Architecture Edge

Introduction

The hybrid IoT/Edge implementation in the Onesait platform is based on the collaboration of two components: the Edge Engine, the architecture deployed on each of the distributed nodes, and the Edge Management System, the global management centre for the whole infrastructure.

The following diagram shows the components of Phygital Edge. Together with the functions provided by the agent, they give complete management of the devices deployed in the field.


Architecture Phygital Edge


Edge Management System: the global management component for the distributed nodes. It provides (i) switching devices on and off, (ii) secure communication with the nodes, including device attestation, (iii) a remote configuration repository for the Edge Engines, (iv) operations that update configurations and deployed applications, and (v) remote administration through the SSH operations console.

Edge Engine: the set of capabilities deployed on the gateways as containers and managed by the deployed agent. It provides remote control of the node, data acquisition and monitoring, local data processing, connectivity to the customer's business cloud, and scalability.

Field Device: devices that Phygital Edge can connect to but that allow only limited remote management and cannot host deployed applications, for example autonomous sensors with their own 3G connectivity.

Component View

Edge Management System (EMS):

IoT Broker (EMQX): the main communication broker between the deployed gateways and the platform. All field data arrives here over MQTT and is then distributed to the integrated business platform.

Minsait Edge Core: the main element of the system, responsible for managing and communicating with the devices; it is the control centre of Phygital Edge.

Phygital Edge Management Console

Key Management System (KMS): generates the keys used for device authentication and provides an interface to manage them.

Monitoring: monitoring of the communications in the environment, based on Grafana and Prometheus; it stores the broker's statistics and presents them through a user-friendly interface.

Registry: stores all the Docker images that are pulled by the devices on which the agent can be installed.

The registry is included in IOTedge to centralise every component that can be installed on the devices, a component being a container that performs one specific task, such as monitoring Modbus or ZigBee devices.

Reverse Proxy: filters every request made to Phygital Edge, delegating the decision to the security component. It also assigns a web context (path prefix) to each service inside the application; for example, the Grafana service is served under the /grafana context.
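As an added example (not the project's own configuration), the following Traefik v2 dynamic configuration in file-provider form shows the two things described above: a path-prefix router that gives Grafana the /grafana context, and a forwardAuth middleware that sends every request to the security component before it reaches the service. The host names, ports and the auth endpoint path are assumptions.

```yaml
# Traefik v2 dynamic configuration (file provider). Added illustration, not
# the Phygital Edge configuration. Hostnames, ports and the auth endpoint
# path are assumptions.
http:
  routers:
    grafana:
      entryPoints:
        - websecure
      rule: "PathPrefix(`/grafana`)"
      middlewares:
        - edge-auth          # never omit: without it the service is exposed unfiltered
      service: grafana
      tls: {}
  middlewares:
    edge-auth:
      forwardAuth:
        # Every request is forwarded to the security component first; any
        # response other than 2xx is returned to the client and the request
        # never reaches Grafana.
        address: "http://edge-core:8080/api/auth/check"
        trustForwardHeader: true
  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"
```

Every router must list the middleware; a router without it bypasses the security component, so this is the first thing to check when reviewing the proxy configuration. Grafana itself also has to know it is served under a sub-path (root_url ending in /grafana and serve_from_sub_path = true in the [server] section of grafana.ini), otherwise its redirects and asset links point to the root.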

Reverse SSH: the EMS also manages the jump server that carries the reverse SSH connection between the devices and Phygital Edge. This server acts as an intermediary between devices located anywhere in the world and Phygital Edge.

The jump server is configured from the configuration section of the Phygital Edge web console:

Edge Engine

IoTa: the agent, known as IoTa, supports deployment on several hardware architectures with defined component requirements. It can also be installed on VMs running on type 1 or type 2 hypervisors (VMware ESXi, Player and Workstation, KVM, VirtualBox, Microsoft Hyper-V, and Windows 10 WSL2) on which those requirements have been installed.

The main functions of the Edge Agent are the following:

  • It opens, and re-establishes after a disconnection, the channel that carries command-and-control traffic from the Edge Management System over MQTT/TLS. The TLS session is opened with the certificates deployed during installation.

  • It connects the edge node with the internal IoT Hub modules, specifically the Docker image registry and the Git configuration repositories.

  • It processes every command sent by the IoT Hub:

    o Reverse-tunnelling commands for SSH, and requests for monitoring data, hardware status and software status of the edge node.

    o docker-compose and Ansible configuration updates that modify or deploy applications (the edge node's containers).

    o Direct commands with OS scripting that update libraries, apply patches or control hardware elements at a low level (e.g. the 4G modem).
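The page states that the registry exists so that every component a node runs comes from the Edge Management System, and that docker-compose updates arrive at the agent as commands. The following Python is an added example, not code from the IoTa agent: a policy check a practitioner would run on a compose update before applying it, rejecting services with no image, images from any registry other than the EMS registry, and images that are not pinned by tag or digest. The registry host, service names and compose content are constructed for the example.

```python
"""Image-source policy for docker-compose updates pushed to an edge node.

Added illustration, not code from the Phygital Edge agent. Enforces that every
service names an image, that the image comes from the EMS registry, and that
it is pinned by a tag other than 'latest' or by a sha256 digest. The registry
hostname, the service names and the compose content are constructed examples.
"""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def parse_image_ref(ref):
    """Split 'registry/repo:tag@digest' into its parts (None where absent).

    Docker treats the first path component as a registry only when it contains
    a '.' or ':' or is 'localhost'; otherwise the registry is implicit
    (Docker Hub), which is exactly the case the policy must reject.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = None
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):          # a ':' after the last '/' starts the tag
        ref, tag = ref[:colon], ref[colon + 1:]
    return {"registry": registry, "repository": ref, "tag": tag, "digest": digest}


def image_violations(ref, allowed_registry):
    """Return the policy violations for one image reference (empty list = OK)."""
    parts = parse_image_ref(ref)
    problems = []
    if parts["registry"] != allowed_registry:
        shown = parts["registry"] or "docker.io (implicit)"
        problems.append(f"registry {shown} is not {allowed_registry}")
    if parts["digest"] is not None:
        if not DIGEST_RE.match(parts["digest"]):
            problems.append("malformed digest")
    elif parts["tag"] is None or parts["tag"] == "latest":
        problems.append("image is not pinned (missing or 'latest' tag)")
    elif not TAG_RE.match(parts["tag"]):
        problems.append(f"malformed tag {parts['tag']!r}")
    return problems


def check_compose_images(compose, allowed_registry):
    """Check every service of a parsed compose file; returns a list of findings.

    `compose` is the compose file already parsed into a dict (YAML and JSON
    parse to the same structure; JSON is used here to avoid a dependency).
    """
    findings = []
    for name, svc in compose.get("services", {}).items():
        image = svc.get("image")
        if image is None:
            # 'build:' would compile arbitrary content on the node; refuse it.
            findings.append(f"{name}: no 'image' (build contexts are not allowed on the node)")
            continue
        findings.extend(f"{name}: {p}" for p in image_violations(image, allowed_registry))
    return findings


EMS_REGISTRY = "registry.ems.example:5000"     # assumed hostname of the EMS registry

# Constructed compose-like content, not a real Phygital Edge compose file.
SAMPLE_COMPOSE = json.loads("""
{
  "services": {
    "edge-modbus": {"image": "registry.ems.example:5000/edge/modbus:1.4.2"},
    "edge-mqtt":   {"image": "registry.ems.example:5000/edge/mosquitto@sha256:%s"},
    "edge-flow":   {"image": "nodered/node-red:latest"},
    "debug":       {"build": "."}
  }
}
""" % ("a" * 64))

if __name__ == "__main__":
    for finding in check_compose_images(SAMPLE_COMPOSE, EMS_REGISTRY):
        print("REJECT", finding)
```

Run before `docker compose up`; a non-empty result should abort the update and be reported back over the command channel. The same parser can be reused by the registry side to refuse pushes of untagged images.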

Edge Modules: applications deployed on the gateways that extend the management and capabilities of the devices. Because they run as Docker containers they can be added and upgraded over time. The main ones are:

  • Edge MQTT: service based on the Mosquitto broker. Every event produced by the other applications is published here and is available to later processing. This component can be configured locally on the node or remotely through the IoT Hub.

  • Edge Database: service based on InfluxDB and the TICK stack. It provides (i) persistence of the events published on the internal messaging service, (ii) their visualisation, (iii) the execution of queries and (iv) their export. It can be configured locally on the node or remotely through the Edge Management System.

  • Edge Flow (Node-RED): Node-RED is based on Node.js and allows rule flows to be defined over the events published on the internal messaging service. It can be configured locally on the node or remotely through the IoT Hub. Given the extensive set of connectors Node-RED provides, these components can also be used as an SDK for connecting to various external systems.

  • Edge Modbus: modules for Modbus communication over serial and over the network, giving the end user flexibility in registering and managing signals.

  • Edge ZigBee: modules for managing and registering ZigBee systems such as lamps, analysers and switches.

  • WoT: Web of Things, the module for discovering the signals connected to the nodes deployed in the field; it connects to the platform with a basic configuration.

  • Additional applications: the Onesait Platform products also include containers that provide more complex services beyond those above, such as BACnet, OPC-UA, OPC-DA, Virtual-PLC and IA-OpenVINO.

Security

Phygital Edge keeps an identity registry that records the devices and modules that are permitted to connect and what they may connect to. Before a device or module can connect, an entry for it must exist in the identity registry.

A device or module authenticates against the Edge Management System with the credentials stored in the identity registry (KMS: Key Management System). Phygital Edge supports two authentication methods between the device and the Edge Management System: an encrypted file bound to the device's MAC address, or a key pair and certificate generated in the TPM 2.0 installed on the device, which the Edge Management System then uses to create an encrypted connection file (iotagent.enc). Of the two, the TPM-backed method ties the identity to hardware, whereas a MAC address is a software-settable attribute, so the TPM method should be preferred wherever the hardware has one.
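The following Python is an added illustration of the registry-side check that follows from the two paragraphs above; it is not the Phygital Edge or KMS implementation, whose file formats and protocol the page does not describe. It shows the fail-closed order a practitioner expects: look the presented identity up first (an unregistered identity is rejected before any credential is examined), then compare the SHA-256 fingerprint of the presented certificate against the one stored at enrolment in constant time, then check what the registry allows that identity to connect to. The device ids, module names and the stand-in "certificate" bytes are constructed for the example.

```python
"""Identity registry and device authentication, as an added illustration.

Not the Phygital Edge / KMS code. Models the rule that an identity must be
enrolled before it may connect, binds each identity to the fingerprint of a
(TPM-backed) device certificate, and records which modules it may connect to.
Identities, module names and the 'DER' byte strings below are constructed.
"""
import hashlib
import hmac


class AuthError(Exception):
    pass


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


def enrol(registry, identity, der_bytes, modules=()):
    """Create the registry entry that must exist before the identity can connect."""
    if identity in registry:
        raise ValueError(f"{identity} is already registered")
    registry[identity] = {"fingerprint": cert_fingerprint(der_bytes), "modules": set(modules)}


def authenticate(registry, identity, presented_der):
    """Return the registry entry if identity and credential match, else raise."""
    entry = registry.get(identity)
    if entry is None:
        # fail closed: no enrolment, no connection, and no credential check
        raise AuthError("unknown identity")
    presented = cert_fingerprint(presented_der)
    # constant-time compare so response timing does not leak a partial match
    if not hmac.compare_digest(entry["fingerprint"], presented):
        raise AuthError("credential does not match enrolment")
    return entry


def authorize_module(registry, identity, module):
    """True only if the registry says this identity may connect to that module."""
    entry = registry.get(identity)
    return entry is not None and module in entry["modules"]


# Constructed stand-ins for DER certificates; any byte string fingerprints.
CERT_GATEWAY_01 = b"-- constructed DER for gateway-01 --"
CERT_ROGUE = b"-- constructed DER for an unregistered device --"

REGISTRY = {}
enrol(REGISTRY, "gateway-01", CERT_GATEWAY_01, modules=["edge-mqtt", "edge-modbus"])


def try_connect(identity, der_bytes, module):
    """Outcome of a connection attempt as a short string (for demonstration)."""
    try:
        authenticate(REGISTRY, identity, der_bytes)
    except AuthError as e:
        return f"rejected: {e}"
    if not authorize_module(REGISTRY, identity, module):
        return f"rejected: {module} not allowed for {identity}"
    return "accepted"


if __name__ == "__main__":
    print(try_connect("gateway-01", CERT_GATEWAY_01, "edge-modbus"))   # accepted
    print(try_connect("gateway-01", CERT_ROGUE, "edge-modbus"))        # wrong credential
    print(try_connect("gateway-99", CERT_ROGUE, "edge-modbus"))        # unknown identity
    print(try_connect("gateway-01", CERT_GATEWAY_01, "edge-zigbee"))   # module not allowed
```

The distinct reasons are useful in the EMS log for operators; the message returned to the connecting device should be a single generic failure, so that a probe cannot tell enrolled identities from unenrolled ones.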

Core technologies

MODULE            TECHNOLOGY
Base technology   Java 11, Spring Boot v2.4.5
Edge console      OpenSSH, Wetty (JavaScript)
Database          MongoDB v5.0
MQTT              EMQX v4.2.11
Node-RED          Node-RED (any version)
Git               Gitea v1.11.5
Reverse proxy     Traefik v2.2.1