Merge device provisioning feature

@@ -89,13 +89,16 @@ CREATE TABLE IF NOT EXISTS device_profile (
     name varchar(255),
     type varchar(255),
     transport_type varchar(255),
+    provision_type varchar(255),
     profile_data jsonb,
     description varchar,
     search_text varchar(255),
     is_default boolean,
     tenant_id uuid,
     default_rule_chain_id uuid,
+    provision_device_key varchar,
     CONSTRAINT device_profile_name_unq_key UNIQUE (tenant_id, name),
+    CONSTRAINT device_provision_key_unq_key UNIQUE (provision_device_key),
     CONSTRAINT fk_default_rule_chain_device_profile FOREIGN KEY (default_rule_chain_id) REFERENCES rule_chain(id)
 );
 

@@ -700,6 +700,12 @@ public abstract class BaseController {
             case ASSIGNED_TO_TENANT:
                 msgType = DataConstants.ENTITY_ASSIGNED_TO_TENANT;
                 break;
+            case PROVISION_SUCCESS:
+                msgType = DataConstants.PROVISION_SUCCESS;
+                break;
+            case PROVISION_FAILURE:
+                msgType = DataConstants.PROVISION_FAILURE;
+                break;
         }
         if (!StringUtils.isEmpty(msgType)) {
             try {

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.service.device;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.google.common.util.concurrent.Futures;
+import com.google.common.util.concurrent.ListenableFuture;
+import com.google.common.util.concurrent.MoreExecutors;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
+import org.thingsboard.server.common.data.DataConstants;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.DeviceProfile;
+import org.thingsboard.server.common.data.audit.ActionType;
+import org.thingsboard.server.common.data.id.CustomerId;
+import org.thingsboard.server.common.data.id.TenantId;
+import org.thingsboard.server.common.data.id.UserId;
+import org.thingsboard.server.common.data.kv.AttributeKvEntry;
+import org.thingsboard.server.common.data.kv.BaseAttributeKvEntry;
+import org.thingsboard.server.common.data.kv.StringDataEntry;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.common.msg.TbMsg;
+import org.thingsboard.server.common.msg.TbMsgMetaData;
+import org.thingsboard.server.common.msg.queue.ServiceType;
+import org.thingsboard.server.common.msg.queue.TopicPartitionInfo;
+import org.thingsboard.server.dao.attributes.AttributesService;
+import org.thingsboard.server.dao.audit.AuditLogService;
+import org.thingsboard.server.dao.device.DeviceCredentialsService;
+import org.thingsboard.server.dao.device.DeviceDao;
+import org.thingsboard.server.dao.device.DeviceProfileDao;
+import org.thingsboard.server.dao.device.DeviceProvisionService;
+import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
+import org.thingsboard.server.dao.device.provision.ProvisionResponse;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
+import org.thingsboard.server.dao.util.mapping.JacksonUtil;
+import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ToRuleEngineMsg;
+import org.thingsboard.server.queue.TbQueueCallback;
+import org.thingsboard.server.queue.TbQueueProducer;
+import org.thingsboard.server.queue.common.TbProtoQueueMsg;
+import org.thingsboard.server.queue.discovery.PartitionService;
+import org.thingsboard.server.queue.provider.TbQueueProducerProvider;
+import org.thingsboard.server.queue.util.TbCoreComponent;
+import org.thingsboard.server.service.state.DeviceStateService;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.locks.ReentrantLock;
+
+
+@Service
+@Slf4j
+@TbCoreComponent
+public class DeviceProvisionServiceImpl implements DeviceProvisionService {
+
+    protected TbQueueProducer<TbProtoQueueMsg<ToRuleEngineMsg>> ruleEngineMsgProducer;
+
+    private static final String DEVICE_PROVISION_STATE = "provisionState";
+    private static final String PROVISIONED_STATE = "provisioned";
+
+    private final ReentrantLock deviceCreationLock = new ReentrantLock();
+
+    @Autowired
+    DeviceDao deviceDao;
+
+    @Autowired
+    DeviceProfileDao deviceProfileDao;
+
+    @Autowired
+    DeviceService deviceService;
+
+    @Autowired
+    DeviceCredentialsService deviceCredentialsService;
+
+    @Autowired
+    AttributesService attributesService;
+
+    @Autowired
+    DeviceStateService deviceStateService;
+
+    @Autowired
+    AuditLogService auditLogService;
+
+    @Autowired
+    PartitionService partitionService;
+
+    public DeviceProvisionServiceImpl(TbQueueProducerProvider producerProvider) {
+        ruleEngineMsgProducer = producerProvider.getRuleEngineMsgProducer();
+    }
+
+    @Override
+    public ProvisionResponse provisionDevice(ProvisionRequest provisionRequest) {
+        String provisionRequestKey = provisionRequest.getCredentials().getProvisionDeviceKey();
+        String provisionRequestSecret = provisionRequest.getCredentials().getProvisionDeviceSecret();
+
+        if (StringUtils.isEmpty(provisionRequestKey) || StringUtils.isEmpty(provisionRequestSecret)) {
+            throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
+        }
+
+        DeviceProfile targetProfile = deviceProfileDao.findByProvisionDeviceKey(provisionRequestKey);
+
+        if (targetProfile == null || targetProfile.getProfileData().getProvisionConfiguration() == null ||
+                targetProfile.getProfileData().getProvisionConfiguration().getProvisionDeviceSecret() == null) {
+            throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
+        }
+
+        Device targetDevice = deviceDao.findDeviceByTenantIdAndName(targetProfile.getTenantId().getId(), provisionRequest.getDeviceName()).orElse(null);
+
+        switch (targetProfile.getProvisionType()) {
+            case ALLOW_CREATE_NEW_DEVICES:
+                if (targetProfile.getProfileData().getProvisionConfiguration().getProvisionDeviceSecret().equals(provisionRequestSecret)) {
+                    if (targetDevice != null) {
+                        log.warn("[{}] The device is present and could not be provisioned once more!", targetDevice.getName());
+                        notify(targetDevice, provisionRequest, DataConstants.PROVISION_FAILURE, false);
+                        throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+                    } else {
+                        return createDevice(provisionRequest, targetProfile);
+                    }
+                }
+                break;
+            case CHECK_PRE_PROVISIONED_DEVICES:
+                if (targetProfile.getProfileData().getProvisionConfiguration().getProvisionDeviceSecret().equals(provisionRequestSecret)) {
+                    if (targetDevice != null && targetDevice.getDeviceProfileId().equals(targetProfile.getId())) {
+                        return processProvision(targetDevice, provisionRequest);
+                    } else {
+                        log.warn("[{}] Failed to find pre provisioned device!", provisionRequest.getDeviceName());
+                        throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+                    }
+                }
+                break;
+        }
+        throw new ProvisionFailedException(ProvisionResponseStatus.NOT_FOUND.name());
+    }
+
+    private ProvisionResponse processProvision(Device device, ProvisionRequest provisionRequest) {
+        try {
+            Optional<AttributeKvEntry> provisionState = attributesService.find(device.getTenantId(), device.getId(),
+                    DataConstants.SERVER_SCOPE, DEVICE_PROVISION_STATE).get();
+            if (provisionState != null && provisionState.isPresent() && !provisionState.get().getValueAsString().equals(PROVISIONED_STATE)) {
+                notify(device, provisionRequest, DataConstants.PROVISION_FAILURE, false);
+                throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+            } else {
+                saveProvisionStateAttribute(device).get();
+                notify(device, provisionRequest, DataConstants.PROVISION_SUCCESS, true);
+            }
+        } catch (InterruptedException | ExecutionException e) {
+            throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+        }
+        return new ProvisionResponse(deviceCredentialsService.findDeviceCredentialsByDeviceId(device.getTenantId(), device.getId()), ProvisionResponseStatus.SUCCESS);
+    }
+
+    private ProvisionResponse createDevice(ProvisionRequest provisionRequest, DeviceProfile profile) {
+        deviceCreationLock.lock();
+        try {
+            return processCreateDevice(provisionRequest, profile);
+        } finally {
+            deviceCreationLock.unlock();
+        }
+    }
+
+    private void notify(Device device, ProvisionRequest provisionRequest, String type, boolean success) {
+        pushProvisionEventToRuleEngine(provisionRequest, device, type);
+        logAction(device.getTenantId(), device.getCustomerId(), device, success, provisionRequest);
+    }
+
+    private ProvisionResponse processCreateDevice(ProvisionRequest provisionRequest, DeviceProfile profile) {
+        Device device = deviceService.findDeviceByTenantIdAndName(profile.getTenantId(), provisionRequest.getDeviceName());
+        try {
+            if (device == null) {
+                Device savedDevice = deviceService.saveDevice(provisionRequest, profile);
+
+                deviceStateService.onDeviceAdded(savedDevice);
+                saveProvisionStateAttribute(savedDevice).get();
+                pushDeviceCreatedEventToRuleEngine(savedDevice);
+                notify(savedDevice, provisionRequest, DataConstants.PROVISION_SUCCESS, true);
+
+                return new ProvisionResponse(getDeviceCredentials(savedDevice), ProvisionResponseStatus.SUCCESS);
+            } else {
+                log.warn("[{}] The device is already provisioned!", device.getName());
+                notify(device, provisionRequest, DataConstants.PROVISION_FAILURE, false);
+                throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+            }
+        } catch (InterruptedException | ExecutionException e) {
+            throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+        }
+    }
+
+    private ListenableFuture<List<Void>> saveProvisionStateAttribute(Device device) {
+        return attributesService.save(device.getTenantId(), device.getId(), DataConstants.SERVER_SCOPE,
+                Collections.singletonList(new BaseAttributeKvEntry(new StringDataEntry(DEVICE_PROVISION_STATE, PROVISIONED_STATE),
+                        System.currentTimeMillis())));
+    }
+
+    private DeviceCredentials getDeviceCredentials(Device device) {
+        return deviceCredentialsService.findDeviceCredentialsByDeviceId(device.getTenantId(), device.getId());
+    }
+
+    private void pushProvisionEventToRuleEngine(ProvisionRequest request, Device device, String type) {
+        try {
+            JsonNode entityNode = JacksonUtil.valueToTree(request);
+            TbMsg msg = TbMsg.newMsg(type, device.getId(), createTbMsgMetaData(device), JacksonUtil.toString(entityNode));
+            sendToRuleEngine(device.getTenantId(), msg, null);
+        } catch (IllegalArgumentException e) {
+            log.warn("[{}] Failed to push device action to rule engine: {}", device.getId(), type, e);
+        }
+    }
+
+    private void pushDeviceCreatedEventToRuleEngine(Device device) {
+        try {
+            ObjectNode entityNode = JacksonUtil.OBJECT_MAPPER.valueToTree(device);
+            TbMsg msg = TbMsg.newMsg(DataConstants.ENTITY_CREATED, device.getId(), createTbMsgMetaData(device), JacksonUtil.OBJECT_MAPPER.writeValueAsString(entityNode));
+            sendToRuleEngine(device.getTenantId(), msg, null);
+        } catch (JsonProcessingException | IllegalArgumentException e) {
+            log.warn("[{}] Failed to push device action to rule engine: {}", device.getId(), DataConstants.ENTITY_CREATED, e);
+        }
+    }
+
+    protected void sendToRuleEngine(TenantId tenantId, TbMsg tbMsg, TbQueueCallback callback) {
+        TopicPartitionInfo tpi = partitionService.resolve(ServiceType.TB_RULE_ENGINE, tenantId, tbMsg.getOriginator());
+        TransportProtos.ToRuleEngineMsg msg = TransportProtos.ToRuleEngineMsg.newBuilder().setTbMsg(TbMsg.toByteString(tbMsg))
+                .setTenantIdMSB(tenantId.getId().getMostSignificantBits())
+                .setTenantIdLSB(tenantId.getId().getLeastSignificantBits()).build();
+        ruleEngineMsgProducer.send(tpi, new TbProtoQueueMsg<>(tbMsg.getId(), msg), callback);
+    }
+
+    private TbMsgMetaData createTbMsgMetaData(Device device) {
+        TbMsgMetaData metaData = new TbMsgMetaData();
+        metaData.putValue("tenantId", device.getTenantId().toString());
+        return metaData;
+    }
+
+    private void logAction(TenantId tenantId, CustomerId customerId, Device device, boolean success, ProvisionRequest provisionRequest) {
+        ActionType actionType = success ? ActionType.PROVISION_SUCCESS : ActionType.PROVISION_FAILURE;
+        auditLogService.logEntityAction(tenantId, customerId, new UserId(UserId.NULL_UUID), device.getName(), device.getId(), device, actionType, null, provisionRequest);
+    }
+}

@@ -23,7 +23,6 @@ import com.google.common.util.concurrent.ListenableFuture;
 import com.google.common.util.concurrent.MoreExecutors;
 import com.google.protobuf.ByteString;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.util.StringUtils;
 import org.thingsboard.server.common.data.DataConstants;
@@ -31,6 +30,8 @@ import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.TenantProfile;
 import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
+import org.thingsboard.server.common.data.device.credentials.ProvisionDeviceCredentialsData;
+import org.thingsboard.server.common.data.device.profile.ProvisionDeviceProfileCredentials;
 import org.thingsboard.server.common.data.id.CustomerId;
 import org.thingsboard.server.common.data.id.DeviceId;
 import org.thingsboard.server.common.data.id.DeviceProfileId;
@@ -45,7 +46,10 @@ import org.thingsboard.server.common.msg.TbMsgMetaData;
 import org.thingsboard.server.common.transport.util.DataDecodingEncodingService;
 import org.thingsboard.server.dao.device.DeviceCredentialsService;
 import org.thingsboard.server.dao.device.DeviceProfileService;
+import org.thingsboard.server.dao.device.DeviceProvisionService;
 import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
+import org.thingsboard.server.dao.device.provision.ProvisionResponse;
 import org.thingsboard.server.dao.relation.RelationService;
 import org.thingsboard.server.dao.tenant.TenantProfileService;
 import org.thingsboard.server.dao.tenant.TenantService;
@@ -56,6 +60,7 @@ import org.thingsboard.server.gen.transport.TransportProtos.GetOrCreateDeviceFro
 import org.thingsboard.server.gen.transport.TransportProtos.GetOrCreateDeviceFromGatewayResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.GetTenantRoutingInfoRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.GetTenantRoutingInfoResponseMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.TransportApiRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.TransportApiResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceCredentialsResponseMsg;
@@ -63,6 +68,7 @@ import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceTokenR
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceX509CertRequestMsg;
 import org.thingsboard.server.queue.common.TbProtoQueueMsg;
 import org.thingsboard.server.queue.util.TbCoreComponent;
+import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
 import org.thingsboard.server.service.executors.DbCallbackExecutorService;
 import org.thingsboard.server.service.queue.TbClusterService;
 import org.thingsboard.server.service.state.DeviceStateService;
@@ -94,6 +100,7 @@ public class DefaultTransportApiService implements TransportApiService {
     private final DbCallbackExecutorService dbCallbackExecutorService;
     private final TbClusterService tbClusterService;
     private final DataDecodingEncodingService dataDecodingEncodingService;
+    private final DeviceProvisionService deviceProvisionService;
 
 
     private final ConcurrentMap<String, ReentrantLock> deviceCreationLocks = new ConcurrentHashMap<>();
@@ -102,7 +109,8 @@ public class DefaultTransportApiService implements TransportApiService {
                                       TenantProfileService tenantProfileService, DeviceService deviceService,
                                       RelationService relationService, DeviceCredentialsService deviceCredentialsService,
                                       DeviceStateService deviceStateService, DbCallbackExecutorService dbCallbackExecutorService,
-                                      TbClusterService tbClusterService, DataDecodingEncodingService dataDecodingEncodingService) {
+                                      TbClusterService tbClusterService, DataDecodingEncodingService dataDecodingEncodingService,
+                                      DeviceProvisionService deviceProvisionService) {
         this.deviceProfileService = deviceProfileService;
         this.tenantService = tenantService;
         this.tenantProfileService = tenantProfileService;
@@ -113,6 +121,7 @@ public class DefaultTransportApiService implements TransportApiService {
         this.dbCallbackExecutorService = dbCallbackExecutorService;
         this.tbClusterService = tbClusterService;
         this.dataDecodingEncodingService = dataDecodingEncodingService;
+        this.deviceProvisionService = deviceProvisionService;
     }
 
     @Override
@@ -139,6 +148,9 @@ public class DefaultTransportApiService implements TransportApiService {
         } else if (transportApiRequestMsg.hasGetDeviceProfileRequestMsg()) {
             return Futures.transform(handle(transportApiRequestMsg.getGetDeviceProfileRequestMsg()),
                     value -> new TbProtoQueueMsg<>(tbProtoQueueMsg.getKey(), value, tbProtoQueueMsg.getHeaders()), MoreExecutors.directExecutor());
+        } else if (transportApiRequestMsg.hasProvisionDeviceRequestMsg()) {
+            return Futures.transform(handle(transportApiRequestMsg.getProvisionDeviceRequestMsg()),
+                    value -> new TbProtoQueueMsg<>(tbProtoQueueMsg.getKey(), value, tbProtoQueueMsg.getHeaders()), MoreExecutors.directExecutor());
         }
         return Futures.transform(getEmptyTransportApiResponseFuture(),
                 value -> new TbProtoQueueMsg<>(tbProtoQueueMsg.getKey(), value, tbProtoQueueMsg.getHeaders()), MoreExecutors.directExecutor());
@@ -263,6 +275,50 @@ public class DefaultTransportApiService implements TransportApiService {
         }, dbCallbackExecutorService);
     }
 
+    private ListenableFuture<TransportApiResponseMsg> handle(ProvisionDeviceRequestMsg requestMsg) {
+        ListenableFuture<ProvisionResponse> provisionResponseFuture = null;
+        try {
+            provisionResponseFuture = Futures.immediateFuture(deviceProvisionService.provisionDevice(
+                    new ProvisionRequest(
+                            requestMsg.getDeviceName(),
+                            requestMsg.getCredentialsType() != null ? DeviceCredentialsType.valueOf(requestMsg.getCredentialsType().name()) : null,
+                            new ProvisionDeviceCredentialsData(requestMsg.getCredentialsDataProto().getValidateDeviceTokenRequestMsg().getToken(),
+                                    requestMsg.getCredentialsDataProto().getValidateBasicMqttCredRequestMsg().getClientId(),
+                                    requestMsg.getCredentialsDataProto().getValidateBasicMqttCredRequestMsg().getUserName(),
+                                    requestMsg.getCredentialsDataProto().getValidateBasicMqttCredRequestMsg().getPassword(),
+                                    requestMsg.getCredentialsDataProto().getValidateDeviceX509CertRequestMsg().getHash()),
+                            new ProvisionDeviceProfileCredentials(
+                                    requestMsg.getProvisionDeviceCredentialsMsg().getProvisionDeviceKey(),
+                                    requestMsg.getProvisionDeviceCredentialsMsg().getProvisionDeviceSecret()))));
+        } catch (ProvisionFailedException e) {
+            return Futures.immediateFuture(getTransportApiResponseMsg(
+                    TransportProtos.DeviceCredentialsProto.getDefaultInstance(),
+                    TransportProtos.ProvisionResponseStatus.valueOf(e.getMessage())));
+        }
+        return Futures.transform(provisionResponseFuture, provisionResponse -> getTransportApiResponseMsg(
+                getDeviceCredentials(provisionResponse.getDeviceCredentials()), TransportProtos.ProvisionResponseStatus.SUCCESS),
+                dbCallbackExecutorService);
+    }
+
+    private TransportApiResponseMsg getTransportApiResponseMsg(TransportProtos.DeviceCredentialsProto deviceCredentials, TransportProtos.ProvisionResponseStatus status) {
+        return TransportApiResponseMsg.newBuilder()
+                .setProvisionDeviceResponseMsg(TransportProtos.ProvisionDeviceResponseMsg.newBuilder()
+                        .setDeviceCredentials(deviceCredentials)
+                        .setProvisionResponseStatus(status)
+                        .build())
+                .build();
+    }
+
+    private TransportProtos.DeviceCredentialsProto getDeviceCredentials(DeviceCredentials deviceCredentials) {
+        return TransportProtos.DeviceCredentialsProto.newBuilder()
+                .setDeviceIdMSB(deviceCredentials.getDeviceId().getId().getMostSignificantBits())
+                .setDeviceIdLSB(deviceCredentials.getDeviceId().getId().getLeastSignificantBits())
+                .setCredentialsType(TransportProtos.CredentialsType.valueOf(deviceCredentials.getCredentialsType().name()))
+                .setCredentialsId(deviceCredentials.getCredentialsId())
+                .setCredentialsValue(deviceCredentials.getCredentialsValue() != null ? deviceCredentials.getCredentialsValue() : "")
+                .build();
+    }
+
     private ListenableFuture<TransportApiResponseMsg> handle(GetTenantRoutingInfoRequestMsg requestMsg) {
         TenantId tenantId = new TenantId(new UUID(requestMsg.getTenantIdMSB(), requestMsg.getTenantIdLSB()));
         // TODO: Tenant Profile from cache

@@ -68,6 +68,7 @@ import org.thingsboard.server.common.data.User;
 import org.thingsboard.server.common.data.device.profile.DefaultDeviceProfileConfiguration;
 import org.thingsboard.server.common.data.device.profile.DefaultDeviceProfileTransportConfiguration;
 import org.thingsboard.server.common.data.device.profile.DeviceProfileData;
+import org.thingsboard.server.common.data.device.profile.ProvisionDeviceProfileCredentials;
 import org.thingsboard.server.common.data.id.HasId;
 import org.thingsboard.server.common.data.id.RuleChainId;
 import org.thingsboard.server.common.data.id.TenantId;

@@ -28,6 +28,7 @@ import org.thingsboard.server.common.data.DeviceProfileType;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.Tenant;
 import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.device.profile.ProvisionDeviceProfileCredentials;
 import org.thingsboard.server.common.data.page.PageData;
 import org.thingsboard.server.common.data.page.PageLink;
 import org.thingsboard.server.common.data.security.Authority;
@@ -153,6 +154,17 @@ public abstract class BaseDeviceProfileControllerTest extends AbstractController
                 .andExpect(statusReason(containsString("Device profile with such name already exists")));
     }
 
+    @Test
+    public void testSaveDeviceProfileWithSameProvisionDeviceKey() throws Exception {
+        DeviceProfile deviceProfile = this.createDeviceProfile("Device Profile");
+        deviceProfile.setProvisionDeviceKey("testProvisionDeviceKey");
+        doPost("/api/deviceProfile", deviceProfile).andExpect(status().isOk());
+        DeviceProfile deviceProfile2 = this.createDeviceProfile("Device Profile 2");
+        deviceProfile2.setProvisionDeviceKey("testProvisionDeviceKey");
+        doPost("/api/deviceProfile", deviceProfile2).andExpect(status().isBadRequest())
+                .andExpect(statusReason(containsString("Device profile with such provision device key already exists")));
+    }
+
     @Ignore
     @Test
     public void testChangeDeviceProfileTypeWithExistingDevices() throws Exception {

@@ -26,13 +26,18 @@ import org.junit.Assert;
 import org.springframework.util.StringUtils;
 import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceProfile;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
 import org.thingsboard.server.common.data.DeviceProfileType;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.Tenant;
 import org.thingsboard.server.common.data.TransportPayloadType;
 import org.thingsboard.server.common.data.User;
+import org.thingsboard.server.common.data.device.profile.AllowCreateNewDevicesDeviceProfileProvisionConfiguration;
+import org.thingsboard.server.common.data.device.profile.CheckPreProvisionedDevicesDeviceProfileProvisionConfiguration;
 import org.thingsboard.server.common.data.device.profile.DefaultDeviceProfileConfiguration;
 import org.thingsboard.server.common.data.device.profile.DeviceProfileData;
+import org.thingsboard.server.common.data.device.profile.DeviceProfileProvisionConfiguration;
+import org.thingsboard.server.common.data.device.profile.DisabledDeviceProfileProvisionConfiguration;
 import org.thingsboard.server.common.data.device.profile.MqttDeviceProfileTransportConfiguration;
 import org.thingsboard.server.common.data.security.Authority;
 import org.thingsboard.server.common.data.security.DeviceCredentials;
@@ -64,7 +69,18 @@ public abstract class AbstractMqttIntegrationTest extends AbstractControllerTest
     protected Device savedGateway;
     protected String gatewayAccessToken;
 
-    protected void processBeforeTest(String deviceName, String gatewayName, TransportPayloadType payloadType, String telemetryTopic, String attributesTopic) throws Exception {
+    protected void processBeforeTest (String deviceName, String gatewayName, TransportPayloadType payloadType, String telemetryTopic, String attributesTopic) throws Exception {
+        this.processBeforeTest(deviceName, gatewayName, payloadType, telemetryTopic, attributesTopic, DeviceProfileProvisionType.DISABLED, null, null);
+    }
+
+    protected void processBeforeTest(String deviceName,
+                                     String gatewayName,
+                                     TransportPayloadType payloadType,
+                                     String telemetryTopic,
+                                     String attributesTopic,
+                                     DeviceProfileProvisionType provisionType,
+                                     String provisionKey, String provisionSecret
+                                     ) throws Exception {
         loginSysAdmin();
 
         Tenant tenant = new Tenant();
@@ -93,7 +109,7 @@ public abstract class AbstractMqttIntegrationTest extends AbstractControllerTest
         gateway.setAdditionalInfo(additionalInfo);
 
         if (payloadType != null) {
-            DeviceProfile mqttDeviceProfile = createMqttDeviceProfile(payloadType, telemetryTopic, attributesTopic);
+            DeviceProfile mqttDeviceProfile = createMqttDeviceProfile(payloadType, telemetryTopic, attributesTopic, provisionType, provisionKey, provisionSecret);
             DeviceProfile savedDeviceProfile = doPost("/api/deviceProfile", mqttDeviceProfile, DeviceProfile.class);
             device.setType(savedDeviceProfile.getName());
             device.setDeviceProfileId(savedDeviceProfile.getId());
@@ -183,11 +199,17 @@ public abstract class AbstractMqttIntegrationTest extends AbstractControllerTest
         return keyValueProtoBuilder.build();
     }
 
-    protected DeviceProfile createMqttDeviceProfile(TransportPayloadType transportPayloadType, String telemetryTopic, String attributesTopic) {
+    protected DeviceProfile createMqttDeviceProfile(TransportPayloadType transportPayloadType,
+                                                    String telemetryTopic, String attributesTopic,
+                                                    DeviceProfileProvisionType provisionType,
+                                                    String provisionKey, String provisionSecret
+    ) {
         DeviceProfile deviceProfile = new DeviceProfile();
         deviceProfile.setName(transportPayloadType.name());
         deviceProfile.setType(DeviceProfileType.DEFAULT);
         deviceProfile.setTransportType(DeviceTransportType.MQTT);
+        deviceProfile.setProvisionType(provisionType);
+        deviceProfile.setProvisionDeviceKey(provisionKey);
         deviceProfile.setDescription(transportPayloadType.name() + " Test");
         DeviceProfileData deviceProfileData = new DeviceProfileData();
         DefaultDeviceProfileConfiguration configuration = new DefaultDeviceProfileConfiguration();
@@ -200,6 +222,19 @@ public abstract class AbstractMqttIntegrationTest extends AbstractControllerTest
             transportConfiguration.setDeviceAttributesTopic(attributesTopic);
         }
         deviceProfileData.setTransportConfiguration(transportConfiguration);
+        DeviceProfileProvisionConfiguration provisionConfiguration;
+        switch (provisionType) {
+            case ALLOW_CREATE_NEW_DEVICES:
+                provisionConfiguration = new AllowCreateNewDevicesDeviceProfileProvisionConfiguration(provisionSecret);
+                break;
+            case CHECK_PRE_PROVISIONED_DEVICES:
+                provisionConfiguration = new CheckPreProvisionedDevicesDeviceProfileProvisionConfiguration(provisionSecret);
+                break;
+            case DISABLED:
+            default:
+                provisionConfiguration = new DisabledDeviceProfileProvisionConfiguration(provisionSecret);
+        }
+        deviceProfileData.setProvisionConfiguration(provisionConfiguration);
         deviceProfileData.setConfiguration(configuration);
         deviceProfile.setProfileData(deviceProfileData);
         deviceProfile.setDefault(false);

@@ -31,7 +31,8 @@ import java.util.Arrays;
         "org.thingsboard.server.mqtt.telemetry.attributes.sql.*Test",
         "org.thingsboard.server.mqtt.attributes.updates.sql.*Test",
         "org.thingsboard.server.mqtt.attributes.request.sql.*Test",
-        "org.thingsboard.server.mqtt.claim.sql.*Test"
+        "org.thingsboard.server.mqtt.claim.sql.*Test",
+        "org.thingsboard.server.mqtt.provision.sql.*Test"
 })
 public class MqttSqlTestSuite {
 

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.mqtt.provision;
+
+import com.google.gson.JsonObject;
+import io.netty.handler.codec.mqtt.MqttQoS;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.paho.client.mqttv3.IMqttDeliveryToken;
+import org.eclipse.paho.client.mqttv3.MqttAsyncClient;
+import org.eclipse.paho.client.mqttv3.MqttCallback;
+import org.eclipse.paho.client.mqttv3.MqttMessage;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+import org.thingsboard.server.common.data.TransportPayloadType;
+import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
+import org.thingsboard.server.common.data.device.profile.MqttTopics;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.common.msg.EncryptionUtil;
+import org.thingsboard.server.common.transport.util.JsonUtils;
+import org.thingsboard.server.dao.device.DeviceCredentialsService;
+import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
+import org.thingsboard.server.dao.util.mapping.JacksonUtil;
+import org.thingsboard.server.mqtt.AbstractMqttIntegrationTest;
+
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+@Slf4j
+public abstract class AbstractMqttProvisionJsonDeviceTest extends AbstractMqttIntegrationTest {
+
+    @Autowired
+    DeviceCredentialsService deviceCredentialsService;
+
+    @Autowired
+    DeviceService deviceService;
+
+    @After
+    public void afterTest() throws Exception {
+        super.processAfterTest();
+    }
+
+    @Test
+    public void testProvisioningDisabledDevice() throws Exception {
+        processTestProvisioningDisabledDevice();
+    }
+
+    @Test
+    public void testProvisioningCheckPreProvisionedDevice() throws Exception {
+        processTestProvisioningCheckPreProvisionedDevice();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithoutCredentials() throws Exception {
+        processTestProvisioningCreateNewDeviceWithoutCredentials();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithAccessToken() throws Exception {
+        processTestProvisioningCreateNewDeviceWithAccessToken();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithCert() throws Exception {
+        processTestProvisioningCreateNewDeviceWithCert();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithMqttBasic() throws Exception {
+        processTestProvisioningCreateNewDeviceWithMqttBasic();
+    }
+
+    @Test
+    public void testProvisioningWithBadKeyDevice() throws Exception {
+        processTestProvisioningWithBadKeyDevice();
+    }
+
+
+    protected void processTestProvisioningDisabledDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.DISABLED, null, null);
+        byte[] result = createMqttClientAndPublish().getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+        Assert.assertEquals("Provision data was not found!", response.get("errorMsg").getAsString());
+        Assert.assertEquals(ProvisionResponseStatus.NOT_FOUND.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+
+    protected void processTestProvisioningCreateNewDeviceWithoutCredentials() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        byte[] result = createMqttClientAndPublish().getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().toString(), response.get("deviceId").getAsString());
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.get("credentialsType").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+
+    protected void processTestProvisioningCreateNewDeviceWithAccessToken() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        String requestCredentials = ",\"credentialsType\": \"ACCESS_TOKEN\",\"token\": \"test_token\"";
+        byte[] result = createMqttClientAndPublish(requestCredentials).getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().toString(), response.get("deviceId").getAsString());
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.get("credentialsType").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), "ACCESS_TOKEN");
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), "test_token");
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+
+    protected void processTestProvisioningCreateNewDeviceWithCert() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        String requestCredentials = ",\"credentialsType\": \"X509_CERTIFICATE\",\"hash\": \"testHash\"";
+        byte[] result = createMqttClientAndPublish(requestCredentials).getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().toString(), response.get("deviceId").getAsString());
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.get("credentialsType").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), "X509_CERTIFICATE");
+
+        String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue());
+        String sha3Hash = EncryptionUtil.getSha3Hash(cert);
+
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), sha3Hash);
+
+        Assert.assertEquals(deviceCredentials.getCredentialsValue(), "testHash");
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+
+    protected void processTestProvisioningCreateNewDeviceWithMqttBasic() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        String requestCredentials = ",\"credentialsType\": \"MQTT_BASIC\",\"clientId\": \"test_clientId\",\"username\": \"test_username\",\"password\": \"test_password\"";
+        byte[] result = createMqttClientAndPublish(requestCredentials).getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().toString(), response.get("deviceId").getAsString());
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.get("credentialsType").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), "MQTT_BASIC");
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), EncryptionUtil.getSha3Hash("|", "test_clientId", "test_username"));
+
+        BasicMqttCredentials mqttCredentials = new BasicMqttCredentials();
+        mqttCredentials.setClientId("test_clientId");
+        mqttCredentials.setUserName("test_username");
+        mqttCredentials.setPassword("test_password");
+
+        Assert.assertEquals(deviceCredentials.getCredentialsValue(), JacksonUtil.toString(mqttCredentials));
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+    protected void processTestProvisioningCheckPreProvisionedDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.CHECK_PRE_PROVISIONED_DEVICES, "testProvisionKey", "testProvisionSecret");
+        byte[] result = createMqttClientAndPublish().getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+        Assert.assertEquals(savedDevice.getId().toString(), response.get("deviceId").getAsString());
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), savedDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.get("credentialsType").getAsString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.get("credentialsId").getAsString());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+    protected void processTestProvisioningWithBadKeyDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.JSON, null, null, DeviceProfileProvisionType.CHECK_PRE_PROVISIONED_DEVICES, "testProvisionKeyOrig", "testProvisionSecret");
+        byte[] result = createMqttClientAndPublish().getPayloadBytes();
+        JsonObject response = JsonUtils.parse(new String(result)).getAsJsonObject();
+        Assert.assertEquals("Provision data was not found!", response.get("errorMsg").getAsString());
+        Assert.assertEquals(ProvisionResponseStatus.NOT_FOUND.name(), response.get("provisionDeviceStatus").getAsString());
+    }
+
+    protected TestMqttCallback createMqttClientAndPublish() throws Exception {
+        return createMqttClientAndPublish("");
+    }
+
+    protected TestMqttCallback createMqttClientAndPublish(String deviceCredentials) throws Exception {
+        String provisionRequestMsg = createTestProvisionMessage(deviceCredentials);
+        MqttAsyncClient client = getMqttAsyncClient("provision");
+        TestMqttCallback onProvisionCallback = getTestMqttCallback();
+        client.setCallback(onProvisionCallback);
+        client.subscribe(MqttTopics.DEVICE_PROVISION_RESPONSE_TOPIC, MqttQoS.AT_MOST_ONCE.value());
+        Thread.sleep(2000);
+        client.publish(MqttTopics.DEVICE_PROVISION_REQUEST_TOPIC, new MqttMessage(provisionRequestMsg.getBytes()));
+        onProvisionCallback.getLatch().await(3, TimeUnit.SECONDS);
+        return onProvisionCallback;
+    }
+
+
+    protected TestMqttCallback getTestMqttCallback() {
+        CountDownLatch latch = new CountDownLatch(1);
+        return new TestMqttCallback(latch);
+    }
+
+
+    protected static class TestMqttCallback implements MqttCallback {
+
+        private final CountDownLatch latch;
+        private Integer qoS;
+        private byte[] payloadBytes;
+
+        TestMqttCallback(CountDownLatch latch) {
+            this.latch = latch;
+        }
+
+        public int getQoS() {
+            return qoS;
+        }
+
+        public byte[] getPayloadBytes() {
+            return payloadBytes;
+        }
+
+        public CountDownLatch getLatch() {
+            return latch;
+        }
+
+        @Override
+        public void connectionLost(Throwable throwable) {
+        }
+
+        @Override
+        public void messageArrived(String requestTopic, MqttMessage mqttMessage) throws Exception {
+            qoS = mqttMessage.getQos();
+            payloadBytes = mqttMessage.getPayload();
+            latch.countDown();
+        }
+
+        @Override
+        public void deliveryComplete(IMqttDeliveryToken iMqttDeliveryToken) {
+
+        }
+    }
+
+    protected String createTestProvisionMessage(String deviceCredentials) {
+        return "{\"deviceName\":\"Test Provision device\",\"provisionDeviceKey\":\"testProvisionKey\", \"provisionDeviceSecret\":\"testProvisionSecret\"" + deviceCredentials + "}";
+    }
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.mqtt.provision;
+
+import io.netty.handler.codec.mqtt.MqttQoS;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.paho.client.mqttv3.IMqttDeliveryToken;
+import org.eclipse.paho.client.mqttv3.MqttAsyncClient;
+import org.eclipse.paho.client.mqttv3.MqttCallback;
+import org.eclipse.paho.client.mqttv3.MqttMessage;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+import org.thingsboard.server.common.data.TransportPayloadType;
+import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
+import org.thingsboard.server.common.data.device.profile.MqttTopics;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+import org.thingsboard.server.common.data.security.DeviceCredentialsType;
+import org.thingsboard.server.common.msg.EncryptionUtil;
+import org.thingsboard.server.dao.device.DeviceCredentialsService;
+import org.thingsboard.server.dao.device.DeviceService;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
+import org.thingsboard.server.dao.util.mapping.JacksonUtil;
+import org.thingsboard.server.gen.transport.TransportProtos.CredentialsDataProto;
+import org.thingsboard.server.gen.transport.TransportProtos.CredentialsType;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceCredentialsMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateBasicMqttCredRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceTokenRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceX509CertRequestMsg;
+import org.thingsboard.server.mqtt.AbstractMqttIntegrationTest;
+
+import java.util.UUID;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+@Slf4j
+public abstract class AbstractMqttProvisionProtoDeviceTest extends AbstractMqttIntegrationTest {
+
+    @Autowired
+    DeviceCredentialsService deviceCredentialsService;
+
+    @Autowired
+    DeviceService deviceService;
+
+    @After
+    public void afterTest() throws Exception {
+        super.processAfterTest();
+    }
+
+    @Test
+    public void testProvisioningDisabledDevice() throws Exception {
+        processTestProvisioningDisabledDevice();
+    }
+
+    @Test
+    public void testProvisioningCheckPreProvisionedDevice() throws Exception {
+        processTestProvisioningCheckPreProvisionedDevice();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithoutCredentials() throws Exception {
+        processTestProvisioningCreateNewDeviceWithoutCredentials();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithAccessToken() throws Exception {
+        processTestProvisioningCreateNewDeviceWithAccessToken();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithCert() throws Exception {
+        processTestProvisioningCreateNewDeviceWithCert();
+    }
+
+    @Test
+    public void testProvisioningCreateNewDeviceWithMqttBasic() throws Exception {
+        processTestProvisioningCreateNewDeviceWithMqttBasic();
+    }
+
+    @Test
+    public void testProvisioningWithBadKeyDevice() throws Exception {
+        processTestProvisioningWithBadKeyDevice();
+    }
+
+
+    protected void processTestProvisioningDisabledDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.DISABLED, null, null);
+        ProvisionDeviceResponseMsg result = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish().getPayloadBytes());
+        Assert.assertNotNull(result);
+        Assert.assertEquals(ProvisionResponseStatus.NOT_FOUND.name(), result.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningCreateNewDeviceWithoutCredentials() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish().getPayloadBytes());
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().getId(), new UUID(response.getDeviceCredentials().getDeviceIdMSB(), response.getDeviceCredentials().getDeviceIdLSB()));
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.getDeviceCredentials().getCredentialsType().toString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningCreateNewDeviceWithAccessToken() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        CredentialsDataProto requestCredentials = CredentialsDataProto.newBuilder().setValidateDeviceTokenRequestMsg(ValidateDeviceTokenRequestMsg.newBuilder().setToken("test_token").build()).build();
+
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish(createTestsProvisionMessage(CredentialsType.ACCESS_TOKEN, requestCredentials)).getPayloadBytes());
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().getId(), new UUID(response.getDeviceCredentials().getDeviceIdMSB(), response.getDeviceCredentials().getDeviceIdLSB()));
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.getDeviceCredentials().getCredentialsType().toString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(deviceCredentials.getCredentialsType(), DeviceCredentialsType.ACCESS_TOKEN);
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), "test_token");
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningCreateNewDeviceWithCert() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        CredentialsDataProto requestCredentials = CredentialsDataProto.newBuilder().setValidateDeviceX509CertRequestMsg(ValidateDeviceX509CertRequestMsg.newBuilder().setHash("testHash").build()).build();
+
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish(createTestsProvisionMessage(CredentialsType.X509_CERTIFICATE, requestCredentials)).getPayloadBytes());
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().getId(), new UUID(response.getDeviceCredentials().getDeviceIdMSB(), response.getDeviceCredentials().getDeviceIdLSB()));
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.getDeviceCredentials().getCredentialsType().toString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(deviceCredentials.getCredentialsType(), DeviceCredentialsType.X509_CERTIFICATE);
+
+        String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue());
+        String sha3Hash = EncryptionUtil.getSha3Hash(cert);
+
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), sha3Hash);
+
+        Assert.assertEquals(deviceCredentials.getCredentialsValue(), "testHash");
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningCreateNewDeviceWithMqttBasic() throws Exception {
+        super.processBeforeTest("Test Provision device3", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES, "testProvisionKey", "testProvisionSecret");
+        CredentialsDataProto requestCredentials = CredentialsDataProto.newBuilder().setValidateBasicMqttCredRequestMsg(
+                ValidateBasicMqttCredRequestMsg.newBuilder()
+                        .setClientId("test_clientId")
+                        .setUserName("test_username")
+                        .setPassword("test_password")
+                    .build()
+        ).build();
+
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish(createTestsProvisionMessage(CredentialsType.MQTT_BASIC, requestCredentials)).getPayloadBytes());
+
+        Device createdDevice = deviceService.findDeviceByTenantIdAndName(savedTenant.getTenantId(), "Test Provision device");
+
+        Assert.assertNotNull(createdDevice);
+        Assert.assertEquals(createdDevice.getId().getId(), new UUID(response.getDeviceCredentials().getDeviceIdMSB(), response.getDeviceCredentials().getDeviceIdLSB()));
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), createdDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.getDeviceCredentials().getCredentialsType().toString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(deviceCredentials.getCredentialsType(), DeviceCredentialsType.MQTT_BASIC);
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), EncryptionUtil.getSha3Hash("|", "test_clientId", "test_username"));
+
+        BasicMqttCredentials mqttCredentials = new BasicMqttCredentials();
+        mqttCredentials.setClientId("test_clientId");
+        mqttCredentials.setUserName("test_username");
+        mqttCredentials.setPassword("test_password");
+
+        Assert.assertEquals(deviceCredentials.getCredentialsValue(), JacksonUtil.toString(mqttCredentials));
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningCheckPreProvisionedDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.CHECK_PRE_PROVISIONED_DEVICES, "testProvisionKey", "testProvisionSecret");
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish().getPayloadBytes());
+        Assert.assertEquals(savedDevice.getId().getId(), new UUID(response.getDeviceCredentials().getDeviceIdMSB(), response.getDeviceCredentials().getDeviceIdLSB()));
+
+        DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedTenant.getTenantId(), savedDevice.getId());
+
+        Assert.assertEquals(deviceCredentials.getCredentialsType().name(), response.getDeviceCredentials().getCredentialsType().toString());
+        Assert.assertEquals(deviceCredentials.getCredentialsId(), response.getDeviceCredentials().getCredentialsId());
+        Assert.assertEquals(ProvisionResponseStatus.SUCCESS.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected void processTestProvisioningWithBadKeyDevice() throws Exception {
+        super.processBeforeTest("Test Provision device", "Test Provision gateway", TransportPayloadType.PROTOBUF, null, null, DeviceProfileProvisionType.CHECK_PRE_PROVISIONED_DEVICES, "testProvisionKeyOrig", "testProvisionSecret");
+        ProvisionDeviceResponseMsg response = ProvisionDeviceResponseMsg.parseFrom(createMqttClientAndPublish().getPayloadBytes());
+        Assert.assertEquals(ProvisionResponseStatus.NOT_FOUND.name(), response.getProvisionResponseStatus().toString());
+    }
+
+    protected TestMqttCallback createMqttClientAndPublish() throws Exception {
+        byte[] provisionRequestMsg = createTestProvisionMessage();
+        return createMqttClientAndPublish(provisionRequestMsg);
+    }
+
+    protected TestMqttCallback createMqttClientAndPublish(byte[] provisionRequestMsg) throws Exception {
+        MqttAsyncClient client = getMqttAsyncClient("provision");
+        TestMqttCallback onProvisionCallback = getTestMqttCallback();
+        client.setCallback(onProvisionCallback);
+        client.subscribe(MqttTopics.DEVICE_PROVISION_RESPONSE_TOPIC, MqttQoS.AT_MOST_ONCE.value());
+        Thread.sleep(2000);
+        client.publish(MqttTopics.DEVICE_PROVISION_REQUEST_TOPIC, new MqttMessage(provisionRequestMsg));
+        onProvisionCallback.getLatch().await(3, TimeUnit.SECONDS);
+        return onProvisionCallback;
+    }
+
+
+    protected TestMqttCallback getTestMqttCallback() {
+        CountDownLatch latch = new CountDownLatch(1);
+        return new TestMqttCallback(latch);
+    }
+
+
+    protected static class TestMqttCallback implements MqttCallback {
+
+        private final CountDownLatch latch;
+        private Integer qoS;
+        private byte[] payloadBytes;
+
+        TestMqttCallback(CountDownLatch latch) {
+            this.latch = latch;
+        }
+
+        public int getQoS() {
+            return qoS;
+        }
+
+        public byte[] getPayloadBytes() {
+            return payloadBytes;
+        }
+
+        public CountDownLatch getLatch() {
+            return latch;
+        }
+
+        @Override
+        public void connectionLost(Throwable throwable) {
+        }
+
+        @Override
+        public void messageArrived(String requestTopic, MqttMessage mqttMessage) throws Exception {
+            qoS = mqttMessage.getQos();
+            payloadBytes = mqttMessage.getPayload();
+            latch.countDown();
+        }
+
+        @Override
+        public void deliveryComplete(IMqttDeliveryToken iMqttDeliveryToken) {
+
+        }
+    }
+
+    protected byte[] createTestsProvisionMessage(CredentialsType credentialsType, CredentialsDataProto credentialsData) throws Exception {
+        return ProvisionDeviceRequestMsg.newBuilder()
+                .setDeviceName("Test Provision device")
+                .setCredentialsType(credentialsType != null ? credentialsType : CredentialsType.ACCESS_TOKEN)
+                .setCredentialsDataProto(credentialsData != null ? credentialsData: CredentialsDataProto.newBuilder().build())
+                .setProvisionDeviceCredentialsMsg(
+                        ProvisionDeviceCredentialsMsg.newBuilder()
+                                .setProvisionDeviceKey("testProvisionKey")
+                                .setProvisionDeviceSecret("testProvisionSecret")
+                ).build()
+                .toByteArray();
+    }
+
+
+    protected byte[] createTestProvisionMessage() throws Exception {
+        return createTestsProvisionMessage(null, null);
+    }
+
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.mqtt.provision.sql;
+
+import org.thingsboard.server.dao.service.DaoSqlTest;
+import org.thingsboard.server.mqtt.provision.AbstractMqttProvisionJsonDeviceTest;
+
+@DaoSqlTest
+public class MqttProvisionDeviceJsonSqlTest extends AbstractMqttProvisionJsonDeviceTest {
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.mqtt.provision.sql;
+
+import org.thingsboard.server.dao.service.DaoSqlTest;
+import org.thingsboard.server.mqtt.provision.AbstractMqttProvisionProtoDeviceTest;
+
+@DaoSqlTest
+public class MqttProvisionDeviceProtoSqlTest extends AbstractMqttProvisionProtoDeviceTest {
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.dao.device;
+
+import com.google.common.util.concurrent.ListenableFuture;
+import org.thingsboard.server.common.data.Device;
+import org.thingsboard.server.common.data.DeviceProfile;
+import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
+import org.thingsboard.server.dao.device.provision.ProvisionResponse;
+
+public interface DeviceProvisionService {
+
+    ProvisionResponse provisionDevice(ProvisionRequest provisionRequest) throws ProvisionFailedException;
+}

@@ -18,6 +18,7 @@ package org.thingsboard.server.dao.device;
 import com.google.common.util.concurrent.ListenableFuture;
 import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceInfo;
+import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.EntitySubtype;
 import org.thingsboard.server.common.data.device.DeviceSearchQuery;
 import org.thingsboard.server.common.data.id.CustomerId;
@@ -26,6 +27,7 @@ import org.thingsboard.server.common.data.id.DeviceProfileId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.page.PageData;
 import org.thingsboard.server.common.data.page.PageLink;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
 
 import java.util.List;
 
@@ -83,4 +85,6 @@ public interface DeviceService {
 
     Device assignDeviceToTenant(TenantId tenantId, Device device);
 
+    Device saveDevice(ProvisionRequest provisionRequest, DeviceProfile profile);
+
 }

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.dao.device.provision;
+
+public class ProvisionFailedException extends RuntimeException {
+    public ProvisionFailedException(String errorMsg) {
+        super(errorMsg);
+    }
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.dao.device.provision;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import org.thingsboard.server.common.data.device.credentials.ProvisionDeviceCredentialsData;
+import org.thingsboard.server.common.data.device.profile.ProvisionDeviceProfileCredentials;
+import org.thingsboard.server.common.data.security.DeviceCredentialsType;
+
+@Data
+@AllArgsConstructor
+public class ProvisionRequest {
+    private String deviceName;
+    private DeviceCredentialsType credentialsType;
+    private ProvisionDeviceCredentialsData credentialsData;
+    private ProvisionDeviceProfileCredentials credentials;
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.dao.device.provision;
+
+import lombok.Data;
+import org.thingsboard.server.common.data.security.DeviceCredentials;
+
+@Data
+public class ProvisionResponse {
+    private final DeviceCredentials deviceCredentials;
+    private final ProvisionResponseStatus responseStatus;
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.dao.device.provision;
+
+public enum ProvisionResponseStatus {
+    UNKNOWN,
+    SUCCESS,
+    NOT_FOUND,
+    FAILURE
+}

@@ -63,6 +63,8 @@ public class DataConstants {
     public static final String ALARM_CLEAR = "ALARM_CLEAR";
     public static final String ENTITY_ASSIGNED_FROM_TENANT = "ENTITY_ASSIGNED_FROM_TENANT";
     public static final String ENTITY_ASSIGNED_TO_TENANT = "ENTITY_ASSIGNED_TO_TENANT";
+    public static final String PROVISION_SUCCESS = "PROVISION_SUCCESS";
+    public static final String PROVISION_FAILURE = "PROVISION_FAILURE";
 
     public static final String RPC_CALL_FROM_SERVER_TO_DEVICE = "RPC_CALL_FROM_SERVER_TO_DEVICE";
 
@@ -70,4 +72,18 @@ public class DataConstants {
     public static final String SECRET_KEY_FIELD_NAME = "secretKey";
     public static final String DURATION_MS_FIELD_NAME = "durationMs";
 
+    public static final String PROVISION = "provision";
+    public static final String PROVISION_KEY = "provisionDeviceKey";
+    public static final String PROVISION_SECRET = "provisionDeviceSecret";
+
+    public static final String DEVICE_NAME = "deviceName";
+    public static final String DEVICE_TYPE = "deviceType";
+    public static final String CERT_PUB_KEY = "x509CertPubKey";
+    public static final String CREDENTIALS_TYPE = "credentialsType";
+    public static final String TOKEN = "token";
+    public static final String HASH = "hash";
+    public static final String CLIENT_ID = "clientId";
+    public static final String USERNAME = "username";
+    public static final String PASSWORD = "password";
+
 }

@@ -41,10 +41,12 @@ public class DeviceProfile extends SearchTextBased<DeviceProfileId> implements H
     private boolean isDefault;
     private DeviceProfileType type;
     private DeviceTransportType transportType;
+    private DeviceProfileProvisionType provisionType;
     private RuleChainId defaultRuleChainId;
     private transient DeviceProfileData profileData;
     @JsonIgnore
     private byte[] profileDataBytes;
+    private String provisionDeviceKey;
 
     public DeviceProfile() {
         super();
@@ -62,6 +64,7 @@ public class DeviceProfile extends SearchTextBased<DeviceProfileId> implements H
         this.isDefault = deviceProfile.isDefault();
         this.defaultRuleChainId = deviceProfile.getDefaultRuleChainId();
         this.setProfileData(deviceProfile.getProfileData());
+        this.provisionDeviceKey = deviceProfile.getProvisionDeviceKey();
     }
 
     @Override

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data;
+
+public enum DeviceProfileProvisionType {
+    DISABLED,
+    ALLOW_CREATE_NEW_DEVICES,
+    CHECK_PRE_PROVISIONED_DEVICES
+}

@@ -42,7 +42,9 @@ public enum ActionType {
     LOGOUT(false),
     LOCKOUT(false),
     ASSIGNED_FROM_TENANT(false),
-    ASSIGNED_TO_TENANT(false);
+    ASSIGNED_TO_TENANT(false),
+    PROVISION_SUCCESS(false),
+    PROVISION_FAILURE(false);
 
     private final boolean isRead;
 

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.credentials;
+
+import lombok.Data;
+
+@Data
+public class ProvisionDeviceCredentialsData {
+    private final String token;
+    private final String clientId;
+    private final String username;
+    private final String password;
+    private final String x509CertHash;
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.profile;
+
+import lombok.Data;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+
+@Data
+public class AllowCreateNewDevicesDeviceProfileProvisionConfiguration implements DeviceProfileProvisionConfiguration {
+
+    private final String provisionDeviceSecret;
+
+    @Override
+    public DeviceProfileProvisionType getType() {
+        return DeviceProfileProvisionType.ALLOW_CREATE_NEW_DEVICES;
+    }
+
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.profile;
+
+import lombok.Data;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+
+@Data
+public class CheckPreProvisionedDevicesDeviceProfileProvisionConfiguration implements DeviceProfileProvisionConfiguration {
+
+    private final String provisionDeviceSecret;
+
+    @Override
+    public DeviceProfileProvisionType getType() {
+        return DeviceProfileProvisionType.CHECK_PRE_PROVISIONED_DEVICES;
+    }
+
+}

@@ -24,6 +24,7 @@ public class DeviceProfileData {
 
     private DeviceProfileConfiguration configuration;
     private DeviceProfileTransportConfiguration transportConfiguration;
+    private DeviceProfileProvisionConfiguration provisionConfiguration;
     private List<DeviceProfileAlarm> alarms;
 
 }

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.profile;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonSubTypes;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonTypeInfo(
+        use = JsonTypeInfo.Id.NAME,
+        include = JsonTypeInfo.As.PROPERTY,
+        property = "type")
+@JsonSubTypes({
+        @JsonSubTypes.Type(value = DisabledDeviceProfileProvisionConfiguration.class, name = "DISABLED"),
+        @JsonSubTypes.Type(value = AllowCreateNewDevicesDeviceProfileProvisionConfiguration.class, name = "ALLOW_CREATE_NEW_DEVICES"),
+        @JsonSubTypes.Type(value = CheckPreProvisionedDevicesDeviceProfileProvisionConfiguration.class, name = "CHECK_PRE_PROVISIONED_DEVICES")})
+public interface DeviceProfileProvisionConfiguration {
+
+    String getProvisionDeviceSecret();
+
+    @JsonIgnore
+    DeviceProfileProvisionType getType();
+
+}

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.profile;
+
+import lombok.Data;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
+
+@Data
+public class DisabledDeviceProfileProvisionConfiguration implements DeviceProfileProvisionConfiguration {
+
+    private final String provisionDeviceSecret;
+
+    @Override
+    public DeviceProfileProvisionType getType() {
+        return DeviceProfileProvisionType.DISABLED;
+    }
+
+}

@@ -20,6 +20,8 @@ package org.thingsboard.server.common.data.device.profile;
  */
 public class MqttTopics {
 
+    private static final String REQUEST = "/request";
+    private static final String RESPONSE = "/response";
     private static final String RPC = "/rpc";
     private static final String CONNECT = "/connect";
     private static final String DISCONNECT = "/disconnect";
@@ -27,11 +29,13 @@ public class MqttTopics {
     private static final String ATTRIBUTES = "/attributes";
     private static final String CLAIM = "/claim";
     private static final String SUB_TOPIC = "+";
-    private static final String ATTRIBUTES_RESPONSE = "/attributes/response";
-    private static final String ATTRIBUTES_REQUEST = "/attributes/request";
+    private static final String PROVISION = "/provision";
 
-    private static final String DEVICE_RPC_RESPONSE = "/rpc/response/";
-    private static final String DEVICE_RPC_REQUEST = "/rpc/request/";
+    private static final String ATTRIBUTES_RESPONSE = ATTRIBUTES + RESPONSE;
+    private static final String ATTRIBUTES_REQUEST = ATTRIBUTES + REQUEST;
+
+    private static final String DEVICE_RPC_RESPONSE = RPC + RESPONSE + "/";
+    private static final String DEVICE_RPC_REQUEST = RPC + REQUEST + "/";
 
     private static final String DEVICE_ATTRIBUTES_RESPONSE = ATTRIBUTES_RESPONSE + "/";
     private static final String DEVICE_ATTRIBUTES_REQUEST = ATTRIBUTES_REQUEST + "/";
@@ -50,6 +54,8 @@ public class MqttTopics {
     public static final String DEVICE_TELEMETRY_TOPIC = BASE_DEVICE_API_TOPIC + TELEMETRY;
     public static final String DEVICE_CLAIM_TOPIC = BASE_DEVICE_API_TOPIC + CLAIM;
     public static final String DEVICE_ATTRIBUTES_TOPIC = BASE_DEVICE_API_TOPIC + ATTRIBUTES;
+    public static final String DEVICE_PROVISION_REQUEST_TOPIC = PROVISION + REQUEST;
+    public static final String DEVICE_PROVISION_RESPONSE_TOPIC = PROVISION + RESPONSE;
 
     // V1_JSON gateway topics
 

+/**
+ * Copyright © 2016-2020 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.common.data.device.profile;
+
+import lombok.Data;
+
+@Data
+public class ProvisionDeviceProfileCredentials {
+    private final String provisionDeviceKey;
+    private final String provisionDeviceSecret;
+}

@@ -16,5 +16,5 @@
 package org.thingsboard.server.common.msg.session;
 
 public enum FeatureType {
-    ATTRIBUTES, TELEMETRY, RPC, CLAIM
+    ATTRIBUTES, TELEMETRY, RPC, CLAIM, PROVISION
 }

@@ -73,6 +73,12 @@ enum KeyValueType {
   JSON_V = 4;
 }
 
+enum CredentialsType {
+  ACCESS_TOKEN = 0;
+  X509_CERTIFICATE = 1;
+  MQTT_BASIC = 2;
+}
+
 message KeyValueProto {
   string key = 1;
   KeyValueType type = 2;
@@ -241,6 +247,43 @@ message ClaimDeviceMsg {
   int64 durationMs = 4;
 }
 
+message DeviceCredentialsProto {
+  int64 deviceIdMSB = 1;
+  int64 deviceIdLSB = 2;
+  CredentialsType credentialsType = 3;
+  string credentialsId = 4;
+  string credentialsValue = 5;
+}
+
+message CredentialsDataProto {
+  ValidateDeviceTokenRequestMsg validateDeviceTokenRequestMsg = 1;
+  ValidateDeviceX509CertRequestMsg validateDeviceX509CertRequestMsg = 2;
+  ValidateBasicMqttCredRequestMsg validateBasicMqttCredRequestMsg = 3;
+}
+
+message ProvisionDeviceRequestMsg {
+  string deviceName = 1;
+  CredentialsType credentialsType = 2;
+  ProvisionDeviceCredentialsMsg provisionDeviceCredentialsMsg = 3;
+  CredentialsDataProto credentialsDataProto = 4;
+}
+
+message ProvisionDeviceCredentialsMsg {
+  string provisionDeviceKey = 1;
+  string provisionDeviceSecret = 2;
+}
+
+message ProvisionDeviceResponseMsg {
+  DeviceCredentialsProto deviceCredentials = 1;
+  ProvisionResponseStatus provisionResponseStatus = 2;
+}
+
+enum ProvisionResponseStatus {
+  UNKNOWN = 0;
+  SUCCESS = 1;
+  NOT_FOUND = 2;
+  FAILURE = 3;
+}
 //Used to report session state to tb-Service and persist this state in the cache on the tb-Service level.
 message SubscriptionInfoProto {
   int64 lastActivityTime = 1;
@@ -266,6 +309,7 @@ message TransportToDeviceActorMsg {
   ToDeviceRpcResponseMsg toDeviceRPCCallResponse = 6;
   SubscriptionInfoProto subscriptionInfo = 7;
   ClaimDeviceMsg claimDevice = 8;
+  ProvisionDeviceRequestMsg provisionDevice = 9;
 }
 
 message TransportToRuleEngineMsg {
@@ -441,6 +485,7 @@ message TransportApiRequestMsg {
   GetTenantRoutingInfoRequestMsg getTenantRoutingInfoRequestMsg = 4;
   GetDeviceProfileRequestMsg getDeviceProfileRequestMsg = 5;
   ValidateBasicMqttCredRequestMsg validateBasicMqttCredRequestMsg = 6;
+  ProvisionDeviceRequestMsg provisionDeviceRequestMsg = 7;
 }
 
 /* Response from ThingsBoard Core Service to Transport Service */
@@ -449,6 +494,7 @@ message TransportApiResponseMsg {
   GetOrCreateDeviceFromGatewayResponseMsg getOrCreateDeviceResponseMsg = 2;
   GetTenantRoutingInfoResponseMsg getTenantRoutingInfoResponseMsg = 4;
   GetDeviceProfileResponseMsg getDeviceProfileResponseMsg = 5;
+  ProvisionDeviceResponseMsg provisionDeviceResponseMsg = 6;
 }
 
 /* Messages that are handled by ThingsBoard Core Service */
@@ -491,4 +537,5 @@ message ToTransportMsg {
   ToServerRpcResponseMsg toServerResponse = 7;
   DeviceProfileUpdateMsg deviceProfileUpdateMsg = 8;
   DeviceProfileDeleteMsg deviceProfileDeleteMsg = 9;
+  ProvisionDeviceResponseMsg provisionResponse = 10;
 }

@@ -24,6 +24,7 @@ import org.eclipse.californium.core.network.ExchangeObserver;
 import org.eclipse.californium.core.server.resources.CoapExchange;
 import org.eclipse.californium.core.server.resources.Resource;
 import org.springframework.util.ReflectionUtils;
+import org.thingsboard.server.common.data.DataConstants;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.security.DeviceTokenCredentials;
 import org.thingsboard.server.common.msg.session.FeatureType;
@@ -33,9 +34,11 @@ import org.thingsboard.server.common.transport.TransportContext;
 import org.thingsboard.server.common.transport.TransportService;
 import org.thingsboard.server.common.transport.TransportServiceCallback;
 import org.thingsboard.server.common.transport.adaptor.AdaptorException;
+import org.thingsboard.server.common.transport.adaptor.JsonConverter;
 import org.thingsboard.server.common.transport.auth.SessionInfoCreator;
 import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 
 import java.lang.reflect.Field;
 import java.util.List;
@@ -130,10 +133,25 @@ public class CoapTransportResource extends CoapResource {
                 case CLAIM:
                     processRequest(exchange, SessionMsgType.CLAIM_REQUEST);
                     break;
+                case PROVISION:
+                    processProvision(exchange);
+                    break;
             }
         }
     }
 
+    private void processProvision(CoapExchange exchange) {
+        log.trace("Processing {}", exchange.advanced().getRequest());
+        exchange.accept();
+        try {
+            transportService.process(transportContext.getAdaptor().convertToProvisionRequestMsg(UUID.randomUUID(), exchange.advanced().getRequest()),
+                    new DeviceProvisionCallback(exchange));
+        } catch (AdaptorException e) {
+            log.trace("Failed to decode message: ", e);
+            exchange.respond(ResponseCode.BAD_REQUEST);
+        }
+    }
+
     private void processRequest(CoapExchange exchange, SessionMsgType type) {
         log.trace("Processing {}", exchange.advanced().getRequest());
         exchange.accept();
@@ -274,6 +292,8 @@ public class CoapTransportResource extends CoapResource {
         try {
             if (uriPath.size() >= FEATURE_TYPE_POSITION) {
                 return Optional.of(FeatureType.valueOf(uriPath.get(FEATURE_TYPE_POSITION - 1).toUpperCase()));
+            } else if (uriPath.size() == 3 && uriPath.contains(DataConstants.PROVISION)) {
+                return Optional.of(FeatureType.valueOf(DataConstants.PROVISION.toUpperCase()));
             }
         } catch (RuntimeException e) {
             log.warn("Failed to decode feature type: {}", uriPath);
@@ -325,6 +345,25 @@ public class CoapTransportResource extends CoapResource {
         }
     }
 
+    private static class DeviceProvisionCallback implements TransportServiceCallback<ProvisionDeviceResponseMsg> {
+        private final CoapExchange exchange;
+
+        DeviceProvisionCallback(CoapExchange exchange) {
+            this.exchange = exchange;
+        }
+
+        @Override
+        public void onSuccess(TransportProtos.ProvisionDeviceResponseMsg msg) {
+            exchange.respond(JsonConverter.toJson(msg).toString());
+        }
+
+        @Override
+        public void onError(Throwable e) {
+            log.warn("Failed to process request", e);
+            exchange.respond(ResponseCode.INTERNAL_SERVER_ERROR);
+        }
+    }
+
     private static class CoapOkCallback implements TransportServiceCallback<Void> {
         private final CoapExchange exchange;
 

@@ -19,6 +19,7 @@ import org.eclipse.californium.core.coap.Request;
 import org.eclipse.californium.core.coap.Response;
 import org.thingsboard.server.common.transport.adaptor.AdaptorException;
 import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
 import org.thingsboard.server.transport.coap.CoapTransportResource;
 
 import java.util.UUID;
@@ -45,4 +46,6 @@ public interface CoapTransportAdaptor {
 
     Response convertToPublish(CoapTransportResource.CoapSessionListener coapSessionListener, TransportProtos.ToServerRpcResponseMsg msg) throws AdaptorException;
 
+    ProvisionDeviceRequestMsg convertToProvisionRequestMsg(UUID sessionId, Request inbound) throws AdaptorException;
+
 }

@@ -124,6 +124,16 @@ public class JsonCoapAdaptor implements CoapTransportAdaptor {
     }
 
     @Override
+    public TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(UUID sessionId, Request inbound) throws AdaptorException {
+        String payload = validatePayload(sessionId, inbound, false);
+        try {
+            return JsonConverter.convertToProvisionRequestMsg(payload);
+        } catch (IllegalStateException | JsonSyntaxException ex) {
+            throw new AdaptorException(ex);
+        }
+    }
+
+    @Override
     public Response convertToPublish(CoapTransportResource.CoapSessionListener session, TransportProtos.GetAttributeResponseMsg msg) throws AdaptorException {
         if (msg.getClientAttributeListCount() == 0 && msg.getSharedAttributeListCount() == 0) {
             return new Response(CoAP.ResponseCode.NOT_FOUND);

@@ -44,6 +44,7 @@ import org.thingsboard.server.gen.transport.TransportProtos.AttributeUpdateNotif
 import org.thingsboard.server.gen.transport.TransportProtos.DeviceInfoProto;
 import org.thingsboard.server.gen.transport.TransportProtos.GetAttributeRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.GetAttributeResponseMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.SessionCloseNotificationProto;
 import org.thingsboard.server.gen.transport.TransportProtos.SessionInfoProto;
 import org.thingsboard.server.gen.transport.TransportProtos.SubscribeToAttributeUpdatesMsg;
@@ -203,6 +204,14 @@ public class DeviceApiController {
         return responseWriter;
     }
 
+    @RequestMapping(value = "/provision", method = RequestMethod.POST)
+    public DeferredResult<ResponseEntity> provisionDevice(@RequestBody String json, HttpServletRequest httpRequest) {
+        DeferredResult<ResponseEntity> responseWriter = new DeferredResult<>();
+        transportContext.getTransportService().process(JsonConverter.convertToProvisionRequestMsg(json),
+                new DeviceProvisionCallback(responseWriter));
+        return responseWriter;
+    }
+
     private static class DeviceAuthCallback implements TransportServiceCallback<ValidateDeviceCredentialsResponse> {
         private final TransportContext transportContext;
         private final DeferredResult<ResponseEntity> responseWriter;
@@ -230,6 +239,25 @@ public class DeviceApiController {
         }
     }
 
+    private static class DeviceProvisionCallback implements TransportServiceCallback<ProvisionDeviceResponseMsg> {
+        private final DeferredResult<ResponseEntity> responseWriter;
+
+        DeviceProvisionCallback(DeferredResult<ResponseEntity> responseWriter) {
+            this.responseWriter = responseWriter;
+        }
+
+        @Override
+        public void onSuccess(ProvisionDeviceResponseMsg msg) {
+            responseWriter.setResult(new ResponseEntity<>(JsonConverter.toJson(msg).toString(), HttpStatus.OK));
+        }
+
+        @Override
+        public void onError(Throwable e) {
+            log.warn("Failed to process request", e);
+            responseWriter.setResult(new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+        }
+    }
+
     private static class SessionCloseOnErrorCallback implements TransportServiceCallback<Void> {
         private final TransportService transportService;
         private final SessionInfoProto sessionInfo;

@@ -16,6 +16,7 @@
 package org.thingsboard.server.transport.mqtt;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import com.google.gson.JsonParseException;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelInboundHandlerAdapter;
 import io.netty.handler.codec.mqtt.MqttConnAckMessage;
@@ -38,8 +39,10 @@ import io.netty.util.ReferenceCountUtil;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
 import lombok.extern.slf4j.Slf4j;
+import org.thingsboard.server.common.data.DataConstants;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.DeviceTransportType;
+import org.thingsboard.server.common.data.TransportPayloadType;
 import org.thingsboard.server.common.data.device.profile.MqttTopics;
 import org.thingsboard.server.common.msg.EncryptionUtil;
 import org.thingsboard.server.common.transport.SessionMsgListener;
@@ -51,6 +54,7 @@ import org.thingsboard.server.common.transport.auth.TransportDeviceInfo;
 import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 import org.thingsboard.server.common.transport.service.DefaultTransportService;
 import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.SessionEvent;
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceX509CertRequestMsg;
 import org.thingsboard.server.transport.mqtt.adaptors.MqttTransportAdaptor;
@@ -68,11 +72,12 @@ import java.util.List;
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
-import java.util.Date;
+import java.util.concurrent.TimeUnit;
 
 import static io.netty.handler.codec.mqtt.MqttConnectReturnCode.CONNECTION_ACCEPTED;
 import static io.netty.handler.codec.mqtt.MqttConnectReturnCode.CONNECTION_REFUSED_NOT_AUTHORIZED;
 import static io.netty.handler.codec.mqtt.MqttMessageType.CONNACK;
+import static io.netty.handler.codec.mqtt.MqttMessageType.CONNECT;
 import static io.netty.handler.codec.mqtt.MqttMessageType.PINGRESP;
 import static io.netty.handler.codec.mqtt.MqttMessageType.PUBACK;
 import static io.netty.handler.codec.mqtt.MqttMessageType.SUBACK;
@@ -130,10 +135,58 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
             return;
         }
         deviceSessionCtx.setChannel(ctx);
+        if (CONNECT.equals(msg.fixedHeader().messageType())) {
+            processConnect(ctx, (MqttConnectMessage) msg);
+        } else if (deviceSessionCtx.isProvisionOnly()) {
+            processProvisionSessionMsg(ctx, msg);
+        } else {
+            processRegularSessionMsg(ctx, msg);
+        }
+    }
+
+    private void processProvisionSessionMsg(ChannelHandlerContext ctx, MqttMessage msg) {
         switch (msg.fixedHeader().messageType()) {
-            case CONNECT:
-                processConnect(ctx, (MqttConnectMessage) msg);
+            case PUBLISH:
+                MqttPublishMessage mqttMsg = (MqttPublishMessage) msg;
+                String topicName = mqttMsg.variableHeader().topicName();
+                int msgId = mqttMsg.variableHeader().packetId();
+                try {
+                    if (topicName.equals(MqttTopics.DEVICE_PROVISION_REQUEST_TOPIC)) {
+                        try {
+                            TransportProtos.ProvisionDeviceRequestMsg provisionRequestMsg = deviceSessionCtx.getContext().getJsonMqttAdaptor().convertToProvisionRequestMsg(deviceSessionCtx, mqttMsg);
+                            transportService.process(provisionRequestMsg, new DeviceProvisionCallback(ctx, msgId, provisionRequestMsg));
+                            log.trace("[{}][{}] Processing provision publish msg [{}][{}]!", sessionId, deviceSessionCtx.getDeviceId(), topicName, msgId);
+                        } catch (Exception e) {
+                            if (e instanceof JsonParseException || (e.getCause() != null && e.getCause() instanceof JsonParseException)) {
+                                TransportProtos.ProvisionDeviceRequestMsg provisionRequestMsg = deviceSessionCtx.getContext().getProtoMqttAdaptor().convertToProvisionRequestMsg(deviceSessionCtx, mqttMsg);
+                                transportService.process(provisionRequestMsg, new DeviceProvisionCallback(ctx, msgId, provisionRequestMsg));
+                                deviceSessionCtx.setProvisionPayloadType(TransportPayloadType.PROTOBUF);
+                                log.trace("[{}][{}] Processing provision publish msg [{}][{}]!", sessionId, deviceSessionCtx.getDeviceId(), topicName, msgId);
+                            } else {
+                                throw e;
+                            }
+                        }
+                    } else {
+                        throw new RuntimeException("Unsupported topic for provisioning requests!");
+                    }
+                } catch (RuntimeException | AdaptorException e) {
+                    log.warn("[{}] Failed to process publish msg [{}][{}]", sessionId, topicName, msgId, e);
+                    ctx.close();
+                }
                 break;
+            case PINGREQ:
+                ctx.writeAndFlush(new MqttMessage(new MqttFixedHeader(PINGRESP, false, AT_MOST_ONCE, false, 0)));
+                break;
+            case DISCONNECT:
+                if (checkConnected(ctx, msg)) {
+                    processDisconnect(ctx);
+                }
+                break;
+        }
+    }
+
+    private void processRegularSessionMsg(ChannelHandlerContext ctx, MqttMessage msg) {
+        switch (msg.fixedHeader().messageType()) {
             case PUBLISH:
                 processPublish(ctx, (MqttPublishMessage) msg);
                 break;
@@ -257,6 +310,42 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
         };
     }
 
+    private class DeviceProvisionCallback implements TransportServiceCallback<ProvisionDeviceResponseMsg> {
+        private final ChannelHandlerContext ctx;
+        private final int msgId;
+        private final TransportProtos.ProvisionDeviceRequestMsg msg;
+
+        DeviceProvisionCallback(ChannelHandlerContext ctx, int msgId, TransportProtos.ProvisionDeviceRequestMsg msg) {
+            this.ctx = ctx;
+            this.msgId = msgId;
+            this.msg = msg;
+        }
+
+        @Override
+        public void onSuccess(TransportProtos.ProvisionDeviceResponseMsg provisionResponseMsg) {
+            log.trace("[{}] Published msg: {}", sessionId, msg);
+            if (msgId > 0) {
+                ctx.writeAndFlush(createMqttPubAckMsg(msgId));
+            }
+            try {
+                if (deviceSessionCtx.getProvisionPayloadType().equals(TransportPayloadType.JSON)) {
+                    deviceSessionCtx.getContext().getJsonMqttAdaptor().convertToPublish(deviceSessionCtx, provisionResponseMsg).ifPresent(deviceSessionCtx.getChannel()::writeAndFlush);
+                } else {
+                    deviceSessionCtx.getContext().getProtoMqttAdaptor().convertToPublish(deviceSessionCtx, provisionResponseMsg).ifPresent(deviceSessionCtx.getChannel()::writeAndFlush);
+                }
+                transportService.getSchedulerExecutor().schedule(() -> processDisconnect(ctx), 60, TimeUnit.SECONDS);
+            } catch (Exception e) {
+                log.trace("[{}] Failed to convert device attributes response to MQTT msg", sessionId, e);
+            }
+        }
+
+        @Override
+        public void onError(Throwable e) {
+            log.trace("[{}] Failed to publish msg: {}", sessionId, msg, e);
+            processDisconnect(ctx);
+        }
+    }
+
     private void processSubscribe(ChannelHandlerContext ctx, MqttSubscribeMessage mqttMsg) {
         if (!checkConnected(ctx, mqttMsg)) {
             return;
@@ -286,6 +375,7 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
                     case MqttTopics.GATEWAY_ATTRIBUTES_TOPIC:
                     case MqttTopics.GATEWAY_RPC_TOPIC:
                     case MqttTopics.GATEWAY_ATTRIBUTES_RESPONSE_TOPIC:
+                    case MqttTopics.DEVICE_PROVISION_RESPONSE_TOPIC:
                         registerSubQoS(topic, grantedQoSList, reqQoS);
                         break;
                     default:
@@ -351,11 +441,18 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
 
     private void processConnect(ChannelHandlerContext ctx, MqttConnectMessage msg) {
         log.info("[{}] Processing connect msg for client: {}!", sessionId, msg.payload().clientIdentifier());
-        X509Certificate cert;
-        if (sslHandler != null && (cert = getX509Certificate()) != null) {
-            processX509CertConnect(ctx, cert);
+        String userName = msg.payload().userName();
+        String clientId = msg.payload().clientIdentifier();
+        if (DataConstants.PROVISION.equals(userName) || DataConstants.PROVISION.equals(clientId)) {
+            deviceSessionCtx.setProvisionOnly(true);
+            ctx.writeAndFlush(createMqttConnAckMsg(CONNECTION_ACCEPTED));
         } else {
-            processAuthTokenConnect(ctx, msg);
+            X509Certificate cert;
+            if (sslHandler != null && (cert = getX509Certificate()) != null) {
+                processX509CertConnect(ctx, cert);
+            } else {
+                processAuthTokenConnect(ctx, msg);
+            }
         }
     }
 
@@ -387,7 +484,7 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement
 
     private void processX509CertConnect(ChannelHandlerContext ctx, X509Certificate cert) {
         try {
-            if(!context.isSkipValidityCheckForClientCert()){
+            if (!context.isSkipValidityCheckForClientCert()) {
                 cert.checkValidity();
             }
             String strCert = SslUtil.getX509CertificateString(cert);

@@ -88,6 +88,16 @@ public class JsonMqttAdaptor implements MqttTransportAdaptor {
     }
 
     @Override
+    public TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(MqttDeviceAwareSessionContext ctx, MqttPublishMessage inbound) throws AdaptorException {
+        String payload = validatePayload(ctx.getSessionId(), inbound.payload(), false);
+        try {
+            return JsonConverter.convertToProvisionRequestMsg(payload);
+        } catch (IllegalStateException | JsonSyntaxException ex) {
+            throw new AdaptorException(ex);
+        }
+    }
+
+    @Override
     public TransportProtos.GetAttributeRequestMsg convertToGetAttributes(MqttDeviceAwareSessionContext ctx, MqttPublishMessage inbound) throws AdaptorException {
         return processGetAttributeRequestMsg(inbound, MqttTopics.DEVICE_ATTRIBUTES_REQUEST_TOPIC_PREFIX);
     }
@@ -138,6 +148,11 @@ public class JsonMqttAdaptor implements MqttTransportAdaptor {
         return Optional.of(createMqttPublishMsg(ctx, MqttTopics.DEVICE_RPC_RESPONSE_TOPIC + rpcResponse.getRequestId(), JsonConverter.toJson(rpcResponse)));
     }
 
+    @Override
+    public Optional<MqttMessage> convertToPublish(MqttDeviceAwareSessionContext ctx, TransportProtos.ProvisionDeviceResponseMsg provisionResponse) {
+        return Optional.of(createMqttPublishMsg(ctx, MqttTopics.DEVICE_PROVISION_RESPONSE_TOPIC, JsonConverter.toJson(provisionResponse)));
+    }
+
     public static JsonElement validateJsonPayload(UUID sessionId, ByteBuf payloadData) throws AdaptorException {
         String payload = validatePayload(sessionId, payloadData, false);
         try {

@@ -24,6 +24,8 @@ import org.thingsboard.server.gen.transport.TransportProtos.GetAttributeRequestM
 import org.thingsboard.server.gen.transport.TransportProtos.GetAttributeResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.PostAttributeMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.PostTelemetryMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToDeviceRpcRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToDeviceRpcResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToServerRpcRequestMsg;
@@ -63,4 +65,8 @@ public interface MqttTransportAdaptor {
 
     Optional<MqttMessage> convertToPublish(MqttDeviceAwareSessionContext ctx, ToServerRpcResponseMsg rpcResponse) throws AdaptorException;
 
+    ProvisionDeviceRequestMsg convertToProvisionRequestMsg(MqttDeviceAwareSessionContext ctx, MqttPublishMessage inbound) throws AdaptorException;
+
+    Optional<MqttMessage> convertToPublish(MqttDeviceAwareSessionContext ctx, ProvisionDeviceResponseMsg provisionResponse) throws AdaptorException;
+
 }

@@ -32,6 +32,7 @@ import org.thingsboard.server.common.transport.adaptor.AdaptorException;
 import org.thingsboard.server.common.transport.adaptor.ProtoConverter;
 import org.thingsboard.server.gen.transport.TransportApiProtos;
 import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.transport.mqtt.session.MqttDeviceAwareSessionContext;
 
 import java.util.Optional;
@@ -109,6 +110,17 @@ public class ProtoMqttAdaptor implements MqttTransportAdaptor {
     }
 
     @Override
+    public TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(MqttDeviceAwareSessionContext ctx, MqttPublishMessage mqttMsg) throws AdaptorException {
+        byte[] bytes = toBytes(mqttMsg.payload());
+        String topicName = mqttMsg.variableHeader().topicName();
+        try {
+            return ProtoConverter.convertToProvisionRequestMsg(bytes);
+        } catch (InvalidProtocolBufferException ex) {
+            throw new AdaptorException(ex);
+        }
+    }
+
+    @Override
     public Optional<MqttMessage> convertToPublish(MqttDeviceAwareSessionContext ctx, TransportProtos.GetAttributeResponseMsg responseMsg) throws AdaptorException {
         if (!StringUtils.isEmpty(responseMsg.getError())) {
             throw new AdaptorException(responseMsg.getError());
@@ -140,6 +152,11 @@ public class ProtoMqttAdaptor implements MqttTransportAdaptor {
     }
 
     @Override
+    public Optional<MqttMessage> convertToPublish(MqttDeviceAwareSessionContext ctx, TransportProtos.ProvisionDeviceResponseMsg provisionResponse) {
+        return Optional.of(createMqttPublishMsg(ctx, MqttTopics.DEVICE_PROVISION_RESPONSE_TOPIC, provisionResponse.toByteArray()));
+    }
+
+    @Override
     public Optional<MqttMessage> convertToGatewayPublish(MqttDeviceAwareSessionContext ctx, String deviceName, TransportProtos.GetAttributeResponseMsg responseMsg) throws AdaptorException {
         if (!StringUtils.isEmpty(responseMsg.getError())) {
             throw new AdaptorException(responseMsg.getError());

@@ -17,6 +17,7 @@ package org.thingsboard.server.transport.mqtt.session;
 
 import io.netty.channel.ChannelHandlerContext;
 import lombok.Getter;
+import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.DeviceTransportType;
@@ -46,10 +47,18 @@ public class DeviceSessionCtx extends MqttDeviceAwareSessionContext {
 
     private final AtomicInteger msgIdSeq = new AtomicInteger(0);
 
+    @Getter
+    @Setter
+    private boolean provisionOnly = false;
+
     private volatile MqttTopicFilter telemetryTopicFilter = MqttTopicFilterFactory.getDefaultTelemetryFilter();
     private volatile MqttTopicFilter attributesTopicFilter = MqttTopicFilterFactory.getDefaultAttributesFilter();
     private volatile TransportPayloadType payloadType = TransportPayloadType.JSON;
 
+    @Getter
+    @Setter
+    private TransportPayloadType provisionPayloadType = payloadType;
+
     public DeviceSessionCtx(UUID sessionId, ConcurrentMap<MqttTopicMatcher, Integer> mqttQoSMap, MqttTransportContext context) {
         super(sessionId, mqttQoSMap);
         this.context = context;

@@ -27,6 +27,8 @@ import org.thingsboard.server.gen.transport.TransportProtos.GetTenantRoutingInfo
 import org.thingsboard.server.gen.transport.TransportProtos.GetTenantRoutingInfoResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.PostAttributeMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.PostTelemetryMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.SessionEventMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.SessionInfoProto;
 import org.thingsboard.server.gen.transport.TransportProtos.SubscribeToAttributeUpdatesMsg;
@@ -38,6 +40,8 @@ import org.thingsboard.server.gen.transport.TransportProtos.ValidateBasicMqttCre
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceTokenRequestMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceX509CertRequestMsg;
 
+import java.util.concurrent.ScheduledExecutorService;
+
 /**
  * Created by ashvayka on 04.10.18.
  */
@@ -57,6 +61,9 @@ public interface TransportService {
     void process(GetOrCreateDeviceFromGatewayRequestMsg msg,
                  TransportServiceCallback<GetOrCreateDeviceFromGatewayResponse> callback);
 
+    void process(ProvisionDeviceRequestMsg msg,
+                 TransportServiceCallback<ProvisionDeviceResponseMsg> callback);
+
     void getDeviceProfile(DeviceProfileId deviceProfileId, TransportServiceCallback<DeviceProfile> callback);
 
     void onProfileUpdate(DeviceProfile deviceProfile);
@@ -83,6 +90,8 @@ public interface TransportService {
 
     void process(SessionInfoProto sessionInfo, ClaimDeviceMsg msg, TransportServiceCallback<Void> callback);
 
+    ScheduledExecutorService getSchedulerExecutor();
+
     void registerAsyncSession(SessionInfoProto sessionInfo, SessionMsgListener listener);
 
     void registerSyncSession(SessionInfoProto sessionInfo, SessionMsgListener listener, long timeout);
@@ -90,5 +99,4 @@ public interface TransportService {
     void reportActivity(SessionInfoProto sessionInfo);
 
     void deregisterSession(SessionInfoProto sessionInfo);
-
 }

@@ -37,13 +37,19 @@ import org.thingsboard.server.common.data.kv.StringDataEntry;
 import org.thingsboard.server.gen.transport.TransportProtos;
 import org.thingsboard.server.gen.transport.TransportProtos.AttributeUpdateNotificationMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ClaimDeviceMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.CredentialsType;
 import org.thingsboard.server.gen.transport.TransportProtos.GetAttributeResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.KeyValueProto;
 import org.thingsboard.server.gen.transport.TransportProtos.KeyValueType;
 import org.thingsboard.server.gen.transport.TransportProtos.PostAttributeMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.PostTelemetryMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionResponseStatus;
 import org.thingsboard.server.gen.transport.TransportProtos.TsKvListProto;
 import org.thingsboard.server.gen.transport.TransportProtos.TsKvProto;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateBasicMqttCredRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceTokenRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ValidateDeviceX509CertRequestMsg;
 
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -53,6 +59,7 @@ import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
 import java.util.TreeMap;
+import java.util.UUID;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
@@ -397,6 +404,36 @@ public class JsonConverter {
         }
     }
 
+    public static JsonObject toJson(ProvisionDeviceResponseMsg payload) {
+        return toJson(payload, false, 0);
+    }
+
+    public static JsonObject toJson(ProvisionDeviceResponseMsg payload, int requestId) {
+        return toJson(payload, true, requestId);
+    }
+
+    private static JsonObject toJson(ProvisionDeviceResponseMsg payload, boolean toGateway, int requestId) {
+        JsonObject result = new JsonObject();
+        if (payload.getProvisionResponseStatus() == TransportProtos.ProvisionResponseStatus.NOT_FOUND) {
+            result.addProperty("errorMsg", "Provision data was not found!");
+            result.addProperty("provisionDeviceStatus", ProvisionResponseStatus.NOT_FOUND.name());
+        } else if (payload.getProvisionResponseStatus() == TransportProtos.ProvisionResponseStatus.FAILURE) {
+            result.addProperty("errorMsg", "Failed to provision device!");
+            result.addProperty("provisionDeviceStatus", ProvisionResponseStatus.FAILURE.name());
+        } else {
+            if (toGateway) {
+                result.addProperty("id", requestId);
+            }
+            result.addProperty("deviceId", new UUID(payload.getDeviceCredentials().getDeviceIdMSB(), payload.getDeviceCredentials().getDeviceIdLSB()).toString());
+            result.addProperty("credentialsType", payload.getDeviceCredentials().getCredentialsType().name());
+            result.addProperty("credentialsId", payload.getDeviceCredentials().getCredentialsId());
+            result.addProperty("credentialsValue",
+                    StringUtils.isEmpty(payload.getDeviceCredentials().getCredentialsValue()) ? null : payload.getDeviceCredentials().getCredentialsValue());
+            result.addProperty("provisionDeviceStatus", ProvisionResponseStatus.SUCCESS.name());
+        }
+        return result;
+    }
+
     public static JsonElement toErrorJson(String errorMsg) {
         JsonObject error = new JsonObject();
         error.addProperty("error", errorMsg);
@@ -410,6 +447,13 @@ public class JsonConverter {
         return result;
     }
 
+    public static JsonElement toGatewayJson(String deviceName, TransportProtos.ProvisionDeviceResponseMsg responseRequest) {
+        JsonObject result = new JsonObject();
+        result.addProperty(DEVICE_PROPERTY, deviceName);
+        result.add("data", JsonConverter.toJson(responseRequest));
+        return result;
+    }
+
     public static Set<AttributeKvEntry> convertToAttributes(JsonElement element) {
         Set<AttributeKvEntry> result = new HashSet<>();
         long ts = System.currentTimeMillis();
@@ -498,4 +542,55 @@ public class JsonConverter {
         maxStringValueLength = length;
     }
 
+    public static TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(String json) {
+        JsonElement jsonElement = new JsonParser().parse(json);
+        if (jsonElement.isJsonObject()) {
+            return buildProvisionRequestMsg(jsonElement.getAsJsonObject());
+        } else {
+            throw new JsonSyntaxException(CAN_T_PARSE_VALUE + jsonElement);
+        }
+    }
+
+    public static TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(JsonObject jo) {
+        return buildProvisionRequestMsg(jo);
+    }
+
+    private static TransportProtos.ProvisionDeviceRequestMsg buildProvisionRequestMsg(JsonObject jo) {
+        return TransportProtos.ProvisionDeviceRequestMsg.newBuilder()
+                .setDeviceName(getStrValue(jo, DataConstants.DEVICE_NAME, true))
+                .setCredentialsType(jo.get(DataConstants.CREDENTIALS_TYPE) != null ? TransportProtos.CredentialsType.valueOf(getStrValue(jo, DataConstants.CREDENTIALS_TYPE, false)) : CredentialsType.ACCESS_TOKEN)
+                .setCredentialsDataProto(TransportProtos.CredentialsDataProto.newBuilder()
+                        .setValidateDeviceTokenRequestMsg(ValidateDeviceTokenRequestMsg.newBuilder().setToken(getStrValue(jo, DataConstants.TOKEN, false)).build())
+                        .setValidateBasicMqttCredRequestMsg(ValidateBasicMqttCredRequestMsg.newBuilder()
+                                .setClientId(getStrValue(jo, DataConstants.CLIENT_ID, false))
+                                .setUserName(getStrValue(jo, DataConstants.USERNAME, false))
+                                .setPassword(getStrValue(jo, DataConstants.PASSWORD, false))
+                                .build())
+                        .setValidateDeviceX509CertRequestMsg(ValidateDeviceX509CertRequestMsg.newBuilder()
+                                .setHash(getStrValue(jo, DataConstants.HASH, false)).build())
+                        .build())
+                .setProvisionDeviceCredentialsMsg(buildProvisionDeviceCredentialsMsg(
+                        getStrValue(jo, DataConstants.PROVISION_KEY, true),
+                        getStrValue(jo, DataConstants.PROVISION_SECRET, true)))
+                .build();
+    }
+
+    private static TransportProtos.ProvisionDeviceCredentialsMsg buildProvisionDeviceCredentialsMsg(String provisionKey, String provisionSecret) {
+        return TransportProtos.ProvisionDeviceCredentialsMsg.newBuilder()
+                .setProvisionDeviceKey(provisionKey)
+                .setProvisionDeviceSecret(provisionSecret)
+                .build();
+    }
+
+
+    private static String getStrValue(JsonObject jo, String field, boolean requiredField) {
+        if (jo.has(field)) {
+            return jo.get(field).getAsString();
+        } else {
+            if (requiredField) {
+                throw new RuntimeException("Failed to find the field " + field + " in JSON body " + jo + "!");
+            }
+            return "";
+        }
+    }
 }

@@ -130,6 +130,9 @@ public class ProtoConverter {
         }
     }
 
+    public static TransportProtos.ProvisionDeviceRequestMsg convertToProvisionRequestMsg(byte[] bytes) throws InvalidProtocolBufferException {
+        return TransportProtos.ProvisionDeviceRequestMsg.parseFrom(bytes);
+    }
 
     private static List<TransportProtos.KeyValueProto> validateKeyValueProtos(List<TransportProtos.KeyValueProto> kvList) {
         kvList.forEach(keyValueProto -> {

@@ -34,7 +34,6 @@ import org.thingsboard.server.common.data.id.DeviceProfileId;
 import org.thingsboard.server.common.data.id.RuleChainId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.msg.TbMsg;
-import org.thingsboard.server.common.msg.TbMsgDataType;
 import org.thingsboard.server.common.msg.TbMsgMetaData;
 import org.thingsboard.server.common.msg.queue.ServiceQueue;
 import org.thingsboard.server.common.msg.queue.ServiceType;
@@ -49,9 +48,10 @@ import org.thingsboard.server.common.transport.TransportServiceCallback;
 import org.thingsboard.server.common.transport.auth.GetOrCreateDeviceFromGatewayResponse;
 import org.thingsboard.server.common.transport.auth.TransportDeviceInfo;
 import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
-import org.thingsboard.server.common.transport.util.DataDecodingEncodingService;
 import org.thingsboard.server.common.transport.util.JsonUtils;
 import org.thingsboard.server.gen.transport.TransportProtos;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceRequestMsg;
+import org.thingsboard.server.gen.transport.TransportProtos.ProvisionDeviceResponseMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToCoreMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToRuleEngineMsg;
 import org.thingsboard.server.gen.transport.TransportProtos.ToTransportMsg;
@@ -75,11 +75,9 @@ import org.thingsboard.server.common.stats.StatsType;
 
 import javax.annotation.PostConstruct;
 import javax.annotation.PreDestroy;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Random;
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
@@ -91,7 +89,6 @@ import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
-import java.util.function.Function;
 
 /**
  * Created by ashvayka on 17.10.18.
@@ -235,6 +232,11 @@ public class DefaultTransportService implements TransportService {
     }
 
     @Override
+    public ScheduledExecutorService getSchedulerExecutor(){
+        return this.schedulerExecutor;
+    }
+
+    @Override
     public void registerAsyncSession(TransportProtos.SessionInfoProto sessionInfo, SessionMsgListener listener) {
         sessions.putIfAbsent(toSessionId(sessionInfo), new SessionMetaData(sessionInfo, TransportProtos.SessionType.ASYNC, listener));
     }
@@ -333,6 +335,16 @@ public class DefaultTransportService implements TransportService {
     }
 
     @Override
+    public void process(ProvisionDeviceRequestMsg requestMsg, TransportServiceCallback<ProvisionDeviceResponseMsg> callback) {
+        log.trace("Processing msg: {}", requestMsg);
+        TbProtoQueueMsg<TransportApiRequestMsg> protoMsg = new TbProtoQueueMsg<>(UUID.randomUUID(), TransportApiRequestMsg.newBuilder().setProvisionDeviceRequestMsg(requestMsg).build());
+        ListenableFuture<ProvisionDeviceResponseMsg> response = Futures.transform(transportApiRequestTemplate.send(protoMsg), tmp ->
+            tmp.getValue().getProvisionDeviceResponseMsg()
+        , MoreExecutors.directExecutor());
+        AsyncCallbackTemplate.withCallback(response, callback::onSuccess, callback::onError, transportCallbackExecutor);
+    }
+
+    @Override
     public void process(TransportProtos.SessionInfoProto sessionInfo, TransportProtos.SubscriptionInfoProto msg, TransportServiceCallback<Void> callback) {
         if (log.isTraceEnabled()) {
             log.trace("[{}] Processing msg: {}", toSessionId(sessionInfo), msg);

@@ -47,6 +47,7 @@ import org.thingsboard.server.common.data.security.DeviceCredentials;
 import org.thingsboard.server.dao.audit.sink.AuditLogSink;
 import org.thingsboard.server.dao.entity.EntityService;
 import org.thingsboard.server.dao.exception.DataValidationException;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
 import org.thingsboard.server.dao.service.DataValidator;
 
 import java.io.PrintWriter;
@@ -257,6 +258,13 @@ public class AuditLogServiceImpl implements AuditLogService {
                 actionData.put("os", os);
                 actionData.put("device", device);
                 break;
+            case PROVISION_SUCCESS:
+            case PROVISION_FAILURE:
+                ProvisionRequest request = extractParameter(ProvisionRequest.class, additionalInfo);
+                if (request != null) {
+                    actionData.set("provisionRequest", objectMapper.valueToTree(request));
+                }
+                break;
         }
         return actionData;
     }

@@ -214,5 +214,4 @@ public interface DeviceDao extends Dao<Device> {
      * @return the list of device objects
      */
     PageData<Device> findDevicesByTenantIdAndProfileId(UUID tenantId, UUID profileId, PageLink pageLink);
-
 }

@@ -38,5 +38,7 @@ public interface DeviceProfileDao extends Dao<DeviceProfile> {
 
     DeviceProfileInfo findDefaultDeviceProfileInfo(TenantId tenantId);
 
+    DeviceProfile findByProvisionDeviceKey(String provisionDeviceKey);
+
     DeviceProfile findByName(TenantId tenantId, String profileName);
 }

@@ -26,6 +26,7 @@ import org.springframework.stereotype.Service;
 import org.thingsboard.server.common.data.Device;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.DeviceProfileInfo;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
 import org.thingsboard.server.common.data.DeviceProfileType;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.EntitySubtype;
@@ -33,6 +34,7 @@ import org.thingsboard.server.common.data.Tenant;
 import org.thingsboard.server.common.data.device.profile.DefaultDeviceProfileConfiguration;
 import org.thingsboard.server.common.data.device.profile.DefaultDeviceProfileTransportConfiguration;
 import org.thingsboard.server.common.data.device.profile.DeviceProfileData;
+import org.thingsboard.server.common.data.device.profile.DisabledDeviceProfileProvisionConfiguration;
 import org.thingsboard.server.common.data.id.DeviceProfileId;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.page.PageData;
@@ -112,6 +114,8 @@ public class DeviceProfileServiceImpl extends AbstractEntityService implements D
             ConstraintViolationException e = extractConstraintViolationException(t).orElse(null);
             if (e != null && e.getConstraintName() != null && e.getConstraintName().equalsIgnoreCase("device_profile_name_unq_key")) {
                 throw new DataValidationException("Device profile with such name already exists!");
+            } else if (e != null && e.getConstraintName() != null && e.getConstraintName().equalsIgnoreCase("device_provision_key_unq_key")) {
+                    throw new DataValidationException("Device profile with such provision device key already exists!");
             } else {
                 throw t;
             }
@@ -210,12 +214,15 @@ public class DeviceProfileServiceImpl extends AbstractEntityService implements D
         deviceProfile.setName(profileName);
         deviceProfile.setType(DeviceProfileType.DEFAULT);
         deviceProfile.setTransportType(DeviceTransportType.DEFAULT);
+        deviceProfile.setProvisionType(DeviceProfileProvisionType.DISABLED);
         deviceProfile.setDescription("Default device profile");
         DeviceProfileData deviceProfileData = new DeviceProfileData();
         DefaultDeviceProfileConfiguration configuration = new DefaultDeviceProfileConfiguration();
         DefaultDeviceProfileTransportConfiguration transportConfiguration = new DefaultDeviceProfileTransportConfiguration();
+        DisabledDeviceProfileProvisionConfiguration provisionConfiguration = new DisabledDeviceProfileProvisionConfiguration(null);
         deviceProfileData.setConfiguration(configuration);
         deviceProfileData.setTransportConfiguration(transportConfiguration);
+        deviceProfileData.setProvisionConfiguration(provisionConfiguration);
         deviceProfile.setProfileData(deviceProfileData);
         return saveDeviceProfile(deviceProfile);
     }

@@ -40,6 +40,7 @@ import org.thingsboard.server.common.data.EntityType;
 import org.thingsboard.server.common.data.EntityView;
 import org.thingsboard.server.common.data.Tenant;
 import org.thingsboard.server.common.data.device.DeviceSearchQuery;
+import org.thingsboard.server.common.data.device.credentials.BasicMqttCredentials;
 import org.thingsboard.server.common.data.device.data.DefaultDeviceConfiguration;
 import org.thingsboard.server.common.data.device.data.DefaultDeviceTransportConfiguration;
 import org.thingsboard.server.common.data.device.data.DeviceData;
@@ -57,6 +58,9 @@ import org.thingsboard.server.common.data.relation.EntitySearchDirection;
 import org.thingsboard.server.common.data.security.DeviceCredentials;
 import org.thingsboard.server.common.data.security.DeviceCredentialsType;
 import org.thingsboard.server.dao.customer.CustomerDao;
+import org.thingsboard.server.dao.device.provision.ProvisionFailedException;
+import org.thingsboard.server.dao.device.provision.ProvisionRequest;
+import org.thingsboard.server.dao.device.provision.ProvisionResponseStatus;
 import org.thingsboard.server.dao.entity.AbstractEntityService;
 import org.thingsboard.server.dao.entityview.EntityViewService;
 import org.thingsboard.server.dao.event.EventService;
@@ -64,6 +68,7 @@ import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.dao.service.DataValidator;
 import org.thingsboard.server.dao.service.PaginatedRemover;
 import org.thingsboard.server.dao.tenant.TenantDao;
+import org.thingsboard.server.dao.util.mapping.JacksonUtil;
 
 import javax.annotation.Nullable;
 import java.util.ArrayList;
@@ -466,6 +471,50 @@ public class DeviceServiceImpl extends AbstractEntityService implements DeviceSe
         return doSaveDevice(device, null);
     }
 
+    @Override
+    @CacheEvict(cacheNames = DEVICE_CACHE, key = "{#profile.tenantId, #provisionRequest.deviceName}")
+    @Transactional
+    public Device saveDevice(ProvisionRequest provisionRequest, DeviceProfile profile) {
+        Device device = new Device();
+        device.setName(provisionRequest.getDeviceName());
+        device.setType(profile.getName());
+        device.setTenantId(profile.getTenantId());
+        Device savedDevice = saveDevice(device);
+        if (!StringUtils.isEmpty(provisionRequest.getCredentialsData().getToken()) ||
+                !StringUtils.isEmpty(provisionRequest.getCredentialsData().getX509CertHash()) ||
+                !StringUtils.isEmpty(provisionRequest.getCredentialsData().getUsername()) ||
+                !StringUtils.isEmpty(provisionRequest.getCredentialsData().getPassword()) ||
+                !StringUtils.isEmpty(provisionRequest.getCredentialsData().getClientId())) {
+            DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByDeviceId(savedDevice.getTenantId(), savedDevice.getId());
+            if (deviceCredentials == null) {
+                deviceCredentials = new DeviceCredentials();
+            }
+            deviceCredentials.setDeviceId(savedDevice.getId());
+            deviceCredentials.setCredentialsType(provisionRequest.getCredentialsType());
+            switch (provisionRequest.getCredentialsType()) {
+                case ACCESS_TOKEN:
+                    deviceCredentials.setCredentialsId(provisionRequest.getCredentialsData().getToken());
+                    break;
+                case MQTT_BASIC:
+                    BasicMqttCredentials mqttCredentials = new BasicMqttCredentials();
+                    mqttCredentials.setClientId(provisionRequest.getCredentialsData().getClientId());
+                    mqttCredentials.setUserName(provisionRequest.getCredentialsData().getUsername());
+                    mqttCredentials.setPassword(provisionRequest.getCredentialsData().getPassword());
+                    deviceCredentials.setCredentialsValue(JacksonUtil.toString(mqttCredentials));
+                    break;
+                case X509_CERTIFICATE:
+                    deviceCredentials.setCredentialsValue(provisionRequest.getCredentialsData().getX509CertHash());
+                    break;
+            }
+            try {
+                deviceCredentialsService.updateDeviceCredentials(savedDevice.getTenantId(), deviceCredentials);
+            } catch (Exception e) {
+                throw new ProvisionFailedException(ProvisionResponseStatus.FAILURE.name());
+            }
+        }
+        return savedDevice;
+    }
+
     private DataValidator<Device> deviceValidator =
             new DataValidator<Device>() {
 

@@ -169,10 +169,12 @@ public class ModelConstants {
     public static final String DEVICE_PROFILE_NAME_PROPERTY = "name";
     public static final String DEVICE_PROFILE_TYPE_PROPERTY = "type";
     public static final String DEVICE_PROFILE_TRANSPORT_TYPE_PROPERTY = "transport_type";
+    public static final String DEVICE_PROFILE_PROVISION_TYPE_PROPERTY = "provision_type";
     public static final String DEVICE_PROFILE_PROFILE_DATA_PROPERTY = "profile_data";
     public static final String DEVICE_PROFILE_DESCRIPTION_PROPERTY = "description";
     public static final String DEVICE_PROFILE_IS_DEFAULT_PROPERTY = "is_default";
     public static final String DEVICE_PROFILE_DEFAULT_RULE_CHAIN_ID_PROPERTY = "default_rule_chain_id";
+    public static final String DEVICE_PROFILE_PROVISION_DEVICE_KEY = "provision_device_key";
 
     /**
      * Cassandra entityView constants.

@@ -23,6 +23,7 @@ import org.hibernate.annotations.Type;
 import org.hibernate.annotations.TypeDef;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.DeviceProfileType;
+import org.thingsboard.server.common.data.DeviceProfileProvisionType;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.common.data.device.profile.DeviceProfileData;
 import org.thingsboard.server.common.data.id.DeviceProfileId;
@@ -62,6 +63,10 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
     @Column(name = ModelConstants.DEVICE_PROFILE_TRANSPORT_TYPE_PROPERTY)
     private DeviceTransportType transportType;
 
+    @Enumerated(EnumType.STRING)
+    @Column(name = ModelConstants.DEVICE_PROFILE_PROVISION_TYPE_PROPERTY)
+    private DeviceProfileProvisionType provisionType;
+
     @Column(name = ModelConstants.DEVICE_PROFILE_DESCRIPTION_PROPERTY)
     private String description;
 
@@ -78,6 +83,9 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
     @Column(name = ModelConstants.DEVICE_PROFILE_PROFILE_DATA_PROPERTY, columnDefinition = "jsonb")
     private JsonNode profileData;
 
+    @Column(name=ModelConstants.DEVICE_PROFILE_PROVISION_DEVICE_KEY)
+    private String provisionDeviceKey;
+
     public DeviceProfileEntity() {
         super();
     }
@@ -93,12 +101,14 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
         this.name = deviceProfile.getName();
         this.type = deviceProfile.getType();
         this.transportType = deviceProfile.getTransportType();
+        this.provisionType = deviceProfile.getProvisionType();
         this.description = deviceProfile.getDescription();
         this.isDefault = deviceProfile.isDefault();
         this.profileData = JacksonUtil.convertValue(deviceProfile.getProfileData(), ObjectNode.class);
         if (deviceProfile.getDefaultRuleChainId() != null) {
             this.defaultRuleChainId = deviceProfile.getDefaultRuleChainId().getId();
         }
+        this.provisionDeviceKey = deviceProfile.getProvisionDeviceKey();
     }
 
     @Override
@@ -125,12 +135,14 @@ public final class DeviceProfileEntity extends BaseSqlEntity<DeviceProfile> impl
         deviceProfile.setName(name);
         deviceProfile.setType(type);
         deviceProfile.setTransportType(transportType);
+        deviceProfile.setProvisionType(provisionType);
         deviceProfile.setDescription(description);
         deviceProfile.setDefault(isDefault);
         deviceProfile.setProfileData(JacksonUtil.convertValue(profileData, DeviceProfileData.class));
         if (defaultRuleChainId != null) {
             deviceProfile.setDefaultRuleChainId(new RuleChainId(defaultRuleChainId));
         }
+        deviceProfile.setProvisionDeviceKey(provisionDeviceKey);
         return deviceProfile;
     }
 }

@@ -20,7 +20,6 @@ import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.PagingAndSortingRepository;
 import org.springframework.data.repository.query.Param;
-import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.data.DeviceProfileInfo;
 import org.thingsboard.server.common.data.DeviceTransportType;
 import org.thingsboard.server.dao.model.sql.DeviceProfileEntity;
@@ -66,4 +65,5 @@ public interface DeviceProfileRepository extends PagingAndSortingRepository<Devi
 
     DeviceProfileEntity findByTenantIdAndName(UUID id, String profileName);
 
+    DeviceProfileEntity findByProvisionDeviceKey(@Param("provisionDeviceKey") String provisionDeviceKey);
 }

@@ -168,5 +168,4 @@ public interface DeviceRepository extends PagingAndSortingRepository<DeviceEntit
     DeviceEntity findByTenantIdAndId(UUID tenantId, UUID id);
 
     Long countByDeviceProfileId(UUID deviceProfileId);
-
 }

@@ -92,6 +92,11 @@ public class JpaDeviceProfileDao extends JpaAbstractSearchTextDao<DeviceProfileE
     }
 
     @Override
+    public DeviceProfile findByProvisionDeviceKey(String provisionDeviceKey) {
+        return DaoUtil.getData(deviceProfileRepository.findByProvisionDeviceKey(provisionDeviceKey));
+    }
+
+    @Override
     public DeviceProfile findByName(TenantId tenantId, String profileName) {
         return DaoUtil.getData(deviceProfileRepository.findByTenantIdAndName(tenantId.getId(), profileName));
     }

@@ -163,13 +163,16 @@ CREATE TABLE IF NOT EXISTS device_profile (
     name varchar(255),
     type varchar(255),
     transport_type varchar(255),
+    provision_type varchar(255),
     profile_data jsonb,
     description varchar,
     search_text varchar(255),
     is_default boolean,
     tenant_id uuid,
     default_rule_chain_id uuid,
+    provision_device_key varchar,
     CONSTRAINT device_profile_name_unq_key UNIQUE (tenant_id, name),
+    CONSTRAINT device_provision_key_unq_key UNIQUE (provision_device_key),
     CONSTRAINT fk_default_rule_chain_device_profile FOREIGN KEY (default_rule_chain_id) REFERENCES rule_chain(id)
 );
 

@@ -181,13 +181,16 @@ CREATE TABLE IF NOT EXISTS device_profile (
     name varchar(255),
     type varchar(255),
     transport_type varchar(255),
+    provision_type varchar(255),
     profile_data jsonb,
     description varchar,
     search_text varchar(255),
     is_default boolean,
     tenant_id uuid,
     default_rule_chain_id uuid,
+    provision_device_key varchar,
     CONSTRAINT device_profile_name_unq_key UNIQUE (tenant_id, name),
+    CONSTRAINT device_provision_key_unq_key UNIQUE (provision_device_key),
     CONSTRAINT fk_default_rule_chain_device_profile FOREIGN KEY (default_rule_chain_id) REFERENCES rule_chain(id)
 );
 

@@ -105,6 +105,7 @@ import { AlarmRuleConditionComponent } from './profile/alarm/alarm-rule-conditio
 import { FilterTextComponent } from './filter/filter-text.component';
 import { AddDeviceProfileDialogComponent } from './profile/add-device-profile-dialog.component';
 import { RuleChainAutocompleteComponent } from './rule-chain/rule-chain-autocomplete.component';
+import { DeviceProfileProvisionConfigurationComponent } from "./profile/device-profile-provision-configuration.component";
 import { AlarmScheduleComponent } from './profile/alarm/alarm-schedule.component';
 import { DeviceWizardDialogComponent } from './wizard/device-wizard-dialog.component';
 import { DeviceCredentialsComponent } from './device/device-credentials.component';
@@ -202,6 +203,7 @@ import { AlarmRuleConditionDialogComponent } from '@home/components/profile/alar
       AddDeviceProfileDialogComponent,
       RuleChainAutocompleteComponent,
       AlarmScheduleInfoComponent,
+      DeviceProfileProvisionConfigurationComponent,
       AlarmScheduleComponent,
       DeviceWizardDialogComponent,
       DeviceCredentialsComponent,
@@ -290,7 +292,9 @@ import { AlarmRuleConditionDialogComponent } from '@home/components/profile/alar
     AlarmScheduleInfoComponent,
     AlarmScheduleComponent,
     AlarmScheduleDialogComponent,
-    EditAlarmDetailsDialogComponent
+    EditAlarmDetailsDialogComponent,
+    DeviceProfileProvisionConfigurationComponent,
+    AlarmScheduleComponent
   ],
   providers: [
     WidgetComponentService,

@@ -96,6 +96,14 @@
           </tb-device-profile-alarms>
         </form>
       </mat-step>
+      <mat-step [stepControl]="provisionConfigFormGroup" [optional]="true">
+        <form [formGroup]="provisionConfigFormGroup" style="padding-bottom: 16px;">
+          <ng-template matStepLabel>{{ 'device-profile.device-provisioning' | translate }}</ng-template>
+          <tb-device-profile-provision-configuration
+            formControlName="provisionConfiguration">
+          </tb-device-profile-provision-configuration>
+        </form>
+      </mat-step>
     </mat-horizontal-stepper>
   </div>
   <div mat-dialog-actions fxLayout="column" fxLayoutAlign="start wrap" fxLayoutGap="8px" style="height: 100px;">

@@ -36,7 +36,10 @@ import {
   DeviceProfile,
   DeviceProfileType,
   deviceProfileTypeTranslationMap,
-  DeviceTransportType, deviceTransportTypeHintMap,
+  DeviceProvisionConfiguration,
+  DeviceProvisionType,
+  DeviceTransportType,
+  deviceTransportTypeHintMap,
   deviceTransportTypeTranslationMap
 } from '@shared/models/device.models';
 import { DeviceProfileService } from '@core/http/device-profile.service';
@@ -84,6 +87,8 @@ export class AddDeviceProfileDialogComponent extends
 
   alarmRulesFormGroup: FormGroup;
 
+  provisionConfigFormGroup: FormGroup;
+
   constructor(protected store: Store<AppState>,
               protected router: Router,
               @Inject(MAT_DIALOG_DATA) public data: AddDeviceProfileDialogData,
@@ -118,6 +123,14 @@ export class AddDeviceProfileDialogComponent extends
         alarms: [null]
       }
     );
+
+    this.provisionConfigFormGroup = this.fb.group(
+      {
+        provisionConfiguration: [{
+          type: DeviceProvisionType.DISABLED
+        } as DeviceProvisionConfiguration, [Validators.required]]
+      }
+    );
   }
 
   private deviceProfileTransportTypeChanged() {
@@ -138,7 +151,7 @@ export class AddDeviceProfileDialogComponent extends
   }
 
   nextStep() {
-    if (this.selectedIndex < 2) {
+    if (this.selectedIndex < 3) {
       this.addDeviceProfileStepper.next();
     } else {
       this.add();
@@ -153,20 +166,28 @@ export class AddDeviceProfileDialogComponent extends
         return this.transportConfigFormGroup;
       case 2:
         return this.alarmRulesFormGroup;
+      case 3:
+        return this.provisionConfigFormGroup;
     }
   }
 
   add(): void {
     if (this.allValid()) {
+      const deviceProvisionConfiguration: DeviceProvisionConfiguration = this.provisionConfigFormGroup.get('provisionConfiguration').value;
+      const provisionDeviceKey = deviceProvisionConfiguration.provisionDeviceKey;
+      delete deviceProvisionConfiguration.provisionDeviceKey;
       const deviceProfile: DeviceProfile = {
         name: this.deviceProfileDetailsFormGroup.get('name').value,
         type: this.deviceProfileDetailsFormGroup.get('type').value,
         transportType: this.transportConfigFormGroup.get('transportType').value,
+        provisionType: deviceProvisionConfiguration.type,
+        provisionDeviceKey,
         description: this.deviceProfileDetailsFormGroup.get('description').value,
         profileData: {
           configuration: createDeviceProfileConfiguration(DeviceProfileType.DEFAULT),
           transportConfiguration: this.transportConfigFormGroup.get('transportConfiguration').value,
-          alarms: this.alarmRulesFormGroup.get('alarms').value
+          alarms: this.alarmRulesFormGroup.get('alarms').value,
+          provisionConfiguration: deviceProvisionConfiguration
         }
       };
       if (this.deviceProfileDetailsFormGroup.get('defaultRuleChainId').value) {
@@ -188,6 +209,8 @@ export class AddDeviceProfileDialogComponent extends
         return 'device-profile.transport-configuration';
       case 2:
         return 'device-profile.alarm-rules';
+      case 3:
+        return 'device-profile.device-provisioning';
     }
   }
 

+<!--
+
+    Copyright © 2016-2020 The Thingsboard Authors
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<div [formGroup]="provisionConfigurationFormGroup">
+  <mat-form-field class="mat-block">
+    <mat-label translate>device-profile.provision-strategy</mat-label>
+    <mat-select formControlName="type" required>
+      <mat-option *ngFor="let type of deviceProvisionTypes" [value]="type">
+        {{deviceProvisionTypeTranslateMap.get(type) | translate}}
+      </mat-option>
+    </mat-select>
+    <mat-error *ngIf="provisionConfigurationFormGroup.get('type').hasError('required')">
+      {{ 'device-profile.provision-strategy-required' | translate }}
+    </mat-error>
+  </mat-form-field>
+  <section *ngIf="provisionConfigurationFormGroup.get('type').value !== deviceProvisionType.DISABLED" fxLayoutGap.gt-xs="8px" fxLayout="row" fxLayout.xs="column">
+    <mat-form-field fxFlex class="mat-block">
+      <mat-label translate>device-profile.provision-device-key</mat-label>
+      <input matInput formControlName="provisionDeviceKey" required/>
+      <mat-error *ngIf="provisionConfigurationFormGroup.get('provisionDeviceKey').hasError('required')">
+        {{ 'device-profile.provision-device-key-required' | translate }}
+      </mat-error>
+    </mat-form-field>
+    <mat-form-field fxFlex class="mat-block">
+      <mat-label translate>device-profile.provision-device-secret</mat-label>
+      <input matInput formControlName="provisionDeviceSecret" required/>
+      <mat-error *ngIf="provisionConfigurationFormGroup.get('provisionDeviceSecret').hasError('required')">
+        {{ 'device-profile.provision-device-secret-required' | translate }}
+      </mat-error>
+    </mat-form-field>
+  </section>
+</div>

+///
+/// Copyright © 2016-2020 The Thingsboard Authors
+///
+/// Licensed under the Apache License, Version 2.0 (the "License");
+/// you may not use this file except in compliance with the License.
+/// You may obtain a copy of the License at
+///
+///     http://www.apache.org/licenses/LICENSE-2.0
+///
+/// Unless required by applicable law or agreed to in writing, software
+/// distributed under the License is distributed on an "AS IS" BASIS,
+/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+/// See the License for the specific language governing permissions and
+/// limitations under the License.
+///
+
+import { Component, forwardRef, Input, OnInit } from "@angular/core";
+import {
+  ControlValueAccessor,
+  FormBuilder,
+  FormControl,
+  FormGroup,
+  NG_VALIDATORS,
+  NG_VALUE_ACCESSOR,
+  ValidationErrors,
+  Validator,
+  Validators
+} from "@angular/forms";
+import { coerceBooleanProperty } from "@angular/cdk/coercion";
+import {
+  DeviceProvisionConfiguration,
+  DeviceProvisionType,
+  deviceProvisionTypeTranslationMap
+} from "@shared/models/device.models";
+import { isDefinedAndNotNull } from "@core/utils";
+
+@Component({
+  selector: 'tb-device-profile-provision-configuration',
+  templateUrl: './device-profile-provision-configuration.component.html',
+  styleUrls: [],
+  providers: [
+    {
+      provide: NG_VALUE_ACCESSOR,
+      useExisting: forwardRef(() => DeviceProfileProvisionConfigurationComponent),
+      multi: true
+    },
+    {
+      provide: NG_VALIDATORS,
+      useExisting: forwardRef(() => DeviceProfileProvisionConfigurationComponent),
+      multi: true,
+    }
+  ]
+})
+export class DeviceProfileProvisionConfigurationComponent implements ControlValueAccessor, OnInit, Validator {
+
+  provisionConfigurationFormGroup: FormGroup;
+
+  deviceProvisionType = DeviceProvisionType;
+  deviceProvisionTypes = Object.keys(DeviceProvisionType);
+  deviceProvisionTypeTranslateMap = deviceProvisionTypeTranslationMap;
+
+  private requiredValue: boolean;
+  get required(): boolean {
+    return this.requiredValue;
+  }
+  @Input()
+  set required(value: boolean) {
+    this.requiredValue = coerceBooleanProperty(value);
+  }
+
+  @Input()
+  disabled: boolean;
+
+  private propagateChange = (v: any) => { };
+
+  constructor(private fb: FormBuilder) {
+  }
+
+  ngOnInit(): void {
+    this.provisionConfigurationFormGroup = this.fb.group({
+      type: [DeviceProvisionType.DISABLED, Validators.required],
+      provisionDeviceSecret: [{value: null, disabled: true}, Validators.required],
+      provisionDeviceKey: [{value: null, disabled: true}, Validators.required]
+    });
+    this.provisionConfigurationFormGroup.get('type').valueChanges.subscribe((type) => {
+      if (type === DeviceProvisionType.DISABLED) {
+        this.provisionConfigurationFormGroup.get('provisionDeviceSecret').disable({emitEvent: false});
+        this.provisionConfigurationFormGroup.get('provisionDeviceSecret').patchValue(null,{emitEvent: false});
+        this.provisionConfigurationFormGroup.get('provisionDeviceKey').disable({emitEvent: false});
+        this.provisionConfigurationFormGroup.get('provisionDeviceKey').patchValue(null);
+      } else {
+        this.provisionConfigurationFormGroup.get('provisionDeviceSecret').enable({emitEvent: false});
+        this.provisionConfigurationFormGroup.get('provisionDeviceKey').enable({emitEvent: false});
+      }
+    });
+    this.provisionConfigurationFormGroup.valueChanges.subscribe(() => {
+      this.updateModel();
+    });
+  }
+
+  registerOnChange(fn: any): void {
+    this.propagateChange = fn;
+  }
+
+  registerOnTouched(fn: any): void {
+  }
+
+  writeValue(value: DeviceProvisionConfiguration | null): void {
+    if (isDefinedAndNotNull(value)){
+      this.provisionConfigurationFormGroup.patchValue(value, {emitEvent: false});
+    } else {
+      this.provisionConfigurationFormGroup.patchValue({type: DeviceProvisionType.DISABLED});
+    }
+  }
+
+  setDisabledState(isDisabled: boolean){
+    this.disabled = isDisabled;
+    if (this.disabled){
+      this.provisionConfigurationFormGroup.disable();
+    } else {
+      this.provisionConfigurationFormGroup.enable({emitEvent: false});
+    }
+  }
+
+  validate(c: FormControl): ValidationErrors | null {
+    return (this.provisionConfigurationFormGroup.valid) ? null : {
+      provisionConfiguration: {
+        valid: false,
+      },
+    };
+  }
+
+  private updateModel(): void {
+    let deviceProvisionConfiguration: DeviceProvisionConfiguration = null;
+    if (this.provisionConfigurationFormGroup.valid) {
+      deviceProvisionConfiguration = this.provisionConfigurationFormGroup.getRawValue();
+    }
+    this.propagateChange(deviceProvisionConfiguration);
+  }
+}

@@ -24,13 +24,15 @@ import { EntityTableConfig } from '@home/models/entity/entities-table-config.mod
 import { EntityComponent } from '../entity/entity.component';
 import {
   createDeviceProfileConfiguration,
+  createDeviceProfileTransportConfiguration,
   DeviceProfile,
   DeviceProfileData,
   DeviceProfileType,
   deviceProfileTypeTranslationMap,
+  DeviceProvisionConfiguration,
+  DeviceProvisionType,
   DeviceTransportType,
-  deviceTransportTypeTranslationMap,
-  createDeviceProfileTransportConfiguration
+  deviceTransportTypeTranslationMap
 } from '@shared/models/device.models';
 import { EntityType } from '@shared/models/entity-type.models';
 import { RuleChainId } from '@shared/models/id/rule-chain-id';
@@ -72,15 +74,23 @@ export class DeviceProfileComponent extends EntityComponent<DeviceProfile> {
   }
 
   buildForm(entity: DeviceProfile): FormGroup {
+    const deviceProvisionConfiguration: DeviceProvisionConfiguration = {
+      type: entity?.provisionType ? entity?.provisionType : DeviceProvisionType.DISABLED,
+      provisionDeviceKey: entity?.provisionDeviceKey,
+      provisionDeviceSecret: entity?.profileData?.provisionConfiguration?.provisionDeviceSecret
+    };
     const form = this.fb.group(
       {
         name: [entity ? entity.name : '', [Validators.required]],
         type: [entity ? entity.type : null, [Validators.required]],
         transportType: [entity ? entity.transportType : null, [Validators.required]],
+        provisionType: [deviceProvisionConfiguration.type, [Validators.required]],
+        provisionDeviceKey: [deviceProvisionConfiguration.provisionDeviceKey],
         profileData: this.fb.group({
           configuration: [entity && !this.isAdd ? entity.profileData?.configuration : {}, Validators.required],
           transportConfiguration: [entity && !this.isAdd ? entity.profileData?.transportConfiguration : {}, Validators.required],
-          alarms: [entity && !this.isAdd ? entity.profileData?.alarms : []]
+          alarms: [entity && !this.isAdd ? entity.profileData?.alarms : []],
+          provisionConfiguration: [deviceProvisionConfiguration, Validators.required]
         }),
         defaultRuleChainId: [entity && entity.defaultRuleChainId ? entity.defaultRuleChainId.id : null, []],
         description: [entity ? entity.description : '', []],
@@ -100,6 +110,7 @@ export class DeviceProfileComponent extends EntityComponent<DeviceProfile> {
     if (entity && !entity.id) {
       form.get('type').patchValue(DeviceProfileType.DEFAULT, {emitEvent: true});
       form.get('transportType').patchValue(DeviceTransportType.DEFAULT, {emitEvent: true});
+      form.get('provisionType').patchValue(DeviceProvisionType.DISABLED, {emitEvent: true});
     }
   }
 
@@ -130,10 +141,22 @@ export class DeviceProfileComponent extends EntityComponent<DeviceProfile> {
   }
 
   updateForm(entity: DeviceProfile) {
+    const deviceProvisionConfiguration: DeviceProvisionConfiguration = {
+      type: entity?.provisionType ? entity?.provisionType : DeviceProvisionType.DISABLED,
+      provisionDeviceKey: entity?.provisionDeviceKey,
+      provisionDeviceSecret: entity?.profileData?.provisionConfiguration?.provisionDeviceSecret
+    };
     this.entityForm.patchValue({name: entity.name});
     this.entityForm.patchValue({type: entity.type}, {emitEvent: false});
     this.entityForm.patchValue({transportType: entity.transportType}, {emitEvent: false});
-    this.entityForm.patchValue({profileData: entity.profileData});
+    this.entityForm.patchValue({provisionType: entity.provisionType}, {emitEvent: false});
+    this.entityForm.patchValue({provisionDeviceKey: entity.provisionDeviceKey}, {emitEvent: false});
+    this.entityForm.patchValue({profileData: {
+      configuration: entity.profileData?.configuration,
+      transportConfiguration: entity.profileData?.transportConfiguration,
+      alarms: entity.profileData?.alarms,
+      provisionConfiguration: deviceProvisionConfiguration
+    }});
     this.entityForm.patchValue({defaultRuleChainId: entity.defaultRuleChainId ? entity.defaultRuleChainId.id : null});
     this.entityForm.patchValue({description: entity.description});
   }
@@ -142,6 +165,10 @@ export class DeviceProfileComponent extends EntityComponent<DeviceProfile> {
     if (formValue.defaultRuleChainId) {
       formValue.defaultRuleChainId = new RuleChainId(formValue.defaultRuleChainId);
     }
+    const deviceProvisionConfiguration: DeviceProvisionConfiguration = formValue.profileData.provisionConfiguration;
+    formValue.provisionType = deviceProvisionConfiguration.type;
+    formValue.provisionDeviceKey = deviceProvisionConfiguration.provisionDeviceKey;
+    delete deviceProvisionConfiguration.provisionDeviceKey;
     return super.prepareFormValue(formValue);
   }
 

@@ -121,6 +121,14 @@
           </tb-device-profile-alarms>
         </form>
       </mat-step>
+      <mat-step [stepControl]="provisionConfigFormGroup" [optional]="true" *ngIf="createProfile">
+        <form [formGroup]="provisionConfigFormGroup" style="padding-bottom: 16px;">
+          <ng-template matStepLabel>{{ 'device-profile.device-provisioning' | translate }}</ng-template>
+          <tb-device-profile-provision-configuration
+            formControlName="provisionConfiguration">
+          </tb-device-profile-provision-configuration>
+        </form>
+      </mat-step>
       <mat-step [stepControl]="credentialsFormGroup" [optional]="true">
         <ng-template matStepLabel>{{ 'device.credentials' | translate }}</ng-template>
         <form [formGroup]="credentialsFormGroup" style="padding-bottom: 16px;">

@@ -25,7 +25,7 @@ import {
   createDeviceProfileConfiguration,
   createDeviceProfileTransportConfiguration,
   DeviceProfile,
-  DeviceProfileType,
+  DeviceProfileType, DeviceProvisionConfiguration, DeviceProvisionType,
   DeviceTransportType, deviceTransportTypeConfigurationInfoMap, deviceTransportTypeHintMap,
   deviceTransportTypeTranslationMap
 } from '@shared/models/device.models';
@@ -75,6 +75,8 @@ export class DeviceWizardDialogComponent extends
 
   alarmRulesFormGroup: FormGroup;
 
+  provisionConfigFormGroup: FormGroup;
+
   credentialsFormGroup: FormGroup;
 
   customerFormGroup: FormGroup;
@@ -142,6 +144,14 @@ export class DeviceWizardDialogComponent extends
       }
     );
 
+    this.provisionConfigFormGroup = this.fb.group(
+      {
+        provisionConfiguration: [{
+          type: DeviceProvisionType.DISABLED
+        } as DeviceProvisionConfiguration, [Validators.required]]
+      }
+    );
+
     this.credentialsFormGroup  = this.fb.group({
         setCredential: [false],
         credential: [{value: null, disabled: true}]
@@ -201,7 +211,7 @@ export class DeviceWizardDialogComponent extends
   getFormLabel(index: number): string {
     if (index > 0) {
       if (!this.createProfile) {
-        index += 2;
+        index += 3;
       } else if (!this.createTransportConfiguration) {
         index += 1;
       }
@@ -214,8 +224,10 @@ export class DeviceWizardDialogComponent extends
       case 2:
         return 'device-profile.alarm-rules';
       case 3:
-        return 'device.credentials';
+        return 'device-profile.device-provisioning';
       case 4:
+        return 'device.credentials';
+      case 5:
         return 'customer.customer';
     }
   }
@@ -246,14 +258,20 @@ export class DeviceWizardDialogComponent extends
 
   private createDeviceProfile(): Observable<EntityId> {
     if (this.deviceWizardFormGroup.get('addProfileType').value) {
+      const deviceProvisionConfiguration: DeviceProvisionConfiguration = this.provisionConfigFormGroup.get('provisionConfiguration').value;
+      const provisionDeviceKey = deviceProvisionConfiguration.provisionDeviceKey;
+      delete deviceProvisionConfiguration.provisionDeviceKey;
       const deviceProfile: DeviceProfile = {
         name: this.deviceWizardFormGroup.get('newDeviceProfileTitle').value,
         type: DeviceProfileType.DEFAULT,
         transportType: this.deviceWizardFormGroup.get('transportType').value,
+        provisionType: deviceProvisionConfiguration.type,
+        provisionDeviceKey,
         profileData: {
           configuration: createDeviceProfileConfiguration(DeviceProfileType.DEFAULT),
           transportConfiguration: this.transportConfigFormGroup.get('transportConfiguration').value,
-          alarms: this.alarmRulesFormGroup.get('alarms').value
+          alarms: this.alarmRulesFormGroup.get('alarms').value,
+          provisionConfiguration: deviceProvisionConfiguration
         }
       };
       return this.deviceProfileService.saveDeviceProfile(deviceProfile).pipe(

@@ -50,6 +50,15 @@
     </div>
   </div>
 </mat-tab>
+<mat-tab *ngIf="entity"
+         label="{{ 'device-profile.device-provisioning' | translate }}" #deviceProvisioning="matTab">
+  <div class="mat-padding" [formGroup]="detailsForm">
+    <div formGroupName="profileData">
+      <tb-device-profile-provision-configuration formControlName="provisionConfiguration">
+      </tb-device-profile-provision-configuration>
+    </div>
+  </div>
+</mat-tab>
 <mat-tab *ngIf="false"
          label="{{'device-profile.profile-configuration' | translate }}" #deviceProfile="matTab">
   <div class="mat-padding" [formGroup]="detailsForm">

@@ -43,6 +43,12 @@ export enum MqttTransportPayloadType {
   PROTOBUF = 'PROTOBUF'
 }
 
+export enum DeviceProvisionType {
+  DISABLED = 'DISABLED',
+  ALLOW_CREATE_NEW_DEVICES = 'ALLOW_CREATE_NEW_DEVICES',
+  CHECK_PRE_PROVISIONED_DEVICES = 'CHECK_PRE_PROVISIONED_DEVICES'
+}
+
 export interface DeviceConfigurationFormInfo {
   hasProfileConfiguration: boolean;
   hasDeviceConfiguration: boolean;
@@ -74,6 +80,15 @@ export const deviceTransportTypeTranslationMap = new Map<DeviceTransportType, st
   ]
 );
 
+
+export const deviceProvisionTypeTranslationMap = new Map<DeviceProvisionType, string>(
+  [
+    [DeviceProvisionType.DISABLED, 'device-profile.provision-strategy-disabled'],
+    [DeviceProvisionType.ALLOW_CREATE_NEW_DEVICES, 'device-profile.provision-strategy-created-new'],
+    [DeviceProvisionType.CHECK_PRE_PROVISIONED_DEVICES, 'device-profile.provision-strategy-check-pre-provisioned']
+  ]
+)
+
 export const deviceTransportTypeHintMap = new Map<DeviceTransportType, string>(
   [
     [DeviceTransportType.DEFAULT, 'device-profile.transport-type-default-hint'],
@@ -148,6 +163,12 @@ export interface DeviceProfileTransportConfiguration extends DeviceProfileTransp
   type: DeviceTransportType;
 }
 
+export interface DeviceProvisionConfiguration {
+  type: DeviceProvisionType;
+  provisionDeviceSecret?: string;
+  provisionDeviceKey?: string;
+}
+
 export function createDeviceProfileConfiguration(type: DeviceProfileType): DeviceProfileConfiguration {
   let configuration: DeviceProfileConfiguration = null;
   if (type) {
@@ -295,6 +316,7 @@ export interface DeviceProfileData {
   configuration: DeviceProfileConfiguration;
   transportConfiguration: DeviceProfileTransportConfiguration;
   alarms?: Array<DeviceProfileAlarm>;
+  provisionConfiguration?: DeviceProvisionConfiguration;
 }
 
 export interface DeviceProfile extends BaseData<DeviceProfileId> {
@@ -304,6 +326,8 @@ export interface DeviceProfile extends BaseData<DeviceProfileId> {
   default?: boolean;
   type: DeviceProfileType;
   transportType: DeviceTransportType;
+  provisionType: DeviceProvisionType;
+  provisionDeviceKey?: string;
   defaultRuleChainId?: RuleChainId;
   profileData: DeviceProfileData;
 }

@@ -930,6 +930,16 @@
         "alarm-rule-condition": "Alarm rule condition",
         "enter-alarm-rule-condition-prompt": "Please add alarm rule condition",
         "edit-alarm-rule-condition": "Edit alarm rule condition",
+        "device-provisioning": "Device provisioning",
+        "provision-strategy": "Provision strategy",
+        "provision-strategy-required": "Provision strategy is required.",
+        "provision-strategy-disabled": "Disabled",
+        "provision-strategy-created-new": "Allow create new devices",
+        "provision-strategy-check-pre-provisioned": "Check pre provisioned devices",
+        "provision-device-key": "Provision device key",
+        "provision-device-key-required": "Provision device key is required.",
+        "provision-device-secret": "Provision device secret",
+        "provision-device-secret-required": "Provision device secret is required.",
         "condition": "Condition",
         "condition-type": "Condition type",
         "condition-type-simple": "Simple",