Lwm2m: back: start DTLS -one bootstrap 4 security

@@ -34,6 +34,9 @@
 
 <!--    <logger name="org.thingsboard.server.service.subscription" level="TRACE"/>-->
 <!--    <logger name="org.thingsboard.server.service.telemetry" level="TRACE"/>-->
+<!--    <logger name="org.eclipse.californium.scandium.DTLSConnector" level="TRACE" />-->
+<!--    <logger name="org.eclipse.californium.scandium.dtls.Handshaker" level="DEBUG" />-->
+
     <logger name="com.microsoft.azure.servicebus.primitives.CoreMessageReceiver" level="OFF" />
 
     <root level="INFO">
@@ -41,4 +44,4 @@
     </root>
 
 
-</configuration>
\ No newline at end of file
+</configuration>

@@ -577,7 +577,7 @@ transport:
 #    model_path_file: "${LWM2M_MODEL_PATH_FILE:./common/transport/lwm2m/src/main/resources/models/}"
     model_path_file: "${LWM2M_MODEL_PATH_FILE:}"
     recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}"
-    recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:false}"
+    recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}"
     request_pool_size: "${LWM2M_REQUEST_POOL_SIZE:100}"
     request_error_pool_size: "${LWM2M_REQUEST_ERROR_POOL_SIZE:10}"
     registered_pool_size: "${LWM2M_REGISTERED_POOL_SIZE:10}"
@@ -593,7 +593,7 @@ transport:
       key_store_path_file: "${KEY_STORE_PATH_FILE:}"
       key_store_password: "${LWM2M_KEYSTORE_PASSWORD_SERVER:server_ks_password}"
       root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}"
-      enable_gen_psk_rpk: "${ENABLE_GEN_PSK_RPK:true}"
+      enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}"
     server:
       id: "${LWM2M_SERVER_ID:123}"
       bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}"
@@ -602,11 +602,14 @@ transport:
         bind_address_security: "${LWM2M_BIND_ADDRESS_SECURITY:0.0.0.0}"
         bind_port_security: "${LWM2M_BIND_PORT_SECURITY:5686}"
         # Only for RPK: Public & Private Key. If the keystore file is missing or not working
-#        create_rpk: "${CREATE_RPK:}"
-        public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
-        public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
-        private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
-        # Only Certificate_x509:
+        #        create_rpk: "${CREATE_RPK:}"
+#          - Public Key (Hex): [ 3059301306072a8648ce3d020106082a8648ce3d03010703420004b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d140ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25 ]
+#          - Private Key (Hex): [ 3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367 ],
+#          - Elliptic Curve parameters: [ secp256r1 [ NIST P-256, X9.62 prime256v1 ] (1.2.840.10045.3.1.7) ]
+        public_x: "${LWM2M_SERVER_PUBLIC_X:b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d1}"
+        public_y: "${LWM2M_SERVER_PUBLIC_Y:40ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25}"
+        private_s: "${LWM2M_SERVER_PRIVATE_S:b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367}"
+  # Only Certificate_x509:
         alias: "${LWM2M_KEYSTORE_ALIAS_SERVER:server}"
     bootstrap:
       enable: "${LWM2M_BOOTSTRAP_ENABLED:true}"
@@ -617,10 +620,10 @@ transport:
         bind_address_security: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}"
         bind_port_security: "${LWM2M_BIND_PORT_SEC_BS:5688}"
         #  Only for RPK: Public & Private Key. If the keystore file is missing or not working
-        public_x: "${LWM2M_SERVER_PUBLIC_X_BS:993ef2b698c6a9c0c1d8be78b13a9383c0854c7c7c7a504d289b403794648183}"
-        public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:267412d5fc4e5ceb2257cb7fd7f76ebdac2fa9aa100afb162e990074cc0bfaa2}"
-        private_s: "${LWM2M_SERVER_PRIVATE_S_BS:9dbdbb073fc63570693a9aaf1013414e261c571f27e27fc6a8c1c2ad9347875a}"
-        # Only Certificate_x509:
+        public_x: "${LWM2M_SERVER_PUBLIC_X_BS:f6e4e77f76296472bd72acfb6b2dd26fd858042f9075b44b45e2ebeb41cae387}"
+        public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+        private_s: "${LWM2M_SERVER_PRIVATE_S_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+  # Only Certificate_x509:
         alias: "${LWM2M_KEYSTORE_ALIAS_BOOTSTRAP:bootstrap}"
     # Redis
     redis_url: "${LWM2M_REDIS_URL:''}"

@@ -52,7 +52,15 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.KeySpec;
 import java.util.Arrays;
 
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256;
 import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandler.getCoapConfig;
 
@@ -62,6 +70,7 @@ import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandle
 public class LwM2MTransportBootstrapServerConfiguration {
     private PublicKey publicKey;
     private PrivateKey privateKey;
+    private boolean pskMode = false;
 
     @Autowired
     private LwM2MTransportContextBootstrap contextBs;
@@ -105,9 +114,24 @@ public class LwM2MTransportBootstrapServerConfiguration {
 
         /** Create and Set DTLS Config */
         DtlsConnectorConfig.Builder dtlsConfig = new DtlsConnectorConfig.Builder();
-        dtlsConfig.setRecommendedSupportedGroupsOnly(!this.contextS.getCtxServer().isRecommendedSupportedGroups());
+        dtlsConfig.setRecommendedSupportedGroupsOnly(this.contextS.getCtxServer().isRecommendedSupportedGroups());
         dtlsConfig.setRecommendedCipherSuitesOnly(this.contextS.getCtxServer().isRecommendedCiphers());
-        dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+        if (this.pskMode) {
+            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256);
+        }
+        else {
+//            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+        }
 
         /** Set DTLS Config */
         builder.setDtlsConfig(dtlsConfig);
@@ -133,14 +157,16 @@ public class LwM2MTransportBootstrapServerConfiguration {
                         /** by default trust all */
                         builder.setTrustedCertificates(new X509Certificate[0]);
                     }
-                } else if (this.setServerRPK(builder)) {
-                    this.infoParamsServerRPK();
-                } else {
-                    /** by default trust all */
-                    builder.setTrustedCertificates(new X509Certificate[0]);
-                    log.info("Unable to load X509 files for BootStrapServer");
-                    this.infoParamsServerPSK();
                 }
+            } else if (this.setServerRPK(builder)) {
+                this.infoPramsUri("RPK");
+                this.infoParamsBootstrapServerKey(this.publicKey, this.privateKey);
+            } else {
+                /** by default trust all */
+                builder.setTrustedCertificates(new X509Certificate[0]);
+                log.info("Unable to load X509 files for BootStrapServer");
+                this.pskMode = true;
+                this.infoPramsUri("PSK");
             }
         } catch (KeyStoreException ex) {
             log.error("[{}] Unable to load X509 files server", ex.getMessage());
@@ -175,15 +201,23 @@ public class LwM2MTransportBootstrapServerConfiguration {
 
     private void infoParamsServerX509(X509Certificate certificate, PublicKey publicKey, PrivateKey privateKey) {
         try {
-            log.info("Bootstrap Server uses X509 : \n X509 Certificate (Hex): [{}] \n Public Key (Hex): [{}] \n Private Key (Hex): [{}]",
-                    Hex.encodeHexString(certificate.getEncoded()),
-                    Hex.encodeHexString(publicKey.getEncoded()),
-                    Hex.encodeHexString(privateKey.getEncoded()));
+            this.infoPramsUri("X509");
+            log.info("\n- X509 Certificate (Hex): [{}]",
+                    Hex.encodeHexString(certificate.getEncoded()));
+            this.infoParamsBootstrapServerKey(publicKey, privateKey);
         } catch (CertificateEncodingException e) {
             log.error("", e);
         }
     }
 
+    private void infoPramsUri(String mode) {
+        log.info("Bootstrap Server uses [{}]: serverNoSecureURI : [{}], serverSecureURI : [{}]",
+                mode,
+                this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
+                this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity());
+    }
+
+
     private boolean setServerRPK(LeshanBootstrapServerBuilder builder) {
         try {
             this.generateKeyForBootstrapRPK();
@@ -231,41 +265,31 @@ public class LwM2MTransportBootstrapServerConfiguration {
         }
     }
 
-    private void infoParamsServerRPK() {
+    private void infoParamsBootstrapServerKey(PublicKey publicKey, PrivateKey privateKey) {
         /** Get x coordinate */
-        byte[] x = ((ECPublicKey) this.publicKey).getW().getAffineX().toByteArray();
+        byte[] x = ((ECPublicKey) publicKey).getW().getAffineX().toByteArray();
         if (x[0] == 0)
             x = Arrays.copyOfRange(x, 1, x.length);
 
         /** Get Y coordinate */
-        byte[] y = ((ECPublicKey) this.publicKey).getW().getAffineY().toByteArray();
+        byte[] y = ((ECPublicKey) publicKey).getW().getAffineY().toByteArray();
         if (y[0] == 0)
             y = Arrays.copyOfRange(y, 1, y.length);
 
         /** Get Curves params */
-        String params = ((ECPublicKey) this.publicKey).getParams().toString();
-        String privHex = Hex.encodeHexString(this.privateKey.getEncoded());
-        log.info("Server uses RPK -> serverNoSecureURI : [{}], serverSecureURI : [{}], \n" +
-                        "Public Key (Hex): [{}] \n" +
-                        "Private Key (Hex): [{}], \n" +
-                        "- public_x :  [{}] \n" +
-                        "- public_y :  [{}] \n" +
-                        "- private_s : [{}] \n" +
+        String params = ((ECPublicKey) publicKey).getParams().toString();
+        String privHex = Hex.encodeHexString(privateKey.getEncoded());
+        log.info("\n- Public Key (Hex): [{}] \n" +
+                        "- Private Key (Hex): [{}], \n" +
+                        "public_x: \"${LWM2M_SERVER_PUBLIC_X_BS:{}}\" \n" +
+                        "public_y: \"${LWM2M_SERVER_PUBLIC_Y_BS:{}}\" \n" +
+                        "private_s: \"${LWM2M_SERVER_PRIVATE_S_BS:{}}\" \n" +
                         "- Elliptic Curve parameters  : [{}]",
-                this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
-                this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity(),
-                Hex.encodeHexString(this.publicKey.getEncoded()),
-                Hex.encodeHexString(this.privateKey.getEncoded()),
+                Hex.encodeHexString(publicKey.getEncoded()),
+                Hex.encodeHexString(privateKey.getEncoded()),
                 Hex.encodeHexString(x),
                 Hex.encodeHexString(y),
                 privHex.substring(privHex.length() - 64),
                 params);
     }
-
-    private void infoParamsServerPSK() {
-        log.info("Server uses PSK -> serverNoSecureURI : [{}], serverSecureURI : [{}]",
-                this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
-                this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity());
-    }
-
 }

@@ -19,7 +19,6 @@ import lombok.extern.slf4j.Slf4j;
 import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
 import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeDecoder;
 import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeEncoder;
-import org.eclipse.leshan.core.node.codec.LwM2mNodeDecoder;
 import org.eclipse.leshan.core.util.Hex;
 import org.eclipse.leshan.server.californium.LeshanServer;
 import org.eclipse.leshan.server.californium.LeshanServerBuilder;
@@ -54,7 +53,15 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.KeySpec;
 import java.util.Arrays;
 
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256;
 import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandler.getCoapConfig;
 
@@ -64,6 +71,7 @@ import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandle
 public class LwM2MTransportServerConfiguration {
     private PublicKey publicKey;
     private PrivateKey privateKey;
+    private boolean pskMode = false;
 
     @Autowired
     private LwM2MTransportContextServer context;
@@ -81,9 +89,8 @@ public class LwM2MTransportServerConfiguration {
         LeshanServerBuilder builder = new LeshanServerBuilder();
         builder.setLocalAddress(this.context.getCtxServer().getServerHost(), serverPortNoSec);
         builder.setLocalSecureAddress(this.context.getCtxServer().getServerHostSecurity(), serverSecurePort);
-        builder.setEncoder(new DefaultLwM2mNodeEncoder());
-        LwM2mNodeDecoder decoder = new DefaultLwM2mNodeDecoder();
-        builder.setDecoder(decoder);
+        builder.setDecoder(new DefaultLwM2mNodeDecoder());
+        /** Use a magic converter to support bad type send by the UI. */
         builder.setEncoder(new DefaultLwM2mNodeEncoder(LwM2mValueConverterImpl.getInstance()));
 
         /** Create CoAP Config */
@@ -102,17 +109,30 @@ public class LwM2MTransportServerConfiguration {
 
         /** Create DTLS Config */
         DtlsConnectorConfig.Builder dtlsConfig = new DtlsConnectorConfig.Builder();
-        dtlsConfig.setRecommendedSupportedGroupsOnly(!this.context.getCtxServer().isRecommendedSupportedGroups());
+        dtlsConfig.setRecommendedSupportedGroupsOnly(this.context.getCtxServer().isRecommendedSupportedGroups());
         dtlsConfig.setRecommendedCipherSuitesOnly(this.context.getCtxServer().isRecommendedCiphers());
-        dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+        if (this.pskMode) {
+            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256);
+        }
+        else {
+//            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+//                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+            dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+        }
+
 
         /** Set DTLS Config */
         builder.setDtlsConfig(dtlsConfig);
 
-        /** Use a magic converter to support bad type send by the UI. */
-        builder.setEncoder(new DefaultLwM2mNodeEncoder(LwM2mValueConverterImpl.getInstance()));
-
-
         /** Create LWM2M server */
         return builder.build();
     }
@@ -138,14 +158,16 @@ public class LwM2MTransportServerConfiguration {
                             return endpoint.startsWith(expectedX509CommonName);
                         }
                     }));
-                } else if (this.setServerRPK(builder)) {
-                    this.infoParamsServerRPK();
-                } else {
-                    /** by default trust all */
-                    builder.setTrustedCertificates(new X509Certificate[0]);
-                    log.info("Unable to load X509 files for LWM2MServer");
-                    this.infoParamsServerPSK();
                 }
+            } else if (this.setServerRPK(builder)) {
+                this.infoPramsUri("RPK");
+                this.infoParamsServerKey(this.publicKey, this.privateKey);
+            } else {
+                /** by default trust all */
+                builder.setTrustedCertificates(new X509Certificate[0]);
+                log.info("Unable to load X509 files for LWM2MServer");
+                this.pskMode = true;
+                this.infoPramsUri("PSK");
             }
         } catch (KeyStoreException ex) {
             log.error("[{}] Unable to load X509 files server", ex.getMessage());
@@ -169,8 +191,7 @@ public class LwM2MTransportServerConfiguration {
                 builder.setCertificateChain(new X509Certificate[]{serverCertificate});
                 this.infoParamsServerX509(serverCertificate, publicKey, privateKey);
                 return true;
-            }
-            else {
+            } else {
                 return false;
             }
         } catch (Exception ex) {
@@ -181,15 +202,22 @@ public class LwM2MTransportServerConfiguration {
 
     private void infoParamsServerX509(X509Certificate certificate, PublicKey publicKey, PrivateKey privateKey) {
         try {
-            log.info("Server uses X509 : \n X509 Certificate (Hex): [{}] \n Public Key (Hex): [{}] \n Private Key (Hex): [{}]",
-                    Hex.encodeHexString(certificate.getEncoded()),
-                    Hex.encodeHexString(publicKey.getEncoded()),
-                    Hex.encodeHexString(privateKey.getEncoded()));
+            infoPramsUri("X509");
+            log.info("\n- X509 Certificate (Hex): [{}]",
+                    Hex.encodeHexString(certificate.getEncoded()));
+            this.infoParamsServerKey(publicKey, privateKey);
         } catch (CertificateEncodingException e) {
             log.error("", e);
         }
     }
 
+    private void infoPramsUri(String mode) {
+        log.info("Server uses [{}]: serverNoSecureURI : [{}], serverSecureURI : [{}]",
+                mode,
+                this.context.getCtxServer().getServerHost() + ":" + this.context.getCtxServer().getServerPortNoSec(),
+                this.context.getCtxServer().getServerHostSecurity() + ":" + this.context.getCtxServer().getServerPortSecurity());
+    }
+
     private boolean setServerRPK(LeshanServerBuilder builder) {
         try {
             this.generateKeyForRPK();
@@ -207,7 +235,7 @@ public class LwM2MTransportServerConfiguration {
 
 
     /**
-     * From yml^ server
+     * From yml: server
      * public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
      * public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
      * private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
@@ -241,41 +269,32 @@ public class LwM2MTransportServerConfiguration {
         }
     }
 
-    private void infoParamsServerRPK() {
+    private void infoParamsServerKey(PublicKey publicKey, PrivateKey privateKey) {
         /** Get x coordinate */
-        byte[] x = ((ECPublicKey) this.publicKey).getW().getAffineX().toByteArray();
+        byte[] x = ((ECPublicKey) publicKey).getW().getAffineX().toByteArray();
         if (x[0] == 0)
             x = Arrays.copyOfRange(x, 1, x.length);
 
         /** Get Y coordinate */
-        byte[] y = ((ECPublicKey) this.publicKey).getW().getAffineY().toByteArray();
+        byte[] y = ((ECPublicKey) publicKey).getW().getAffineY().toByteArray();
         if (y[0] == 0)
             y = Arrays.copyOfRange(y, 1, y.length);
 
         /** Get Curves params */
-        String params = ((ECPublicKey) this.publicKey).getParams().toString();
-        String privHex = Hex.encodeHexString(this.privateKey.getEncoded());
-        log.info("Server uses RPK -> serverNoSecureURI : [{}], serverSecureURI : [{}], \n" +
-                        "Public Key (Hex): [{}] \n" +
-                        "Private Key (Hex): [{}], \n" +
-                        "- public_x :  [{}] \n" +
-                        "- public_y :  [{}] \n" +
-                        "- private_s : [{}] \n" +
+        String params = ((ECPublicKey) publicKey).getParams().toString();
+        String privHex = Hex.encodeHexString(privateKey.getEncoded());
+        log.info(" \n- Public Key (Hex): [{}] \n" +
+                        "- Private Key (Hex): [{}], \n" +
+                        "public_x: \"${LWM2M_SERVER_PUBLIC_X:{}}\" \n" +
+                        "public_y: \"${LWM2M_SERVER_PUBLIC_Y:{}}\" \n" +
+                        "private_s: \"${LWM2M_SERVER_PRIVATE_S:{}}\" \n" +
                         "- Elliptic Curve parameters  : [{}]",
-                this.context.getCtxServer().getServerHost() + ":" + this.context.getCtxServer().getServerPortNoSec(),
-                this.context.getCtxServer().getServerHostSecurity() + ":" + this.context.getCtxServer().getServerPortSecurity(),
-                Hex.encodeHexString(this.publicKey.getEncoded()),
-                Hex.encodeHexString(this.privateKey.getEncoded()),
+                Hex.encodeHexString(publicKey.getEncoded()),
+                privHex,
                 Hex.encodeHexString(x),
                 Hex.encodeHexString(y),
                 privHex.substring(privHex.length() - 64),
                 params);
     }
 
-    private void infoParamsServerPSK() {
-        log.info("Server uses PSK -> serverNoSecureURI : [{}], serverSecureURI : [{}]",
-                this.context.getCtxServer().getServerHost() + ":" + Integer.toString(this.context.getCtxServer().getServerPortNoSec()),
-                this.context.getCtxServer().getServerHostSecurity() + ":" + Integer.toString(this.context.getCtxServer().getServerPortSecurity()));
-    }
-
 }

@@ -41,7 +41,7 @@ public class LwM2MTransportServerInitializer {
 
     @PostConstruct
     public void init() {
-        if (this.context.getCtxServer().getEnableGenPskRpk()) {
+        if (this.context.getCtxServer().getEnableGenNewKeyPskRpk()) {
             new LWM2MGenerationPSkRPkECC();
         }
         this.startLhServer();

-#!/bin/bash
+#!/bin/sh
 #
 # Copyright © 2016-2021 The Thingsboard Authors
 #
@@ -15,77 +15,35 @@
 # limitations under the License.
 #
 
-#p) CLIENT_CN=LwX50900000000
+#/home/nick/Igor_project/Thingsboard_Perfrmance_test/performance-tests/src/main/resources/credentials/shell/lwM2M_credentials.sh -p LwX509 -s 0 -f 2000 -a client_alias_ -e client_self_signed_ -b bootstrap -d server -j serverKeyStore.jks -k clientKeyStore.jks -c client_ks_password -w server_ks_password
+
+#p) CLIENT_CN=$CLIENT_PREFIX00000000
 #s) client_start=0
 #f) client_finish=1
-#a) CLIENT_ALIAS=client_alias_00000000
+#a) CLIENT_ALIAS=CLIENT_ALIAS_PREFIX_00000000
+#e) CLIENT_SELF_ALIAS=CLIENT_SELF_ALIAS_PREFIX_00000000
 #b) BOOTSTRAP_ALIAS=bootstrap
 #d) SERVER_ALIAS=server
 #j) SERVER_STORE=serverKeyStore.jks
 #k) CLIENT_STORE=clientKeyStore.jks
 #c) CLIENT_STORE_PWD=client_ks_password
 #w) SERVER_STORE_PWD=server_ks_password
+#l) ROOT_KEY_ALIAS=root_key_alias
 
-#while test $# -gt 0; do
-#  case "$1" in
-#    -h|--help)
-#      echo "$package - attempt to capture frames"
-#      echo " "
-#      echo "$package [options] application [arguments]"
-#      echo " "
-#      echo "options:"
-#      echo "-h, --help                show brief help"
-#      echo "-a, --action=ACTION       specify an action to use"
-#      echo "-o, --output-dir=DIR      specify a directory to store output in"
-#      exit 0
-#      ;;
-#    -a)
-#      shift
-#      if test $# -gt 0; then
-#        export PROCESS=$1
-#      else
-#        echo "no process specified"
-#        exit 1
-#      fi
-#      shift
-#      ;;
-#    --action*)
-#      export PROCESS=`echo $1 | sed -e 's/^[^=]*=//g'`
-#      shift
-#      ;;
-#    -o)
-#      shift
-#      if test $# -gt 0; then
-#        export OUTPUT=$1
-#      else
-#        echo "no output dir specified"
-#        exit 1
-#      fi
-#      shift
-#      ;;
-#    --output-dir*)
-#      export OUTPUT=`echo $1 | sed -e 's/^[^=]*=//g'`
-#      shift
-#      ;;
-#    *)
-#      break
-#      ;;
-#  esac
-#done
-
-
-while getopts p:s:f:a:b:d:j:k:c:w: flag; do
+while getopts p:s:f:a:e:b:d:j:k:c:w:l: flag; do
   case "${flag}" in
-  p) client_prefix=${OPTARG} ;;
+  p) client_pref=${OPTARG} ;;
   s) client_start=${OPTARG} ;;
   f) client_finish=${OPTARG} ;;
-  a) client_alias=${OPTARG} ;;
+  a) client_alias_pref=${OPTARG} ;;
+  e) client_self_alias_pref=${OPTARG} ;;
   b) bootstrap_alias=${OPTARG} ;;
   d) server_alias=${OPTARG} ;;
   j) key_store_server_file=${OPTARG} ;;
   k) key_store_client_file=${OPTARG} ;;
   c) client_key_store_pwd=${OPTARG} ;;
   w) server_key_store_pwd=${OPTARG} ;;
+  w) root_key_alias=${OPTARG} ;;
   esac
 done
 
@@ -96,9 +54,8 @@ cd $script_dir
 # source the properties:
 . ./lwM2M_keygen.properties
 
-
-if [ -n "$client_prefix" ]; then
-  CLIENT_PREFIX=$client_prefix
+if [ -n "$client_pref" ]; then
+  CLIENT_PREFIX=$client_pref
 fi
 
 if [ -z "$client_start" ]; then
@@ -109,8 +66,12 @@ if [ -z "$client_finish" ]; then
   client_finish=1
 fi
 
-if [ -n "$client_alias" ]; then
-  CLIENT_ALIAS=$client_alias
+if [ -n "$client_alias_pref" ]; then
+  CLIENT_ALIAS_PREFIX=$client_alias_pref
+fi
+
+if [ -n "$client_self_alias_pref" ]; then
+  CLIENT_SELF_ALIAS_PREFIX=$client_self_alias_pref
 fi
 
 if [ -n "$bootstrap_alias" ]; then
@@ -137,23 +98,37 @@ if [ -n "$server_key_store_pwd" ]; then
   SERVER_STORE_PWD=$server_key_store_pwd
 fi
 
+if [ -n "$root_key_alias" ]; then
+  ROOT_KEY_ALIAS=$root_key_alias
+fi
+
+CLIENT_NUMBER=$client_start
+
 echo "==Start=="
 echo "CLIENT_PREFIX: $CLIENT_PREFIX"
 echo "client_start: $client_start"
 echo "client_finish: $client_finish"
-echo "CLIENT_ALIAS: $CLIENT_ALIAS"
+echo "CLIENT_ALIAS_PREFIX: $CLIENT_ALIAS_PREFIX"
+echo "CLIENT_SELF_ALIAS_PREFIX: $CLIENT_SELF_ALIAS_PREFIX"
 echo "BOOTSTRAP_ALIAS: $BOOTSTRAP_ALIAS"
 echo "SERVER_ALIAS: $SERVER_ALIAS"
 echo "SERVER_STORE: $SERVER_STORE"
 echo "CLIENT_STORE: $CLIENT_STORE"
 echo "CLIENT_STORE_PWD: $CLIENT_STORE_PWD"
 echo "SERVER_STORE_PWD: $SERVER_STORE_PWD"
+echo "CLIENT_NUMBER: $CLIENT_NUMBER"
+echo "ROOT_KEY_ALIAS: $ROOT_KEY_ALIAS"
 
 end_point() {
   echo "$CLIENT_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
 }
+
 client_alias_point() {
-  echo "$CLIENT_ALIAS$(printf "%08d" $CLIENT_NUMBER)"
+  echo "$CLIENT_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
+}
+
+client_self_alias_point() {
+  echo "$CLIENT_SELF_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
 }
 
 # Generation of the keystore.
@@ -264,73 +239,30 @@ keytool \
     -keystore $SERVER_STORE \
     -storepass $SERVER_STORE_PWD
 
-echo
-echo "${H1}Client Keystore : ${RESET}"
-echo "${H1}==================${RESET}"
-#echo "${H2}Creating client key and self-signed certificate with expected CN...${RESET}"
-#keytool \
-#  -genkeypair \
-#  -alias $CLIENT_ALIAS \
-#  -keyalg EC \
-#  -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
-#  -validity $VALIDITY \
-#  -storetype $STORETYPE \
-#  -keypass $CLIENT_STORE_PWD \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD
-#keytool \
-#  -exportcert \
-#  -alias $CLIENT_ALIAS \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD | \
-#  keytool \
-#    -importcert \
-#    -alias $CLIENT_SELF_ALIAS \
-#    -keystore $CLIENT_STORE \
-#    -storepass $CLIENT_STORE_PWD \
-#    -noprompt
-
-echo
-echo "${H2}Import root certificate just to be able to import  need by root CA with expected CN...${RESET}"
-keytool \
-  -exportcert \
-  -alias $ROOT_KEY_ALIAS \
-  -keystore $SERVER_STORE \
-  -storepass $SERVER_STORE_PWD |
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo
+  echo "${H2}Import root certificate just to be able to import  need by root CA with expected CN to $CLIENT_STORE${RESET}"
   keytool \
-    -importcert \
+    -exportcert \
     -alias $ROOT_KEY_ALIAS \
-    -keystore $CLIENT_STORE \
-    -storepass $CLIENT_STORE_PWD \
-    -noprompt
-
-#echo
-#echo "${H2}Creating client certificate signed by root CA with expected CN...${RESET}"
-#keytool \
-#  -certreq \
-#  -alias $CLIENT_ALIAS \
-#  -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD | \
-#  keytool \
-#    -gencert \
-#    -alias $ROOT_KEY_ALIAS \
-#    -keystore $SERVER_STORE \
-#    -storepass $SERVER_STORE_PWD \
-#    -storetype $STORETYPE \
-#    -validity $VALIDITY  | \
-#    keytool \
-#      -importcert \
-#      -alias $CLIENT_ALIAS \
-#      -keystore $CLIENT_STORE \
-#      -storepass $CLIENT_STORE_PWD \
-#      -noprompt
+    -keystore $SERVER_STORE \
+    -storepass $SERVER_STORE_PWD |
+    keytool \
+      -importcert \
+      -alias $ROOT_KEY_ALIAS \
+      -keystore $CLIENT_STORE \
+      -storepass $CLIENT_STORE_PWD \
+      -noprompt
+fi
 
 cert_end_point() {
-  echo "${H2}Creating client key and self-signed certificate with expected CN $CLIENT_SELF_CN ${RESET}"
+  echo
+  echo "${H1}Client Keystore : ${RESET}"
+  echo "${H1}==================${RESET}"
+  echo "${H2}Creating client key and self-signed certificate with expected CN CLIENT_ALIAS: $CLIENT_ALIAS${RESET}"
   keytool \
     -genkeypair \
-    -alias $CLIENT_CN_ALIAS \
+    -alias $CLIENT_ALIAS \
     -keyalg EC \
     -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
     -validity $VALIDITY \
@@ -340,7 +272,7 @@ cert_end_point() {
     -storepass $CLIENT_STORE_PWD
   keytool \
     -exportcert \
-    -alias $CLIENT_CN_ALIAS \
+    -alias $CLIENT_ALIAS \
     -keystore $CLIENT_STORE \
     -storepass $CLIENT_STORE_PWD |
     keytool \
@@ -349,13 +281,28 @@ cert_end_point() {
       -keystore $CLIENT_STORE \
       -storepass $CLIENT_STORE_PWD \
       -noprompt
+#
+#  echo
+#  echo "${H2}Import root certificate just to be able to import  ned by root CA with expected CN...${RESET}"
+#  keytool \
+#    -exportcert \
+#    -alias $ROOT_KEY_ALIAS \
+#    -keystore $SERVER_STORE \
+#    -storepass $SERVER_STORE_PWD |
+#    keytool \
+#      -importcert \
+#      -alias $ROOT_KEY_ALIAS \
+#      -keystore $CLIENT_STORE \
+#      -storepass $CLIENT_STORE_PWD \
+#      -noprompt
+#
 
   echo
-  echo "${H2}Creating client certificate signed by root CA with expected $CLIENT_CN_NAME ${RESET}"
+  echo "${H2}Creating client certificate signed by root CA with expected CN CLIENT_ALIAS: $CLIENT_ALIAS CLIENT_CN: $CLIENT_CN${RESET}"
   keytool \
     -certreq \
-    -alias $CLIENT_CN_ALIAS \
-    -dname "CN=$CLIENT_CN_NAME, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
+    -alias $CLIENT_ALIAS \
+    -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
     -keystore $CLIENT_STORE \
     -storepass $CLIENT_STORE_PWD |
     keytool \
@@ -367,22 +314,30 @@ cert_end_point() {
       -validity $VALIDITY |
     keytool \
       -importcert \
-      -alias $CLIENT_CN_ALIAS \
+      -alias $CLIENT_ALIAS \
       -keystore $CLIENT_STORE \
       -storepass $CLIENT_STORE_PWD \
       -noprompt
 }
 
-while [ "$CLIENT_NUMBER" != "$client_finish" ]; do
-  CLIENT_CN_NAME=$(end_point)
-  CLIENT_CN_ALIAS=$(client_alias_point)
-  echo "$CLIENT_CN_NAME"
-  echo "$CLIENT_CN_ALIAS"
-  cert_end_point
-  CLIENT_NUMBER=$(($CLIENT_NUMBER + 1))
-  echo "number $CLIENT_NUMBER"
-  echo "finish $client_finish"
-done
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo "Файл содержит, как минимум, одно слово Bash."
+  echo
+  echo "==Start Client=="
+  while [ "$CLIENT_NUMBER" -lt "$client_finish" ]; do
+    echo "number $CLIENT_NUMBER"
+    echo "finish $client_finish"
+    CLIENT_CN=$(end_point)
+    CLIENT_ALIAS=$(client_alias_point)
+    CLIENT_SELF_ALIAS=$(client_self_alias_point)
+    echo "CLIENT_CN $CLIENT_CN"
+    echo "CLIENT_ALIAS $CLIENT_ALIAS"
+    echo "CLIENT_SELF_ALIAS $CLIENT_SELF_ALIAS"
+    cert_end_point
+    CLIENT_NUMBER=$(($CLIENT_NUMBER + 1))
+    echo
+  done
+fi
 
 echo
 echo "${H0}!!! Warning ${H2}Migrate ${H1}${SERVER_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
@@ -393,11 +348,13 @@ keytool \
   -deststoretype pkcs12 \
   -srcstorepass $SERVER_STORE_PWD
 
-echo
-echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
-keytool \
-  -importkeystore \
-  -srckeystore $CLIENT_STORE \
-  -destkeystore $CLIENT_STORE \
-  -deststoretype pkcs12 \
-  -srcstorepass $CLIENT_STORE_PWD
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo
+  echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
+  keytool \
+    -importkeystore \
+    -srckeystore $CLIENT_STORE \
+    -destkeystore $CLIENT_STORE \
+    -deststoretype pkcs12 \
+    -srcstorepass $CLIENT_STORE_PWD
+fi

@@ -41,9 +41,9 @@ BOOTSTRAP_SELF_CN="$DOMAIN_SUFFIX bootstrap server LwM2M self-signed"
 # Client
 CLIENT_STORE=clientKeyStore1.jks
 CLIENT_STORE_PWD=client_ks_password1
-CLIENT_ALIAS=client_alias_1
-CLIENT_PREFIX=LwX509_
-CLIENT_SELF_ALIAS=client_self_signed
+CLIENT_ALIAS_PREFIX=client_alias_1
+CLIENT_PREFIX=LwX509___
+CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1
 CLIENT_SELF_CN="$DOMAIN_SUFFIX client LwM2M self-signed"
 
 # Color output stuff

@@ -147,8 +147,8 @@ public class LwM2MTransportConfigServer {
     private String rootAlias;
 
     @Getter
-    @Value("${transport.lwm2m.secure.enable_gen_psk_rpk:}")
-    private Boolean enableGenPskRpk;
+    @Value("${transport.lwm2m.secure.enable_gen_new_key_psk_rpk:}")
+    private Boolean enableGenNewKeyPskRpk;
 
     @Getter
     @Value("${transport.lwm2m.server.id:}")

-#!/bin/bash
+#!/bin/sh
 #
 # Copyright © 2016-2021 The Thingsboard Authors
 #
@@ -15,77 +15,35 @@
 # limitations under the License.
 #
 
-#p) CLIENT_CN=LwX50900000000
+#/home/nick/Igor_project/Thingsboard_Perfrmance_test/performance-tests/src/main/resources/credentials/shell/lwM2M_credentials.sh -p LwX509 -s 0 -f 2000 -a client_alias_ -e client_self_signed_ -b bootstrap -d server -j serverKeyStore.jks -k clientKeyStore.jks -c client_ks_password -w server_ks_password
+
+#p) CLIENT_CN=$CLIENT_PREFIX00000000
 #s) client_start=0
 #f) client_finish=1
-#a) CLIENT_ALIAS=client_alias_00000000
+#a) CLIENT_ALIAS=CLIENT_ALIAS_PREFIX_00000000
+#e) CLIENT_SELF_ALIAS=CLIENT_SELF_ALIAS_PREFIX_00000000
 #b) BOOTSTRAP_ALIAS=bootstrap
 #d) SERVER_ALIAS=server
 #j) SERVER_STORE=serverKeyStore.jks
 #k) CLIENT_STORE=clientKeyStore.jks
 #c) CLIENT_STORE_PWD=client_ks_password
 #w) SERVER_STORE_PWD=server_ks_password
+#l) ROOT_KEY_ALIAS=root_key_alias
 
-#while test $# -gt 0; do
-#  case "$1" in
-#    -h|--help)
-#      echo "$package - attempt to capture frames"
-#      echo " "
-#      echo "$package [options] application [arguments]"
-#      echo " "
-#      echo "options:"
-#      echo "-h, --help                show brief help"
-#      echo "-a, --action=ACTION       specify an action to use"
-#      echo "-o, --output-dir=DIR      specify a directory to store output in"
-#      exit 0
-#      ;;
-#    -a)
-#      shift
-#      if test $# -gt 0; then
-#        export PROCESS=$1
-#      else
-#        echo "no process specified"
-#        exit 1
-#      fi
-#      shift
-#      ;;
-#    --action*)
-#      export PROCESS=`echo $1 | sed -e 's/^[^=]*=//g'`
-#      shift
-#      ;;
-#    -o)
-#      shift
-#      if test $# -gt 0; then
-#        export OUTPUT=$1
-#      else
-#        echo "no output dir specified"
-#        exit 1
-#      fi
-#      shift
-#      ;;
-#    --output-dir*)
-#      export OUTPUT=`echo $1 | sed -e 's/^[^=]*=//g'`
-#      shift
-#      ;;
-#    *)
-#      break
-#      ;;
-#  esac
-#done
-
-
-while getopts p:s:f:a:b:d:j:k:c:w: flag; do
+while getopts p:s:f:a:e:b:d:j:k:c:w:l: flag; do
   case "${flag}" in
-  p) client_prefix=${OPTARG} ;;
+  p) client_pref=${OPTARG} ;;
   s) client_start=${OPTARG} ;;
   f) client_finish=${OPTARG} ;;
-  a) client_alias=${OPTARG} ;;
+  a) client_alias_pref=${OPTARG} ;;
+  e) client_self_alias_pref=${OPTARG} ;;
   b) bootstrap_alias=${OPTARG} ;;
   d) server_alias=${OPTARG} ;;
   j) key_store_server_file=${OPTARG} ;;
   k) key_store_client_file=${OPTARG} ;;
   c) client_key_store_pwd=${OPTARG} ;;
   w) server_key_store_pwd=${OPTARG} ;;
+  w) root_key_alias=${OPTARG} ;;
   esac
 done
 
@@ -96,9 +54,8 @@ cd $script_dir
 # source the properties:
 . ./lwM2M_keygen.properties
 
-
-if [ -n "$client_prefix" ]; then
-  CLIENT_PREFIX=$client_prefix
+if [ -n "$client_pref" ]; then
+  CLIENT_PREFIX=$client_pref
 fi
 
 if [ -z "$client_start" ]; then
@@ -109,8 +66,12 @@ if [ -z "$client_finish" ]; then
   client_finish=1
 fi
 
-if [ -n "$client_alias" ]; then
-  CLIENT_ALIAS=$client_alias
+if [ -n "$client_alias_pref" ]; then
+  CLIENT_ALIAS_PREFIX=$client_alias_pref
+fi
+
+if [ -n "$client_self_alias_pref" ]; then
+  CLIENT_SELF_ALIAS_PREFIX=$client_self_alias_pref
 fi
 
 if [ -n "$bootstrap_alias" ]; then
@@ -137,23 +98,37 @@ if [ -n "$server_key_store_pwd" ]; then
   SERVER_STORE_PWD=$server_key_store_pwd
 fi
 
+if [ -n "$root_key_alias" ]; then
+  ROOT_KEY_ALIAS=$root_key_alias
+fi
+
+CLIENT_NUMBER=$client_start
+
 echo "==Start=="
 echo "CLIENT_PREFIX: $CLIENT_PREFIX"
 echo "client_start: $client_start"
 echo "client_finish: $client_finish"
-echo "CLIENT_ALIAS: $CLIENT_ALIAS"
+echo "CLIENT_ALIAS_PREFIX: $CLIENT_ALIAS_PREFIX"
+echo "CLIENT_SELF_ALIAS_PREFIX: $CLIENT_SELF_ALIAS_PREFIX"
 echo "BOOTSTRAP_ALIAS: $BOOTSTRAP_ALIAS"
 echo "SERVER_ALIAS: $SERVER_ALIAS"
 echo "SERVER_STORE: $SERVER_STORE"
 echo "CLIENT_STORE: $CLIENT_STORE"
 echo "CLIENT_STORE_PWD: $CLIENT_STORE_PWD"
 echo "SERVER_STORE_PWD: $SERVER_STORE_PWD"
+echo "CLIENT_NUMBER: $CLIENT_NUMBER"
+echo "ROOT_KEY_ALIAS: $ROOT_KEY_ALIAS"
 
 end_point() {
   echo "$CLIENT_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
 }
+
 client_alias_point() {
-  echo "$CLIENT_ALIAS$(printf "%08d" $CLIENT_NUMBER)"
+  echo "$CLIENT_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
+}
+
+client_self_alias_point() {
+  echo "$CLIENT_SELF_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)"
 }
 
 # Generation of the keystore.
@@ -264,73 +239,30 @@ keytool \
     -keystore $SERVER_STORE \
     -storepass $SERVER_STORE_PWD
 
-echo
-echo "${H1}Client Keystore : ${RESET}"
-echo "${H1}==================${RESET}"
-#echo "${H2}Creating client key and self-signed certificate with expected CN...${RESET}"
-#keytool \
-#  -genkeypair \
-#  -alias $CLIENT_ALIAS \
-#  -keyalg EC \
-#  -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
-#  -validity $VALIDITY \
-#  -storetype $STORETYPE \
-#  -keypass $CLIENT_STORE_PWD \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD
-#keytool \
-#  -exportcert \
-#  -alias $CLIENT_ALIAS \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD | \
-#  keytool \
-#    -importcert \
-#    -alias $CLIENT_SELF_ALIAS \
-#    -keystore $CLIENT_STORE \
-#    -storepass $CLIENT_STORE_PWD \
-#    -noprompt
-
-echo
-echo "${H2}Import root certificate just to be able to import  need by root CA with expected CN...${RESET}"
-keytool \
-  -exportcert \
-  -alias $ROOT_KEY_ALIAS \
-  -keystore $SERVER_STORE \
-  -storepass $SERVER_STORE_PWD |
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo
+  echo "${H2}Import root certificate just to be able to import  need by root CA with expected CN to $CLIENT_STORE${RESET}"
   keytool \
-    -importcert \
+    -exportcert \
     -alias $ROOT_KEY_ALIAS \
-    -keystore $CLIENT_STORE \
-    -storepass $CLIENT_STORE_PWD \
-    -noprompt
-
-#echo
-#echo "${H2}Creating client certificate signed by root CA with expected CN...${RESET}"
-#keytool \
-#  -certreq \
-#  -alias $CLIENT_ALIAS \
-#  -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
-#  -keystore $CLIENT_STORE \
-#  -storepass $CLIENT_STORE_PWD | \
-#  keytool \
-#    -gencert \
-#    -alias $ROOT_KEY_ALIAS \
-#    -keystore $SERVER_STORE \
-#    -storepass $SERVER_STORE_PWD \
-#    -storetype $STORETYPE \
-#    -validity $VALIDITY  | \
-#    keytool \
-#      -importcert \
-#      -alias $CLIENT_ALIAS \
-#      -keystore $CLIENT_STORE \
-#      -storepass $CLIENT_STORE_PWD \
-#      -noprompt
+    -keystore $SERVER_STORE \
+    -storepass $SERVER_STORE_PWD |
+    keytool \
+      -importcert \
+      -alias $ROOT_KEY_ALIAS \
+      -keystore $CLIENT_STORE \
+      -storepass $CLIENT_STORE_PWD \
+      -noprompt
+fi
 
 cert_end_point() {
-  echo "${H2}Creating client key and self-signed certificate with expected CN $CLIENT_SELF_CN ${RESET}"
+  echo
+  echo "${H1}Client Keystore : ${RESET}"
+  echo "${H1}==================${RESET}"
+  echo "${H2}Creating client key and self-signed certificate with expected CN CLIENT_ALIAS: $CLIENT_ALIAS${RESET}"
   keytool \
     -genkeypair \
-    -alias $CLIENT_CN_ALIAS \
+    -alias $CLIENT_ALIAS \
     -keyalg EC \
     -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
     -validity $VALIDITY \
@@ -340,7 +272,7 @@ cert_end_point() {
     -storepass $CLIENT_STORE_PWD
   keytool \
     -exportcert \
-    -alias $CLIENT_CN_ALIAS \
+    -alias $CLIENT_ALIAS \
     -keystore $CLIENT_STORE \
     -storepass $CLIENT_STORE_PWD |
     keytool \
@@ -349,13 +281,28 @@ cert_end_point() {
       -keystore $CLIENT_STORE \
       -storepass $CLIENT_STORE_PWD \
       -noprompt
+#
+#  echo
+#  echo "${H2}Import root certificate just to be able to import  ned by root CA with expected CN...${RESET}"
+#  keytool \
+#    -exportcert \
+#    -alias $ROOT_KEY_ALIAS \
+#    -keystore $SERVER_STORE \
+#    -storepass $SERVER_STORE_PWD |
+#    keytool \
+#      -importcert \
+#      -alias $ROOT_KEY_ALIAS \
+#      -keystore $CLIENT_STORE \
+#      -storepass $CLIENT_STORE_PWD \
+#      -noprompt
+#
 
   echo
-  echo "${H2}Creating client certificate signed by root CA with expected $CLIENT_CN_NAME ${RESET}"
+  echo "${H2}Creating client certificate signed by root CA with expected CN CLIENT_ALIAS: $CLIENT_ALIAS CLIENT_CN: $CLIENT_CN${RESET}"
   keytool \
     -certreq \
-    -alias $CLIENT_CN_ALIAS \
-    -dname "CN=$CLIENT_CN_NAME, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
+    -alias $CLIENT_ALIAS \
+    -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
     -keystore $CLIENT_STORE \
     -storepass $CLIENT_STORE_PWD |
     keytool \
@@ -367,22 +314,30 @@ cert_end_point() {
       -validity $VALIDITY |
     keytool \
       -importcert \
-      -alias $CLIENT_CN_ALIAS \
+      -alias $CLIENT_ALIAS \
       -keystore $CLIENT_STORE \
       -storepass $CLIENT_STORE_PWD \
       -noprompt
 }
 
-while [ "$CLIENT_NUMBER" != "$client_finish" ]; do
-  CLIENT_CN_NAME=$(end_point)
-  CLIENT_CN_ALIAS=$(client_alias_point)
-  echo "$CLIENT_CN_NAME"
-  echo "$CLIENT_CN_ALIAS"
-  cert_end_point
-  CLIENT_NUMBER=$(($CLIENT_NUMBER + 1))
-  echo "number $CLIENT_NUMBER"
-  echo "finish $client_finish"
-done
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo "Файл содержит, как минимум, одно слово Bash."
+  echo
+  echo "==Start Client=="
+  while [ "$CLIENT_NUMBER" -lt "$client_finish" ]; do
+    echo "number $CLIENT_NUMBER"
+    echo "finish $client_finish"
+    CLIENT_CN=$(end_point)
+    CLIENT_ALIAS=$(client_alias_point)
+    CLIENT_SELF_ALIAS=$(client_self_alias_point)
+    echo "CLIENT_CN $CLIENT_CN"
+    echo "CLIENT_ALIAS $CLIENT_ALIAS"
+    echo "CLIENT_SELF_ALIAS $CLIENT_SELF_ALIAS"
+    cert_end_point
+    CLIENT_NUMBER=$(($CLIENT_NUMBER + 1))
+    echo
+  done
+fi
 
 echo
 echo "${H0}!!! Warning ${H2}Migrate ${H1}${SERVER_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
@@ -393,11 +348,13 @@ keytool \
   -deststoretype pkcs12 \
   -srcstorepass $SERVER_STORE_PWD
 
-echo
-echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
-keytool \
-  -importkeystore \
-  -srckeystore $CLIENT_STORE \
-  -destkeystore $CLIENT_STORE \
-  -deststoretype pkcs12 \
-  -srcstorepass $CLIENT_STORE_PWD
+if [ "$client_start" -lt "$client_finish" ]; then
+  echo
+  echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}"
+  keytool \
+    -importkeystore \
+    -srckeystore $CLIENT_STORE \
+    -destkeystore $CLIENT_STORE \
+    -deststoretype pkcs12 \
+    -srcstorepass $CLIENT_STORE_PWD
+fi

@@ -41,9 +41,9 @@ BOOTSTRAP_SELF_CN="$DOMAIN_SUFFIX bootstrap server LwM2M self-signed"
 # Client
 CLIENT_STORE=clientKeyStore1.jks
 CLIENT_STORE_PWD=client_ks_password1
-CLIENT_ALIAS=client_alias_1
-CLIENT_PREFIX=LwX509_
-CLIENT_SELF_ALIAS=client_self_signed
+CLIENT_ALIAS_PREFIX=client_alias_1
+CLIENT_PREFIX=LwX509___
+CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1
 CLIENT_SELF_CN="$DOMAIN_SUFFIX client LwM2M self-signed"
 
 # Color output stuff

@@ -53,7 +53,7 @@ transport:
     #    model_path_file: "${LWM2M_MODEL_PATH_FILE:./common/transport/lwm2m/src/main/resources/models/}"
     model_path_file: "${LWM2M_MODEL_PATH_FILE:}"
     recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}"
-    recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:false}"
+    recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}"
     request_pool_size: "${LWM2M_REQUEST_POOL_SIZE:100}"
     request_error_pool_size: "${LWM2M_REQUEST_ERROR_POOL_SIZE:10}"
     registered_pool_size: "${LWM2M_REGISTERED_POOL_SIZE:10}"
@@ -69,7 +69,7 @@ transport:
       key_store_path_file: "${KEY_STORE_PATH_FILE:}"
       key_store_password: "${LWM2M_KEYSTORE_PASSWORD_SERVER:server_ks_password}"
       root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}"
-      enable_gen_psk_rpk: "${ENABLE_GEN_PSK_RPK:true}"
+      enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}"
     server:
       id: "${LWM2M_SERVER_ID:123}"
       bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}"
@@ -79,9 +79,12 @@ transport:
         bind_port_security: "${LWM2M_BIND_PORT_SECURITY:5686}"
         # Only for RPK: Public & Private Key. If the keystore file is missing or not working
         #        create_rpk: "${CREATE_RPK:}"
-        public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
-        public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
-        private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
+        #          - Public Key (Hex): [ 3059301306072a8648ce3d020106082a8648ce3d03010703420004b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d140ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25 ]
+        #          - Private Key (Hex): [ 3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367 ],
+        #          - Elliptic Curve parameters: [ secp256r1 [ NIST P-256, X9.62 prime256v1 ] (1.2.840.10045.3.1.7) ]
+        public_x: "${LWM2M_SERVER_PUBLIC_X:b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d1}"
+        public_y: "${LWM2M_SERVER_PUBLIC_Y:40ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25}"
+        private_s: "${LWM2M_SERVER_PRIVATE_S:b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367}"
         # Only Certificate_x509:
         alias: "${LWM2M_KEYSTORE_ALIAS_SERVER:server}"
     bootstrap:
@@ -93,9 +96,9 @@ transport:
         bind_address_security: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}"
         bind_port_security: "${LWM2M_BIND_PORT_SEC_BS:5688}"
         #  Only for RPK: Public & Private Key. If the keystore file is missing or not working
-        public_x: "${LWM2M_SERVER_PUBLIC_X_BS:993ef2b698c6a9c0c1d8be78b13a9383c0854c7c7c7a504d289b403794648183}"
-        public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:267412d5fc4e5ceb2257cb7fd7f76ebdac2fa9aa100afb162e990074cc0bfaa2}"
-        private_s: "${LWM2M_SERVER_PRIVATE_S_BS:9dbdbb073fc63570693a9aaf1013414e261c571f27e27fc6a8c1c2ad9347875a}"
+        public_x: "${LWM2M_SERVER_PUBLIC_X_BS:f6e4e77f76296472bd72acfb6b2dd26fd858042f9075b44b45e2ebeb41cae387}"
+        public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+        private_s: "${LWM2M_SERVER_PRIVATE_S_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
         # Only Certificate_x509:
         alias: "${LWM2M_KEYSTORE_ALIAS_BOOTSTRAP:bootstrap}"
     # Redis