WO2021035587A1

WO2021035587A1 - Method and apparatus for configuring client, and terminal device

Info

Publication number: WO2021035587A1
Application number: PCT/CN2019/103128
Authority: WO
Inventors: 杨宁
Original assignee: Oppo广东移动通信有限公司
Priority date: 2019-08-28
Filing date: 2019-08-28
Publication date: 2021-03-04
Also published as: CN113678420B; CN113678420A

Abstract

Embodiments of the present application provide a method and apparatus for configuring a client, and a terminal device. The method comprises: a client sends to a first configuration device a target attribute of a target resource of the client, the target attribute being used for representing a device role of the client, and the client having at least one first secure resource; in the case that the device role of the client is a mobile device, the client receives first creation signaling sent by the first configuration device, and creates a second secure resource on the client on the basis of the first creation signaling, the second secure resource and the at least one first secure resource belonging to a same resource type; and the client receives first configuration signaling sent by the first configuration device, and configures the second secure resource on the basis of the first configuration signaling.

Description

Method and device for configuring client terminal and terminal equipment

Technical field

本申请实施例涉及物联网技术领域，具体涉及一种配置客户端的方法及装置、终端设备。The embodiments of the present application relate to the technical field of the Internet of Things, and specifically relate to a method and device for configuring a client, and terminal equipment.

Background technique

激活工具(Onboarding Tool，OBT)用于对设备的客户端(以下简称客户端)进行配置，从而实现对该设备的管控以及该设备与其他设备之间的互联互通。目前，客户端只能由一个OBT进行配置，当客户端在网络1时，由网络1中的OBT对该客户端进行配置，当该客户端从网络1移动到网络2时，此时由于网络1中的OBT已经对该客户端进行了配置，因此网络2中的OBT无法对该客户端进行配置，一种方式是重置该客户端，使得网络2中的OBT能够对该客户端进行配置，然而，当该客户端再次移动到网络1时，还会出现同样的问题，导致每次切换网络都需要重新配置客户端，用户体验较差。The activation tool (Onboarding Tool, OBT) is used to configure the client of the device (hereinafter referred to as the client), so as to realize the management and control of the device and the interconnection and intercommunication between the device and other devices. At present, the client can only be configured by one OBT. When the client is in network 1, the OBT in network 1 configures the client. When the client moves from network 1 to network 2, at this time due to the network The OBT in 1 has already configured the client, so the OBT in network 2 cannot configure the client. One way is to reset the client so that the OBT in network 2 can configure the client However, when the client moves to network 1 again, the same problem will occur, resulting in the need to reconfigure the client every time the network is switched, and the user experience is poor.

发明内容Summary of the invention

本申请实施例提供一种配置客户端的方法及装置、终端设备。The embodiments of the present application provide a method and device for configuring a client, and terminal equipment.

本申请实施例提供的配置客户端的方法，包括：The method for configuring the client provided by the embodiment of the present application includes:

客户端向第一配置设备发送所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The client sends the target attribute of the target resource of the client to the first configuration device, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

所述客户端的设备角色为移动设备的情况下，所述客户端接收所述第一配置设备发送的第一创建信令，基于所述第一创建信令在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；When the device role of the client is a mobile device, the client receives the first creation signaling sent by the first configuration device, and creates a second security on the client based on the first creation signaling. Resource, the second security resource and the at least one first security resource belong to the same resource type;

所述客户端接收所述第一配置设备发送的第一配置信令，基于所述第一配置信令配置所述第二安全资源。The client receives the first configuration signaling sent by the first configuration device, and configures the second security resource based on the first configuration signaling.

所述客户端的设备角色为移动设备的情况下，所述客户端接收所述第一配置设备发送的触发信令，所述触发信令用于触发所述客户端启动设备主导配置；When the device role of the client is a mobile device, the client receives trigger signaling sent by the first configuration device, and the trigger signaling is used to trigger the client to initiate device-led configuration;

所述客户端在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；Creating a second secure resource on the client by the client, where the second secure resource and the at least one first secure resource belong to the same resource type;

所述客户端从所述第一配置设备获取配置参数，基于所述配置参数配置所述第二安全资源。The client obtains configuration parameters from the first configuration device, and configures the second security resource based on the configuration parameters.

第一配置设备接收客户端发送的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The first configuration device receives the target attribute of the target resource sent by the client, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first secure resource;

所述客户端的设备角色为移动设备的情况下，所述第一配置设备向所述客户端发送第一创建信令，所述第一创建信令用于指示在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；When the device role of the client is a mobile device, the first configuration device sends a first creation signaling to the client, and the first creation signaling is used to instruct to create a second creation on the client. A security resource, where the second security resource and the at least one first security resource belong to the same resource type;

所述第一配置设备向所述客户端发送第一配置信令，所述第一配置信令用于配置所述第二安全资源。The first configuration device sends a first configuration signaling to the client, where the first configuration signaling is used to configure the second security resource.

第一配置设备接收客户端发送的所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The first configuration device receives the target attribute of the target resource of the client sent by the client, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

所述客户端的设备角色为移动设备的情况下，所述第一配置设备向所述客户端发送触发信令，所述触发信令用于触发所述客户端在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；When the device role of the client is a mobile device, the first configuration device sends trigger signaling to the client, and the trigger signaling is used to trigger the client to create a second configuration on the client. A security resource, where the second security resource and the at least one first security resource belong to the same resource type;

所述第一配置设备向所述客户端发送配置参数，所述配置参数用于所述客户端配置所述第二安全资源。The first configuration device sends configuration parameters to the client, where the configuration parameters are used by the client to configure the second security resource.

本申请实施例提供的配置客户端的装置，包括：The device for configuring the client provided by the embodiment of the present application includes:

发送单元，用于向第一配置设备发送所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；A sending unit, configured to send a target attribute of a target resource of the client to the first configuration device, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first security resource;

接收单元，用于在所述客户端的设备角色为移动设备的情况下，接收所述第一配置设备发送的第一创建信令，基于所述第一创建信令在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；接收所述第一配置设备发送的第一配置信令，基于所述第一配置信令配置所述第二安全资源。The receiving unit is configured to receive the first creation signaling sent by the first configuration device when the device role of the client is a mobile device, and create a first creation signaling on the client based on the first creation signaling. Two security resources, the second security resource and the at least one first security resource belong to the same resource type; receiving the first configuration signaling sent by the first configuration device, and configuring the first configuration signaling based on the first configuration signaling The second security resource.

接收单元，用于在所述客户端的设备角色为移动设备的情况下，接收所述第一配置设备发送的触发信令，所述触发信令用于触发所述客户端启动设备主导配置；A receiving unit, configured to receive trigger signaling sent by the first configuration device when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to initiate device-led configuration;

创建单元，用于在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；A creating unit, configured to create a second secure resource on the client, where the second secure resource and the at least one first secure resource belong to the same resource type;

获取单元，用于从所述第一配置设备获取配置参数，基于所述配置参数配置所述第二安全资源。The obtaining unit is configured to obtain configuration parameters from the first configuration device, and configure the second security resource based on the configuration parameters.

接收单元，用于接收客户端发送的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；A receiving unit, configured to receive a target attribute of a target resource sent by a client, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first secure resource;

发送单元，用于在所述客户端的设备角色为移动设备的情况下，向所述客户端发送第一创建信令，所述第一创建信令用于指示在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；向所述客户端发送第一配置信令，所述第一配置信令用于配置所述第二安全资源。The sending unit is configured to send a first creation signaling to the client when the device role of the client is a mobile device, where the first creation signaling is used to instruct to create a second creation on the client A security resource, the second security resource and the at least one first security resource belong to the same resource type; sending a first configuration signaling to the client, where the first configuration signaling is used to configure the second security Resources.

接收单元，用于接收客户端发送的所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The receiving unit is configured to receive the target attribute of the target resource of the client sent by the client, the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

发送单元，用于在所述客户端的设备角色为移动设备的情况下，向所述客户端发送触发信令，所述触发信令用于触发所述客户端在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；向所述客户端发送配置参数，所述配置参数用于所述客户端配置所述第二安全资源。The sending unit is configured to send trigger signaling to the client when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to create a second on the client A secure resource, where the second secure resource and the at least one first secure resource belong to the same resource type; sending configuration parameters to the client, where the configuration parameters are used by the client to configure the second secure resource.

本申请实施例提供的终端设备，包括处理器和存储器。该存储器用于存储计算机程序，该处理器用于调用并运行该存储器中存储的计算机程序，执行上述的配置客户端的方法。The terminal device provided in the embodiment of the present application includes a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory to execute the above-mentioned method for configuring a client.

本申请实施例提供的芯片，用于实现上述的配置客户端的方法。The chip provided in the embodiment of the present application is used to implement the above-mentioned method for configuring the client.

具体地，该芯片包括：处理器，用于从存储器中调用并运行计算机程序，使得安装有该芯片的设备执行上述的配置客户端的方法。Specifically, the chip includes: a processor, configured to call and run a computer program from the memory, so that the device installed with the chip executes the above-mentioned method for configuring the client.

本申请实施例提供的计算机可读存储介质，用于存储计算机程序，该计算机程序使得计算机执行上述的配置客户端的方法。The computer-readable storage medium provided by the embodiment of the present application is used to store a computer program, and the computer program causes a computer to execute the above-mentioned method for configuring a client.

本申请实施例提供的计算机程序产品，包括计算机程序指令，该计算机程序指令使得计算机执行上述的配置客户端的方法。The computer program product provided by the embodiment of the present application includes computer program instructions, and the computer program instructions cause a computer to execute the above-mentioned method for configuring a client.

本申请实施例提供的计算机程序，当其在计算机上运行时，使得计算机执行上述的配置客户端的方法。The computer program provided by the embodiment of the present application, when it runs on a computer, causes the computer to execute the above-mentioned method for configuring the client.

通过上述技术方案，通过增加客户端的用于表示设备角色的目标属性，使客户端及OBT(即第一配置设备)能区分该客户端属于移动设备还是固定设备，从而选择不同的配置策略。对于属于移动设备的客户端，OBT可以创建新的安全资源并将配置信息写入新创建的安全资源，这样，客户端在具有不同主人(owner)的网络中漫游时，可以分别由当前网络的OBT对其进行配置。尤其是客户端经常往来于两个或以上网络时，由于已支持了这些网络的OBT作为主人，因此不需要每次配置时再重复进行OTM操作，避免了过多繁琐的配置过程。Through the above technical solution, by adding the target attribute of the client to indicate the role of the device, the client and the OBT (that is, the first configuration device) can distinguish whether the client is a mobile device or a fixed device, thereby selecting different configuration strategies. For clients belonging to mobile devices, OBT can create new security resources and write configuration information into the newly created security resources. In this way, when the client roams in a network with different owners, it can be controlled by the current network. OBT configures it. Especially when the client frequently travels to and from two or more networks, since the OBT of these networks has been supported as the master, there is no need to repeat the OTM operation every time it is configured, avoiding too much tedious configuration process.

Description of the drawings

此处所说明的附图用来提供对本申请的进一步理解，构成本申请的一部分，本申请的示意性实施例及其说明用于解释本申请，并不构成对本申请的不当限定。在附图中：The drawings described here are used to provide a further understanding of the application and constitute a part of the application. The exemplary embodiments and descriptions of the application are used to explain the application, and do not constitute an improper limitation of the application. In the attached picture:

图1是本申请实施例提供的一种通信系统架构的示意性图；FIG. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the present application;

图2是本申请实施例提供的OBT配置设备的流程示意图；FIG. 2 is a schematic flowchart of an OBT configuration device provided by an embodiment of the present application;

图3是本申请实施例提供的家庭应用场景示意图；Figure 3 is a schematic diagram of a home application scenario provided by an embodiment of the present application;

图4是本申请实施例提供的配置客户端的方法的流程示意图一；FIG. 4 is a first schematic flowchart of a method for configuring a client provided by an embodiment of the present application;

图5是本申请实施例提供的示例一的流程图；FIG. 5 is a flowchart of example one provided by an embodiment of the present application;

图6是本申请实施例提供的示例二的流程图；FIG. 6 is a flowchart of Example 2 provided by an embodiment of the present application;

图7是本申请实施例提供的配置客户端的方法的流程示意图二；FIG. 7 is a second schematic flowchart of a method for configuring a client provided by an embodiment of the present application;

图8是本申请实施例提供的示例三的流程图；FIG. 8 is a flowchart of Example 3 provided by an embodiment of the present application;

图9是本申请实施例提供的配置客户端的装置的结构组成示意图一；FIG. 9 is a schematic diagram 1 of the structural composition of an apparatus for configuring a client provided by an embodiment of the present application;

图10是本申请实施例提供的配置客户端的装置的结构组成示意图二；FIG. 10 is a second schematic diagram of the structural composition of an apparatus for configuring a client provided by an embodiment of the present application;

图11是本申请实施例提供的配置客户端的装置的结构组成示意图三；FIG. 11 is a schematic diagram 3 of the structural composition of the apparatus for configuring a client provided by an embodiment of the present application; FIG.

图12是本申请实施例提供的配置客户端的装置的结构组成示意图四；FIG. 12 is a fourth schematic diagram of the structural composition of an apparatus for configuring a client provided by an embodiment of the present application; FIG.

图13是本申请实施例提供的一种通信设备示意性结构图；FIG. 13 is a schematic structural diagram of a communication device provided by an embodiment of the present application;

图14是本申请实施例的芯片的示意性结构图；FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application;

图15是本申请实施例提供的一种通信系统的示意性框图。FIG. 15 is a schematic block diagram of a communication system provided by an embodiment of the present application.

detailed description

下面将结合本申请实施例中的附图，对本申请实施例中的技术方案进行描述，显然，所描述的实施例是本申请一部分实施例，而不是全部的实施例。基于本申请中的实施例，本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本申请保护的范围。The technical solutions in the embodiments of the present application will be described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are a part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the protection scope of this application.

通信架构

Communication architecture

开放互联基金会(Open Connectivity Foundation，OCF)定义了客户端和服务端，服务端是指提供资源的设备，客户端是指访问资源的设备。The Open Connectivity Foundation (OCF) defines the client and server. The server refers to the device that provides resources, and the client refers to the device that accesses resources.

OCF采用表述状态转移(Representational State Transfer，RESTful)架构，通过资源来表述物联网实体设备，以及设备提供的功能服务和设备的状态等信息，提供资源的设备是服务端，访问资源的设备是客户端。OCF中定义的客户端和服务端是逻辑功能实体，一个设备可以是客户端、或服务端、或既是客户端又是服务端。OCF adopts the Representational State Transfer (RESTful) architecture, which uses resources to represent the physical devices of the Internet of Things, as well as the functional services provided by the device and the status of the device. The device that provides the resource is the server, and the device that accesses the resource is the client. end. The client and server defined in OCF are logical functional entities. A device can be a client, a server, or both a client and a server.

客户端和服务端的业务交互是通过对资源进行RESTful操作来实现的，RESTful操作可以是创建-读取-更新-删除-通知(Create-Retrieve-Update-Delete-Notify，CRUDN)操作，显然，CRUDN操作可以是以下任意一种或多种操作：创建(Create)、读取(Retrieve)、更新(Update)、删除(Delete)、通知(Notify)。客户端是RESTful操作的发起方，服务端是RESTful操作的响应方，客户端向服务端发送资源操作请求，请求对服务端上的资源进行操作，服务端执行资源操作，并向客户端返回响应，响应中携带资源的内容及描述信息。The business interaction between the client and the server is realized by performing RESTful operations on resources. RESTful operations can be Create-Retrieve-Update-Delete-Notify (CRUDN) operations. Obviously, CRUDN The operation can be any one or more of the following operations: create (Create), read (Retrieve), update (Update), delete (Delete), and notify (Notify). The client is the initiator of the RESTful operation, and the server is the responder of the RESTful operation. The client sends a resource operation request to the server, requesting to operate the resource on the server, the server performs the resource operation, and returns a response to the client , The content and description information of the resource are carried in the response.

图1是本申请实施例提供的一种可选的通信架构图，对资源的描述为资源模型层，每个资源对应一个特定的统一资源标识符(Uniform Resource Identifier，URI)，可通过访问资源的URI来访问这个资源，另外每个资源具有支持Restful操作的相应接口。传输资源内容及描述信息的是传输协议层，通过把资源操作映射到具体的传输协议中，使每个资源的Restful操作转变为实体消息在设备间传递，为设备间的互联互通提供手段。Figure 1 is an optional communication architecture diagram provided by an embodiment of this application. The description of resources is the resource model layer. Each resource corresponds to a specific Uniform Resource Identifier (URI), which can be accessed by To access this resource, each resource has a corresponding interface that supports Restful operations. It is the transmission protocol layer that transmits resource content and description information. By mapping resource operations to specific transmission protocols, the Restful operation of each resource is transformed into an entity message to be transmitted between devices, providing a means for interconnection and intercommunication between devices.

OCF的传输协议采用受限应用协议(Constrained Application Protocol，CoAP)承载资源操作，每个CRUDN操作都映射为CoAP的请求消息或响应消息，客户端可以通过CoAP中的GET、POST、PUT、DELETE这四种方法对服务端的资源进行操作，从而实现资源状态的转换。The OCF transmission protocol adopts the Constrained Application Protocol (CoAP) to carry resource operations. Each CRUDN operation is mapped to a CoAP request message or response message. The client can use CoAP's GET, POST, PUT, DELETE, etc. Four methods operate on the resources of the server, so as to realize the transformation of the resource state.

资源

Resources

◆资源的统一资源标识符(Uniform Resource Identifier，URI)◆Uniform Resource Identifier (URI) of the resource

资源通过URI进行标识和寻址，OCF规定的资源的URI的表现形式如下：ocf://<deviceID>/<path>？<query>，其中，URI各个部分的含义如下：Resources are identified and addressed by URI. The URI of the resource specified by OCF has the following form: ocf://<deviceID>/<path>? <query>, where the meaning of each part of the URI is as follows:

ocf：资源的URI的组织(schema)是“ocf”，如果某个URI省略了双斜杠“//”前面的部分，默认的schema是“ocf”。ocf: The organization (schema) of the resource URI is "ocf". If a URI omits the part before the double slash "//", the default schema is "ocf".

deviceID：服务端的设备标识(ID)，设备ID是设备全局唯一的身份标识。deviceID: The device identification (ID) of the server. The device ID is the globally unique identification of the device.

path：访问某个资源的路径字符串，path在资源所属服务端的范围内全局唯一，可以唯一对应该服务端上的某个资源。path: The path string for accessing a resource. Path is globally unique within the scope of the server to which the resource belongs, and can uniquely correspond to a resource on the server.

query：查询字符串，查询字符串包含“<name>＝<value>”段，也就是“名称-值对”的列表，每一个“名称-值对”都被一个“&”分隔。在OCF中，查询字符串将被映射到CoAP，使用CoAP对应的语法描述。query: query string, the query string contains the "<name>=<value>" segment, which is a list of "name-value pairs", each "name-value pair" is separated by an "&". In OCF, the query string will be mapped to CoAP, using the syntax description corresponding to CoAP.

一个资源的URI可以是绝对URI或相对URI，绝对URI是上述完整URI形式，相对URI不包括schema和deviceID部分，相对URI是相对于其所属的设备，在该设备范围内唯一标识资源，相对URI结合deviceID可以形成绝对URI。The URI of a resource can be an absolute URI or a relative URI. The absolute URI is the above-mentioned complete URI form. The relative URI does not include the schema and deviceID part. The relative URI is relative to the device to which it belongs, and uniquely identifies the resource within the scope of the device. Combine deviceID to form absolute URI.

◆资源模型◆Resource Model

资源模型是实现设备之间互联互通的核心，传输层提供了传输协议的互联互通性，资源模型独立于传输协议，通过把资源模型映射到传输协议中，为设备间完整的互联互通提供技术支撑。The resource model is the core to realize the interconnection and intercommunication between devices. The transmission layer provides the interconnection and interoperability of the transmission protocol. The resource model is independent of the transmission protocol. By mapping the resource model to the transmission protocol, it provides technical support for the complete interconnection and intercommunication between devices. .

资源的特征主要包括URI、属性、资源引用和接口，以下分别描述：The characteristics of resources mainly include URI, attributes, resource references and interfaces, which are described separately as follows:

-URI：每个资源通过URI进行标识和寻址。-URI: Each resource is identified and addressed by URI.

-属性(property)：每个资源包含属性，属性用于描述资源的状态信息，属性以“<key>＝<value>”键值对的形式出现。资源表述即属性的快照。与资源的交互即通过交换包含资源表述的请求和响应实现。例如向资源进行读取请求，通过响应可以获得资源的表述，向资源进行更新请求，可以更新资源的表述。-Property: Each resource contains attributes, which are used to describe the status information of the resource, and the attributes appear in the form of "<key>=<value>" key-value pairs. The resource representation is a snapshot of the attribute. The interaction with resources is realized by exchanging requests and responses that contain resource expressions. For example, a read request is made to a resource, the expression of the resource can be obtained by responding, and an update request is made to the resource to update the expression of the resource.

-资源引用(link)：资源实例来自于资源类型，link用于建立不同资源实例之间的引用关系。-Resource reference (link): The resource instance comes from the resource type, and the link is used to establish the reference relationship between different resource instances.

-接口(interface)：接口是资源的表述和获取的机制，不同的接口对应资源不同的表述以及对应的操作机制。-Interface: An interface is a mechanism for the expression and acquisition of resources. Different interfaces correspond to different expressions of resources and corresponding operating mechanisms.

资源驻留在设备中，一个资源必须有一个URI，URI可以由该资源创建者在创建资源时指定。此外，资源必须具有一个或多个资源类型，创建资源的请求中必须指定该资源对应的资源类型。The resource resides in the device. A resource must have a URI. The URI can be specified by the resource creator when creating the resource. In addition, the resource must have one or more resource types, and the resource type corresponding to the resource must be specified in the resource creation request.

为便于理解本申请实施例的技术方案，以下对本申请实施例涉及到的相关技术进行说明。In order to facilitate the understanding of the technical solutions of the embodiments of the present application, the related technologies involved in the embodiments of the present application will be described below.

设备需要激活后才能在网络中操作或与其他设备进行交互。激活设备的第一步是配置设备的所有权，合法用户通过OBT使用主人转移方法(Owner Transfer Method，OTM)建立设备的所有权，所有权建立后，合法用户再使用OBT配置设备，最终使设备能够正常操作并与其他设备交互。图2给出了OBT配置设备的流程示意图，其中，图2中的CMS代表凭证管理服务(Certificate Management Service)，CMS通常作为OBT的一部分，考虑扩展性和模块化设计，CMS也可作为服务单独部署。如图2所示，OBT配置设备的流程包括以下步骤：The device needs to be activated before it can operate on the network or interact with other devices. The first step in activating the device is to configure the ownership of the device. The legal user uses OBT to establish the ownership of the device using the Owner Transfer Method (OTM). After the ownership is established, the legal user uses OBT to configure the device and finally enables the device to operate normally. And interact with other devices. Figure 2 shows a schematic diagram of the OBT configuration device process. Among them, CMS in Figure 2 stands for Certificate Management Service. CMS is usually part of OBT. Considering scalability and modular design, CMS can also be used as a separate service. deploy. As shown in Figure 2, the process of OBT configuration equipment includes the following steps:

201：OBT发现无主设备。201: OBT found no master device.

具体地，OBT发现网络中需要配置的无主设备(即新设备)。Specifically, OBT discovers unowned devices (that is, new devices) that need to be configured in the network.

202：设备向OBT返回其支持的主人转让方法。202: The device returns the owner transfer method it supports to OBT.

具体地，待配置的设备向OBT返回其支持的主人转让方法。Specifically, the device to be configured returns its supported owner transfer method to OBT.

203：OBT与设备之间执行业务转让握手流程。203: The business transfer handshake process is executed between the OBT and the device.

具体地，OBT根据选择的主人转让方法与待配置的设备之间通过业务转让握手流程建立安全连接。Specifically, the OBT establishes a secure connection with the device to be configured through the service transfer handshake process according to the selected master transfer method.

204：OBT预读设备标识和配置主人身份。204: OBT pre-read device identification and configuration master identity.

具体地，OBT将自身的设备标识配置到设备的/doxm.deviceowneruuid属性，从而建立设备的主人身份。Specifically, OBT configures its own device identifier to the /doxm.deviceowneruuid attribute of the device, thereby establishing the owner identity of the device.

205：OBT请求设备支持的凭证类型。205: OBT requests the credential type supported by the device.

具体地，OBT查看待配置的设备支持的安全凭证类型，如对称密钥、非对称密钥、证书等。Specifically, OBT looks at the types of security credentials supported by the device to be configured, such as symmetric keys, asymmetric keys, certificates, and so on.

206：OBT决定使用哪个凭证。206: OBT decides which voucher to use.

具体地，OBT基于设备支持的凭证类型，选择一个合适的对称安全凭证。Specifically, OBT selects an appropriate symmetric security credential based on the credential type supported by the device.

207：OBT为设备配置对称主人凭证。207: OBT configures a symmetric master credential for the device.

具体地，OBT将所选的对称安全凭证配置到设备的/cred资源。Specifically, OBT configures the selected symmetric security credential to the /cred resource of the device.

208：OBT将设备分配给CMS。208: OBT allocates equipment to CMS.

具体地，OBT将待配置的设备分配给CMS。Specifically, OBT assigns the device to be configured to the CMS.

209：OBT为设备的/doxm资源设置资源主人。209: OBT sets the resource owner for the /doxm resource of the device.

具体地，OBT将自身的设备标识配置到设备的/doxm.rowneruuid属性，以设置/doxm资源的资源主人。Specifically, OBT configures its own device identifier to the /doxm.rowneruuid attribute of the device to set the resource owner of the /doxm resource.

210：OBT为设备的/cred资源设置资源主人。210: OBT sets the resource owner for the /cred resource of the device.

具体地，OBT将自身的设备标识(CMS的标识)配置到设备的/cred.rowneruuid属性，以设置/cred资源的资源主人。Specifically, OBT configures its own device identification (identification of CMS) to the /cred.rowneruuid attribute of the device to set the resource owner of the /cred resource.

211：OBT配置CMS凭证。211: OBT configures CMS credentials.

具体地，OBT将用于与CMS建立安全连接的凭证配置到设备的/cred.creds属性，以设置CMS凭证。Specifically, the OBT configures the credential used to establish a secure connection with the CMS to the /cred.creds property of the device to set the CMS credential.

212：CMS改变设备状态为业务配置状态。212: The CMS changes the device state to the service configuration state.

如果CMS作为OBT的一部分，则可以表述成OBT改变设备状态为业务配置状态。If CMS is used as part of OBT, it can be expressed as OBT changes the device state to the service configuration state.

213：CMS为设备和对等设备配置凭证。213: CMS configures credentials for devices and peer devices.

具体地，CMS将用于与其他设备建立局域网安全连接的凭证配置到设备的/cred.creds属性。Specifically, the CMS configures the credential used to establish a secure LAN connection with other devices to the /cred.creds property of the device.

如果CMS作为OBT的一部分，则可以表述成OBT为设备和对等设备配置凭证。If CMS is used as part of OBT, it can be expressed as OBT to configure credentials for devices and peer devices.

214：CMS改变设备状态为正常工作状态。214: CMS changes the device status to normal working status.

如果CMS作为OBT的一部分，则可以表述成OBT改变设备状态为正常工作状态。If CMS is used as part of OBT, it can be expressed as OBT to change the device state to normal working state.

其中，/doxm资源的结构为：Among them, the structure of /doxm resource is:

OBT是网络的主人，可以配置网络中的设备。设备被OBT配置后，该OBT为被配置设备的主人。例如，图3是一个家庭中应用的场景，如图3所示，手机1(例如用户1使用的手机)作为OBT，手机2(例如用户2使用的手机)作为待配置的设备，智能家电1和智能家电2可以位于两个不同的房间。在该场景下，可以有如下配置流程：OBT is the owner of the network and can configure the devices in the network. After the device is configured by OBT, the OBT is the owner of the configured device. For example, Figure 3 is an application scenario in a home. As shown in Figure 3, mobile phone 1 (for example, the mobile phone used by user 1) is used as OBT, and mobile phone 2 (for example, the mobile phone used by user 2) is used as the device to be configured, and smart home appliance 1 And the smart appliance 2 can be located in two different rooms. In this scenario, there can be the following configuration process:

1)手机1安装OBT。1) Mobile phone 1 installs OBT.

2)手机1创建家庭以及管理者(admin)、家庭成员(family)、访客(guest)等各种用户角色。2) The mobile phone 1 creates a family and various user roles such as admin, family, and guest.

3)手机1发现并配置智能家电1，从而手机1可以控制智能家电1。3) The mobile phone 1 discovers and configures the smart home appliance 1, so that the mobile phone 1 can control the smart home appliance 1.

4)手机2安装客户端。4) Mobile phone 2 installs the client.

5)手机1的OBT发现手机2的客户端，对手机2的客户端进行配置，赋予其family权限，则手机2也可以控制智能家电1。5) The OBT of mobile phone 1 finds the client of mobile phone 2, configures the client of mobile phone 2, and grants it family permission, then mobile phone 2 can also control smart home appliance 1.

6)手机1也可以赋予手机2admin权限，则手机2也可以配置和管理智能家电1。6) Mobile phone 1 can also give mobile phone 2 admin rights, and mobile phone 2 can also configure and manage smart home appliances 1.

进一步，对于一个新的智能家电，如智能家电2，采取与智能家电1相同的方式进行配置。对于一个新的客户端，采取与手机2的客户端相同的方式配置其角色和权限。Further, for a new smart home appliance, such as smart home appliance 2, it is configured in the same way as smart home appliance 1. For a new client, configure its roles and permissions in the same way as the client of mobile phone 2.

客户端只能由一个OBT配置，即一个客户端只能有一个设备主人(device owner)，该客户端的/doxm资源、/cred资源等安全资源也只能有一个资源主人(resource owner)。由于只有主人具有配置相应资源的权限，因此，在手机2的客户端被用户1的OBT配置后，当手机2移动到办公室的时候，由于办公室网络的主人是用户3，则用户3的OBT无法配置手机2的客户端使其与办公室网络中的其他设备互联互通。A client can only be configured by one OBT, that is, a client can only have one device owner, and the client's security resources such as /doxm resources and /cred resources can only have one resource owner. Since only the owner has the authority to configure the corresponding resources, after the client of mobile phone 2 is configured by user 1’s OBT, when mobile phone 2 moves to the office, since the owner of the office network is user 3, user 3’s OBT cannot Configure the client of mobile phone 2 to communicate with other devices in the office network.

既使重置手机2的客户端使用户3的OBT能够配置手机2的客户端，当手机2再次移动到家后，无法再次控制家中的家电设备，需要由用户1的OBT重新配置。这样手机2在不同安全域网络中移动时，每次都需要重新配置，用户体验不好。为此，提出了本申请实施例的以下技术方案。Even if the client terminal of the mobile phone 2 is reset so that the OBT of the user 3 can configure the client terminal of the mobile phone 2, when the mobile phone 2 moves home again, it cannot control the household appliances at home again, and needs to be reconfigured by the OBT of the user 1. In this way, mobile phone 2 needs to be reconfigured every time when it moves in a different security domain network, and the user experience is not good. To this end, the following technical solutions of the embodiments of the present application are proposed.

图4是本申请实施例提供的配置客户端的方法的流程示意图一，如图4所示，所述配置客户端的方法包括以下步骤：Fig. 4 is a first schematic flowchart of a method for configuring a client provided by an embodiment of the present application. As shown in Fig. 4, the method for configuring a client includes the following steps:

步骤401：客户端向第一配置设备发送所述客户端的目标资源的目标属性，第一配置设备接收客户端发送的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源。Step 401: The client sends the target attribute of the target resource of the client to the first configuration device, and the first configuration device receives the target attribute of the target resource sent by the client, where the target attribute is used to indicate the device role of the client; Wherein, the client has at least one first secure resource.

本申请实施例中，所述客户端是指待配置设备中的客户端。其中，待配置设备例如是手机、平板电脑、笔记本、可穿戴设备等任意形式的终端。In the embodiment of the present application, the client refers to a client in the device to be configured. Among them, the device to be configured is, for example, a terminal of any form such as a mobile phone, a tablet computer, a notebook, a wearable device, and the like.

本申请实施例中，第一配置设备上安装有第一OBT，若不做特殊说明，本申请实施中的第一配置设备都可以被替换为第一OBT。In the embodiment of this application, the first OBT is installed on the first configuration device. Unless otherwise specified, the first configuration device in the implementation of this application can be replaced with the first OBT.

本申请实施例中，所述客户端具有至少一个第一安全资源，第一安全资源包括以下至少之一：/doxm资源、/cred资源。例如客户端具有/doxm资源、/doxm1资源。再例如客户端具有/cred资源、/cred1资源。又例如客户端具有{/doxm资源、/cred资源}、{/doxm1资源、/cred1资源}。需要说明的是，这里是以客户端具有两个资源为例进行说明，不局限于此，所述客户端原来具有的安全资源的数目可以是1个，或3个，或4个，或5个等等。In the embodiment of the present application, the client has at least one first secure resource, and the first secure resource includes at least one of the following: /doxm resource, /cred resource. For example, the client has /doxm resources and /doxm1 resources. For another example, the client has a /cred resource and a /cred1 resource. For another example, the client has {/doxm resource, /cred resource}, {/doxm1 resource, /cred1 resource}. It should be noted that the client has two resources as an example for description, and it is not limited to this. The number of secure resources originally possessed by the client can be 1, or 3, or 4, or 5. And so on.

本申请实施例中，所述客户端的目标资源具有目标属性，可选地，目标资源可以是/pstat资源，或者/doxm资源等其他资源，也可以是新创建的资源。进一步，可选地，目标属性可以是provisionas属性，用于表示所述客户端的设备角色。In the embodiment of the present application, the target resource of the client has a target attribute. Optionally, the target resource may be a /pstat resource, or other resources such as a /doxm resource, or a newly created resource. Further, optionally, the target attribute may be a provisionas attribute, which is used to indicate the device role of the client.

具体实现时，所述第一配置设备向所述客户端发送第一请求消息，所述客户端接收所述第一配置设备发送的第一请求消息，所述第一请求消息用于请求所述客户端的目标资源的目标属性；所述客户端向所述第一配置设备发送第一响应消息，所述第一配置设备接收所述客户端发送的第一响应消息，所述第一响应消息用于向所述第一配置设备通知所述客户端的目标资源的目标属性。In specific implementation, the first configuration device sends a first request message to the client, and the client receives a first request message sent by the first configuration device, and the first request message is used to request the The target attribute of the target resource of the client; the client sends a first response message to the first configuration device, the first configuration device receives a first response message sent by the client, and the first response message is used Informing the first configuration device of the target attribute of the target resource of the client.

本申请实施例中，所述目标资源的目标属性的取值支持第一取值，所述第一取值用于表示设备角色为移动设备；或者，所述目标资源的目标属性的取值支持第二取值，所述第二取值用于表示设备角色为固定设备。In the embodiment of the present application, the value of the target attribute of the target resource supports a first value, and the first value is used to indicate that the device role is a mobile device; or, the value of the target attribute of the target resource supports A second value, where the second value is used to indicate that the device role is a fixed device.

举个例子：第一取值为“移动的(mobile)”，代表设备角色为移动设备。第二取值为“固定的(stationary)”，代表设备角色为固定设备。For example: the first value is "mobile", which means that the device role is a mobile device. The second value is "stationary", which means that the device role is a stationary device.

在一可选实施方式中，所述客户端检查所述客户端的目标资源的目标属性；所述目标属性的取值为所述第一取值的情况下，则所述客户端进入配置模式后，保留已存在的资源配置；或者，所述目标属性的取值为所述第二取值的情况下，则所述客户端进入配置模式后，删除已存在的资源配置。In an optional implementation manner, the client checks the target attribute of the target resource of the client; if the value of the target attribute is the first value, after the client enters the configuration mode , To retain the existing resource configuration; or, in the case where the value of the target attribute is the second value, after the client enters the configuration mode, the existing resource configuration is deleted.

步骤402：所述客户端的设备角色为移动设备的情况下，所述第一配置设备向所述客户端发送第一创建信令，所述客户端接收所述第一配置设备发送的第一创建信令，基于所述第一创建信令在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型。Step 402: When the device role of the client is a mobile device, the first configuration device sends a first creation signaling to the client, and the client receives the first creation sent by the first configuration device. Signaling, creating a second security resource on the client based on the first creation signaling, where the second security resource and the at least one first security resource belong to the same resource type.

具体实现时，所述客户端的设备角色为移动设备的情况下，所述第一配置设备向所述客户端发送第二请求消息，所述客户端接收所述第一配置设备发送的第二请求消息，所述第二请求消息用于请求所述客户端的资源内容；所述客户端向所述第一配置设备发送所述客户端的资源内容，所述第一配置设备接收所述客户端发送的所述客户端的资源内容，所述资源内容包括所述至少一个第一安全资源的标识和资源类型；所述第一配置设备向所述客户端发送第一创建信令，所述客户端接收所述第一配置设备发送的第一创建信令，所述第一创建信令用于创建所述第二安全资源。In specific implementation, when the device role of the client is a mobile device, the first configuration device sends a second request message to the client, and the client receives the second request sent by the first configuration device Message, the second request message is used to request resource content of the client; the client sends the resource content of the client to the first configuration device, and the first configuration device receives the resource content sent by the client The resource content of the client, the resource content includes the identification and resource type of the at least one first secure resource; the first configuration device sends the first creation signaling to the client, and the client receives the The first creation signaling sent by the first configuration device, where the first creation signaling is used to create the second security resource.

这里，客户端将已经存在的所述至少一个第一安全资源的标识和资源类型告知第一配置设备，第一配置设备就知道客户端具有至少一个第一安全资源，从而可以避免新创建的第二安全资源与已有的至少一个第一安全资源重名。Here, the client informs the first configuration device of the identification and resource type of the at least one first security resource that already exists, and the first configuration device knows that the client has at least one first security resource, so that the newly created first security resource can be avoided. The second security resource has the same name as at least one existing first security resource.

步骤403：所述第一配置设备向所述客户端发送第一配置信令，所述客户端接收所述第一配置设备发送的第一配置信令，基于所述第一配置信令配置所述第二安全资源。Step 403: The first configuration device sends first configuration signaling to the client, and the client receives the first configuration signaling sent by the first configuration device, and configures the station based on the first configuration signaling. The second security resource.

这里，所述第一配置信令用于配置所述第二安全资源。Here, the first configuration signaling is used to configure the second security resource.

本申请实施例中，所述第二安全资源的第一部分属性基于所述至少一个第一安全资源中的其中一个第一安全资源确定；所述第二安全资源的第二部分属性基于所述第一配置信令确定。In the embodiment of the present application, the first partial attribute of the second secure resource is determined based on one of the first secure resources in the at least one first secure resource; the second partial attribute of the second secure resource is determined based on the first secure resource A configuration signaling is determined.

在一可选实施方式中，所述第一部分属性包括以下至少之一：oxms属性、oxmsel属性、sct属性、owned属性和deviceuuid属性。In an optional embodiment, the first part of attributes includes at least one of the following: oxms attribute, oxmsel attribute, sct attribute, owned attribute, and deviceuuid attribute.

在一可选实施方式中，所述第二部分属性包括以下至少之一：/doxm/deviceowneruuid属性(即第一属性)、/doxm/rowneruuid属性(即第二属性)、/cred/rowneruuid属性(即第四属性)、/cred/creds属性(即第五属性)。其中，/doxm/deviceowneruuid属性和/doxm/rowneruuid属性属于/doxm资源类型的属性，/cred/rowneruuid属性和/cred/creds属性属于/cred资源类型的属性。In an optional implementation, the second part of the attributes includes at least one of the following: /doxm/deviceowneruuid attribute (ie the first attribute), /doxm/rowneruuid attribute (ie the second attribute), /cred/rowneruuid attribute ( Namely the fourth attribute), /cred/creds attribute (that is, the fifth attribute). Among them, the /doxm/deviceowneruuid attribute and the /doxm/rowneruuid attribute belong to the attribute of the /doxm resource type, and the /cred/rowneruuid attribute and the /cred/creds attribute belong to the attribute of the /cred resource type.

本申请实施例中，所述至少一个第一安全资源和所述第二安全资源属于相同的资源类型，以下结合两种资源类型进行描述。In the embodiment of the present application, the at least one first security resource and the second security resource belong to the same resource type, which is described below in combination with two resource types.

所述至少一个第一安全资源和所述第二安全资源均属于第一资源类型，所述第一资源类型为与主人相关的资源。

The at least one first security resource and the second security resource both belong to a first resource type, and the first resource type is a resource related to the owner.

这里，第一资源类型为/doxm资源类型。例如：客户端原来具有/doxm资源、/doxm2资源，新创建的安全资源为/doxm3资源。例如：客户端原来具有/doxm资源、/doxm2资源、/doxm3资源，新创建的安全资源为/doxm4资源。需要说明的是，本申请实施例对客户端原来具有的第一安全资源的数目不做限制。Here, the first resource type is the /doxm resource type. For example: the client originally had /doxm resources and /doxm2 resources, and the newly created security resource was /doxm3 resources. For example, the client originally had /doxm resources, /doxm2 resources, and /doxm3 resources, and the newly created security resource was /doxm4 resource. It should be noted that the embodiment of the present application does not limit the number of first security resources originally possessed by the client.

具体实现时，所述客户端接收所述第一配置设备发送的第一配置信令，所述第一配置信令携带所述第一配置设备的第一设备标识；这里，所述第一配置信令用于配置所述第二安全资源的第一属性(如deviceowneruuid属性)和第二属性(如rowneruuid属性)；所述客户端基于所述第一配置信令配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。During specific implementation, the client receives the first configuration signaling sent by the first configuration device, and the first configuration signaling carries the first device identifier of the first configuration device; here, the first configuration The signaling is used to configure the first attribute (such as deviceowneruuid attribute) and the second attribute (such as rowneruuid attribute) of the second security resource; the client configures the second security resource based on the first configuration signaling The first attribute and the second attribute, wherein the first attribute is used to indicate a device owner identifier, the second attribute is used to indicate a resource owner identifier, and the value of the first attribute is the first device identifier, The value of the second attribute is the first device identifier.

进一步，可选地，所述第一配置设备向所述客户端发送第二配置信令，所述第二配置信令用于配置所述第二安全资源的第三属性(如owned属性)；所述客户端接收所述第一配置设备发送的第二配置信令，基于所述第二配置信令配置所述第二安全资源的第三属性，其中，所述第三属性用于表示是否创建设备主人，所述第三属性的取值为第三取值(如true)，所述第三取值用于表示已创建设备主人；所述客户端将所述至少一个第一安全资源的第三属性设置为所述第三取值(如true)。Further, optionally, the first configuration device sends second configuration signaling to the client, where the second configuration signaling is used to configure a third attribute (such as an owned attribute) of the second security resource; The client receives the second configuration signaling sent by the first configuration device, and configures the third attribute of the second security resource based on the second configuration signaling, where the third attribute is used to indicate whether Create a device owner, the value of the third attribute is a third value (for example, true), and the third value is used to indicate that the device owner has been created; the client terminal sets the value of the at least one first secure resource The third attribute is set to the third value (such as true).

所述至少一个第一安全资源和所述第二安全资源均属于第二资源类型，所述第二资源类型为与凭证相关的资源。

The at least one first security resource and the second security resource both belong to a second resource type, and the second resource type is a resource related to a credential.

这里，第二资源类型为/cred资源类型。例如：客户端原来具有/cred资源、/cred2资源，新创建的安全资源为/cred3资源。例如：客户端原来具有/cred资源、/cred2资源、/cred3资源，新创建的安全资源为/cred4资源。需要说明的是，本申请实施例对客户端原来具有的第一安全资源的数目不做限制。Here, the second resource type is the /cred resource type. For example: the client originally had the /cred resource and the /cred2 resource, and the newly created security resource was the /cred3 resource. For example: the client originally had /cred resources, /cred2 resources, and /cred3 resources, and the newly created security resource was /cred4 resource. It should be noted that the embodiment of the present application does not limit the number of first security resources originally possessed by the client.

具体实现时，所述客户端接收所述第一配置设备发送的第一配置信令，所述第一配置信令携带所述第一配置设备的第一设备标识和凭证内容；所述第一配置信令用于配置所述第二安全资源的第四属性(如rowneruuid属性)和第五属性(如creds属性)；所述客户端基于所述第一配置信令配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。In specific implementation, the client receives the first configuration signaling sent by the first configuration device, and the first configuration signaling carries the first device identifier and the credential content of the first configuration device; the first The configuration signaling is used to configure the fourth attribute (such as rowneruuid attribute) and the fifth attribute (such as creds attribute) of the second security resource; the client configures the second security resource based on the first configuration signaling The fourth attribute and the fifth attribute of, wherein the fourth attribute is used to indicate the resource owner identification, the fifth attribute is used to indicate the content of the voucher, and the value of the fourth attribute is the first device identification.

需要说明的是，客户端具有的至少一个第一安全资源和新创建的第二安全资源可以都属于/doxm资源类型，或者都属于/cred资源类型。不局限于此，第一安全资源可以包括两种类型的资源(如/doxm资源类型、/cred资源类型)，相应地，新创建的第二安全资源也可以包括两种类型的资源(如/doxm资源类型、/cred资源类型)，新创建第二安全资源时，需要保证与已有的安全资源的资源类型一致。It should be noted that the at least one first security resource and the newly created second security resource possessed by the client may both belong to the /doxm resource type, or both belong to the /cred resource type. Not limited to this, the first secure resource may include two types of resources (such as /doxm resource type, /cred resource type), and accordingly, the newly created second secure resource may also include two types of resources (such as / Doxm resource type, /cred resource type), when creating a new second security resource, you need to ensure that it is consistent with the resource type of the existing security resource.

需要说明的是，本申请实施例的技术方案中，客户端具有的第一安全资源的数目大部分是以两个为例进行说明，不局限于此，客户端具有的第一安全资源的数目也可以是其他数目。It should be noted that, in the technical solution of the embodiment of the present application, the number of first secure resources owned by the client is mostly explained by taking two as an example, and it is not limited to this. The number of first secure resources owned by the client Other numbers are also possible.

以下结合5和图6对本申请实施例的技术进行举例说明，需要说明的是，图5中的方案是以扩展/doxm资源为例进行说明，图6中的方案是以扩展/doxm资源和/cred资源为例进行说明。The following uses 5 and FIG. 6 to illustrate the technology of the embodiment of the present application. It should be noted that the solution in FIG. 5 is based on the extension/doxm resource as an example, and the solution in FIG. 6 is based on the extension/doxm resource and/ Take the cred resource as an example.

示例一：Example 1:

在客户端的/oic/sec/pstat资源(简称/pstat资源)中增加一个provisionas属性，属性值为枚举类型，可选的属性值包括“移动的(mobile)”和“固定的(stationary)”。Add a provisionas attribute to the client's /oic/sec/pstat resource (/pstat resource for short), the attribute value is an enumerated type, and the optional attribute values include "mobile" and "stationary" .

此时，/oic/sec/pstat资源的表示形式为：At this time, the representation of the /oic/sec/pstat resource is:

上述provisionas属性的值可以在客户端开发时指定。若客户端出厂时未指定provisionas属性值，则可在客户端被配置时由OBT进行配置。若客户端出厂时指定了provisionas属性值，也可在客户端被配置时进行变更。The value of the above provisionas attribute can be specified during client development. If the client does not specify the provisionas attribute value when it leaves the factory, it can be configured by OBT when the client is configured. If the provisionas attribute value is specified when the client is shipped from the factory, it can also be changed when the client is configured.

假设一个智能手表，出厂时未指定provisionas属性值。在进入第一个网络(家庭1网络)时，家庭1网络的OBT对其进行了配置，并将provisionas属性值设置为“mobile”。之后该手表进入了第二个网络(家庭2网络)，由家庭2网络的OBT对其进行了配置。Assume that a smart watch does not specify the provisionas attribute value when it leaves the factory. When entering the first network (home 1 network), the OBT of the home 1 network configured it and set the provisionas attribute value to "mobile". After that, the watch entered the second network (home 2 network), which was configured by the OBT of the home 2 network.

此时，用户佩戴该手表进入了家庭3网络，家庭3网络的OBT配置该手表的流程如图5所示，其中，客户端代表手表，OBT代表家庭3网络的OBT，受控设备为家庭3网络中的设备。如图5所示，具体流程包括以下步骤：At this time, the user wears the watch and enters the home 3 network. The OBT of the home 3 network configures the watch as shown in Figure 5. The client represents the watch, OBT represents the OBT of the home 3 network, and the controlled device is the home 3 Devices in the network. As shown in Figure 5, the specific process includes the following steps:

步骤501：客户端进入配置状态(主人＝假)。Step 501: The client enters the configuration state (master=false).

这里，“主人＝假”代表客户端为未配置主人的客户端。Here, "master=false" represents that the client is a client without a master configured.

具体地，客户端进入配置状态(即配置模式)后，设置/oic/sec/doxm资源的owned属性为false(即owned＝false)。Specifically, after the client enters the configuration state (ie, configuration mode), the owned attribute of the /oic/sec/doxm resource is set to false (ie, owned=false).

客户端检查自身/oic/sec/pstat资源的provisionas属性，若值为“mobile”，则进入配置状态后保留之前的资源配置；若值为“stationary”，则进入配置状态后清除之前的资源配置。The client checks the provisionas attribute of its /oic/sec/pstat resource. If the value is "mobile", the previous resource configuration will be retained after entering the configuration state; if the value is "stationary", the previous resource configuration will be cleared after entering the configuration state .

步骤502：OBT进行设备发现。Step 502: OBT performs device discovery.

具体地，OBT发送广播或组播Get/oic/sec/doxm？owned＝false消息来发现未被配置主人(unowned)的设备，找到客户端。客户端返回/oic/sec/doxm资源内容。Specifically, OBT sends broadcast or multicast Get/oic/sec/doxm? The owned=false message is used to discover unowned devices and find the client. The client returns /oic/sec/doxm resource content.

步骤503：OBT根据目标资源的目标属性查看设备角色。Step 503: The OBT checks the device role according to the target attribute of the target resource.

这里，OBT例如是/pstat资源，目标属性例如是provisionas属性。Here, the OBT is, for example, the /pstat resource, and the target attribute is, for example, the provisionas attribute.

具体地，OBT与客户端建立连接，发送Get/oic/sec/pstat消息来获取客户端的/pstat资源的provisionas属性，查看其设备角色。Specifically, the OBT establishes a connection with the client, and sends a Get/oic/sec/pstat message to obtain the provisionas attribute of the client's /pstat resource, and view its device role.

客户端返回设备角色为“mobile”。需要说明的是，若客户端返回设备角色为“stationary”，则按照正常配置流程进行配置。The client returns the device role as "mobile". It should be noted that if the client returns the device role as "stationary", it will be configured according to the normal configuration process.

步骤504：OBT获取客户端的资源内容。Step 504: OBT obtains the resource content of the client.

具体地，OBT发送Get/oic/res消息，来获取客户端的/oic/res资源内容，得到客户端的全部资源链接的表示如下(下例有省略)：。Specifically, OBT sends a Get/oic/res message to obtain the client's /oic/res resource content, and the representation of all resource links obtained from the client is as follows (the following example is omitted):.

步骤505：OBT查看客户端的doxm资源类型，得到/doxm资源、/doxm2资源。Step 505: The OBT checks the doxm resource type of the client, and obtains the /doxm resource and the /doxm2 resource.

具体地，OBT查看客户端的doxm资源类型(rt属性包含oic.r.doxm)，找到/oic/sec/doxm资源(简称/doxm资源)和/oic/sec/doxm2(简称/doxm2资源)。Specifically, the OBT checks the client's doxm resource type (the rt attribute includes oic.r.doxm), and finds the /oic/sec/doxm resource (abbreviated as /doxm resource) and /oic/sec/doxm2 (abbreviated as /doxm2 resource).

步骤506：OBT创建/doxm3资源。Step 506: OBT creates a /doxm3 resource.

具体地，OBT发送以下消息，以创建/doxm3资源：Specifically, OBT sends the following message to create the /doxm3 resource:

通过上述消息在客户端上创建一个新的doxm资源，即/oic/sec/doxm3(简称/doxm3资源)。其中，/doxm3资源的"oxms"、"oxmsel"、"sct"、"owned"和"deviceuuid"属性值根据客户端已有的/oic/sec/doxm资源的相应属性值进行确定。Create a new doxm resource on the client through the above message, namely /oic/sec/doxm3 (abbreviated as /doxm3 resource). Among them, the "oxms", "oxmsel", "sct", "owned", and "deviceuuid" attribute values of the /doxm3 resource are determined according to the corresponding attribute values of the /oic/sec/doxm resource that the client has existing.

步骤507：OBT配置/doxm3资源。Step 507: OBT configuration/doxm3 resource.

具体地，OBT配置/oic/sec/doxm3资源，将/oic/sec/doxm3资源的deviceowneruuid和rowneruuid属性设置为OBT的设备标识(device ID)。Specifically, OBT configures the /oic/sec/doxm3 resource, and sets the deviceowneruuid and rowneruuid attributes of the /oic/sec/doxm3 resource as the device ID of the OBT.

步骤508：OBT将doxm3资源的主人属性设置为真(即主人＝真)，客户端同步doxm资源和doxm2资源的主人属性为真。Step 508: The OBT sets the owner attribute of the doxm3 resource to true (ie, master=true), and the client synchronizes the doxm resource and the owner attribute of the doxm2 resource to true.

步骤509：OBT配置凭证。Step 509: OBT configures the credential.

具体地，OBT配置客户端的/oic/sec/cred资源，为其分配对称(pairwise)安全凭证。Specifically, the OBT configures the client's /oic/sec/cred resource and allocates pairwise security credentials to it.

步骤510：OBT配置凭证。Step 510: OBT configures credentials.

具体地，OBT配置受控设备的/oic/sec/cred资源，为其分配pairwise安全凭证。Specifically, OBT configures the /oic/sec/cred resource of the controlled device and assigns pairwise security credentials to it.

步骤511：客户端与受控设备使用凭证进行通信。Step 511: The client communicates with the controlled device using the credential.

具体地，客户端通过pairwise安全凭证与受控设备建立连接并对受控设备进行控制。Specifically, the client establishes a connection with the controlled device through pairwise security credentials and controls the controlled device.

此时，手表可以与家庭3网络中的受控设备进行连接，实现各种智能化场景操作。当手表重新进入家庭1网络或家庭2网络时，仍可与家庭1网络或家庭2网络中的受控设备进行连接，实现各种智能化场景操作。并且，家庭1网络、家庭2网络或家庭3网络中的OBT可直接对手表进行设置，而不用重新开展初始化配置流程。At this point, the watch can be connected with controlled devices in the home 3 network to realize various intelligent scene operations. When the watch re-enters the home 1 network or the home 2 network, it can still be connected with the controlled devices in the home 1 network or the home 2 network to realize various intelligent scene operations. In addition, the OBT in the home 1 network, home 2 network, or home 3 network can directly set the watch without re-starting the initial configuration process.

示例二Example two

此时，用户佩戴该手表进入了家庭3网络，家庭3网络的OBT配置该手表的流程如图6所示，其中，客户端代表手表，OBT代表家庭3网络的OBT，受控设备为家庭3网络中的设备。如图6所示，具体流程包括以下步骤：At this time, the user wears the watch and enters the home 3 network. The OBT of the home 3 network configures the watch as shown in Figure 6. The client represents the watch, OBT represents the OBT of the home 3 network, and the controlled device is the home 3 Devices in the network. As shown in Figure 6, the specific process includes the following steps:

步骤601：客户端进入配置状态(主人＝假)。Step 601: The client enters the configuration state (master=false).

步骤602：OBT进行设备发现。Step 602: OBT performs device discovery.

步骤603：OBT根据目标资源的目标属性查看设备角色。Step 603: The OBT checks the device role according to the target attribute of the target resource.

步骤604：OBT获取客户端的资源内容。Step 604: OBT obtains the resource content of the client.

Get/oic/resGet/oic/res

获取Client的/oic/res资源内容，得到Client的全部资源链接表述(下例有省略)。Get the client's /oic/res resource content, and get the description of all the client's resource links (the following example is omitted).

步骤605：OBT查看客户端的doxm资源类型，得到/doxm资源、/doxm2资源。Step 605: The OBT checks the doxm resource type of the client, and obtains the /doxm resource and the /doxm2 resource.

步骤606：OBT创建/doxm3资源。Step 606: OBT creates a /doxm3 resource.

步骤607：OBT配置/doxm3资源。Step 607: OBT configuration/doxm3 resource.

步骤608：OBT将doxm3资源的主人属性设置为真(即主人＝真)，客户端同步doxm资源和doxm2资源的主人属性为真。Step 608: OBT sets the owner attribute of the doxm3 resource to true (ie, master=true), and the client synchronizes the doxm resource and the owner attribute of the doxm2 resource to true.

步骤609：OBT查看客户端的cred类型资源，得到/cred资源、/cred2资源。Step 609: The OBT checks the cred type resource of the client, and obtains the /cred resource and the /cred2 resource.

具体地，OBT得到/oic/res资源后，判断客户端有两个cred资源类型(rt属性包含oic.r.cred)，分别为/oic/sec/cred资源(简称/cred资源)和/oic/sec/cred2资源(简称/cred2资源)。Specifically, after OBT obtains the /oic/res resource, it judges that the client has two cred resource types (the rt attribute includes oic.r.cred), namely /oic/sec/cred resource (abbreviated as /cred resource) and /oic /sec/cred2 resource (abbreviated as /cred2 resource).

步骤610：OBT创建/cred3资源。Step 610: OBT creates a /cred3 resource.

具体地，OBT发送以下消息，以创建/cred3资源：Specifically, OBT sends the following message to create a /cred3 resource:

进一步，OBT配置/oic/sec/cred3资源(简称/cred3资源)，将/oic/sec/cred3资源的rowneruuid属性设置为OBT的设备标识(device ID)。Further, OBT configures the /oic/sec/cred3 resource (/cred3 resource for short), and sets the rowneruuid attribute of the /oic/sec/cred3 resource to the device ID of the OBT.

步骤611：OBT配置凭证。Step 611: OBT configures credentials.

具体地，OBT进一步配置/oic/sec/cred3资源，为其分配pairwise安全凭证，将凭证写入/oic/sec/cred3资源的creds属性。Specifically, OBT further configures the /oic/sec/cred3 resource, allocates pairwise security credentials to it, and writes the credentials into the creds attribute of the /oic/sec/cred3 resource.

步骤612：OBT配置凭证。Step 612: OBT configures credentials.

步骤613：客户端与受控设备使用凭证进行通信。Step 613: The client communicates with the controlled device using the credential.

图7为本申请实施例提供的配置客户端的方法的流程示意图二，如图7所示，所述配置客户端的方法包括以下步骤：FIG. 7 is a schematic diagram of the second flow of a method for configuring a client provided by an embodiment of the application. As shown in FIG. 7, the method for configuring a client includes the following steps:

步骤701：客户端向第一配置设备发送所述客户端的目标资源的目标属性，第一配置设备接收客户端发送的所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源。Step 701: The client sends the target attribute of the target resource of the client to the first configuration device, and the first configuration device receives the target attribute of the target resource of the client sent by the client, and the target attribute is used to indicate the client The device role of the terminal; wherein, the client has at least one first security resource.

本申请实施例中，所述客户端是指待配置设备中的客户端。其中，待配置设备例如是手机、平板电脑、笔记本、可穿戴设备等任意形式的终端。In the embodiment of the present application, the client refers to the client in the device to be configured. Among them, the device to be configured is, for example, a terminal of any form such as a mobile phone, a tablet computer, a notebook, a wearable device, etc.

步骤702：所述客户端的设备角色为移动设备的情况下，所述第一配置设备向所述客户端发送触发信令，所述客户端接收所述第一配置设备发送的触发信令，所述触发信令用于触发所述客户端启动设备主导配置。Step 702: When the device role of the client is a mobile device, the first configuration device sends trigger signaling to the client, and the client receives the trigger signaling sent by the first configuration device. The trigger signaling is used to trigger the client to initiate device-led configuration.

这里，所述触发信令用于触发所述客户端启动设备主导配置是指触发所述客户端在所述客户端上创建第二安全资源。Here, that the trigger signaling is used to trigger the client to initiate device-led configuration refers to triggering the client to create a second secure resource on the client.

步骤703：所述客户端在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型。Step 703: The client creates a second secure resource on the client, where the second secure resource and the at least one first secure resource belong to the same resource type.

步骤704：所述第一配置设备向所述客户端发送配置参数，所述客户端从所述第一配置设备获取配置参数，所述客户端基于所述配置参数配置所述第二安全资源。Step 704: The first configuration device sends configuration parameters to the client, the client obtains the configuration parameters from the first configuration device, and the client configures the second security resource based on the configuration parameters.

这里，所述配置参数用于所述客户端配置所述第二安全资源。Here, the configuration parameter is used by the client to configure the second security resource.

本申请实施例中，所述第二安全资源的第一部分属性基于所述至少一个第一安全资源中的其中一个第一安全资源确定；所述第二安全资源的第二部分属性基于所述配置参数确定。In the embodiment of the present application, the first partial attribute of the second secure resource is determined based on one of the first secure resources in the at least one first secure resource; the second partial attribute of the second secure resource is based on the configuration The parameters are determined.

这里，第一资源类型为/doxm资源类型。例如：客户端原来具有/doxm资源、/doxm2资源，新创建的安全资源为/doxm3资源。例如：客户端原来具有/doxm资源、/doxm2资源、/doxm3资源，新创建的安全资源为/doxm4资源。需要说明的是，本申请实施例对客户端原来具有的第一安全资源的数目不做限制。Here, the first resource type is the /doxm resource type. For example: the client originally had /doxm resources and /doxm2 resources, and the newly created security resource was /doxm3 resources. For example: the client originally had /doxm resources, /doxm2 resources, and /doxm3 resources, and the newly created security resource was /doxm4 resource. It should be noted that the embodiment of the present application does not limit the number of first security resources originally possessed by the client.

具体实现时，所述客户端从所述第一配置设备获取所述第一配置设备的第一设备标识，所述第一设备标识用于配置所述第二安全资源的第一属性(如deviceowneruuid属性)和第二属性(如rowneruuid属性)，所述客户端基于所述第一设备标识配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。In specific implementation, the client obtains the first device identifier of the first configuration device from the first configuration device, and the first device identifier is used to configure the first attribute of the second security resource (such as deviceowneruuid Attribute) and a second attribute (such as rowneruuid attribute), the client configures the first attribute and the second attribute of the second security resource based on the first device identifier, wherein the first attribute is used to indicate the device The owner identifier, the second attribute is used to indicate the resource owner identifier, the value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

进一步，可选地，所述客户端配置所述第二安全资源的第三属性(如owned属性)，其中，所述第三属性用于表示是否创建设备主人，所述第三属性的取值为第三取值(如owned属性)，所述第三取值用于表示已创建设备主人；所述客户端将所述至少一个第一安全资源的第三属性设置为所述第三取值(如owned属性)。Further, optionally, the client configures a third attribute (such as an owned attribute) of the second secure resource, where the third attribute is used to indicate whether to create a device owner, and the value of the third attribute Is the third value (such as the owned attribute), the third value is used to indicate that the device owner has been created; the client sets the third attribute of the at least one first secure resource to the third value (Such as the owned attribute).

具体实现时，所述客户端从所述第一配置设备获取所述第一配置设备的第一设备标识和凭证内容，所述第一设备标识和所述凭证内容用于配置所述第二安全资源的第四属性(如rowneruuid属性)和第五属性(如creds属性)；所述客户端基于所述第一设备标识和所述凭证内容配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。During specific implementation, the client obtains the first device identification and credential content of the first configuration device from the first configuration device, and the first device identification and the credential content are used to configure the second security The fourth attribute (such as rowneruuid attribute) and the fifth attribute (such as creds attribute) of the resource; the client configures the fourth and fifth attributes of the second secure resource based on the first device identifier and the content of the credential Attributes, wherein the fourth attribute is used to indicate a resource owner identifier, the fifth attribute is used to indicate voucher content, and the value of the fourth attribute is the first device identifier.

以下结合8对本申请实施例的技术进行举例说明，需要说明的是，图8中的方案是以扩展/doxm资源和/cred资源为例进行说明。The following describes the technology of the embodiment of the present application with reference to 8. It should be noted that the solution in FIG. 8 is described by using the expansion of the /doxm resource and the /cred resource as an example.

示例三：Example three:

在客户端的/oic/sec/pstat资源(简称/pstat资源)中增加一个provisionas属性，属性值为枚举类型，可选的属性值包括“移动的(mobile)”和“固定的(stationary)”。Add a provisionas attribute to the client's /oic/sec/pstat resource (/pstat resource for short), the attribute value is an enumeration type, and the optional attribute values include "mobile" and "stationary" .

此时，用户佩戴该手表进入了家庭3网络，家庭3网络的OBT配置该手表的流程如图8所示，其中，客户端代表手表，OBT代表家庭3网络的OBT，受控设备为家庭3网络中的设备。如图8所示，具体流程包括以下步骤：At this time, the user wears the watch and enters the home 3 network. The OBT of the home 3 network configures the watch as shown in Figure 8. The client represents the watch, OBT represents the OBT of the home 3 network, and the controlled device is the home 3 Devices in the network. As shown in Figure 8, the specific process includes the following steps:

步骤801：客户端进入配置状态(主人＝假)。Step 801: The client enters the configuration state (master=false).

步骤802：OBT进行设备发现。Step 802: OBT performs device discovery.

步骤803：OBT根据目标资源的目标属性查看设备角色。Step 803: The OBT checks the device role according to the target attribute of the target resource.

步骤804：OBT启动设备主导的配置。Step 804: OBT starts the device-led configuration.

具体地，OBT发现客户端支持设备主导的配置模式，发送以下消息(即触发信令，所述触发信令用于触发所述客户端启动设备主导配置)给客户端，以启动设备主导的配置：Specifically, OBT finds that the client supports the device-led configuration mode, and sends the following message (ie, trigger signaling, which is used to trigger the client to initiate the device-led configuration) to the client to start the device-led configuration :

步骤805：客户端查看doxm资源类型，得到/doxm资源、/doxm2资源。Step 805: The client checks the doxm resource type, and obtains the /doxm resource and the /doxm2 resource.

具体地，客户端查看自身的doxm资源类型(rt属性包含oic.r.doxm)，找到/oic/sec/doxm资源(简称/doxm资源)和/oic/sec/doxm2(简称/doxm2资源)。Specifically, the client checks its own doxm resource type (the rt attribute includes oic.r.doxm), and finds /oic/sec/doxm resources (abbreviated as /doxm resources) and /oic/sec/doxm2 (abbreviated as /doxm2 resources).

步骤806：客户端创建/doxm3资源。Step 806: The client creates a /doxm3 resource.

具体地，客户端创建以下新的资源/oic/sec/doxm3资源(简称/doxm3资源)：Specifically, the client creates the following new resource /oic/sec/doxm3 resource (/doxm3 resource for short):

其中，/doxm3资源的"oxms"、"oxmsel"、"sct"、"owned"和"deviceuuid"属性值根据客户端已有的/oic/sec/doxm资源的相应属性值进行确定。Among them, the "oxms", "oxmsel", "sct", "owned", and "deviceuuid" attribute values of the /doxm3 resource are determined according to the corresponding attribute values of the /oic/sec/doxm resource that the client has existing.

步骤807：客户端获取OBT的设备标识。Step 807: The client obtains the device identification of the OBT.

步骤808：客户端配置/doxm3资源。Step 808: The client configures the /doxm3 resource.

具体地，客户端将得到的OBT的设备标识配置到/oic/sec/doxm3资源的deviceowneruuid属性和rowneruuid属性。Specifically, the client configures the obtained device identifier of the OBT to the deviceowneruuid attribute and rowneruuid attribute of the /oic/sec/doxm3 resource.

步骤809：客户端将doxm3资源的主人属性设置为真(即主人＝真)，客户端同步doxm资源和doxm2资源的主人属性为真。Step 809: The client sets the master attribute of the doxm3 resource to true (ie, master=true), and the client synchronizes the master attribute of the doxm resource and the doxm2 resource to true.

步骤810：客户端查看cred类型资源，得到/cred资源、/cred2资源。Step 810: The client checks the cred type resource, and obtains the /cred resource and the /cred2 resource.

具体地，客户端查看自身的cred资源类型(rt属性包含oic.r.cred)，分别为/oic/sec/cred资源(简称/cred资源)和/oic/sec/cred2资源(简称/cred2资源)。Specifically, the client checks its own cred resource type (the rt attribute includes oic.r.cred), which are respectively /oic/sec/cred resource (abbreviated as /cred resource) and /oic/sec/cred2 resource (abbreviated as /cred2 resource) ).

步骤811：客户端创建/cred3资源。Step 811: The client creates a /cred3 resource.

具体地，客户端创建以下新的资源/oic/sec/cred3资源(简称/cred3资源)：Specifically, the client creates the following new resource /oic/sec/cred3 resource (/cred3 resource for short):

其rowneruuid属性设置为OBT的设备标识。Its rowneruuid attribute is set to the device identifier of OBT.

步骤812：客户端配置凭证到/cred3资源。Step 812: The client configures the credential to the /cred3 resource.

具体地，客户端向OBT获取用于P2P连接的pairwise安全凭证。客户端将pairwise安全凭证写入/oic/sec/cred3资源的creds属性。Specifically, the client obtains the pairwise security credential for the P2P connection from the OBT. The client writes the pairwise security credentials into the creds attribute of the /oic/sec/cred3 resource.

步骤813：OBT配置凭证。Step 813: OBT configures the credential.

步骤814：客户端与受控设备使用凭证进行通信。Step 814: The client communicates with the controlled device using the credential.

图9为本申请实施例提供的配置客户端的装置的结构组成示意图一，如图9所示，所述配置客户端的装置包括：FIG. 9 is a schematic diagram 1 of the structural composition of an apparatus for configuring a client provided by an embodiment of the application. As shown in FIG. 9, the apparatus for configuring a client includes:

发送单元901，用于向第一配置设备发送所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The sending unit 901 is configured to send the target attribute of the target resource of the client to the first configuration device, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

接收单元902，用于在所述客户端的设备角色为移动设备的情况下，接收所述第一配置设备发送的第一创建信令，基于所述第一创建信令在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；接收所述第一配置设备发送的第一配置信令，基于所述第一配置信令配置所述第二安全资源。The receiving unit 902 is configured to receive the first creation signaling sent by the first configuration device when the device role of the client is a mobile device, and create on the client based on the first creation signaling A second security resource, where the second security resource and the at least one first security resource belong to the same resource type; receiving the first configuration signaling sent by the first configuration device, and configuring the device based on the first configuration signaling The second security resource.

在一可选实施方式中，所述第二安全资源的第一部分属性基于所述至少一个第一安全资源中的其中一个第一安全资源确定；In an optional implementation manner, the first partial attribute of the second secure resource is determined based on one of the at least one first secure resource;

所述第二安全资源的第二部分属性基于所述第一配置信令确定。The second partial attribute of the second security resource is determined based on the first configuration signaling.

在一可选实施方式中，所述目标资源的目标属性的取值支持第一取值，所述第一取值用于表示设备角色为移动设备；或者，In an optional implementation manner, the value of the target attribute of the target resource supports a first value, and the first value is used to indicate that the device role is a mobile device; or,

所述目标资源的目标属性的取值支持第二取值，所述第二取值用于表示设备角色为固定设备。The value of the target attribute of the target resource supports a second value, and the second value is used to indicate that the device role is a fixed device.

在一可选实施方式中，所述装置还包括：In an optional embodiment, the device further includes:

处理单元(图中未示出)，用于检查所述客户端的目标资源的目标属性；所述目标属性的取值为所述第一取值的情况下，则所述客户端进入配置模式后，保留已存在的资源配置；或者，所述目标属性的取值为所述第二取值的情况下，则所述客户端进入配置模式后，删除已存在的资源配置。The processing unit (not shown in the figure) is used to check the target attribute of the target resource of the client; if the value of the target attribute is the first value, after the client enters the configuration mode , To retain the existing resource configuration; or, in the case where the value of the target attribute is the second value, after the client enters the configuration mode, the existing resource configuration is deleted.

在一可选实施方式中，所述接收单元902，用于接收所述第一配置设备发送的第一请求消息，所述第一请求消息用于请求所述客户端的目标资源的目标属性；In an optional implementation manner, the receiving unit 902 is configured to receive a first request message sent by the first configuration device, where the first request message is used to request a target attribute of a target resource of the client;

所述发送单元901，用于向所述第一配置设备发送第一响应消息，所述第一响应消息用于向所述第一配置设备通知所述客户端的目标资源的目标属性。The sending unit 901 is configured to send a first response message to the first configuration device, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

在一可选实施方式中，所述接收单元902，用于在所述客户端的设备角色为移动设备的情况下，接收所述第一配置设备发送的第二请求消息，所述第二请求消息用于请求所述客户端的资源内容；In an optional implementation manner, the receiving unit 902 is configured to receive a second request message sent by the first configuration device when the device role of the client is a mobile device, and the second request message For requesting the resource content of the client;

所述发送单元901，用于向所述第一配置设备发送所述客户端的资源内容，所述资源内容包括所述至少一个第一安全资源的标识和资源类型；The sending unit 901 is configured to send resource content of the client to the first configuration device, where the resource content includes the identifier and resource type of the at least one first secure resource;

所述接收单元902，用于接收所述第一配置设备发送的第一创建信令，所述第一创建信令用于创建所述第二安全资源。The receiving unit 902 is configured to receive first creation signaling sent by the first configuration device, where the first creation signaling is used to create the second security resource.

在一可选实施方式中，所述至少一个第一安全资源和所述第二安全资源均属于第一资源类型，所述第一资源类型为与主人相关的资源。In an optional implementation manner, the at least one first security resource and the second security resource both belong to a first resource type, and the first resource type is a resource related to the owner.

在一可选实施方式中，所述接收单元902，用于接收所述第一配置设备发送的第一配置信令，所述第一配置信令携带所述第一配置设备的第一设备标识；基于所述第一配置信令配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。In an optional implementation manner, the receiving unit 902 is configured to receive first configuration signaling sent by the first configuration device, where the first configuration signaling carries the first device identifier of the first configuration device ; Configure the first attribute and the second attribute of the second security resource based on the first configuration signaling, wherein the first attribute is used to indicate the device owner identification, and the second attribute is used to indicate the resource owner identification , The value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

在一可选实施方式中，所述接收单元902，用于接收所述第一配置设备发送的第二配置信令，基于所述第二配置信令配置所述第二安全资源的第三属性，其中，所述第三属性用于表示是否创建设备主人，所述第三属性的取值为第三取值，所述第三取值用于表示已创建设备主人；将所述至少一个第一安全资源的第三属性设置为所述第三取值。In an optional implementation manner, the receiving unit 902 is configured to receive second configuration signaling sent by the first configuration device, and configure the third attribute of the second security resource based on the second configuration signaling , Wherein the third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created; The third attribute of a secure resource is set to the third value.

在一可选实施方式中，所述至少一个第一安全资源和所述第二安全资源均属于第二资源类型，所述第二资源类型为与凭证相关的资源。In an optional implementation manner, the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is a resource related to a credential.

在一可选实施方式中，所述接收单元902，用于接收所述第一配置设备发送的第一配置信令，所述第一配置信令携带所述第一配置设备的第一设备标识和凭证内容；基于所述第一配置信令配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。In an optional implementation manner, the receiving unit 902 is configured to receive first configuration signaling sent by the first configuration device, where the first configuration signaling carries the first device identifier of the first configuration device And voucher content; configure the fourth attribute and the fifth attribute of the second security resource based on the first configuration signaling, wherein the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to indicate Voucher content, the value of the fourth attribute is the first device identifier.

本领域技术人员应当理解，本申请实施例的上述配置客户端的装置的相关描述可以参照本申请实施例的配置客户端的方法的相关描述进行理解。Those skilled in the art should understand that the relevant description of the foregoing apparatus for configuring the client in the embodiment of the present application can be understood with reference to the relevant description of the method for configuring the client in the embodiment of the present application.

图10为本申请实施例提供的配置客户端的装置的结构组成示意图二，如图10所示，所述配置客户端的装置包括：FIG. 10 is a schematic diagram 2 of the structural composition of the apparatus for configuring a client provided by an embodiment of the application. As shown in FIG. 10, the apparatus for configuring a client includes:

发送单元1001，用于向第一配置设备发送所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The sending unit 1001 is configured to send a target attribute of a target resource of the client to a first configuration device, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first security resource;

接收单元1002，用于在所述客户端的设备角色为移动设备的情况下，接收所述第一配置设备发送的触发信令，所述触发信令用于触发所述客户端启动设备主导配置；The receiving unit 1002 is configured to receive trigger signaling sent by the first configuration device when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to initiate device-led configuration;

创建单元1003，用于在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；The creating unit 1003 is configured to create a second secure resource on the client, where the second secure resource and the at least one first secure resource belong to the same resource type;

获取单元1004，用于从所述第一配置设备获取配置参数，基于所述配置参数配置所述第二安全资源。The obtaining unit 1004 is configured to obtain configuration parameters from the first configuration device, and configure the second security resource based on the configuration parameters.

所述第二安全资源的第二部分属性基于所述配置参数确定。The second partial attribute of the second security resource is determined based on the configuration parameter.

在一可选实施方式中，所述接收单元1002，用于接收所述第一配置设备发送的第一请求消息，所述第一请求消息用于请求所述客户端的目标资源的目标属性；In an optional implementation manner, the receiving unit 1002 is configured to receive a first request message sent by the first configuration device, where the first request message is used to request a target attribute of a target resource of the client;

所述发送单元1001，用于向所述第一配置设备发送第一响应消息，所述第一响应消息用于向所述第一配置设备通知所述客户端的目标资源的目标属性。The sending unit 1001 is configured to send a first response message to the first configuration device, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

在一可选实施方式中，所述获取单元1004，用于从所述第一配置设备获取所述第一配置设备的第一设备标识，基于所述第一设备标识配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。In an optional implementation manner, the obtaining unit 1004 is configured to obtain a first device identifier of the first configuration device from the first configuration device, and configure the second security resource based on the first device identifier The first attribute and the second attribute of, wherein the first attribute is used to represent the device owner identification, the second attribute is used to represent the resource owner identification, and the value of the first attribute is the first device identification , The value of the second attribute is the first device identifier.

配置单元(图中未示出)，用于配置所述第二安全资源的第三属性，其中，所述第三属性用于表示是否创建设备主人，所述第三属性的取值为第三取值，所述第三取值用于表示已创建设备主人；将所述至少一个第一安全资源的第三属性设置为所述第三取值。The configuration unit (not shown in the figure) is used to configure the third attribute of the second security resource, where the third attribute is used to indicate whether to create a device owner, and the value of the third attribute is third The third value is used to indicate that the device owner has been created; the third attribute of the at least one first secure resource is set to the third value.

在一可选实施方式中，所述获取单元1004，用于从所述第一配置设备获取所述第一配置设备的第一设备标识和凭证内容；基于所述第一设备标识和所述凭证内容配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。In an optional implementation manner, the acquiring unit 1004 is configured to acquire the first device identification and credential content of the first configuration device from the first configuration device; based on the first device identification and the credential The content configures the fourth attribute and the fifth attribute of the second security resource, where the fourth attribute is used to indicate the resource owner identifier, the fifth attribute is used to indicate the content of the voucher, and the value of the fourth attribute Is the first device identifier.

图11为本申请实施例提供的配置客户端的装置的结构组成示意图三，如图11所示，所述配置客户端的装置包括：FIG. 11 is a schematic diagram 3 of the structural composition of an apparatus for configuring a client provided by an embodiment of the application. As shown in FIG. 11, the apparatus for configuring a client includes:

接收单元1101，用于接收客户端发送的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The receiving unit 1101 is configured to receive a target attribute of a target resource sent by a client, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first secure resource;

发送单元1102，用于在所述客户端的设备角色为移动设备的情况下，向所述客户端发送第一创建信令，所述第一创建信令用于指示在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；向所述客户端发送第一配置信令，所述第一配置信令用于配置所述第二安全资源。The sending unit 1102 is configured to send a first creation signaling to the client when the device role of the client is a mobile device, where the first creation signaling is used to instruct to create a second creation on the client Two security resources, the second security resource and the at least one first security resource belong to the same resource type; sending a first configuration signaling to the client, and the first configuration signaling is used to configure the second Security resources.

在一可选实施方式中，所述发送单元1102，用于向所述客户端发送第一请求消息，所述第一请求消息用于请求所述客户端的目标资源的目标属性；In an optional implementation manner, the sending unit 1102 is configured to send a first request message to the client, where the first request message is used to request a target attribute of a target resource of the client;

所述接收单元1101，用于接收所述客户端发送的第一响应消息，所述第一响应消息用于向所述第一配置设备通知所述客户端的目标资源的目标属性。The receiving unit 1101 is configured to receive a first response message sent by the client, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

在一可选实施方式中，所述发送单元1102，用于在所述客户端的设备角色为移动设备的情况下，向所述客户端发送第二请求消息，所述第二请求消息用于请求所述客户端的资源内容；In an optional implementation manner, the sending unit 1102 is configured to send a second request message to the client when the device role of the client is a mobile device, and the second request message is used to request The resource content of the client;

所述接收单元1101，用于接收所述客户端发送的所述客户端的资源内容，所述资源内容包括所述至少一个第一安全资源的标识和资源类型；The receiving unit 1101 is configured to receive resource content of the client sent by the client, where the resource content includes the identifier and resource type of the at least one first secure resource;

所述发送单元1102，用于向所述客户端发送第一创建信令，所述第一创建信令用于创建所述第二安全资源。The sending unit 1102 is configured to send first creation signaling to the client, where the first creation signaling is used to create the second security resource.

在一可选实施方式中，所述第一配置信令携带所述第一配置设备的第一设备标识；In an optional implementation manner, the first configuration signaling carries a first device identifier of the first configuration device;

所述第一配置信令用于配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。The first configuration signaling is used to configure the first attribute and the second attribute of the second security resource, where the first attribute is used to indicate the device owner identification, and the second attribute is used to indicate the resource owner identification , The value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

在一可选实施方式中，所述发送单元1102，用于向所述客户端发送第二配置信令，所述第二配置信令用于配置所述第二安全资源的第三属性，其中，所述第三属性用于表示是否创建设备主人，所述第三属性的取值为第三取值，所述第三取值用于表示已创建设备主人。In an optional implementation manner, the sending unit 1102 is configured to send second configuration signaling to the client, and the second configuration signaling is used to configure a third attribute of the second security resource, where The third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created.

在一可选实施方式中，所述第一配置信令携带所述第一配置设备的第一设备标识和凭证内容；In an optional implementation manner, the first configuration signaling carries the first device identifier and credential content of the first configuration device;

所述第一配置信令用于配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。The first configuration signaling is used to configure the fourth attribute and the fifth attribute of the second security resource, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to indicate the content of the credential, The value of the fourth attribute is the first device identifier.

图12为本申请实施例提供的配置客户端的装置的结构组成示意图四，如图12所示，所述配置客户端的装置包括：FIG. 12 is a schematic diagram 4 of the structural composition of the apparatus for configuring a client provided by an embodiment of the application. As shown in FIG. 12, the apparatus for configuring a client includes:

接收单元1201，用于接收客户端发送的所述客户端的目标资源的目标属性，所述目标属性用于表示所述客户端的设备角色；其中，所述客户端具有至少一个第一安全资源；The receiving unit 1201 is configured to receive the target attribute of the target resource of the client sent by the client, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first secure resource;

发送单元1202，用于在所述客户端的设备角色为移动设备的情况下，向所述客户端发送触发信令，所述触发信令用于触发所述客户端在所述客户端上创建第二安全资源，所述第二安全资源与所述至少一个第一安全资源属于同一资源类型；向所述客户端发送配置参数，所述配置参数用于所述客户端配置所述第二安全资源。The sending unit 1202 is configured to send trigger signaling to the client when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to create a second session on the client. Two security resources, the second security resource and the at least one first security resource belong to the same resource type; sending configuration parameters to the client, the configuration parameters being used by the client to configure the second security resource .

在一可选实施方式中，所述发送单元1202，用于向所述客户端发送第一请求消息，所述第一请求消息用于请求所述客户端的目标资源的目标属性；In an optional implementation manner, the sending unit 1202 is configured to send a first request message to the client, where the first request message is used to request a target attribute of a target resource of the client;

所述接收单元1201，用于接收所述客户端发送的第一响应消息，所述第一响应消息用于向所述第一配置设备通知所述客户端的目标资源的目标属性。The receiving unit 1201 is configured to receive a first response message sent by the client, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

在一可选实施方式中，所述配置参数包括所述第一配置设备的第一设备标识；In an optional implementation manner, the configuration parameter includes a first device identifier of the first configuration device;

所述第一设备标识用于配置所述第二安全资源的第一属性和第二属性，其中，所述第一属性用于表示设备主人标识，所述第二属性用于表示资源主人标识，所述第一属性的取值为所述第一设备标识，所述第二属性的取值为所述第一设备标识。The first device identifier is used to configure the first attribute and the second attribute of the second secure resource, where the first attribute is used to indicate the device owner identifier, and the second attribute is used to indicate the resource owner identifier, The value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

在一可选实施方式中，所述配置参数包括所述第一配置设备的第一设备标识和凭证内容；In an optional implementation manner, the configuration parameters include a first device identifier and credential content of the first configuration device;

所述第一设备标识和所述凭证内容用于配置所述第二安全资源的第四属性和第五属性，其中，所述第四属性用于表示资源主人标识，所述第五属性用于表示凭证内容，所述第四属性的取值为所述第一设备标识。The first device identifier and the credential content are used to configure the fourth attribute and the fifth attribute of the second secure resource, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to Indicates the content of the voucher, and the value of the fourth attribute is the first device identifier.

图13是本申请实施例提供的一种通信设备1300示意性结构图。该通信设备可以是终端设备或者客户端，图13所示的通信设备1300包括处理器1310，处理器1310可以从存储器中调用并运行计算机程序，以实现本申请实施例中的方法。FIG. 13 is a schematic structural diagram of a communication device 1300 according to an embodiment of the present application. The communication device may be a terminal device or a client. The communication device 1300 shown in FIG. 13 includes a processor 1310, and the processor 1310 can call and run a computer program from a memory to implement the method in the embodiment of the present application.

可选地，如图13所示，通信设备1300还可以包括存储器1320。其中，处理器1310可以从存储器1320中调用并运行计算机程序，以实现本申请实施例中的方法。Optionally, as shown in FIG. 13, the communication device 1300 may further include a memory 1320. The processor 1310 may call and run a computer program from the memory 1320 to implement the method in the embodiment of the present application.

其中，存储器1320可以是独立于处理器1310的一个单独的器件，也可以集成在处理器1310中。The memory 1320 may be a separate device independent of the processor 1310, or may be integrated in the processor 1310.

可选地，如图13所示，通信设备1300还可以包括收发器1330，处理器1310可以控制该收发器1330与其他设备进行通信，具体地，可以向其他设备发送信息或数据，或接收其他设备发送的信息或数据。Optionally, as shown in FIG. 13, the communication device 1300 may further include a transceiver 1330, and the processor 1310 may control the transceiver 1330 to communicate with other devices. Specifically, it may send information or data to other devices, or receive other devices. Information or data sent by the device.

其中，收发器1330可以包括发射机和接收机。收发器1330还可以进一步包括天线，天线的数量可以为一个或多个。Among them, the transceiver 1330 may include a transmitter and a receiver. The transceiver 1330 may further include an antenna, and the number of antennas may be one or more.

可选地，该通信设备1300具体可为本申请实施例的网络设备，并且该通信设备1300可以实现本申请实施例的各个方法中由网络设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the communication device 1300 may specifically be a network device of an embodiment of the application, and the communication device 1300 may implement the corresponding process implemented by the network device in each method of the embodiment of the application. For brevity, details are not repeated here. .

可选地，该通信设备1300具体可为本申请实施例的移动终端/终端设备，并且该通信设备1300可以实现本申请实施例的各个方法中由移动终端/终端设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the communication device 1300 may specifically be a mobile terminal/terminal device of an embodiment of the present application, and the communication device 1300 may implement the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity , I won’t repeat it here.

图14是本申请实施例的芯片的示意性结构图。图14所示的芯片1400包括处理器1410，处理器1410可以从存储器中调用并运行计算机程序，以实现本申请实施例中的方法。FIG. 14 is a schematic structural diagram of a chip of an embodiment of the present application. The chip 1400 shown in FIG. 14 includes a processor 1410, and the processor 1410 can call and run a computer program from the memory to implement the method in the embodiment of the present application.

可选地，如图14所示，芯片1400还可以包括存储器1420。其中，处理器1410可以从存储器1420中调用并运行计算机程序，以实现本申请实施例中的方法。Optionally, as shown in FIG. 14, the chip 1400 may further include a memory 1420. The processor 1410 can call and run a computer program from the memory 1420 to implement the method in the embodiment of the present application.

其中，存储器1420可以是独立于处理器1410的一个单独的器件，也可以集成在处理器1410中。The memory 1420 may be a separate device independent of the processor 1410, or may be integrated in the processor 1410.

可选地，该芯片1400还可以包括输入接口1430。其中，处理器1410可以控制该输入接口1430与其他设备或芯片进行通信，具体地，可以获取其他设备或芯片发送的信息或数据。Optionally, the chip 1400 may further include an input interface 1430. The processor 1410 can control the input interface 1430 to communicate with other devices or chips, and specifically, can obtain information or data sent by other devices or chips.

可选地，该芯片1400还可以包括输出接口1440。其中，处理器1410可以控制该输出接口1440与其他设备或芯片进行通信，具体地，可以向其他设备或芯片输出信息或数据。Optionally, the chip 1400 may further include an output interface 1440. The processor 1410 can control the output interface 1440 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.

可选地，该芯片可应用于本申请实施例中的网络设备，并且该芯片可以实现本申请实施例的各个方法中由网络设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the chip can be applied to the network device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the network device in each method of the embodiment of the present application. For the sake of brevity, details are not described herein again.

可选地，该芯片可应用于本申请实施例中的移动终端/终端设备，并且该芯片可以实现本申请实施例的各个方法中由移动终端/终端设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the chip can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the chip can implement the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application. For the sake of brevity, here No longer.

应理解，本申请实施例提到的芯片还可以称为系统级芯片，系统芯片，芯片系统或片上系统芯片等。It should be understood that the chip mentioned in the embodiment of the present application may also be referred to as a system-level chip, a system-on-chip, a system-on-chip, or a system-on-chip.

图15是本申请实施例提供的一种通信系统1500的示意性框图。如图15所示，该通信系统1500包括终端设备1510和网络设备1520。FIG. 15 is a schematic block diagram of a communication system 1500 according to an embodiment of the present application. As shown in FIG. 15, the communication system 1500 includes a terminal device 1510 and a network device 1520.

其中，该终端设备1510可以用于实现上述方法中由终端设备实现的相应的功能，以及该网络设备1520可以用于实现上述方法中由网络设备实现的相应的功能为了简洁，在此不再赘述。Wherein, the terminal device 1510 can be used to implement the corresponding function implemented by the terminal device in the above method, and the network device 1520 can be used to implement the corresponding function implemented by the network device in the above method. For brevity, it will not be repeated here. .

应理解，本申请实施例的处理器可能是一种集成电路芯片，具有信号的处理能力。在实现过程中，上述方法实施例的各步骤可以通过处理器中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器可以是通用处理器、数字信号处理器(Digital Signal Processor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、现成可编程门阵列(Field Programmable Gate Array，FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成，或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器，闪存、只读存储器，可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器，处理器读取存储器中的信息，结合其硬件完成上述方法的步骤。It should be understood that the processor of the embodiment of the present application may be an integrated circuit chip with signal processing capability. In the implementation process, the steps of the foregoing method embodiments can be completed by hardware integrated logic circuits in the processor or instructions in the form of software. The above-mentioned processor may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (ASIC), a ready-made programmable gate array (Field Programmable Gate Array, FPGA) or other Programming logic devices, discrete gates or transistor logic devices, discrete hardware components. The methods, steps, and logical block diagrams disclosed in the embodiments of the present application can be implemented or executed. The general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor. The software module can be located in a mature storage medium in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, or electrically erasable programmable memory, registers. The storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.

可以理解，本申请实施例中的存储器可以是易失性存储器或非易失性存储器，或可包括易失性和非易失性存储器两者。其中，非易失性存储器可以是只读存储器(Read-Only Memory，ROM)、可编程只读存储器(Programmable ROM，PROM)、可擦除可编程只读存储器(Erasable PROM，EPROM)、电可擦除可编程只读存储器(Electrically EPROM，EEPROM)或闪存。易失性存储器可以是随机存取存储器(Random Access Memory，RAM)，其用作外部高速缓存。通过示例性但不是限制性说明，许多形式的RAM可用，例如静态随机存取存储器(Static RAM，SRAM)、动态随机存取存储器(Dynamic RAM，DRAM)、同步动态随机存取存储器(Synchronous DRAM，SDRAM)、双倍数据速率同步动态随机存取存储器(Double Data Rate SDRAM，DDR SDRAM)、增强型同步动态随机存取存储器(Enhanced SDRAM，ESDRAM)、同步连接动态随机存取存储器(Synchlink DRAM，SLDRAM)和直接内存总线随机存取存储器(Direct Rambus RAM，DR RAM)。应注意，本文描述的系统和方法的存储器旨在包括但不限于这些和任意其它适合类型的存储器。It can be understood that the memory in the embodiments of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. Among them, the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), and electrically available Erase programmable read-only memory (Electrically EPROM, EEPROM) or flash memory. The volatile memory may be random access memory (Random Access Memory, RAM), which is used as an external cache. By way of exemplary but not restrictive description, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (Double Data Rate SDRAM, DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (Enhanced SDRAM, ESDRAM), Synchronous Link Dynamic Random Access Memory (Synchlink DRAM, SLDRAM) ) And Direct Rambus RAM (DR RAM). It should be noted that the memories of the systems and methods described herein are intended to include, but are not limited to, these and any other suitable types of memories.

应理解，上述存储器为示例性但不是限制性说明，例如，本申请实施例中的存储器还可以是静态随机存取存储器(static RAM，SRAM)、动态随机存取存储器(dynamic RAM，DRAM)、同步动态随机存取存储器(synchronous DRAM，SDRAM)、双倍数据速率同步动态随机存取存储器(double data rate SDRAM，DDR SDRAM)、增强型同步动态随机存取存储器(enhanced SDRAM，ESDRAM)、同步连接动态随机存取存储器(synch link DRAM，SLDRAM)以及直接内存总线随机存取存储器(Direct Rambus RAM，DR RAM)等等。也就是说，本申请实施例中的存储器旨在包括但不限于这些和任意其它适合类型的存储器。It should be understood that the foregoing memory is exemplary but not restrictive. For example, the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), Synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous connection Dynamic random access memory (synch link DRAM, SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DR RAM) and so on. That is to say, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.

本申请实施例还提供了一种计算机可读存储介质，用于存储计算机程序。The embodiment of the present application also provides a computer-readable storage medium for storing computer programs.

可选的，该计算机可读存储介质可应用于本申请实施例中的网络设备，并且该计算机程序使得计算机执行本申请实施例的各个方法中由网络设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer-readable storage medium may be applied to the network device in the embodiment of the present application, and the computer program causes the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application. For the sake of brevity, here No longer.

可选地，该计算机可读存储介质可应用于本申请实施例中的移动终端/终端设备，并且该计算机程序使得计算机执行本申请实施例的各个方法中由移动终端/终端设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer-readable storage medium can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program causes the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application , For the sake of brevity, I won’t repeat it here.

本申请实施例还提供了一种计算机程序产品，包括计算机程序指令。The embodiments of the present application also provide a computer program product, including computer program instructions.

可选的，该计算机程序产品可应用于本申请实施例中的网络设备，并且该计算机程序指令使得计算机执行本申请实施例的各个方法中由网络设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer program product can be applied to the network device in the embodiment of the present application, and the computer program instructions cause the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application. For the sake of brevity, it is not here Go into details again.

可选地，该计算机程序产品可应用于本申请实施例中的移动终端/终端设备，并且该计算机程序指令使得计算机执行本申请实施例的各个方法中由移动终端/终端设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer program product can be applied to the mobile terminal/terminal device in the embodiment of the present application, and the computer program instructions cause the computer to execute the corresponding process implemented by the mobile terminal/terminal device in each method of the embodiment of the present application, For the sake of brevity, I will not repeat them here.

本申请实施例还提供了一种计算机程序。The embodiment of the present application also provides a computer program.

可选的，该计算机程序可应用于本申请实施例中的网络设备，当该计算机程序在计算机上运行时，使得计算机执行本申请实施例的各个方法中由网络设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer program can be applied to the network device in the embodiment of the present application. When the computer program runs on the computer, it causes the computer to execute the corresponding process implemented by the network device in each method of the embodiment of the present application. For the sake of brevity , I won’t repeat it here.

可选地，该计算机程序可应用于本申请实施例中的移动终端/终端设备，当该计算机程序在计算机上运行时，使得计算机执行本申请实施例的各个方法中由移动终端/终端设备实现的相应流程，为了简洁，在此不再赘述。Optionally, the computer program can be applied to the mobile terminal/terminal device in the embodiment of the present application. When the computer program runs on the computer, the computer executes each method in the embodiment of the present application. For the sake of brevity, the corresponding process will not be repeated here.

本领域普通技术人员可以意识到，结合本文中所公开的实施例描述的各示例的单元及算法步骤，能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行，取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能，但是这种实现不应认为超出本申请的范围。A person of ordinary skill in the art may realize that the units and algorithm steps of the examples described in combination with the embodiments disclosed herein can be implemented by electronic hardware or a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.

所属领域的技术人员可以清楚地了解到，为描述的方便和简洁，上述描述的系统、装置和单元的具体工作过程，可以参考前述方法实施例中的对应过程，在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and conciseness of description, the specific working process of the system, device and unit described above can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.

在本申请所提供的几个实施例中，应该理解到，所揭露的系统、装置和方法，可以通过其它的方式实现。例如，以上所描述的装置实施例仅仅是示意性的，例如，所述单元的划分，仅仅为一种逻辑功能划分，实际实现时可以有另外的划分方式，例如多个单元或组件可以结合或者可以集成到另一个系统，或一些特征可以忽略，或不执行。另一点，所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口，装置或单元的间接耦合或通信连接，可以是电性，机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative, for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or It can be integrated into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.

所述作为分离部件说明的单元可以是或者也可以不是物理上分开的，作为单元显示的部件可以是或者也可以不是物理单元，即可以位于一个地方，或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

另外，在本申请各个实施例中的各功能单元可以集成在一个处理单元中，也可以是各个单元单独物理存在，也可以两个或两个以上单元集成在一个单元中。In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.

所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时，可以存储在一个计算机可读取存储介质中。基于这样的理解，本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来，该计算机软件产品存储在一个存储介质中，包括若干指令用以使得一台计算机设备(可以是个人计算机，服务器，或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括：U盘、移动硬盘、只读存储器(Read-Only Memory，)ROM、随机存取存储器(Random Access Memory，RAM)、磁碟或者光盘等各种可以存储程序代码的介质。If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present application essentially or the part that contributes to the existing technology or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory,) ROM, random access memory (Random Access Memory, RAM), magnetic disks or optical disks and other media that can store program codes. .

以上所述，仅为本申请的具体实施方式，但本申请的保护范围并不局限于此，任何熟悉本技术领域的技术人员在本申请揭露的技术范围内，可轻易想到变化或替换，都应涵盖在本申请的保护范围之内。因此，本申请的保护范围应所述以权利要求的保护范围为准。The above are only specific implementations of this application, but the protection scope of this application is not limited to this. Any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in this application. Should be covered within the scope of protection of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims

A method for configuring a client, the method comprising:

The client sends the target attribute of the target resource of the client to the first configuration device, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

When the device role of the client is a mobile device, the client receives the first creation signaling sent by the first configuration device, and creates a second security on the client based on the first creation signaling. Resource, the second security resource and the at least one first security resource belong to the same resource type;

The client receives the first configuration signaling sent by the first configuration device, and configures the second security resource based on the first configuration signaling.

The method of claim 1, wherein:

The first partial attribute of the second secure resource is determined based on one of the at least one first secure resource;

The second partial attribute of the second security resource is determined based on the first configuration signaling.

The method of claim 1 or 2, wherein:

The value of the target attribute of the target resource supports a first value, and the first value is used to indicate that the device role is a mobile device; or,

The value of the target attribute of the target resource supports a second value, and the second value is used to indicate that the device role is a fixed device.

The method according to claim 3, wherein the method further comprises:

The client checks the target attribute of the target resource of the client;

In the case where the value of the target attribute is the first value, after the client enters the configuration mode, the existing resource configuration is retained; or,

In a case where the value of the target attribute is the second value, after the client enters the configuration mode, the existing resource configuration is deleted.

The method according to any one of claims 1 to 4, wherein the client sending the target attribute of the target resource of the client to the first configuration device comprises:

Receiving, by the client, a first request message sent by the first configuration device, where the first request message is used to request a target attribute of a target resource of the client;

The client sends a first response message to the first configuration device, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

The method according to any one of claims 1 to 5, wherein when the device role of the client is a mobile device, the client receiving the first creation signaling sent by the first configuration device includes :

When the device role of the client is a mobile device, the client receives a second request message sent by the first configuration device, and the second request message is used to request resource content of the client;

Sending, by the client, the resource content of the client to the first configuration device, the resource content including the identifier and resource type of the at least one first secure resource;

The client receives the first creation signaling sent by the first configuration device, where the first creation signaling is used to create the second security resource.

The method according to any one of claims 1 to 6, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The method according to claim 7, wherein the client receiving the first configuration signaling sent by the first configuration device, and configuring the second security resource based on the first configuration signaling comprises:

Receiving, by the client, first configuration signaling sent by the first configuration device, where the first configuration signaling carries a first device identifier of the first configuration device;

The client configures the first attribute and the second attribute of the second security resource based on the first configuration signaling, where the first attribute is used to indicate the device owner identifier, and the second attribute is used to indicate The resource owner identifier, the value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

The method according to claim 8, wherein the method further comprises:

The client receives the second configuration signaling sent by the first configuration device, and configures the third attribute of the second security resource based on the second configuration signaling, where the third attribute is used to indicate whether Creating a device owner, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created;

The client sets the third attribute of the at least one first secure resource to the third value.

The method according to any one of claims 1 to 6, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is related to a credential Resources.

The method according to claim 10, wherein the client receiving the first configuration signaling sent by the first configuration device, and configuring the second security resource based on the first configuration signaling comprises:

Receiving, by the client, first configuration signaling sent by the first configuration device, where the first configuration signaling carries the first device identifier and credential content of the first configuration device;

The client configures the fourth attribute and the fifth attribute of the second security resource based on the first configuration signaling, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to indicate Voucher content, the value of the fourth attribute is the first device identifier.

A method for configuring a client, the method comprising:

When the device role of the client is a mobile device, the client receives trigger signaling sent by the first configuration device, and the trigger signaling is used to trigger the client to initiate device-led configuration;

Creating a second secure resource on the client by the client, where the second secure resource and the at least one first secure resource belong to the same resource type;

The client obtains configuration parameters from the first configuration device, and configures the second security resource based on the configuration parameters.

The method of claim 12, wherein:

The second partial attribute of the second security resource is determined based on the configuration parameter.

The method according to claim 12 or 13, wherein:

The method according to claim 14, wherein the method further comprises:

The client checks the target attribute of the target resource of the client;

The method according to any one of claims 12 to 15, wherein the client sending the target attribute of the target resource of the client to the first configuration device comprises:

The method according to any one of claims 12 to 16, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The method according to claim 17, wherein the client obtaining configuration parameters from the first configuration device, and configuring the second security resource based on the configuration parameters comprises:

The client obtains the first device identifier of the first configuration device from the first configuration device, and configures the first attribute and the second attribute of the second security resource based on the first device identifier, where all The first attribute is used to indicate the device owner identification, the second attribute is used to indicate the resource owner identification, the value of the first attribute is the first device identification, and the value of the second attribute is the The first device identification.

The method according to claim 18, wherein the method further comprises:

The client configures a third attribute of the second secure resource, where the third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third attribute is Value is used to indicate the owner of the created device;

The method according to any one of claims 12 to 16, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is credential-related Resources.

The method according to claim 20, wherein the client obtaining configuration parameters from the first configuration device, and configuring the second security resource based on the configuration parameters comprises:

Acquiring, by the client, the first device identification and credential content of the first configuration device from the first configuration device;

The client configures the fourth attribute and the fifth attribute of the second secure resource based on the first device identifier and the credential content, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute The attribute is used to indicate the content of the voucher, and the value of the fourth attribute is the first device identifier.

A method for configuring a client, the method comprising:

The first configuration device receives the target attribute of the target resource sent by the client, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first secure resource;

When the device role of the client is a mobile device, the first configuration device sends a first creation signaling to the client, and the first creation signaling is used to instruct to create a second creation on the client. A security resource, where the second security resource and the at least one first security resource belong to the same resource type;

The first configuration device sends a first configuration signaling to the client, where the first configuration signaling is used to configure the second security resource.

The method of claim 22, wherein:

The method according to claim 22 or 23, wherein:

The method according to any one of claims 22 to 24, wherein the first configuration device receiving the target attribute of the target resource sent by the client includes:

Sending, by the first configuration device, a first request message to the client, where the first request message is used to request the target attribute of the target resource of the client;

The first configuration device receives a first response message sent by the client, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

The method according to any one of claims 22 to 25, wherein when the device role of the client is a mobile device, the first configuration device sending the first creation signaling to the client includes:

When the device role of the client is a mobile device, the first configuration device sends a second request message to the client, and the second request message is used to request resource content of the client;

Receiving, by the first configuration device, resource content of the client sent by the client, the resource content including the identifier and resource type of the at least one first secure resource;

The first configuration device sends a first creation signaling to the client, where the first creation signaling is used to create the second security resource.

The method according to any one of claims 22 to 26, wherein the at least one first security resource and the second security resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The method according to claim 27, wherein the first configuration signaling carries a first device identifier of the first configuration device;

The first configuration signaling is used to configure the first attribute and the second attribute of the second security resource, where the first attribute is used to indicate the device owner identification, and the second attribute is used to indicate the resource owner identification , The value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

The method of claim 28, wherein the method further comprises:

The first configuration device sends second configuration signaling to the client, where the second configuration signaling is used to configure a third attribute of the second security resource, where the third attribute is used to indicate whether A device owner is created, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created.

The method according to any one of claims 22 to 26, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is credential-related Resources.

The method according to claim 30, wherein the first configuration signaling carries the first device identification and credential content of the first configuration device;

The first configuration signaling is used to configure the fourth attribute and the fifth attribute of the second security resource, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to indicate the content of the credential, The value of the fourth attribute is the first device identifier.

A method for configuring a client, the method comprising:

The first configuration device receives the target attribute of the target resource of the client sent by the client, where the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

When the device role of the client is a mobile device, the first configuration device sends trigger signaling to the client, and the trigger signaling is used to trigger the client to create a second configuration on the client. A security resource, where the second security resource and the at least one first security resource belong to the same resource type;

The first configuration device sends configuration parameters to the client, where the configuration parameters are used by the client to configure the second security resource.

The method of claim 32, wherein:

The first partial attribute of the second security resource is determined based on one of the at least one first security resource;

The method according to claim 32 or 33, wherein:

The method according to any one of claims 32 to 34, wherein the first configuration device receiving the target attribute of the target resource sent by the client includes:

The method according to any one of claims 32 to 35, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The method of claim 36, wherein the configuration parameter includes a first device identifier of the first configuration device;

The first device identifier is used to configure the first attribute and the second attribute of the second secure resource, where the first attribute is used to indicate the device owner identifier, and the second attribute is used to indicate the resource owner identifier, The value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

The method according to any one of claims 32 to 35, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is credential-related Resources.

The method according to claim 38, wherein the configuration parameters include a first device identification and credential content of the first configuration device;

The first device identifier and the credential content are used to configure the fourth attribute and the fifth attribute of the second secure resource, where the fourth attribute is used to indicate the resource owner identifier, and the fifth attribute is used to Indicates the content of the voucher, and the value of the fourth attribute is the first device identifier.

A device for configuring a client, the device comprising:

A sending unit, configured to send a target attribute of a target resource of the client to the first configuration device, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first security resource;

The receiving unit is configured to receive the first creation signaling sent by the first configuration device when the device role of the client is a mobile device, and create a first creation signaling on the client based on the first creation signaling. Two security resources, the second security resource and the at least one first security resource belong to the same resource type; receiving the first configuration signaling sent by the first configuration device, and configuring the first configuration signaling based on the first configuration signaling The second security resource.

The device of claim 40, wherein:

The device according to claim 40 or 41, wherein:

The device according to claim 42, wherein the device further comprises:

The processing unit is configured to check the target attribute of the target resource of the client; if the value of the target attribute is the first value, after the client enters the configuration mode, the existing resource configuration is retained Or, in the case where the value of the target attribute is the second value, after the client enters the configuration mode, the existing resource configuration is deleted.

The apparatus according to any one of claims 40 to 43, wherein the receiving unit is configured to receive a first request message sent by the first configuration device, and the first request message is used to request the client The target attribute of the target resource at the end;

The sending unit is configured to send a first response message to the first configuration device, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

The apparatus according to any one of claims 40 to 44, wherein the receiving unit is configured to receive a second request sent by the first configuration device when the device role of the client is a mobile device Message, the second request message is used to request resource content of the client;

The sending unit is configured to send resource content of the client to the first configuration device, where the resource content includes the identifier and resource type of the at least one first secure resource;

The receiving unit is configured to receive first creation signaling sent by the first configuration device, where the first creation signaling is used to create the second security resource.

The device according to any one of claims 40 to 45, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The apparatus according to claim 46, wherein the receiving unit is configured to receive a first configuration signaling sent by the first configuration device, and the first configuration signaling carries a first configuration signal of the first configuration device. Device identification; configure the first attribute and the second attribute of the second security resource based on the first configuration signaling, wherein the first attribute is used to indicate the device owner identification, and the second attribute is used to indicate the resource The owner identifier, the value of the first attribute is the first device identifier, and the value of the second attribute is the first device identifier.

The apparatus according to claim 47, wherein the receiving unit is configured to receive the second configuration signaling sent by the first configuration device, and configure the second configuration signaling of the second security resource based on the second configuration signaling. Three attributes, where the third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created; The third attribute of a first security resource is set to the third value.

The device according to any one of claims 40 to 45, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is related to a credential Resources.

The apparatus according to claim 49, wherein the receiving unit is configured to receive a first configuration signaling sent by the first configuration device, and the first configuration signaling carries a first configuration signal of the first configuration device. Device identification and credential content; configure the fourth attribute and the fifth attribute of the second security resource based on the first configuration signaling, where the fourth attribute is used to indicate the resource owner identification, and the fifth attribute is used To indicate the content of the voucher, the value of the fourth attribute is the first device identifier.

A device for configuring a client, the device comprising:

A receiving unit, configured to receive trigger signaling sent by the first configuration device when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to initiate device-led configuration;

A creating unit, configured to create a second secure resource on the client, where the second secure resource and the at least one first secure resource belong to the same resource type;

The obtaining unit is configured to obtain configuration parameters from the first configuration device, and configure the second security resource based on the configuration parameters.

The device of claim 51, wherein:

The device according to claim 51 or 52, wherein:

The device according to claim 53, wherein the device further comprises:

The apparatus according to any one of claims 51 to 54, wherein the receiving unit is configured to receive a first request message sent by the first configuration device, and the first request message is used to request the client The target attribute of the target resource at the end;

The device according to any one of claims 51 to 55, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The apparatus according to claim 56, wherein the acquiring unit is configured to acquire the first device identification of the first configuration device from the first configuration device, and configure the second device identification based on the first device identification. The first attribute and the second attribute of the secure resource, wherein the first attribute is used to indicate the device owner identification, the second attribute is used to indicate the resource owner identification, and the value of the first attribute is the first A device identifier, where the value of the second attribute is the first device identifier.

The device of claim 57, wherein the device further comprises:

The configuration unit is configured to configure a third attribute of the second security resource, where the third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third attribute is The value is used to indicate that the device owner has been created; the third attribute of the at least one first secure resource is set as the third value.

The device according to any one of claims 51 to 55, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is related to a credential Resources.

The apparatus according to claim 59, wherein the obtaining unit is configured to obtain a first device identification and credential content of the first configuration device from the first configuration device; based on the first device identification and the first configuration device; The content of the voucher configures the fourth attribute and the fifth attribute of the second security resource, wherein the fourth attribute is used to indicate the resource owner identifier, the fifth attribute is used to indicate the content of the voucher, and the value of the fourth attribute The value is the first device identifier.

A device for configuring a client, the device comprising:

A receiving unit, configured to receive a target attribute of a target resource sent by a client, where the target attribute is used to indicate a device role of the client; wherein the client has at least one first secure resource;

The sending unit is configured to send a first creation signaling to the client when the device role of the client is a mobile device, where the first creation signaling is used to instruct to create a second creation on the client A security resource, the second security resource and the at least one first security resource belong to the same resource type; sending a first configuration signaling to the client, where the first configuration signaling is used to configure the second security Resources.

The device of claim 61, wherein:

The device according to claim 61 or 62, wherein:

The apparatus according to any one of claims 61 to 63, wherein the sending unit is configured to send a first request message to the client, and the first request message is used to request a target resource of the client Target attributes;

The receiving unit is configured to receive a first response message sent by the client, where the first response message is used to notify the first configuration device of the target attribute of the target resource of the client.

The apparatus according to any one of claims 61 to 64, wherein the sending unit is configured to send a second request message to the client when the device role of the client is a mobile device, so The second request message is used to request resource content of the client;

The receiving unit is configured to receive resource content of the client sent by the client, where the resource content includes an identifier and a resource type of the at least one first secure resource;

The sending unit is configured to send first creation signaling to the client, where the first creation signaling is used to create the second security resource.

The apparatus according to any one of claims 61 to 65, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The apparatus according to claim 66, wherein the first configuration signaling carries a first device identifier of the first configuration device;

The apparatus according to claim 67, wherein the sending unit is configured to send second configuration signaling to the client, and the second configuration signaling is configured to configure a third attribute of the second security resource , Wherein the third attribute is used to indicate whether to create a device owner, the value of the third attribute is a third value, and the third value is used to indicate that the device owner has been created.

The device according to any one of claims 61 to 65, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is related to a credential Resources.

The apparatus according to claim 69, wherein the first configuration signaling carries a first device identification and credential content of the first configuration device;

A device for configuring a client, the device comprising:

The receiving unit is configured to receive the target attribute of the target resource of the client sent by the client, the target attribute is used to indicate the device role of the client; wherein the client has at least one first security resource;

The sending unit is configured to send trigger signaling to the client when the device role of the client is a mobile device, where the trigger signaling is used to trigger the client to create a second on the client A secure resource, where the second secure resource and the at least one first secure resource belong to the same resource type; sending configuration parameters to the client, where the configuration parameters are used by the client to configure the second secure resource.

The device of claim 71, wherein:

The device according to claim 71 or 72, wherein:

The apparatus according to any one of claims 71 to 73, wherein the sending unit is configured to send a first request message to the client, and the first request message is used to request a target resource of the client Target attributes;

The device according to any one of claims 71 to 74, wherein the at least one first secure resource and the second secure resource both belong to a first resource type, and the first resource type is related to the owner Resources.

The apparatus according to claim 75, wherein the configuration parameter includes a first device identifier of the first configuration device;

The device according to any one of claims 71 to 74, wherein the at least one first secure resource and the second secure resource both belong to a second resource type, and the second resource type is related to a credential Resources.

The apparatus according to claim 77, wherein the configuration parameters include a first device identifier and credential content of the first configuration device;

A terminal device, comprising: a processor and a memory, the memory is used to store a computer program, the processor is used to call and run the computer program stored in the memory, and execute any one of claims 1-21 , Or the method of any one of claims 22 to 39.

A chip comprising: a processor, configured to call and run a computer program from a memory, so that a device installed with the chip executes the method according to any one of claims 1 to 21, or claims 22 to 39 The method of any one of.

A computer-readable storage medium for storing a computer program that causes a computer to execute the method according to any one of claims 1 to 21, or the method according to any one of claims 22 to 39 .

A computer program product comprising computer program instructions that cause a computer to execute the method according to any one of claims 1 to 21 or the method according to any one of claims 22 to 39.

A computer program that causes a computer to execute the method according to any one of claims 1 to 21 or the method according to any one of claims 22 to 39.