Over-the-air Orchestrator service (OTAO) is a Kaa service that is responsible for endpoint (EP) over-the-air updates. OTAO does NOT persist software itself, but rather its specification.

OTAO operates on the notion of a “software update”. A software update is a description of a particular piece of software and includes the following vital parts:

  • version;
  • upgrade graph from other software;
  • specification (free JSON format).

It can describe any software, including firmware, device drivers, operating systems, etc. A software update is defined per application.

The software update specification has a free JSON format, so it can include information such as image link(s), image checksum, checksum algorithm, etc. The specification is sent to an endpoint as is.

OTAO lets a user define whether the update(s) of a particular application need additional consent before being sent to a device. This information is taken into account during endpoint pull / OTAO event broadcasts.

OTAO provides interfaces for managing and retrieving software updates.


OTAO supports a number of interfaces to perform its functional role. The key supported interfaces are summarized in the following diagram.

OTAO interfaces diagram

For inter-service communication, Kaa services mainly use REST APIs and pub-sub messaging protocols that run over the NATS messaging system.

Gradual software rollout

OTAO supports gradual software rollout that is based on endpoint filters. It is possible to associate software updates with the endpoint filters. Only the endpoints that match at least one of the specified filters are eligible for receiving the specific software update.

Software file management

OTAO can handle software file uploads via REST API and store these files in a configured AWS S3 bucket. When an endpoint requests its software update, OTAO generates a presigned file download URL and adds it to the software specification JSON object. Note that the specification must be a JSON object so that OTAO can add the file download URL to it.

The path at which the file download URL is added to the JSON specification object can be configured.

OTAO stores uploaded files in the AWS S3 bucket under a folder with the following format: <tenantID>/<application name>/<software version>, e.g., 389c88fd-a06d-4e4b-9500-cc897fa1ac43/c72cvifq4hhh0acsv630/1.5.3.

OTAO doesn’t expose the REST API related to the file management feature if the AWS S3 file storage type is not enabled.
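An endpoint-side check for the specification described above (free-form JSON carrying an image link, checksum and checksum algorithm, with the download URL added at a configured path), as an added example that is not Kaa code. The field names `image.url`, `image.checksum` and `image.checksumAlgorithm` and all sample values are assumptions; OTAO does not prescribe them.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical field names: the specification is free-form JSON, OTAO defines none of these.
URL_PATH = ("image", "url")           # assumed to mirror the configured download URL path
ALLOWED_ALGOS = {"sha256", "sha512"}  # endpoint policy: refuse weak digests such as md5/sha1

class SpecError(ValueError):
    """Raised when a received specification must not be acted on."""

def get_path(spec, path):
    """Walk nested JSON objects; fail closed on a missing or non-object step."""
    node = spec
    for key in path:
        if not isinstance(node, dict) or key not in node:
            raise SpecError("missing field: " + ".".join(path))
        node = node[key]
    return node

def validate_spec(spec):
    """Return (url, algo, expected_hex) or raise SpecError."""
    url = get_path(spec, URL_PATH)
    algo = str(get_path(spec, ("image", "checksumAlgorithm"))).lower()
    expected = str(get_path(spec, ("image", "checksum"))).lower()
    if not isinstance(url, str) or urlparse(url).scheme != "https":
        raise SpecError("download URL must be https")
    if algo not in ALLOWED_ALGOS:
        raise SpecError("checksum algorithm not allowed: " + algo)
    if len(expected) != hashlib.new(algo).digest_size * 2 or set(expected) - set("0123456789abcdef"):
        raise SpecError("checksum is not a valid hex digest for " + algo)
    return url, algo, expected

def image_matches(spec, image_bytes):
    """True only if the downloaded bytes hash to the checksum in the spec."""
    _, algo, expected = validate_spec(spec)
    actual = hashlib.new(algo, image_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison

# Constructed sample: image bytes and the specification an endpoint might receive.
SAMPLE_IMAGE = b"constructed firmware image v1.5.3"
SAMPLE_SPEC = {"image": {
    "url": "https://files.example.com/fw.bin?sig=placeholder",
    "checksumAlgorithm": "SHA256",
    "checksum": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}}
```

A checksum carried in the same specification as the URL detects a corrupted or swapped file; it does not authenticate the specification itself.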

EP software update management

OTAO provides REST APIs that can be used to manage software updates.

EP software update transport

The EP software update transport interface is based on the Configuration Data Transport Protocol (6/CDTP) that runs on top of NATS. It is used for providing software update data to EP configuration data consumers.

EP unregistered lifecycle event

OTAO listens to the Endpoint unregistered lifecycle event broadcast by the EPR service over NATS. After OTAO receives a message that an endpoint was deleted, it removes the data corresponding to this endpoint.

Tekton integration

OTAO is integrated with Kaa Tekton for centralized application configuration management. It receives configuration update messages from Tekton over 17/SCMP and uses the Tekton REST API to retrieve current configs.

See configuration for more information.

Kaa Tenant Manager integration

OTAO supports multi-tenancy with each tenant using a separate OAuth 2.0 issuer for authentication, authorization, and resource management. The list of the existing tenants is managed by the Kaa Tenant Manager, which provides a REST API for retrieving tenant security configs.

See the security configuration for more details on how to enable multi-tenancy in OTAO.