ROS2 Security settings and certificates

[darshit-desai]

Is there an already existing issue for this?

• I have searched the existing issues

Expected behavior

The expected behavior as far as my understanding goes is that it should discover and show topics

Current behavior

Hi I have been trying to use the FASTRTPS_DEFAULT_PROFILES_FILE env variable and FASRDDS_DEFAULT_PROFILES_FILE env variable to setup ros2 security and ACLs for my ros2 topics.

Here's the scenario, IN Term#1 I source the relevant files as shown in the screenshot and than I run the MicroXRCEAgent for PX4, it starts up flawlessly and when I open up another terminal to source the same xml file through which the I started the agent it shows me this error

I have checked to make sure my permissions and governance files are signed and converted to smime's. I am using this example from the FASTDDS repo.
https://github.com/eProsima/Fast-DDS/tree/master/examples/cpp/security/certs
https://github.com/eProsima/Fast-DDS/blob/master/examples/cpp/security/secure_publisher_profile.xml

I will be corssposting this on FASTDDS and ROS2 both because I can't seem to figure out what's the issue,

I am using ROS2 Humble , the MicroXRCEAgent and the term#2 are all on the same computer and network

Steps to reproduce

Install ROS2 humble
Clone the fast dds repo
Replace the contents of all the xml files in the security example as attached
Export and source the xml files before the next step, make sure smime's are signed
If possible compile MicroXRCEAgent with Security ON run the agent with the PX4 main line sitl code
In another terminal do the same and than do ros2 doctor --report

Fast DDS version/commit

Not sure, whichever is packaged with ROS2 Humble

Platform/Architecture

Other. Please specify in Additional context section.

Transport layer

UDPv4

Additional context

Ubuntu 22.04

XML configuration file

Below are the permissions, governance and the domain participant xml files:

Permissions file:

<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd">
    <permissions>
        <grant name="PublisherPermissions">
            <subject_name>emailAddress=mainpub@eprosima.com, CN=Main Publisher, OU=eProsima, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <publish>
                    <topics>
                        <topic>ros_discovery_info</topic>
                        <topic>rt/rosout</topic>
                        <topic>rt/parameter_events</topic>
                        <topic>rt/fmu/out/*</topic>
                        <topic>rr/fmu/*</topic>
                    </topics>
                </publish>
                <subscribe>
                    <topics>
                        <topic>rt/fmu/in/*</topic>
                        <topic>rq/fmu/*</topic>
                        <topic>ros_discovery_info</topic>
                        <topic>rt/rosout</topic>
                        <topic>rt/parameter_events</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
        <grant name="SubscriberPermissions">
            <subject_name> emailAddress=mainsub@eprosima.com, CN=Main Subscriber, OU=eProsima, O=eProsima, ST=MA, C=ES</subject_name>
            <validity>
                <not_before>2013-06-01T13:00:00</not_before>
                <not_after>2038-06-01T13:00:00</not_after>
            </validity>
            <allow_rule>
                <domains>
                    <id_range>
                        <min>0</min>
                        <max>230</max>
                    </id_range>
                </domains>
                <subscribe>
                    <topics>
                        <topic>rt/fmu/in/*</topic>
                        <topic>rr/fmu/*</topic>
                        <topic>ros_discovery_info</topic>
                        <topic>rt/rosout</topic>
                        <topic>rt/parameter_events</topic>
                    </topics>
                </subscribe>
            </allow_rule>
            <default>DENY</default>
        </grant>
    </permissions>
</dds>


Governance file:

<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="omg_shared_ca_domain_governance.xsd">
    <domain_access_rules>
        <domain_rule>
            <domains>
                <id_range>
                    <min>0</min>
                    <max>230</max>
                </id_range>
            </domains>
            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
            <enable_join_access_control>true</enable_join_access_control>
            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
            <topic_access_rules>
                <topic_rule>
                    <topic_expression>ros_discovery_info</topic_expression>
                    <enable_discovery_protection>false</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>false</enable_read_access_control>
                    <enable_write_access_control>false</enable_write_access_control>
                    <metadata_protection_kind>NONE</metadata_protection_kind>
                    <data_protection_kind>NONE</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rt/rosout</topic_expression>
                    <enable_discovery_protection>false</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>false</enable_read_access_control>
                    <enable_write_access_control>false</enable_write_access_control>
                    <metadata_protection_kind>NONE</metadata_protection_kind>
                    <data_protection_kind>NONE</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rt/parameter_events</topic_expression>
                    <enable_discovery_protection>false</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>false</enable_read_access_control>
                    <enable_write_access_control>false</enable_write_access_control>
                    <metadata_protection_kind>NONE</metadata_protection_kind>
                    <data_protection_kind>NONE</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rt/fmu/out/*</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rt/fmu/in/*</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rq/fmu/*</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
                <topic_rule>
                    <topic_expression>rr/fmu/*</topic_expression>
                    <enable_discovery_protection>true</enable_discovery_protection>
                    <enable_liveliness_protection>false</enable_liveliness_protection>
                    <enable_read_access_control>true</enable_read_access_control>
                    <enable_write_access_control>true</enable_write_access_control>
                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
                    <data_protection_kind>ENCRYPT</data_protection_kind>
                </topic_rule>
            </topic_access_rules>
        </domain_rule>
    </domain_access_rules>
</dds>


Domain participant xml

<?xml version="1.0" encoding="UTF-8" ?>
<profiles xmlns="http://www.eprosima.com" >
    <transport_descriptors>
        <transport_descriptor>
            <transport_id>custom_udp_transport</transport_id>
            <type>UDPv4</type>
            <interfaceWhiteList>
                <address>127.0.0.1</address>
            </interfaceWhiteList>
        </transport_descriptor>
    </transport_descriptors>

    <!-- Default publisher profile (Data Sharing / Zero-Copy when possible) -->
    <data_writer profile_name="aos_default_publisher_profile" is_default_profile="true">
        <qos>
            <publishMode>
                <kind>SYNCHRONOUS</kind>
            </publishMode>
        </qos>
        <historyMemoryPolicy>PREALLOCATED_WITH_REALLOC</historyMemoryPolicy>
    </data_writer>
    <!-- Default subscriber profile (Data Sharing / Zero-Copy when possible) -->
    <data_reader profile_name="aos_default_subscriber_profile" is_default_profile="true">
        <historyMemoryPolicy>PREALLOCATED_WITH_REALLOC</historyMemoryPolicy>
    </data_reader>
    <participant profile_name="px4_participant" is_default_profile="true">
        <domainId>0</domainId>
        <rtps>
            <userTransports>
                <transport_id>custom_udp_transport</transport_id>
            </userTransports>
            <propertiesPolicy>
                <!-- Set authentication for DDS Domain communication  -->
                <properties>
                    <!-- Activate DDS:Auth:PKI-DH plugin -->
                    <property>
                        <name>dds.sec.auth.plugin</name>
                        <value>builtin.PKI-DH</value>
                    </property>
                    <!-- Configure DDS:Auth:PKI-DH plugin -->
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.identity_ca</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/maincacert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.identity_certificate</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/mainpubcert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/mainpubkey.pem</value>
                    </property>
                    <!-- Activate DDS:Access:Permissions plugin -->
                    <property>
                        <name>dds.sec.access.plugin</name>
                        <value>builtin.Access-Permissions</value>
                    </property>
                    <!-- Configure DDS:Access:Permissions plugin -->
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.permissions_ca</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/maincacert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.governance</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/governance.smime</value>
                    </property>
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.permissions</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/permissions.smime</value>
                    </property>
                    <!-- Activate Crypto:AES-GCM-GMAC plugin -->
                    <property>
                        <name>dds.sec.crypto.plugin</name>
                        <value>builtin.AES-GCM-GMAC</value>
                    </property>
                </properties>
            </propertiesPolicy>
        </rtps>
    </participant>
    <!-- <data_writer profile_name="hello_world_datawriter_profile" is_default_profile="true">
        <qos>
            <durability>
                <kind>TRANSIENT_LOCAL</kind>
            </durability>
            <reliability>
                <kind>RELIABLE</kind>
            </reliability>
        </qos>
        <topic>
            <historyQos>
                <kind>KEEP_LAST</kind>
                <depth>100</depth>
            </historyQos>
            <resourceLimitsQos>
                <max_samples>100</max_samples>
                <max_instances>1</max_instances>
                <max_samples_per_instance>100</max_samples_per_instance>
            </resourceLimitsQos>
        </topic>
    </data_writer> -->
</profiles>

Relevant log output

Network traffic capture

No response

[darshit-desai]

So the thing is I did try something else after this, since I was using certificates which were uploaded in the examples directory of the FastDDS repo I tried generating my own certificates using the documentation showed in the below link:
https://fast-dds.docs.eprosima.com/en/latest/fastdds/security/auth_plugin/auth_plugin.html#generation-of-x-509-certificates

Now when I use this newly generated certificates with my setup I get this error while running the MicroXRCEAgent:

The detailed terminal output along with the ros2 doctor report is below:

px4dev@px4dev-Precision-5510:~$ source /opt/ros/humble/setup.bash 
px4dev@px4dev-Precision-5510:~$ export RMW_IMPLEMENTATION=rmw_fastrtps_cpp
px4dev@px4dev-Precision-5510:~$ export FASTRTPS_DEFAULT_PROFILES_FILE=/home/px4dev/Software/Fast-DDS/examples/cpp/security/secure_publisher_profile.xml 
px4dev@px4dev-Precision-5510:~$ export FASTDDS_DEFAULT_PROFILES_FILE=/home/px4dev/Software/Fast-DDS/examples/cpp/security/secure_publisher_profile.xml 
px4dev@px4dev-Precision-5510:~$ ros2 doctor --report

   NETWORK CONFIGURATION
inet         : 127.0.0.1
inet4        : ['127.0.0.1']
inet6        : ['::1']
netmask      : 255.0.0.0
device       : lo
flags        : 73<UP,LOOPBACK,RUNNING>
mtu          : 65536
inet         : 192.168.102.32
inet4        : ['192.168.102.32']
ether        : 28:16:ad:59:0f:d3
inet6        : ['fe80::e033:5ad0:5eb:602%wlp2s0']
netmask      : 255.255.248.0
device       : wlp2s0
flags        : 4163<UP,BROADCAST,RUNNING,MULTICAST>
mtu          : 1500
broadcast    : 192.168.103.255
inet         : 172.17.0.1
inet4        : ['172.17.0.1']
ether        : 2e:b7:5a:9d:25:e0
netmask      : 255.255.0.0
device       : docker0
flags        : 4099<UP,BROADCAST,MULTICAST>
mtu          : 1500
broadcast    : 172.17.255.255

   PACKAGE VERSIONS
rcl_logging_interface                     : latest=2.3.1, local=2.3.1
examples_rclcpp_minimal_subscriber        : latest=0.15.3, local=0.15.3
rqt_srv                                   : latest=1.0.3, local=1.0.3
lifecycle                                 : latest=0.20.5, local=0.20.5
visualization_msgs                        : latest=4.2.4, local=4.2.4
interactive_markers                       : latest=2.3.2, local=2.3.2
ament_cmake_uncrustify                    : latest=0.12.11, local=0.12.11
ament_copyright                           : latest=0.12.11, local=0.12.11
rosidl_typesupport_cpp                    : latest=2.0.2, local=2.0.2
shared_queues_vendor                      : latest=0.15.13, local=0.15.13
class_loader                              : latest=2.2.0, local=2.2.0
zstd_vendor                               : latest=0.15.13, local=0.15.13
rqt_common_plugins                        : latest=1.2.0, local=1.2.0
rosidl_runtime_c                          : latest=3.1.6, local=3.1.6
ros_core                                  : latest=0.10.0, local=0.10.0
laser_geometry                            : latest=2.4.0, local=2.4.0
action_tutorials_cpp                      : latest=0.20.5, local=0.20.5
ament_cmake_pep257                        : latest=0.12.11, local=0.12.11
rosbag2                                   : latest=0.15.13, local=0.15.13
ros2launch                                : latest=0.19.8, local=0.19.8
pluginlib                                 : latest=5.1.0, local=5.1.0
ros_environment                           : latest=3.2.2, local=3.2.2
qt_gui_cpp                                : latest=2.2.3, local=2.2.3
ament_index_cpp                           : latest=1.4.0, local=1.4.0
image_transport                           : latest=3.1.11, local=3.1.10
lifecycle_msgs                            : latest=1.2.1, local=1.2.1
sros2                                     : latest=0.10.5, local=0.10.5
rosbag2_transport                         : latest=0.15.13, local=0.15.13
stereo_msgs                               : latest=4.2.4, local=4.2.4
ament_lint_cmake                          : latest=0.12.11, local=0.12.11
dummy_sensors                             : latest=0.20.5, local=0.20.5
ament_pep257                              : latest=0.12.11, local=0.12.11
rviz_rendering                            : latest=11.2.16, local=11.2.16
ament_cmake_export_targets                : latest=1.3.11, local=1.3.11
examples_rclpy_minimal_service            : latest=0.15.3, local=0.15.3
ament_cmake_cppcheck                      : latest=0.12.11, local=0.12.11
sensor_msgs_py                            : latest=4.2.4, local=4.2.4
rmw_dds_common                            : latest=1.6.0, local=1.6.0
qt_gui                                    : latest=2.2.3, local=2.2.3
keyboard_handler                          : latest=0.0.5, local=0.0.5
tracetools                                : latest=4.1.1, local=4.1.1
ros2interface                             : latest=0.18.11, local=0.18.11
depthimage_to_laserscan                   : latest=2.5.1, local=2.5.1
example_interfaces                        : latest=0.9.3, local=0.9.3
rqt_publisher                             : latest=1.5.0, local=1.5.0
ament_cmake_python                        : latest=1.3.11, local=1.3.11
examples_rclpy_minimal_publisher          : latest=0.15.3, local=0.15.3
orocos_kdl_vendor                         : latest=0.2.5, local=0.2.5
rosbag2_compression_zstd                  : latest=0.15.13, local=0.15.13
ament_cmake_test                          : latest=1.3.11, local=1.3.11
tinyxml_vendor                            : latest=0.8.3, local=0.8.3
rqt_image_view                            : latest=1.2.0, local=1.2.0
ament_cmake_auto                          : latest=1.3.11, local=1.3.11
dummy_robot_bringup                       : latest=0.20.5, local=0.20.5
ament_cmake_export_interfaces             : latest=1.3.11, local=1.3.11
ament_cmake_gen_version_h                 : latest=1.3.11, local=1.3.11
ament_cmake_lint_cmake                    : latest=0.12.11, local=0.12.11
composition_interfaces                    : latest=1.2.1, local=1.2.1
osrf_pycommon                             : latest=2.1.4, local=2.1.4
kdl_parser                                : latest=2.6.4, local=2.6.4
examples_rclcpp_minimal_action_client     : latest=0.15.3, local=0.15.3
rqt_reconfigure                           : latest=1.1.2, local=1.1.2
pybind11_vendor                           : latest=2.4.2, local=2.4.2
launch_ros                                : latest=0.19.8, local=0.19.8
rosbag2_storage                           : latest=0.15.13, local=0.15.13
ament_uncrustify                          : latest=0.12.11, local=0.12.11
ament_cmake_ros                           : latest=0.10.0, local=0.10.0
rcl_interfaces                            : latest=1.2.1, local=1.2.1
tf2_msgs                                  : latest=0.25.12, local=0.25.12
ament_cmake_export_include_directories    : latest=1.3.11, local=1.3.11
examples_rclpy_minimal_action_client      : latest=0.15.3, local=0.15.3
examples_rclcpp_minimal_service           : latest=0.15.3, local=0.15.3
rosidl_default_runtime                    : latest=1.2.0, local=1.2.0
rqt_topic                                 : latest=1.5.0, local=1.5.0
intra_process_demo                        : latest=0.20.5, local=0.20.5
rosgraph_msgs                             : latest=1.2.1, local=1.2.1
rosidl_runtime_py                         : latest=0.9.3, local=0.9.3
ament_cmake_flake8                        : latest=0.12.11, local=0.12.11
rmw_fastrtps_cpp                          : latest=6.2.7, local=6.2.7
rosbag2_compression                       : latest=0.15.13, local=0.15.13
ros2pkg                                   : latest=0.18.11, local=0.18.11
rqt_action                                : latest=2.0.1, local=2.0.1
ament_xmllint                             : latest=0.12.11, local=0.12.11
ros2cli_common_extensions                 : latest=0.1.1, local=0.1.1
nav_msgs                                  : latest=4.2.4, local=4.2.4
ament_cmake_export_dependencies           : latest=1.3.11, local=1.3.11
rqt_py_common                             : latest=1.1.7, local=1.1.7
rcl_lifecycle                             : latest=5.3.9, local=5.3.9
domain_coordinator                        : latest=0.10.0, local=0.10.0
rqt_msg                                   : latest=1.2.0, local=1.2.0
teleop_twist_keyboard                     : latest=2.4.0, local=2.4.0
uncrustify_vendor                         : latest=2.0.2, local=2.0.2
rcutils                                   : latest=5.1.6, local=5.1.6
tf2_py                                    : latest=0.25.12, local=0.25.12
ros2topic                                 : latest=0.18.11, local=0.18.11
rosidl_typesupport_c                      : latest=2.0.2, local=2.0.2
rttest                                    : latest=0.13.0, local=0.13.0
image_geometry                            : latest=3.2.1, local=3.2.1
tf2_geometry_msgs                         : latest=0.25.12, local=0.25.12
rosidl_typesupport_introspection_c        : latest=3.1.6, local=3.1.6
rosbag2_cpp                               : latest=0.15.13, local=0.15.13
tf2_eigen                                 : latest=0.25.12, local=0.25.12
turtlesim                                 : latest=1.4.2, local=1.4.2
action_tutorials_py                       : latest=0.20.5, local=0.20.5
fastrtps_cmake_module                     : latest=2.2.2, local=2.2.2
ros2service                               : latest=0.18.11, local=0.18.11
ament_cmake_libraries                     : latest=1.3.11, local=1.3.11
rqt_plot                                  : latest=1.1.3, local=1.1.3
quality_of_service_demo_py                : latest=0.20.5, local=0.20.5
rosbag2_py                                : latest=0.15.13, local=0.15.13
libcurl_vendor                            : latest=3.1.2, local=3.1.2
rosbag2_interfaces                        : latest=0.15.13, local=0.15.13
rosidl_typesupport_interface              : latest=3.1.6, local=3.1.6
ament_cmake_target_dependencies           : latest=1.3.11, local=1.3.11
examples_rclcpp_multithreaded_executor    : latest=0.15.3, local=0.15.3
diagnostic_msgs                           : latest=4.2.4, local=4.2.4
tlsf_cpp                                  : latest=0.13.0, local=0.13.0
rmw_implementation_cmake                  : latest=6.1.2, local=6.1.2
sensor_msgs                               : latest=4.2.4, local=4.2.4
std_srvs                                  : latest=4.2.4, local=4.2.4
rqt_gui_py                                : latest=1.1.7, local=1.1.7
ros2doctor                                : latest=0.18.11, local=0.18.11
rclcpp                                    : latest=16.0.11, local=16.0.11
rosidl_runtime_cpp                        : latest=3.1.6, local=3.1.6
console_bridge_vendor                     : latest=1.4.1, local=1.4.1
pcl_msgs                                  : latest=1.0.0, local=1.0.0
ament_lint_common                         : latest=0.12.11, local=0.12.11
geometry_msgs                             : latest=4.2.4, local=4.2.4
rosidl_cmake                              : latest=3.1.6, local=3.1.6
yaml_cpp_vendor                           : latest=8.0.2, local=8.0.2
rosidl_typesupport_fastrtps_c             : latest=2.2.2, local=2.2.2
tf2_kdl                                   : latest=0.25.12, local=0.25.12
rqt_graph                                 : latest=1.3.1, local=1.3.1
ament_lint_auto                           : latest=0.12.11, local=0.12.11
launch_testing_ament_cmake                : latest=1.0.7, local=1.0.7
tf2_eigen_kdl                             : latest=0.25.12, local=0.25.12
ros_workspace                             : latest=1.0.2, local=1.0.2
rosbag2_storage_default_plugins           : latest=0.15.13, local=0.15.13
std_msgs                                  : latest=4.2.4, local=4.2.4
tf2_tools                                 : latest=0.25.12, local=0.25.12
geometry2                                 : latest=0.25.12, local=0.25.12
rviz2                                     : latest=11.2.16, local=11.2.16
ros2param                                 : latest=0.18.11, local=0.18.11
sros2_cmake                               : latest=0.10.5, local=0.10.5
sqlite3_vendor                            : latest=0.15.13, local=0.15.13
rqt_bag                                   : latest=1.1.5, local=1.1.5
rviz_common                               : latest=11.2.16, local=11.2.16
examples_rclpy_minimal_client             : latest=0.15.3, local=0.15.3
ament_package                             : latest=0.14.0, local=0.14.0
trajectory_msgs                           : latest=4.2.4, local=4.2.4
rosidl_generator_c                        : latest=3.1.6, local=3.1.6
python_orocos_kdl_vendor                  : latest=0.2.5, local=0.2.5
topic_monitor                             : latest=0.20.5, local=0.20.5
cv_bridge                                 : latest=3.2.1, local=3.2.1
launch_testing                            : latest=1.0.7, local=1.0.7
qt_gui_py_common                          : latest=2.2.3, local=2.2.3
demo_nodes_cpp_native                     : latest=0.20.5, local=0.20.5
examples_rclcpp_minimal_publisher         : latest=0.15.3, local=0.15.3
rviz_assimp_vendor                        : latest=11.2.16, local=11.2.16
ament_cmake_gtest                         : latest=1.3.11, local=1.3.11
demo_nodes_cpp                            : latest=0.20.5, local=0.20.5
python_qt_binding                         : latest=1.1.2, local=1.1.2
unique_identifier_msgs                    : latest=2.2.1, local=2.2.1
pcl_conversions                           : latest=2.4.5, local=2.4.5
qt_dotgraph                               : latest=2.2.3, local=2.2.3
rviz_default_plugins                      : latest=11.2.16, local=11.2.16
ament_cpplint                             : latest=0.12.11, local=0.12.11
rqt_py_console                            : latest=1.0.2, local=1.0.2
common_interfaces                         : latest=4.2.4, local=4.2.4
python_cmake_module                       : latest=0.10.0, local=0.10.0
action_tutorials_interfaces               : latest=0.20.5, local=0.20.5
rosidl_generator_cpp                      : latest=3.1.6, local=3.1.6
tf2_bullet                                : latest=0.25.12, local=0.25.12
ament_cmake_gmock                         : latest=1.3.11, local=1.3.11
tf2_sensor_msgs                           : latest=0.25.12, local=0.25.12
rclcpp_lifecycle                          : latest=16.0.11, local=16.0.11
rclpy                                     : latest=3.3.15, local=3.3.15
tinyxml2_vendor                           : latest=0.7.6, local=0.7.6
teleop_twist_joy                          : latest=2.4.7, local=2.4.7
ament_lint                                : latest=0.12.11, local=0.12.11
ament_cmake_include_directories           : latest=1.3.11, local=1.3.11
rosidl_adapter                            : latest=3.1.6, local=3.1.6
ament_cmake_pytest                        : latest=1.3.11, local=1.3.11
action_msgs                               : latest=1.2.1, local=1.2.1
rqt_gui_cpp                               : latest=1.1.7, local=1.1.7
robot_state_publisher                     : latest=3.0.3, local=3.0.3
examples_rclcpp_minimal_composition       : latest=0.15.3, local=0.15.3
libstatistics_collector                   : latest=1.3.4, local=1.3.4
rosidl_generator_py                       : latest=0.14.4, local=0.14.4
ros2run                                   : latest=0.18.11, local=0.18.11
map_msgs                                  : latest=2.1.0, local=2.1.0
angles                                    : latest=1.15.0, local=1.15.0
ros2node                                  : latest=0.18.11, local=0.18.11
ros2bag                                   : latest=0.15.13, local=0.15.13
builtin_interfaces                        : latest=1.2.1, local=1.2.1
pendulum_control                          : latest=0.20.5, local=0.20.5
launch                                    : latest=1.0.7, local=1.0.7
ament_cmake_export_definitions            : latest=1.3.11, local=1.3.11
rqt_console                               : latest=2.0.3, local=2.0.3
launch_yaml                               : latest=1.0.7, local=1.0.7
rosidl_default_generators                 : latest=1.2.0, local=1.2.0
rmw                                       : latest=6.1.2, local=6.1.2
ament_cmake_core                          : latest=1.3.11, local=1.3.11
ament_cppcheck                            : latest=0.12.11, local=0.12.11
quality_of_service_demo_cpp               : latest=0.20.5, local=0.20.5
rqt_service_caller                        : latest=1.0.5, local=1.0.5
ament_index_python                        : latest=1.4.0, local=1.4.0
rcl_logging_spdlog                        : latest=2.3.1, local=2.3.1
ament_cmake_export_link_flags             : latest=1.3.11, local=1.3.11
examples_rclcpp_minimal_action_server     : latest=0.15.3, local=0.15.3
rclcpp_components                         : latest=16.0.11, local=16.0.11
statistics_msgs                           : latest=1.2.1, local=1.2.1
tango_icons_vendor                        : latest=0.1.1, local=0.1.1
rclcpp_action                             : latest=16.0.11, local=16.0.11
ros2lifecycle                             : latest=0.18.11, local=0.18.11
rosidl_typesupport_fastrtps_cpp           : latest=2.2.2, local=2.2.2
rcpputils                                 : latest=2.4.4, local=2.4.4
image_tools                               : latest=0.20.5, local=0.20.5
message_filters                           : latest=4.3.5, local=4.3.5
tf2_ros_py                                : latest=0.25.12, local=0.25.12
rviz_ogre_vendor                          : latest=11.2.16, local=11.2.16
rosidl_typesupport_introspection_cpp      : latest=3.1.6, local=3.1.6
eigen3_cmake_module                       : latest=0.1.1, local=0.1.1
sdl2_vendor                               : latest=3.3.0, local=3.3.0
rmw_implementation                        : latest=2.8.4, local=2.8.4
desktop                                   : latest=0.10.0, local=0.10.0
ament_flake8                              : latest=0.12.11, local=0.12.11
composition                               : latest=0.20.5, local=0.20.5
demo_nodes_py                             : latest=0.20.5, local=0.20.5
spdlog_vendor                             : latest=1.3.1, local=1.3.1
ament_cmake_version                       : latest=1.3.11, local=1.3.11
rosidl_parser                             : latest=3.1.6, local=3.1.6
ament_cmake                               : latest=1.3.11, local=1.3.11
ros2component                             : latest=0.18.11, local=0.18.11
examples_rclpy_minimal_subscriber         : latest=0.15.3, local=0.15.3
rcl_action                                : latest=5.3.9, local=5.3.9
launch_testing_ros                        : latest=0.19.8, local=0.19.8
tlsf                                      : latest=0.7.0, local=0.7.0
urdf                                      : latest=2.6.1, local=2.6.1
ros_base                                  : latest=0.10.0, local=0.10.0
logging_demo                              : latest=0.20.5, local=0.20.5
joy                                       : latest=3.3.0, local=3.3.0
rcl                                       : latest=5.3.9, local=5.3.9
ament_cmake_cpplint                       : latest=0.12.11, local=0.12.11
rqt_gui                                   : latest=1.1.7, local=1.1.7
shape_msgs                                : latest=4.2.4, local=4.2.4
rcl_yaml_param_parser                     : latest=5.3.9, local=5.3.9
ros2multicast                             : latest=0.18.11, local=0.18.11
rosidl_cli                                : latest=3.1.6, local=3.1.6
tf2_ros                                   : latest=0.25.12, local=0.25.12
actionlib_msgs                            : latest=4.2.4, local=4.2.4
ros2cli                                   : latest=0.18.11, local=0.18.11
dummy_map_server                          : latest=0.20.5, local=0.20.5
ament_cmake_copyright                     : latest=0.12.11, local=0.12.11
tf2                                       : latest=0.25.12, local=0.25.12
ros2action                                : latest=0.18.11, local=0.18.11
ament_cmake_export_libraries              : latest=1.3.11, local=1.3.11
rmw_fastrtps_shared_cpp                   : latest=6.2.7, local=6.2.7
rpyutils                                  : latest=0.2.1, local=0.2.1
libyaml_vendor                            : latest=1.2.2, local=1.2.2
resource_retriever                        : latest=3.1.2, local=3.1.2
urdf_parser_plugin                        : latest=2.6.1, local=2.6.1
launch_xml                                : latest=1.0.7, local=1.0.7
rqt_bag_plugins                           : latest=1.1.5, local=1.1.5
examples_rclpy_executors                  : latest=0.15.3, local=0.15.3
examples_rclcpp_minimal_client            : latest=0.15.3, local=0.15.3
examples_rclcpp_minimal_timer             : latest=0.15.3, local=0.15.3
ament_cmake_xmllint                       : latest=0.12.11, local=0.12.11
pendulum_msgs                             : latest=0.20.5, local=0.20.5
examples_rclpy_minimal_action_server      : latest=0.15.3, local=0.15.3
rqt_shell                                 : latest=1.0.2, local=1.0.2

   PLATFORM INFORMATION
system           : Linux
platform info    : Linux-6.8.0-52-generic-x86_64-with-glibc2.35
release          : 6.8.0-52-generic
processor        : x86_64

   QOS COMPATIBILITY LIST
compatibility status    : No publisher/subscriber pairs found

   RMW MIDDLEWARE
middleware name    : rmw_fastrtps_cpp

   ROS 2 INFORMATION
distribution name      : humble
distribution type      : ros2
distribution status    : active
release platforms      : {'rhel': ['8'], 'ubuntu': ['jammy']}

   TOPIC LIST
topic               : none
publisher count     : 0
subscriber count    : 0
px4dev@px4dev-Precision-5510:~$ MicroXRCEAgent udp4 -p 8888 -v
[1742248192.491187] info     | UDPv4AgentLinux.cpp | init                     | running...             | port: 8888
[1742248192.491564] info     | Root.cpp           | set_verbose_level        | logger setup           | verbose_level: 4
[1742248194.481266] info     | Root.cpp           | create_client            | create                 | client_key: 0x00000001, session_id: 0x81
[1742248194.481375] info     | SessionManager.hpp | establish_session        | session established    | client_key: 0x00000001, address: 127.0.0.1:56265
2025-03-17 14:49:54.501 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function validate_local_identity
2025-03-17 14:49:54.502 [SECURITY Error] Error while configuring security plugin. -> Function init
2025-03-17 14:49:54.502 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function init
2025-03-17 14:49:54.502 [RTPS_PARTICIPANT Error] Cannot create participant due to initialization error -> Function createParticipant
2025-03-17 14:49:54.502 [DOMAIN_PARTICIPANT Error] Problem creating RTPSParticipant -> Function enable
[1742248194.503058] info     | Root.cpp           | delete_client            | delete                 | client_key: 0x00000001
[1742248194.503151] info     | SessionManager.hpp | destroy_session          | session closed         | client_key: 0x00000001, address: 127.0.0.1:56265
[1742248195.517719] info     | Root.cpp           | create_client            | create                 | client_key: 0x00000001, session_id: 0x81
[1742248195.517802] info     | SessionManager.hpp | establish_session        | session established    | client_key: 0x00000001, address: 127.0.0.1:16806
2025-03-17 14:49:55.520 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function validate_local_identity
2025-03-17 14:49:55.520 [SECURITY Error] Error while configuring security plugin. -> Function init
2025-03-17 14:49:55.520 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function init
2025-03-17 14:49:55.520 [RTPS_PARTICIPANT Error] Cannot create participant due to initialization error -> Function createParticipant[1742248195.520941] info    
2025-03-17 14:49:55.520  | Root.cpp           | delete_client            | delete                 | client_key: 0x00000001
[1742248195.521074] info     | SessionManager.hpp | destroy_session          | session closed         | client_key: 0x00000001, address: 127.0.0.1:16806
[DOMAIN_PARTICIPANT Error] Problem creating RTPSParticipant -> Function enable
[1742248196.537492] info     | Root.cpp           | create_client            | create                 | client_key: 0x00000001, session_id: 0x81
[1742248196.537548] info     | SessionManager.hpp | establish_session        | session established    | client_key: 0x00000001, address: 127.0.0.1:1723
2025-03-17 14:49:56.539 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function validate_local_identity
2025-03-17 14:49:56.540 [SECURITY Error] Error while configuring security plugin. -> Function init
2025-03-17 14:49:56.540 [SECURITY Error] Error '79' verifying CA certificate for /C=US/ST=WA/L=Seattle/O=Freefly/CN=FreeflyCA/emailAddress=CA@freeflysystems.com: invalid CA certificate (/home/px4dev/Software/XRCEAgentClient/Micro-XRCE-DDS-Agent/build/fastdds/src/fastdds/src/cpp/security/artifact_providers/FileProvider.cpp:130) -> Function init
2025-03-17 14:49:56.540 [RTPS_PARTICIPANT Error] Cannot create participant due to initialization error -> Function createParticipant
2025-03-17 14:49:56.540 [DOMAIN_PARTICIPANT[1742248196.541009] info     | Root.cpp           | delete_client            | delete                 | client_key: 0x00000001
[1742248196.541077] info     | SessionManager.hpp | destroy_session          | session closed         | client_key: 0x00000001, address: 127.0.0.1:1723
 Error] Problem creating RTPSParticipant -> Function enable
^C
px4dev@px4dev-Precision-5510:~$ 

Am I missing some instructions that I need to follow here? This is my new xml setup file given below, it has the new xrce certs as the identity generated using domain participant instructions

<?xml version="1.0" encoding="UTF-8" ?>
<profiles xmlns="http://www.eprosima.com" >
    <transport_descriptors>
        <transport_descriptor>
            <transport_id>custom_udp_transport</transport_id>
            <type>UDPv4</type>
            <interfaceWhiteList>
                <address>127.0.0.1</address>
            </interfaceWhiteList>
        </transport_descriptor>
    </transport_descriptors>

    <!-- Default publisher profile (Data Sharing / Zero-Copy when possible) -->
    <data_writer profile_name="aos_default_publisher_profile" is_default_profile="true">
        <qos>
            <publishMode>
                <kind>SYNCHRONOUS</kind>
            </publishMode>
        </qos>
        <historyMemoryPolicy>PREALLOCATED_WITH_REALLOC</historyMemoryPolicy>
    </data_writer>
    <!-- Default subscriber profile (Data Sharing / Zero-Copy when possible) -->
    <data_reader profile_name="aos_default_subscriber_profile" is_default_profile="true">
        <historyMemoryPolicy>PREALLOCATED_WITH_REALLOC</historyMemoryPolicy>
    </data_reader>
    <participant profile_name="px4_participant" is_default_profile="true">
        <domainId>0</domainId>
        <rtps>
            <userTransports>
                <transport_id>custom_udp_transport</transport_id>
            </userTransports>
            <propertiesPolicy>
                <!-- Set authentication for DDS Domain communication  -->
                <properties>
                    <!-- Activate DDS:Auth:PKI-DH plugin -->
                    <property>
                        <name>dds.sec.auth.plugin</name>
                        <value>builtin.PKI-DH</value>
                    </property>
                    <!-- Configure DDS:Auth:PKI-DH plugin -->
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.identity_ca</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/maincacert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.identity_certificate</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/xrcecert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/xrcekey.pem</value>
                    </property>
                    <!-- Activate DDS:Access:Permissions plugin -->
                    <property>
                        <name>dds.sec.access.plugin</name>
                        <value>builtin.Access-Permissions</value>
                    </property>
                    <!-- Configure DDS:Access:Permissions plugin -->
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.permissions_ca</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/maincacert.pem</value>
                    </property>
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.governance</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/governance.smime</value>
                    </property>
                    <property>
                        <name>dds.sec.access.builtin.Access-Permissions.permissions</name>
                        <value>file:///home/px4dev/Software/Fast-DDS/examples/cpp/security/certs/permissions.smime</value>
                    </property>
                    <!-- Activate Crypto:AES-GCM-GMAC plugin -->
                    <property>
                        <name>dds.sec.crypto.plugin</name>
                        <value>builtin.AES-GCM-GMAC</value>
                    </property>
                </properties>
            </propertiesPolicy>
        </rtps>
    </participant>
    <!-- <data_writer profile_name="hello_world_datawriter_profile" is_default_profile="true">
        <qos>
            <durability>
                <kind>TRANSIENT_LOCAL</kind>
            </durability>
            <reliability>
                <kind>RELIABLE</kind>
            </reliability>
        </qos>
        <topic>
            <historyQos>
                <kind>KEEP_LAST</kind>
                <depth>100</depth>
            </historyQos>
            <resourceLimitsQos>
                <max_samples>100</max_samples>
                <max_instances>1</max_instances>
                <max_samples_per_instance>100</max_samples_per_instance>
            </resourceLimitsQos>
        </topic>
    </data_writer> -->
</profiles>

[darshit-desai]

I was able to generate my own certificates this time from the tutorial from cyclonedds, but I am back to the same issue again as mention here #5707 (comment) . Either I am doing some setup wrong or something else is wrong in FASTDDS, please guide me

[MiguelCompany]

Which version of the MicroXRCEAgent are you using?

ROS 2 Humble Fast DDS version is v2.6.9
If the MicroXRCEAgent is using, for instance, Fast DDS 2.14.x, you would need to set dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy=true in the participant properties.
Documentation here
See PR #5482 for the motivation

[darshit-desai]

I think I cloned the latest commit on the main branch of the micro xrce DDS agent repository which would make the release version closer v3.0.1

[darshit-desai]

As far as I understand micro xrce agent is using a different fast DDS version than the one installed with humble? Will that cause any issues? I saw the cmakelists file of the agent repo its explicitly cloned fastdds 3.x and builds it, while according to you humble has 2.6.9

Which version of the MicroXRCEAgent are you using?

ROS 2 Humble Fast DDS version is v2.6.9
If the MicroXRCEAgent is using, for instance, Fast DDS 2.14.x, you would need to set dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy=true in the participant properties.
Documentation here
See PR #5482 for the motivation

[MiguelCompany]

@darshit-desai Correct. The Fast DDS versions are different.

You can try adding the following property to your XML:

                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy</name>
                        <value>true</value>
                    </property>

[darshit-desai]

@darshit-desai Correct. The Fast DDS versions are different.

You can try adding the following property to your XML:

                    <property>
                        <name>dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy</name>
                        <value>true</value>
                    </property>

Ok thank you I will try this out promptly, will respond back soon

[darshit-desai]

Alright I think this worked, here's an example with term#1 running the XRCE agent with auth keyset and XML#1, the term#2 (one on the right) has auth keyset and XML#2 with subscribe allow_rule to certain topics is able to successfully read out messages. Term#3 (the one on the left) is using no xmls or keysets as you can see is still able to discover topics but not able to echo out messages which means its blocking it (I guess, if there is any other way to verify this please do tell).

I would also like to know if there is a way of finding out DDS versions for my ROS2 and XRCEagent application installed in a linux distro if there is a bash command or a system file which I can cat and find out the versions this confusion might be avoided

[darshit-desai]

Also another weird thing I observed was that lets say I only allowed one topic to be subscribed i.e., rt/fmu/out/vehicle_attitude and if the user which can still discover other topics using ros2 doctor --report or ros2 topic list tries to subscribe to another topic which isn't allowed, the ros2 daemon shows a segmentation fault and core dumps, is there a graceful way of handling this, I am mostly guessing if a user application (C++ node) tries to create a subscription to which it isn't allowed, instead of taking down the ros2 daemon we can gracefully exit. I ask this because there will be ros2 applications with relevant auth keys running in the background which shouldn't be affected by unauthorized access errors

[darshit-desai]

Small update on this, been reading up stuff on why this is happening my XRCE Agent is v3.0.0 while my XRCE client is running on v2.2.0 and the humble runs fastdds on v2.6.9 (as you said) so I think this might be causing seg faults after the security errors are encountered I am going to pull back my XRCE Agent version to 2.4.2 , I checked the CMake of that release it clones v2.12 for fastdds which should be close enough to the ROS system's version 2.6.9 to avoid breaking and seg faulting stuff

[darshit-desai]

In my effort to fallback to v2.4.2 for the XRCEAgent I see that the agent has been trying to clone 2.12.X Fastdds which it can no longer find, is there a temporary fix to this, like do I turn on the USE_SYSTEM_FASTDDS flag but it will result in me trying to turn on FASTCDR and others

[darshit-desai]

Since v2.4.2 was not getting installed as shown here #5707 (comment) I tried this with v2.4.3 and got the same core dumped error, is this a recurring issue, I also saw that v2.4.3 uses v2.14.X fastdds while 2.4.2 uses 2.12.X fastdds, was there a major change there, fyi I get the same error with v2.4.3 (which is compatible with v2.2.0 XRCEClient) #5707 (comment) , My humble fastdds version is the same i.e. v2.6.9

[darshit-desai]

I was able to build 2.4.2 XRCE Agent after changing the CMake on that branch to explicitly clone v2.12.2 Fastdds version as shown below

But now when I run the XRCE agent I get this errors periodically in the bash terminal

On the other terminal with another set of profile exported where I try to do ros2 topic list it doesn't show topics like it used to before, but now I have to do ros2 topic list --no-daemon --spin-time 3, which is fine I guess but the above issue I cannot understand

The segmentation fault issue which I was guessing was a versioning issue between XRCE Client (2.2.0), XRCE Agent (2.4.2 + fastdds 2.12.2) and ROS2 Humble Fastdds (2.6.9) version is still there, now all 3 of them are almost on the same version or compatible as far as I read, Here's the screenshot, again I had to use the --no-daemon flag to echo out topics. Note this is for the topic that was in the block_rule so the security error is fine but the core dumped is I think concerning.