[15596] Secure discovery server

code/XMLTester.xml

@@ -825,6 +825,74 @@
         </builtin>
     </rtps>
 </participant>
+
+<participant profile_name="secure_discovery_server_cli">
+    <rtps>
+        <prefix>44.53.00.5f.45.50.52.4f.53.49.4d.41</prefix>
+        <builtin>
+            <discovery_config>
+                <discoveryProtocol>SERVER</discoveryProtocol>
+            </discovery_config>
+            <metatrafficUnicastLocatorList>
+                <locator>
+                    <udpv4>
+                        <address>0.0.0.0</address>
+                        <port>11811</port>
+                    </udpv4>
+                </locator>
+            </metatrafficUnicastLocatorList>
+        </builtin>
+        <propertiesPolicy>
+            <properties>
+                <!-- Activate Auth:PKI-DH plugin -->
+                <property>
+                    <name>dds.sec.auth.plugin</name>
+                    <value>builtin.PKI-DH</value>
+                </property>
+
+                <!-- Configure Auth:PKI-DH plugin -->
+                <property>
+                    <name>dds.sec.auth.builtin.PKI-DH.identity_ca</name>
+                    <value>file://maincacert.pem</value>
+                </property>
+                <property>
+                    <name>dds.sec.auth.builtin.PKI-DH.identity_certificate</name>
+                    <value>file://appcert.pem</value>
+                </property>
+                <property>
+                    <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
+                    <value>file://appkey.pem</value>
+                </property>
+
+                <!-- Activate Access:Permissions plugin -->
+                <property>
+                    <name>dds.sec.access.plugin</name>
+                    <value>builtin.Access-Permissions</value>
+                </property>
+
+                <!-- Configure Access:Permissions plugin -->
+                <property>
+                    <name>dds.sec.access.builtin.Access-Permissions.permissions_ca</name>
+                    <value>file://maincacet.pem</value>
+                </property>
+                <property>
+                    <name>dds.sec.access.builtin.Access-Permissions.governance</name>
+                    <value>file://governance.smime</value>
+                </property>
+                <property>
+                    <name>dds.sec.access.builtin.Access-Permissions.permissions</name>
+                    <value>file://permissions.smime</value>
+                </property>
+
+                <!-- Activate Crypto:AES-GCM-GMAC plugin -->
+                <property>
+                    <name>dds.sec.crypto.plugin</name>
+                    <value>builtin.AES-GCM-GMAC</value>
+                </property>
+            </properties>
+        </propertiesPolicy>
+    </rtps>
+</participant>
 <!--><-->
 
 

docs/fastdds/discovery/discovery_server.rst

@@ -389,3 +389,33 @@ Client side setup
 |    :lines: 2-3,5-40                                                 |
 |    :append: </profiles>                                             |
 +---------------------------------------------------------------------+
+
+.. _DS_security:
+
+Security
+^^^^^^^^
+
+Configuring :ref:`security` on *servers* and *clients* is done the same way as for any other participant.
+This section depicts the limitations imposed by the security enforcement on the communication between
+*clients* and *servers*, and which discovery information is propagated by a *server* depending on the security
+configuration of the *clients* and *servers* to which it is connected.
+
+It is important to note that for enabling a secure discovery when using Discovery Server, *Fast DDS* must be compiled
+with security support (see :ref:`cmake_options`), and the :ref:`domain_governance_doc` must explicitly encrypt the
+discovery.
+
+As in SDP, when using this feature, the Domain Governance Document of all *clients* and *servers* connecting to a
+*server* must match that of the *server*, which implies that all |DomainParticipants| belonging to the same Discovery
+Sever network must configure the discovery protection in the same manner.
+
+Although the *server* mediates the discovery process and creates connections between *clients*, the *clients* themselves
+still go through the PKI (Public Key Infrastructure) exchange in order to have a secure communication between them.
+
+.. important::
+
+  In order to keep the behavior consistent with the QoS Policies, the *server* does not check the
+  :ref:`domainparticipant_permissions_doc` of the |DomainParticipants| that it is connecting.
+
+.. important::
+
+  Security support for Discovery Server is only supported from Fast DDS v2.10.0 onward.

docs/fastddscli/cli/cli.rst

@@ -97,6 +97,7 @@ The output is:
 
     ### Server is running ###
       Participant Type:   <SERVER|BACKUP>
+      Security:           <YES|NO>
       Server ID:          <server-id>
       Server GUID prefix: 44.53.<server-id-in-hex>.5f.45.50.52.4f.53.49.4d.41
       Server Addresses:   UDPv4:[<ip-address>]:<port>
@@ -106,6 +107,10 @@ Once the *server* is instantiated, the *clients* can be configured either progra
 :ref:`discovery_server`), or using environment variable ``ROS_DISCOVERY_SERVER`` (see
 :ref:`env_vars_ros_discovery_server`)
 
+.. note::
+  The :ref:`security` configuration of the discovery server should be done through XML.
+  See example below.
+
 .. _cli_discovery_examples:
 
 Examples
@@ -125,6 +130,7 @@ Examples
 
         ### Server is running ###
           Participant Type:   SERVER
+          Security:           NO
           Server ID:          0
           Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
           Server Addresses:   UDPv4:[0.0.0.0]:11811
@@ -143,6 +149,7 @@ Examples
 
         ### Server is running ###
           Participant Type:   SERVER
+          Security:           NO
           Server ID:          1
           Server GUID prefix: 44.53.01.5f.45.50.52.4f.53.49.4d.41
           Server Addresses:   UDPv4:[127.0.0.1]:14520
@@ -171,6 +178,7 @@ Examples
 
         ### Server is running ###
           Participant Type:   SERVER
+          Security:           NO
           Server ID:          1
           Server GUID prefix: 44.53.01.5f.45.50.52.4f.53.49.4d.41
           Server Addresses:   UDPv6:[2a02:ec80:600:ed1a::3]:14520
@@ -190,6 +198,7 @@ Examples
 
         ### Server is running ###
           Participant Type    SERVER
+          Security:           NO
           Server ID:          2
           Server GUID prefix: 44.53.02.5f.45.50.52.4f.53.49.4d.41
           Server Addresses:   UDPv4:[192.168.36.34]:8783
@@ -217,6 +226,7 @@ Examples
 
         ### Server is running ###
           Participant Type    BACKUP
+          Security:           NO
           Server ID:          3
           Server GUID prefix: 44.53.03.5f.45.50.52.4f.53.49.4d.41
           Server Addresses:   UDPv4:[172.30.144.1]:12345
@@ -234,10 +244,29 @@ Examples
     .. code-block:: bash
 
         ### Server is running ###
-        Participant Type:   SERVER
-        Server ID:          0
-        Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
-        Server Addresses:   UDPv4:[127.0.0.1]:14520
+          Participant Type:   SERVER
+          Security:           NO
+          Server ID:          0
+          Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
+          Server Addresses:   UDPv4:[127.0.0.1]:14520
+
+7.  Launch a secure server with id 0 (first on ``ROS_DISCOVERY_SERVER``)
+    listening on all available interfaces on UDP port '11811'.
+
+    .. code-block:: bash
+
+        fastdds discovery -x secure_discovery_server_cli@[PATH_TO_FILE]/DiscoveryServerCLI.xml
+
+    Output:
+
+    .. code-block:: bash
+
+        ### Server is running ###
+          Participant Type:   SERVER
+          Security:           YES
+          Server ID:          0
+          Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
+          Server Addresses:   UDPv4:[0.0.0.0]:11811
 
 .. _cli_shm: