ROS index logo ROS Index
  1. Home
  2. Packages
  3. zenoh_security_tools
 
No version for distro humble. Known supported distros are highlighted in the buttons above.
No version for distro jazzy. Known supported distros are highlighted in the buttons above.
Package symbol

zenoh_security_tools package from rmw_zenoh repo

rmw_zenoh_cpp zenoh_cpp_vendor zenoh_security_tools

API Docs
Browse Code

Package Summary

Tags No category tags.
Version 0.6.1
License Apache License 2.0
Build type AMENT_CMAKE
Use RECOMMENDED

Repository Summary

Checkout URI https://github.com/ros2/rmw_zenoh.git
VCS Type git
VCS Version kilted
Last Updated 2025-05-20
Dev Status DEVELOPED
CI status No Continuous Integration
Released RELEASED
Tags No category tags.
Contributing Help Wanted (0)
Good First Issues (0)
Pull Requests to Review (0)

Package Description

This package generates config files to enforce security with Zenoh

Additional Links

No additional links.

Maintainers

  • Alejandro Hernanadez

Authors

No additional authors.
zenoh_security_tools/README.md

zenoh_security_tools

The zenoh_security_tools package contains the generate_configs executable which generates Zenoh session config files with access control, authentication and encryption parameters based on policies and keystores generated using sros2.

Usage

ros2 run zenoh_security_tools generate_configs -h

Generate Zenoh session configs with security artifacts.

Options:
  -h,--help                         Print this help message and exit
  -p,--policy TEXT REQUIRED         The path to the Access Control Policy file.
  -e,--enclaves TEXT                The directory with the security enclaves for the various nodes in the policy file.
  -d,--ros-domain-id UINT REQUIRED  The ROS Domain ID.
  -c,--session-config TEXT REQUIRED         The path to the Zenoh session config file.
  -r,--router-config TEXT REQUIRED  The path to the Zenoh router config file.

Example of configuring security rmw_zenoh

The process of setting up security is very similar to this tutorial but instead of relying on security environment variables and passing enclaves to nodes, we’ll pass Zenoh session configs with the desired security parameters configured to rmw_zenoh. These modified session configs are generated using the tool above.

Setup

The steps below will walk us through running rmw_zenoh with security enabled for a simple talker-lister system.

First create a directory for security artifacts and configs that will be generated.

mkdir ~/sros2_demo

Generate a keystore

cd ~/sros2_demo
ros2 security create_keystore demo_keystore

Generate the certificates for authentication and encryption

Generate security files for the talker and listener nodes, and the zenohd router respectively.

ros2 security create_enclave demo_keystore /talker_listener/talker
ros2 security create_enclave demo_keystore /talker_listener/listener
ros2 security create_enclave demo_keystore /talker_listener/zenohd

Generate the policy.xml for access control

Launch zenohd

ros2 run rmw_zenoh_cpp rmw_zenohd

Launch the listener

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp listener

Launch the talker

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp talker

Now run the policy generator from sros2

ros2 security generate_policy policy_listener_talker.xml

Finally, terminate all processes.

Try access control

Generate security configs without enclaves (only access control).

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0

This will generate Zenoh session config files for each node in the policy_listener_talker.xml file.

Run the talker with the new config file

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker
[INFO] [1740601932.350808475] [talker]: Publishing: 'Hello World: 1'
[INFO] [1740601933.350487483] [talker]: Publishing: 'Hello World: 2'

Run the listener with the new config file

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 1]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 2]

You can validate access control by remapping the /chatter topic which should result in no messages being published.

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd


export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker --ros-args -r chatter:=new_topic


export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener --ros-args -r chatter:=new_topic
...
# listener should not receive anything

Try access control, authentication and encryption

This time we generate the configs with authentication and encryption configured using the enclaves generated by sros2.

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0
  --enclaves ~/sros2_demo/demo_keystore/enclaves/talker_listener

[!NOTE] The executable assumes that the ~/sros2_demo/demo_keystore/enclaves/talker_listener directory contains folders with names matching node names defined in the policy_listener_talker.xml with the security files present.

Start the zenoh router with the zenohd.json config file.

export ZENOH_ROUTER_CONFIG_URI=zenohd.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the talker

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the listener without setting the session config.

ros2 run demo_nodes_cpp listener

The listener will not receive any messages.

Restart the listener with the session config.

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 10]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 11]

The messages are received by the listener.

CHANGELOG

Changelog for package zenoh_security_tools

0.6.1 (2025-05-20)

  • Update CMakeLists.txt (#622)
  • Fix warning on Windows (#618)
  • Contributors: Alejandro Hernández Cordero, mosfet80

0.6.0 (2025-04-18)

  • Add zenoh_security_tools (#595)
  • Contributors: yadunund

Wiki Tutorials

This package does not provide any links to tutorials in it's rosindex metadata. You can check on the ROS Wiki Tutorials page for the package.

Package Dependencies

Deps Name
ament_lint_auto
ament_lint_common
rcpputils
rcutils
rmw
rmw_security_common
tinyxml2_vendor
zenoh_cpp_vendor

System Dependencies

Name
nlohmann-json-dev

Dependant Packages

No known dependants.

Launch files

No launch files found

Messages

No message files found.

Services

No service files found

Plugins

No plugins found.

Recent questions tagged zenoh_security_tools at Robotics Stack Exchange

Package symbol

zenoh_security_tools package from rmw_zenoh repo

rmw_zenoh_cpp zenoh_cpp_vendor zenoh_security_tools

API Docs
Browse Code

Package Summary

Tags No category tags.
Version 0.7.1
License Apache License 2.0
Build type AMENT_CMAKE
Use RECOMMENDED

Repository Summary

Checkout URI https://github.com/ros2/rmw_zenoh.git
VCS Type git
VCS Version rolling
Last Updated 2025-05-30
Dev Status DEVELOPED
CI status No Continuous Integration
Released RELEASED
Tags No category tags.
Contributing Help Wanted (0)
Good First Issues (0)
Pull Requests to Review (0)

Package Description

This package generates config files to enforce security with Zenoh

Additional Links

No additional links.

Maintainers

  • Alejandro Hernanadez

Authors

No additional authors.
zenoh_security_tools/README.md

zenoh_security_tools

The zenoh_security_tools package contains the generate_configs executable which generates Zenoh session config files with access control, authentication and encryption parameters based on policies and keystores generated using sros2.

Usage

ros2 run zenoh_security_tools generate_configs -h

Generate Zenoh session configs with security artifacts.

Options:
  -h,--help                         Print this help message and exit
  -p,--policy TEXT REQUIRED         The path to the Access Control Policy file.
  -e,--enclaves TEXT                The directory with the security enclaves for the various nodes in the policy file.
  -d,--ros-domain-id UINT REQUIRED  The ROS Domain ID.
  -c,--session-config TEXT REQUIRED         The path to the Zenoh session config file.
  -r,--router-config TEXT REQUIRED  The path to the Zenoh router config file.

Example of configuring security rmw_zenoh

The process of setting up security is very similar to this tutorial but instead of relying on security environment variables and passing enclaves to nodes, we’ll pass Zenoh session configs with the desired security parameters configured to rmw_zenoh. These modified session configs are generated using the tool above.

Setup

The steps below will walk us through running rmw_zenoh with security enabled for a simple talker-lister system.

First create a directory for security artifacts and configs that will be generated.

mkdir ~/sros2_demo

Generate a keystore

cd ~/sros2_demo
ros2 security create_keystore demo_keystore

Generate the certificates for authentication and encryption

Generate security files for the talker and listener nodes, and the zenohd router respectively.

ros2 security create_enclave demo_keystore /talker_listener/talker
ros2 security create_enclave demo_keystore /talker_listener/listener
ros2 security create_enclave demo_keystore /talker_listener/zenohd

Generate the policy.xml for access control

Launch zenohd

ros2 run rmw_zenoh_cpp rmw_zenohd

Launch the listener

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp listener

Launch the talker

export RMW_IMPLEMENTATION=rmw_zenoh_cpp
ros2 run demo_nodes_cpp talker

Now run the policy generator from sros2

ros2 security generate_policy policy_listener_talker.xml

Finally, terminate all processes.

Try access control

Generate security configs without enclaves (only access control).

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0

This will generate Zenoh session config files for each node in the policy_listener_talker.xml file.

Run the talker with the new config file

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker
[INFO] [1740601932.350808475] [talker]: Publishing: 'Hello World: 1'
[INFO] [1740601933.350487483] [talker]: Publishing: 'Hello World: 2'

Run the listener with the new config file

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 1]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 2]

You can validate access control by remapping the /chatter topic which should result in no messages being published.

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd


export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 run demo_nodes_cpp talker --ros-args -r chatter:=new_topic


export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener --ros-args -r chatter:=new_topic
...
# listener should not receive anything

Try access control, authentication and encryption

This time we generate the configs with authentication and encryption configured using the enclaves generated by sros2.

ros2 run zenoh_security_tools generate_configs \
  --policy policy_listener_talker.xml \
  --router-config <path to default router config>/DEFAULT_RMW_ZENOH_ROUTER_CONFIG.json5 \
  --session-config <path to default session config>/DEFAULT_RMW_ZENOH_SESSION_CONFIG.json5 \
  --ros-domain-id 0
  --enclaves ~/sros2_demo/demo_keystore/enclaves/talker_listener

[!NOTE] The executable assumes that the ~/sros2_demo/demo_keystore/enclaves/talker_listener directory contains folders with names matching node names defined in the policy_listener_talker.xml with the security files present.

Start the zenoh router with the zenohd.json config file.

export ZENOH_ROUTER_CONFIG_URI=zenohd.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the talker

export ZENOH_SESSION_CONFIG_URI=talker.json5
ros2 rmw_zenoh_cpp rmw_zenohd

Start the listener without setting the session config.

ros2 run demo_nodes_cpp listener

The listener will not receive any messages.

Restart the listener with the session config.

export ZENOH_SESSION_CONFIG_URI=listener.json5
ros2 run demo_nodes_cpp listener
...
[INFO] [1740602312.492840958] [listener]: I heard: [Hello World: 10]
[INFO] [1740602313.492200366] [listener]: I heard: [Hello World: 11]

The messages are received by the listener.

CHANGELOG

Changelog for package zenoh_security_tools

0.7.1 (2025-05-19)

  • Update CMakeLists.txt (#617)
  • Fix warning on Windows (#615)
  • Contributors: Alejandro Hernández Cordero, mosfet80

0.7.0 (2025-04-24)

0.6.0 (2025-04-18)

  • Add zenoh_security_tools (#595)
  • Contributors: yadunund

Wiki Tutorials

This package does not provide any links to tutorials in it's rosindex metadata. You can check on the ROS Wiki Tutorials page for the package.

Package Dependencies

Deps Name
ament_lint_auto
ament_lint_common
rcpputils
rcutils
rmw
rmw_security_common
tinyxml2_vendor
zenoh_cpp_vendor

System Dependencies

Name
nlohmann-json-dev

Dependant Packages

No known dependants.

Launch files

No launch files found

Messages

No message files found.

Services

No service files found

Plugins

No plugins found.

Recent questions tagged zenoh_security_tools at Robotics Stack Exchange

No version for distro noetic. Known supported distros are highlighted in the buttons above.
No version for distro ardent. Known supported distros are highlighted in the buttons above.
No version for distro bouncy. Known supported distros are highlighted in the buttons above.
No version for distro crystal. Known supported distros are highlighted in the buttons above.
No version for distro eloquent. Known supported distros are highlighted in the buttons above.
No version for distro dashing. Known supported distros are highlighted in the buttons above.
No version for distro galactic. Known supported distros are highlighted in the buttons above.
No version for distro foxy. Known supported distros are highlighted in the buttons above.
No version for distro iron. Known supported distros are highlighted in the buttons above.
No version for distro lunar. Known supported distros are highlighted in the buttons above.
No version for distro jade. Known supported distros are highlighted in the buttons above.
No version for distro indigo. Known supported distros are highlighted in the buttons above.
No version for distro hydro. Known supported distros are highlighted in the buttons above.
No version for distro kinetic. Known supported distros are highlighted in the buttons above.
No version for distro melodic. Known supported distros are highlighted in the buttons above.