Security
Overview
Robot Raconteur supports using credentials to authenticate clients, and supports encrypted communication using TLS. The security features of Robot Raconteur are designed to be flexible and easy to use.
Authentication
Robot Raconteur supports using credentials to authenticate clients. The server can require clients to provide a username and credentials, an optionally a TLS client certificate. The credentials are typically a password, but can be any Robot Raconteur Map containing other information such as a token or one-time password.
The following examples demonstrate connecting to a service that requires a username and password:
1# authentication_example.py - Example of using authentication in Python
2
3from RobotRaconteur.Client import *
4
5url = 'rr+tcp://localhost:53226?service=authentication_example'
6
7# Create the user credentials
8username = "testuser1"
9cred = {"password": RR.VarValue("testpass1", "string")}
10
11# Connect to the service
12c = RRN.ConnectService(url, username, cred)
13
14# Use the service
15c.say("Message to secure service")
1% authentication_example.m - Example of using authentication from Matlab
2
3url = 'rr+tcp://localhost:53226?service=authentication_example';
4
5% Create the user credentials
6username = "testuser1";
7cred = containers.Map({'password'}, {RobotRaconteurVarValue('testpass1', 'string')});
8
9% Connect to the service
10c = RobotRaconteur.ConnectService(url, username, cred);
11
12% Use the service
13c.say('Message to secure service');
14
15RobotRaconteur.DisconnectService(c);
1// authentication_example.cs - Example of handling exceptions in C#
2
3using RobotRaconteur;
4using System;
5using System.Diagnostics;
6using System.Linq;
7using System.Collections.Generic;
8
9using (var node_setup = new ClientNodeSetup(args))
10{
11 // Create the user credentials
12 string username = "testuser1";
13 var cred = new Dictionary<string, object>() { { "password", "testpass1" } };
14
15 // Connect to the service
16 var c = (experimental.reynard_the_robot.Reynard)RobotRaconteurNode.s.ConnectService(
17 "rr+tcp://localhost:53226?service=authentication_example", username, cred);
18
19 // Use the service
20 c.say("Message to secure service");
21}
1// authentication_example.cpp - Example of using Robot Raconteur authentication
2
3#include <stdio.h>
4#include <iostream>
5#include <boost/range/algorithm.hpp>
6#include <RobotRaconteur.h>
7#include "robotraconteur_generated.h"
8
9// Only use the RR alias in cpp files. Do not use it in header files.
10namespace RR = RobotRaconteur;
11
12int main(int argc, char* argv[])
13{
14 RR::ClientNodeSetup node_setup(ROBOTRACONTEUR_SERVICE_TYPES, argc, argv);
15
16 // Create the user credentials
17 std::string username = "testuser1";
18 RR::RRMapPtr<std::string, RR::RRValue> credentials = RR::AllocateEmptyRRMap<std::string, RR::RRValue>();
19 credentials->insert(std::make_pair("password", RR::stringToRRArray("testpass1")));
20
21 // Connect to the service using credentials
22 experimental::reynard_the_robot::ReynardPtr c =
23 RR::rr_cast<experimental::reynard_the_robot::Reynard>(RR::RobotRaconteurNode::s()->ConnectService(
24 "rr+tcp://localhost:53226?service=authentication_example", username, credentials));
25
26 // Use the service
27 c->say("Message to secure service");
28
29 std::cout << "authentication_example.cpp example complete" << std::endl;
30 return 0;
31}
TLS Encryption
Robot Raconteur supports encrypted communication using TLS. Wason Technology provides a certificate authority and sells certificates for use with Robot Raconteur. All production devices using Robot Raconteur are expected to use certificates provided by Wason Technology.
On the server side, the server should use SecureServerNodeSetup to set up the service node with the appropriate
configuration. There must be a certificate and private key file available that matches the NodeID uuid
of the service node. See the framework documentation for more information.
On the client side, simply replace the rr+tcp:// or rr+ws:// URL scheme with rr+tcps:// or rrs+ws://.
For instance, to connect to a service using TLS, use the URL rrs+tcp://192.168.1.10:1234?service=my_service instead of
rr+tcp://192.168.1.10:1234?service=my_service. Otherwise no other changes are necessary for the client, although it is highly
recommended to include the ?nodeid=xxx parameter in the URL to prevent sending credentials to the wrong device.
For example, rrs+tcp://192.168.1.10:1234?nodeid=7932d2a6-b7e1-4068-82d9-16f93e868ed9&service=my_service.
When connecting to web servers, the URL scheme should be rr+wss:// should be used. The rr+wss:// scheme
uses standard DNS based certificate validation, and the certificate must be signed by a standard certificate authority.
This is in contrast to the rrs+tcp:// scheme, which uses the Robot Raconteur certificate authority. For example,
the URL used in the web server example rr+wss://wstest2.wasontech.com/robotraconteur?service=testobj will
use standard certificate validation.