Added SecureSystemObserver snippet. Added ability to generate secure-apps qos with fully resolved absolute paths. Improved logging of setup_security scrip when skipping files.

Author: jmlvega

README.md

@@ -310,6 +310,7 @@ This reference architecture defines the following DomainParticipants in [Partici
 | OperationalDataDomain | Orchestrator | `t/DeviceStatus`, `t/DeviceHeartbeat` | `t/DeviceCommand` | Administer device-level commands and monitor presence and status of all devices.
 | OperationalDataDomain | PatientSensor | `t/DeviceCommand` | `t/Vitals`, `t/DeviceStatus`, `t/DeviceHeartbeat` | Stream simulated patient vitals.
 | OperationalDataDomain | PatientMonitor | `t/DeviceCommand`, `t/Vitals` | `t/DeviceStatus`, `t/DeviceHeartbeat` | Process and display patient vitals.
+| OperationalDataDomain | SystemObserver (external/optional) | All available topics | -- | Read-only observer integration: subscribes to every operational Topic and publishes nothing. Its DDS Security permissions allow subscribe on any Topic and deny all publication.
 | SecureLogDomain | SecureLogReader | `DDS:Security:LogTopicV2` | -- | Subscribe to the DDS Security builtin secure-log topic.
 
 *Note, this reference architecture utilizes one DomainParticipant for each device application. It is a **best practice** to define one DomainParticipant per application. However, in more complex systems, an application may be required to operate on multiple Domains. This requires defining multiple DomainParticipants for those applications that run in parallel.*
@@ -328,6 +329,10 @@ The reference architecture configures security in [SecureAppsQos.xml](./system_a
 | **WAN Communications** | `TeleopWanDomain` governance for WAN connections (Module 03), including PSK-protected RTPS
 | **RTI Services** | Dedicated security profiles for Recording/Replay Services and Routing Services
 
+For independent, security-specific observer integrations (not part of the demo applications), use [SecureExternalAppsQos.xml](./system_arch/qos/SecureExternalAppsQos.xml). It provides the `SecureExternalAppsQosLib::SecureSystemObserver` QoS snippet, which is intended to be composed into external DomainParticipants.
+
+This external snippet is ideal for Connext Studio when configuring an RTI Spy source: include [SecureExternalAppsQos.xml](./system_arch/qos/SecureExternalAppsQos.xml) and apply `SecureSystemObserver` so Spy can attach as a read-only secure observer.
+
 Security Artifacts Structure in [security](./system_arch/security/):
 
 - `ca/` - Certificate Authority hierarchy (root CA → intermediate identity CA + intermediate permissions CA)

system_arch/qos/README.md

@@ -18,6 +18,7 @@ This README describes how we've approached QoS in this reference architecture. F
     - [DataFlowLibrary::Heartbeat profile](#dataflowlibraryheartbeat-profile)
     - [DataFlowLibrary::SecureLog profile](#dataflowlibrarysecurelog-profile)
 - [Application-specific QoS: NonSecureAppsQos.xml and SecureAppsQos.xml](#application-specific-qos-nonsecureappsqosxml-and-secureappsqosxml)
+- [External security snippets: SecureExternalAppsQos.xml](#external-security-snippets-secureexternalappsqosxml)
 - [XML QoS Best Practices](#xml-qos-best-practices)
 
 ## QoS Profile Configuration
@@ -177,16 +178,56 @@ Both files contain only 1 QoS library: ***DpQosLib***. This QoS library contains
 
 [NonSecureAppsQos.xml](./NonSecureAppsQos.xml) contains one profile for each DomainParticipant. For the simplified demonstration, each profile inherits from *SystemLibrary::DefaultParticipant* in [Qos.xml](./Qos.xml). No additional configuration is applied for any given DomainParticipant.
 
-[SecureAppsQos.xml](./SecureAppsQos.xml) also defines one profile for each DomainParticipant in a similar way to that of **NonSecureAppsQos.xml**, but with security configuration added.
+[SecureAppsQos.xml](./SecureAppsQos.xml) defines secure profiles for the demo DomainParticipants and services in a similar way to **NonSecureAppsQos.xml**, but with security configuration added.
 
 [SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *LanCommonSecurityConfig* defines common configuration to enable security for local domains (LAN connections). It references common permissions CA, identity CA, and governance files.
 
 [SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *WanCommonSecurityConfig* defines common configuration to enable security for remote domains (WAN connections). It references common permissions CA, identity CA, and governance files.
 
+## External security snippets: [SecureExternalAppsQos.xml](SecureExternalAppsQos.xml)
+
+[SecureExternalAppsQos.xml](./SecureExternalAppsQos.xml) provides standalone QoS snippets for participants that are **not** part of the demo applications themselves. Unlike the profiles in [SecureAppsQos.xml](./SecureAppsQos.xml), these are independent, Security-specific configurations meant to plug external observers into the secured system.
+
+The file currently defines one snippet:
+
+- **`SecureExternalAppsQosLib::SecureSystemObserver`** — a reusable [QoS Snippet](https://community.rti.com/best-practices/qos-profile-inheritance-and-composition-guidance#h.wr6u1ebybeff) that encapsulates the complete DDS Security property set for a read-only System Observer:
+  - Composes `BuiltinQosSnippetLib::Feature.Security.Enable` to activate the Security Plugins
+  - Permissions CA and Identity CA trust anchors
+  - Operational domain governance
+  - SystemObserver identity certificate and private key
+  - SystemObserver signed permissions document
+  - Secure logging disabled (`mode_mask=BUILTIN`, `verbosity=SILENT`) because the observer has no publish permissions
+
+### Usage
+
+Compose the snippet into any DomainParticipant QoS using the `<base_name>` element:
+
+```xml
+<domain_participant_qos>
+  <base_name>
+    <element>SecureExternalAppsQosLib::SecureSystemObserver</element>
+  </base_name>
+</domain_participant_qos>
+```
+
+### Connext Studio (Spy source)
+
+This configuration is ideal for use with **RTI Connext Studio**. To observe the secured domain with the Spy data source:
+
+1. From the repository root, generate resolved QoS files with absolute security-artifact paths:
+
+  ```bash
+  python3 system_arch/security/setup_security.py --generate-resolved-qos
+  ```
+
+2. In Connext Studio, add a Spy Source and configure the source with the configuration under
+`SecureExternalAppsQosLib::SecureSystemObserver` snippet from the `system_arch/security/resolved_qos/SecureExternalAppsQos.xml`.
+3. Spy will join the secured Operational Domain as a read-only observer — able to subscribe to all Topics without publish permissions.
+
 ## XML QoS Best Practices
 
 >**Best Practice:** Compose your QoS profiles with [QoS Snippets](https://community.rti.com/best-practices/qos-profile-inheritance-and-composition-guidance#h.wr6u1ebybeff). Snippets provide easier readability and result in more maintainable QoS for increasingly complex systems by reducing repetitive configuration.
 >
 >**Best Practice:** Inherit from [Built-in QoS Profiles](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/users_manual/users_manual/Built_in_QoS_Profiles.htm). Builtin profiles provide starting points to frequently used and tuned QoS combinations.
 
-Please take a look at the comments inside the profiles in [Qos.xml](./Qos.xml), [NonSecureAppsQos.xml](./NonSecureAppsQos.xml), and [SecureAppsQos.xml](./SecureAppsQos.xml) for further details on each QoS policy and more **best practices** related to QoS configuration.
+Please take a look at the comments inside the profiles and snippets in [Qos.xml](./Qos.xml), [NonSecureAppsQos.xml](./NonSecureAppsQos.xml), [SecureAppsQos.xml](./SecureAppsQos.xml), and [SecureExternalAppsQos.xml](./SecureExternalAppsQos.xml) for further details on each QoS policy and more **best practices** related to QoS configuration.

system_arch/qos/SecureExternalAppsQos.xml

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- (c) 2024 Copyright, Real-Time Innovations, Inc. (RTI) All rights reserved.
+
+RTI grants Licensee a license to use, modify, compile, and create derivative
+works of the software solely for use with RTI Connext DDS.  Licensee may
+redistribute copies of the software provided that all such copies are
+subject to this license. The software is provided "as is", with no warranty
+of any type, including any warranty for fitness for any purpose. RTI is
+under no obligation to maintain or support the software.  RTI shall not be
+liable for any incidental or consequential damages arising out of the use or
+inability to use the software. -->
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.7.0/rti_dds_profiles.xsd" version="7.7.0">
+
+  <configuration_variables>
+    <value>
+      <element>
+        <!-- Path to security folder to find artifacts.
+              This path is relative to the "current working directory" when
+              running the application (i.e. from the `modules` folder).
+              It can be overridden by setting the RTI_SECURITY_ARTIFACTS_DIR
+              environment variable.
+        -->
+        <name>RTI_SECURITY_ARTIFACTS_DIR</name>
+        <value>../../system_arch/security</value>
+      </element>
+    </value>
+  </configuration_variables>
+
+  <qos_library name="SecureExternalAppsQosLib">
+    <!-- Snippet: SecureSystemObserver
+         Provides full DDS Security configuration for a read-only System Observer.
+         This is not a runnable profile on its own; compose it into a
+         DomainParticipant QoS (e.g. in Connext Studio's Spy source) via:
+           <base_name>
+             <element>SecureExternalAppsQosLib::SecureSystemObserver</element>
+           </base_name>
+    -->
+    <qos_profile name="SecureSystemObserver">
+      <?rti-qos_snippet?>
+      <domain_participant_qos>
+        <base_name>
+          <element>BuiltinQosSnippetLib::Feature.Security.Enable</element>
+        </base_name>
+        <property>
+          <value>
+            <!-- Permissions CA: validates S/MIME signatures on governance and permissions XMLs.
+                 Points to the intermediate Permissions CA that signs these documents. -->
+            <element>
+              <name>dds.sec.access.permissions_ca</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/ca/TrustedPermissionsCa/certs/TrustedRootCa/TrustedPermissionsCa.crt</value>
+            </element>
+            <!-- Identity CA: validates identity certificate chains.
+                 Points to the intermediate Identity CA that signs participant certs. -->
+            <element>
+              <name>dds.sec.auth.identity_ca</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/ca/TrustedIdentityCa/certs/TrustedRootCa/TrustedIdentityCa.crt</value>
+            </element>
+            <element>
+              <name>dds.sec.access.governance</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/governance/OperationalDomain/signed/TrustedPermissionsCa/OperationalDomain.p7s</value>
+            </element>
+            <element>
+              <name>dds.sec.auth.identity_certificate</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/identity/operating-room/SystemObserver/SystemObserver/certs/TrustedIdentityCa/SystemObserver.chain.pem</value>
+            </element>
+            <element>
+              <name>dds.sec.auth.private_key</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/identity/operating-room/SystemObserver/SystemObserver/private/SystemObserver.key</value>
+            </element>
+            <element>
+              <name>dds.sec.access.permissions</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/permissions/SystemObserver/signed/TrustedPermissionsCa/SystemObserver.p7s</value>
+            </element>
+            <!-- Read-only observer: it has no publish permissions, so it must not
+                 emit to the distributed secure-log topic. Disable secure logging. -->
+            <element>
+              <name>com.rti.serv.secure.logging.mode_mask</name>
+              <value>BUILTIN</value>
+            </element>
+            <element>
+              <name>com.rti.serv.secure.logging.verbosity</name>
+              <value>SILENT</value>
+            </element>
+          </value>
+        </property>
+      </domain_participant_qos>
+    </qos_profile>
+  </qos_library>
+
+</dds>

system_arch/security/.gitignore

@@ -31,3 +31,8 @@ identity/**/certs/
 # Scaffold hash sidecar
 # ---------------------------------------------------------------------------
 .scaffold-hash
+
+# ---------------------------------------------------------------------------
+# Resolved QoS files (generated by --generate-resolved-qos)
+# ---------------------------------------------------------------------------
+resolved_qos/

system_arch/security/README.md

@@ -47,6 +47,7 @@ Certificates expiring within 30 days are flagged as warnings. Use `--warn-days N
 | `--status` | Report certificate expiry status and exit |
 | `--warn-days N` | Days-to-expiry warning threshold for `--status` (default: 30) |
 | `--connext-version X.Y.Z` | Override auto-detected Connext version |
+| `--generate-resolved-qos` | Generate resolved QoS XML files in `system_arch/security/resolved_qos/` with absolute security artifact paths; skips existing files unless `--force` is set |
 
 ## Directory Layout
 
@@ -82,7 +83,7 @@ system_arch/security/
 - **CA hierarchy:** A self-signed root CA (`TrustedRootCa`) issues two intermediate CAs — one for identity certificates (`TrustedIdentityCa`) and one for permissions/governance signing (`TrustedPermissionsCa`).
 - **Chain files:** Identity certificates include a `.chain.pem` containing both the leaf cert and its issuing CA cert, as required by the RTI Security Plugins.
 - **Signed XML:** Governance and permissions XML files are S/MIME-signed by the appropriate intermediate CA. The signed `.p7s` files are what Connext loads at runtime.
-- **Per-participant permissions:** Each participant has its own permissions document specifying the exact topics it may publish/subscribe to, with a default `DENY` rule.
+- **Per-participant permissions:** Each participant has its own permissions document specifying the exact topics it may publish/subscribe to, with a default `DENY` rule. For example, the `SystemObserver` participant grants `subscribe` on any topic and no `publish` rule at all — a least-privilege, read-only observer that can watch the full data flow but can never write to the bus.
 - **PSK passphrases:** Pre-Shared Key seed files (`.psk`) are generated per domain scope and stored alongside the governance/permissions artifacts (e.g. `domain_scope/TeleopWanDomain/TeleopWanDomain.psk`). The file format is `<id>:<seed>` where `<id>` is an integer in [0, 254]. Participants load the passphrase via the `dds.sec.crypto.rtps_psk_secret_passphrase` property.
 
 ## Good Practices for DDS Security

system_arch/security/dds_security.py

@@ -438,7 +438,7 @@ def generate_root_ca(
 ) -> Path:
     """(b) Generate a root CA private key and self-signed certificate."""
     if out_cert.is_file() and not force:
-        log.info("Root CA cert exists, skipping: %s", out_cert)
+        log.warning("Root CA cert already exists, skipping: %s — remove the file or use --force to regenerate", out_cert)
         return out_cert
     generate_key(key_path)
     return self_sign(key_path, cnf, out_cert, days=days)
@@ -473,7 +473,7 @@ def generate_intermediate_ca(
 ) -> Path:
     """(d-f) Generate an intermediate CA: private key, CSR, and signed certificate."""
     if out_cert.is_file() and not force:
-        log.info("Intermediate CA cert exists, skipping: %s", out_cert)
+        log.warning("Intermediate CA cert already exists, skipping: %s — remove the file or use --force to regenerate", out_cert)
         return out_cert
     generate_key(key_path)
     csr = out_cert.with_suffix(".csr")
@@ -528,7 +528,7 @@ def generate_identity(
     intermediate (not directly the root).
     """
     if out_cert.is_file() and not force:
-        log.info("Identity cert exists, skipping: %s", out_cert)
+        log.warning("Identity cert already exists, skipping: %s — remove the file or use --force to regenerate", out_cert)
         return out_cert
     generate_key(key_path)
     csr = out_cert.with_suffix(".csr")
@@ -571,7 +571,7 @@ def generate_expired_identity(
     creation time.
     """
     if out_cert.is_file() and not force:
-        log.info("Expired identity cert exists, skipping: %s", out_cert)
+        log.warning("Expired identity cert already exists, skipping: %s — remove the file or use --force to regenerate", out_cert)
         return out_cert
     generate_key(key_path)
     csr = out_cert.with_suffix(".csr")
@@ -634,7 +634,7 @@ def sign_governance(
 ) -> Path:
     """(m) Sign a governance XML with S/MIME v3.2."""
     if out_p7s.is_file() and not force:
-        log.info("Signed governance exists, skipping: %s", out_p7s)
+        log.warning("Signed governance already exists, skipping: %s — remove the file or use --force to regenerate", out_p7s)
         return out_p7s
     return sign_xml(key_path, cert_path, xml_path, out_p7s)
 
@@ -654,7 +654,7 @@ def sign_permissions(
 ) -> Path:
     """(o) Sign a permissions XML with S/MIME v3.2."""
     if out_p7s.is_file() and not force:
-        log.info("Signed permissions exists, skipping: %s", out_p7s)
+        log.warning("Signed permissions already exists, skipping: %s — remove the file or use --force to regenerate", out_p7s)
         return out_p7s
     return sign_xml(key_path, cert_path, xml_path, out_p7s)
 

system_arch/security/domain_scope/OperationalDomain/permissions/SystemObserver/SystemObserver.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- (c) 2024 Copyright, Real-Time Innovations, Inc. (RTI) All rights reserved.
+
+RTI grants Licensee a license to use, modify, compile, and create derivative
+works of the software solely for use with RTI Connext DDS.  Licensee may
+redistribute copies of the software provided that all such copies are
+subject to this license. The software is provided "as is", with no warranty
+of any type, including any warranty for fitness for any purpose. RTI is
+under no obligation to maintain or support the software.  RTI shall not be
+liable for any incidental or consequential damages arising out of the use or
+inability to use the software. -->
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://community.rti.com/schema/7.7.0/dds_security_permissions.xsd">
+    <permissions>
+        <grant name="SystemObserverParticipant">
+            <subject_name>/C=US/ST=CA/O=Company Name/emailAddress=systemobserver@company_name.com/CN=SystemObserver</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2024-06-01T13:00:00</not_before>
+                <not_after>2037-06-01T13:00:00</not_after>
+            </validity>
+            <!-- Read-only observer: may subscribe to ANY topic on ANY partition,
+                 and may NOT publish anything. The default DENY rule blocks all
+                 publication (no <publish> rule is granted). -->
+            <allow_rule>
+                <domains>
+                    <id>0</id>
+                </domains>
+                <partitions>
+                    <partition>*</partition>
+                </partitions>
+                <subscribe>
+                    <partitions>
+                        <partition>*</partition>
+                    </partitions>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>

system_arch/security/identity/operating-room/SystemObserver/SystemObserver/SystemObserver.cnf

@@ -0,0 +1,17 @@
+[ req ]
+prompt              = no
+distinguished_name  = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName          = US
+stateOrProvinceName  = CA
+organizationName     = Company Name
+emailAddress         = systemobserver@company_name.com
+commonName           = SystemObserver
+
+[ usr_cert ]
+# End-entity certificate extensions
+basicConstraints       = critical, CA:false
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage               = critical, digitalSignature, keyEncipherment