Updated security configuration to match best practices.

Author: jmlvega

README.md

@@ -321,12 +321,13 @@ DDS Security defines authentication, access control, and encryption capabilities
 
 DDS Security is meant to be a pluggable component to the system architecture. This reference architecture demonstrates the flexibility of the RTI Security Plugins, and how a system can be secured purely through configuration. It should be noted that enabling security does have an effect on performance - both at initialization due to authentication and in steady-state operation due to encryption. It is because of this, that a system's architecture should be designed with security in mind, even if application code has no dependency on the use of security.
 
-The reference architecture configures security in [SecureAppsQos.xml](./system_arch/qos/SecureAppsQos.xml) with:
+The reference architecture configures security in [SecureAppsQos.xml](./system_arch/qos/SecureAppsQos.xml) following the [Builtin Security Plugins domain-level protection](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/p3_advanced/threat_modeling.html#dds-security-threat-protection) pattern with topic-level protection for sensitive topics:
 
 | Component | Security Features
 | ---------------------- | -----------------
-| **LAN Communications** | `OperationalDomain` governance, participant-specific certificates and permissions
-| **WAN Communications** | `TeleopWanDomain` governance for WAN connections (Module 03), including PSK-protected RTPS
+| **LAN Communications** | `OperationalDomain` governance with `ENCRYPT_WITH_ORIGIN_AUTHENTICATION` RTPS protection, PSK encryption (`OperationalDomain.psk`), participant-specific certificates and permissions
+| **WAN Communications** | `TeleopWanDomain` governance with `ENCRYPT_WITH_ORIGIN_AUTHENTICATION` RTPS protection, PSK encryption (`TeleopWanDomain.psk`) for WAN connections (Module 03)
+| **Topic-level protection** | `t/Vitals` and `t/MotorControl` topics use `metadata_protection_kind=ENCRYPT` for insider confidentiality protection
 | **RTI Services** | Dedicated security profiles for Recording/Replay Services and Routing Services
 
 For independent, security-specific observer integrations (not part of the demo applications), use [SecureExternalAppsQos.xml](./system_arch/qos/SecureExternalAppsQos.xml). It provides the `SecureExternalAppsQosLib::SecureSystemObserver` QoS snippet, which is intended to be composed into external DomainParticipants.
@@ -352,12 +353,12 @@ Check out the the [system_arch](./system_arch/) folder, where the system archite
 - [RTI XML-Based Application Creation](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/xml_application_creation/xml_based_app_creation_guide/XMLAppCreationGSG_title.htm#)
 - [RTI System Designer](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/tools/system_designer/index.html)
 - [RTI Core Libraries Users Manual](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/users_manual/users_manual/title.htm#)
-- [RTI Security Plugins](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_secure/users_manual/index.html)
+- [RTI Security Plugins](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/index.html)
 - [RTI Connext Modern C++ API](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/api/connext_dds/api_cpp2/index.html) *, used in Module 01: Digital Operating Room*
 - [RTI Connext Python API](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/api/connext_dds/api_python/index.html) *, used in Module 01: Digital Operating Room*
 - [RTI Recording Service & Replay Service](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/services/recording_service/introduction.html) *, used in Module 02: RTI Recording Service & RTI Replay Service*
 - [Connext Real-Time WAN Transport](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/users_manual/users_manual/PartRealtimeWAN.htm) *, used in Module 03: Remote Teleoperation with RTI Real-Time WAN Transport*
 - [RTI Routing Service](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/services/routing_service/index.html) *, used in Module 03: Remote Teleoperation with RTI Real-Time WAN Transport*
 - [RTI Cloud Discovery Service](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/addon_products/cloud_discovery_service/index.html) *, used in Module 03: Remote Teleoperation with RTI Real-Time WAN Transport*
-- [RTI Security Plugins Users Manual](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_secure/users_manual/index.html) *, used in Module 04: Security Threat Demonstration*
+- [RTI Security Plugins Users Manual](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/index.html) *, used in Module 04: Security Threat Demonstration*
 - [RTI Connext Third-Party Software](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_professional/release_notes_3rdparty/index.html)

modules/03-remote-teleoperation/README.md

@@ -37,7 +37,7 @@ Together, the RTI Real-Time WAN Transport, RTI Security Plugins, and RTI Cloud D
 
 - **Low-latency communication** across WAN connections
 - **Automatic NAT traversal** capabilities
-- **Secure data transmission** with built-in authentication, encryption and access control
+- **Secure data transmission** with domain-level protection (`ENCRYPT_WITH_ORIGIN_AUTHENTICATION` + PSK encryption) and topic-level encryption for sensitive topics (`t/Vitals`, `t/MotorControl`)
 - **Bandwidth optimization** for efficient data transfer (when compared to TCP-based communication)
 - **Connection resilience** with automatic reconnection
 

modules/04-security-threat/README.md

@@ -160,15 +160,21 @@ Watch the threat app's Activity Log: when the secured OR comes up, the injector'
 
 ### 2. Understanding Why Each Attack Is Blocked
 
-Each attack mode corresponds to a different stage of the DDS Security handshake:
+Each attack mode corresponds to a different stage of the DDS Security handshake. Even if an attacker passes one layer, subsequent layers still block the attack:
 
 | Mode | What happens | Why |
 | --- | --- | --- |
 | **Rogue CA** | Participant is created but never matches | The identity certificate is signed by an untrusted CA root. The OR participants do not list the rogue CA in their `identity_ca` trust store, so the authentication handshake fails. |
 | **Forged Permissions** | Participant is created but never matches | Authentication succeeds (identity signed by trusted CA), but the permissions document is signed by the rogue CA. Since the OR's `permissions_ca` is the trusted CA, the signature mismatch causes access control validation to fail. |
 | **Expired Certificate** | Participant creation fails immediately | The identity certificate was signed by the trusted CA but its `notAfter` field is in the past. The DDS Security authentication plugin validates certificate expiration during identity validation — for the local participant, this occurs during DomainParticipant creation, causing it to fail immediately. The status badge shows **ATTACK FAILED** (red). |
 
-For a deeper dive into the DDS Security handshake, refer to the [RTI Security Plugins User's Manual](https://community.rti.com/static/documentation/connext-dds/7.7.0/doc/manuals/connext_dds_secure/users_manual/index.htm).
+Beyond authentication and permissions, the system also enforces **cryptographic protection at multiple levels**:
+
+- **Domain-level protection from outsiders:** `rtps_psk_protection_kind=ENCRYPT` protects pre-authentication traffic, preventing passive eavesdropping before the handshake completes.
+- **Domain-level protection from insiders:** `rtps_protection_kind=ENCRYPT_WITH_ORIGIN_AUTHENTICATION` ensures all RTPS traffic is encrypted with per-writer keys and origin-authenticated — even an authenticated insider cannot forge another participant's messages.
+- **Topic-level protetion from insiders:** `t/Vitals` and `t/MotorControl` use `metadata_protection_kind=ENCRYPT`, meaning their submessage metadata is encrypted with keys shared only among authorized endpoints — a compromised participant without topic-level permissions cannot decrypt these topics.
+
+For a deeper dive into the DDS Security handshake, refer to the [RTI Security Plugins User's Manual](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/p2_core/authentication.html#handshake).
 
 ---
 

system_arch/qos/README.md

@@ -180,9 +180,9 @@ Both files contain only 1 QoS library: ***DpQosLib***. This QoS library contains
 
 [SecureAppsQos.xml](./SecureAppsQos.xml) defines secure profiles for the demo DomainParticipants and services in a similar way to **NonSecureAppsQos.xml**, but with security configuration added.
 
-[SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *LanCommonSecurityConfig* defines common configuration to enable security for local domains (LAN connections). It references common permissions CA, identity CA, and governance files.
+[SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *LanCommonSecurityConfig* defines common configuration to enable security for local domains (LAN connections). It references common permissions CA, identity CA, governance files, and the OperationalDomain PSK seed file. The governance uses `rtps_protection_kind=ENCRYPT_WITH_ORIGIN_AUTHENTICATION` with `rtps_psk_protection_kind=ENCRYPT` for domain-level protection, plus topic-level protection (`metadata_protection_kind=ENCRYPT`) on `t/Vitals` and `t/MotorControl`.
 
-[SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *WanCommonSecurityConfig* defines common configuration to enable security for remote domains (WAN connections). It references common permissions CA, identity CA, and governance files.
+[SecureAppsQos.xml](./SecureAppsQos.xml) defines a QoS snippet - *WanCommonSecurityConfig* defines common configuration to enable security for remote domains (WAN connections). It references common permissions CA, identity CA, governance files, and the TeleopWanDomain PSK seed file. The same domain-level protection applies (`rtps_protection_kind=ENCRYPT_WITH_ORIGIN_AUTHENTICATION`, `rtps_psk_protection_kind=ENCRYPT`), but the WAN governance applies *stricter* topic-level protection: a catch-all `*` rule with `metadata_protection_kind=ENCRYPT` protects the submessage metadata of **every** topic, rather than only `t/Vitals` and `t/MotorControl`. The secure log topic `DDS:Security:LogTopicV2` keeps its own `SIGN`/`ENCRYPT`.
 
 ## External security snippets: [SecureExternalAppsQos.xml](SecureExternalAppsQos.xml)
 

system_arch/qos/SecureAppsQos.xml

@@ -87,6 +87,10 @@ inability to use the software. -->
               <name>dds.sec.access.governance</name>
               <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/governance/OperationalDomain/signed/TrustedPermissionsCa/OperationalDomain.p7s</value>
             </element>
+            <element>
+              <name>dds.sec.crypto.rtps_psk_secret_passphrase</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/OperationalDomain.psk</value>
+            </element>
           </value>
         </property>
       </domain_participant_qos>

system_arch/qos/SecureExternalAppsQos.xml

@@ -43,22 +43,12 @@ inability to use the software. -->
         </base_name>
         <property>
           <value>
-            <!-- Permissions CA: validates S/MIME signatures on governance and permissions XMLs.
-                 Points to the intermediate Permissions CA that signs these documents. -->
-            <element>
-              <name>dds.sec.access.permissions_ca</name>
-              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/ca/TrustedPermissionsCa/certs/TrustedRootCa/TrustedPermissionsCa.crt</value>
-            </element>
             <!-- Identity CA: validates identity certificate chains.
                  Points to the intermediate Identity CA that signs participant certs. -->
             <element>
               <name>dds.sec.auth.identity_ca</name>
               <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/ca/TrustedIdentityCa/certs/TrustedRootCa/TrustedIdentityCa.crt</value>
             </element>
-            <element>
-              <name>dds.sec.access.governance</name>
-              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/governance/OperationalDomain/signed/TrustedPermissionsCa/OperationalDomain.p7s</value>
-            </element>
             <element>
               <name>dds.sec.auth.identity_certificate</name>
               <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/identity/operating-room/SystemObserver/SystemObserver/certs/TrustedIdentityCa/SystemObserver.chain.pem</value>
@@ -67,10 +57,28 @@ inability to use the software. -->
               <name>dds.sec.auth.private_key</name>
               <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/identity/operating-room/SystemObserver/SystemObserver/private/SystemObserver.key</value>
             </element>
+
+            <!-- Permissions CA: validates S/MIME signatures on governance and permissions XMLs.
+                 Points to the intermediate Permissions CA that signs these documents. -->
+            <element>
+              <name>dds.sec.access.permissions_ca</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/ca/TrustedPermissionsCa/certs/TrustedRootCa/TrustedPermissionsCa.crt</value>
+            </element>
+            <element>
+              <name>dds.sec.access.governance</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/governance/OperationalDomain/signed/TrustedPermissionsCa/OperationalDomain.p7s</value>
+            </element>
             <element>
               <name>dds.sec.access.permissions</name>
               <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/permissions/SystemObserver/signed/TrustedPermissionsCa/SystemObserver.p7s</value>
             </element>
+
+            <!-- PSK: used to encrypt RTPS traffic. Points to the pre-shared key file. -->
+            <element>
+              <name>dds.sec.crypto.rtps_psk_secret_passphrase</name>
+              <value>file:$(RTI_SECURITY_ARTIFACTS_DIR)/domain_scope/OperationalDomain/OperationalDomain.psk</value>
+            </element>
+
             <!-- Read-only observer: it has no publish permissions, so it must not
                  emit to the distributed secure-log topic. Disable secure logging. -->
             <element>

system_arch/security/README.md

@@ -59,6 +59,7 @@ system_arch/security/
 │   └── TrustedPermissionsCa/                    #   Intermediate CA for permissions signing
 ├── domain_scope/                                # Per-domain governance & permissions
 │   ├── OperationalDomain/
+│   │   ├── OperationalDomain.psk                #     PSK passphrase seed (generated)
 │   │   ├── governance/<name>/<name>.xml         #     Governance XML (committed)
 │   │   │                └── signed/<issuer>/     #     Signed governance (.p7s)
 │   │   └── permissions/<role>/<role>.xml         #     Permissions XML (committed)
@@ -84,7 +85,9 @@ system_arch/security/
 - **Chain files:** Identity certificates include a `.chain.pem` containing both the leaf cert and its issuing CA cert, as required by the RTI Security Plugins.
 - **Signed XML:** Governance and permissions XML files are S/MIME-signed by the appropriate intermediate CA. The signed `.p7s` files are what Connext loads at runtime.
 - **Per-participant permissions:** Each participant has its own permissions document specifying the exact topics it may publish/subscribe to, with a default `DENY` rule. For example, the `SystemObserver` participant grants `subscribe` on any topic and no `publish` rule at all — a least-privilege, read-only observer that can watch the full data flow but can never write to the bus.
-- **PSK passphrases:** Pre-Shared Key seed files (`.psk`) are generated per domain scope and stored alongside the governance/permissions artifacts (e.g. `domain_scope/TeleopWanDomain/TeleopWanDomain.psk`). The file format is `<id>:<seed>` where `<id>` is an integer in [0, 254]. Participants load the passphrase via the `dds.sec.crypto.rtps_psk_secret_passphrase` property.
+- **PSK passphrases:** Pre-Shared Key seed files (`.psk`) are generated per domain scope and stored alongside the governance/permissions artifacts (e.g. `domain_scope/OperationalDomain/OperationalDomain.psk`, `domain_scope/TeleopWanDomain/TeleopWanDomain.psk`). The file format is `<id>:<seed>` where `<id>` is an integer in [0, 254]. Participants load the passphrase via the `dds.sec.crypto.rtps_psk_secret_passphrase` property. Both domains use `rtps_psk_protection_kind=ENCRYPT` in their governance to protect pre-authentication RTPS traffic.
+- **Domain-level protection:** Both `OperationalDomain` and `TeleopWanDomain` use the [Builtin Security Plugins for domain-level protection](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/p3_advanced/threat_modeling.html#dds-security-threat-protection) pattern: `rtps_protection_kind=ENCRYPT_WITH_ORIGIN_AUTHENTICATION` provides insider integrity and availability protection; `rtps_psk_protection_kind=ENCRYPT` secures pre-authentication traffic.
+- **Topic-level protection:** In the `OperationalDomain` (LAN) governance, the `t/Vitals` and `t/MotorControl` topics use `metadata_protection_kind=ENCRYPT` for [topic-level protection](https://community.rti.com/static/documentation/connext-dds/current/doc/manuals/connext_dds_secure/users_manual/p3_advanced/threat_modeling.html#dds-security-threat-protection), ensuring only participants with matching permissions can decrypt those topics' submessage metadata — even if authenticated to the domain. The `TeleopWanDomain` (WAN) governance is stricter: a catch-all `*` rule applies `metadata_protection_kind=ENCRYPT` to **every** topic, with the `DDS:Security:LogTopicV2` rule ordered ahead of it so the secure log retains its own `SIGN`/`ENCRYPT` protection.
 
 ## Good Practices for DDS Security
 

system_arch/security/domain_scope/OperationalDomain/governance/OperationalDomain/OperationalDomain.xml

@@ -22,8 +22,27 @@ inability to use the software. -->
             <enable_join_access_control>true</enable_join_access_control>
             <discovery_protection_kind>NONE</discovery_protection_kind>
             <liveliness_protection_kind>NONE</liveliness_protection_kind>
-            <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+            <rtps_psk_protection_kind>ENCRYPT</rtps_psk_protection_kind>
             <topic_access_rules>
+                <topic_rule>
+                    <topic_expression>t/Vitals</topic_expression>
+                    <enable_discovery_protection>false</enable_discovery_protection>
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <enable_write_access_control>true</enable_write_access_control>
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+                <topic_rule>
+                    <topic_expression>t/MotorControl</topic_expression>
+                    <enable_discovery_protection>false</enable_discovery_protection>
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <enable_write_access_control>true</enable_write_access_control>
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
                 <topic_rule>
                     <topic_expression>*</topic_expression>
                     <enable_discovery_protection>false</enable_discovery_protection>