(!) Please ask about problems and questions regarding this tutorial on answers.ros.org. Don't forget to include in your question the link to this page, the versions of your OS & ROS, and also add appropriate tags.

Running Keyserver

Description: This tutorial explains how to run the keyserver.

Keywords: SROS, Keyserver, PKI

Tutorial Level: INTERMEDIATE

Next Tutorial: SROS/Tutorials/ConfiguringKeyserver


This tutorial will introduce you to running the keyserver provided by SROS. Before new SROS nodes can connect to the ROS network, they will need to initialize a few PKI elements for their own local keystore and nodestore, including public certificates from trusted CA's, and personal certificates and keys. In fact, if the rosmaster and roslaunch nodes have not yet initialized their keystore/nodestores, then roscore will fail to communicate with itself during startup. This is why using a keyserver beforehand can help automate SROS's bootstrapping process.

Launching Keyserver

The keyserver can be launched using the sroskeyserver command.

$ sroskeyserver 
Starting an XML-RPC server to bootstrap SSL key distribution...
Certificate generated: root
Certificate generated: master
sleeping until keyserver has generated the initial keyring...
Horray, the keyserver is now open for business.

By default, the keyserver will search for its configuration file under the SROS_CONFIG_DIR path. If this file does not exist, SROS will copy one for you using a provided sample shipped in SROS. We will step through this configuration file in a later tutorial, but for now let's check that everything is working using the sample. Assuming the keyserver's keystore was uninitialized, you should see a brief message about the server starting up and generating a root and a master certificate authority, as prescribed by the configuration file. From using the tree command in a separate terminal, we should see something like this:

$ tree ~/.ros/sros
  ├── config
  │   ├── keyserver_config.yaml
  │   └── policy_config.yaml
  └── keystore
      ├── ca
      │   ├── master
      │   │   ├── master.cert
      │   │   └── master.pem
      │   └── root
      │       ├── root.cert
      │       └── root.pem
      ├── capath
      │   ├── d11d170d.0 -> /root/.ros/sros/keystore/ca/root/root.cert
      │   └── f4ad5f10.0 -> /root/.ros/sros/keystore/ca/master/master.cert
      └── utils
          └── keyserver
              ├── keyserver.cert
              └── keyserver.pem

  8 directories, 10 files

From this, we can see a new sros directory has been created in our local .ros path. Within the config directory we can see the sample keyserver configuration file, as well as the target policy file that is not yet being used. In the local keystore directory we can see the Certificate Authorities and linking CApath to be used for TLS libraries. Finally, we see a special utility folder that houses the nodestore specific to the keyserver.

Simply, the configuration file loaded on startup, instructed the keyserver to load the CA, and if nonexistent in the keystore, how to create it/them. Once the root and intermediate master CA's in this case have been initialized, the keyserver is told to load its own transport certificate and keypair. Again, because this doesn't yet exist, the keyserver is also informed by the config on how to use the CA's just loaded to make some for itself.

The keyserver then attempts to connect to itself using its own keys to verify API end of the keyserver is online and operational. Once this is done, the keyserver is ready for requests from connecting nodes.

Wiki: SROS/Tutorials/RunningKeyserver (last edited 2018-11-14 23:36:22 by JLev)