The following properties in the DDS_DomainParticipantQos property configure Logging:
Property Name (prefix with ‘com.rti.serv.secure.’)1 Assuming you used ‘com.rti.serv.secure’ as the alias to load the plugin. If not, change the prefix to match the string used with com.rti.serv.load_plugins, followed by the '.' character. |
Property Value Description |
applies to log file method only | |
logging.log_file |
Optional The file that log messages are printed to. If you specify a file in this property, Security Plugins will print to this file instead of to the Connext DDS builltin logging system or via DDS distribution. Default: NULL |
applies to all logging methods | |
logging.log_level (deprecated) |
Optional The logging verbosity level. This setting applies to all methods of security logging (the Connext DDS builtin logging system, a log file, and DDS distribution). All log messages at and below the logging.log_level setting will be logged. This property can take any of the following values:
Notes:
|
logging.verbosity |
Optional The logging verbosity level. This setting applies to all methods of security logging (the Connext DDS builtin logging system, a log file, and DDS distribution). All log messages at and below the verbosity level will be logged. This property can take any of the following values (case sensitive):
This property is incompatible with logging.log_level (i.e., they cannot be used simultaneously). |
applies to logging distribution over DDS method only | |
logging.distribute.enable |
Optional Controls whether security-related log messages should be distributed over a DDS DataWriter. If enable is true, then the Logging Plugin will create a Publisher and DataWriter within the same DomainParticipant that is setting this property. There is no option to use a separate DomainParticipant or to share a DataWriter among multiple DomainParticipants. To subscribe to the log messages, run rtiddsgen on resource/idl/builtin_logging_type.idl. Create a DataReader of type DDSSecurity::BuiltinLoggingType and topic DDS:Security:LogTopic. The DataReader must be allowed to subscribe to this topic according to its DomainParticipant’s permissions file. To subscribe to the log messages, run rtiddsgen on resource/idl/builtin_logging_type.idl. For example: rtiddsgen -language C -example x64Linux3gcc4.8.2 -unboundedSupport builtin_logging_type.idl IMPORTANT: You must use the command-line option -unboundedSupport. See 8.3.2 Using a Custom Subscriber for more information. Boolean. Default: FALSE |
logging.distribute.profile |
Optional QoS Library and QoS profile used to create logging-related entities (Publisher, Topic and DataWriter). Must be a string of the format QosLibraryName::QosProfileName. String. Default: empty string (uses default QoS profile) |
logging.distribute.writer_history_depth |
Optional History depth (in samples) of the logging DataWriter. Integer. Default: 64 |
logging.distribute.writer_timeout |
Optional Number of milliseconds to wait before giving up trying to write a log message. This property overwrites the max_blocking_time QoS of the logging DataWriter. Integer. Default: 5000 |
logging.distribute.queue.size |
Optional Size of the logging thread queue, in bytes. Integer. Default: 50688 |
logging.distribute.queue.message_count_max |
Optional Maximum number of log messages in the logging queue. Integer. Default: 64 |
logging.distribute.queue.message_size_max |
Optional Maximum serialized size of a log message in the logging queue. Integer. Default: 792 |
logging.distribute.thread.message_threshold |
Optional Number of bytes to preallocate for the logging message string in the logging thread, beyond which dynamic allocation will occur. Integer. Default: 256 |
logging.distribute.thread.plugin_method_threshold |
Optional Number of bytes to preallocate for the plugin method string in the logging thread, beyond which dynamic allocation will occur. Integer. Default: 256 |
logging.distribute.thread.message_threshold |
Optional Number of bytes to preallocate for the plugin class string in the logging thread, beyond which dynamic allocation will occur. Integer. Default: 256 |
Table 8.2 Log Messages lists security-related events and the log messages they generate.
Event |
Log Level |
Message |
Failed to allocate memory |
EMERGENCY |
insufficient memory |
allow_unauthenticated_participants = FALSE, and discovered remote participant that is unauthenticable, i.e. has not enabled security |
WARNING |
unauthenticated remote participant [participant ID] denied |
allow_unauthenticated_participants = TRUE, and discovered remote participant that is either unauthenticable or fails authentication |
WARNING |
allowing unauthenticated participant [participant ID] |
Received invalid X509 certificate, from either remote or local participant |
ERROR |
failed to decode certificate |
Couldn't verify certificate's signature against neither the certificate of the Identity Certificate Authority nor any alternative CAs |
ERROR |
failed to verify certificate |
Certificate appears in Certificate Revocation List |
ERROR2This log message is logged using Connext DDS's own builtin logging system, regardless of the logging method used. |
certificate revoked |
Upon receiving HandshakeReplyMessageToken or HandshakeFinalMessageToken, couldn't verify challenge's signature against peer's certificate. Peer likely has mismatched private and public keys, so it’s an imposter. |
ERROR |
failed to verify challenge signature |
Another participant has lost liveliness with this one before authentication was completed and is trying to re-authenticate itself (see 5.5 Re-Authentication ). A new authentication should restore communication once the ongoing authentication times out. Or: Network traffic corruption during authentication. Or: Misbehaving remote participant during authentication. |
NOTICE |
RTI_Security_Authentication_process_handshake:received unexpected handshake message, probably from a participant that lost liveliness with this one before ongoing authentication completed. Once current authentication times out, communication should be restored. |
RTI_Security_Authentication_process_handshake failed (see previous row). |
STATUS_REMOTE3This log message is logged using Connext DDS's own builtin logging system, regardless of the logging method used. |
DDS_DomainParticipantTrustPlugins_forwardProcessHandshake:!security function process_handshake returned VALIDATION_FAILED |
Couldn't verify permissions or governance file signature against either the certificate of the Permissions Authority or any alternative permissions authorities |
ERROR |
Document signature verification failed. Make sure document was signed by the right permissions authority. |
Received signed permissions document that is not an XML document |
ALERT |
received invalid signed permissions document |
Received signed governance document that is not an XML document |
ERROR |
received invalid signed governance document |
Couldn't parse the permissions file for some reason, such as duplicate grants for the same subject name or no grant for the intended subject name |
ALERT |
failed to parse permissions file |
Couldn't parse the governance file for some reason |
ALERT |
failed to parse governance file |
Denied participant because there is a deny rule explicitly prohibiting the participant |
ERROR |
participant not allowed: deny rule found |
Denied participant because there is no rule for the participant's domain ID, and the default is to deny |
ERROR |
participant not allowed: no rule found for the participant's domainId; default DENY |
Denied writer or reader because there is a deny rule explicitly prohibiting the writer or reader |
ERROR |
endpoint not allowed: deny rule found |
Denied writer or reader because there is no rule for the writer or reader, and the default is to deny |
ERROR |
endpoint not allowed: no rule found; default DENY |
Parsed publish/subscribe rule in permissions file that does not apply to the writer/reader because no topic expressions match the writer/reader's topic |
DEBUG |
This publish/subscribe rule doesn't apply because none of the rule's topic expressions match the endpoint's topic name of [topic name] |
Parsed publish/subscribe rule in permissions file that does not apply to the writer/reader because even though there's a matching topic expression, there are no matching partition expressions |
DEBUG |
This publish/subscribe rule doesn't apply because none of the rule's partition expressions match with any of the endpoint's partitions |
Another participant, which is not using is_rtps_protected = true or is not using security at all, has sent this one an unprotected RTPS message that is not a participant announcement, handshake message, or key exchange message. This participant is using is_rtps_protected = true, so it drops the message. Or: Network traffic corruption after key exchange. Or: Misbehaving remote participant after key exchange. |
STATUS_REMOTE4This log message is logged using Connext DDS's own builtin logging system, regardless of the logging method used. |
MIGInterpreter_parse:received unencoded rtps message. Unacceptable due to is_rtps_protected = true |
Received authenticated content that has been tampered with, i.e. EVP_DecryptFinal_ex failed because the GCM or GMAC tag verification failed |
ALERT |
DecryptFinal failed. Possible GCM authentication failure. |
Received submessage encrypted with a key whose MasterKeyId hasn't yet been exchanged via CryptoToken |
DEBUG |
received submessage from an endpoint that discovered me but that I haven't discovered yet; dropping submessage hoping it will be repaired. It will not be repaired if the endpoint did not properly share its MasterKeyId in its CryptoToken |
Writing a log message over the LogTopic fails due to insufficient logging queue size |
STATUS_LOCAL5This log message is logged using Connext DDS's own builtin logging system, regardless of the logging method used. |
Failed to write log message of size = [message size] because the logging queue is full. Try to increase logging.distribute.queue. |
Parsed publish/subscribe <allow_rule> in permissions file that does not apply to the writer/reader because even though there's a matching topicexpression, the partition expressions in the QoS are not a subset of the ones in the <allow_rule> |
DEBUG |
This publish/subscribe rule doesn't apply because endpoint's partitions are not a subset of the rule's partition expressions |
Log messages generated by the Logging Plugin in Security Plugins and those generated by the Connext DDS builtin logging system (which is the default method) have a different structure. For example, the Logging Plugin includes information about the process ID (procid) and the host (hostname, hostip). This information is lost when using the Connext DDS builtin logging system. The log level values used by these logging systems are also different. Table 8.3 Mapping between Logging Plugin and Connext DDS Builtin Logging System shows the mapping between Logging Plugin log values and the Connext DDS builtin logging system log values. For example, messages marked as "emergency," "alert," "critical," or "error" in Security Plugins are translated to "error" when using the builtin logging system.
Table 8.3 Mapping between Logging Plugin and Connext DDS Builtin Logging System
Logging Plugin (Security Plugins) log level values6These values correspond to the values listed in logging.verbosity. |
Connext DDS builtin logging system log level values7These values are described in Controlling Messages from Connext DDS, in the RTI Connext DDS Core Libraries User's Manual. |
---|---|
DDS_LOGGING_EMERGENCY_LEVEL DDS_LOGGING_ALERT_LEVEL DDS_LOGGING_CRITICAL_LEVEL DDS_LOGGING_ERROR_LEVEL |
NDDS_CONFIG_LOG_LEVEL_ERROR |
DDS_LOGGING_WARNING_LEVEL |
NDDS_CONFIG_LOG_LEVEL_WARNING |
DDS_LOGGING_NOTICE_LEVEL |
NDDS_CONFIG_LOG_LEVEL_STATUS_LOCAL |
DDS_LOGGING_INFORMATIONAL_LEVEL |
NDDS_CONFIG_LOG_LEVEL_STATUS_REMOTE |
DDS_LOGGING_INFORMATIONAL_DEBUG |
NDDS_CONFIG_LOG_LEVEL_DEBUG |
© 2020 RTI