Security Plugins Properties¶
RTI Security Plugins includes a set of builtin plugins that implement the plugins defined by the DDS Security specification. You can customize these builtin plugins: for example, to accommodate proprietary or FIPS 140-2 compliant cryptography solutions, take advantage of custom security hardware, or change the behavior of the plugins in any number of ways. The Security Plugins SDK enables customizing the Security Plugins to meet your system’s security requirements.
All the security properties (described in the com.rti.serv list of properties) are validated when the plugin is created. This validation is done in order to avoid using an unknown or incorrect property name (for example, due to a typo). Without this validation, Connext DDS ignores the unknown property name and you might not know why the property’s configuration isn’t being applied. You can find more information in the “Property Validation” section of the Core Libraries User’s Manual.
If you add a new property to the Property Qos Policy, the creation of the Security Plugins by default will fail with an error similar to the following:
DDS_PropertyQosPolicy_validate_plugin_property_suffixes:Unexpected property: com.rti.serv.secure.new_property. Closest valid property: com.rti.serv.secure.openssl_engine
RTI_Security_PluginSuite_create:Inconsistent QoS property: com.rti.serv.secure.
This problem can be solved in one of two ways:
Configuring the validation behavior¶
You can configure the behavior of the validation by setting the com.rti.serv.secure.property_validation_action
property (see Properties for Enabling Security) as follows:
<domain_participant_qos>
<property>
<value>
<element>
<name>com.rti.serv.load_plugin</name>
<value>com.rti.serv.secure</value>
</element>
<element>
<name>com.rti.serv.secure.property_validation_action</name>
<value>VALIDATION_ACTION_SKIP</value>
</element>
</value>
</property>
</domain_participant_qos>
Validating your own properties¶
The Security Plugins SDK properties are validated in the function RTI_Security_PluginSuite_create
:
if (!RTI_Security_Utility_validatePluginPropertySuffixes(
(struct DDS_PropertyQosPolicy *) properties,
prefix,
PROPERTY_PLUGIN_VALID_PUBLIC_PROPERTIES_SECURITY,
PROPERTY_PLUGIN_VALID_PRIVATE_PROPERTIES_SECURITY,
/*
* Do not validate the passed 'dds.sec' properties in the plugin creation,
* those are already validated by core.
*/
DDS_TRUST_PLUGIN_PROPERTY_PREFIX,
validationAction)) {
RTI_Security_Log_exception(
&RTI_LOG_INCONSISTENT_PROPERTY_s,
prefix);
return;
}
If you add a new property and still want to validate the properties, you will need to create a new list of properties to validate. The new list will be a combination of the Properties for Enabling Security and your new properties.
To create the new list of properties for validation, perform the following steps:
Add the following list into the Security Plugins SDK.
const char *PROPERTY_CUSTOM_PLUGIN_VALID_PUBLIC_PROPERTIES_SECURITY[] = {
PROPERTY_NAME_COM_RTI_SERV_SECURE_ACCESS_CONTROL_ALTERNATIVE_PERMISSIONS_AUTHORITY_FILES,
PROPERTY_NAME_COM_RTI_SERV_SECURE_ACCESS_CONTROL_USE_530_LOGGING_PROTECTION,
PROPERTY_NAME_COM_RTI_SERV_SECURE_ACCESS_CONTROL_USE_530_PARTITIONS,
PROPERTY_NAME_COM_RTI_SERV_SECURE_ACCESS_CONTROL_USE_530_PERMISSIONS_RULES_PRECEDENCE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_ACCESS_CONTROL_USE_610_PERMISSIONS_RULES_PRECEDENCE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_ALTERNATIVE_CA_FILES,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_CRL,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_KEYFORM,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_PARTICIPANT_DISCOVERY_PROTECTION_KEY,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_PROPAGATE_SIMPLIFIED_IDENTITY_CERTIFICATE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_RSA_PSS_PAD,
PROPERTY_NAME_COM_RTI_SERV_SECURE_AUTHENTICATION_SHARED_SECRET_ALGORITHM,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CREATE_FUNCTION,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CREATE_FUNCTION_PTR,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CRYPTOGRAPHY_ENCRYPTION_ALGORITHM,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CRYPTOGRAPHY_MAX_BLOCKS_PER_SESSION,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CRYPTOGRAPHY_MAX_RECEIVER_SPECIFIC_MACS,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CRYPTOGRAPHY_RTPS_PROTECTION_KEY,
PROPERTY_NAME_COM_RTI_SERV_SECURE_CRYPTOGRAPHY_SHARE_KEY_FOR_METADATA_AND_DATA_PROTECTION,
PROPERTY_NAME_COM_RTI_SERV_SECURE_HMAC_ONLY_CRYPTOGRAPHY_KEY,
PROPERTY_NAME_COM_RTI_SERV_SECURE_HMAC_ONLY_CRYPTOGRAPHY_MAX_BLOCKS_PER_SESSION,
PROPERTY_NAME_COM_RTI_SERV_SECURE_HMAC_ONLY_ENABLED,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LIBRARY,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LICENSE_FILE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LICENSE_STRING,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_LOG_LEVEL,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_MODE_MASK,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_PROFILE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_QUEUE_MESSAGE_COUNT_MAX,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_QUEUE_MESSAGE_SIZE_MAX,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_QUEUE_SIZE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_THREAD_MESSAGE_THRESHOLD,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_SECURITY_TOPIC_THREAD_PLUGIN_METHOD_THRESHOLD,
PROPERTY_NAME_COM_RTI_SERV_SECURE_LOGGING_VERBOSITY,
PROPERTY_NAME_COM_RTI_SERV_SECURE_OPENSSL_ENGINE,
PROPERTY_NAME_COM_RTI_SERV_SECURE_PROPERTY_VALIDATION_ACTION,
"" /* Specify end of array */
};
Add your new properties to the list
PROPERTY_CUSTOM_PLUGIN_VALID_PUBLIC_PROPERTIES_SECURITY
.In the function
RTI_Security_Utility_validatePluginPropertySuffixes
, replacePROPERTY_PLUGIN_VALID_PUBLIC_PROPERTIES_SECURITY
withPROPERTY_CUSTOM_PLUGIN_VALID_PUBLIC_PROPERTIES_SECURITY
.Recompile the Security Plugins SDK.
Your properties will be validated.