9. Security
You can use symmetric cryptography with pre-shared keys to protect the communication between Cloud Discovery Service and the user's DomainParticipants, as described in Security Considerations when Using Cloud Discovery Service.
Cloud Discovery Service uses the RTI Lightweight Security Plugins to protect the integrity and/or confidentiality of RTPS messages. Because the protection operates at the RTPS level, it is applied to all messages exchanged between the DomainParticipants and Cloud Discovery Service. These include the participant announcements and, when using the Real-Time WAN Transport, the BINDING_PING messages.
Attention
In prior releases, Cloud Discovery Service and Real-Time WAN Transport could be protected with the
<<deprecated>> com.rti.serv.secure.cryptography.rtps_protection_key
and
<<deprecated>> com.rti.serv.secure.authentication.participant_discovery_protection_key
properties. They are still functional, but they are intended only for communicating with legacy systems. This functionality will be removed in a future release and is not suitable for new deployments. For a detailed description of the legacy properties, refer to the Connext DDS Secure and Cloud Discovery Service 6.1.2 documentation.
9.1. Configuration
To configure security in Cloud Discovery Service, you can set the following properties:
com.rti.serv.secure.cryptography.rtps_protection_preshared_key
- This is the key value used by the RTI Lightweight Security Plugins inside Cloud Discovery Service to protect the integrity and/or confidentiality of RTPS messages. The value should be the same on all the DomainParticipants and on Cloud Discovery Service. For further details, see Configuring the Lightweight Security Plugins.
com.rti.serv.secure.cryptography.rtps_protection_preshared_key_algorithm
- This is the Pre-Shared Key Protection algorithm used by the DomainParticipants and Cloud Discovery Service. The value should be the same on all the DomainParticipants and on Cloud Discovery Service. For further details, see Configuring the Lightweight Security Plugins.
dds.participant.discovery_config.signature_validation_persistent_state_file
- This property protects against replay of a Cloud Discovery Service participant announcement. It is useful when a running Cloud Discovery Service instance configured with the above security properties may be restarted. For further details, see Protection Against a Cloud Discovery Service Participant Announcement Replay Attack.
In Cloud Discovery Service, set the above properties by updating the <property> tag inside the <security> tag (see Configuration for Security).
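As an added example (not taken from the RTI documentation), the three properties above placed in a Cloud Discovery Service XML configuration. The element nesting (<cloud_discovery_service>, <property>, <value>, <element>), the service name, the key and algorithm values, and the state-file path are assumptions and placeholders; check them against the Configuration for Security section and the Lightweight Security Plugins documentation for your release.

```xml
<!-- Added example: element nesting is assumed, values are placeholders -->
<cloud_discovery_service name="SecureCDS">
  <security>
    <property>
      <value>
        <!-- Pre-shared key used by the Lightweight Security Plugins to protect
             RTPS messages. It must be identical on every DomainParticipant and on
             Cloud Discovery Service, or discovery traffic will be rejected.
             Placeholder value: use the key format documented for your release. -->
        <element>
          <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key</name>
          <value>PLACEHOLDER_PRESHARED_KEY</value>
        </element>
        <!-- Pre-shared key protection algorithm; must also match on all
             DomainParticipants. Placeholder value. -->
        <element>
          <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key_algorithm</name>
          <value>PLACEHOLDER_ALGORITHM</value>
        </element>
        <!-- Persists signature-validation state across restarts so that a replayed
             Cloud Discovery Service participant announcement is still rejected
             after the service comes back up. Placeholder path: it must be writable
             by the service and survive restarts. -->
        <element>
          <name>dds.participant.discovery_config.signature_validation_persistent_state_file</name>
          <value>/var/lib/rticds/cds_signature_state.dat</value>
        </element>
      </value>
    </property>
  </security>
</cloud_discovery_service>
```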