9. Security

You can use symmetric cryptography with pre-shared keys to protect the communication between Cloud Discovery Service and the user's DomainParticipants, as described in Security Considerations when Using Cloud Discovery Service.

Cloud Discovery Service uses the RTI Lightweight Security Plugins to protect the integrity and/or confidentiality of RTPS messages. By operating at the RTPS level, the protection is applied to all messages exchanged between the DomainParticipants and Cloud Discovery Service. These include the participant announcements and the BINDING_PING messages when using the Real-Time WAN Transport.

Attention

In prior releases, Cloud Discovery Service and Real-Time WAN Transport could be protected with the <<deprecated>> com.rti.serv.secure.cryptography.rtps_protection_key and <<deprecated>> com.rti.serv.secure.authentication.participant_discovery_protection_key properties. These properties are still functional, but they are intended only for communicating with legacy systems. This functionality will be removed in the future and is not suitable for new deployments. For a detailed description of the legacy properties, refer to the Connext DDS Secure and Cloud Discovery Service 6.1.2 documentation.

9.1. Configuration

To configure security in Cloud Discovery Service, you can set the following properties:

  • com.rti.serv.secure.cryptography.rtps_protection_preshared_key - This is the key value used by the RTI Lightweight Security Plugins inside Cloud Discovery Service to protect the integrity and/or confidentiality of RTPS messages. The value should be the same on all the DomainParticipants and Cloud Discovery Service. For further details, see Configuring the Lightweight Security Plugins.

  • com.rti.serv.secure.cryptography.rtps_protection_preshared_key_algorithm - This is the Pre-Shared Key Protection algorithm used by DomainParticipants and Cloud Discovery Service. The value should be the same on all the DomainParticipants and Cloud Discovery Service. For further details, see Configuring the Lightweight Security Plugins.

  • dds.participant.discovery_config.signature_validation_persistent_state_file - This property allows protection against a Cloud Discovery Service participant announcement replay attack. It is useful when a running Cloud Discovery Service instance configured with the above security properties could be restarted. For further details, see Protection Against a Cloud Discovery Service Participant Announcement Replay Attack.

In Cloud Discovery Service, set the above properties by updating the <property> tag inside the <security> tag (see Configuration for Security).
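A configuration check built from the properties listed above, as an added example that is not RTI code: it flags the deprecated key properties, a missing pre-shared key or algorithm, and a pre-shared key configured without the persistent state file. The element nesting used in the constructed samples and every PLACEHOLDER value are assumptions; the real value syntax is given in Configuring the Lightweight Security Plugins.

```python
import xml.etree.ElementTree as ET

PSK = "com.rti.serv.secure.cryptography.rtps_protection_preshared_key"
PSK_ALGORITHM = PSK + "_algorithm"
STATE_FILE = "dds.participant.discovery_config.signature_validation_persistent_state_file"
DEPRECATED = {
    "com.rti.serv.secure.cryptography.rtps_protection_key",
    "com.rti.serv.secure.authentication.participant_discovery_protection_key",
}

def make_config(properties):
    """Build a constructed sample document; the element nesting is an assumption."""
    elements = "".join(
        f"<element><name>{name}</name><value>{value}</value></element>"
        for name, value in properties.items())
    return ("<dds><cloud_discovery_service name='example'><security><property><value>"
            f"{elements}</value></property></security></cloud_discovery_service></dds>")

def security_properties(xml_text):
    """Collect {name: value} from every <element> found under a <security> tag."""
    found = {}
    for security in ET.fromstring(xml_text).iter("security"):
        for element in security.iter("element"):
            name = (element.findtext("name") or "").strip()
            if name:
                found[name] = (element.findtext("value") or "").strip()
    return found

def audit(xml_text):
    """Return findings for one configuration, in a fixed order."""
    props = security_properties(xml_text)
    findings = [f"deprecated property in use: {n}"
                for n in sorted(DEPRECATED.intersection(props))]
    findings += [f"not set: {n}" for n in (PSK, PSK_ALGORITHM) if not props.get(n)]
    # Advisory: the state file matters when the running instance could be restarted.
    if props.get(PSK) and not props.get(STATE_FILE):
        findings.append(f"not set (announcement replay protection): {STATE_FILE}")
    return findings

# Constructed samples; every value is a placeholder, not real key material.
LEGACY = make_config({
    "com.rti.serv.secure.cryptography.rtps_protection_key": "PLACEHOLDER_LEGACY_KEY"})
PSK_ONLY = make_config({PSK: "PLACEHOLDER_KEY", PSK_ALGORITHM: "PLACEHOLDER_ALGORITHM"})
COMPLETE = make_config({PSK: "PLACEHOLDER_KEY", PSK_ALGORITHM: "PLACEHOLDER_ALGORITHM",
                        STATE_FILE: "PLACEHOLDER_STATE_FILE_PATH"})

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY), ("psk-only", PSK_ONLY), ("complete", COMPLETE)):
        print(label, audit(doc) or "ok")
```
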

9.2. Pre-Shared Key Mutability

For a running Cloud Discovery Service instance, the RTI Lightweight Security Plugins also support mutability of the com.rti.serv.secure.cryptography.rtps_protection_preshared_key property, so you can change the pre-shared key dynamically. Reasons for changing the key include overuse, leaks or compromise, or proactive prevention of these security problems.

To change the pre-shared key, leverage the Cloud Discovery Service Library API: