9. Security
Important
The RTI Security Plugins are required to use the security features available in Cloud Discovery Service. For information on how to obtain the Security Plugins package, check the RTI Customer portal, contact support@rti.com, or contact your account team.
You can use symmetric cryptography with a pre-shared key to protect the communication between Cloud Discovery Service and the active DomainParticipants, as described in Security Considerations when Using Cloud Discovery Service in the RTI Security Plugins User's Manual.
Cloud Discovery Service uses the Lightweight Builtin Security Plugins to protect the integrity and/or confidentiality of RTPS messages. Because the protection operates at the RTPS level, it is applied to all messages exchanged between the DomainParticipants and Cloud Discovery Service, including the participant announcements and, when using the Real-Time WAN Transport, the BINDING_PING messages.
Attention
In prior releases, Cloud Discovery Service and the Real-Time WAN Transport could be protected with the following properties, both now deprecated:
<<deprecated>> com.rti.serv.secure.cryptography.rtps_protection_key
<<deprecated>> com.rti.serv.secure.authentication.participant_discovery_protection_key
They are still functional, but are intended only for communicating with legacy systems. This functionality will be removed in a future release and is not suitable for new deployments. For a detailed description of the legacy properties, refer to the Security Plugins and Cloud Discovery Service 6.1.2 documentation.
9.1. Configuration
To configure security in Cloud Discovery Service, you can set the following properties:
dds.sec.crypto.rtps_psk_secret_passphrase
- This is the key value used by the Lightweight Builtin Security Plugins inside Cloud Discovery Service to protect the integrity and/or confidentiality of RTPS messages. The value must be the same on all the DomainParticipants and Cloud Discovery Service. For further details, see "Configuring the Lightweight Builtin Security Plugins" in the RTI Security Plugins User's Manual.
dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm
- This is the Pre-Shared Key Protection algorithm used by the DomainParticipants and Cloud Discovery Service. The value must be the same on all the DomainParticipants and Cloud Discovery Service. For further details, see "Configuring the Lightweight Builtin Security Plugins" in the RTI Security Plugins User's Manual.
dds.sec.access.rtps_psk_protection_kind
- This property selects the type of protection (none, integrity only, or confidentiality and integrity) that the DomainParticipants and Cloud Discovery Service apply to RTPS messages. The value must be the same on all the DomainParticipants and Cloud Discovery Service. For further details, see "Configuring the Lightweight Builtin Security Plugins" in the RTI Security Plugins User's Manual.
dds.participant.discovery_config.signature_validation_persistent_state_file
- This property enables protection against replay of Cloud Discovery Service participant announcements. It is needed when a running Cloud Discovery Service instance configured with the security properties above may be restarted, because the state used to reject replayed announcements must survive the restart. For further details, see Protection Against a Cloud Discovery Service Participant Announcement Replay Attack.
In Cloud Discovery Service, set the above properties by updating the <property> tag inside the <security> tag (see Configuration for Security).
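The following is an added example of a complete Cloud Discovery Service configuration that sets the four properties above; it is not taken from the RTI documentation. The service name, the file path, the `<transport>` block (the `builtin.udpv4_wan` alias and `<receive_port>`), the `<property>/<element>/<name>/<value>` nesting, and the literal cipher and protection-kind values (`AES256+GCM`, `ENCRYPT`) are assumptions to verify against the Cloud Discovery Service XSD and the "Configuring the Lightweight Builtin Security Plugins" section of the Security Plugins User's Manual; the passphrase is a placeholder whose required value format is defined in that manual.

```xml
<!-- Added example (not RTI's own configuration): Cloud Discovery Service with
     pre-shared-key RTPS protection through the Lightweight Builtin Security
     Plugins. Service name, paths, transport block, element nesting and the
     literal AES256+GCM / ENCRYPT values are assumptions; check them against
     rti_cloud_discovery_service.xsd and the Security Plugins User's Manual. -->
<dds>
  <cloud_discovery_service name="SecureCDS">

    <!-- Real-Time WAN Transport (alias assumed). Its BINDING_PING messages are
         protected as well, because the PSK protection applies at the RTPS level. -->
    <transport>
      <element>
        <alias>builtin.udpv4_wan</alias>
        <receive_port>7400</receive_port>
      </element>
    </transport>

    <security>
      <property>
        <!-- Shared secret: identical on every DomainParticipant and on this
             service. Keep this file owner-readable only; the value format the
             plugins expect is specified in the Security Plugins manual. -->
        <element>
          <name>dds.sec.crypto.rtps_psk_secret_passphrase</name>
          <value>REPLACE_WITH_SHARED_PASSPHRASE</value>
        </element>

        <!-- Cipher must match on all sides; AES256+GCM is an assumed value. -->
        <element>
          <name>dds.sec.crypto.rtps_psk_symmetric_cipher_algorithm</name>
          <value>AES256+GCM</value>
        </element>

        <!-- Protection kind must match on all sides. ENCRYPT is assumed to mean
             confidentiality and integrity, SIGN integrity only, and NONE turns
             RTPS protection off: never ship NONE outside a test bench. -->
        <element>
          <name>dds.sec.access.rtps_psk_protection_kind</name>
          <value>ENCRYPT</value>
        </element>

        <!-- Replay-protection state that must outlive a service restart:
             point it at a persistent, writable location (path assumed). -->
        <element>
          <name>dds.participant.discovery_config.signature_validation_persistent_state_file</name>
          <value>/var/lib/rti/cds/signature_validation_state.bin</value>
        </element>

        <!-- Do not add the deprecated com.rti.serv.secure.* key properties here;
             they exist only for interoperating with legacy systems. -->
      </property>
    </security>

  </cloud_discovery_service>
</dds>
```

The three `dds.sec.*` properties must carry exactly the same values in the PropertyQosPolicy of every DomainParticipant that is expected to reach the service; a participant with a different passphrase, cipher, or protection kind cannot exchange protected announcements with it. Because this is a single pre-shared secret, compromise of any one participant exposes the key for all of them, so rotate it as you would any shared credential and restrict read access to the configuration file that holds it.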