5.1. Interoperability
5.1.1. [Critical] Wrong out-of-the-box Governance configuration for legacy Builtin Secure Logging topic *
The out-of-the-box Governance configuration for the legacy DDS:Security:LogTopic builtin topic was wrong in Security Plugins 7.2.0. This issue prevented DDS:Security:LogTopic DataReaders from interoperating with previous versions of Connext and with other vendors. The workaround was to manually configure the topic-level security attributes for that topic in the Governance Document:
<topic_rule>
    <topic_expression>DDS:Security:LogTopic</topic_expression>
    <enable_discovery_protection>false</enable_discovery_protection>
    <enable_liveliness_protection>false</enable_liveliness_protection>
    <enable_read_access_control>true</enable_read_access_control>
    <enable_write_access_control>false</enable_write_access_control>
    <metadata_protection_kind>SIGN</metadata_protection_kind>
    <data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
Now there is no need to configure the builtin logging topic security attributes in the Governance Document: subscriptions to both the legacy and non-legacy builtin logging topics should work out-of-the-box.
[RTI Issue ID SEC-2278]
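As an added check (example code written for this note, not part of RTI's release or of the Security Plugins), the following Python linter parses a Governance Document and reports whether an explicit DDS:Security:LogTopic topic_rule is still present (the 7.2.0 workaround, which is no longer required) and whether its attributes match the values listed above. The document layout (dds/domain_access_rules/domain_rule/topic_access_rules/topic_rule) follows the OMG DDS Security Governance schema; the sample documents, the helper names and the domain range used below are constructed for the example.

```python
"""Lint a Security Plugins Governance Document for the legacy
DDS:Security:LogTopic topic rule.  Added example, not RTI code."""
import xml.etree.ElementTree as ET

LEGACY_LOG_TOPIC = "DDS:Security:LogTopic"

# Topic-level attributes the 7.2.0 workaround had to set for the legacy
# builtin logging topic (values taken from the release note above).
EXPECTED_LOG_TOPIC_RULE = {
    "enable_discovery_protection": "false",
    "enable_liveliness_protection": "false",
    "enable_read_access_control": "true",
    "enable_write_access_control": "false",
    "metadata_protection_kind": "SIGN",
    "data_protection_kind": "ENCRYPT",
}


def find_topic_rules(governance_xml, topic_expression):
    """Return every <topic_rule> whose <topic_expression> equals
    topic_expression, across all <domain_rule> elements in the document."""
    root = ET.fromstring(governance_xml)
    matches = []
    for rule in root.iter("topic_rule"):
        expr = rule.findtext("topic_expression")
        if expr is not None and expr.strip() == topic_expression:
            matches.append(rule)
    return matches


def check_log_topic_rule(governance_xml):
    """Report on explicit DDS:Security:LogTopic rules in the document.

    Returns {"explicit_rules": <count>, "findings": [<text>, ...]}.
    explicit_rules > 0 means the old workaround is still configured; each
    finding names an attribute that is missing or differs from the
    workaround values (a rule with findings would not reproduce the
    intended protection for the logging topic)."""
    findings = []
    rules = find_topic_rules(governance_xml, LEGACY_LOG_TOPIC)
    for rule in rules:
        for tag, expected in EXPECTED_LOG_TOPIC_RULE.items():
            actual = rule.findtext(tag)
            if actual is None:
                findings.append(f"{tag}: missing (expected {expected})")
            elif actual.strip() != expected:
                findings.append(f"{tag}: {actual.strip()} (expected {expected})")
    return {"explicit_rules": len(rules), "findings": findings}


def governance_with_rules(rule_body):
    """Constructed minimal Governance Document wrapping rule_body inside
    one domain_rule (domain range and domain-level settings are sample
    values, not recommendations)."""
    return f"""<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id_range><min>0</min><max>230</max></id_range></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
{rule_body}
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>"""


# Constructed sample rules: the exact 7.2.0 workaround, and a variant that
# drops read access control and leaves the log data unencrypted.
WORKAROUND_RULE = """        <topic_rule>
          <topic_expression>DDS:Security:LogTopic</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>"""

WEAK_RULE = """        <topic_rule>
          <topic_expression>DDS:Security:LogTopic</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>"""

GOVERNANCE_WORKAROUND = governance_with_rules(WORKAROUND_RULE)
GOVERNANCE_WEAK = governance_with_rules(WEAK_RULE)
GOVERNANCE_NO_RULE = governance_with_rules("")

if __name__ == "__main__":
    for name, doc in [("workaround", GOVERNANCE_WORKAROUND),
                      ("weak", GOVERNANCE_WEAK),
                      ("no explicit rule", GOVERNANCE_NO_RULE)]:
        print(name, check_log_topic_rule(doc))
```

Run it against your own Governance Document by replacing the constructed samples with the file contents; a non-zero explicit_rules count with no findings means the workaround is still in place and can be removed once you run a release that carries this fix.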
5.1.2. [Major] Builtin Security Plugins incompatible with Lightweight Builtin Security Plugins when using non-default cryptographic algorithms *
Participant discovery matching between a DomainParticipant running the Lightweight Builtin Security Plugins and a DomainParticipant running the Builtin Security Plugins incorrectly evaluated as incompatible if the latter modified the <allowed_security_algorithms> tag in the Governance Document (if present) in a way that excluded the default security algorithms. (See allowed_security_algorithms (domain_rule), in the RTI Security Plugins User's Manual.)
Matching also failed if the DomainParticipant running the Builtin Security Plugins required an algorithm that is not part of the default set. For example, in the Governance Document of the Builtin Security Plugins you can restrict the supported key-exchange algorithm to ECDHE-CEUM+P384 and then configure the com.rti.serv.secure.authentication.key_establishment_algorithm property to match. This configuration would have resulted in the following error message when trying to match with a Lightweight DomainParticipant:
ERROR [[...]{Entity=DR,MessageKind=DATA}|RECEIVE FROM [...]{Domain=0}|ASSERT REMOTE DP|
GET REMOTE DP SECURITY STATE|LC:DISC,SEC]
PRESParticipant_getRemoteParticipantInitialSecurityState:[...]
"security info for authenticated remote participant [...] does not match the one for local participant [...].
Dropping participant announcement..."}}
[RTI Issue ID SEC-2286]
* This bug does not affect you if you are upgrading from 6.1.x or earlier.