5.1. Interoperability

5.1.1. [Critical] Wrong out-of-the-box Governance configuration for legacy Builtin Secure Logging topic *

The out-of-the-box Governance configuration for the DDS:Security:LogTopic legacy builtin topic was wrong in Security Plugins 7.2.0. This issue prevented DDS:Security:LogTopic DataReaders from being interoperable with previous versions of Connext and with other vendors. The workaround was to manually configure the topic-level security attributes in the Governance Document:

<topic_rule>
    <topic_expression>DDS:Security:LogTopic</topic_expression>
    <enable_discovery_protection>false</enable_discovery_protection>
    <enable_liveliness_protection>false</enable_liveliness_protection>
    <enable_read_access_control>true</enable_read_access_control>
    <enable_write_access_control>false</enable_write_access_control>
    <metadata_protection_kind>SIGN</metadata_protection_kind>
    <data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>

Now there is no need to configure the builtin logging topic security attributes in the Governance Document. Subscriptions to both the legacy and non-legacy builtin logging topics should work out-of-the-box.

[RTI Issue ID SEC-2278]
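For deployments still on 7.2.0 that depend on the workaround, the following added example (not RTI code) checks that an unsigned Governance XML actually applies the workaround values to DDS:Security:LogTopic. It assumes the DDS Security behaviour that the first matching topic_rule within a domain_rule is the one applied; the function names and the sample document are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

LOG_TOPIC = "DDS:Security:LogTopic"
# Topic-level values copied from the workaround rule in this release note.
EXPECTED = {
    "enable_discovery_protection": "false",
    "enable_liveliness_protection": "false",
    "enable_read_access_control": "true",
    "enable_write_access_control": "false",
    "metadata_protection_kind": "SIGN",
    "data_protection_kind": "ENCRYPT",
}

def check_log_topic_rules(governance_xml):
    """Map each non-conforming <domain_rule> index to {attribute: (found, expected)}.
    The first <topic_rule> whose <topic_expression> matches is the one applied, so
    an earlier catch-all can shadow the workaround rule; None = no rule matched."""
    findings = {}
    for idx, domain_rule in enumerate(ET.fromstring(governance_xml).iter("domain_rule")):
        applied = next(
            (r for r in domain_rule.iter("topic_rule")
             if fnmatch.fnmatchcase(LOG_TOPIC, (r.findtext("topic_expression") or "").strip())),
            None)
        if applied is None:
            findings[idx] = None
            continue
        diffs = {k: ((applied.findtext(k) or "").strip(), want)
                 for k, want in EXPECTED.items()
                 if (applied.findtext(k) or "").strip() != want}
        if diffs:
            findings[idx] = diffs
    return findings

def _rule(expr, values):
    body = "".join(f"<{k}>{v}</{k}>" for k, v in values.items())
    return f"<topic_rule><topic_expression>{expr}</topic_expression>{body}</topic_rule>"

def _domain(*rules):
    return "<domain_rule><topic_access_rules>" + "".join(rules) + "</topic_access_rules></domain_rule>"

# Constructed sample (unsigned XML): domain rule 0 puts a catch-all ahead of the
# workaround rule, domain rule 1 lists the workaround rule first.
_OPEN = dict(EXPECTED, enable_read_access_control="false", data_protection_kind="NONE")
SAMPLE = "<dds><domain_access_rules>" + _domain(_rule("*", _OPEN), _rule(LOG_TOPIC, EXPECTED)) \
    + _domain(_rule(LOG_TOPIC, EXPECTED), _rule("*", _OPEN)) + "</domain_access_rules></dds>"

if __name__ == "__main__":
    print(check_log_topic_rules(SAMPLE))
```

An empty result means every domain rule applies the workaround values; a non-empty one names the domain rule and the attributes that differ, which in the sample is the shadowing catch-all in domain rule 0.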

5.1.2. [Major] Builtin Security Plugins incompatible with Lightweight Builtin Security Plugins when using non-default cryptographic algorithms *

Participant discovery matching between a DomainParticipant running the Lightweight Builtin Security Plugins and a DomainParticipant running the Builtin Security Plugins was incorrectly evaluated as incompatible if the latter modified the <allowed_security_algorithms> tag in the Governance Document (if present) in a way that excluded the default security algorithms. (See allowed_security_algorithms (domain_rule), in the RTI Security Plugins User’s Manual.)

Matching also failed if the DomainParticipant running the Builtin Security Plugins required an algorithm that is not part of the default set. For example, in the Governance Document of the Builtin Security Plugins you can restrict the supported key-exchange algorithm to ECDHE-CEUM+P384 and then configure the com.rti.serv.secure.authentication.key_establishment_algorithm property. This configuration would have resulted in the following error message when trying to match with a Lightweight DomainParticipant:

ERROR [[...]{Entity=DR,MessageKind=DATA}|RECEIVE FROM [...]{Domain=0}|ASSERT REMOTE DP|
GET REMOTE DP SECURITY STATE|LC:DISC,SEC]
PRESParticipant_getRemoteParticipantInitialSecurityState:[...]
"security info for authenticated remote participant [...]  does not match the one for local participant [...].
Dropping participant announcement..."}}

Now the Builtin Security Plugins and the Lightweight Builtin Security Plugins properly interoperate when using a compatible configuration, as described in

[RTI Issue ID SEC-2286]



* This bug does not affect you if you are upgrading from 6.1.x or earlier.