Security Plugins
- 1. Overview
- 1.1. Description of DDS System Threats
- 1.2. Applying DDS Protection
- 1.3. Introduction to the Security Plugins
- 2. Using Security Plugins
- 3. Elements of a Security Plugins System
- 3.1. QoS Properties
- 3.2. Public Key Infrastructure (PKI)
- 3.3. Governance Document
- 3.4. Permissions Document
- 3.5. Security Builtin Topics
- 4. Authentication
- 4.1. Handshake
- 4.2. Authentication Builtin Topic (ParticipantStatelessMessage)
- 4.3. Related Governance Rules
- 4.4. Cryptographic Algorithms
- 4.5. Advanced Authentication Concepts
- 4.5.1. Protecting Participant Discovery
- 4.5.2. Identity Certificate Chaining
- 4.5.3. Re-Authentication
- 4.5.4. Guidelines for Minimizing Authentication Negotiation Times
- 4.5.5. Dynamic Certificate Revalidation
- 4.5.6. Dynamic Certificate Revocation of Remote DomainParticipants through Whitelisting
- 4.5.7. CRL Expiration
- 4.5.8. Dynamic Certificate Renewal of a DomainParticipant
- 4.6. Properties for Configuring Authentication
- 5. Access Control
- 6. Cryptography
- 6.1. Introduction
- 6.2. Cryptographic Algorithms
- 6.3. Secure Entities
- 6.4. Secure Key Exchange Channel (ParticipantVolatileMessageSecure Topic)
- 6.5. Securing DDS Messages on The Wire
- 6.6. Security Protections Applied by DDS Entities
- 6.7. Related Governance Rules
- 6.7.1. Understanding ProtectionKinds
- 6.7.2. Domain-Level Rules
- 6.7.2.1. rtps_protection_kind (domain_rule)
- 6.7.2.2. rtps_psk_protection_kind (domain_rule)
- 6.7.2.3. discovery_protection_kind (domain_rule)
- 6.7.2.4. liveliness_protection_kind (domain_rule)
- 6.7.2.5. monitoring_metrics_protection_kind (domain_rule)
- 6.7.2.6. monitoring_logging_protection_kind (domain_rule)
- 6.7.2.7. service_request_protection_kind (domain_rule)
- 6.7.2.8. instance_state_consistency_protection_kind (domain_rule)
- 6.7.2.9. allowed_security_algorithms (domain_rule)
- 6.7.3. Topic-Level Rules
- 6.8. Advanced Cryptography Concepts
- 6.8.1. Reliability Behavior When MAC Verification Fails
- 6.8.2. Configuring Reliability Protocol Settings of the Secure Key Exchange Topic
- 6.8.3. Securing Application-Level Acknowledgments
- 6.8.4. Origin Authentication Protection Implications
- 6.8.5. Reencoding Protected Data when Regenerating Keys
- 6.8.6. Interactions with Persistence Service
- 6.8.7. Interactions with FlatData and Zero Copy
- 6.8.8. Lightweight Security Pre-Shared Key RTPS Protection
- 6.8.9. Interactions with Instance State Consistency
- 6.9. Properties for Configuring Cryptography
- 7. Security Events and Logging
- 8. Data Tagging
- 9. Building and Running Security Plugins-Based Applications
- 9.1. Linking Applications with the Security Plugins
- 9.2. Mixing Libraries Not Supported
- 9.3. Properties for Enabling Security
- 9.4. Advanced Concepts
- 9.5. Platform-Specific Notes
- 9.6. Libraries Required for Using the Builtin Security Plugins
- 9.7. Libraries Required for Using the Lightweight Builtin Security Plugins
- 10. Design Considerations
- 10.1. Factors Affecting Performance and Scalability in General
- 10.2. Security Plugins’ Impact on Scalability at Startup
- 10.3. Security Plugins Impact on Scalability and Performance During Steady State
- 10.3.1. Overhead of the Different Protection Kinds
- 10.3.2. Factors Impacting Performance and Scalability During Steady State
- 10.3.2.1. Performance Impact of Different Protection Kinds
- 10.3.2.2. Interaction Between the Security Plugins and Batching QoS
- 10.3.2.3. Interaction Between the Security Plugins and Multicast
- 10.3.2.4. Interaction with Reliability
- 10.3.2.5. Scalability Considerations for Origin Authentication Protection
- 10.3.2.6. Interaction with Content Filtered Topics
- 10.3.2.7. Interaction with Topic Queries
- 10.3.2.8. Interaction with Asynchronous Publishing
- 10.3.2.9. Interaction with Compression
- 10.3.2.10. Interaction with CRC
- 10.3.2.11. Interaction with Transport UDPv4_WAN
- 10.4. Recommendations for usage with Observability Framework
- 11. Best Practices
- 11.1. Choosing the Granularity of Your Permissions Documents for DomainParticipants
- 11.2. Using Serialized Data Protection Along with Submessage/RTPS Protection
- 11.3. Using Separate Domains for Secure and Unsecure Participants
- 11.4. Keeping Governance and Permissions Compatibility Across Different Security Plugins Versions
- 12. Support for OpenSSL Engines
- 13. Support for OpenSSL Providers
- 14. What’s Different Between the Security Plugins and the OMG Security Specification
- 14.1. Differences Affecting Builtin Plugins to be Addressed by Next DDS Security Specification
- 14.2. Differences Affecting Builtin Plugins
- 14.3. Differences Affecting Custom Plugins
- 14.3.1. Authentication
- 14.3.2. Access Control
- 14.3.2.1. check_remote_topic
- 14.3.2.2. check_local_datawriter_register_instance
- 14.3.2.3. check_local_datawriter_dispose_instance
- 14.3.2.4. check_remote_datawriter_register_instance
- 14.3.2.5. check_remote_datawriter_dispose_instance
- 14.3.2.6. check_local_datawriter_match / check_local_datareader_match
- 14.3.2.7. Revocation
- 14.3.2.8. PermissionsToken
- 14.3.3. Cryptography
- 15. Pre-Shared Key Protection
- 16. The Lightweight Builtin Security Plugins
- 17. Relevant Connext APIs
- 18. DDS Security Data Visualization with RTI Administration Console
- 19. Support for RTI Infrastructure Services
- 20. Support for RTI Real-Time WAN Transport
- 21. Support for RTI Observability Framework
- 21.1. Creating a Governance Document for Observability Framework
- 21.2. Creating a Permissions Document for Collector Service
- 21.3. Creating a Permissions Document for Monitoring Library 2.0
- 21.4. Enabling Security Plugins in Collector Service
- 21.5. Enabling Security Plugins in Monitoring Library 2.0