15. HMAC-Only mode

Attention

The Builtin Security Plugins' HMAC-Only mode is deprecated; the Lightweight Builtin Security Plugins should be used instead (see The Lightweight Builtin Security Plugins for details). HMAC-Only mode remains functional in this release only for integration with legacy systems and should not be used in new deployments. For detailed information on the Builtin Security Plugins' HMAC-Only mode and its configuration, refer to the Security Plugins 6.1.2 documentation.

The Builtin Security Plugins library includes an alternative, now deprecated, set of plugins that run in HMAC-Only mode. These plugins protect RTPS messages with a user-provided HMAC Key while disabling all other security features (authentication, access control and encryption). The same key is used both to protect the integrity of outgoing messages and to authenticate incoming messages.

Table 15.1 Properties for Configuring HMAC-Only mode

Columns: Property Name (prefix with com.rti.serv.secure.) [1]  |  Property Value Description

hmac_only.enabled
    Optional. << DEPRECATED >>
    Enables or disables the Builtin Security Plugins' HMAC-Only mode.
    Note: When HMAC-Only mode is enabled, the properties that configure options unrelated to HMAC-Only mode are either ignored or cause a failure when the Builtin Security Plugins are created. Similarly, if HMAC-Only mode is disabled, all of the other properties listed in this table are ignored.
    Boolean.
    Default: FALSE

hmac_only.cryptography.key
    Required if hmac_only.enabled = TRUE. << DEPRECATED >>
    Pre-shared key from which the Builtin Security Plugins derive the HMAC Key used to compute message authentication codes. The pre-shared key can be either a plain-text string (prefixed by str:) or an arbitrary binary string (prefixed by hex:). Empty keys are not allowed. DomainParticipants must set this property to the same value in order to communicate with each other.
    This pre-shared key is also used to derive the HMAC Key used to compute message authentication codes over UDP WAN binding pings.
    String.
    Default: not set

hmac_only.cryptography.max_blocks_per_session
    Optional. << DEPRECATED >>
    To protect the integrity of RTPS messages, HMAC-Only mode uses a Session Key derived from the HMAC Key and a Session ID. The Session ID is serialized as part of the protected RTPS message. This property sets the number of message blocks to protect before the Session ID changes. The current message block size is fixed at 32 bytes, so this property controls the number of 32-byte blocks protected with the same Session Key.
    Unsigned integer: [1 - MAX_UINT64]
    Default: MAX_UINT64
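The following added example (not code from the Security Plugins) models the three properties above: it parses the str:/hex: key format, counts 32-byte blocks per message, and rotates the Session ID once max_blocks_per_session is spent. The key derivation (HMAC-SHA256 of the pre-shared key and of the Session ID) and the tag layout are assumptions for illustration, not the plugins' actual algorithm or wire format.

```python
import hashlib
import hmac
import math

BLOCK_SIZE = 32  # message block size fixed at 32 bytes, per the table


def parse_preshared_key(value: str) -> bytes:
    """Parse an hmac_only.cryptography.key value: 'str:' or 'hex:' prefix, non-empty."""
    if value.startswith("str:"):
        key = value[4:].encode()
    elif value.startswith("hex:"):
        key = bytes.fromhex(value[4:])
    else:
        raise ValueError("key must be prefixed with str: or hex:")
    if not key:
        raise ValueError("empty keys are not allowed")
    return key


class HmacOnlySession:
    """One participant's view of Session Key rotation (illustrative model)."""

    def __init__(self, key_property: str, max_blocks_per_session: int):
        if max_blocks_per_session < 1:
            raise ValueError("max_blocks_per_session must be in [1 - MAX_UINT64]")
        # ASSUMPTION: HMAC Key = HMAC-SHA256(pre-shared key, fixed label)
        psk = parse_preshared_key(key_property)
        self.hmac_key = hmac.new(psk, b"HMAC-Only", hashlib.sha256).digest()
        self.max_blocks = max_blocks_per_session
        self.session_id = 0      # serialized alongside each protected message
        self.blocks_used = 0     # 32-byte blocks protected under session_id

    def session_key(self, session_id: int) -> bytes:
        # ASSUMPTION: Session Key = HMAC-SHA256(HMAC Key, Session ID)
        return hmac.new(self.hmac_key, session_id.to_bytes(4, "big"), hashlib.sha256).digest()

    def protect(self, rtps_message: bytes):
        """Return (session_id, tag); start a new session when the block budget is spent."""
        blocks = max(1, math.ceil(len(rtps_message) / BLOCK_SIZE))
        if self.blocks_used and self.blocks_used + blocks > self.max_blocks:
            self.session_id += 1
            self.blocks_used = 0
        self.blocks_used += blocks
        tag = hmac.new(self.session_key(self.session_id), rtps_message, hashlib.sha256).digest()
        return self.session_id, tag

    def verify(self, rtps_message: bytes, session_id: int, tag: bytes) -> bool:
        """Receiver side: rederive the Session Key from the received Session ID."""
        expected = hmac.new(self.session_key(session_id), rtps_message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

Because the receiver rederives the Session Key from the Session ID carried in the message, two participants only interoperate when their hmac_only.cryptography.key values match, which is the constraint the table states.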