18. DDS Security Data Visualization with RTI Administration Console

RTI Administration Console is compatible with RTI Security Plugins. Configuring security in Administration Console will allow you to visualize and troubleshoot your DDS Secure system. The security configuration is under Preferences > Security. There, you can secure Administration Console’s DomainParticipants by checking the Enable Security for specified Domains checkbox. The security preferences will only apply to the domains listed in the Domain Filter field. Note that a * in this field will apply security to all domains; you can also use patterns like 2,3 or 8,9-12,23.

After setting the Domain Filter to the desired domains where you want to visualize your DDS Secure system, you have to set the security artifacts that Administration Console’s DomainParticipants will use, as shown in Table 18.1, Table 18.2, Table 18.3, Table 18.4.

Note

As a prerequisite for using security in Administration Console, you need to install the RTI Security Plugins. For this, you can follow the instructions in the RTI Security Plugins Installation Guide.

Figure 18.1 is an example of the values to configure Administration Console to work with the “Security::SecureAllowAll” profile of Shapes Demo:

Security Panel in Admin Console's Preferences

Figure 18.1 Security Panel in Administration Console’s Preferences

The following tables describe the purpose of each field.

Note

If you are using Administration Console 5.3.x, make sure to click the Apply button. This is critical because the settings won’t be applied if you just click OK.

Table 18.1 Fields to Configure Authentication in Administration Console

Field

Description

Key Establishment Algorithm

Required

The algorithm used to establish a Shared Secret during authentication, as defined by the authentication.key_establishment_algorithm property.

For details, see Table 4.2.

Identity Certificate Authority

Required

Provides Administration Console’s DomainParticipants with the Identity CA, as defined by the dds.sec.auth.identity_ca property.

For details, see Table 4.1.

Certificate Revocation List

Optional

The Identity CA can maintain a certificate revocation list (CRL) with information about digital certificates that have been revoked before their scheduled expiration date and should no longer be trusted.

With this field you can provide the CRL to the Administration Console’s DomainParticipants, as defined by the authentication.crl property.

For details, see Table 4.2.

Private Key

Required

Provides Administration Console’s DomainParticipants with a Private Key, as defined by the dds.sec.auth.private_key property.

For details, see Table 4.1.

For details, see Table 4.1.

Private Key Password

Only required if the Private Key is encrypted

The password used to decrypt the Private Key. This field is interpreted as the Base64 encoding of the symmetric key that will be used to decrypt the Private Key, as defined by the dds.sec.auth.password property.

If the password is wrong, Administration Console will fail to create the secure participants and will report multiple errors in the Console Log.

Identity Certificate

Required

Provides Administration Console’s DomainParticipants with an Identity Certificate, as defined by the dds.sec.auth.identity_certificate property.

Security Advance Notice Expiration (seconds)

Required

Controls how much time in advance to notify the user when the local DomainParticipant’s certificate is about to expire. For more information, read the documentation on the dds.participant.trust_plugins.certificate_expiration_advance_notice_duration.sec property.

Table 18.2 Fields to Configure Access Control in Administration Console

Field

Description

Permissions Certificate Authority

Required

Provides Administration Console’s DomainParticipants with the Permissions CA, as defined by the dds.sec.access.permissions_ca property.

For details, see Table 5.3.

Governance Document

Required

Provides Administration Console’s DomainParticipants with the Governance Document, as defined by the dds.sec.access.governance property.

For details, see Table 5.3.

Permissions Document

Required

Provides Administration Console’s DomainParticipants with the Permissions Document, as defined by the dds.sec.access.permissions property.

For details, see Table 5.3.

Table 18.3 Fields to Configure Cryptography in Administration Console

Field

Description

Encryption Algorithm

Required

The algorithm that the Sender uses for the encryption transformation, as defined by the cryptography.encryption_algorithm property.

For details, see Table 6.8.

Key Revision Max History Depth

Optional

Number of key revisions used to encode samples in the DataWriter’s queues, as defined by the dds.participant.trust_plugins.key_revision_max_history_depth property. If the option is not selected, this property takes a value of 0 (key revisions are disabled). If the option is selected, the number must be between 7 and 1000000.

Pre-shared key

Only required if pre-shared key protection is enabled

Seed used to derive the pre-shared key (in combination with publicly available data). The key is used for encoding and decoding RTPS messages. It is only effective in RTI Security Plugins if the Governance Document configures the rtps_preshared_secret_protection_kind to a value different than NONE. Otherwise, it has no effect.

Table 18.4 Fields to Configure Logging in Administration Console

Field

Description

Security Logging Verbosity (local)

Required

The logging verbosity level, as defined by the logging.verbosity property.

For details, see Table 7.2.

18.1. RTI Administration Console and the Lightweight Security Plugins

Administration Console loads the full Security Plugins library (nddssecurity) when you check Enable Security for specified Domains in the Security panel of Administration Console’s preferences.

Currently, there is no Graphical User Interface option to load the Lightweight Security Plugins library (nddslightweightsecurity) instead of the full Security Plugins. However, you can still use Administration Console in combination with Lightweight Security Plugins if you set a custom QoS profile that loads the Lightweight Security Plugins library. To do so, follow the instructions in Using your own QoS profile in RTI Admin Console from our Knowledge Base. A simple QoS file would look like:

<?xml version="1.0"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="https://community.rti.com/schema/6.1.1/rti_dds_profiles.xsd">
  <qos_library name="ExampleAdminConsole">

    <qos_profile name="BaseProfile" base_name="BuiltinQosLib::Generic.Security">
      <!--
        Copy here the contents of the BaseProfile that you can find in
        $NDDSHOME/resource/xml/RTI_ADMIN_CONSOLE_EXAMPLE_PROFILE.xml

        It is important that now the profile inherits from
        "BuiltinQosLib::Generic.Security".
      -->
    </qos_profile>

    <qos_profile name="Default" base_name="ExampleAdminConsole::BaseProfile">
      <!--
        Copy here the contents of the Default that you can find in
        $NDDSHOME/resource/xml/RTI_ADMIN_CONSOLE_EXAMPLE_PROFILE.xml

        Nothing changes with respect to
        RTI_ADMIN_CONSOLE_EXAMPLE_PROFILE.xml.
      -->
    </qos_profile>

    <!--
      Load the lightweight Security Plugins and set the pre-shared key
      seed.
      You can configure additional QoS values here.
    -->
    <qos_profile name="PreSharedKey" base_name="ExampleAdminConsole::Default">
      <domain_participant_qos>
        <property>
          <value>
            <element>
              <name>com.rti.serv.secure.library</name>
              <value>nddslightweightsecurity</value>
            </element>
            <element>
              <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key</name>
              <value>UseYourOwnSecretSeed</value>
            </element>
          </value>
        </property>
      </domain_participant_qos>
    </qos_profile>
  </qos_library>
</dds>