Plugin configuration

Cyclone DDS gets the security configuration from XML configuration elements or from the participant QoS policies as stated in the OMG DDS Security specification (DDS security).

This behavior allows applications to use DDS Security without recompiling the binaries. Supplying a new configuration with DDS Security enabled is enough to switch from a non-secure to a secure deployment. The configuration is at domain level, which means that all participants created for that domain receive the same DDS security settings.

The configuration options for a domain are in the Cyclone DDS configuration (/Domain/Security). Every DDS Security plugin has its own configuration sub-section.

Authentication properties

To enable authentication for a node, it must be configured with an IdentityCertificate, which authenticates all participants of that particular Cyclone DDS domain. Associated with the identity certificate is the corresponding PrivateKey.

The private key is either a 2048-bit RSA key, or a 256-bit Elliptic Curve Key with a prime256v1 curve.

The certificate of identity CA, which is the issuer of the node’s identity certificate, is configured in IdentityCA.

The public key of the identity CA (as part of its certificate) is either a 2048-bit RSA key, or a 256-bit Elliptic Curve key for the prime256v1 curve. The identity CA certificate can be a self-signed certificate.

The identity certificate, private key and the identity CA should be a X509 document in PEM format. These values can be specified using one of the following URI schemes:

• file:: Reference to a PEM file on the filesystem (e.g., file:identity_cert.pem)

• data:,: Inline PEM data embedded directly in the configuration

• pkcs11:: Reference to an object on a PKCS#11 token or HSM (e.g., pkcs11:token=MyHSM;object=identity_cert)

For deployments requiring hardware-based key protection, the pkcs11: scheme enables storing private keys and certificates on Hardware Security Modules (HSMs). See PKCS#11 and Hardware Security Module (HSM) for configuration details.

Optionally, the private key can be protected by a password.

To enable multiple identity CAs throughout the system, you can configure a directory that contains additional identity CA’s that verify the identity certificates received from remote instances (TrustedCADirectory).

Access control properties

The following are are required for the access control plugin:

• A governance document (//CycloneDDS/Domain/Security/AccessControl/Governance).

• A permissions document (//CycloneDDS/Domain/Security/AccessControl/Permissions).

• The permissions CA certificate (//CycloneDDS/Domain/Security/AccessControl/PermissionsCA).

The permissions CA certificate supports the same URI schemes as the authentication properties, including pkcs11: for HSM-based storage.

The governance and permissions documents are signed XML policy files. These must be provided using file: or data:, URIs; PKCS#11 is not supported for retrieving these documents. Their integrity is protected by PKCS#7 signatures, which are verified using the permissions CA certificate.

Cryptography properties

The cryptography plugin has no configuration properties.