Plugin configuration

Cyclone DDS gets the security configuration from XML configuration elements or from the participant QoS policies as stated in the OMG DDS Security specification (DDS security).

This behavior allows applications to use DDS Security without recompiling the binaries. Supplying a new configuration with DDS Security enabled is enough to switch from a non-secure to a secure deployment. The configuration is at domain level, which means that all participants created for that domain receive the same DDS security settings.

The configuration options for a domain are in the Cyclone DDS configuration (/Domain/Security). Every DDS Security plugin has its own configuration sub-section.

Authentication properties

To enable authentication for a node, it must be configured with an IdentityCertificate, which authenticates all participants of that particular Cyclone DDS domain. Associated with the identity certificate is the corresponding PrivateKey.

The private key is either a 2048-bit RSA key, or a 256-bit Elliptic Curve Key with a prime256v1 curve.

The certificate of identity CA, which is the issuer of the node’s identity certificate, is configured in IdentityCA.

The public key of the identity CA (as part of its certificate) is either a 2048-bit RSA key, or a 256-bit Elliptic Curve key for the prime256v1 curve. The identity CA certificate can be a self-signed certificate.

The identity certificate, private key and the identity CA should be a X509 document in PEM format. It may either be specified directly in the configuration file (as CDATA, prefixed with data:,), or the configuration file should contain a reference to a corresponding file (prefixed with file:).

Optionally, the private key can be protected by a password.

To enable multiple identity CAs throughout the system, you can configure a directory that contains additional identity CA’s that verify the identity certificates received from remote instances (TrustedCADirectory).

Access control properties

The following are are required for the access control plugin:

• A governance document (//CycloneDDS/Domain/Security/AccessControl/Governance).

• a permissions document (//CycloneDDS/Domain/Security/AccessControl/Permissions).

• The permissions CA certificate (//CycloneDDS/Domain/Security/AccessControl/PermissionsCA).

These values can be provided as CDATA or by using a path to a file (Similar to the authentication plugin properties).

Cryptography properties

The cryptography plugin has no configuration properties.