Security README

This README describes the different files in this folder.

setup_security.sh

Uses OpenSSL to generate keys and identity certificates, and to sign the XML permissions and governance files.

To run the secure version of a module, you need the RTI Security Plugins installed (see the RTI Security Plugins Installation Guide).

Generate the security artifacts using OpenSSL. This includes identity certificates, private keys, and the signing of DDS Security XML permissions & governance files located in system_arch/security.

cd system_arch/security
./setup_security.sh

ca

Certificate Authority files. The .cnf file will be used to create the CA private key and CA identity certificate.

identities

Identities for all system participants that are generated by OpenSSL in the setup_security.sh script.

xml

XML governance file for the domain and permissions documents for each participant. The signed versions of these will be in xml/signed.

Good practices for DDS Security

  1. One governance document per system.
  2. One permissions document and identity certificate per application.
  3. The permissions document specifies exactly which topics can be published or subscribed to, and the default rule is to DENY. This ensures the strictest possible permissions for your system.

Considerations for this reference architecture

The security artifacts in this reference architecture show how applications can be easily modified to integrate features from RTI Security Plugins. This is not comprehensive cybersecurity advice for a production system.

Here are some considerations to keep in mind:

  1. For this reference architecture, we are using just one self-signed CA as the root-of-trust for simplicity. You can specify different CAs for identities vs permissions and governance XML files.
  2. For this reference architecture, all topics are configured with a common governance access rule for simplicity. A robust secure system should configure granular governance access rules and permissions grants, to ensure necessary data protection and access for each topic is enforced appropriately.
  3. In a deployed system, you will need to manage the lifecycle of these certificates using a PKI or other security tools, not just self-signed certificates.
  4. You should also implement safeguards for certificate revocation based on your threat model, and implement other cybersecurity best practices like security information and event management (SIEM).

See the RTI Security Plugins User's Manual for more detail on Design Considerations and Best Practices.