OpenSplice DDS Forum
getviswa

MAC access policy


Hello All,

I am using OpenSplice version 6.1 (evaluation).

DDSServer has the list of trusted certificates of the users; I would like to restrict the users who are not in the server's trusted list.

How can I implement this?

I have configured X.509 authentication and the MAC access policy. Really, I am struggling to know how it will work. Please explain the MAC access policy.

Following is the server configuration I have done so far:

ospl.xml

<OpenSplice>
  <Domain>
    <Name>DDSServer</Name>
    <Id>0</Id>
    <Database>
      <Size>10485760</Size>
    </Database>
    <Service enabled="true" name="networking">
      <Command>snetworking</Command>
    </Service>
    <Service name="durability">
      <Command>durability</Command>
    </Service>
    <Service name="cmsoap">
      <Command>cmsoap</Command>
    </Service>
  </Domain>
  <NetworkService name="networking">
    <Partitioning>
      <GlobalPartition Address="broadcast,x.x.x.x" SecurityProfile="GlobalProfile"/>
    </Partitioning>
    <Security enabled="true">
      <!-- attributes need whitespace between them: Name="..." Cipher="..." -->
      <SecurityProfile Name="GlobalProfile" Cipher="aes128" CipherKey="716AC3C0333D38D61B4CA0734C7A7274"/>
      <AccessControl enabled="true" policy="file:///opt/PrismTech/OpenSpliceDDS/V6.1.1p1/HDE/x86_64.linux2.6-debug/etc/config/access_policy.xml">
        <AccessControlModule enabled="true" type="MAC"/>
      </AccessControl>
      <Authentication enabled="true">
        <X509Authentication>
          <!-- element name is Credentials (was misspelled Credentails) -->
          <Credentials>
            <Key>file:///opt/PrismTech/OpenSpliceDDS/V6.1.1p1/HDE/x86_64.linux2.6-debug/keyCerts/key.dds.test.pem</Key>
            <Cert>file:///opt/PrismTech/OpenSpliceDDS/V6.1.1p1/HDE/x86_64.linux2.6-debug/keyCerts/dds.test.pem</Cert>
          </Credentials>
          <TrustedCertificates>file:///opt/PrismTech/OpenSpliceDDS/V6.1.1p1/HDE/x86_64.linux2.6-debug/keyCerts/trusted/agent.test.pem</TrustedCertificates>
        </X509Authentication>
      </Authentication>
    </Security>
    <Channels>
      <Channel enabled="true" name="default" default="true">
        <PortNr>2020</PortNr>
      </Channel>
    </Channels>
  </NetworkService>
  <DurabilityService name="durability">
    <Network>
      <Alignment>
        <TimeAlignment>FALSE</TimeAlignment>
        <RequestCombinePeriod>
          <Initial>2.5</Initial>
          <Operational>0.1</Operational>
        </RequestCombinePeriod>
      </Alignment>
      <WaitForAttachment maxWaitCount="10">
        <ServiceName>networking</ServiceName>
      </WaitForAttachment>
    </Network>
    <NameSpaces>
      <NameSpace name="defaultNamespace">
        <Partition>*</Partition>
      </NameSpace>
      <Policy nameSpace="defaultNamespace" durability="Durable" alignee="Initial" aligner="True"/>
    </NameSpaces>
  </DurabilityService>
  <TunerService name="cmsoap">
    <Server>
      <PortNr>50000</PortNr>
    </Server>
  </TunerService>
</OpenSplice>


access_policy.xml

<accessControlPolicy>
  <secrecyLevels> <!-- for MAC -->
    <secrecyLevel>UNCLASSIFIED</secrecyLevel>
    <secrecyLevel>RESTRICTED</secrecyLevel>
    <secrecyLevel>CONFIDENTIAL</secrecyLevel>
    <secrecyLevel>SECRET</secrecyLevel>
    <secrecyLevel>TOP_SECRET</secrecyLevel>
  </secrecyLevels>
  <integrityLevels> <!-- for MAC -->
    <integrityLevel>LEVEL_0</integrityLevel>
    <integrityLevel>LEVEL_1</integrityLevel>
    <integrityLevel>LEVEL_2</integrityLevel> <!-- opening tag was misspelled integriyLevel -->
  </integrityLevels>
  <users>
    <user>
      <id>123</id>
      <clearance> <!-- for MAC -->
        <secrecyLevel>RESTRICTED</secrecyLevel>
        <integrityLevel>LEVEL_2</integrityLevel>
        <compartments>
          <compartment>US</compartment>
        </compartments>
      </clearance>
      <authentication>
        <x509Authentication>
          <subject>agent.test.com</subject>
        </x509Authentication>
      </authentication>
    </user>
  </users>
  <resources>
    <resource>
      <type>PARTITION</type>
      <id>HelloWorld example</id>
      <topics>
        <topic>HelloWorldData_Msg</topic> <!-- closing tags for topic, topics and resource were missing -->
      </topics>
      <classification> <!-- for MAC -->
        <secrecyLevel>RESTRICTED</secrecyLevel>
        <integrityLevel>LEVEL_2</integrityLevel>
        <compartments>
          <compartment>US</compartment>
        </compartments>
      </classification>
    </resource>
  </resources>
</accessControlPolicy>


Thanks

-Viswa
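An added worked example (it is not part of the post and not OpenSplice's own code) showing how a MAC policy of the shape above is evaluated. It parses a well-formed copy of the access_policy.xml from the post, maps the subject name from a peer's X.509 certificate to a policy user, and applies the textbook lattice dominance rule: the clearance's secrecy and integrity levels must be at or above the classification's, and the clearance must hold every compartment the classification requires. That rule is the standard MAC semantics and is assumed here to be what OpenSplice's MAC module applies; the post gives no decision details, so check the Deployment Guide for the product's exact rules. The second user 456, the subject names other than agent.test.com, and the fail-closed handling of undeclared levels are constructed for the demonstration. Note that the policy file as posted is not well-formed XML (unclosed topic, topics and resource elements, and an integriyLevel typo), so a parser would reject it before any decision is made; the copy embedded below has those fixed.

```python
import xml.etree.ElementTree as ET

# Constructed input: the access_policy.xml from the post with its XML
# well-formedness fixed, plus a second user "456" (UNCLASSIFIED, no
# compartments) added here only to show a denial. Not an OpenSplice file.
POLICY_XML = """<accessControlPolicy>
<secrecyLevels><secrecyLevel>UNCLASSIFIED</secrecyLevel><secrecyLevel>RESTRICTED</secrecyLevel>
<secrecyLevel>CONFIDENTIAL</secrecyLevel><secrecyLevel>SECRET</secrecyLevel><secrecyLevel>TOP_SECRET</secrecyLevel></secrecyLevels>
<integrityLevels><integrityLevel>LEVEL_0</integrityLevel><integrityLevel>LEVEL_1</integrityLevel><integrityLevel>LEVEL_2</integrityLevel></integrityLevels>
<users>
<user><id>123</id><clearance><secrecyLevel>RESTRICTED</secrecyLevel><integrityLevel>LEVEL_2</integrityLevel>
<compartments><compartment>US</compartment></compartments></clearance>
<authentication><x509Authentication><subject>agent.test.com</subject></x509Authentication></authentication></user>
<user><id>456</id><clearance><secrecyLevel>UNCLASSIFIED</secrecyLevel><integrityLevel>LEVEL_2</integrityLevel>
<compartments/></clearance>
<authentication><x509Authentication><subject>guest.example.com</subject></x509Authentication></authentication></user>
</users>
<resources><resource><type>PARTITION</type><id>HelloWorld example</id>
<topics><topic>HelloWorldData_Msg</topic></topics>
<classification><secrecyLevel>RESTRICTED</secrecyLevel><integrityLevel>LEVEL_2</integrityLevel>
<compartments><compartment>US</compartment></compartments></classification></resource></resources>
</accessControlPolicy>"""


def _label(elem):
    """Read a <clearance> or <classification> element into a comparable label."""
    comps = elem.find("compartments")
    return {
        "secrecy": elem.findtext("secrecyLevel").strip(),
        "integrity": elem.findtext("integrityLevel").strip(),
        "compartments": frozenset(c.text.strip() for c in comps) if comps is not None else frozenset(),
    }


def parse_policy(xml_text):
    """Parse the policy: level orderings (list position is the rank, later is
    higher), users keyed by id, and resources keyed by id."""
    root = ET.fromstring(xml_text)
    policy = {
        "secrecy": [e.text.strip() for e in root.find("secrecyLevels")],
        "integrity": [e.text.strip() for e in root.find("integrityLevels")],
        "users": {},
        "resources": {},
    }
    for u in root.find("users"):
        policy["users"][u.findtext("id").strip()] = {
            "label": _label(u.find("clearance")),
            "subject": u.findtext("authentication/x509Authentication/subject").strip(),
        }
    for r in root.find("resources"):
        policy["resources"][r.findtext("id").strip()] = {
            "type": r.findtext("type").strip(),
            "topics": [t.text.strip() for t in r.find("topics")],
            "label": _label(r.find("classification")),
        }
    return policy


def _rank(order, name):
    """Position of a level in its declared ordering; None if it was never declared."""
    return order.index(name) if name in order else None


def dominates(policy, clearance, classification):
    """Lattice dominance (assumed MAC rule): clearance at or above the
    classification on secrecy and on integrity, and holding every required
    compartment. An undeclared level name fails closed."""
    s_c, s_r = _rank(policy["secrecy"], clearance["secrecy"]), _rank(policy["secrecy"], classification["secrecy"])
    i_c, i_r = _rank(policy["integrity"], clearance["integrity"]), _rank(policy["integrity"], classification["integrity"])
    if None in (s_c, s_r, i_c, i_r):
        return False
    return s_c >= s_r and i_c >= i_r and clearance["compartments"] >= classification["compartments"]


def user_for_subject(policy, subject):
    """Map the subject name from an authenticated peer's certificate to a policy
    user id; None means the peer is authenticated but holds no clearance."""
    for uid, user in policy["users"].items():
        if user["subject"] == subject:
            return uid
    return None


def check_access(policy, subject, resource_id):
    """Decision for one peer (by certificate subject) on one resource: (allowed, reason)."""
    uid = user_for_subject(policy, subject)
    if uid is None:
        return False, "subject %r is not a policy user" % subject
    resource = policy["resources"].get(resource_id)
    if resource is None:
        return False, "resource %r has no classification" % resource_id
    if dominates(policy, policy["users"][uid]["label"], resource["label"]):
        return True, "user %s clearance dominates classification of %r" % (uid, resource_id)
    return False, "user %s clearance does not dominate classification of %r" % (uid, resource_id)


if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    for subj in ("agent.test.com", "guest.example.com", "unknown.example.com"):
        print(subj, check_access(policy, subj, "HelloWorld example"))
```

The two questions in the post meet in user_for_subject: X.509 authentication only establishes which subject a peer is, and the MAC policy then grants nothing to a subject that has no user entry, so a peer outside the trusted set never reaches a classified partition even when its certificate validates.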
