2018-09-27 08:16:17 +00:00
|
|
|
.. highlight:: kotlin
|
|
|
|
.. raw:: html
|
|
|
|
|
|
|
|
<script type="text/javascript" src="_static/jquery.js"></script>
|
|
|
|
<script type="text/javascript" src="_static/codesets.js"></script>
|
|
|
|
|
2018-10-17 16:24:27 +00:00
|
|
|
Compatibility zones
|
|
|
|
===================
|
2018-09-27 08:16:17 +00:00
|
|
|
|
2018-10-17 16:24:27 +00:00
|
|
|
Every Corda node is part of a "zone" (also sometimes called a Corda network) that is *permissioned*. Production
|
|
|
|
deployments require a secure certificate authority. Most users will join an existing network such as the main Corda
|
|
|
|
network or the Corda TestNet. We use the term "zone" to refer to a set of technically compatible nodes reachable
|
|
|
|
over a TCP/IP network like the internet. The word "network" is used in Corda but can be ambiguous with the concept
|
|
|
|
of a "business network", which is usually more like a membership list or subset of nodes in a zone that have agreed
|
|
|
|
to trade with each other.
|
2018-09-27 08:16:17 +00:00
|
|
|
|
|
|
|
To connect to a compatibility zone you need to register with its certificate signing authority (doorman) by submitting
|
|
|
|
a certificate signing request (CSR) to obtain a valid identity for the zone. You could do this out of band, for instance
|
|
|
|
via email or a web form, but there's also a simple request/response protocol built into Corda.
|
|
|
|
|
|
|
|
Before you can register, you must first have received the trust store file containing the root certificate from the zone
|
|
|
|
operator. For high security zones this might be delivered physically. Then run the following command:
|
|
|
|
|
|
|
|
``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``
|
|
|
|
|
|
|
|
By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
|
|
|
|
This can be overridden with the additional ``--network-root-truststore`` flag.
|
|
|
|
|
|
|
|
The certificate signing request will be created based on node information obtained from the node configuration.
|
|
|
|
The following information from the node configuration file is needed to generate the request.
|
|
|
|
|
|
|
|
* **myLegalName** Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same
|
|
|
|
name, as the legal name needs to be unique on the network. If another node has already been permissioned with this
|
|
|
|
name then the permissioning server will automatically reject the request. The request will also be rejected if it
|
|
|
|
violates legal name rules, see :ref:`node_naming` for more information. You can use the X.500 schema to disambiguate
|
|
|
|
entities that have the same or similar brand names.
|
|
|
|
|
|
|
|
* **emailAddress** e.g. "admin@company.com"
|
|
|
|
|
|
|
|
* **devMode** must be set to false
|
|
|
|
|
|
|
|
* **networkServices** or **compatibilityZoneURL** The Corda compatibility zone services must be configured. This must be either:
|
|
|
|
|
|
|
|
* **compatibilityZoneURL** The Corda compatibility zone network management service root URL.
|
|
|
|
* **networkServices** Replaces the ``compatibilityZoneURL`` when the doorman and network map services
|
|
|
|
are configured to operate on different URL endpoints. The ``doorman`` entry is used for registration.
|
|
|
|
|
|
|
|
A new pair of private and public keys generated by the Corda node will be used to create the request.
|
|
|
|
|
|
|
|
The utility will submit the request to the doorman server and poll for a result periodically to retrieve the
|
|
|
|
certificates. Once the request has been approved and the certificates downloaded from the server, the node will create
|
|
|
|
the keystore and trust store using the certificates and the generated private key.
|
|
|
|
|
|
|
|
.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request
|
|
|
|
process will resume on restart as long as the ``--initial-registration`` flag is specified.
|
|
|
|
|
|
|
|
This process only is needed when the node connects to the network for the first time, or when the certificate expires.
|