mirror of
https://github.com/corda/corda.git
synced 2025-01-08 22:12:58 +00:00
55 lines
3.3 KiB
ReStructuredText
55 lines
3.3 KiB
ReStructuredText
|
.. highlight:: kotlin
|
||
|
.. raw:: html
|
||
|
|
||
|
<script type="text/javascript" src="_static/jquery.js"></script>
|
||
|
<script type="text/javascript" src="_static/codesets.js"></script>
|
||
|
|
||
|
Connecting to a compatibility zone
|
||
|
==================================
|
||
|
|
||
|
Every Corda node is part of a network (also called a zone) that is *permissioned*. Production deployments require a
|
||
|
secure certificate authority. Most users will join an existing network such as the main Corda network or the Corda
|
||
|
TestNet.
|
||
|
|
||
|
To connect to a compatibility zone you need to register with its certificate signing authority (doorman) by submitting
|
||
|
a certificate signing request (CSR) to obtain a valid identity for the zone. You could do this out of band, for instance
|
||
|
via email or a web form, but there's also a simple request/response protocol built into Corda.
|
||
|
|
||
|
Before you can register, you must first have received the trust store file containing the root certificate from the zone
|
||
|
operator. For high security zones this might be delivered physically. Then run the following command:
|
||
|
|
||
|
``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``
|
||
|
|
||
|
By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
|
||
|
This can be overridden with the additional ``--network-root-truststore`` flag.
|
||
|
|
||
|
The certificate signing request will be created based on node information obtained from the node configuration.
|
||
|
The following information from the node configuration file is needed to generate the request.
|
||
|
|
||
|
* **myLegalName** Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same
|
||
|
name, as the legal name needs to be unique on the network. If another node has already been permissioned with this
|
||
|
name then the permissioning server will automatically reject the request. The request will also be rejected if it
|
||
|
violates legal name rules, see :ref:`node_naming` for more information. You can use the X.500 schema to disambiguate
|
||
|
entities that have the same or similar brand names.
|
||
|
|
||
|
* **emailAddress** e.g. "admin@company.com"
|
||
|
|
||
|
* **devMode** must be set to false
|
||
|
|
||
|
* **networkServices** or **compatibilityZoneURL** The Corda compatibility zone services must be configured. This must be either:
|
||
|
|
||
|
* **compatibilityZoneURL** The Corda compatibility zone network management service root URL.
|
||
|
* **networkServices** Replaces the ``compatibilityZoneURL`` when the doorman and network map services
|
||
|
are configured to operate on different URL endpoints. The ``doorman`` entry is used for registration.
|
||
|
|
||
|
A new pair of private and public keys generated by the Corda node will be used to create the request.
|
||
|
|
||
|
The utility will submit the request to the doorman server and poll for a result periodically to retrieve the
|
||
|
certificates. Once the request has been approved and the certificates downloaded from the server, the node will create
|
||
|
the keystore and trust store using the certificates and the generated private key.
|
||
|
|
||
|
.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request
|
||
|
process will resume on restart as long as the ``--initial-registration`` flag is specified.
|
||
|
|
||
|
This process only is needed when the node connects to the network for the first time, or when the certificate expires.
|