corda/docs/source/joining-a-network.rst

.. highlight:: kotlin
.. raw:: html

   <script type="text/javascript" src="_static/jquery.js"></script>
   <script type="text/javascript" src="_static/codesets.js"></script>

Connecting to a compatibility zone
==================================

Every Corda node is part of a network (also called a zone) that is *permissioned*. Production deployments require a
secure certificate authority. Most users will join an existing network such as the main Corda network or the Corda
TestNet.

To connect to a compatibility zone you need to register with its certificate signing authority (doorman) by submitting
a certificate signing request (CSR) to obtain a valid identity for the zone. You could do this out of band, for instance
via email or a web form, but there's also a simple request/response protocol built into Corda.

Before you can register, you must first have received the trust store file containing the root certificate from the zone
operator. For high security zones this might be delivered physically. Then run the following command:

``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``

By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
This can be overridden with the additional ``--network-root-truststore`` flag.

The certificate signing request will be created based on node information obtained from the node configuration.
The following information from the node configuration file is needed to generate the request.

* **myLegalName** Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same
  name, as the legal name needs to be unique on the network. If another node has already been permissioned with this
  name then the permissioning server will automatically reject the request. The request will also be rejected if it
  violates legal name rules, see :ref:`node_naming` for more information. You can use the X.500 schema to disambiguate
  entities that have the same or similar brand names.

* **emailAddress** e.g. "admin@company.com"

* **devMode** must be set to false

* **networkServices** or **compatibilityZoneURL** The Corda compatibility zone services must be configured. This must be either:

  * **compatibilityZoneURL** The Corda compatibility zone network management service root URL.
  * **networkServices** Replaces the ``compatibilityZoneURL`` when the doorman and network map services
    are configured to operate on different URL endpoints. The ``doorman`` entry is used for registration.

A new pair of private and public keys generated by the Corda node will be used to create the request.

The utility will submit the request to the doorman server and poll for a result periodically to retrieve the
certificates. Once the request has been approved and the certificates downloaded from the server, the node will create
the keystore and trust store using the certificates and the generated private key.

.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request
   process will resume on restart as long as the ``--initial-registration`` flag is specified.

This process only is needed when the node connects to the network for the first time, or when the certificate expires.
Documents default and configurable keystore passwords. Clean-up. (#3988) * Documents default and configurable keystore passwords. Clean-up. * Addresses review feedback. * Review feedback. Splitting up permissiong.rst. * Review feedback. 2018-09-27 08:16:17 +00:00			`.. highlight:: kotlin`
			`.. raw:: html`

			`<script type="text/javascript" src="_static/jquery.js"></script>`
			`<script type="text/javascript" src="_static/codesets.js"></script>`

			`Connecting to a compatibility zone`
			`==================================`

			`Every Corda node is part of a network (also called a zone) that is permissioned. Production deployments require a`
			`secure certificate authority. Most users will join an existing network such as the main Corda network or the Corda`
			`TestNet.`

			`To connect to a compatibility zone you need to register with its certificate signing authority (doorman) by submitting`
			`a certificate signing request (CSR) to obtain a valid identity for the zone. You could do this out of band, for instance`
			`via email or a web form, but there's also a simple request/response protocol built into Corda.`

			`Before you can register, you must first have received the trust store file containing the root certificate from the zone`
			`operator. For high security zones this might be delivered physically. Then run the following command:`

			``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``

			By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
			This can be overridden with the additional ``--network-root-truststore`` flag.

			`The certificate signing request will be created based on node information obtained from the node configuration.`
			`The following information from the node configuration file is needed to generate the request.`

			`* myLegalName Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same`
			`name, as the legal name needs to be unique on the network. If another node has already been permissioned with this`
			`name then the permissioning server will automatically reject the request. The request will also be rejected if it`
			violates legal name rules, see :ref:`node_naming` for more information. You can use the X.500 schema to disambiguate
			`entities that have the same or similar brand names.`

			`* emailAddress e.g. "admin@company.com"`

			`* devMode must be set to false`

			`* networkServices or compatibilityZoneURL The Corda compatibility zone services must be configured. This must be either:`

			`* compatibilityZoneURL The Corda compatibility zone network management service root URL.`
			* networkServices Replaces the ``compatibilityZoneURL`` when the doorman and network map services
			are configured to operate on different URL endpoints. The ``doorman`` entry is used for registration.

			`A new pair of private and public keys generated by the Corda node will be used to create the request.`

			`The utility will submit the request to the doorman server and poll for a result periodically to retrieve the`
			`certificates. Once the request has been approved and the certificates downloaded from the server, the node will create`
			`the keystore and trust store using the certificates and the generated private key.`

			`.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request`
			process will resume on restart as long as the ``--initial-registration`` flag is specified.

			`This process only is needed when the node connects to the network for the first time, or when the certificate expires.`