Node configuration
==================

File location
-------------

The Corda all-in-one ``corda.jar`` file is generated by the ``gradle buildCordaJAR`` task and defaults to reading configuration
from a ``node.conf`` file in the present working directory. This behaviour can be overridden using the ``--config-file``
command line option to target configuration files with different names, or different file locations (relative paths are
relative to the current working directory). Also, the ``--base-directory`` command line option alters the Corda node
workspace location and if specified a ``node.conf`` configuration file is then expected in the root of the workspace.

The configuration file templates used for the ``gradle deployNodes`` task are to be found in the ``/config/dev`` folder.
Also note that there is a basic set of defaults loaded from the built-in resource file ``/node/src/main/resources/reference.conf``
of the ``:node`` gradle module. All properties in this can be overridden in the file configuration and for rarely changed
properties this defaulting allows the property to be excluded from the configuration file.

Format
------

The Corda configuration file uses the HOCON format, which is a superset of JSON. It has several features which make it
very useful as a configuration format. Please visit their `page <https://github.com/typesafehub/config/blob/master/HOCON.md>`_
for further details.

Examples
--------

General node configuration file for hosting the IRSDemo services.

.. literalinclude:: example-code/src/main/resources/example-node.conf
    :language: javascript

NetworkMapService plus Simple Notary configuration file.

.. parsed-literal::

    myLegalName : "CN=Notary Service,O=R3,OU=corda,L=London,C=GB"
    keyStorePassword : "cordacadevpass"
    trustStorePassword : "trustpass"
    p2pAddress : "localhost:12345"
    rpcAddress : "localhost:12346"
    webAddress : "localhost:12347"
    extraAdvertisedServiceIds : ["corda.notary.simple"]
    useHTTPS : false
    devMode : true
    // Certificate signing service will be hosted by R3 in the near future.
    //certificateSigningService : "https://testnet.certificate.corda.net"

Fields
------

The available config fields are listed below. ``basedir`` is available as a substitution value, containing the absolute
path to the node's base directory.

:myLegalName: The legal identity of the node acts as a human readable alias to the node's public key and several demos use
    this to look up the NodeInfo.

:keyStorePassword: The password to unlock the KeyStore file (``<workspace>/certificates/sslkeystore.jks``) containing the
    node certificate and private key.

    .. note:: This is the non-secret value for the development certificates automatically generated during the first node run.
        Longer term these keys will be managed in secure hardware devices.

:trustStorePassword: The password to unlock the Trust store file (``<workspace>/certificates/truststore.jks``) containing
    the Corda network root certificate. This is the non-secret value for the development certificates automatically
    generated during the first node run.

    .. note:: Longer term these keys will be managed in secure hardware devices.

:dataSourceProperties: This section is used to configure the JDBC connection and database driver used for the node's persistence.
    Currently the defaults in ``/node/src/main/resources/reference.conf`` are as shown in the first example. This is currently
    the only configuration that has been tested, although in the future full support for other storage layers will be validated.

:messagingServerAddress: The address of the ArtemisMQ broker instance. If not provided the node will run one locally.

:p2pAddress: The host and port on which the node is available for protocol operations over ArtemisMQ.

    .. note:: In practice the ArtemisMQ messaging services bind to all local addresses on the specified port. However,
        note that the host is included as the advertised entry in the NetworkMapService. As a result the value listed
        here must be externally accessible when running nodes across a cluster of machines. If the provided host is unreachable,
        the node will try to auto-discover its public one.

:rpcAddress: The address of the RPC system on which RPC requests can be made to the node. If not provided then the node will run without RPC.

:webAddress: The host and port on which the webserver will listen if it is started. This is not used by the node itself.

    .. note:: If HTTPS is enabled then the browser security checks will require that the accessing URL host name is one
        of either the machine name, fully qualified machine name, or server IP address to line up with the Subject Alternative
        Names contained within the development certificates. This is in addition to requiring the ``/config/dev/corda_dev_ca.cer``
        root certificate be installed as a Trusted CA.

    .. note:: The driver will not automatically create a webserver instance, but the Cordformation will. If this field
        is present the web server will start.

:extraAdvertisedServiceIds: A list of ServiceType id strings to be advertised to the NetworkMapService and thus be available
    when other nodes query the NetworkMapCache for supporting nodes. This can also include plugin services loaded from .jar
    files in the plugins folder. Optionally, a custom advertised service name can be provided by appending it to the service
    type id: ``"corda.notary.validating|Notary A"``

:notaryNodeAddress: The host and port to which to bind the embedded Raft server. Required only when running a distributed
    notary service. A group of Corda nodes can run a distributed notary service by each running an embedded Raft server and
    joining them to the same cluster to replicate the committed state log. Note that the Raft cluster uses a separate transport
    layer for communication that does not integrate with ArtemisMQ messaging services.

:notaryClusterAddresses: List of Raft cluster member addresses used to join the cluster. At least one of the specified
    members must be active and be able to communicate with the cluster leader for joining. If empty, a new cluster will be
    bootstrapped. Required only when running a distributed notary service.

:networkMapService: If ``null`` or missing, the node is declaring itself as the NetworkMapService host. Otherwise this is
    a config object with the details of the network map service:

        :address: Host and port string of the ArtemisMQ broker hosting the network map node
        :legalName: Legal name of the node. This is required as part of the TLS host verification process. The node will
            reject the connection to the network map service if it provides a TLS common name which doesn't match with this value.

:minimumPlatformVersion: Used by the node if it's running the network map service to enforce a minimum version requirement
    on registrations - any node on a Platform Version lower than this value will have their registration rejected.
    Defaults to 1 if absent.

:useHTTPS: If false the node's web server will be plain HTTP. If true the node will use the same certificate and private
    key from the ``<workspace>/certificates/sslkeystore.jks`` file as the ArtemisMQ port for HTTPS. If HTTPS is enabled
    then unencrypted HTTP traffic to the node's **webAddress** port is not supported.

:rpcUsers: A list of users who are authorised to access the RPC system. Each user in the list is a config object with the
    following fields:

        :username: Username consisting only of word characters (a-z, A-Z, 0-9 and _)
        :password: The password
        :permissions: A list of permission strings which RPC methods can use to control access

    If this field is absent or an empty list then RPC is effectively locked down. Alternatively, if it contains the string
    ``ALL`` then the user is permitted to use *any* RPC method. This value is intended for administrator users and for developers.

:devMode: This flag sets the node to run in development mode. On startup, if the keystore ``<workspace>/certificates/sslkeystore.jks``
    does not exist, a developer keystore will be used if ``devMode`` is true. The node will exit if ``devMode`` is false
    and the keystore does not exist. ``devMode`` also turns on background checking of flow checkpoints to shake out any
    bugs in the checkpointing process.

:detectPublicIp: This flag toggles the auto IP detection behaviour; it is enabled by default. On startup the node will
    attempt to discover its externally visible IP address first by looking for any public addresses on its network
    interfaces, and then by sending an IP discovery request to the network map service. Set to ``false`` to disable.

:certificateSigningService: Certificate Signing Server address. It is used by the certificate signing request utility to
    obtain an SSL certificate. (See :doc:`permissioning` for more information.)

:relay: If provided, the node will attempt to tunnel inbound connections via an external relay. The relay's address will be
    advertised to the network map service instead of the provided ``p2pAddress``.

        :relayHost: Hostname of the relay machine
        :remoteInboundPort: A port on the relay machine that accepts incoming TCP connections. Traffic will be forwarded
            from this port to the local port specified in ``p2pAddress``.
        :username: Username for establishing an SSH connection with the relay.
        :privateKeyFile: Path to the private key file for SSH authentication. The private key must not have a passphrase.
        :publicKeyFile: Path to the public key file for SSH authentication.
        :sshPort: Port to be used for SSH connection, default ``22``.
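
The fields above describe several development-only settings (``devMode``, the non-secret ``keyStorePassword`` and ``trustStorePassword`` values, a plain-HTTP web server) and the ``ALL`` RPC permission. The following check flags them in a ``node.conf`` before it is deployed; it is an added example, not part of the Corda code base. It assumes the flat ``key : value`` layout of the notary example on this page rather than full HOCON, and the sample configuration, function names and user entries are constructed.

```python
import re
# Constructed sample; the development values are those in this page's notary example.
SAMPLE_CONF = '''
keyStorePassword : "cordacadevpass"
trustStorePassword : "trustpass"
webAddress : "localhost:12347"
useHTTPS : false
devMode : true
rpcUsers : [
    { username : "admin", password : "example", permissions : ["ALL"] },
    { username : "ops-user", password : "example", permissions : [] }
]
'''
DEV_VALUES = {"devMode": "true", "keyStorePassword": "cordacadevpass", "trustStorePassword": "trustpass"}

def scalar(text, key):  # value of a top-level "key : value" or "key = value" line, quotes removed
    m = re.search(r'^[ \t]*%s[ \t]*[:=][ \t]*"?([^"\n]*?)"?[ \t]*$' % re.escape(key), text, re.M)
    return m.group(1) if m else None

def rpc_users(text):  # (username, permissions) for each object in the rpcUsers list
    start = re.search(r'^[ \t]*rpcUsers[ \t]*[:=][ \t]*\[', text, re.M)
    if not start:
        return []
    depth, i = 1, start.end()
    while i < len(text) and depth:  # walk to the bracket that closes the list
        depth += {"[": 1, "]": -1}.get(text[i], 0)
        i += 1
    users = []
    for obj in re.findall(r'\{(.*?)\}', text[start.end():i - 1], re.S):
        name = re.findall(r'username\s*[:=]\s*"([^"]*)"', obj)
        perms = re.findall(r'permissions\s*[:=]\s*\[(.*?)\]', obj, re.S)
        users.append(("".join(name[:1]), re.findall(r'"([^"]*)"', "".join(perms[:1]))))
    return users

def audit(text):
    """Findings for settings this page documents as development-only or wide open."""
    text = re.sub(r'^[ \t]*(//|#).*$', '', text, flags=re.M)  # drop comment lines
    findings = [k + " is set to its development value"
                for k, v in DEV_VALUES.items() if scalar(text, k) == v]
    if scalar(text, "webAddress") and scalar(text, "useHTTPS") != "true":
        findings.append("web server is plain HTTP")
    for name, perms in rpc_users(text):
        if not re.fullmatch(r"\w+", name, re.ASCII):
            findings.append("rpcUsers username %r is not word characters only" % name)
        if "ALL" in perms:
            findings.append("rpcUsers user %r may call any RPC method" % name)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Values containing brackets or braces inside quoted strings, and HOCON includes or substitutions, are outside what this reduced parser handles.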