2017-11-24 18:06:01 +00:00
|
|
|
|
Network Permissioning
|
|
|
|
|
=====================
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
.. contents::
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
Corda networks are *permissioned*. To connect to a network, a node needs three keystores in its
|
|
|
|
|
``<workspace>/certificates/`` folder:
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
* ``truststore.jks``, which stores trusted public keys and certificates (in our case, those of the network root CA)
|
|
|
|
|
* ``nodekeystore.jks``, which stores the node’s identity keypairs and certificates
|
|
|
|
|
* ``sslkeystore.jks``, which stores the node’s TLS keypairs and certificates
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
In development mode (i.e. when ``devMode = true``, see :doc:`corda-configuration-file` for more information),
|
|
|
|
|
pre-configured keystores are used if the required keystores do not exist. This ensures that developers can get the
|
|
|
|
|
nodes working as quickly as possible.
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
However, these pre-configured keystores are not secure. Production deployments require a secure certificate authority.
|
|
|
|
|
Most production deployments will use an existing certificate authority or construct one using software that will be
|
|
|
|
|
made available in the coming months. Until then, the documentation below can be used to create your own certificate
|
|
|
|
|
authority.
|
2016-12-09 19:07:32 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
Network structure
|
|
|
|
|
-----------------
|
|
|
|
|
A Corda network has three types of certificate authorities (CAs):
|
|
|
|
|
|
|
|
|
|
* The **root network CA**
|
|
|
|
|
* The **intermediate network CA**
|
|
|
|
|
|
|
|
|
|
* The intermediate network CA is used instead of the root network CA for day-to-day
|
|
|
|
|
key signing to reduce the risk of the root network CA's private key being compromised
|
|
|
|
|
|
|
|
|
|
* The **node CAs**
|
|
|
|
|
|
|
|
|
|
* Each node serves as its own CA in issuing the child certificates that it uses to sign its identity
|
2017-12-14 12:30:07 +00:00
|
|
|
|
keys and TLS certificates
|
|
|
|
|
|
|
|
|
|
We can visualise the permissioning structure as follows:
|
|
|
|
|
|
|
|
|
|
.. image:: resources/certificate_structure.png
|
|
|
|
|
:scale: 55%
|
|
|
|
|
:align: center
|
2017-11-27 13:36:52 +00:00
|
|
|
|
|
|
|
|
|
Keypair and certificate formats
|
|
|
|
|
-------------------------------
|
2017-11-24 18:06:01 +00:00
|
|
|
|
You can use any standard key tools or Corda's ``X509Utilities`` (which uses Bouncy Castle) to create the required
|
|
|
|
|
public/private keypairs and certificates. The keypairs and certificates should obey the following restrictions:
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
* The certificates must follow the `X.509 standard <https://tools.ietf.org/html/rfc5280>`_
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
* We recommend X.509 v3 for forward compatibility
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
* The TLS certificates must follow the `TLS v1.2 standard <https://tools.ietf.org/html/rfc5246>`_
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-12-14 12:30:07 +00:00
|
|
|
|
* The root network CA, intermediate network CA and node CA keys, as well as the node TLS
|
|
|
|
|
keys, must follow one of the following schemes:
|
|
|
|
|
|
|
|
|
|
* ECDSA using the NIST P-256 curve (secp256r1)
|
|
|
|
|
|
|
|
|
|
* RSA with 3072-bit key size
|
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
Creating the root and intermediate network CAs
|
|
|
|
|
----------------------------------------------
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
Creating the root network CA's keystore and truststore
|
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
1. Create a new keypair
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This will be used as the root network CA's keypair
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
2. Create a self-signed certificate for the keypair. The basic constraints extension must be set to ``true``
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This will be used as the root network CA's certificate
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
3. Create a new keystore and store the root network CA's keypair and certificate in it for later use
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This keystore will be used by the root network CA to sign the intermediate network CA's certificate
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
4. Create a new Java keystore named ``truststore.jks`` and store the root network CA's certificate in it using the
|
|
|
|
|
alias ``cordarootca``
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This keystore will be provisioned to the individual nodes later
|
|
|
|
|
|
|
|
|
|
.. warning:: The root network CA's private key should be protected and kept safe.
|
|
|
|
|
|
|
|
|
|
Creating the intermediate network CA's keystore
|
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
1. Create a new keypair
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This will be used as the intermediate network CA's keypair
|
|
|
|
|
|
|
|
|
|
2. Obtain a certificate for the keypair signed with the root network CA key. The basic constraints extension must be
|
|
|
|
|
set to ``true``
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This will be used as the intermediate network CA's certificate
|
2017-04-24 21:16:00 +08:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
3. Create a new keystore and store the intermediate network CA's keypair and certificate chain
|
|
|
|
|
(i.e. the intermediate network CA certificate *and* the root network CA certificate) in it for later use
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* This keystore will be used by the intermediate network CA to sign the nodes' identity certificates
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
Creating the node CA keystores and TLS keystores
|
2017-11-27 13:36:52 +00:00
|
|
|
|
------------------------------------------------
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
Creating the node CA keystores
|
2017-11-27 13:36:52 +00:00
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
1. For each node, create a new keypair
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
2. Obtain a certificate for the keypair signed with the intermediate network CA key. The basic constraints extension must be
|
2017-11-24 18:06:01 +00:00
|
|
|
|
set to ``true``
|
2016-11-24 16:38:40 +00:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
3. Create a new Java keystore named ``nodekeystore.jks`` and store the keypair in it using the alias ``cordaclientca``
|
|
|
|
|
|
|
|
|
|
* The node will store this keystore locally to sign its identity keys and anonymous keys
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
Creating the node TLS keystores
|
2017-11-27 13:36:52 +00:00
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
1. For each node, create a new keypair
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-24 18:06:01 +00:00
|
|
|
|
2. Create a certificate for the keypair signed with the node CA key. The basic constraints extension must be set to
|
|
|
|
|
``false``
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
3. Create a new Java keystore named ``sslkeystore.jks`` and store the key and certificates in it using the alias
|
|
|
|
|
``cordaclienttls``
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
* The node will store this keystore locally to sign its TLS certificates
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
Installing the certificates on the nodes
|
|
|
|
|
----------------------------------------
|
|
|
|
|
For each node, copy the following files to the node's certificate directory (``<workspace>/certificates/``):
|
2017-03-28 16:27:53 +01:00
|
|
|
|
|
2017-11-27 13:36:52 +00:00
|
|
|
|
1. The node's ``nodekeystore.jks`` keystore
|
|
|
|
|
2. The node's ``sslkeystore.jks`` keystore
|
|
|
|
|
3. The root network CA's ``truststore.jks`` keystore
|