corda/docs/source/messaging.rst

Networking and messaging
========================

Corda uses AMQP/1.0 over TLS between nodes which is currently implemented using Apache Artemis, an embeddable message
queue broker. Building on established MQ protocols gives us features like persistence to disk, automatic delivery
retries with backoff and dead-letter routing, security, large message streaming and so on.

Artemis is hidden behind a thin interface that also has an in-memory only implementation suitable for use in
unit tests and visualisation tools.

.. note:: A future version of Corda will allow the MQ broker to be split out of the main node and run as a
   separate server. We may also support non-Artemis implementations via JMS, allowing the broker to be swapped
   out for alternative implementations.

There are multiple ways of interacting with the network. When writing an application you typically won't use the
messaging subsystem directly. Instead you will build on top of the :doc:`flow framework <flow-state-machines>`,
which adds a layer on top of raw messaging to manage multi-step flows and let you think in terms of identities
rather than specific network endpoints.

.. _network-map-service:

Network Map Service
-------------------

Supporting the messaging layer is a network map service, which is responsible for tracking public nodes on the network.

Nodes have an internal component, the network map cache, which contains a copy of the network map (which is just a
document). When a node starts up its cache fetches a copy of the full network map, and requests to be notified of
changes. The node then registers itself with the network map service, and the service notifies subscribers that a new
node has joined the network. Nodes do not automatically deregister themselves, so (for example) nodes going offline
briefly for maintenance are retained in the network map, and messages for them will be queued, minimising disruption.

Nodes submit signed changes to the map service, which then forwards update notifications on to nodes which have
requested to be notified of changes.

The network map currently supports:

* Looking up nodes by service
* Looking up node for a party
* Suggesting a node providing a specific service, based on suitability for a contract and parties, for example suggesting
  an appropriate interest rates oracle for an interest rate swap contract. Currently no recommendation logic is in place.

Message queues
--------------

The node makes use of various queues for its operation. The more important ones are described below. Others are used
for maintenance and other minor purposes.

:``p2p.inbound.$identity``:
   The node listens for messages sent from other peer nodes on this queue. Only clients who are authenticated to be
   nodes on the same network are given permission to send. Messages which are routed internally are also sent to this
   queue (e.g. two flows on the same node communicating with each other).

:``internal.peers.$identity``:
   These are a set of private queues only available to the node which it uses to route messages destined to other peers.
   The queue name ends in the base 58 encoding of the peer's identity key. There is at most one queue per peer. The broker
           creates a bridge from this queue to the peer's ``p2p.inbound.$identity`` queue, using the network map service to lookup the
   peer's network address.

:``internal.services.$identity``:
   These are private queues the node may use to route messages to services. The queue name ends in the base 58 encoding
   of the service's owning identity key. There is at most one queue per service identity (but note that any one service
   may have several identities). The broker creates bridges to all nodes in the network advertising the service in
   question. When a session is initiated with a service counterparty the handshake is pushed onto this queue, and a
   corresponding bridge is used to forward the message to an advertising peer's p2p queue. Once a peer is picked the
   session continues on as normal.

:``rpc.requests``:
   RPC clients send their requests here, and it's only open for sending by clients authenticated as RPC users.

:``clients.$user.rpc.$random``:
   RPC clients are given permission to create a temporary queue incorporating their username (``$user``) and sole
   permission to receive messages from it. RPC requests are required to include a random number (``$random``) from
   which the node is able to construct the queue the user is listening on and send the response to that. This mechanism
   prevents other users from being able listen in on the responses.

Security
--------

Clients attempting to connect to the node's broker fall in one of four groups:

#. Anyone connecting with the username ``SystemUsers/Node`` is treated as the node hosting the broker, or a logical
   component of the node. The TLS certificate they provide must match the one broker has for the node. If that's the case
   they are given full access to all valid queues, otherwise they are rejected.

#. Anyone connecting with the username ``SystemUsers/Peer`` is treated as a peer on the same Corda network as the node. Their
   TLS root CA must be the same as the node's root CA - the root CA is the doorman of the network and having the same root CA
   implies we've been let in by the same doorman. If they are part of the same network then they are only given permission
   to send to our ``p2p.inbound.$identity`` queue, otherwise they are rejected.

#. Every other username is treated as a RPC user and authenticated against the node's list of valid RPC users. If that
   is successful then they are only given sufficient permission to perform RPC, otherwise they are rejected.

#. Clients connecting without a username and password are rejected.

Artemis provides a feature of annotating each received message with the validated user. This allows the node's messaging
service to provide authenticated messages to the rest of the system. For the first two client types described above the
validated user is the X.500 subject of the client TLS certificate. This allows the flow framework to authentically determine
the ``Party`` initiating a new flow. For RPC clients the validated user is the username itself and the RPC framework uses
this to determine what permissions the user has.

The broker also does host verification when connecting to another peer. It checks that the TLS certificate subject matches
with the advertised X.500 legal name from the network map service.
Messaging: add docs on the messaging and protocol state machine systems. 2015-12-14 17:22:21 +00:00			`Networking and messaging`
			`========================`

Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`Corda uses AMQP/1.0 over TLS between nodes which is currently implemented using Apache Artemis, an embeddable message`
			`queue broker. Building on established MQ protocols gives us features like persistence to disk, automatic delivery`
			`retries with backoff and dead-letter routing, security, large message streaming and so on.`
Messaging: add docs on the messaging and protocol state machine systems. 2015-12-14 17:22:21 +00:00
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`Artemis is hidden behind a thin interface that also has an in-memory only implementation suitable for use in`
			`unit tests and visualisation tools.`
Messaging: add docs on the messaging and protocol state machine systems. 2015-12-14 17:22:21 +00:00
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`.. note:: A future version of Corda will allow the MQ broker to be split out of the main node and run as a`
			`separate server. We may also support non-Artemis implementations via JMS, allowing the broker to be swapped`
			`out for alternative implementations.`
Messaging: add docs on the messaging and protocol state machine systems. 2015-12-14 17:22:21 +00:00
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`There are multiple ways of interacting with the network. When writing an application you typically won't use the`
Rename protocol to flow in docs 2016-11-22 16:30:17 +00:00			messaging subsystem directly. Instead you will build on top of the :doc:`flow framework <flow-state-machines>`,
			`which adds a layer on top of raw messaging to manage multi-step flows and let you think in terms of identities`
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`rather than specific network endpoints.`
Messaging: add docs on the messaging and protocol state machine systems. 2015-12-14 17:22:21 +00:00
Added tutorials on how to use & run a notary. 2016-11-25 15:11:19 +00:00			`.. _network-map-service:`

Document network map service 2016-04-27 16:58:39 +00:00			`Network Map Service`
			`-------------------`

			`Supporting the messaging layer is a network map service, which is responsible for tracking public nodes on the network.`

Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`Nodes have an internal component, the network map cache, which contains a copy of the network map (which is just a`
			`document). When a node starts up its cache fetches a copy of the full network map, and requests to be notified of`
			`changes. The node then registers itself with the network map service, and the service notifies subscribers that a new`
			`node has joined the network. Nodes do not automatically deregister themselves, so (for example) nodes going offline`
			`briefly for maintenance are retained in the network map, and messages for them will be queued, minimising disruption.`
Document network map service 2016-04-27 16:58:39 +00:00
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`Nodes submit signed changes to the map service, which then forwards update notifications on to nodes which have`
			`requested to be notified of changes.`
Document network map service 2016-04-27 16:58:39 +00:00
Refresh the documentation site (developer guide): fresh docs are happy docs! 2016-08-24 13:38:43 +00:00			`The network map currently supports:`
Document network map service 2016-04-27 16:58:39 +00:00
			`* Looking up nodes by service`
			`* Looking up node for a party`
			`* Suggesting a node providing a specific service, based on suitability for a contract and parties, for example suggesting`
Unix vs Windows demo instructions. Duplicate SIMM page. Typos. Bad nesting. 2017-01-06 11:05:37 +00:00			`an appropriate interest rates oracle for an interest rate swap contract. Currently no recommendation logic is in place.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
			`Message queues`
			`--------------`

			`The node makes use of various queues for its operation. The more important ones are described below. Others are used`
			`for maintenance and other minor purposes.`

Rename the inbox (#2360) Add changelog entry Address review comments Alternate solution to service queues Fixup after merge 2018-01-17 16:06:31 +00:00			:``p2p.inbound.$identity``:
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`The node listens for messages sent from other peer nodes on this queue. Only clients who are authenticated to be`
			`nodes on the same network are given permission to send. Messages which are routed internally are also sent to this`
			`queue (e.g. two flows on the same node communicating with each other).`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Fixed formatting issues in messaging.rst 2016-12-05 22:03:00 +00:00			:``internal.peers.$identity``:
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`These are a set of private queues only available to the node which it uses to route messages destined to other peers.`
			`The queue name ends in the base 58 encoding of the peer's identity key. There is at most one queue per peer. The broker`
Rename the inbox (#2360) Add changelog entry Address review comments Alternate solution to service queues Fixup after merge 2018-01-17 16:06:31 +00:00			creates a bridge from this queue to the peer's ``p2p.inbound.$identity`` queue, using the network map service to lookup the
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`peer's network address.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Extend messaging.rst about service queues 2016-12-14 15:04:25 +00:00			:``internal.services.$identity``:
			`These are private queues the node may use to route messages to services. The queue name ends in the base 58 encoding`
			`of the service's owning identity key. There is at most one queue per service identity (but note that any one service`
			`may have several identities). The broker creates bridges to all nodes in the network advertising the service in`
Add ReceivedSessionMessage, DriverBasedTest re #57 2016-12-15 11:35:24 +00:00			`question. When a session is initiated with a service counterparty the handshake is pushed onto this queue, and a`
			`corresponding bridge is used to forward the message to an advertising peer's p2p queue. Once a peer is picked the`
			`session continues on as normal.`
Extend messaging.rst about service queues 2016-12-14 15:04:25 +00:00
Fixed formatting issues in messaging.rst 2016-12-05 22:03:00 +00:00			:``rpc.requests``:
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`RPC clients send their requests here, and it's only open for sending by clients authenticated as RPC users.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Fixed formatting issues in messaging.rst 2016-12-05 22:03:00 +00:00			:``clients.$user.rpc.$random``:
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			RPC clients are given permission to create a temporary queue incorporating their username (``$user``) and sole
			permission to receive messages from it. RPC requests are required to include a random number (``$random``) from
			`which the node is able to construct the queue the user is listening on and send the response to that. This mechanism`
			`prevents other users from being able listen in on the responses.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
			`Security`
			`--------`

			`Clients attempting to connect to the node's broker fall in one of four groups:`

Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			#. Anyone connecting with the username ``SystemUsers/Node`` is treated as the node hosting the broker, or a logical
			`component of the node. The TLS certificate they provide must match the one broker has for the node. If that's the case`
			`they are given full access to all valid queues, otherwise they are rejected.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			#. Anyone connecting with the username ``SystemUsers/Peer`` is treated as a peer on the same Corda network as the node. Their
			`TLS root CA must be the same as the node's root CA - the root CA is the doorman of the network and having the same root CA`
			`implies we've been let in by the same doorman. If they are part of the same network then they are only given permission`
Rename the inbox (#2360) Add changelog entry Address review comments Alternate solution to service queues Fixup after merge 2018-01-17 16:06:31 +00:00			to send to our ``p2p.inbound.$identity`` queue, otherwise they are rejected.
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`#. Every other username is treated as a RPC user and authenticated against the node's list of valid RPC users. If that`
			`is successful then they are only given sufficient permission to perform RPC, otherwise they are rejected.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Further fixes to messaging.rst 2016-12-06 21:14:21 +00:00			`#. Clients connecting without a username and password are rejected.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
			`Artemis provides a feature of annotating each received message with the validated user. This allows the node's messaging`
			`service to provide authenticated messages to the rest of the system. For the first two client types described above the`
Removed out-of-date warnings regarding the switchover to X.500 names 2017-07-24 16:59:32 +00:00			`validated user is the X.500 subject of the client TLS certificate. This allows the flow framework to authentically determine`
			the ``Party`` initiating a new flow. For RPC clients the validated user is the username itself and the RPC framework uses
			`this to determine what permissions the user has.`
Added security to RPC and P2P systems. 2016-11-07 14:30:40 +00:00
Removed out-of-date warnings regarding the switchover to X.500 names 2017-07-24 16:59:32 +00:00			`The broker also does host verification when connecting to another peer. It checks that the TLS certificate subject matches`
			`with the advertised X.500 legal name from the network map service.`