Merge pull request #701 from corda/os-merge-2792716

O/S merge from 2792716
This commit is contained in:
Shams Asari 2018-04-09 09:51:59 +01:00 committed by GitHub
commit 712bf6b43d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 127 additions and 16 deletions


@ -1,4 +0,0 @@
myLegalName : "O=Notary Service,OU=corda,L=London,C=GB"
keyStorePassword : "cordacadevpass"
trustStorePassword : "trustpass"
p2pAddress : "my-network-map:10000"


@ -18,4 +18,3 @@ rpcUsers : [
{ username=user1, password=letmein, permissions=[ StartFlow.net.corda.protocols.CashProtocol ] }
]
devMode : true
// certificateSigningService : "https://testnet.certificate.corda.net"


@ -39,8 +39,7 @@ class ExampleConfigTest {
fun `example node_confs parses fine`() {
readAndCheckConfigurations<NodeConfiguration>(
"example-node.conf",
"example-out-of-process-verifier-node.conf",
"example-network-map-node.conf"
"example-out-of-process-verifier-node.conf"
) {
val baseDirectory = Paths.get("some-example-base-dir")
ConfigHelper.loadConfig(


@ -1,9 +1,11 @@
Creating nodes locally
======================
.. contents::
Node structure
--------------
Each Corda node has the following structure:
A Corda node has the following structure:
.. sourcecode:: none
@ -23,6 +25,8 @@ In development mode (i.e. when ``devMode = true``, see :doc:`corda-configuration
directory is filled with pre-configured keystores if the required keystores do not exist. This ensures that developers
can get the nodes working as quickly as possible. However, these pre-configured keystores are not secure, to learn more see :doc:`permissioning`.
.. _node_naming:
Node naming
-----------
A node's name must be a valid X.500 distinguished name. In order to be compatible with other implementations
@ -101,7 +105,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
// The notary will offer a validating notary service.
notary = [validating : true]
p2pPort 10002
rpcPort 10003
rpcSettings {
port 10003
adminPort 10023
}
// No webport property, so no webserver will be created.
h2Port 10004
// Includes the corda-finance CorDapp on our node.
@ -110,7 +117,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
node {
name "O=PartyA,L=London,C=GB"
p2pPort 10005
rpcPort 10006
rpcSettings {
port 10006
adminPort 10026
}
webPort 10007
h2Port 10008
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
@ -120,7 +130,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
node {
name "O=PartyB,L=New York,C=US"
p2pPort 10009
rpcPort 10010
rpcSettings {
port 10010
adminPort 10030
}
webPort 10011
h2Port 10012
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
@ -171,7 +184,7 @@ Following the previous example ``PartyB`` node will have additional configuratio
}
Specifying a custom webserver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By default, any node listing a webport will use the default development webserver, which is not production-ready. You
can use your own webserver JAR instead by using the ``webserverJar`` argument in a ``Cordform`` ``node`` configuration
block:
@ -189,8 +202,72 @@ The webserver JAR will be copied into the node's ``build`` folder with the name
.. warning:: This is an experimental feature. There is currently no support for reading the webserver's port from the
node's ``node.conf`` file.
Running deployNodes
~~~~~~~~~~~~~~~~~~~
The Dockerform task
-------------------
The ```Dockerform``` is a sister task of ```Cordform```. It has nearly the same syntax and produces very
similar results - enhanced by an extra file to enable easy spin up of nodes using ```docker-compose```.
Below you can find the example task from the ```IRS Demo<https://github.com/corda/corda/blob/release-V3.0/samples/irs-demo/cordapp/build.gradle#L111>```
included in the samples directory of main Corda GitHub repository:
.. sourcecode:: groovy
def rpcUsersList = [
['username' : "user",
'password' : "password",
'permissions' : [
"StartFlow.net.corda.irs.flows.AutoOfferFlow\$Requester",
"StartFlow.net.corda.irs.flows.UpdateBusinessDayFlow\$Broadcast",
"StartFlow.net.corda.irs.api.NodeInterestRates\$UploadFixesFlow",
"InvokeRpc.vaultQueryBy",
"InvokeRpc.networkMapSnapshot",
"InvokeRpc.currentNodeTime",
"InvokeRpc.wellKnownPartyFromX500Name"
]]
]
// (...)
task prepareDockerNodes(type: net.corda.plugins.Dockerform, dependsOn: ['jar']) {
node {
name "O=Notary Service,L=Zurich,C=CH"
notary = [validating : true]
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
rpcUsers = rpcUsersList
useTestClock true
}
node {
name "O=Bank A,L=London,C=GB"
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
rpcUsers = rpcUsersList
useTestClock true
}
node {
name "O=Bank B,L=New York,C=US"
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
rpcUsers = rpcUsersList
useTestClock true
}
node {
name "O=Regulator,L=Moscow,C=RU"
cordapps = ["${project.group}:finance:$corda_release_version"]
rpcUsers = rpcUsersList
useTestClock true
}
}
There is no need to specify the ports, as every node is a separated container, so no ports conflict will occur.
Running the task will create the same folders structure as described in :ref:`The Cordform task` with an additional
```Dockerfile`` in each node directory, and ```docker-compose.yml``` in ```build/nodes``` directory. Every node
by default exposes port 10003 which is the default one for RPC connections.
.. warning:: Webserver is not supported by this task!
.. warning:: Nodes are run without the local shell enabled!
Running the Cordform/Dockerform tasks
-------------------------------------
To create the nodes defined in our ``deployNodes`` task, run the following command in a terminal window from the root
of the project where the ``deployNodes`` task is defined:


@ -15,6 +15,8 @@ Most production deployments will use an existing certificate authority or constr
made available in the coming months. Until then, the documentation below can be used to create your own certificate
authority.
.. note:: If you are looking for information on how to connect to the existing compatibility zone go to the section: `Connecting to a compatibility zone`_
Certificate hierarchy
---------------------
A Corda network has four types of certificate authorities (CAs):
@ -177,3 +179,39 @@ For each node, copy the following files to the node's certificate directory (``<
1. The node's ``nodekeystore.jks`` keystore
2. The node's ``sslkeystore.jks`` keystore
3. The root network CA's ``truststore.jks`` keystore
Connecting to a compatibility zone
----------------------------------
To connect to a compatibility zone you need to register with their certificate signing authority (doorman) by submitting
a certificate signing request (CSR) to obtain a valid identity for the zone.
Before you can register, you must first have received the trust store file containing the root certificate from the zone
operator. Then run the following command:
``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``
By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
This can be overridden with the additional ``--network-root-truststore`` flag.
The certificate signing request will be created based on node information obtained from the node configuration.
The following information from the node configuration file is needed to generate the request.
:myLegalName: Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same
name as the legal name needs to be unique on the network. If another node has already been permissioned with this
name then the permissioning server will automatically reject the request. The request will also be rejected if it
violates legal name rules, see :ref:`node_naming` for more information.
:emailAddress: e.g. "admin@company.com"
:devMode: must be set to false
:compatibilityZoneURL: Corda compatibility zone network management service root URL.
A new pair of private and public keys generated by the Corda node will be used to create the request.
The utility will submit the request to the doorman server and poll for a result periodically to retrieve the certificates.
Once the request has been approved and the certificates downloaded from the server, the node will create the keystore and trust store using the certificates and the generated private key.
.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request process will resume on restart.
This process only is needed when the node connects to the network for the first time, or when the certificate expires.


@ -46,6 +46,8 @@ import java.security.KeyPair
import java.security.cert.CertPath
import java.security.cert.Certificate
import java.security.cert.X509Certificate
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.ConcurrentSkipListSet
import java.util.zip.ZipEntry
import java.util.zip.ZipOutputStream
import javax.ws.rs.*
@ -132,8 +134,8 @@ class NodeRegistrationTest : IntegrationTest() {
@Path("certificate")
class RegistrationHandler(private val rootCertAndKeyPair: CertificateAndKeyPair) {
private val certPaths = HashMap<String, CertPath>()
val idsPolled = HashSet<String>()
private val certPaths = ConcurrentHashMap<String, CertPath>()
val idsPolled = ConcurrentSkipListSet<String>()
companion object {
val log = loggerFor<RegistrationHandler>()
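Review bot: `idsPolled` on the new side is a public `val` that hands out the mutable `ConcurrentSkipListSet` itself, so any code holding a `RegistrationHandler` can add or remove ids rather than just observe them; a backing property, `private val _idsPolled = ConcurrentSkipListSet<String>()` with `val idsPolled: Set<String> get() = _idsPolled`, keeps the concurrent container internal while preserving the read access the test needs. The switch from `HashMap`/`HashSet` to concurrent collections also deserves a one-line comment stating why, e.g. `// populated from the JAX-RS request threads and read by the test thread` — presumably that is the reason, but the handler methods that touch these fields are outside the hunk so I cannot confirm it. Note that `ConcurrentHashMap` rejects null keys and values where `HashMap` did not, which only matters if any handler path can store a null `CertPath`. The body of `RegistrationHandler` continues past the end of the hunk.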