Merge pull request #701 from corda/os-merge-2792716
O/S merge from 2792716
This commit is contained in:
commit
712bf6b43d
@ -1,4 +0,0 @@
|
|||||||
myLegalName : "O=Notary Service,OU=corda,L=London,C=GB"
|
|
||||||
keyStorePassword : "cordacadevpass"
|
|
||||||
trustStorePassword : "trustpass"
|
|
||||||
p2pAddress : "my-network-map:10000"
|
|
@ -18,4 +18,3 @@ rpcUsers : [
|
|||||||
{ username=user1, password=letmein, permissions=[ StartFlow.net.corda.protocols.CashProtocol ] }
|
{ username=user1, password=letmein, permissions=[ StartFlow.net.corda.protocols.CashProtocol ] }
|
||||||
]
|
]
|
||||||
devMode : true
|
devMode : true
|
||||||
// certificateSigningService : "https://testnet.certificate.corda.net"
|
|
||||||
|
@ -39,8 +39,7 @@ class ExampleConfigTest {
|
|||||||
fun `example node_confs parses fine`() {
|
fun `example node_confs parses fine`() {
|
||||||
readAndCheckConfigurations<NodeConfiguration>(
|
readAndCheckConfigurations<NodeConfiguration>(
|
||||||
"example-node.conf",
|
"example-node.conf",
|
||||||
"example-out-of-process-verifier-node.conf",
|
"example-out-of-process-verifier-node.conf"
|
||||||
"example-network-map-node.conf"
|
|
||||||
) {
|
) {
|
||||||
val baseDirectory = Paths.get("some-example-base-dir")
|
val baseDirectory = Paths.get("some-example-base-dir")
|
||||||
ConfigHelper.loadConfig(
|
ConfigHelper.loadConfig(
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
Creating nodes locally
|
Creating nodes locally
|
||||||
======================
|
======================
|
||||||
|
|
||||||
|
.. contents::
|
||||||
|
|
||||||
Node structure
|
Node structure
|
||||||
--------------
|
--------------
|
||||||
Each Corda node has the following structure:
|
A Corda node has the following structure:
|
||||||
|
|
||||||
.. sourcecode:: none
|
.. sourcecode:: none
|
||||||
|
|
||||||
@ -23,6 +25,8 @@ In development mode (i.e. when ``devMode = true``, see :doc:`corda-configuration
|
|||||||
directory is filled with pre-configured keystores if the required keystores do not exist. This ensures that developers
|
directory is filled with pre-configured keystores if the required keystores do not exist. This ensures that developers
|
||||||
can get the nodes working as quickly as possible. However, these pre-configured keystores are not secure, to learn more see :doc:`permissioning`.
|
can get the nodes working as quickly as possible. However, these pre-configured keystores are not secure, to learn more see :doc:`permissioning`.
|
||||||
|
|
||||||
|
.. _node_naming:
|
||||||
|
|
||||||
Node naming
|
Node naming
|
||||||
-----------
|
-----------
|
||||||
A node's name must be a valid X.500 distinguished name. In order to be compatible with other implementations
|
A node's name must be a valid X.500 distinguished name. In order to be compatible with other implementations
|
||||||
@ -101,7 +105,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
|
|||||||
// The notary will offer a validating notary service.
|
// The notary will offer a validating notary service.
|
||||||
notary = [validating : true]
|
notary = [validating : true]
|
||||||
p2pPort 10002
|
p2pPort 10002
|
||||||
rpcPort 10003
|
rpcSettings {
|
||||||
|
port 10003
|
||||||
|
adminPort 10023
|
||||||
|
}
|
||||||
// No webport property, so no webserver will be created.
|
// No webport property, so no webserver will be created.
|
||||||
h2Port 10004
|
h2Port 10004
|
||||||
// Includes the corda-finance CorDapp on our node.
|
// Includes the corda-finance CorDapp on our node.
|
||||||
@ -110,7 +117,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
|
|||||||
node {
|
node {
|
||||||
name "O=PartyA,L=London,C=GB"
|
name "O=PartyA,L=London,C=GB"
|
||||||
p2pPort 10005
|
p2pPort 10005
|
||||||
rpcPort 10006
|
rpcSettings {
|
||||||
|
port 10006
|
||||||
|
adminPort 10026
|
||||||
|
}
|
||||||
webPort 10007
|
webPort 10007
|
||||||
h2Port 10008
|
h2Port 10008
|
||||||
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
|
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
|
||||||
@ -120,7 +130,10 @@ in the `Kotlin CorDapp Template <https://github.com/corda/cordapp-template-kotli
|
|||||||
node {
|
node {
|
||||||
name "O=PartyB,L=New York,C=US"
|
name "O=PartyB,L=New York,C=US"
|
||||||
p2pPort 10009
|
p2pPort 10009
|
||||||
rpcPort 10010
|
rpcSettings {
|
||||||
|
port 10010
|
||||||
|
adminPort 10030
|
||||||
|
}
|
||||||
webPort 10011
|
webPort 10011
|
||||||
h2Port 10012
|
h2Port 10012
|
||||||
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
|
cordapps = ["$corda_release_distribution:corda-finance:$corda_release_version"]
|
||||||
@ -171,7 +184,7 @@ Following the previous example ``PartyB`` node will have additional configuratio
|
|||||||
}
|
}
|
||||||
|
|
||||||
Specifying a custom webserver
|
Specifying a custom webserver
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
By default, any node listing a webport will use the default development webserver, which is not production-ready. You
|
By default, any node listing a webport will use the default development webserver, which is not production-ready. You
|
||||||
can use your own webserver JAR instead by using the ``webserverJar`` argument in a ``Cordform`` ``node`` configuration
|
can use your own webserver JAR instead by using the ``webserverJar`` argument in a ``Cordform`` ``node`` configuration
|
||||||
block:
|
block:
|
||||||
@ -189,8 +202,72 @@ The webserver JAR will be copied into the node's ``build`` folder with the name
|
|||||||
.. warning:: This is an experimental feature. There is currently no support for reading the webserver's port from the
|
.. warning:: This is an experimental feature. There is currently no support for reading the webserver's port from the
|
||||||
node's ``node.conf`` file.
|
node's ``node.conf`` file.
|
||||||
|
|
||||||
Running deployNodes
|
The Dockerform task
|
||||||
~~~~~~~~~~~~~~~~~~~
|
-------------------
|
||||||
|
|
||||||
|
The ```Dockerform``` is a sister task of ```Cordform```. It has nearly the same syntax and produces very
|
||||||
|
similar results - enhanced by an extra file to enable easy spin up of nodes using ```docker-compose```.
|
||||||
|
Below you can find the example task from the ```IRS Demo<https://github.com/corda/corda/blob/release-V3.0/samples/irs-demo/cordapp/build.gradle#L111>```
|
||||||
|
included in the samples directory of main Corda GitHub repository:
|
||||||
|
|
||||||
|
.. sourcecode:: groovy
|
||||||
|
|
||||||
|
def rpcUsersList = [
|
||||||
|
['username' : "user",
|
||||||
|
'password' : "password",
|
||||||
|
'permissions' : [
|
||||||
|
"StartFlow.net.corda.irs.flows.AutoOfferFlow\$Requester",
|
||||||
|
"StartFlow.net.corda.irs.flows.UpdateBusinessDayFlow\$Broadcast",
|
||||||
|
"StartFlow.net.corda.irs.api.NodeInterestRates\$UploadFixesFlow",
|
||||||
|
"InvokeRpc.vaultQueryBy",
|
||||||
|
"InvokeRpc.networkMapSnapshot",
|
||||||
|
"InvokeRpc.currentNodeTime",
|
||||||
|
"InvokeRpc.wellKnownPartyFromX500Name"
|
||||||
|
]]
|
||||||
|
]
|
||||||
|
|
||||||
|
// (...)
|
||||||
|
|
||||||
|
task prepareDockerNodes(type: net.corda.plugins.Dockerform, dependsOn: ['jar']) {
|
||||||
|
|
||||||
|
node {
|
||||||
|
name "O=Notary Service,L=Zurich,C=CH"
|
||||||
|
notary = [validating : true]
|
||||||
|
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
|
||||||
|
rpcUsers = rpcUsersList
|
||||||
|
useTestClock true
|
||||||
|
}
|
||||||
|
node {
|
||||||
|
name "O=Bank A,L=London,C=GB"
|
||||||
|
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
|
||||||
|
rpcUsers = rpcUsersList
|
||||||
|
useTestClock true
|
||||||
|
}
|
||||||
|
node {
|
||||||
|
name "O=Bank B,L=New York,C=US"
|
||||||
|
cordapps = ["${project(":finance").group}:finance:$corda_release_version"]
|
||||||
|
rpcUsers = rpcUsersList
|
||||||
|
useTestClock true
|
||||||
|
}
|
||||||
|
node {
|
||||||
|
name "O=Regulator,L=Moscow,C=RU"
|
||||||
|
cordapps = ["${project.group}:finance:$corda_release_version"]
|
||||||
|
rpcUsers = rpcUsersList
|
||||||
|
useTestClock true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
There is no need to specify the ports, as every node is a separated container, so no ports conflict will occur.
|
||||||
|
Running the task will create the same folders structure as described in :ref:`The Cordform task` with an additional
|
||||||
|
```Dockerfile`` in each node directory, and ```docker-compose.yml``` in ```build/nodes``` directory. Every node
|
||||||
|
by default exposes port 10003 which is the default one for RPC connections.
|
||||||
|
|
||||||
|
.. warning:: Webserver is not supported by this task!
|
||||||
|
|
||||||
|
.. warning:: Nodes are run without the local shell enabled!
|
||||||
|
|
||||||
|
Running the Cordform/Dockerform tasks
|
||||||
|
-------------------------------------
|
||||||
To create the nodes defined in our ``deployNodes`` task, run the following command in a terminal window from the root
|
To create the nodes defined in our ``deployNodes`` task, run the following command in a terminal window from the root
|
||||||
of the project where the ``deployNodes`` task is defined:
|
of the project where the ``deployNodes`` task is defined:
|
||||||
|
|
||||||
|
@ -15,6 +15,8 @@ Most production deployments will use an existing certificate authority or constr
|
|||||||
made available in the coming months. Until then, the documentation below can be used to create your own certificate
|
made available in the coming months. Until then, the documentation below can be used to create your own certificate
|
||||||
authority.
|
authority.
|
||||||
|
|
||||||
|
.. note:: If you are looking for information on how to connect to the existing compatibility zone go to the section: `Connecting to a compatibility zone`_
|
||||||
|
|
||||||
Certificate hierarchy
|
Certificate hierarchy
|
||||||
---------------------
|
---------------------
|
||||||
A Corda network has four types of certificate authorities (CAs):
|
A Corda network has four types of certificate authorities (CAs):
|
||||||
@ -177,3 +179,39 @@ For each node, copy the following files to the node's certificate directory (``<
|
|||||||
1. The node's ``nodekeystore.jks`` keystore
|
1. The node's ``nodekeystore.jks`` keystore
|
||||||
2. The node's ``sslkeystore.jks`` keystore
|
2. The node's ``sslkeystore.jks`` keystore
|
||||||
3. The root network CA's ``truststore.jks`` keystore
|
3. The root network CA's ``truststore.jks`` keystore
|
||||||
|
|
||||||
|
Connecting to a compatibility zone
|
||||||
|
----------------------------------
|
||||||
|
To connect to a compatibility zone you need to register with their certificate signing authority (doorman) by submitting
|
||||||
|
a certificate signing request (CSR) to obtain a valid identity for the zone.
|
||||||
|
|
||||||
|
Before you can register, you must first have received the trust store file containing the root certificate from the zone
|
||||||
|
operator. Then run the following command:
|
||||||
|
|
||||||
|
``java -jar corda.jar --initial-registration --network-root-truststore-password <trust store password>``
|
||||||
|
|
||||||
|
By default it will expect the trust store file to be in the location ``certificates/network-root-truststore.jks``.
|
||||||
|
This can be overridden with the additional ``--network-root-truststore`` flag.
|
||||||
|
|
||||||
|
The certificate signing request will be created based on node information obtained from the node configuration.
|
||||||
|
The following information from the node configuration file is needed to generate the request.
|
||||||
|
|
||||||
|
:myLegalName: Your company's legal name as an X.500 string. X.500 allows differentiation between entities with the same
|
||||||
|
name as the legal name needs to be unique on the network. If another node has already been permissioned with this
|
||||||
|
name then the permissioning server will automatically reject the request. The request will also be rejected if it
|
||||||
|
violates legal name rules, see :ref:`node_naming` for more information.
|
||||||
|
|
||||||
|
:emailAddress: e.g. "admin@company.com"
|
||||||
|
|
||||||
|
:devMode: must be set to false
|
||||||
|
|
||||||
|
:compatibilityZoneURL: Corda compatibility zone network management service root URL.
|
||||||
|
|
||||||
|
A new pair of private and public keys generated by the Corda node will be used to create the request.
|
||||||
|
|
||||||
|
The utility will submit the request to the doorman server and poll for a result periodically to retrieve the certificates.
|
||||||
|
Once the request has been approved and the certificates downloaded from the server, the node will create the keystore and trust store using the certificates and the generated private key.
|
||||||
|
|
||||||
|
.. note:: You can exit the utility at any time if the approval process is taking longer than expected. The request process will resume on restart.
|
||||||
|
|
||||||
|
This process only is needed when the node connects to the network for the first time, or when the certificate expires.
|
||||||
|
@ -46,6 +46,8 @@ import java.security.KeyPair
|
|||||||
import java.security.cert.CertPath
|
import java.security.cert.CertPath
|
||||||
import java.security.cert.Certificate
|
import java.security.cert.Certificate
|
||||||
import java.security.cert.X509Certificate
|
import java.security.cert.X509Certificate
|
||||||
|
import java.util.concurrent.ConcurrentHashMap
|
||||||
|
import java.util.concurrent.ConcurrentSkipListSet
|
||||||
import java.util.zip.ZipEntry
|
import java.util.zip.ZipEntry
|
||||||
import java.util.zip.ZipOutputStream
|
import java.util.zip.ZipOutputStream
|
||||||
import javax.ws.rs.*
|
import javax.ws.rs.*
|
||||||
@ -132,8 +134,8 @@ class NodeRegistrationTest : IntegrationTest() {
|
|||||||
|
|
||||||
@Path("certificate")
|
@Path("certificate")
|
||||||
class RegistrationHandler(private val rootCertAndKeyPair: CertificateAndKeyPair) {
|
class RegistrationHandler(private val rootCertAndKeyPair: CertificateAndKeyPair) {
|
||||||
private val certPaths = HashMap<String, CertPath>()
|
private val certPaths = ConcurrentHashMap<String, CertPath>()
|
||||||
val idsPolled = HashSet<String>()
|
val idsPolled = ConcurrentSkipListSet<String>()
|
||||||
|
|
||||||
companion object {
|
companion object {
|
||||||
val log = loggerFor<RegistrationHandler>()
|
val log = loggerFor<RegistrationHandler>()
|
||||||
|
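Review bot: `idsPolled` on the new side is still a public mutable collection, so moving it to `ConcurrentSkipListSet` makes each add/contains call atomic but still lets any caller mutate the set and gives no atomicity across the `certPaths`/`idsPolled` pair; the handler methods that touch them are outside this hunk, so whether a check-then-act spans both cannot be confirmed from here. If the only outside use is reading, expose a read-only view: `private val _idsPolled = ConcurrentSkipListSet<String>()` and `val idsPolled: Set<String> get() = _idsPolled`. No ordering of ids is visible as a requirement, so `ConcurrentHashMap.newKeySet<String>()` would be the more conventional choice than a skip list and drops the Comparable requirement on the element type. Either way the reason for the change deserves a comment on the two fields, e.g. `// Presumably mutated from JAX-RS request threads while the test thread inspects them; keep thread-safe.`, since nothing in the visible class body says why plain collections were unsafe. RegistrationHandler's body continues outside the hunk.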