ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-06-18 15:18:16 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/open/master' into merges/june-29-10-20

Browse Source 
# Conflicts:
#	docs/source/upgrade-notes.rst
This commit is contained in:
sollecitom
2018-06-29 10:22:16 +01:00
parent 43e934beb3 62cb443892
commit ec4ec7e8c6
6 changed files with 79 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docs/source/corda-configuration-file.rst
View File

@ -276,11 +276,13 @@ absolute path to the node's base directory.
.. note:: This is temporary feature for onboarding network participants that limits their visibility for privacy reasons.
:tlsCertCrlDistPoint: CRL distribution point (i.e. URL) for the TLS certificate. Default value is NULL, which indicates no CRL availability for the TLS certificate.
Note: If crlCheckSoftFail is FALSE (meaning that there is the strict CRL checking mode) this value needs to be set.
.. note:: This needs to be set if crlCheckSoftFail is false (i.e. strict CRL checking is on).
:tlsCertCrlIssuer: CRL issuer (given in the X500 name format) for the TLS certificate. Default value is NULL,
which indicates that the issuer of the TLS certificate is also the issuer of the CRL.
Note: If this parameter is set then the tlsCertCrlDistPoint needs to be set as well.
.. note:: If this parameter is set then `tlsCertCrlDistPoint` needs to be set as well.
:flowMonitorPeriodMillis: ``Duration`` of the period suspended flows waiting for IO are logged. Default value is ``60 seconds``.
@ -369,3 +371,22 @@ This is an example of adding/overriding the keyStore password :
.. sourcecode:: shell
java -Dcorda.rpcSettings.ssl.keyStorePassword=mypassword -jar node.jar
CRL Configuration
-----------------
The Corda Network provides an endpoint serving an empty certificate revocation list for the TLS-level certificates.
This is intended for deployments that do not provide a CRL infrastructure but still require a strict CRL mode checking.
In such a case use the following URL in `tlsCertCrlDistPoint` option configuration:
.. sourcecode:: kotlin
"https://crl.cordaconnect.org/cordatls.crl"
Together with the above configuration `tlsCertCrlIssuer` option needs to be set to the following value:
.. sourcecode:: kotlin
"C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Corda Root CA"
This set-up ensures that the TLS-level certificates are embedded with the CRL distribution point referencing the CRL issued by R3.
In cases where a proprietary CRL infrastructure is provided those values need to be changed accordingly.