8.7 KiB
Node configuration
File location
The Corda all-in-one corda.jar
file is generated by the gradle buildCordaJAR
task and defaults to reading configuration from a node.conf
file in the present working directory. This behaviour can be overidden using the --config-file
command line option to target configuration files with different names, or different file location (relative paths are relative to the current working directory). Also, the --base-directory
command line option alters the Corda node workspace location and if specified a node.conf
configuration file is then expected in the root of the workspace.
The configuration file templates used for the gradle deployNodes
task are to be found in the /config/dev
folder. Also note that there is a basic set of defaults loaded from the built in resource file /node/src/main/resources/reference.conf
of the :node
gradle module. All properties in this can be overidden in the file configuration and for rarely changed properties this defaulting allows the property to be excluded from the configuration file.
Format
The Corda configuration file uses the HOCON format which is superset of JSON. It has several features which makes it very useful as a configuration format. Please visit their page for further details.
Examples
General node configuration file for hosting the IRSDemo services.
example-code/src/main/resources/example-node.conf
NetworkMapService plus Simple Notary configuration file.
myLegalName : "CN=Notary Service,O=R3,OU=corda,L=London,C=GB" keyStorePassword : "cordacadevpass" trustStorePassword : "trustpass" p2pAddress : "localhost:12345" rpcAddress : "localhost:12346" webAddress : "localhost:12347" extraAdvertisedServiceIds : ["corda.notary.simple"] useHTTPS : false devMode : true // Certificate signing service will be hosted by R3 in the near future. //certificateSigningService : "https://testnet.certificate.corda.net"
Fields
The available config fields are listed below. basedir
is available as a substitution value, containing the absolute path to the node's base directory.
- myLegalName
The legal identity of the node acts as a human readable alias to the node's public key and several demos use this to lookup the NodeInfo.
- keyStorePassword
The password to unlock the KeyStore file (
<workspace>/certificates/sslkeystore.jks
) containing the node certificate and private key.Note
This is the non-secret value for the development certificates automatically generated during the first node run. Longer term these keys will be managed in secure hardware devices.
- trustStorePassword
The password to unlock the Trust store file (
<workspace>/certificates/truststore.jks
) containing the Corda network root certificate. This is the non-secret value for the development certificates automatically generated during the first node run.Note
Longer term these keys will be managed in secure hardware devices.
- dataSourceProperties
This section is used to configure the jdbc connection and database driver used for the nodes persistence. Currently the defaults in
/node/src/main/resources/reference.conf
are as shown in the first example. This is currently the only configuration that has been tested, although in the future full support for other storage layers will be validated.- messagingServerAddress
The address of the ArtemisMQ broker instance. If not provided the node will run one locally.
- p2pAddress
The host and port on which the node is available for protocol operations over ArtemisMQ.
Note
In practice the ArtemisMQ messaging services bind to all local addresses on the specified port. However, note that the host is the included as the advertised entry in the NetworkMapService. As a result the value listed here must be externally accessible when running nodes across a cluster of machines. If the provided host is unreachable, the node will try to auto-discover its public one.
- rpcAddress
The address of the RPC system on which RPC requests can be made to the node. If not provided then the node will run without RPC.
- webAddress
The host and port on which the webserver will listen if it is started. This is not used by the node itself.
Note
If HTTPS is enabled then the browser security checks will require that the accessing url host name is one of either the machine name, fully qualified machine name, or server IP address to line up with the Subject Alternative Names contained within the development certificates. This is addition to requiring the
/config/dev/corda_dev_ca.cer
root certificate be installed as a Trusted CA.Note
The driver will not automatically create a webserver instance, but the Cordformation will. If this field is present the web server will start.
- extraAdvertisedServiceIds
A list of ServiceType id strings to be advertised to the NetworkMapService and thus be available when other nodes query the NetworkMapCache for supporting nodes. This can also include plugin services loaded from .jar files in the plugins folder. Optionally, a custom advertised service name can be provided by appending it to the service type id:
"corda.notary.validating|Notary A"
- notaryNodeAddress
The host and port to which to bind the embedded Raft server. Required only when running a distributed notary service. A group of Corda nodes can run a distributed notary service by each running an embedded Raft server and joining them to the same cluster to replicate the committed state log. Note that the Raft cluster uses a separate transport layer for communication that does not integrate with ArtemisMQ messaging services.
- notaryClusterAddresses
List of Raft cluster member addresses used to join the cluster. At least one of the specified members must be active and be able to communicate with the cluster leader for joining. If empty, a new cluster will be bootstrapped. Required only when running a distributed notary service.
- networkMapService
If null, or missing the node is declaring itself as the NetworkMapService host. Otherwise this is a config object with the details of the network map service:
- address
Host and port string of the ArtemisMQ broker hosting the network map node
- legalName
Legal name of the node. This is required as part of the TLS host verification process. The node will reject the connection to the network map service if it provides a TLS common name which doesn't match with this value.
- minimumPlatformVersion
Used by the node if it's running the network map service to enforce a minimum version requirement on registrations - any node on a Platform Version lower than this value will have their registration rejected. Defaults to 1 if absent.
- useHTTPS
If false the node's web server will be plain HTTP. If true the node will use the same certificate and private key from the
<workspace>/certificates/sslkeystore.jks
file as the ArtemisMQ port for HTTPS. If HTTPS is enabled then unencrypted HTTP traffic to the node's webAddress port is not supported.- rpcUsers
A list of users who are authorised to access the RPC system. Each user in the list is a config object with the following fields:
- username
Username consisting only of word characters (a-z, A-Z, 0-9 and _)
- password
The password
- permissions
A list of permission strings which RPC methods can use to control access
If this field is absent or an empty list then RPC is effectively locked down. Alternatively, if it contains the string
ALL
then the user is permitted to use any RPC method. This value is intended for administrator users and for developers.- devMode
This flag indicate if the node is running in development mode. On startup, if the keystore
<workspace>/certificates/sslkeystore.jks
does not exist, a developer keystore will be used ifdevMode
is true. The node will exit ifdevMode
is false and keystore does not exist.- detectPublicIp
This flag toggles the auto IP detection behaviour, it is enabled by default. On startup the node will attempt to discover its externally visible IP address first by looking for any public addresses on its network interfaces, and then by sending an IP discovery request to the network map service. Set to
false
to disable.- certificateSigningService
Certificate Signing Server address. It is used by the certificate signing request utility to obtain SSL certificate. (See
permissioning
for more information.)