Installation and usage of the platform

Precise platform configuration: TLS

In order to work with the node over TLS, besides configuring it in the node config file, a user must first create the keystore file itself with the keytool utility:

keytool \
-keystore we.jks -storepass 123456 -keypass 123456 \
-genkey -alias we -keyalg RSA -validity 9999 \
-dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" \
-ext "SAN=DNS:welocal.dev,DNS:localhost,IP:51.210.211.61,IP:127.0.0.1"
  • keystore - keystore file name.

  • storepass - keystore password, which should be stated in the keystore-password section of the node config file.

  • keypass - private key password, which should be stated in the private-key-password section of the config file.

  • alias - an alias name (upon a user decision).

  • keyalg - keypair generation algorithm.

  • validity - keypair validity time in days.

  • dname - distinguished name according to the X.500 standard, connected with the keystore alias.

  • ext - extensions that are used for key generation; the SAN (Subject Alternative Name) extension should list every host name and IP address under which the node will be reached, so that the certificate is accepted when the node is used in different networks.

As a result of the keytool utility execution, the keystore file with the filename we.jks will be obtained. In order to connect to a node operating over TLS, a user should also export the node certificate from the keystore:

keytool -export -keystore we.jks -alias we -file we.cert

The obtained certificate file we.cert should be imported into the client's trusted certificate storage. If the node is located in the same network as the user, it is enough to state a relative path to the we.jks file in the node config file, as demonstrated above.

In case the node is located in another network, the we.cert certificate file should be imported into the keystore:

keytool -importcert -alias we -file we.cert -keystore we.jks

Then also specify the relative path to we.jks in the tls section of the node configuration file.

The tls section contains the following parameters:

tls {
  type = EMBEDDED
  keystore-path = ${node.directory}"/we_tls.jks"
  keystore-password = ${TLS_KEYSTORE_PASSWORD}
  private-key-password = ${TLS_PRIVATE_KEY_PASSWORD}
}

  • type - TLS mode. Possible options: DISABLED (TLS is off; in this case the other options should be removed or commented out) and EMBEDDED (TLS is on; the certificate is signed by the node provider and packed within a JKS keystore file, and the keystore location and access parameters must be stated by the user in the fields below).

  • keystore-path - keystore relative path within the node directory: ${node.directory}"/we_tls.jks".

  • keystore-password - password for the node keystore. Specify the password you set earlier with the storepass flag for the keytool utility.

  • private-key-password - password for the private key. Specify the password you set earlier with the keypass flag for the keytool utility.
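The keytool procedure above passes both passwords as literal command-line arguments, where they end up in shell history and in process listings, and it leaves the keystore file with the default permissions. The script below is an added example (not part of the Waves Enterprise documentation or the node distribution) that runs the same keytool sequence with the passwords read from the very environment variables the tls section references, validates the SAN entries before they reach keytool, and checks that the resulting keystore is readable by its owner only. It assumes a JDK keytool on PATH (keytool's `-storepass:env` / `-keypass:env` modifiers exist in JDK 8 and later) and uses the alias, DN fields and validity from the page; the function names and the `--run`-style argument handling are the example's own.

```shell
#!/bin/sh
# Added example: generate the node TLS keystore without exposing passwords on the
# command line, then verify the keystore's file permissions.
# Assumed: keytool (JDK 8+) on PATH; TLS_KEYSTORE_PASSWORD and
# TLS_PRIVATE_KEY_PASSWORD exported, matching the tls section of the node config.
set -eu

# A SAN entry is accepted only as DNS:<name> or IP:<dotted quad>.
san_entry_ok() {
  case "$1" in
    DNS:?*) return 0 ;;
    IP:*)
      ip=${1#IP:}
      echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    *) return 1 ;;
  esac
}

# Join SAN entries into the keytool -ext value, e.g. "SAN=DNS:localhost,IP:127.0.0.1".
# Prints nothing and returns 1 if any entry is malformed, so a typo fails early
# instead of producing a certificate that no client will accept.
build_san_ext() {
  out=""
  for e in "$@"; do
    san_entry_ok "$e" || return 1
    out="${out:+$out,}$e"
  done
  printf 'SAN=%s\n' "$out"
}

# True only if the file is a regular file with mode -rw------- (owner read/write).
# Uses ls so it works with both GNU and BSD userlands.
keystore_perms_ok() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# gen_tls_keystore <keystore> <alias> <common name> <SAN entry>...
# Creates the keystore and exports the node certificate as <alias>.cert.
gen_tls_keystore() {
  keystore=$1; alias=$2; cn=$3; shift 3
  : "${TLS_KEYSTORE_PASSWORD:?export TLS_KEYSTORE_PASSWORD first}"
  : "${TLS_PRIVATE_KEY_PASSWORD:?export TLS_PRIVATE_KEY_PASSWORD first}"
  san=$(build_san_ext "$@") || { echo "invalid SAN entry among: $*" >&2; return 1; }
  (
    umask 077   # new files are created owner-only; no chmod race afterwards
    keytool -genkeypair -keystore "$keystore" \
      -storepass:env TLS_KEYSTORE_PASSWORD -keypass:env TLS_PRIVATE_KEY_PASSWORD \
      -alias "$alias" -keyalg RSA -keysize 2048 -validity 9999 \
      -dname "CN=$cn,OU=security,O=WE,C=RU" -ext "$san"
    keytool -exportcert -keystore "$keystore" -storepass:env TLS_KEYSTORE_PASSWORD \
      -alias "$alias" -file "${alias}.cert"
  )
  keystore_perms_ok "$keystore" || { echo "unexpected permissions on $keystore" >&2; return 1; }
}

# Usage (run by hand; the node expects the file at ${node.directory}/we_tls.jks):
#   TLS_KEYSTORE_PASSWORD=... TLS_PRIVATE_KEY_PASSWORD=... \
#     sh gen_tls_keystore.sh we_tls.jks we "Waves Enterprise" \
#        DNS:welocal.dev DNS:localhost IP:127.0.0.1
if [ $# -ge 4 ] && command -v keytool >/dev/null 2>&1; then
  gen_tls_keystore "$@"
fi
```

Keeping the passwords in environment variables means the same two names serve both the generation step and the `keystore-password` / `private-key-password` fields of the config, so nothing has to be copied into a file in clear text; the permission check catches the common mistake of a keystore created under a permissive umask or copied with world-readable mode.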
