Installation and usage of the platform
Precise platform configuration: TLS
To work with the node over TLS, apart from enabling it in the node config file, a user has to generate a keystore file with the keytool utility:
keytool \
-keystore we.jks -storepass 123456 -keypass 123456 \
-genkey -alias we -keyalg RSA -validity 9999 \
-dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" \
-ext "SAN=DNS:welocal.dev,DNS:localhost,IP:51.210.211.61,IP:127.0.0.1"
keystore - keystore file name.
storepass - keystore password; the same value goes into the keystore-password parameter of the node config file.
keypass - private key password; the same value goes into the private-key-password parameter of the config file.
alias - an alias name (chosen by the user).
keyalg - keypair generation algorithm.
validity - keypair validity time in days.
dname - distinguished name according to the X.500 standard, connected with the keystore alias.
ext - extensions used for key generation; every host name and IP address under which the node can be reached should be listed here, so that the certificate is valid in each network the node works in.
Running keytool this way produces the keystore file we.jks. To connect to a node operating with TLS, a user should also export the node certificate that clients will trust:
keytool -export -keystore we.jks -alias we -file we.cert
The obtained certificate file we.cert should be imported into the trusted certificate storage. If the node is located in the same network as the user, it is enough to state the relative path to the we.jks file in the node config file, as demonstrated in the tls section of the node config file.
If the node is located in another network, the we.cert certificate file should be imported into the keystore:
keytool -importcert -alias we -file we.cert -keystore we.jks
Then also specify the relative path to we.jks in the tls section of the node configuration file.
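The whole procedure above, run non-interactively, as an added example (it is not part of the Waves Enterprise documentation). It assumes keytool is on PATH, that the two passwords arrive through the TLS_KEYSTORE_PASSWORD and TLS_PRIVATE_KEY_PASSWORD environment variables (the names the tls section of the node config reads) rather than on the command line, and that the keystore is written as we_tls.jks so that it matches the documented keystore-path. The build_san and check_san helpers, the client-truststore.jks file name and the generate sub-command are this example's own; the final SAN check catches the common mistake of generating a certificate that does not list every name the node is reached at.

```shell
#!/bin/sh
# Added example, not from the Waves Enterprise documentation: run the whole
# keystore procedure non-interactively and verify the result.
# Assumptions: keytool is on PATH, the passwords are supplied through the
# TLS_KEYSTORE_PASSWORD / TLS_PRIVATE_KEY_PASSWORD environment variables
# (the same names the tls section of the node config reads), and the
# keystore is written as we_tls.jks so that it matches keystore-path.
set -eu

# Build the keytool SAN extension from a list of hosts: dotted-quad IPv4
# entries become IP:, everything else becomes DNS: (IPv6 is not handled).
build_san() {
  san=""
  for host in "$@"; do
    case "$host" in
      *[!0-9.]*) entry="DNS:$host" ;;
      *)         entry="IP:$host" ;;
    esac
    san="${san:+$san,}$entry"
  done
  printf 'SAN=%s' "$san"
}

# Generate the node key pair and self-signed certificate into $1/we_tls.jks,
# export the certificate, and import it into a separate client trust store
# (the "trusted certificate storage" a client uses to reach the node).
generate_node_keystore() {
  dir=$1; shift
  san=$(build_san "$@")
  keytool -keystore "$dir/we_tls.jks" -storepass "$TLS_KEYSTORE_PASSWORD" \
    -keypass "$TLS_PRIVATE_KEY_PASSWORD" \
    -genkeypair -alias we -keyalg RSA -keysize 2048 -validity 9999 \
    -dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" -ext "$san"
  keytool -export -keystore "$dir/we_tls.jks" -storepass "$TLS_KEYSTORE_PASSWORD" \
    -alias we -file "$dir/we.cert"
  keytool -importcert -noprompt -alias we -file "$dir/we.cert" \
    -keystore "$dir/client-truststore.jks" -storepass "$TLS_KEYSTORE_PASSWORD"
}

# Confirm that every host the node will be reached at appears in the
# certificate's Subject Alternative Name; a missing entry means clients
# connecting by that name will reject the certificate.
check_san() {
  dir=$1; shift
  keytool -printcert -file "$dir/we.cert" > "$dir/we.cert.txt"
  for host in "$@"; do
    grep -q -- "$host" "$dir/we.cert.txt" \
      || { echo "certificate lacks SAN entry for $host" >&2; return 1; }
  done
  echo "SAN covers: $*"
}

# Usage: TLS_KEYSTORE_PASSWORD=... TLS_PRIVATE_KEY_PASSWORD=... \
#        sh tls_keystore.sh generate welocal.dev localhost 127.0.0.1
if [ "${1:-}" = "generate" ]; then
  shift
  out=${OUT_DIR:-./tls-out}
  mkdir -p "$out"
  generate_node_keystore "$out" "$@"
  check_san "$out" "$@"
fi
```

Passing the passwords through the environment keeps them out of the shell history, which is where a literal -storepass on the command line would otherwise end up; the separate client trust store keeps the node's private key out of the file that is distributed to clients.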
The tls
section contains the following parameters:
tls {
type = EMBEDDED
keystore-path = ${node.directory}"/we_tls.jks"
keystore-password = ${TLS_KEYSTORE_PASSWORD}
private-key-password = ${TLS_PRIVATE_KEY_PASSWORD}
}
type - TLS mode. Possible options: DISABLED (TLS is off; in this case the other options should be removed or commented out) and EMBEDDED (TLS is on; the certificate is signed by the node provider and packed within a JKS file (keystore); the keystore path and the keystore access parameters should be stated by the user in the fields below).
keystore-path - keystore path relative to the node directory: ${node.directory}"/we_tls.jks".
keystore-password - password for the node keystore. Specify the password you set earlier with the storepass flag of the keytool utility.
private-key-password - password for the private key. Specify the password you set earlier with the keypass flag of the keytool utility.
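A pre-flight check of the tls section, as an added example (not part of the Waves Enterprise documentation or the node itself). It assumes the flat key = value layout shown above and that the two passwords are written as ${ENV_VAR} references, which is how the documented section supplies them; the tls_setting, is_env_ref, resolve_env_ref and check_tls_section helpers and the two sample config files are this example's own constructions. It enforces the rules stated above (DISABLED with no other keys; EMBEDDED with keystore-path and both passwords) and additionally flags a password written as a literal into the config file, or an environment reference whose variable is not set in the node's environment.

```shell
#!/bin/sh
# Added example, not from the Waves Enterprise documentation: a pre-flight
# check of the tls { } section before the node is started. It assumes the
# flat key = value layout shown in the docs and that the two passwords are
# written as ${ENV_VAR} references, as the documented section does.
set -eu

# Print the value of one key inside the tls { ... } block, surrounding quotes
# stripped; nested blocks inside tls are out of scope for this check.
tls_setting() {
  key=$1; file=$2
  sed -n '/^[[:space:]]*tls[[:space:]]*[{]/,/^[[:space:]]*[}]/p' "$file" \
    | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" \
    | sed 's/^"\(.*\)"$/\1/'
}

# True when a value is a ${NAME} substitution rather than a literal.
is_env_ref() {
  case "$1" in
    '${'*'}') return 0 ;;
    *)        return 1 ;;
  esac
}

# Resolve ${NAME} against the environment; refuses anything that is not a
# plain variable name so that config content never reaches eval unchecked.
resolve_env_ref() {
  name=$(printf '%s' "$1" | sed 's/^\$[{]//; s/[}]$//')
  case "$name" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  eval "printf '%s' \"\${$name:-}\""
}

# DISABLED: no other keys may be present. EMBEDDED: keystore-path plus both
# passwords are required, each password must be an environment reference,
# and the variable it names must actually be set in the node's environment.
check_tls_section() {
  file=$1
  mode=$(tls_setting type "$file")
  case "$mode" in
    DISABLED)
      for key in keystore-path keystore-password private-key-password; do
        [ -z "$(tls_setting "$key" "$file")" ] \
          || { echo "$key is set although type = DISABLED" >&2; return 1; }
      done ;;
    EMBEDDED)
      [ -n "$(tls_setting keystore-path "$file")" ] \
        || { echo "keystore-path is missing" >&2; return 1; }
      for key in keystore-password private-key-password; do
        val=$(tls_setting "$key" "$file")
        is_env_ref "$val" \
          || { echo "$key is a literal in the config file; reference an environment variable instead" >&2; return 1; }
        [ -n "$(resolve_env_ref "$val")" ] \
          || { echo "$key references $val, which is not set" >&2; return 1; }
      done ;;
    *) echo "unknown tls type: '$mode'" >&2; return 1 ;;
  esac
  echo "tls section OK (type = $mode)"
}

# Constructed sample configs for demonstration (not from a real deployment):
# good.conf follows the documented layout, weak.conf embeds the passwords.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
node {
  tls {
    type = EMBEDDED
    keystore-path = ${node.directory}"/we_tls.jks"
    keystore-password = ${TLS_KEYSTORE_PASSWORD}
    private-key-password = ${TLS_PRIVATE_KEY_PASSWORD}
  }
}
EOF
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
tls {
  type = EMBEDDED
  keystore-path = ${node.directory}"/we_tls.jks"
  keystore-password = "123456"
  private-key-password = "123456"
}
EOF
```

Run it as `check_tls_section /path/to/node.conf` from the same environment the node process will start in, so that the variable lookups reflect what the node will actually see; a config that passes here but is started from a different environment (a systemd unit without the variables, for instance) still fails at startup.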