Installation and usage of the platform

Example of how to prepare artefacts for TLS

If you plan to use TLS, you must configure the TLS settings as part of the infrastructure setup.

To use TLS for the API, you need a keystore file. The following example creates one with the standard keytool utility (the passwords shown are example values):

keytool \
-keystore we.jks -storepass 123456 -keypass 123456 \
-genkey -alias we -keyalg RSA -validity 9999 \
-dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" \
-ext "SAN=DNS:welocal.dev,DNS:localhost,IP:51.210.211.61,IP:127.0.0.1"

  • keystore – keystore file name;

  • storepass – keystore password, which should be specified in the keystore-password section of the node configuration file;

  • keypass – private key password, which should be specified in the private-key-password section of the node configuration file;

  • alias – alias name, chosen by the user;

  • keyalg – key pair generation algorithm;

  • validity – key pair validity period in days;

  • dname – distinguished name according to the X.500 standard, associated with the keystore alias;

  • ext – extensions used during key generation; all possible host names and IP addresses should be listed here so that the node can work in different networks.

Running the keytool utility produces the we.jks keystore file. To connect to a node operating with TLS, the user should also generate a client certificate:

keytool -export -keystore we.jks -alias we -file we.cert

The resulting certificate file we.cert should be imported into the trusted certificate store. If the node is located in the same network as the user, it is enough to specify a relative path to the we.jks file in the node configuration file, as demonstrated above.

If the node is located in another network, the we.cert certificate file should be imported into the keystore:

keytool -importcert -alias we -file we.cert -keystore we.jks
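
The procedure above as a set of shell functions, added here as an example that is not part of the original documentation: passwords are read from environment variables through keytool's :env modifier instead of being typed on the command line, the exported certificate is checked for the expected SAN entries, and only the certificate (never we.jks with its private key) goes into a separate client truststore. The WE_STOREPASS, WE_KEYPASS and WE_TRUSTPASS variable names and the client-trust.jks file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page. The WE_* variable names and the
# client truststore are assumptions; alias, dname and SAN are the page's values.
# Passwords come from the environment (keytool ":env" modifier), so they do
# not appear in shell history or in the process list.

SAN="DNS:welocal.dev,DNS:localhost,IP:51.210.211.61,IP:127.0.0.1"
DNAME="CN=Waves Enterprise,OU=security,O=WE,C=RU"

# make_node_keystore <keystore>: key pair with the page's parameters.
make_node_keystore() {
  keytool -genkeypair -keystore "$1" -alias we -keyalg RSA -validity 9999 \
    -storepass:env WE_STOREPASS -keypass:env WE_KEYPASS \
    -dname "$DNAME" -ext "SAN=$SAN"
}

# export_node_cert <keystore> <cert>: public certificate only, no private key.
export_node_cert() {
  keytool -exportcert -keystore "$1" -alias we -file "$2" \
    -storepass:env WE_STOREPASS
}

# build_client_truststore <cert> <truststore>: what a remote client needs.
build_client_truststore() {
  keytool -importcert -noprompt -alias we -file "$1" -keystore "$2" \
    -storepass:env WE_TRUSTPASS
}

# cert_covers_host <cert> <host-or-ip>: succeeds if the SAN lists the name.
cert_covers_host() {
  keytool -printcert -file "$1" | sed 's/^[[:space:]]*//' |
    grep -Fxq -e "DNSName: $2" -e "IPAddress: $2"
}

# truststore_is_cert_only <truststore>: fails if a private key slipped in.
truststore_is_cert_only() {
  listing=$(keytool -list -keystore "$1" -storepass:env WE_TRUSTPASS) || return 1
  case $listing in *PrivateKeyEntry*) return 1 ;; esac
  case $listing in *trustedCertEntry*) return 0 ;; esac
  return 1
}

# Usage, after exporting the three WE_* variables:
#   make_node_keystore we.jks && export_node_cert we.jks we.cert
#   cert_covers_host we.cert welocal.dev || echo "SAN is missing welocal.dev"
#   build_client_truststore we.cert client-trust.jks
```

A client that connects by a host name or IP address missing from the SAN list will fail hostname verification, so run cert_covers_host for every address the node is reached by before distributing we.cert.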