Installation and usage of the platform

# Precise platform configuration: TLS

To use TLS with a node, in addition to configuring it in the node config file, a user needs a keystore file, which is created with the keytool utility:

keytool \
-keystore we.jks -storepass 123456 -keypass 123456 \
-genkey -alias we -keyalg RSA -validity 9999 \
-dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" \
-ext "SAN=DNS:welocal.dev,DNS:localhost,IP:51.210.211.61,IP:127.0.0.1"

• keystore - keystore file name.

• storepass - keystore password, which should be stated in the keystore-password section of the node config file.

• keypass - private key password, which should be stated in the private-key-password section of the config file.

• alias - alias name (chosen by the user).

• keyalg - keypair generation algorithm.

• validity - keypair validity time in days.

• dname - distinguished name according to the X.500 standard, associated with the keystore alias.

• ext - extensions used for key generation; all possible host names and IP addresses should be listed so that the node can work in different networks.

Running the keytool utility produces the keystore file we.jks. To connect to a node that operates with TLS, a user should also generate a client certificate:

keytool -export -keystore we.jks -alias we -file we.cert


The resulting certificate file we.cert should be imported into the trusted certificate store. If the node is in the same network as the user, it is enough to state a relative path to the we.jks file in the node config file, as demonstrated above.

If the node is located in another network, the we.cert certificate file should be imported into the keystore:

keytool -importcert -alias we -file we.cert -keystore we.jks


Then also specify the relative path to we.jks in the tls section of the node configuration file.

The tls section contains the following parameters:

tls {
  type = EMBEDDED
  keystore-path = ${node.directory}"/we_tls.jks"
  keystore-password = ${TLS_KEYSTORE_PASSWORD}
  private-key-password = ${TLS_PRIVATE_KEY_PASSWORD}
}

• type - TLS mode status. Possible options: DISABLED (disabled, in this case other options should be excluded or commented) and EMBEDDED (enabled, the certificate is signed by a node provider and packed within a JKS file (keystore); the certificate directory and keystore access parameters should be stated by a user in the fields below).

• keystore-path - keystore relative path within the node directory: ${node.directory}"/we_tls.jks".

• keystore-password - password for the node keystore. Specify the password you set earlier with the storepass flag for the keytool utility.

• private-key-password - password for the private key. Specify the password you set earlier with the keypass flag for the keytool utility.
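
The keystore generation step above, with both passwords read from the TLS_KEYSTORE_PASSWORD and TLS_PRIVATE_KEY_PASSWORD environment variables that the tls section references, followed by a check that the certificate lists every host name and IP address the node is reached by. This is an added example, not part of the platform documentation; the function names and the generate argument are hypothetical, and only IPv4 literals are treated as IP entries.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. IPv6 literals are not handled.

# san_ext HOST... -> "SAN=DNS:a,IP:1.2.3.4", the value for keytool's -ext option.
san_ext() {
    out=""
    for h in "$@"; do
        case "$h" in
            *[!0-9.]*) kind=DNS ;;  # contains something other than digits and dots
            *.*.*.*)   kind=IP ;;   # dotted IPv4 literal
            *)         kind=DNS ;;
        esac
        out="${out:+$out,}$kind:$h"
    done
    printf 'SAN=%s\n' "$out"
}

# missing_sans HOST... : reads `keytool -list -v` or `keytool -printcert` text
# on stdin and prints every HOST that has no DNSName/IPAddress entry in it.
missing_sans() {
    sans=$(sed -n -e 's/^ *DNSName: *//p' -e 's/^ *IPAddress: *//p')
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$h" || printf '%s\n' "$h"
    done
}

# make_keystore FILE HOST... : same keytool call as above, but the passwords
# come from the environment (-storepass:env / -keypass:env), not from argv.
make_keystore() {
    ks=$1; shift
    : "${TLS_KEYSTORE_PASSWORD:?not set}" "${TLS_PRIVATE_KEY_PASSWORD:?not set}"
    keytool -genkey -keystore "$ks" -alias we -keyalg RSA -validity 9999 \
        -storepass:env TLS_KEYSTORE_PASSWORD \
        -keypass:env TLS_PRIVATE_KEY_PASSWORD \
        -dname "CN=Waves Enterprise,OU=security,O=WE,C=RU" \
        -ext "$(san_ext "$@")"
}

# Usage: sh tls_keystore.sh generate we.jks welocal.dev localhost 127.0.0.1
if [ "${1:-}" = "generate" ]; then
    shift; ks=$1; shift
    make_keystore "$ks" "$@"
    # Any line printed here is a name the certificate does not cover.
    keytool -list -v -keystore "$ks" -alias we \
        -storepass:env TLS_KEYSTORE_PASSWORD | missing_sans "$@"
fi
```
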