Release notes

CENM 1.2.6 fixes an urgent security issue caused by the Apache Log4j 2 dependency. In this fix, the Log4j dependency is updated to version 2.17.1.

  • The Log4j dependency has been updated to version 2.17.1 to fix pre-existing Log4j issues.

CENM 1.2.5 fixes an urgent security issue - CVE-2021-44228 - caused by the Apache Log4j 2 dependency. In this fix, the Log4j dependency is updated to version 2.16.0.

To get started with this upgrade, request the download link by raising a ticket with support.

We have updated the Log4j dependency to version 2.16.0 to mitigate CVE-2021-44228.
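To confirm after an upgrade that a service JAR really carries the patched Log4j, the following added example (not part of CENM or of the original notes) scans a JAR, including nested JARs, for copies of log4j-core and compares each version with 2.17.1. The function names and the sample archive layout (`lib/log4j-core-<version>.jar`) are assumptions; the sample JAR is constructed in memory.

```python
import io
import re
import zipfile

# Maven records the artifact version here inside log4j-core's own JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")
PATCHED = (2, 17, 1)  # version shipped with CENM 1.2.6, per the notes above


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text.strip()).group().split("."))


def find_log4j_core(jar_bytes, where="<top level>", depth=0):
    """Return [(location, version)] for each log4j-core copy, nested JARs included."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return found  # not an archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    found.append((where, parse_version(m.group(1))))
            elif name.endswith(".jar") and depth < 3:
                inner = find_log4j_core(zf.read(name), name, depth + 1)
                by_name = JAR_NAME.search(name.rsplit("/", 1)[-1])
                if not inner and by_name:  # no metadata: fall back to the file name
                    inner = [(name, parse_version(by_name.group(1)))]
                found += inner
    return found


def audit(jar_bytes, minimum=PATCHED):
    """'patched' only if log4j-core is present and every copy is >= minimum."""
    copies = find_log4j_core(jar_bytes)
    if not copies:
        return "not-found"
    return "patched" if all(v >= minimum for _, v in copies) else "outdated"


def build_sample_jar(*versions):
    """Constructed test input: an outer JAR bundling one log4j-core per version."""
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        for v in versions:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as lib:
                lib.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={v}\n")
            zf.writestr(f"lib/log4j-core-{v}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(audit(build_sample_jar("2.16.0")), audit(build_sample_jar("2.17.1")))
```

Against a real installation, pass the bytes of each service JAR to `audit`; a result of `outdated` means at least one bundled copy predates the chosen minimum.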

CENM 1.2.3 introduces fixes to known issues in CENM 1.2.

  • We have fixed an issue where the maximum length of a certificate’s serial number allowed by CENM was 28 digits (NUMBER(28) format in the database), roughly 93 bits of data. To extend the support (introduced in CENM 1.2) for third-party CAs such as SwissPKI, the Identity Manager Service can now handle certificate serial numbers of up to 20 octets (160 bits) to comply with RFC 5280. In addition, the PKI Tool now generates certificates with serial numbers of up to 16 octets.
  • We have fixed an issue where the PKI Tool would throw an error when using a Securosys HSM with multiple partitions.
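When integrating a third-party CA, it helps to know which of its serial numbers would have overflowed the old NUMBER(28) column and which exceed RFC 5280's 20 octets. The following added example (not CENM code) classifies hex serials such as those printed by `openssl x509 -noout -serial`. The function names and sample serials are constructed, and measuring the 20-octet limit on the DER encoding is an assumption about how the limit is applied.

```python
LEGACY_MAX = 10**28 - 1      # largest value a NUMBER(28) column can hold
RFC5280_OCTETS = 20          # RFC 5280 upper bound on serialNumber length


def der_octets(value):
    """Octets in the DER INTEGER content of a positive value. DER integers are
    two's complement, so a set top bit costs a leading 0x00 octet."""
    return value.bit_length() // 8 + 1


def classify_serial(text):
    """Classify one serial given as hex, e.g. 'serial=0A1B...' or '0a:1b:...'."""
    value = int(text.strip().split("=")[-1].replace(":", ""), 16)
    if value <= 0:
        return "not-positive"        # RFC 5280 requires a positive integer
    if der_octets(value) > RFC5280_OCTETS:
        return "over-20-octets"      # outside RFC 5280 (assumed unsupported)
    if value > LEGACY_MAX:
        return "needs-1.2.3"         # would not fit the old NUMBER(28) column
    return "fits-number28"


def summarise(serials):
    """Map each class to the serials that fall into it."""
    report = {}
    for s in serials:
        report.setdefault(classify_serial(s), []).append(s)
    return report


# Constructed sample serials, not taken from any real CA.
SAMPLES = [
    "serial=01",
    "serial=" + format(LEGACY_MAX, "X"),
    "serial=" + format(LEGACY_MAX + 1, "X"),
    "serial=7F" + "FF" * 15,    # 16 octets, the PKI Tool's upper size
    "serial=7F" + "FF" * 19,    # 20 octets, top bit clear
    "serial=" + "FF" * 20,      # 160-bit magnitude: 21 octets in DER
    "serial=00",
]

if __name__ == "__main__":
    for kind, items in summarise(SAMPLES).items():
        print(kind, len(items))
```

The last-but-one sample shows the edge case worth checking with any CA: a full 160-bit random value with its top bit set needs 21 octets once DER-encoded.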

CENM 1.2.2 introduces fixes to known issues in CENM 1.2.

  • Using csr_token as part of a node registration causes the registration to fail when the Identity Manager is set up to use a supported version of Oracle DB.
  • Creating and signing the CRL fails when upgrading from CENM 0.4 if the existing revoked certificates lacked a revocation reason.

Support for Docker and Kubernetes

We are expanding our support for Docker to Corda Enterprise Network Manager.

Furthermore, we are introducing a first reference deployment with Helm and Kubernetes. Out of the box, you will be able to deploy an ephemeral, representative test network in minutes to complement your development cycle.

See Kubernetes deployment documentation for more details.

Support for third party CAs

To satisfy clients who wish to use third party software or service providers to handle the supported lifecycle of certificates and network services signing events in a Corda network, the Signing Service has been separated into Signable Material Retriever Service (SMR) and CENM Signing Service in order to offer a pluggable interface.

The new service (SMR) extracts signable material from the Identity Manager and Network Map Services, and then delegates signing to a plugin. Customers can implement their own plugins to integrate with external signing infrastructure and return signed material back to SMR to pass to the relevant CENM service.

See Signing Services for more details. Also see EJBCA Sample Plugin for a sample open source CA implementation.

CRL Endpoint Check tool

As a diagnostic aid in case of problems with TLS connections, CENM 1.2 introduces a CRL Endpoint Check tool. This standalone tool checks the CRL endpoint health of all certificates in a provided keystore, as a simpler alternative to manually extracting the CRL endpoints from each certificate and then verifying them.

See CRL Endpoint Check Tool for usage and further details.

Assisted Node Registration

We introduced a new field in both Corda and Network Manager that can be used to enable a variety of onboarding workflows that might start prior to and continue after the Certificate Signing Request of the Node. In doing so, a Network Operator can embed the node registration process as part of a larger onboarding workflow or simply speed up/automate the process of reviewing a CSR and issuing a certificate. This feature requires nodes on Corda or Corda Enterprise Edition 4.4 or above.

See identity.manager for more information on how to make use of this feature.

Bundled Service

While deploying services individually makes sense for production deployments at scale, for smaller deployments or testing purposes we introduce the possibility of running multiple services in parallel from one Jar file. We call it Bundled Service. Users need to specify which services to run and the corresponding configuration files. The services to run can also be deduced from the configuration file, which makes this feature backwards compatible with CENM 1.1.

Notary Whitelist

For high availability (HA) notaries only, the network map will now fetch the node info automatically from the identity manager, rather than requiring that the files are copied in manually. Support for non-HA notaries is not anticipated; customers are encouraged to deploy all notaries in a high availability configuration.

  • We have expanded our HSM supported list to include AWS Cloud HSM
  • Default log file paths now include the name of the service (i.e. “network-map”) that generates them, so if multiple services run from the same folder, their dump log filenames do not collide.
  • Shell interface (Signer and Identity Manager Services) no longer provides Java scripting permissions.
  • Remove private network maps - this functionality was never completed, and the changes should not be user visible. This does not yet remove them from the database schema, which will be in a future release. Related quarantined and staging node info tables are not used as of CENM 1.1.
  • Improve logging of database errors, so that the underlying cause is reported rather than only that a failure occurred.
  • Dump logs are now written into service-specific folders, so that if multiple services run from the same directory, the log files do not conflict.
  • Correct service healthcheck command when executed from the CRaSH shell.
  • Add new command to Network Map shell to view list of nodes that have accepted (or haven’t) a given parameters update (“view nodesAcceptedParametersUpdate accepted: <true/false>, parametersHash: ”), which can help to monitor the procedure of Updating the network parameters.
  • Add working directory argument for CENM services, which is a path prefix for config and certificate files.
  • Add run networkParametersRegistration, run flagDay and run cancelUpdate commands to the Network Map service shell, to enable running flag days without restarting the service. See Updating the network parameters for full details.
  • Add view publicNetworkNodeInfos command to Network Map Service shell, to see all public network participants’ node infos, including their platform version.
  • Bug fix: Certificate name rules are now enforced during issuance in accordance with Corda network rules; previously it was possible to register nodes with names which the node cannot use.
  • Registration Web Service (CSR and CRL) was returning incorrect HTTP Error Code 500 instead of 400 for requests with invalid client version or platform version.
  • Improved logs created by Registration Web Service - request validation exceptions (e.g. invalid character in a subject name, invalid platform version) are now logged with WARN level instead of ERROR level.
  • Bug fix: The configuration option ‘database.initialiseSchema’, which was used for H2 database only, is now deprecated; use ‘database.runMigration’ instead.
  • Shell interface (Signer and Identity Manager Services) no longer allows access to commands which allow scripting of Java.
  • Identity Manager’s WorkflowPlugin keeps trying to create new request in an external system, until the request is REJECTED or APPROVED. This means the external system needs to internally record which requests are currently being processed and reject surplus creation attempts. The Identity Manager Service records this in logs as warning: “There is already a ticket: ‘’ corresponding to Request ID = , not creating a new one.”

CENM 1.1.3 introduces fixes to known issues in CENM 1.1.

Fixed issues

  • Identity Manager upgrade from CENM 0.4:
    • causes Jira Workflow Plugin to stop existing tickets in ‘New’ or ‘In Progress’ status from being progressed
    • prevents rejected records from being cleared by workflow_*.
  • When multiple users are configured to use the Signing Service, the service authenticates all the credentials before checking whether the threshold is reached, which would result in multiple authentications for every user.
  • The process of creating and signing the CRL fails when upgrading from CENM 0.4 if the existing revoked certificates lacked a revocation reason.

CENM 1.1.1 introduces a fix to a known issue in CENM 1.1.

Fixed issues

  • Identity Manager upgrade from CENM 0.4 causes Jira Workflow Plugin to lose all pending tickets.

The R3 Network Services team is excited to announce the release of CENM 1.1, introducing support for a number of additional HSMs as well as adding support for Oracle DB. For deployments of pre-1.0 CENM a migration tool has been added to rewrite legacy configurations to be compatible with 1.1.

Oracle Database Support

Support has been added for Oracle DB versions 12cR2 and 11gR2 as a backend data store. For full setup instructions see CENM Databases.

Configuration Migration Tool

To simplify the upgrade process from early versions of CENM a configuration migration tool has been added. This is intended to upgrade v0.2.2 / v0.3+ configurations to v1.1, including both restructuring changes to the configuration file and updating the value of fields (such as database driver class). See Config migration tool for details on this tool.

Hardware Security Module Support

Support for HSMs has been significantly extended, and as part of this work the HSM Jar files are now dynamically loaded and should be provided by the user. Support has been added for Azure Key Vault, as well as for Gemalto and Securosys HSMs in both the PKI Tool and Signing Service.

  • CENM now supports encryption of passwords in configuration files, using encryption keys derived from hardware attributes. An obfuscation tool ships with CENM, to process configuration files and encrypt marked fields. For more details on usage see Config Obfuscation Tool.
  • Fixed an internal error which occurred when using H2 versions below 1.4.198 due to use of unsupported lock types.
  • Added run purgeAllStagedNodeInfos and run purgeStagedNodeInfo nodeInfoHash: <node_info_hash> commands to the Network Map interactive shell, allowing for the moving of nodes out of the staging table and into the main node info table of the Network Map. This provides a solution to the scenario whereby a node gets stuck in the staging table (see Troubleshooting Common Issues section).
  • Simplified configuration by removing configuration options for private network maps. This feature is being removed in preference of using subzones, and therefore these configuration options merely add complexity.
  • The PKI tool fails if the password for a key store and key are different. This only applies to local key stores. Please ensure key passwords match the key store password to avoid this issue.
  • Logging in case of Gemalto HSM call failures is limited, which complicates diagnosis. This is to be improved in a future version.
  • Config migration tool displays configuration output version as 1.0, actual target is 1.1.
  • Config migration tool does not generate a shell configuration section, and therefore the generated configurations may not be usable as-is. This is intentional, as the operator needs to make decisions on this configuration, for example the password.
  • PKI tool reports “Error whilst attempt to read config lines.” if it cannot find a configuration file, rather than a more specific error message.

R3 and The Network Services team are proud to deliver the inaugural release of the Corda Enterprise Network Manager version 1.0. The CENM can be used to operate a bespoke Corda network when the requirement for an entity to be in complete control of the consensus rules, identity, and deployment topology exists.

This is the same software used to operate the global Corda Network on behalf of the Corda Network Foundation since its launch in 2018.

Please note, whilst this is the first public release of the Corda Enterprise Network Manager, these release notes and any associated documentation should be read from the perspective of those coming fresh to the product but also those who are upgrading from pre-release versions.

The Signing Service

The Signing Service is a new addition to the suite of CENM services, sitting alongside the Identity Manager and Network Map. It provides a network operator with full control over the signing of node identity data (CSRs and CRRs) and global network data (Network Map and Network Parameters) and includes features such as HSM integration, signing scheduling and support for multiple Network Map Services. See Signing Services to learn more about this service.

Brand new PKI tooling

The PKI Tool enables a network operator to easily generate Corda-compliant certificate hierarchy (keys and certificates) as well as certificate revocation lists. The tool supports both local and HSM key stores and can be customized with the configuration file. See Public Key Infrastructure (PKI) Tool to learn about all the features of the PKI Tool.

Full End to End SSL communication

All CENM components now communicate over SSL with one another; this completes the removal of the “database as message queue” of older versions. See Configuring the ENM services to use SSL for more information.

Security And Performance Fixes

PostgreSQL Support

As well as SQL Server, the CENM suite now supports PostgreSQL as a backend data store.

Due to the database schema separation outlined below, the 0.3 release now supports segregated sub zones. That is, sub-zones of nodes that operate in what appear to the nodes to be isolated networks, with their own notary(ies) and network parameters. Critically, however, their certificate governance remains under the jurisdiction of a global Doorman. This way, temporary benefits such as higher privacy, differential network parameters upgrade schedules or use of temporary private notaries can be delivered. Note that the ability to merge one sub-zone into another is not currently supported. See the Sub Zones documentation for more information.

Protocol Separation

In pre-release versions of CENM the user information REST endpoints shared a namespace with the core Corda Network Map protocol. These have now been separated, to draw a clearer distinction between the protocol itself, as required by Corda nodes, and the more free-form functionality offered to users. This will allow for future versioned changes to the protocol without changing that which the Corda nodes depend upon.

The two top-level endpoints are now

  • /network-map
  • /network-map-user

See Network Map Overview for more information.

Another change that is introduced in the newest release is the ability to interact with the Doorman and Network Map services via a shell. The commands available currently mainly allow an operator to inspect the state of the service, for example by viewing the current set of nodes within the public network, or viewing the list of Certificate Signing Requests that are awaiting approval. See the Embedded Shell documentation for more information.

Epoch Control

Added support for overriding the default “increment previous value by 1” behaviour for epoch values during network parameter updates/initialisation. This allows a user to specify the epoch within the parameter config file and it facilitates arbitrary jumps in epoch values. This is necessary for the day-to-day management of multiple sub-zones as well as the merging of one sub-zone into another.

Shell

Migrated the private network management utility tool into the Network Map interactive shell. The new command within the shell is an interactive command, allowing a user to run the same management tools without having to worry about passing in a configuration file or remembering the correct start up flag.

Config Debugability

Added multi-phase parsing of config files. Parsing and validation errors are now batched before being presented to the user, eliminating the frustration from having to address errors one by one.

The service-based architecture requires tooling for monitoring service state. Currently (that is, as of the 0.3 release) there is no dedicated utility that addresses this. For now, the network operator needs to rely on service logs and on manually pinging the following service endpoints to assess the state of each service:

  • Identity Manager: http://<<IDENTITY_MANAGER_ADDRESS>>/status
  • Network Map: http://<<NETWORK_MAP_SERVICE_ADDRESS>>/network-map/my-hostname
  • Revocation Service (currently part of the Identity Manager): http://<<REVOCATION_SERVICE_ADDRESS>>/status
