Angel Service
Introduction

The Angel Service is an adapter, which manages the lifecycle of other services such as the Network Map Service or the Identity Manager Service, to make them more compatible with packaging tools such as Docker. You do not need to run this service directly as it is typically packaged in a Docker image and it is run via Docker.
Running the Angel Service

To run the Angel Service, you must specify the following:
- The service to be run.
- The hostname/IP of the Zone Service.
- The port number of the Zone Service.
- The authentication token to present to the Zone Service.
You can also provide the following:
- A host and a port to display the health check API for the Angel Service (to be used by Kubernetes, for example).
- A poll timeout for how often the Zone Service should be checked for changes.
This should either be specified in a config file or on the command line. You can start the Angel Service with the following command:
java -jar angel-<VERSION>.jar -f angel.conf
Alternatively, you can start the Angel Service with the following command and arguments:
java -jar angel-<VERSION>.jar --zone-host zone.example.org --zone-port 5050 --token <zone-token> --service IDENTITY_MANAGER
The full list of arguments you can use when starting the Angel Service are described below:
--jar-name
: The name of the service JAR file. Optional.--webservice-host
: The IP address for the Angel Service’s web service to bind to. Optional.--webservice-port
: The port for the Angel Service’s web service to run. Optional, but must be specified for the web service to be started.--zone-host
: The host or IP address of the Zone Service.--zone-port
: The port number of the Zone Service.--token
: Authentication token to pass to the Zone Service.--polling-interval
: Time (in seconds) to wait before polling the Zone Service.--service
: The name of the service being managed. The possible values areIDENTITY_MANAGER
,NETWORK_MAP
, orSIGNER
.--network-truststore
: The network truststore file path. Optional, but must be specified if the managed service is Network Map, otherwise the Angel Service cannot execute the Flag Day workflow.--truststore-password
: The password for the network truststore file. Optional, but must be specified if the managed service is Network Map, otherwise the Angel Service cannot execute the Flag Day workflow.--root-alias
: The root alias. Optional, but must be specified if the managed service is Network Map, otherwise the Angel Service cannot execute the Flag Day workflow.--tls
: Defines whether TLS is used on listening sockets (CENM and admin). Defaults tofalse
if no value is provided.--tls-keystore
: The path for the TLS keystore. Required if--tls
is set totrue
.--tls-keystore-password
: The password for the TLS keystore. Required if--tls
is set totrue
.--tls-truststore
: The path for the TLS truststore. Required if--tls
is set totrue
.--tls-truststore-password
: The password for the TLS truststore. Required if--tls
is set totrue
.
Configuration

The Angel Service can either be configured via the command-line or with a configuration file. It then downloads the configuration of the managed service from the Zone Service.
The main elements that need to be configured for the Angel Service are:
Service

The service component of the Angel Service is the service that is started and managed by the Angel Service.
Type

The service type can be one of three services that the Angel Service can manage:
IDENTITY_MANAGER
NETWORK_MAP
SIGNER
The configuration for the IDENTITY_MANAGER
and SIGNER
managed service types are more or less the same. However, when running the Angel Service with the NETWORK_MAP
as the managed service type, then two additional configuration parameters need to be specified:
networkParametersFile

The network parameters are the set of values that every node participating in the network needs to agree on to interoperate with each other. See Network Parameters Configuration Parameters for a detailed explanation.
The file specified for this parameter needs to be the plain-text version of the network parameters used when setting the initial network parameters. This is not the binary network-parameters
file that Corda nodes use.
networkRootTrustStore

This should be set as the path for the network-root-truststore.jks
of the network (initially generated using the PKI tool).
The network root truststore should be configured inside the service
configuration block:
service = {
type = NETWORK_MAP
jarFile = "networkmap.jar"
...
networkRootTrustStore = {
rootAlias = "cordarootca"
location = "./certificates/network-root-truststore.jks"
password = "trustpass"
}
}
JAR File

The jarFile
parameter is the path to the JAR which the Angel Service uses to start a new Java process. There is a default file name for each managed service type:
identitymanager.jar
networkmap.jar
signer.jar
Zone

The zone
configuration block details the connection to the Zone Service. This is needed to download the configuration file for the managed service. To configure the zone
configuration, make sure you have generated a zone token for the corresponding managed service:
zone = {
host = "localhost"
port = 5063
token = "<zone token>"
}
Workflow
- On start-up, the Angel Service requests the configuration for its managed service from the Zone Service, providing the authentication token to identify itself.
- It then performs basic validation of the configuration, writes it to disk, and starts the managed service.
- Following this, at regular intervals, it polls the Zone Service for changes to the configuration, and if any are found:
- It backs up the existing configuration.
- It shuts down the managed service.
- It writes the new configuration.
- It starts the managed service.
If the managed service is Network Map, the Zone Service can reply with a lifecycle event (Flag Day). This is because only the Network Map Service holds the network parameters that Flag Days update. In this case, the Angel Service will automatically perform the required steps on the managed Network Map Service.
Service health checking via API

The Angel Service provides a REST API where its health and that of the managed service can be checked. The API is described in the table below.
Request method | Path | Description |
---|---|---|
Get | /angel/health | Check the health of the Angel Service. |
Get | /angel/service-health | Check the health of the managed service. |
Possible responses

/angel/health

Response code | Description |
---|---|
200 OK | Success - a response has been received from both the Zone Service and the managed service. Both services are considered healthy. |
502 Bad Gateway | Failure - no response has been received from the managed service. The services are not considered healthy. |
406 Not Acceptable | Unknown - a response has been received from the managed service, but the protocol does not match PING_RESPONSE . |
/angel/service-health

Response code | Description |
---|---|
200 OK | Success - the managed service responded to the ping request - it is considered healthy. |
502 Bad Gateway | Failure - the managed service did not respond to the ping request - it is not considered healthy. |
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.