Storing node TLS keys in HSM without running the Corda Enterprise Firewall

You can store node TLS keys in an HSM by using the optional tlsCryptoServiceConfig and tlsKeyAlias configuration fields in the enterpriseConfiguration block of the node configuration file.

Configuration

Configuration fields in node.conf

  • tlsCryptoServiceConfig is an optional crypto service configuration used to store the node's TLS private key in an HSM. If this option is missing, the TLS private key is stored in the file-based sslkeystore.jks. Parameters:

    • cryptoServiceName: the name of the CryptoService provider to be used.
    • cryptoServiceConf: the path to the configuration file for the CryptoService provider.
  • tlsKeyAlias is the alias of the TLS key. It can consist of up to 100 lowercase alphanumeric characters and the hyphen (-). Default value: cordaclienttls.

A file-based sslkeystore.jks is still required to store TLS certificates, even if corresponding TLS keys are stored in CryptoService.

Configuration example

node.conf:

enterpriseConfiguration = {
    tlsCryptoServiceConfig = {
       cryptoServiceName="AWS_CLOUD"
       cryptoServiceConf="aws_cloud.conf"
    }
}
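As an added example (not Corda's own code or a supported R3 tool), the following Python script parses the subset of node.conf syntax used above and checks the two fields against the rules described on this page: tlsKeyAlias must consist of up to 100 lowercase alphanumeric characters or hyphens and defaults to cordaclienttls, and when tlsCryptoServiceConfig is present both cryptoServiceName and cryptoServiceConf should be set (treating both as required is an assumption made here). The two configurations are constructed for the example; the parser handles only nested blocks and simple key/value pairs, not full HOCON.

```python
import re

# Alias rule from the page: up to 100 lowercase alphanumeric characters or '-'.
ALIAS_RE = re.compile(r"^[a-z0-9-]{1,100}$")
DEFAULT_TLS_KEY_ALIAS = "cordaclienttls"

# Constructed sample: the configuration shown on this page (alias left at default).
GOOD_CONF = """
enterpriseConfiguration = {
    tlsCryptoServiceConfig = {
       cryptoServiceName="AWS_CLOUD"
       cryptoServiceConf="aws_cloud.conf"
    }
}
"""

# Constructed sample with two mistakes: uppercase/underscore alias, missing cryptoServiceConf.
BAD_CONF = """
enterpriseConfiguration = {
    tlsKeyAlias = "Node_TLS"
    tlsCryptoServiceConfig = {
       cryptoServiceName="AWS_CLOUD"
    }
}
"""


def parse_block(text):
    """Minimal (hypothetical) parser for the node.conf subset used here:
    nested `key = { ... }` blocks and `key = value` / `key="value"` pairs."""
    tokens = re.findall(r'[{}]|"[^"]*"|=|[^\s={}"]+', text)
    pos = 0

    def parse_object():
        nonlocal pos
        obj = {}
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == "}":
                pos += 1
                return obj
            key = tok
            pos += 1
            if pos < len(tokens) and tokens[pos] == "=":
                pos += 1  # '=' is optional before a nested block in HOCON
            if pos >= len(tokens):
                break
            if tokens[pos] == "{":
                pos += 1
                obj[key] = parse_object()
            else:
                obj[key] = tokens[pos].strip('"')
                pos += 1
        return obj

    return parse_object()


def check_tls_key_config(conf):
    """Report where the TLS private key will live and any configuration findings."""
    findings = []
    ent = conf.get("enterpriseConfiguration", {})
    svc = ent.get("tlsCryptoServiceConfig")
    alias = ent.get("tlsKeyAlias", DEFAULT_TLS_KEY_ALIAS)

    if svc is None:
        findings.append("tlsCryptoServiceConfig absent: TLS private key stays in file-based sslkeystore.jks")
    else:
        # Assumption: both provider fields are needed for the CryptoService to be usable.
        for field in ("cryptoServiceName", "cryptoServiceConf"):
            if field not in svc:
                findings.append(f"tlsCryptoServiceConfig is missing {field}")

    if not ALIAS_RE.match(alias):
        findings.append(f"tlsKeyAlias {alias!r} is invalid: up to 100 lowercase alphanumerics or '-' only")

    return {"key_in_hsm": svc is not None, "alias": alias, "findings": findings}


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_tls_key_config(parse_block(text)))
```

Running the script prints no findings for the page's configuration and two for the constructed bad one. The file-based sslkeystore.jks is still needed for the certificates even when the report shows key_in_hsm as true, so this check is about the key configuration only.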

Migration notes

To migrate from a file-based node’s TLS keystore to HSM:

  1. Add a tlsCryptoServiceConfig section to the node configuration file.
  2. Renew the TLS certificate and keys, as described in the Renewing TLS certificates section in HA Utilities.
