Configuring Mutual TLS
As described in the mutual TLS introduction, you can configure the clusters in a dynamic network to connect using mutual TLS. This requires additional steps when onboarding an MGM or member into the dynamic network.
- Mutual TLS is set per cluster. It must apply to all groups that the cluster hosts and all clusters that host those groups. You can not onboard a member unless the TLS type of the MGM cluster is aligned with the TLS type of the member cluster.
- Changing the TLS type after a member or an MGM was onboarded makes any TLS connection with that member unusable.
- A virtual node can only be configured with a single TLS certificate that will be used as both a client and a server certificate.
- A gateway accepts a TLS connection that uses a certificate associated with any member of any application network (partially) hosted in that cluster.
Modify the Cluster Configurations
To configure a cluster to use mutual TLS, you must set the sslConfig.tlsType flag in the corda.p2p.gateway configuration section to MUTUAL for the following:
- The MGM cluster before registering the MGM
- All member clusters before uploading the CPI
Enable Mutual TLS Using Bash
If using Bash, perform the following steps to enable mutual TLS by configuring the gateway SSL:
Retrieve the current gateway configuration version:
curl --insecure -u admin:admin -X GET $API_URL/config/corda.p2p.gatewayStore the version number from the response:
export CONFIG_VERSION=<configuration-version>Using that version number, send the following request:
curl -k -u admin:admin -X PUT -d '{"section":"corda.p2p.gateway", "version":"'$CONFIG_VERSION'", "config":"{ \"sslConfig\": { \"tlsType\": \"MUTUAL\" } }", "schemaVersion": {"major": 1, "minor": 0}}' $API_URL"/config"This command overwrites the revocation check setting. If you chose to disable revocation checks, use the following command instead:
curl -k -u admin:admin -X PUT -d '{"section":"corda.p2p.gateway", "version":"'$CONFIG_VERSION'", "config":"{ \"sslConfig\": { \"tlsType\": \"MUTUAL\" , \"revocationCheck\": {\"mode\" : \"OFF\"} } }", "schemaVersion": {"major": 1, "minor": 0}}' $API_URL"/config"
Enable Mutual TLS Using PowerShell
If using PowerShell, perform the following steps to enable mutual TLS by configuring the gateway SSL:
$CONFIG_VERSION = (Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/config/corda.p2p.gateway").version
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$API_URL/config" -Body (ConvertTo-Json -Depth 4 @{
section = "corda.p2p.gateway"
version = $CONFIG_VERSION
config = @{
sslConfig = @{
tlsType = "MUTUAL"
}
}
schemaVersion = @{
major = 1
minor = 0
}
})
This command overwrites the revocation check setting. If you chose to disable revocation checks, use the following command instead:
$CONFIG_VERSION = (Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/config/corda.p2p.gateway").version
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$API_URL/config" -Body (ConvertTo-Json -Depth 4 @{
section = "corda.p2p.gateway"
version = $CONFIG_VERSION
config = @{
sslConfig = @{
revocationCheck = @{
mode = "OFF"
}
tlsType = "MUTUAL"
}
}
schemaVersion = @{
major = 1
minor = 0
}
})
Set the TLS Type in the MGM Context
To register an MGM in a mutual TLS cluster, you must explicitly set the TLS type in the registration context. That is, the corda.group.tls.type field must be Mutual. If the field is not set, it defaults to one-way TLS. For example:
export REGISTRATION_CONTEXT='{
"corda.session.key.id": "'$SESSION_KEY_ID'",
"corda.ecdh.key.id": "'$ECDH_KEY_ID'",
"corda.group.protocol.registration": "net.corda.membership.impl.registration.dynamic.member.DynamicMemberRegistrationService",
"corda.group.protocol.synchronisation": "net.corda.membership.impl.synchronisation.MemberSynchronisationServiceImpl",
"corda.group.protocol.p2p.mode": "Authenticated_Encryption",
"corda.group.key.session.policy": "Combined",
"corda.group.pki.session": "NoPKI",
"corda.group.pki.tls": "Standard",
"corda.group.tls.type": "Mutual",
"corda.group.tls.version": "1.3",
"corda.endpoints.0.connectionURL": "https://'$P2P_GATEWAY_HOST':'$P2P_GATEWAY_PORT'",
"corda.endpoints.0.protocolVersion": "1",
"corda.group.truststore.tls.0" : "'$TLS_CA_CERT'"
}'
Update the MGM Allowed Certificate Subject List
To add a member TLS certificate subject to the MGM allowed list, run the following, where CN=CordaOperator,C=GB,L=London,O=Org is the subject of the TLS certificate created as part of member onboarding:
curl -k -u admin:admin -X PUT "$MGM_API_URL/mgm/$MGM_HOLDING_ID/mutual-tls/allowed-client-certificate-subjects/CN=CordaOperator,C=GB,L=London,O=Org"
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$MGM_API_URL/mgm/$MGM_HOLDING_ID/mutual-tls/allowed-client-certificate-subjects/CN=CordaOperator,C=GB,L=London,O=Org" -Method Put
The allowed-client-certificate-subjects API also supports a DELETE and GET to manage the accepted list of certificates by the MGM. For example:
curl -k -u admin:admin -X DELETE "$MGM_API_URL/mgm/$MGM_HOLDING_ID/mutual-tls/allowed-client-certificate-subjects/CN=CordaOperatorTwo,C=GB,L=London,O=Org"
curl -k -u admin:admin -X PUT "$MGM_API_URL/mgm/$MGM_HOLDING_ID/mutual-tls/allowed-client-certificate-subjects/CN=CordaOperatorThree,C=GB,L=London,O=Org"
curl -k -u admin:admin "$MGM_API_URL/mgm/$MGM_HOLDING_ID/mutual-tls/allowed-client-certificate-subjects"
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.