Configure Key Pairs and Certificates for the MGM
This section describes how to configure key pairs and certificates for the MGM. It contains the following:
- Generate a Session Initiation Key Pair
- Generate ECDH Key Pair
- Configure the Cluster TLS Key Pair
- Disable Revocation Checks
Generate a Session Initiation Key Pair
To assign a soft hardware security module (HSM) and generate a session initiation key The key for a virtual node, which is published in the `MemberInfo`, and used by Link Managers to authenticate and establish secure messaging sessions between network members. pair:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST $REST_API_URL/hsm/soft/$MGM_HOLDING_ID/SESSION_INIT
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST $REST_API_URL/key/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-session/category/SESSION_INIT/scheme/CORDA.ECDSA.SECP256R1
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/hsm/soft/$MGM_HOLDING_ID/SESSION_INIT"
$SESSION_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/key/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-session/category/SESSION_INIT/scheme/CORDA.ECDSA.SECP256R1"
$SESSION_KEY_ID = $SESSION_KEY_RESPONSE.id
If using Bash, the result contains the session key ID (for example, 3B9A266F96E2). Run the following command to save this ID for use in subsequent steps:
export SESSION_KEY_ID=<session-key-ID>
Generate ECDH Key Pair
To generate an Elliptic-Curve Diffie–Hellman ( ECDH Elliptic-curve Diffie–Hellman. A key sharing algorithm, most commonly used to send encrypted messages. ) key pair:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST $REST_API_URL/hsm/soft/$MGM_HOLDING_ID/PRE_AUTH
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST $REST_API_URL/key/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-auth/category/PRE_AUTH/scheme/CORDA.ECDSA.SECP256R1
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/hsm/soft/$MGM_HOLDING_ID/PRE_AUTH"
$ECDH_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/key/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-auth/category/PRE_AUTH/scheme/CORDA.ECDSA.SECP256R1"
$ECDH_KEY_ID = $ECDH_KEY_RESPONSE.id
export ECDH_KEY_ID=<ECDH-key-ID>
You can use the following schemes for ECDH key derivation:
- ECDSA_SECP256R1
- ECDSA_SECP256K1
- X25519
- SM2
Configure the Cluster TLS Key Pair
To set up the TLS Transport Layer Security. A protocol that establishes an encrypted session between two computers on the Internet. key pair and certificate for the cluster:
Create a TLS key pair at the cluster level by running this command:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST -H "Content-Type: application/json" $REST_API_URL/key/p2p/alias/p2p-TLS/category/TLS/scheme/CORDA.RSA
$TLS_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/key/p2p/alias/p2p-TLS/category/TLS/scheme/CORDA.RSA" $TLS_KEY_ID = $TLS_KEY_RESPONSE.id
If using Bash, the endpoint returns the TLS key ID. Run the following command to save this ID for use in subsequent steps:
export TLS_KEY_ID=<TLS-key-ID>
Create a certificate for the TLS key pair. In order to do so, you must create a certificate signing request (CSR). To generate a CSR, run this command:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X POST -H "Content-Type: application/json" -d '{"x500Name": "CN=CordaOperator, C=GB, L=London, O=Org", "subjectAlternativeNames": ["'$P2P_GATEWAY_HOST'"]}' $REST_API_URL"/certificate/p2p/"$TLS_KEY_ID > "$WORK_DIR"/request1.csr
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$REST_API_URL/certificate/p2p/$TLS_KEY_ID" -Body (ConvertTo-Json @{ x500Name = "CN=CordaOperator, C=GB, L=London, O=Org" subjectAlternativeNames = @($P2P_GATEWAY_HOST) }) > $WORK_DIR/request1.csr
You can inspect the
request1.csr
file by running this command:openssl req -text -noout -verify -in ./request1.csr
The contents should resemble the following:
-----BEGIN CERTIFICATE REQUEST----- MIIDkjCCAfwCAQAwLjELMAkGA1UEBhMCR0IxDzANBgNVBAcTBkxvbmRvbjEOMAwG A1UEAxMFQWxpY2UwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQChJ9CW 9bpnlKOg0OkRRSEPuo2CBMY4r9hDqgLPiadHqBh+QcXqZv23ftHDgFl7CnidG9xc 1t8oCcOYSd9SfLTuxINF+eUoBZ5n4Igj210z1kp20bGc31qi7chzNHiLgpDXrh0x 5AItxnHV+/grD4y3FxOxA6M0rGjMHsVWrxytTchEVN1cCEwUXWG0sjO3y4loctln nBAQyjxo0au1K5r9jzjz8dorkgCALYuSpr4eyjRij+/DuStH9VHcz+XdFz9MlW/B k4c8VzpqGhXs8w5UagnB81ZOmm+xoQOrELeZ1RPAEqCV8kAOO0xjfpTUIzOqz5bC U0luWEM0Gw0BsNdrdaQtrpAs0mv3Rmq6pMD6jlXTqJ8NbravrAnP1DMqHZKKMWnU PEyAuDJB3ndukJfRA03UpRmonvus1UXvheUgRG2f0RIbefvBLUqt+MBucgkUNQmf qyPuD2XaCcOLfSZ+FTtMg2P2E4l2cAnhmzeGL3kHTvilm3ZWlWBUEfJ4BZ0CAwEA AaAhMB8GCSqGSIb3DQEJDjESMBAwDgYDVR0PAQH/BAQDAgeAMAsGCSqGSIb3DQEB DQOCAYEAYtt2Fpgelb81jAEDayLHKISuwRXThGQv3xuZtwxdiC3gWdJbV9H6IWzv cmlxXUrnaju30eQ/LkB8tzuy++p2fIctO8y8Hiw743hddy6dEd21PxQHsNTAS5Ko 1yikmzzRwT5JwMY+EZDxDxXfYViq0xaZoHPbcr3LmwkipqRnZo4e2i5jUCQjFMYq ZThLbl1NKHR98O2/akekmlpuGgtLFOLlSHYkZvZY7K1IEkLZAdbo4fhimDDxQg7T v59nY3SSGbNirFlqz4UfAjKpPyV+UVgRNcFNxJyA6/eL/J8Wedb3zqat2utilLb7 6nicgQ0S3Xb5gPsTUXcsHRuD+FVJG+eJ1qEvh2srIZ57Nnjr9FTy6mqqN4Ln3g31 k9GLOv2kll+tFWjAZEDSRX2VqxkVOlEuKeGXcdrJ2EXz3G444A0wtiTgppwdy9Az YCOEnQMQQUE3gXBax1UsQwl7M71it1/QuhtsBccLfX6rB8BNldwRibADPD16Y6PY LwkiaZXc -----END CERTIFICATE REQUEST-----
Provide the chosen CA Certificate Authority. The holders of a PKI trust root that can issue certificates to customers. with this CSR and request for certificate issuance.
To upload the certificate chain to the Corda cluster, run this command, where
certificate-folder
is the path to the folder in which you saved the certificate received from the CA:curl -k -u $REST_API_USER:$REST_API_PASSWORD -X PUT -F certificate=@<certificate-folder>/certificate.pem -F alias=p2p-tls-cert $REST_API_URL/certificate/cluster/p2p-tls
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$REST_API_URL/certificate/cluster/p2p-tls" -Form @{ certificate = Get-Item -Path <CERTIFICATE_FOLDER>\certificate.pem alias = "p2p-tls-cert" }
You can optionally omit the root certificate. If revocation is enabled and the root certificate does not have a CRL or OSCP endpoint, you must omit the root certificate.
If you upload a certificate chain consisting of more than one certificate, ensure that-----END CERTIFICATE-----
and-----BEGIN CERTIFICATE-----
from the next certificate are separated by a new line with no empty spaces in between.
Disable Revocation Checks
If the CA has not been configured with revocation (for example, via CRL or OCSP), you can disable revocation checks In the context of X.509 certificates, revocation checks refer to the process of verifying if a digital certificate is still valid and has not been revoked by the issuing Certificate Authority (CA). :
By default, revocation checks are enabled. You only need to disable revocation checks once per cluster.
Disable Revocation Checks Using Bash
If using Bash, to disable revocation checks, do the following:
- Retrieve the current gateway configuration version:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X GET $REST_API_URL/config/corda.p2p.gateway
- Save the displayed version number from the response as a variable:
export CONFIG_VERSION=<configuration-version>
- Send the following request to disable revocation checks for the specified gateway worker
A worker designed to communicate with external Corda clusters via HTTPS. They have restricted access only to specific topics on the Kafka bus and view only the minimum information needed for their role.
:
curl -k -u $REST_API_USER:$REST_API_PASSWORD -X PUT -d '{"section":"corda.p2p.gateway", "version":"'$CONFIG_VERSION'", "config":"{ \"sslConfig\": { \"revocationCheck\": { \"mode\": \"OFF\" } } }", "schemaVersion": {"major": 1, "minor": 0}}' $REST_API_URL"/config"
Disable Revocation Checks Using PowerShell
If using PowerShell, to disable revocation checks, run the following:
$CONFIG_VERSION = (Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/config/corda.p2p.gateway").version
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$REST_API_URL/config" -Body (ConvertTo-Json -Depth 4 @{
section = "corda.p2p.gateway"
version = $CONFIG_VERSION
config = @{
sslConfig = @{
revocationCheck = @{
mode = "OFF"
}
}
}
schemaVersion = @{
major = 1
minor = 0
}
})
Was this page helpful?
Thanks for your feedback!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.
We're sorry this page wasn't helpful. Let us know how we can make it better!
Chat with us
Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.
Create an issue
Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.
Propose documentation improvements directly
Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.