github.com/hyperion-hyn/go-ethereum@v2.4.0+incompatible/docs/Privacy/Tessera/Configuration/TLS.md

github.com/hyperion-hyn/go-ethereum@v2.4.0+incompatible/docs/Privacy/Tessera/Configuration/TLS.md (about)

     1  ### Usage
     2  Communications via TLS/SSL can be enabled by setting `"tls": "STRICT"`. 
     3  
     4  If the value is set to `"OFF"`, the rest of the SSL configuration will not be considered.
     5  
     6  !!! warning
     7      If using TLS make sure to update the hostname of the node to use `https` instead of `http`
     8  
     9  ```json
    10  {
    11    "sslConfig": {
    12      "tls": "[Authentication mode : OFF,STRICT]",
    13             
    14      "serverTrustMode": "[Possible values: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE]",
    15      "serverKeyStore": "[Path to server keystore]",
    16      "serverKeyStorePassword": "[Password required for server KeyStore]",
    17      "serverTrustStore": "[Server trust store path]",
    18      "serverTrustStorePassword": "[Password required for server trust store]",
    19      "serverTlsKeyPath": "[Path to server TLS key path]",
    20      "serverTlsCertificatePath": "[Path to server TLS cert path]",
    21      "serverTrustCertificates": [
    22        "[Array of truststore certificates if no truststore is defined.]"
    23      ],
    24      
    25      "clientTrustMode": "[Possible values: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE]",
    26      "clientKeyStore": "[Path to client keystore. The keystore that is used when communicating to other nodes.]",
    27      "clientKeyStorePassword": "[Password required for client KeyStore]",
    28      "clientTrustStore": "[Path to client TrustStore]",
    29      "clientTrustStorePassword": "[Password required for client trust store]",
    30      "clientTlsKeyPath": "[Path to client TLS Key]",
    31      "clientTlsCertificatePath": "[Path to client TLS cert]",
    32      "clientTrustCertificates": [
    33        "[Array of truststore certificates if no truststore is defined.]"
    34      ],
    35      
    36      "knownClientsFile": "[TLS known clients file for the server. This contains the fingerprints of public keys of other nodes that are allowed to connect to this one.]",
    37      "knownServersFile": "[TLS known servers file for the client. This contains the fingerprints of public keys of other nodes that this node has encountered.]",
    38      "generateKeyStoreIfNotExisted": "[boolean]",
    39      "environmentVariablePrefix": "[Prefix to uniquely identify environment variables for this particular server ssl config]"
    40    }
    41  }
    42  ```
    43  
    44  When SSL is enabled, each node will need to have certificates and keys defined for both client-side and server-side. These can be defined in multiple ways:
    45  
    46  1. Secured & unsecured `.jks` (Java keystore) format files 
    47      * `serverKeyStore`, `serverKeyStorePassword`, `serverTrustStore`, `serverTrustStorePassword` 
    48      * `clientKeyStore`, `clientKeyStorePassword`, `clientTrustStore`, `clientTrustStorePassword`
    49  2. `.pem` format certificate and key files
    50      * `serverTlsKeyPath`, `serverTlsCertificatePath`, `serverTrustCertificates`
    51      * `clientTlsKeyPath`, `clientTlsCertificatePath`, `clientTrustCertificates`
    52  
    53  `.jks` files take precedence over `.pem` files if both are provided for client-side or server-side.
    54  
    55  #### Keystores
    56  ##### Passwords
    57  Passwords for secured `.jks` keystores can be provided in multiple ways, and in the following order of precedence:
    58  1. *Prefixed* environment variables
    59      * `<PREFIX>_TESSERA_SERVER_KEYSTORE_PWD`, `<PREFIX>_TESSERA_SERVER_TRUSTSTORE_PWD`
    60      * `<PREFIX>_TESSERA_CLIENT_KEYSTORE_PWD`, `<PREFIX>_TESSERA_CLIENT_TRUSTSTORE_PWD`
    61      
    62  2. Config file 
    63      * `serverKeyStorePassword`, `serverTrustStorePassword`
    64      * `clientKeyStorePassword`, `clientTrustStorePassword`
    65      
    66  3. *Global* environment variables
    67      * `TESSERA_SERVER_KEYSTORE_PWD`, `TESSERA_SERVER_TRUSTSTORE_PWD`
    68      * `TESSERA_CLIENT_KEYSTORE_PWD`, `TESSERA_CLIENT_TRUSTSTORE_PWD`
    69  
    70  The *global* environment variables, if set, are applied to all server configs defined in the configfile (i.e. if a P2P and ADMIN server are both configured with TLS then the values set for the global environment variables will be used for both).  These values are ignored if the passwords are also provided in the configfile or as prefixed environment variables.
    71  
    72  The *prefixed* environment variables are only applied to the servers with that `environmentVariablePrefix` value defined in their config.  This allows, for example, a P2P and ADMIN server to be configured with different prefixes, `P2P` and `ADMIN`.  Different keystores can then be used for each server and the individual passwords provided with `P2P_<...>` and `ADMIN_<...>`.
    73  
    74  ##### Generating keystores
    75  If keystores do not already exist, Tessera can generate `.jks` (Java keystore) files for use with non-CA Trust Modes (see Trust Modes).
    76  
    77  By setting `"generateKeyStoreIfNotExisted": "true"`, Tessera will check whether files already exist at the paths provided in the `serverKeyStore` and `clientKeyStore` config values.  If the files do not exist: 
    78  
    79  1. New keystores will be generated and saved at the `serverKeyStore` and `clientKeyStore` paths
    80  2. The keystores will be secured using the corresponding passwords if they are provided (see Passwords)
    81  
    82  #### PEM files
    83  Below is a config sample for using the `.pem` file format:
    84  ```json
    85  "sslConfig" : {
    86      "tls" : "STRICT",
    87      "generateKeyStoreIfNotExisted" : "false",
    88      "serverTlsKeyPath" : "server-key.pem",  
    89      "serverTlsCertificatePath" : "server-cert.pem",
    90      "serverTrustCertificates" : ["server-trust.pem"]
    91      "serverTrustMode" : "CA",
    92      "clientTlsKeyPath" : "client-key.pem",
    93      "clientTlsCertificatePath" : "client-cert.pem",
    94      "clientTrustCertificates" : ["client-trust.pem"]
    95      "clientTrustMode" : "TOFU",
    96      "knownClientsFile" : "knownClients",
    97      "knownServersFile" : "knownServers"
    98  }
    99  ```
   100  
   101  #### Trust Modes
   102  The Trust Mode for both client and server must also be specified. Multiple trust modes are supported: `TOFU`, `WHITELIST`, `CA`, `CA_OR_TOFU`, and `NONE`.
   103  
   104  * `TOFU` (Trust-on-first-use)  
   105      Only the first node that connects identifying as a certain host will be allowed to connect as the same host in the future. When connecting for the first time, the host and its certificate will be added to `knownClientsFile` (for server), or `knownServersFile` (for client). These files will be generated if not already existed, using the values specified in `knownClientsFile` and `knownServersFile`.
   106  
   107      A config sample for `TOFU` trust mode is:
   108  
   109      ```json
   110      "sslConfig" : {
   111          "tls" : "STRICT",
   112          "generateKeyStoreIfNotExisted" : "true",
   113          "serverKeyStore" : "server-keystore",
   114          "serverKeyStorePassword" : "tessera",
   115          "serverTrustMode" : "TOFU",
   116          "clientKeyStore" : "client-keystore",
   117          "clientKeyStorePassword" : "tessera",
   118          "clientTrustMode" : "TOFU",
   119          "knownClientsFile" : "knownClients",
   120          "knownServersFile" : "knownServers"
   121      }
   122      ```
   123  
   124  * `WHITELIST`   
   125      Only nodes that have previously connected to this node and have been added to the `knownClients` file will be allowed to connect. Similarly, this node will only be allowed to make connections to nodes that have been added to the `knownServers` file. This trust mode will not add new entries to the `knownClients` or `knownServers` files.
   126      
   127      With this trust mode, the whitelist files (`knownClientsFile` and `knownServersFile`) must be provided. 
   128      
   129      A config sample for `WHITELIST` trust mode is:
   130      
   131      ```json
   132      "sslConfig" : {
   133          "tls" : "STRICT",
   134          "generateKeyStoreIfNotExisted" : "true",
   135          "serverKeyStore" : "server-keystore",
   136          "serverKeyStorePassword" : "tessera",
   137          "serverTrustMode" : "WHITELIST",
   138          "clientKeyStore" : "client-keystore",
   139          "clientKeyStorePassword" : "tessera",
   140          "clientTrustMode" : "WHITELIST",
   141          "knownClientsFile" : "knownClients",
   142          "knownServersFile" : "knownServers"
   143      }
   144      ```
   145  
   146  * `CA` 
   147      Only nodes with a valid certificate and chain of trust are allowed to connect. For this trust mode, trust stores must be provided and must contain a list of trust certificates.
   148      
   149      A config sample for `CA` trust mode is:
   150      
   151      ```json
   152      "sslConfig" : {
   153          "tls" : "STRICT",
   154          "generateKeyStoreIfNotExisted" : "false", //You can't generate trust stores when using CA
   155          "serverKeyStore" : "server-keystore",
   156          "serverKeyStorePassword" : "tessera",
   157          "serverTrustStore" : "server-truststore",
   158          "serverTrustStorePassword" : "tessera",
   159          "serverTrustMode" : "CA",
   160          "clientKeyStore" : "client-keystore",
   161          "clientKeyStorePassword" : "tessera",
   162          "clientTrustStore" : "client-truststore",
   163          "clientTrustStorePassword" : "tessera",
   164          "clientTrustMode" : "CA",
   165          "knownClientsFile" : "knownClients",
   166          "knownServersFile" : "knownServers"
   167      }
   168      ```