TLS on AdminAPI

Hi Team,

In the doc (link) it is shown that client certificates are supported on the Admin API. I completed testing on the server-side authentication and am now starting to test client-side authentication. Assume I am working on a participant node (participant1). Two questions.

(1) Why do we need to put the client’s credential (i.e. the client’s private key and certificate) in the TLS configuration (client-auth) on participant1? This should be something issued by a CA and only known to the client, and should not be something configured on participant1. Participant1 should only care about the server-side credential.

(2) If I am using a remote console (remote-participants) to connect to participant1, on which TLS client-auth is required, how can I configure participant1 in remote.conf such that I can use TLS client-side authentication?

Thanks.

kc

Hi @kctam

(1) Fundamentally, client credentials are only needed by participant1 when using TLS mutual authentication. However, as mentioned in the documentation you linked, Canton additionally requires the private key (as opposed to just the client certificate) because Canton itself connects to the Admin API (i.e. is the client) through various internal processes. Does that answer the question, or are you looking for more detail here?

(2) TLS for remote consoles/participants is configured in the same way it is configured for in-process consoles/participants. This is not correct; please see this post.

Note that it is not possible to use TLS with only client authentication. If using TLS at all, the only available options for the Ledger and Admin API are server-side authentication only or full mutual authentication.

Hope this helps!

Best,
Arne

Hi @arne,

Thanks for your information. Yes, I understand it is either server authentication or server+client authentication, just like a typical TLS model.

I wish to see whether my understanding of client/server in the Canton process is correct.

Assuming I’m just looking at the participant1, and access it with a remote console. My understanding is that

  • the Canton process for participant1 is the TLS server side
  • the Canton process for the remote console accessing participant1 is the TLS client side.

Please check whether my understanding is correct. That is also why I wish to have client authentication, making sure only a remote console having the right client certificate can access participant1, not just any remote console that has the right configuration.

The process of bringing up TLS client authentication on participant1 is like this. It works well when launching the process.

In test-tls.conf this works well when launching the Canton process.

    participant1 {
      admin-api {
        address = localhost
        port = 5012
        tls {
          cert-chain-file = "./adminapitls/participant1.cert"
          private-key-file = "./adminapitls/participant1.key"
          trust-collection-file = "./adminapitls/root.cert"
          client-auth = {
            type = require
            admin-client {
              cert-chain-file = "./adminapitls/client.cert"
              private-key-file = "./adminapitls/client.key"
            }
          }
        }
      }
      ledger-api.port = 5011
    }

In remote.conf, I have configured TLS like this:

    participant1 {
      admin-api {
        address = localhost
        port = 5012
        tls {
          trust-collection-file = "./adminapitls/root.cert"
          client-auth = {
            type = require
            admin-client {
              cert-chain-file = "./adminapitls/client.cert"
              private-key-file = "./adminapitls/client.key"
            }
          }
        }
      }
      ledger-api.port = 5011
      ledger-api.address = localhost
    }

And I got this error when launching the remote console:

kctam@ubuntu:~/canton-enterprise-1.0.0-rc5$ ./bin/canton -c adminapitls/remote.conf 
ERROR c.d.c.CantonEnterpriseApp$ - GENERIC_CONFIG_ERROR(8,0): Cannot convert configuration to a config of class com.digitalasset.canton.config.CantonEnterpriseConfig. Failures are:
  at 'canton.remote-participants.participant1.admin-api.tls.client-auth':
    - (adminapitls/remote.conf: 9) Unknown key.
 err-context:{location=CantonConfig.scala:1262} 

If you have a configuration for remote console using TLS client authentication, please share with me.
Thanks again.

kc

Hi @kctam,

Apologies, I made a mistake: the TLS configuration for remote consoles is indeed slightly different than for in-process consoles. Something like the following should work:

    participant1 {
      admin-api {
        address = localhost
        port = 5012
        tls {
          trust-collection-file = "./adminapitls/root.cert"
          # remote console: the client credentials go under client-cert, not client-auth
          client-cert = {
            cert-chain-file = "./adminapitls/client.cert"
            private-key-file = "./adminapitls/client.key"
          }
        }
      }
      ledger-api.port = 5011
      ledger-api.address = localhost
    }

I also added a note about this to the end of the TLS configuration section. Your understanding of the client-side/server-side for TLS in Canton is correct.

Best,
Arne
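As an added example (not code from this thread, from Canton or from its documentation), the following Go program reproduces the roles discussed above with an in-memory PKI: participant1 is the TLS server whose `client-auth.type = require` corresponds to `tls.RequireAndVerifyClientCert`, and the remote console is the TLS client that either presents a certificate from the trusted CA (the `client-cert` block) or does not. It goes one step beyond the thread by also trying a console certificate issued by a CA that is not in the trust collection. The names `root`, `serverCert`, `clientCert`, `strangerCert`, the CommonNames and the loopback address are assumptions; the certificates are constructed in memory rather than read from the `./adminapitls/*` files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for cn with key usage ku; self-signed when parent is nil.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

const caUse, leafUse = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature

// Constructed in-memory stand-ins for the files in the thread: root is root.cert (the
// trust-collection-file), serverCert is participant1.cert/.key, clientCert is client.cert/.key.
var (
	root, rootKey, _   = issue("root", caUse, nil, nil)
	other, otherKey, _ = issue("other-root", caUse, nil, nil)
	_, _, serverCert   = issue("participant1", leafUse, root, rootKey)
	_, _, clientCert   = issue("remote-console", leafUse, root, rootKey)
	_, _, strangerCert = issue("unknown-console", leafUse, other, otherKey) // CA not in trust collection
	roots              = x509.NewCertPool()
)

func init() { roots.AddCert(root) }

// serverConfig is participant1's admin-api.tls: own cert/key plus the trust collection.
// tls.RequireAndVerifyClientCert stands for client-auth.type = require.
func serverConfig(auth tls.ClientAuthType) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: roots, ClientAuth: auth, MinVersion: tls.VersionTLS12}
}

// clientConfig is the remote console's side: trust collection plus the optional client-cert block.
func clientConfig(clientCerts ...tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: roots, Certificates: clientCerts, MinVersion: tls.VersionTLS12}
}

// handshake runs one loopback connection and returns nil only if both sides succeed. The
// read matters: under TLS 1.3 Dial can return before the server has rejected the client cert.
func handshake(srv, cli *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			_, err = conn.Write([]byte("ok")) // Write drives the server-side handshake
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	defer c.Close()
	if _, err = c.Read(make([]byte, 2)); err != nil {
		return err
	}
	return <-srvErr
}

func main() {
	fmt.Println("mutual auth, CA-issued console cert:", handshake(serverConfig(tls.RequireAndVerifyClientCert), clientConfig(clientCert)))
	fmt.Println("mutual auth, no console cert:       ", handshake(serverConfig(tls.RequireAndVerifyClientCert), clientConfig()))
	fmt.Println("mutual auth, cert from other CA:    ", handshake(serverConfig(tls.RequireAndVerifyClientCert), clientConfig(strangerCert)))
}
```

Run it with `go run .`: the first line prints `<nil>`, the other two print handshake errors. That is the property kc was after: a console with a correct remote.conf but no `client-cert` block, or with a certificate from a CA outside the trust collection, is turned away at the TLS handshake before it can issue a single Admin API call. Swapping `tls.RequireAndVerifyClientCert` for `tls.NoClientCert` gives the server-side-only mode kc tested first, in which the console connects without any client credential.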

Thanks @Arne_Gebert this works well. Now I have a sample setup for TLS mutual authentication on the remote console.

cheers, kc