Hi @arne,
Thanks for your information. Yes, I understand it is either server authentication or server+client authentication, just like a typical TLS model.
I wish to see if my understanding about client/server in canton process is correct.
Assuming I'm just looking at participant1 and accessing it with a remote console, my understanding is that
- the canton process for participant1 is the TLS server side
- the canton process for the remote console accessing participant1 is the TLS client side.
Please let me know if my understanding is correct. That is also why I wish to have client authentication, making sure only a remote console with the right client certificate can access participant1, not just any remote console that has the right configuration.
The process of bringing up TLS client authentication on participant1 is like this, and it works well when launching the process.
In test-tls.conf (this works well when launching the canton process):

participant1 {
  admin-api {
    address = localhost
    port = 5012
    tls {
      cert-chain-file = "./adminapitls/participant1.cert"
      private-key-file = "./adminapitls/participant1.key"
      trust-collection-file = "./adminapitls/root.cert"
      client-auth = {
        type = require
        admin-client {
          cert-chain-file = "./adminapitls/client.cert"
          private-key-file = "./adminapitls/client.key"
        }
      }
    }
  }
  ledger-api.port = 5011
}
In remote.conf, I have configured the tls with this:

participant1 {
  admin-api {
    address = localhost
    port = 5012
    tls {
      trust-collection-file = "./adminapitls/root.cert"
      client-auth = {
        type = require
        admin-client {
          cert-chain-file = "./adminapitls/client.cert"
          private-key-file = "./adminapitls/client.key"
        }
      }
    }
  }
  ledger-api.port = 5011
  ledger-api.address = localhost
}

And I got an error when launching this remote console:
kctam@ubuntu:~/canton-enterprise-1.0.0-rc5$ ./bin/canton -c adminapitls/remote.conf
ERROR c.d.c.CantonEnterpriseApp$ - GENERIC_CONFIG_ERROR(8,0): Cannot convert configuration to a config of class com.digitalasset.canton.config.CantonEnterpriseConfig. Failures are:
at 'canton.remote-participants.participant1.admin-api.tls.client-auth':
- (adminapitls/remote.conf: 9) Unknown key.
err-context:{location=CantonConfig.scala:1262}
If you have a configuration for remote console using TLS client authentication, please share with me.
Thanks again.
kc
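The post above reasons about which side of the admin-API connection is the TLS server (participant1) and which is the TLS client (the remote console), and why `client-auth.type = require` matters. The following is an added example, not code from the post or from Canton, that models exactly that relationship with Go's standard library: a throwaway root CA signs one server certificate and one client certificate (standing in for the `trust-collection-file`, `cert-chain-file` and `admin-client` entries), the server is configured with `tls.RequireAndVerifyClientCert` (the equivalent of `client-auth.type = require`), and the same server is then contacted once with the client certificate and once without it. All names, the in-memory CA and the loopback listener are constructed for this demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert mints an ECDSA certificate for cn. With parent == nil the certificate is
// self-signed (used for the constructed root CA); otherwise it is signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Both usages so the same helper can issue the server and the client leaf.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{"localhost"},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serve accepts connections, completes the TLS handshake (this is where a missing or
// untrusted client certificate is rejected) and answers "ok" on success.
func serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			tc := c.(*tls.Conn)
			if err := tc.Handshake(); err != nil {
				return
			}
			tc.Write([]byte("ok"))
		}(c)
	}
}

// tryConnect dials the server as the "remote console" would; clientCert == nil means no
// client certificate is offered. It reads the server's reply because, with TLS 1.3, a
// client-auth failure surfaces on the first read rather than during Dial.
func tryConnect(addr string, roots *x509.CertPool, clientCert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"} // trust-collection-file
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert} // admin-client cert/key
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = io.ReadFull(conn, make([]byte, 2))
	return err
}

// Outcome records the handshake result with and without a client certificate.
type Outcome struct{ WithCert, WithoutCert error }

// Demo builds the constructed PKI, starts a server that requires client certificates
// (client-auth.type = require) and performs both connection attempts against it.
func Demo() (Outcome, error) {
	ca, caKey, err := newCert("demo-root", true, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	srvCert, srvKey, err := newCert("participant1", false, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	cliCert, cliKey, err := newCert("remote-console", false, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srvTLS := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	cliTLS := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{srvTLS},      // cert-chain-file / private-key-file
		ClientCAs:    roots,                          // trust-collection-file on the server
		ClientAuth:   tls.RequireAndVerifyClientCert, // client-auth.type = require
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	go serve(ln)
	addr := ln.Addr().String()
	return Outcome{
		WithCert:    tryConnect(addr, roots, &cliTLS),
		WithoutCert: tryConnect(addr, roots, nil),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("with client cert:   ", out.WithCert)    // <nil>
	fmt.Println("without client cert:", out.WithoutCert) // a TLS alert / closed connection
}
```

The point the example makes for the configuration question: the `require` setting lives on the server side (participant1's `admin-api.tls`), together with the trust collection used to verify client certificates, while the client side only needs its own certificate and key plus the root to verify the server; a console that omits the client certificate is refused at the handshake, not merely at login.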