Has the RAFT implementation been changed in Corda Version 3, or is it similar to Version 2 and it is not possible to disable TLS v1?
We know Corda uses TLS v1.2, but v1 is still active and we need to completely disable it. Is there a way to do that?
Thanks!!
There haven't been any changes for that in Corda 3.0, and it's slightly outside our control since it's managed by an external library we use, Copycat.
I'm just curious why you need to completely disable it – the Raft notary is configured to use TLS v1.2, and you could firewall the Raft ports to only be accessible to cluster members.
Related
I'm on a Corda V2 project (but will be migrating to V3 shortly). Per the docs
Artemis is hidden behind a thin interface...
But I'm exploring some business cases around the queue. Specifically is any of the following exposed for configuration? (Couldn't find anything specific in node config, but about to look at source.) Or would I need to do my own broker and specify with messagingServerAddress?
delivery retry rate
backoff rate
timeout, or when Artemis gives up on delivering the message
Sorry, might be separate question but can the internal queue be queried to see if a node has proposed tx's still waiting to be sent to a different node?
As of Corda 3, these settings are not configurable.
It is recommended not to try and interfere with these settings, as many Corda components do not have timeouts configured.
If your use case absolutely requires configuring these settings, please update the original question to explain why :)
We have realized our communications between nodes are using TLSv1. However, checking the ArtemisTcpTransport.kt class, it looks like only v1.2 is supported:
val TLS_VERSIONS = listOf("TLSv1.2")
I would like to use v1.2 in our communications. Is that possible?
Corda nodes do communicate using TLS 1.2. See https://docs.corda.net/permissioning.html#keypair-and-certificate-formats.
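One way to confirm which protocol version a connection actually negotiated is to read it from the ServerHello in a packet capture. The sketch below is an added example, not code from the original posts or from Corda; the function names are hypothetical and the sample records are constructed, not captured traffic.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(record: bytes) -> str:
    """Return the protocol version a raw TLS ServerHello record selects."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    # The record-layer version is a compatibility field; it is ignored here.
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < 4 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]   # legacy server_version
    pos = 2 + 32                                  # skip version and random
    pos += 1 + hello[pos] + 2 + 1                 # session id, suite, compression
    exts = hello[pos + 2:pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")]
    i = 0
    while i + 4 <= len(exts):
        ext_type, ext_len = struct.unpack("!HH", exts[i:i + 4])
        if ext_type == 0x002B and i + 6 <= len(exts):
            # supported_versions: TLS 1.3 states the selected version here
            version = struct.unpack("!H", exts[i + 4:i + 6])[0]
        i += 4 + ext_len
    return TLS_NAMES.get(version, hex(version))

def build_server_hello(record_version, server_version, extensions=b""):
    """Build a constructed ServerHello record for the demo (hypothetical helper)."""
    # version, 32-byte random, empty session id, cipher suite (not inspected),
    # null compression
    hello = struct.pack("!H", server_version) + bytes(32) + b"\x00\x00\x2f\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

# Constructed sample records
SAMPLE_TLS10 = build_server_hello(0x0301, 0x0301)
SAMPLE_TLS12 = build_server_hello(0x0303, 0x0303)
SAMPLE_TLS13 = build_server_hello(0x0303, 0x0303,
                                  struct.pack("!HHH", 0x002B, 2, 0x0304))

if __name__ == "__main__":
    for name, rec in [("tls10", SAMPLE_TLS10), ("tls12", SAMPLE_TLS12),
                      ("tls13", SAMPLE_TLS13)]:
        print(name, negotiated_version(rec))
```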
I am trying to enable TLS for Kafka broker exchanges and had a thought regarding Zookeeper TLS. Currently, in the Apache Kafka documentation I cannot see much mentioned about ZK TLS setup (ok, probably because it's a different Apache project) and any possible performance impact.
The question is, can I not have ONLY the broker-client and inter-broker exchanges secured? Do I also need to add TLS to Zookeeper? Extra security isn't bad, but is it really necessary to do it even for Zookeeper?
Zookeeper with TLS is only available in Zookeeper 3.5, which is still in beta. Therefore, Kafka isn't supporting TLS connections to Zookeeper yet. That doesn't mean you can't do it, but it does mean you won't find much documentation on it, and if you run it on something important, you are putting yourself at risk. In this case, I would say the extra security could hurt.
What is the recommended way to make a TLS/SSL connection to Redis sentinel using spring-data-redis and Jedis?
I'm using spring-data-redis 1.8.3.RELEASE with Jedis 2.9.0.
I understand that Redis does not provide direct support for TLS/SSL and instead recommends a secure proxy like spiped or stunnel. So let's assume I have set up the appropriate secure tunnels.
I can see that JedisConnectionFactory has a setUseSsl(boolean useSsl) method, but the value only seems to be used in createRedisPool() and not createRedisSentinelPool(), which leads me to think it is currently not possible with Redis sentinel.
Additionally, even when using standalone Redis and setting useSsl to true, there doesn't appear to be a way to set the SSLSocketFactory or parameters, so it will likely end up relying on the JVM's SSL system properties, which is problematic if those aren't the SSL properties you wanted to use to connect to the secure tunnel.
Just trying to confirm if my above assumptions are correct, and if not then looking for pointers in the right direction. Thanks.
I am using Kafka Version 0.10.2.0. Is there a way to secure communication between the Zookeeper client, i.e. ZkClient, and the Zookeeper server with SSL? I found some way to do it through SASL, but I want it through SSL.
Zookeeper 3.5 includes SSL support, but it is still in alpha, so Kafka doesn't yet support it. The highest supported version is 3.4, which only includes SASL.
Ref: https://issues.apache.org/jira/browse/ZOOKEEPER-1000
This task can still be achieved by a simple workaround, described in the steps below:
Install zookeeper-3.5.1-alpha (to use the .jar files. version 3.5+ can be used)
Replace default zookeeper*.jar with /zookeeper-3.5.1-alpha/zookeeper-3.5.1-alpha.jar in <kafka-installation-folder>\libs
Copy /zookeeper-3.5.1-alpha/lib/netty-3.7.0.Final.jar into <kafka-installation-folder>\libs
Relevant changes to enable SSL on Zookeeper (https://cwiki-test.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide)