From 4e9b825ebda5ebb65ead9cb4c7153c92c97584de Mon Sep 17 00:00:00 2001 From: Enrique Lacal Date: Fri, 26 May 2023 16:46:14 +0100 Subject: [PATCH 1/3] docs: add mTLS section Signed-off-by: Enrique Lacal --- docs/overview/key_components/security.md | 2 +- docs/reference/tls.md | 63 ++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 docs/reference/tls.md diff --git a/docs/overview/key_components/security.md b/docs/overview/key_components/security.md index 0214b6795..6a70accd3 100644 --- a/docs/overview/key_components/security.md +++ b/docs/overview/key_components/security.md @@ -59,4 +59,4 @@ See the reference implementation > message queue based reliable delivery of messages, hub-and-spoke connectivity models, chunking > of very large file payloads, and end-to-end encryption. -Learn more about these private data flows in [Multiparty Process Flows](../multiparty/multiparty_flow.md). \ No newline at end of file +Learn more about these private data flows in [Multiparty Process Flows](../multiparty/multiparty_flow.md). diff --git a/docs/reference/tls.md b/docs/reference/tls.md new file mode 100644 index 000000000..bca69df97 --- /dev/null +++ b/docs/reference/tls.md 
@@ -0,0 +1,63 @@ +--- +layout: i18n_page +title: pages.tls +parent: pages.reference +nav_order: 11 +--- + +# TLS +{: .no_toc } + +## Table of contents +{: .no_toc .text-delta } + +1. TOC +{:toc} + +--- + +## TLS Overview + + +To enable TLS in Firefly, there is a configuration available to provide certificates and keys. + +The common configuration is as such: + +```yaml +tls: + enabled: true/false # Toggle on or off TLS + caFile: + certFile: + keyFile: + clientAuth: true/false # Only applicable to the server side, to toggle on or off client authentication + requiredDNAttributes: A set of required subject DN attributes. Each entry is a regular expression, and the subject certificate must have a matching attribute of the specified type (CN, C, O, OU, ST, L, STREET, POSTALCODE, SERIALNUMBER are valid attributes) +``` + +**NOTE** The CAs, certificates and keys have to be in PEM format. + +## Configuring TLS for the API server + +Using the above configuration, we can place it under the `http` config and enable TLS or mTLS for any API call. + +[See this config section for details](config.html#httptls) + +## Configuring TLS for the webhooks + +Using the above configuration, we can place it under the `events.webhooks` config and enable TLS or mTLS for any webhook call. + +[See this config section for details](config.html#eventswebhookstls) + + +## Configuring clients and websockets + +Firefly has a set of HTTP clients and websockets that communicate the external endpoints and services that could be secured using TLS. +In order to configure these clients, we can use the same configuration as above in the respective places in the config which relate to those clients. + +For example, if you wish to configure the ethereum blockchain connector with TLS you would look at [this config section](reference/config.html#pluginsblockchainethereumethconnecttls) + +For more clients, search in the [configuration reference](config.html) for a TLS section. 
+ + +## Enhancing validation of certificates + +In the case where we want to verify that a specific client certificate has certain attributes we can use the `requiredDNAtributes` configuration as described above. This will allow you by the means of a regex expresssion matching against well known distinguished names (DN). To learn more about a DNs look at [this document](https://datatracker.ietf.org/doc/rfc4514/) From 19d8c3f4e6648777e722c24c7b0c93653963ab16 Mon Sep 17 00:00:00 2001 From: Enrique Lacal Date: Tue, 30 May 2023 09:44:30 +0100 Subject: [PATCH 2/3] fix: add i18n Signed-off-by: Enrique Lacal --- docs/_i18n/en.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/_i18n/en.yml b/docs/_i18n/en.yml index 3d1c2b0eb..371beabf8 100644 --- a/docs/_i18n/en.yml +++ b/docs/_i18n/en.yml @@ -47,6 +47,7 @@ pages: remote_fabric_network: Remote Fabric Network release_notes: Release Notes security: Security + tls: TLS tools: Tools tutorials: Tutorials understanding_firefly: Understanding FireFly @@ -56,4 +57,4 @@ pages: fabric_test_network: Fabric-Samples Test Network xdc_testnet: XDC Testnet zksync_testnet: zkSync Testnet - rotate_dx_certs: Rotate Data Exchange Certificates \ No newline at end of file + rotate_dx_certs: Rotate Data Exchange Certificates From b2568e1c6d91eeebeb759c91fc07f0b68229e162 Mon Sep 17 00:00:00 2001 From: Enrique Lacal Date: Tue, 30 May 2023 10:09:41 +0100 Subject: [PATCH 3/3] fix: link Signed-off-by: Enrique Lacal --- docs/reference/tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/tls.md b/docs/reference/tls.md index bca69df97..b709d429f 100644 --- a/docs/reference/tls.md +++ b/docs/reference/tls.md 
@@ -53,7 +53,7 @@ Using the above configuration, we can place it under the `events.webhooks` confi Firefly has a set of HTTP clients and websockets that communicate the external endpoints and services that could be secured using TLS. In order to configure these clients, we can use the same configuration as above in the respective places in the config which relate to those clients. -For example, if you wish to configure the ethereum blockchain connector with TLS you would look at [this config section](reference/config.html#pluginsblockchainethereumethconnecttls) +For example, if you wish to configure the ethereum blockchain connector with TLS you would look at [this config section](config.html#pluginsblockchainethereumethconnecttls) For more clients, search in the [configuration reference](config.html) for a TLS section.
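Review bot: in PATCH 1/3, the YAML sample in the new `docs/reference/tls.md` hunk is not valid YAML and cannot be pasted into a config as written: `enabled: true/false` and `clientAuth: true/false` put a prose placeholder where a boolean belongs, `caFile:`, `certFile:` and `keyFile:` carry no example values, and `requiredDNAttributes:` is followed by a sentence instead of a value. Suggest a concrete, parseable shape (e.g. `enabled: true` and `caFile: /path/to/ca.pem`) with the descriptions moved into `#` comments, and showing `requiredDNAttributes` in whatever structure the code actually reads (the description "Each entry is a regular expression ... of the specified type (CN, C, O, ...)" reads like a map from attribute type to pattern, but the page should show it rather than leave the reader to guess). The same hunk's "Enhancing validation of certificates" paragraph refers to `requiredDNAtributes` (one t), which does not match the `requiredDNAttributes` key above it, and contains the typos "regex expresssion" and "a DNs"; the sentence "This will allow you by the means of a regex expresssion matching against well known distinguished names (DN)" also lacks its object and could read "This lets you match each subject DN attribute against a regular expression". Finally, for a section titled mTLS the page never states what `caFile` is used to verify on each side (the server certificate when acting as a client; client certificates when `clientAuth: true` on the server side) nor that `requiredDNAttributes` narrows which otherwise-valid certificates are accepted, so a pattern such as `.*` makes the check a no-op; one sentence on each would make the mutual-authentication story complete.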
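Review bot: in PATCH 3/3, the link change from `reference/config.html#pluginsblockchainethereumethconnecttls` to `config.html#pluginsblockchainethereumethconnecttls` is correct for a page that lives under `docs/reference/` and now matches the page's other links (`config.html#httptls`, `config.html#eventswebhookstls`); since the broken link was introduced in PATCH 1/3 of this same series, consider squashing this fix into it so no commit in the series ships the bad path. The unchanged context line in this hunk still reads "communicate the external endpoints" (missing "with"), and the `requiredDNAtributes` typo further down the same file is not touched by any patch in the series; both are small enough to fold into this fix commit.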