FAB-10793 NodeSDK Update Mutual TLS doc
Update doc to reflect the improved process to add tls certs to the client and make them available to all endpoints it creates after that.

Change-Id: I42303329326639171d47277152b74510d6b27d15
Signed-off-by: Bret Harrison <beharrison@nc.rr.com>
Showing 1 changed file with 15 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,49 +1,41 @@ | ||
This tutorial illustrates how to use the node SDK APIs to connect to an | ||
orderer or peer which has TLS client authentication enabled (aka "mutual TLS"). | ||
|
||
An orderer has TLS client authentication enabled if the | ||
An orderer has TLS client authentication enabled if the | ||
`ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED` environment variable is set to `true`. | ||
|
||
A peer has TLS client authentication enabled if the | ||
A peer has TLS client authentication enabled if the | ||
`CORE_PEER_TLS_CLIENTAUTHREQUIRED` environment variable is set to `true`. | ||
|
||
### Connecting to an orderer or peer with TLS client authentication enabled | ||
|
||
When creating an orderer, specify the `clientKey` and `clientCert` options with | ||
a value equal to the PEM-encoded private key and certificate, respectively. | ||
After retrieving the client certificate and client key, assign those to the | ||
Client instance. The Client instance will then assign the material to each | ||
orderer and peer it creates. | ||
|
||
For example, the following demonstrates how to connect to an orderer which has TLS | ||
client authentication enabled. This assumes that the client's PEM-encoded TLS key | ||
and certificate are at `somepath/tls/client.key` and `somepath/tls/client.crt`, respectively. | ||
For example, the following demonstrates how to assign to the client first. | ||
Then build an orderer and peer which will then | ||
have the TLS client authentication enabled. This assumes that the client's | ||
PEM-encoded TLS key and certificate are at `somepath/tls/client.key` and | ||
`somepath/tls/client.crt`, respectively. | ||
|
||
``` | ||
let serverCert = fs.readFileSync(path.join(__dirname, 'somepath/msp/tlscacerts/example.com-cert.pem')); | ||
let clientKey = fs.readFileSync(path.join(__dirname, 'somepath/tls/client.key')); | ||
let clientCert = fs.readFileSync(path.join(__dirname, 'somepath/tls/client.crt')); | ||
orderer = client.newOrderer( | ||
client.setTlsClientCertAndKey(Buffer.from(clientCert).toString(), Buffer.from(clientKey).toString()); | ||
let orderer = client.newOrderer( | ||
'grpcs://localhost:7050', | ||
{ | ||
'pem': Buffer.from(serverCert).toString(), | ||
'clientKey': Buffer.from(clientKey).toString(), | ||
'clientCert': Buffer.from(clientCert).toString(), | ||
'pem': Buffer.from(serverCert).toString() | ||
}); | ||
``` | ||
|
||
Similarly, the following demonstrates how to connect to a peer which has TLS | ||
client authentication enabled. This assumes that the client's PEM-encoded TLS key | ||
and certificate are at `somepath/tls/client.key` and `somepath/tls/client.crt`, respectively. | ||
``` | ||
let serverCert = fs.readFileSync(path.join(__dirname, 'somepath/msp/tlscacerts/org1.example.com-cert.pem')); | ||
let clientKey = fs.readFileSync(path.join(__dirname, 'somepath/tls/client.key')); | ||
let clientCert = fs.readFileSync(path.join(__dirname, 'somepath/tls/client.crt')); | ||
let peer = client.newPeer( | ||
'grpcs://localhost:7051', | ||
{ | ||
'pem': Buffer.from(serverCert).toString(), | ||
'clientKey': Buffer.from(clientKey).toString(), | ||
'clientCert': Buffer.from(clientCert).toString(), | ||
'pem': Buffer.from(serverCert).toString() | ||
} | ||
); | ||
``` |
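Review bot: In the rewritten lead-in to the example, "the following demonstrates how to assign to the client first" has no object, and the doc never states the ordering constraint that the commit message relies on. Suggest wording such as "the following demonstrates how to assign the TLS client certificate and key to the client first, then build an orderer and a peer that use them", plus a sentence saying that `client.setTlsClientCertAndKey(...)` must be called before `client.newOrderer(...)` and `client.newPeer(...)`. The commit message says the material is made available to endpoints the client "creates after that", so an endpoint created before the call would presumably lack the client certificate and fail the handshake against a node with `ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED` or `CORE_PEER_TLS_CLIENTAUTHREQUIRED` set to `true`. Minor style point in the same example: `fs.readFileSync` already returns a Buffer, so `Buffer.from(clientCert).toString()` can be written as `clientCert.toString()`, and likewise for `clientKey` and `serverCert`.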