Network Firewall Rules
Make sure firewall rules have been configured to alow the required network connections.
"Direction" of the network traffic is referenced to the network where the Contour Web or Corda Server is hosted, with assumption that the servers/databases are within the same network. Incoming as
Inbound, outgoing asOutbound, within/inside the network asInternal.
The Outbound traffic to the internet can be configured to go out directly from the server or via proxies depending on the traffic type, e.g.
- HTTP/HTTPS Proxy for
HTTPSandHTTPtraffic - SOCKS Proxy for
TCP/AMQPtraffic
The Inbound traffic can be configured to come through load balancers. BUT important to note the Corda peer-to-peer TCP/AMQP traffic relies on SSL Handshake between peer nodes and own corda node (float). Therefore, the SSL should NOT be terminated at load balancer.
Network Connections Overview
Web Server
| From | To | Direction | Protocol |
|---|---|---|---|
| User PC/Browser | Web Server | Inboud / Internal | HTTP/HTTPS |
| Web Server | Corda Server | Internal | RPC |
| Web Server | Database Server | Internal | JDBC |
| Web Server | Mail Server | Internal | SMTP |
| Web Server | essDocs API EndPoint | Outbound | HTTPS |
Corda Node
Without Corda Firewall
| From | To | Direction | Protocol |
|---|---|---|---|
| Corda Node | Database Server | Internal | JDBC |
| Corda Node | Corda Network Doorman | Outbound | HTTPS |
| Corda Node | Corda Network Network Map | Outbound | HTTPS |
| Corda Node | Corda Network tlsCertCrlDistrPoint | Outbound | HTTP |
| Corda Node | Corda Network Notary | Outbound | AMQP |
| Corda Node | Contour BNO | Inboud & Outbound | AMQP |
| Corda Node | Peer Contour Nodes | Inboud & Outbound | AMQP |
With Corda Firewall
More information on Corda Firewall can be found on Corda Docs.
| From | To | Direction | Protocol |
|---|---|---|---|
| Corda Node | Database Server | Internal | JDBC |
| Bridge & Float | Corda Network Doorman | Outbound | HTTPS |
| Bridge & Float | Corda Network Network Map | Outbound | HTTPS |
| Bridge & Float | Corda Network tlsCertCrlDistrPoint | Outbound | HTTP |
| Bridge | Corda Network Notary | Outbound | AMQP |
| Bridge | Contour BNO | Outbound | AMQP |
| Bridge | Peer Contour Nodes | Outbound | AMQP |
| Float | Corda Network Notary | Inboud | AMQP |
| Float | Contour BNO | Inboud | AMQP |
| Float | Peer Contour Nodes | Inboud | AMQP |
Connections on Contour Prod
Contour Beta/Prod environment is running on Corda Network Production. There are mainly 4 categories of services/nodes that a self-managed Contour node needs to connect to:
- Corda Network (tCN) services: Doorman, Network Map, CRL Distribution Endpoint;
- Notary services: Contour uses the Non-validating notary on Corda Network, managed by Corda Network Foundation (CNF);
- Contour BNO: Contour Business Network Operator node
- Peer Contour Nodes: these nodes can be hosted by Contour Company (Contour Cloud nodes), or by Contour customers themselves (Self-managed nodes).
Corda Network Services
The domain names of tCN services in Contour Production Network are given in the sample node.conf below.
- Note: The connection to the CRL Distribution Point as configued in Corda node
node.confis HTTP, instead of HTTPS. Therefore, if HTTP/HTTPS proxy is used, specify the proxy for bothHTTPSandHTTP.- e.g.
java -Dhttps.proxyHost=proxy_host -Dhttps.proxyPort=proxy_port -Dhttp.proxyHost=proxy_host -Dhttp.proxyPort=proxy_port -jar corda.jar
- e.g.
# sample `node.conf`
networkServices {
doormanURL="https://doorman.corda.network/ED5D077E-F970-428B-8091-F7FCBDA06F8C"
networkMapURL="https://prod-sub0-netmap-01.corda.network/SUB0CHKQ-8GCO-HS3S-KLZC-BINKKAGIMDRS"
}
tlsCertCrlDistPoint="http://crl.corda.network/nodetls.crl"
tlsCertCrlIssuer="CN=Corda TLS CRL Authority,OU=Corda Network,O=R3 HoldCo LLC,L=New York,C=US"
Notary services
Notary x500 name as configured in contour-cordapps-<version>.conf, and the domains (p2pAddresses) of these Highly-available Notary nodes are:
prod-notary-sub0-uks1-01.corda.networkprod-notary-sub0-ukw1-03.corda.networkprod-notary-sub0-euw1-05.corda.network
Note: The notary end point may change hence it's recommended not to do whitelisting.
# Production sample `contour-cordapps-<version>.conf`:
net.corda.businessnetworks.membership.notaryName="CN=Non-validating Prod SUB0 HA Notary, O=R3 HoldCo LLC, L=New York, C=US"
Contour BNO
- Contour BNO has domain name under sub-domain of
*.app.contournetwork.io.
Peer Contour Nodes (Contour Cloud)
- Contour cloud hosted peer nodes have their domain name under sub-domain of
*.app.contournetwork.io.
Peer Contour Nodes (Self-managed)
- Since these nodes are self-managed by customers. Contour is not able to provide the information.
Connections on Contour Staging
Corda Network Services
The domain names of tCN services in Contour Staging Network are given in the sample node.conf below.
- Note: The connection to the CRL Distribution Point as configued in Corda node
node.confis HTTP, instead of HTTPS. Therefore, if HTTP/HTTPS proxy is used, specify the proxy for bothHTTPSandHTTP.- e.g.
java -Dhttps.proxyHost=proxy_host -Dhttps.proxyPort=proxy_port -Dhttp.proxyHost=proxy_host -Dhttp.proxyPort=proxy_port -jar corda.jar
- e.g.
# sample `node.conf`
networkServices {
doormanURL="https://doorman.uat.corda.network/3FCF6CEB-20BD-4B4F-9C72-1EFE7689D85B"
networkMapURL="https://uat-sub1-netmap-01.uat.corda.network/SUB1CEP8-32UX-6ZXK-9C82-1FLR6268D75Z"
}
tlsCertCrlDistPoint : "http://crl.uat.corda.network/nodetls.crl"
tlsCertCrlIssuer : "CN=Corda TLS CRL Authority,OU=Corda UAT,O=R3 HoldCo LLC,L=New York,C=US"
Notary services
Notary x500 name as configured in contour-cordapps-<version>.conf, and the domains (p2pAddresses) of these Highly-available Notary nodes are:
uat-notary-sub1-uks1-01.uat.corda.networkuat-notary-sub1-ukw1-03.uat.corda.networkuat-notary-sub1-euw1-05.uat.corda.network
Note: The notary end points may change hence it's not recommended to do whitelisting.
# Staging sample `contour-cordapps-<version>.conf`
net.corda.businessnetworks.membership.notaryName="CN=Non-validating UAT SUB1 HA Notary, O=R3 HoldCo LLC, L=New York, C=US"
Contour BNO
- Contour BNO has domain name under sub-domain of
*.staging.contournetwork.io.
Peer Contour Nodes (Contour Cloud)
- Contour cloud hosted peer nodes have their domain name under sub-domain of
*.staging.contournetwork.io.
Peer Contour Nodes (Self-managed)
- Since these nodes are self-managed by customers. Contour is not able to provide the information.