Skip to content

Network Firewall Rules

Make sure firewall rules have been configured to alow the required network connections.

"Direction" of the network traffic is referenced to the network where the Contour Web or Corda Server is hosted, with assumption that the servers/databases are within the same network. Incoming as Inbound, outgoing as Outbound, within/inside the network as Internal.

The Outbound traffic to the internet can be configured to go out directly from the server or via proxies depending on the traffic type, e.g.

  • HTTP/HTTPS Proxy for HTTPS and HTTP traffic
  • SOCKS Proxy for TCP/AMQP traffic

The Inbound traffic can be configured to come through load balancers. BUT important to note the Corda peer-to-peer TCP/AMQP traffic relies on SSL Handshake between peer nodes and own corda node (float). Therefore, the SSL should NOT be terminated at load balancer.

Network Connections Overview

Web Server

From To Direction Protocol
User PC/Browser Web Server Inboud / Internal HTTP/HTTPS
Web Server Corda Server Internal RPC
Web Server Database Server Internal JDBC
Web Server Mail Server Internal SMTP
Web Server essDocs API EndPoint Outbound HTTPS

Corda Node

Without Corda Firewall

From To Direction Protocol
Corda Node Database Server Internal JDBC
Corda Node Corda Network Doorman Outbound HTTPS
Corda Node Corda Network Network Map Outbound HTTPS
Corda Node Corda Network tlsCertCrlDistrPoint Outbound HTTP
Corda Node Corda Network Notary Outbound AMQP
Corda Node Contour BNO Inboud & Outbound AMQP
Corda Node Peer Contour Nodes Inboud & Outbound AMQP

With Corda Firewall

More information on Corda Firewall can be found on Corda Docs.

From To Direction Protocol
Corda Node Database Server Internal JDBC
Bridge & Float Corda Network Doorman Outbound HTTPS
Bridge & Float Corda Network Network Map Outbound HTTPS
Bridge & Float Corda Network tlsCertCrlDistrPoint Outbound HTTP
Bridge Corda Network Notary Outbound AMQP
Bridge Contour BNO Outbound AMQP
Bridge Peer Contour Nodes Outbound AMQP
Float Corda Network Notary Inboud AMQP
Float Contour BNO Inboud AMQP
Float Peer Contour Nodes Inboud AMQP

Connections on Contour Prod

Contour Beta/Prod environment is running on Corda Network Production. There are mainly 4 categories of services/nodes that a self-managed Contour node needs to connect to:

  1. Corda Network (tCN) services: Doorman, Network Map, CRL Distribution Endpoint;
  2. Notary services: Contour uses the Non-validating notary on Corda Network, managed by Corda Network Foundation (CNF);
  3. Contour BNO: Contour Business Network Operator node
  4. Peer Contour Nodes: these nodes can be hosted by Contour Company (Contour Cloud nodes), or by Contour customers themselves (Self-managed nodes).

Corda Network Services

The domain names of tCN services in Contour Production Network are given in the sample node.conf below.

  • Note: The connection to the CRL Distribution Point as configued in Corda node node.conf is HTTP, instead of HTTPS. Therefore, if HTTP/HTTPS proxy is used, specify the proxy for both HTTPS and HTTP.
    • e.g. java -Dhttps.proxyHost=proxy_host -Dhttps.proxyPort=proxy_port -Dhttp.proxyHost=proxy_host -Dhttp.proxyPort=proxy_port -jar corda.jar
# sample `node.conf`

networkServices {
    doormanURL="https://doorman.corda.network/ED5D077E-F970-428B-8091-F7FCBDA06F8C"
    networkMapURL="https://prod-sub0-netmap-01.corda.network/SUB0CHKQ-8GCO-HS3S-KLZC-BINKKAGIMDRS"    
}
tlsCertCrlDistPoint="http://crl.corda.network/nodetls.crl"
tlsCertCrlIssuer="CN=Corda TLS CRL Authority,OU=Corda Network,O=R3 HoldCo LLC,L=New York,C=US"

Notary services

Notary x500 name as configured in contour-cordapps-<version>.conf, and the domains (p2pAddresses) of these Highly-available Notary nodes are:

  • prod-sub0-notary-01.corda.network
  • prod-sub0-notary-02.corda.network
  • prod-sub0-notary-03.corda.network
  • prod-sub0-notary-04.corda.network
  • prod-sub0-notary-05.corda.network

Contour BNO

  • Contour BNO has domain name under sub-domain of *.app.contournetwork.io.

Peer Contour Nodes (Contour Cloud)

  • Contour cloud hosted peer nodes have their domain name under sub-domain of *.app.contournetwork.io.

Peer Contour Nodes (Self-managed)

  • Since these nodes are self-managed by customers. Contour is not able to provide the information.

Connections on Contour Staging

Corda Network Services

The domain names of tCN services in Contour Staging Network are given in the sample node.conf below.

  • Note: The connection to the CRL Distribution Point as configued in Corda node node.conf is HTTP, instead of HTTPS. Therefore, if HTTP/HTTPS proxy is used, specify the proxy for both HTTPS and HTTP.
    • e.g. java -Dhttps.proxyHost=proxy_host -Dhttps.proxyPort=proxy_port -Dhttp.proxyHost=proxy_host -Dhttp.proxyPort=proxy_port -jar corda.jar
# sample `node.conf`

networkServices {
    doormanURL="https://doorman.uat.corda.network/3FCF6CEB-20BD-4B4F-9C72-1EFE7689D85B"
    networkMapURL="https://uat-sub1-netmap-01.uat.corda.network/SUB1CEP8-32UX-6ZXK-9C82-1FLR6268D75Z"
}
tlsCertCrlDistPoint : "http://crl.uat.corda.network/nodetls.crl"
tlsCertCrlIssuer : "CN=Corda TLS CRL Authority,OU=Corda UAT,O=R3 HoldCo LLC,L=New York,C=US"

Notary services

Notary x500 name as configured in contour-cordapps-<version>.conf, and the domains (p2pAddresses) of these Highly-available Notary nodes are:

  • uat-sub1-notary-01.uat.corda.network
  • uat-sub1-notary-02.uat.corda.network
  • uat-sub1-notary-03.uat.corda.network
  • uat-sub1-notary-04.uat.corda.network
  • uat-sub1-notary-05.uat.corda.network

Contour BNO

  • Contour BNO has domain name under sub-domain of *.staging.contournetwork.io.

Peer Contour Nodes (Contour Cloud)

  • Contour cloud hosted peer nodes have their domain name under sub-domain of *.staging.contournetwork.io.

Peer Contour Nodes (Self-managed)

  • Since these nodes are self-managed by customers. Contour is not able to provide the information.