docs(tessera): CLI and configfile updates (#929)

Consensys · Feb 10, 2020 · d16b9d2 · d16b9d2
1 parent 4b4874e
commit d16b9d2
Show file tree

Hide file tree

Showing 10 changed files with 621 additions and 133 deletions.
diff --git a/docs/FAQ.md b/docs/FAQ.md
@@ -49,6 +49,14 @@
 
     **Note:** While every Quorum v2 client will be able to connect to any other v2 client, the usefullness will be severely degraded. <span style="color:red;">Red color</span> signifies that while connectivity is possible, <span style="color:red;">red colored</span> versions will be unable to send public or private txns to the rest of the net due to the EIP155 changes in the signer implemented in newer versions.
 
+### Tessera FAQ
+
+??? question "What does enabling 'disablePeerDiscovery' mean?"
+    It means the node will only communicate with the nodes defined in the configuration file. Upto version 0.10.2, the nodes still accepts transactions from undiscovered nodes. From version 0.10.3 the node blocks all communication with undiscovered nodes.
+
+??? info "Upgrading to Tessera version 0.10.+ from verion 0.9.+ and below"
+    Due to 'database file unable to open' issue with H2 DB upgrade from version 1.4.196 direct to version 1.4.200 as explained  [here](https://github.com/h2database/h2database/issues/2263), our recommended mitigation strategy is to upgrade to version 1.4.199 first before upgrading to version 1.4.200 i.e., first upgrade to Tessera 0.10.0 before upgrading to higher versions. 
+
 ### Raft FAQ
 
 ??? question "Could you have a single- or two-node cluster? More generally, could you have an even number of nodes?"

diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md
@@ -6,7 +6,45 @@
 Tessera uses cryptographic keys to provide transaction privacy.  
 
 You can use existing private/public key pairs as well as use Tessera to generate new key pairs for you.  See [Generating & securing keys](../../Tessera%20Services/Keys/Keys) for more info.
-```json
+
+```json tab="v0.10.3 onwards"
+"keys": {
+    "passwordFile": "Path",
+    "keyVaultConfig": [
+        {
+            "keyVaultType": "Enumeration: AZURE, HASHICORP, AWS",
+            "properties": "Map[string]string"
+        }
+    ],
+    "keyData": [
+        {
+            // The data for a private/public key pair
+        }
+    ]
+}
+```
+
+```json tab="v0.10.2"
+"keys": {
+    "passwordFile": "Path",
+    "azureKeyVaultConfig": {
+        "url": "Url"
+    },
+    "hashicorpKeyVaultConfig": {
+        "url": "Url",
+        "approlePath": "String",
+        "tlsKeyStorePath": "Path",
+        "tlsTrustStorePath": "Path" 
+    },
+    "keyData": [
+        {
+            // The data for a private/public key pair
+        }
+    ]
+}
+```
+
+```json tab="v0.10.1 and earlier"
 "keys": {
     "passwords": [],
     "passwordFile": "Path",
@@ -19,6 +57,12 @@ You can use existing private/public key pairs as well as use Tessera to generate
         "tlsKeyStorePath": "Path",
         "tlsTrustStorePath": "Path" 
     },
+    "keyVaultConfig": {
+        "keyVaultConfigType": "AWS",
+        "properties": {
+            "endpoint": "Url"
+        }
+    },
     "keyData": [
         {
             // The data for a private/public key pair
@@ -74,7 +118,32 @@ The key pair data is provided in plain text in the configfile.  The plain text p
 #### Protected
 The public key is provided in plain text.  The private key must be password-protected using Argon2.  The corresponding encrypted data is provided in the `config` json object.
 
-```json
+```json tab="v0.10.2 onwards"
+"keys": {
+    "passwordFile": "/path/to/pwds.txt",
+    "keyData": [
+        {
+            "config": {
+                "data": {
+                    "aopts": {
+                        "variant": "id",
+                        "memory": 1048576,
+                        "iterations": 10,
+                        "parallelism": 4,
+                    },
+                    "snonce": "x3HUNXH6LQldKtEv3q0h0hR4S12Ur9pC",
+                    "asalt": "7Sem2tc6fjEfW3yYUDN/kSslKEW0e1zqKnBCWbZu2Zw=",
+                    "sbox": "d0CmRus0rP0bdc7P7d/wnOyEW14pwFJmcLbdu2W3HmDNRWVJtoNpHrauA/Sr5Vxc"
+                },
+                "type": "argon2sbox"
+            },
+            "publicKey": "/+UuD63zItL1EbjxkKUljMgG8Z1w0AJ8pNOR4iq2yQc="
+        }
+    ]
+}
+```
+
+```json tab="v0.10.1 and earlier"
 "keys": {
     "passwords": ["password"],
     "passwordFile": "/path/to/pwds.txt",
@@ -110,7 +179,20 @@ Passwords must be provided so that Tessera can decrypt and use the private keys.
 
 ### Filesystem key pairs   
 The keys in the pair are stored in files:
-```json
+
+```json tab="v0.10.2 onwards"
+"keys": {
+    "passwordFile": "/path/to/pwds.txt",
+    "keyData": [
+        {
+            "privateKeyPath": "/path/to/privateKey.key",
+            "publicKeyPath": "/path/to/publicKey.pub"
+        }
+    ]
+}
+```
+
+```json tab="v0.10.1 and earlier"
 "keys": {
     "passwords": ["password"],
     "passwordFile": "/path/to/pwds.txt",
@@ -122,6 +204,7 @@ The keys in the pair are stored in files:
     ]
 }
 ```
+
 The contents of the public key file must contain the public key only, e.g.: 
 ```
 /+UuD63zItL1EbjxkKUljMgG8Z1w0AJ8pNOR4iq2yQc=
@@ -166,7 +249,27 @@ Passwords must be provided so that Tessera can decrypt and use the private keys.
 
 ### Azure Key Vault key pairs
 The keys in the pair are stored as secrets in an Azure Key Vault.  This requires providing the vault url and the secret IDs for both keys:
-```json
+
+```json tab="v0.10.3 onwards"
+"keys": {
+    "keyVaultConfig": {
+        "keyVaultType": "AZURE",
+        "properties": {
+            "url": "https://my-vault.vault.azure.net"
+        } 
+    },
+    "keyData": [
+        {
+            "azureVaultPrivateKeyId": "Key",
+            "azureVaultPublicKeyId": "Pub",
+            "azureVaultPublicKeyVersion": "bvfw05z4cbu11ra2g94e43v9xxewqdq7",
+            "azureVaultPrivateKeyVersion": "0my1ora2dciijx5jq9gv07sauzs5wjo2"
+        }
+    ]
+}
+```
+
+```json tab="v0.10.2 and earlier"
 "keys": {
     "azureKeyVaultConfig": {
         "url": "https://my-vault.vault.azure.net"
@@ -189,7 +292,29 @@ This example configuration will retrieve the specified versions of the secrets `
 
 ### Hashicorp Vault key pairs
 The keys in the pair are stored as a secret in a Hashicorp Vault.  Additional configuration can also be provided if the Vault is configured to use TLS and if the AppRole auth method is being used at a different path to the default (`approle`):
-```json
+
+```json tab="v0.10.3 onwards"
+"keyVaultConfig": {
+    "keyVaultType": "HASHICORP",
+    "properties": {
+        "url": "https://localhost:8200",
+        "tlsKeyStorePath": "/path/to/keystore.jks",
+        "tlsTrustStorePath": "/path/to/truststore.jks",
+        "approlePath": "not-default"
+    }
+},
+"keyData": [
+    {
+        "hashicorpVaultSecretEngineName": "engine",
+        "hashicorpVaultSecretName": "secret",
+        "hashicorpVaultSecretVersion": 1,
+        "hashicorpVaultPrivateKeyId": "privateKey",
+        "hashicorpVaultPublicKeyId": "publicKey",
+    }
+]
+```
+
+```json tab="v0.10.2 and earlier"
 "hashicorpKeyVaultConfig": {
     "url": "https://localhost:8200",
     "tlsKeyStorePath": "/path/to/keystore.jks",
@@ -219,6 +344,34 @@ Tessera requires TLS certificates and keys to be stored in `.jks` Java keystore
 !!! info
     If using a Hashicorp Vault additional environment variables must be set and a version 2 K/V secret engine must be enabled.  For more information see [Setting up a Hashicorp Vault](../../Tessera%20Services/Keys/Setting%20up%20a%20Hashicorp%20Vault).
 
+### AWS Secrets Manager key pairs
+The keys in the pair are stored as secrets in the _AWS Secrets Manager_.  This requires providing the secret IDs for both keys.  The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials):
+
+```json tab="v0.10.3 onwards"
+"keys": {
+        "keyVaultConfig": {
+            "keyVaultConfigType": "AWS",
+            "properties": {
+                "endpoint": "https://secretsmanager.us-west-2.amazonaws.com"
+            }
+        },
+        "keyData": [
+            {
+                "awsSecretsManagerPublicKeyId": "secretIdPub",
+                "awsSecretsManagerPrivateKeyId": "secretIdKey"
+            }
+        ]
+    }
+```
+
+This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`.
+
+!!! info
+    A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html).  This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`.
+
+!!! info
+    Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager)
+
 ## Providing key passwords at runtime
 Tessera will start a CLI password prompt if it has incomplete password data for its locked keys.  This prompt can be used to provide the required passwords for each key without having to provide them in the configfile itself.  
 
@@ -240,10 +393,28 @@ If wished, multiple key pairs can be specified for a Tessera node. In this case,
 Note that multiple key pairs can only be set up within the configuration file, not via separate filesystem key files.
 
 ## Viewing the keys registered for a node
-An ADMIN API endpoint `/config/keypairs` exists to allow you to view the public keys of the key pairs currently in use by your Tessera node.  This requires configuring an ADMIN server in the node's configuration file, as described in [Configuration Overview](../Configuration%20Overview).
+For Tessera v0.10.2 onwards the ThirdParty API `/keys` endpoint can be used to view the public keys of the key pairs currently in use by your Tessera node. 
+
+For Tessera v0.10.1 and earlier, an ADMIN API endpoint `/config/keypairs` exists to allow you to view the public keys of the key pairs currently in use by your Tessera node.  
 
 A sample response for the request `adminhost:port/config/keypairs` is:
-```json
+
+```json tab="v0.10.2 onwards"
+request: thirdpartyhost:port/keys
+{
+   "keys" : [
+      {
+         "key" : "oNspPPgszVUFw0qmGFfWwh1uxVUXgvBxleXORHj07g8="
+      },
+      {
+         "key" : "ABn6zhBth2qpdrJXp98IvjExV212ALl3j4U//nj4FAI="
+      }
+   ]
+}
+```
+
+```json tab="v0.10.1 and earlier"
+request: adminhost:port/config/keypairs
 [
    {
       "publicKey" : "oNspPPgszVUFw0qmGFfWwh1uxVUXgvBxleXORHj07g8="
@@ -253,3 +424,5 @@ A sample response for the request `adminhost:port/config/keypairs` is:
    }
 ]
 ```
+
+The corresponding server must be configured in the node's configuration file, as described in [Configuration Overview](../Configuration%20Overview).
diff --git a/docs/Privacy/Tessera/Configuration/Sample Configuration.md b/docs/Privacy/Tessera/Configuration/Sample Configuration.md
@@ -4,9 +4,77 @@ Tessera configuration varies by version as new features are added or changed. Be
 
 | Version       |
 | ------------- |
-| [0.10.2 - latest release](../Tessera%20v0.10.2%20sample%20settings) |
+| [0.10.3](../Tessera%20v0.10.3%20sample%20settings) |
+| [0.10.2](../Tessera%20v0.10.2%20sample%20settings) |
 | [0.10](../Tessera%20v0.10.0%20sample%20settings) |
 | [0.9](../Tessera%20v0.9%20sample%20settings) |
 | [0.8](../Tessera%20v0.8%20sample%20settings)      |
 | [0.7.3](../Tessera%20v0.7.3%20sample%20settings)      |
 
+## Changelist
+### 0.10.3
+- The `keys.azureKeyVaultConfig` and `keys.hashicorpKeyVaultConfig` fields are now deprecated.  Instead, the generic `keys.keyVaultConfig` should be used.  See [Keys Config](../Keys) for more info.
+
+### 0.10.2
+- The `keys.keyData.passwords` field is no longer supported.  Instead, use `keys.keyData.passwordFile` or utilise the [CLI password prompt](../Keys#providing-key-passwords-at-runtime) when starting the node.
+
+- Added configuration to choose alternative curves/symmetric ciphers. If no encryptor configuration is provided it will default to NaCl (see [Supporting alternative curves in Tessera](../Configuration Overview#supporting-alternative-curves-in-tessera) for more details).
+
+    e.g.
+    ```json
+    {
+        "encryptor": {
+            "type":"EC",
+            "properties":{
+                "symmetricCipher":"AES/GCM/NoPadding",
+                "ellipticCurve":"secp256r1",
+                "nonceLength":"24",
+                "sharedKeyLength":"32"
+            }
+        },
+        ...
+    }
+    ``` 
+
+### 0.10
+- Added feature-toggle for remote key validation.  Disabled by default.
+    ```json
+    {
+        "features": {
+            "enableRemoteKeyValidation": false
+        },
+        ...
+    }
+    ```
+### 0.9
+- Collapsed server socket definitions into a single property `serverAddress`, e.g.
+    ```json
+    {
+        "serverConfigs": [
+            {
+                "serverSocket": {
+                    "type":"INET",
+                    "port": 9001,
+                    "hostName": "http://localhost"
+                },
+                ...
+            }
+        ],
+        ...
+    }
+    ```
+    becomes
+    ```json
+    {
+        "serverConfigs": [
+            {
+                "serverAddress": "http://localhost:9001",
+                ...
+            }
+        ],
+        ...
+    }
+    ```
+
+### 0.8
+- Added modular server configurations