6.1. Configure TLS for client-peer communication (torii)

By default, client-peer communication is not encrypted. To enable it, you need to:

  1. Generate a key/certificate pair for each peer
  2. Distribute the certificate to all clients
  3. Configure irohad to use these keys
  4. [Re]start irohad

6.1.1. Generating keys

Keys must be presented in PEM format. To generate them you can use openssl:

$ openssl genpkey -algorithm rsa -out server.key
$ openssl req -new -key server.key -x509 -out server.crt

You can use any algorithm you want instead of rsa, as long as your openssl supports it. To find out which are supported, you can use

$ openssl list-public-key-algorithms

If you need to use plain IP addresses to connect to the node, you need to specify subjectAltName in your server certificate, for that you need to add a subjectAltName directive to v3_ca section of your openssl config before generating the certificate. For example, for the default installation, /etc/ssl/openssl.cnf:

[ v3_ca ]

Fields in the certificate don’t really matter except for the Common Name (CN), it would be checked against the client’s hostname, and TLS handshake will fail if they do not match (e.g. if you connect to example.com:50051, then irohad at example.com would need to have example.com in common name of the certificate).

6.1.2. Configuring irohad

To configure iroha to use your keys, you need to modify the torii_tls_params config parameter.

It should look like the following block:

"torii_tls_params": {
    "port": 55552,
    "key_pair_path": "/path/to/server"

port - set this to any port you would like (but usually you would want 55552)

key_pair_path - set this to full path to the key/certificate pair, such that if you have a key at /path/to/server.key and a certificate at /path/to/server.crt, you need to specify torii_tls_keypair=/path/to/server


In the examples directory there are sample certificates, but to enable TLS you need to have a new certificate for your server (the sample will not work).