Hello Team,
I am trying to deploy a multi-party private network with a notary using Corda Enterprise Network Manager. I am currently facing an issue related to the SSL handshake between the Bridge component and the Notary. The problem seems to be related to how SSL certificates are generated by Corda, using the legal name specified for the Notary and Transacting Party nodes. My whole deployment is in the same VPC. I am trying to connect to the Notary node using its private IP address. The legal name of the Notary does not include a Common Name (CN), as the official documentation suggests that the Common Name (CN) in the legal name of a Corda node is optional.
What is the best practice for specifying the legal name of a Corda node? Is it required to include the IP address of the node in the Common Name (CN) of the legal name of the Corda node, particularly in this case? Please guide me on this. Thank you.
Background:
Transacting Party A and Transacting Party B are deployed behind a single shared Corda Firewall. SSL certificates for both parties are available in the ssl-keystore of the Bridge. The deployed Notary node does not share the Firewall with the transacting parties. A sample CorDapp (corda-finance) is deployed on the nodes in order to verify the deployment.
Problem Statement:
Transacting Party A initiates a Payment flow with Transacting Party B. The flow execution does not complete. There is an error on the Bridge component while it tries to connect to the Notary node.
--------------------------------------------------------------------------------------------------------------------------------------
flow start CashPaymentFlow amount: $5, recipient: "O=Transacting Party B, L=Delhi, C=IN", anonymous: true, notary: "O=Notary HQ, L=London, C=GB"
--------------------------------------------------------------------------------------------------------------------------------------
The logs on Transacting Party A suggest that the flow is waiting to connect to the Notary.
--------------------------------------------------------------------------------------------------------------------------------------
[INFO ] 2020-01-21T14:01:59,351Z [pool-13-thread-1] statemachine.FlowMonitor.logFlowsWaitingForParty - Flow with id 9e0a1005-6e1f-400a-892e-e86c238e8d54 has been waiting for 2287 seconds to receive messages from parties [O=Notary HQ, L=London, C=GB]. {}
--------------------------------------------------------------------------------------------------------------------------------------
The logs on the Bridge component suggest that there is an SSL handshake time-out.
--------------------------------------------------------------------------------------------------------------------------------------
[WARN ] 2020-01-21T12:03:03,521Z [nioEventLoopGroup-2-2] netty.AMQPChannelHandler. - SSL Handshake timed out {allowedRemoteLegalNames=O=Notary HQ, L=London, C=GB, localCert=null, remoteAddress=elb-notaryhq.us-east-2.elb.amazonaws.com/XX.XXX.XXX.XX:10002, remoteCert=null, serverMode=false}
[ERROR] 2020-01-21T12:03:03,521Z [nioEventLoopGroup-2-2] netty.AMQPChannelHandler. - Handshake failure: handshake timed out {allowedRemoteLegalNames=O=Notary HQ, L=London, C=GB, localCert=null, remoteAddress=elb-notaryhq.us-east-2.elb.amazonaws.com/XX.XXX.XXX.XX:10002, remoteCert=null, serverMode=false}
--------------------------------------------------------------------------------------------------------------------------------------
My Analysis (so far):
1. The SSL certificate chains for Transacting Party A and the Notary node have been verified using keytool. They have a common trusted root certificate.
2. The Bridge component node can communicate with the Notary HQ node on any port. There is currently no restriction.
3. From the source code on github, it seems SSLException has been thrown.
https://github.com/corda/corda/blob/release/os/4.4/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/AMQPChannelHandler.kt
4. When the Notary node is deployed behind the same Corda Firewall shared by the other transacting parties, there is no issue with the connection and the transaction completes successfully.
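A small triage helper for the bridge log lines quoted above, added here as an example; it is not code from the post or from Corda. It parses the {key=value, ...} block that AMQPChannelHandler prints (the X.500 values themselves contain ", ", so the block is split on the known keys rather than on commas) and reports whether the peer ever presented a certificate. The two WARN/ERROR lines are the ones from the post (IP already redacted there); the third line is constructed for illustration, including its message text, to show the branch where a certificate was received but its subject does not match allowedRemoteLegalNames. The assumption that a single name appears in allowedRemoteLegalNames is taken from the posted lines.

```python
"""Triage helper for Corda bridge AMQPChannelHandler handshake-failure log lines.

Added example for this post; not Corda code. It tells apart two situations that
both surface as a handshake failure: the peer never presented a certificate
(remoteCert=null), in which case the allowed-legal-name comparison never ran,
and the peer presented a certificate whose X.500 subject is not an allowed name.
"""
import re
from typing import Dict, Tuple

# Two lines copied from the post, plus one CONSTRUCTED line (message text invented
# for illustration) in which the peer did present a certificate with another name.
SAMPLE_LINES = [
    "[WARN ] 2020-01-21T12:03:03,521Z [nioEventLoopGroup-2-2] netty.AMQPChannelHandler. - SSL Handshake timed out "
    "{allowedRemoteLegalNames=O=Notary HQ, L=London, C=GB, localCert=null, "
    "remoteAddress=elb-notaryhq.us-east-2.elb.amazonaws.com/XX.XXX.XXX.XX:10002, remoteCert=null, serverMode=false}",
    "[ERROR] 2020-01-21T12:03:03,521Z [nioEventLoopGroup-2-2] netty.AMQPChannelHandler. - Handshake failure: handshake timed out "
    "{allowedRemoteLegalNames=O=Notary HQ, L=London, C=GB, localCert=null, "
    "remoteAddress=elb-notaryhq.us-east-2.elb.amazonaws.com/XX.XXX.XXX.XX:10002, remoteCert=null, serverMode=false}",
]
CONSTRUCTED_MISMATCH_LINE = (
    "[ERROR] 2020-01-21T12:05:00,000Z [nioEventLoopGroup-2-3] netty.AMQPChannelHandler. - Handshake failure: (constructed) "
    "{allowedRemoteLegalNames=O=Notary HQ, L=London, C=GB, localCert=null, "
    "remoteAddress=elb-notaryhq.us-east-2.elb.amazonaws.com/XX.XXX.XXX.XX:10002, remoteCert=O=Notary Test, L=London, C=GB, serverMode=false}"
)

# Keys that appear in the braces block of the lines quoted in the post.
KNOWN_KEYS = ("allowedRemoteLegalNames", "localCert", "remoteAddress", "remoteCert", "serverMode")
KEY_RE = re.compile(r"(?P<key>" + "|".join(KNOWN_KEYS) + r")=")


def parse_fields(line: str) -> Dict[str, str]:
    """Return the {key=value, ...} block as a dict, splitting on known keys so that
    commas inside X.500 names are preserved."""
    start, end = line.rfind("{"), line.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no key=value block in line")
    block = line[start + 1:end]
    matches = list(KEY_RE.finditer(block))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        stop = matches[i + 1].start() if i + 1 < len(matches) else len(block)
        fields[m.group("key")] = block[m.end():stop].rstrip(", ").strip()
    return fields


def x500_rdns(name: str) -> frozenset:
    """Normalise 'O=Notary HQ, L=London, C=GB' into a set of (attribute, value)
    pairs so that spacing and RDN ordering do not affect the comparison."""
    rdns = []
    for part in name.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return frozenset(rdns)


def endpoint(fields: Dict[str, str]) -> Tuple[str, int]:
    """Netty prints remoteAddress as 'host/ip:port'; return (host, port)."""
    addr = fields["remoteAddress"]
    host = addr.split("/", 1)[0]
    port = int(addr.rsplit(":", 1)[1])
    return host, port


def triage(line: str) -> str:
    """Classify one handshake-failure line."""
    f = parse_fields(line)
    if f.get("remoteCert", "null") == "null":
        # The TLS handshake never completed: no peer certificate, so the
        # allowedRemoteLegalNames check (and any CN question) was never reached.
        return "no-peer-certificate"
    if x500_rdns(f["remoteCert"]) == x500_rdns(f["allowedRemoteLegalNames"]):
        return "legal-name-match"
    return "legal-name-mismatch"


def probe_command(line: str) -> str:
    """Next manual check: does a TLS server answer at the logged address at all?"""
    host, port = endpoint(parse_fields(line))
    return f"openssl s_client -connect {host}:{port} -showcerts </dev/null"


if __name__ == "__main__":
    for ln in SAMPLE_LINES + [CONSTRUCTED_MISMATCH_LINE]:
        print(triage(ln), "->", probe_command(ln))
```

Both posted lines classify as no-peer-certificate: remoteCert=null together with "handshake timed out" means the bridge never received the notary's certificate, so a CN or legal-name mismatch cannot be what failed here. A listener that accepts the TCP connection but never completes the TLS handshake (for example, a load balancer in front of the notary that is not passing the connection through to the notary's P2P port) is one cause of exactly this pattern, which is why the suggested next step is the openssl probe against the logged ELB address and port.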