Commit 1cae3f17 authored by Gari Singh's avatar Gari Singh Committed by Gerrit Code Review

Merge "[FAB-14323] Improve Operations documentation" into release-1.4

parents f5210b5c 2ebbedba
......@@ -47,7 +47,9 @@ section of ``core.yaml``:
key:
file: tls/server.key
# require client certificate authentication to access all resources
# most operations service endpoints require client authentication when TLS
# is enabled. clientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
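Review bot: the new comment on ``clientAuthRequired`` says most endpoints need client authentication once TLS is enabled, but the documentation hunk below also adds that ``clientRootCAs.files`` must then be set; the comment next to the ``clientRootCAs`` key in this excerpt should say the same, so an operator reading only the config knows the CA list cannot stay empty once TLS is on. The same applies to the ``RootCAs`` comment in the ``orderer.yaml`` excerpt further down.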
......@@ -61,8 +63,11 @@ can be omitted.
The ``tls`` section is used to indicate whether or not TLS is enabled for the
operations service, the location of the service's certificate and private key,
and the locations of certificate authority root certificates that should be
trusted for client authentication. When ``clientAuthRequired`` is ``true``,
clients will be required to provide a certificate for authentication.
trusted for client authentication. When ``enabled`` is true, most of the operations
service endpoints require client authentication, therefore
``clientRootCAs.files`` must be set. When ``clientAuthRequired`` is ``true``,
the TLS layer will require clients to provide a certificate for authentication
on every request. See Operations Security section below for more details.
Orderer
~~~~~~~
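Review bot: inconsistent literal markup in the added text: "``enabled`` is true" is followed two lines later by "``clientAuthRequired`` is ``true``"; wrap the value as ``true`` in both places. The plain-text "See Operations Security section below" would also be more robust as an RST cross-reference (``:ref:`` to that section) so it survives reordering of the page.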
......@@ -90,7 +95,9 @@ section of ``orderer.yaml``:
# Paths to PEM encoded ca certificates to trust for client authentication
RootCAs: []
# Require client certificate authentication to access all endpoints
# Most operations service endpoints require client authentication when TLS
# is enabled. ClientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
ClientAuthRequired: false
The ``ListenAddress`` key defines the host and port that the operations server
......@@ -100,8 +107,11 @@ can be omitted.
The ``TLS`` section is used to indicate whether or not TLS is enabled for the
operations service, the location of the service's certificate and private key,
and the locations of certificate authority root certificates that should be
trusted for client authentication. When ``ClientAuthRequired`` is ``true``,
clients will be required to provide a certificate for authentication.
trusted for client authentication. When ``Enabled`` is true, most of the operations
service endpoints require client authentication, therefore
``RootCAs`` must be set. When ``ClientAuthRequired`` is ``true``,
the TLS layer will require clients to provide a certificate for authentication
on every request. See Operations Security section below for more details.
Operations Security
~~~~~~~~~~~~~~~~~~~
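Review bot: same markup inconsistency as in the peer section above: "``Enabled`` is true" should read "``Enabled`` is ``true``" to match "``ClientAuthRequired`` is ``true``" two lines later.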
......@@ -111,17 +121,15 @@ to the Fabric network, it does not use the Membership Services Provider for
access control. Instead, the operations service relies entirely on mutual TLS with
client certificate authentication.
It is highly recommended to enable mutual TLS by setting the value of ``clientAuthRequired``
to ``true`` in production environments. With this configuration, clients are
required to provide a valid certificate for authentication. If the client does
not provide a certificate or the service cannot verify the client’s certificate,
the request is rejected. Note that if ``clientAuthRequired`` is set to ``false``,
clients do not need to provide a certificate; if they do, however, and the service
cannot verify the certificate, then the request will be rejected.
When TLS is disabled, authorization is bypassed and any client that can
connect to the operations endpoint will be able to use the API.
When TLS is enabled, a valid client certificate must be provided in order to
access all resources unless explicitly noted otherwise below.
When clientAuthRequired is also enabled, the TLS layer will require
a valid client certificate regardless of the resource being accessed.
Log Level Management
~~~~~~~~~~~~~~~~~~~~
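Review bot: the rewrite drops two operator-relevant statements from the removed lines: the explicit recommendation to set ``clientAuthRequired`` to ``true`` in production environments, and the note that a certificate which is presented but cannot be verified is rejected even when ``clientAuthRequired`` is ``false``. Both are worth keeping as a sentence after the three "When ..." statements, since the new text describes the mechanics but no longer says which setting to choose. Also, ``clientAuthRequired`` in "When clientAuthRequired is also enabled" lacks the double-backtick literal markup used everywhere else in this file.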
......@@ -194,7 +202,7 @@ In the current version, the only health check that is registered is for Docker.
Future versions will be enhanced to add additional health checks.
When TLS is enabled, a valid client certificate is not required to use this
service unless ``requireClientAuth`` is set to ``true``.
service unless ``clientAuthRequired`` is set to ``true``.
Metrics
-------
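Review bot: good catch on ``requireClientAuth``, which is not the key name used in either config file in this change. Since this page documents both peer and orderer, the sentence could name the orderer key as well (``ClientAuthRequired`` in ``orderer.yaml``) so a reader coming from the orderer section is not left searching for a lowercase key.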
......
......@@ -630,7 +630,9 @@ operations:
key:
file:
# require client certificate authentication to access all resources
# most operations service endpoints require client authentication when TLS
# is enabled. clientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
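Review bot: keeping this comment identical to the one added to the documentation's ``core.yaml`` excerpt is good for staying in sync, but "most operations service endpoints" leaves the exemptions implicit for someone reading only sampleconfig; a one-line pointer to the operations service documentation, which states that the health check does not require a client certificate unless ``clientAuthRequired`` is ``true``, would close that gap. The same applies to the ``orderer.yaml`` hunk below.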
......
......@@ -322,7 +322,9 @@ Operations:
# PrivateKey points to the location of the PEM-encoded key
PrivateKey:
# Require client certificate authentication to access all resources
# Most operations service endpoints require client authentication when TLS
# is enabled. ClientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
ClientAuthRequired: false
# Paths to PEM encoded ca certificates to trust for client authentication
......