Skip to main content

Configuration file

The configuration file is a JSON file that must be specified when starting Tessera.

Configuration items can be overridden from the command line.

Example configuration file

{
"useWhiteList": "boolean",
"jdbc": {
"url": "String",
"username": "String",
"password": "String",
"autoCreateTables": "boolean"
},
"serverConfigs": [
{
"app": "ENCLAVE",
// Defines us using a remote enclave, leave out if using built-in enclave
"serverAddress": "http://localhost:9081",
//Where to find the remote enclave
"communicationType": "REST"
},
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9081",
"bindingAddress": "String - url with port e.g. http://127.0.0.1:9081",
"communicationType": "REST",
"cors": {
"allowedMethods": ["GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"],
"allowedOrigins": ["http://localhost:63342"],
"allowedHeaders": ["content-type"],
"allowCredentials": true
}
},
{
"app": "Q2T",
"serverAddress": "unix:/tmp/tm.ipc",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9001",
"bindingAddress": "String - url with port e.g. http://127.0.0.1:9001",
"sslConfig": {
"tls": "enum STRICT,OFF",
"generateKeyStoreIfNotExisted": "boolean",
"sslConfigType": "Enumeration: SERVER_ONLY, CLIENT_ONLY, SERVER_AND_CLIENT",
"serverKeyStore": "Path",
"serverTlsKeyPath": "Path",
"serverTlsCertificatePath": "Path",
"serverKeyStorePassword": "String",
"serverTrustStore": "Path",
"serverTrustCertificates": ["Path..."],
"serverTrustStorePassword": "String",
"serverTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE",
"clientKeyStore": "Path",
"clientTlsKeyPath": "Path",
"clientTlsCertificatePath": "Path",
"clientKeyStorePassword": "String",
"clientTrustStore": "Path",
"clientTrustCertificates": ["Path..."],
"clientTrustStorePassword": "String",
"clientTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE",
"knownClientsFile": "Path",
"knownServersFile": "Path"
},
"communicationType": "REST",
"properties": {
"partyInfoInterval": "Long",
"enclaveKeySyncInterval": "Long",
"syncInterval": "Long",
"resendWaitTime": "Long"
}
}
],
"peer": [
{
"url": "url e.g. http://127.0.0.1:9000/"
}
],
"keys": {
"passwordFile": "Path",
"keyVaultConfigs": [
{
"keyVaultType": "Enumeration: AZURE, HASHICORP, AWS",
"properties": "Map[string]string"
}
],
"keyData": [
{
"config": {
"data": {
"aopts": {
"variant": "Enum : id,d or i",
"memory": "int",
"iterations": "int",
"parallelism": "int"
},
"bytes": "String",
"snonce": "String",
"asalt": "String",
"sbox": "String",
"password": "String"
},
"type": "Enum: argon2sbox or unlocked. If unlocked is defined then config data is required. "
},
"privateKey": "String",
"privateKeyPath": "Path",
"azureVaultPrivateKeyId": "String",
"azureVaultPrivateKeyVersion": "String",
"publicKey": "String",
"publicKeyPath": "Path",
"azureVaultPublicKeyId": "String",
"azureVaultPublicKeyVersion": "String",
"hashicorpVaultSecretEngineName": "String",
"hashicorpVaultSecretName": "String",
"hashicorpVaultSecretVersion": "Integer (defaults to 0 (latest) if not set)",
"hashicorpVaultPrivateKeyId": "String",
"hashicorpVaultPublicKeyId": "String"
}
]
},
"alwaysSendTo": ["String..."],
"bootstrapNode": false,
"unixSocketFile": "Path",
"features": {
"enableRemoteKeyValidation": false,
"enablePrivacyEnhancements": false
},
"encryptor": {
"type": "Enumeration: NACL, EC",
"properties": {
"symmetricCipher": "String (defaults to AES/GCM/NoPadding if type = EC)",
"ellipticCurve": "String (defaults to secp256r1 if type = EC)",
"nonceLength": "String (defaults to 24 if type = EC)",
"sharedKeyLength": "String (defaults to 32 if type = EC)"
}
}
}

Configuration items

mode

Set the mode to orion to use Tessera as the privacy manager when using Hyperledger Besu (versions earlier than 25.1.0) in non-GoQuorum mode. Enabling this mode changes Tessera's behavior. This property is optional.

useWhiteList

Use the useWhiteList field to restrict connections to Tessera to specified peers. If set to true, then only nodes listed in the peer list are allowed to connect.

jdbc

Use the jdbc property to connect to the database. You can also specify an external database. Any valid JDBC URL can be specified.

FieldRequiredDescription
urlRequiredJDBC URL of the database.
usernameRequiredDatabase username.
passwordRequiredDatabase password. You can also encrypt the password using Jasypt.
autoCreateTablesOptionalAutomatically generates the required database tables. If false, then users must manually create the required tables using the supplied DDLs. Defaults to false.

serverConfigs

Use the serverConfigs property to configure the following servers:

Each server can also be configured to:

  • Secure communication using TLS.
  • Store API metrics in an InfluxDB.

ENCLAVE

Defines an optional remote enclave. Leave out if using a local enclave.

FieldRequiredDescription
appRequiredType of server being configured. Set to ENCLAVE.
serverAddressRequiredServer address.
bindingAddressOptionalSpecify a bind to an internal IP while advertising an external IP using serverAddress.
communicationTypeRequiredType of server communication. Only REST is currently supported.
influxConfigOptionalConfigure the server to use InfluxDB.
sslConfig OptionalSecure communication with TLS.

P2P

The peer-to-peer (P2P) server is used to perform discovery and send and receive encrypted payloads.

FieldRequiredDescription
appRequiredType of server being configured. Set to P2P.
serverAddressRequiredServer address.
bindingAddressOptionalSpecify a bind to an internal IP while advertising an external IP using serverAddress.
communicationTypeRequiredType of server communication. Only REST is currently supported.
influxConfigOptionalConfigure the server to use InfluxDB.
sslConfig OptionalSecure communication with TLS.

Q2T

The Quorum-to-Tessera (Q2T) server is used to check if the Tessera node is running, and to send and receive private transactions.

FieldRequiredDescription
appRequiredType of server being configured. Set to Q2T.
serverAddressRequiredServer address.
bindingAddressOptionalSpecify a bind to an internal IP while advertising an external IP using serverAddress.
communicationTypeRequiredType of server communication. Only REST is currently supported.
influxConfigOptionalConfigure the server to use InfluxDB.
sslConfig OptionalSecure communication with TLS.

ThirdParty

Tessera uses the ThirdParty server to store encrypted payloads for external applications.

FieldRequiredDescription
appRequiredType of server being configured. Set to ThirdParty.
serverAddressRequiredServer address.
bindingAddressOptionalSpecify a bind to an internal IP while advertising an external IP using serverAddress.
communicationTypeRequiredType of server communication. Only REST is currently supported.
corsOptionalConfigure CORS to control access to resources outside the domain.
influxConfigOptionalConfigure the server to use InfluxDB.
sslConfig OptionalSecure communication with TLS.

influxConfig

Configure an InfuxDB server to record metrics.

FieldRequiredDescription
serverAddressRequiredInfluxDB server address.
dbNameRequiredInfluxDB database name.
pushIntervalInSecsRequiredHow often, in seconds, Tessera pushes metrics to the database.
sslConfigOptionalConfigure one-way TLS. If TLS is enabled, clients can validate the identity of the InfluxDB server.

sslConfig

FieldRequiredDescription
tlsRequiredSetting to STRICT enables TLS. Setting to OFF disables TLS.
generateKeyStoreIfNotExistedOptionalTessera checks whether files exist in the serverKeyStore and clientKeyStore paths. If the files don't exist, new key stores are generated in the serverKeyStore and clientKeyStore paths.
sslConfigTypeOptionalTLS configuration type based on server configuration, options are SERVER_ONLY, CLIENT_ONLY, SERVER_AND_CLIENT
serverKeyStoreOptionalPath to server key store.
serverKeyStorePasswordOptionalPassword required for serverKeyStore.
serverTlsKeyPathOptionalFile containing the private key for the server TLS certificate.
serverTlsCertificatePathOptionalFile containing the server TLS certificate.
serverTrustStoreOptionalPath to the server truststore.
serverTrustStorePasswordOptionalPassword for the server trust store.
serverTrustCertificatesOptionalArray of trust store certificates if serverTrustStore is undefined.
serverTrustModeRequiredTrust mode for the server, options are TOFU, WHITELIST, CA, CA_OR_TOFU, and NONE.
clientKeyStoreOptionalPath to client key store.
clientKeyStorePasswordOptionalPassword for the client key store.
clientTlsKeyPathOptionalPath to client TLS key.
clientTlsCertificatePathOptionalPath to client TLS certificate.
clientTrustStoreOptionalPath to client trust store.
clientTrustStorePasswordOptionalPassword for the client trust store.
clientTrustCertificatesOptionalArray of trust store certificates if clientTrustStore is undefined.
clientTrustModeRequiredTrust mode for the client, options are TOFU, WHITELIST, CA, CA_OR_TOFU, and NONE.
knownClientsFileOptionalKnown clients file for the server. This contains the fingerprints of public keys of other nodes that are allowed to connect to this node.
knownServersFileOptionalKnown servers file for the client. This contains the fingerprints of public keys of other nodes that this node has encountered.
environmentVariablePrefixOptionalPrefix to uniquely identify environment variables for this server SSL configuration.

cors

Configure cross-origin resource sharing (CORS) to control access to resources outside the domain.

!!! important

CORS is only supported with the ThirdParty server type.

FieldRequiredDescription
allowedMethodsOptionalList of methods to allow. Options are GET, POST, PUT, DELETE, OPTIONS, and HEAD. If not included, all methods are allowed.
allowedOriginsOptionalList of comma-separated origin domain URLs for CORS validation. Each entry in the list can contain the “*” (wildcard) character to match any sequence of characters. For example, *localhostmatcheshttp://localhostorhttps://localhost.
allowedHeadersOptionalList of allowed headers. If not included, the request Access-Control-Request-Headers are copied into the response as Access-Control-Allow-Headers.
allowCredentialsOptionalThe value for the Access-Control-Allow-Credentials response header. The default is true.

peer

List of Tessera node URLs used to discover other nodes.

keys

Configure access to your keys.

FieldRequiredDescription
passwordFileOptionalPath to the password file.
keyVaultConfigsOptionalConfiguration details of the vault being used.
keyDataRequiredDetails to access the private and public key pair.

keyVaultConfigs

Configuration details for the vault used.

FieldRequiredDescription
keyVaultTypeOptionalType of vault. Options are HASHICORP, AWS, and AZURE.
propertiesOptionalProperties to access AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.

keyData

Configuration details to access the private key and public key.

FieldRequiredDescription
configOptionalConfiguration details for the protected or unprotected inline key pairs.
privateKeyOptionalPrivate key in plain text.
privateKeyPathOptionalPath to the private key file.
publicKeyOptionalPublic key in plain text.
publicKeyPathOptionalPath to the public key file.
awsSecretsManagerPublicKeyIdOptionalID of the public key secret in AWS Secrets Manager.
awsSecretsManagerPrivateKeyIdOptionalID of the private key secret in AWS Secrets Manager.
azureVaultPrivateKeyIdOptionalID of the private key secret in Azure Key Vault.
azureVaultPrivateKeyVersionOptionalVersion of the private key to access in Azure Key Vault.
azureVaultPublicKeyIdOptionalID of the public key secret in Azure Key Vault.
azureVaultPublicKeyVersionOptionalVersion of the private key to access in Azure Key Vault.
hashicorpVaultSecretEngineNameOptionalName of the HashiCorp Vault secrets engine.
hashicorpVaultSecretNameOptionalName of the secret in the HashiCorp Vault secrets engine.
hashicorpVaultSecretVersionOptionalVersion of the secret in the HashiCorp Vault secrets engine.
hashicorpVaultPrivateKeyIdOptionalID of the private key secret in HashiCorp Vault.
hashicorpVaultPublicKeyIdOptionalID of the public key secret in HashiCorp Vault.

alwaysSendTo

Comma-separated list of public keys to include as recipients for every transaction sent through the node. This allows you to configure a node that is sent a copy of every transaction, even if it isn't specified as a party to the transaction.

This can be used, for example, to send a copy of every transaction to a node for audit purposes.

bootstrapNode

If set to true, the node functions as a bootstrap for other nodes.

unixSocketFile

Path to the Unix socket file.

features

Enables additional security and privacy features.

FieldRequiredDescription
enableRemoteKeyValidationOptionalChecks that a remote node owns the public keys being advertised. The default is false.
enablePrivacyEnhancementsOptionalEnable privacy enhancements. The default is false.
enableMultiplePrivateStatesOptionalEnable multiple private states. The default is false.

encryptor

Configure Tessera to use alternative curves and symmetric ciphers. If an encryptor configuration is not specified, the default NaCl encryptor is used.

FieldDescription
typeThe encryptor type. Possible values are EC, NACL, and CUSTOM. The default is NACL.

If type is set to EC, the following properties fields can also be configured:

FieldDefaultDescription
ellipticCurvesecp256r1The elliptic curve to use. See SunEC provider for other options. Depending on the JCE provider you use, there may be additional curves available.
symmetricCipherAES/GCM/NoPaddingThe symmetric cipher to use for encrypting data (GCM is mandatory as an initialization vector is supplied during encryption).
nonceLength24The nonce length (used as the initialization vector (IV) for symmetric encryption).
sharedKeyLength32The key length used for symmetric encryption (the key derivation operation always produces 32-byte keys and the encryption algorithm must support it).