Running a Node (Production Network)

For a production node we advise taking a few extra steps: configuring HTTPS, enabling message signing and running against a relational database.

HTTPS

Running the OCN Node in prod mode (the default, or set explicitly with ocn.node.dev=false) requires HTTPS. On startup in this mode, the OCN Node checks whether HTTPS is enabled and working properly. If not, the node will shut down.

We personally recommend an Nginx reverse proxy and Let’s Encrypt certificate, but other solutions are not discouraged.

Message Signing

This feature allows recipients to verify the integrity of the data they receive. When enabled, request senders should include an OCN-Signature header, which all entities that the request passes through (i.e. OCN Nodes and the recipient) use to verify that the data has not been modified without consent. Likewise, for responses, the recipient should place an "ocn_signature" property in the JSON response body.

In some cases an OCN Node will need to modify data (typically to make URLs work for recipients). An OCN Node can modify the signature, but it must state the properties that it changed and sign any new data. More information about message signing and verification can be found here: Make your backend service OCN-ready (OCPI 2.2 API + OCN Signature)

Message signing is turned on by default; if it has been turned off, it can be enabled with ocn.node.signatures=true.

Database

The default dev properties configuration file only connects to an in-memory database, for ease of quickly testing the OCN Node. When running a Node on the test or production environment, a database should be set up to persist data across restarts. The example application.prod.properties file provided with the OCN Node provides the configuration necessary to use PostgreSQL.

Load Balancing

If necessary, the OCN Node can be load balanced. To do so, the nodes operating under the load balancer should have the same configuration:

    ocn.node.url = https://balancer.server.net
    ocn.node.privatekey = 0x...45d1
    ocn.node.apikey = supersecretkey

The operator should also list the load balancer as the node's domain name in the registry listing, using the same private key:

    ocn-registry set-node https://balancer.server.net --signer 0x...45d1
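
The settings above can be checked before nodes go behind the balancer. The following is an added example, not code from the OCN Node project: it flags dev mode, disabled signing, a non-HTTPS node URL, and any drift in the three values that must match across balanced nodes, without echoing the secret values. The function names and the sample property values are constructed for illustration, and it assumes plain "key = value" properties files.

```python
# Assumption: properties files use plain "key = value" lines.
SHARED_KEYS = ("ocn.node.url", "ocn.node.privatekey", "ocn.node.apikey")

def parse_properties(text):
    """Parse key=value lines, ignoring blanks and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(nodes):
    """nodes maps a node name to its properties text; returns a list of findings."""
    parsed = {name: parse_properties(text) for name, text in nodes.items()}
    findings = []
    for name, props in sorted(parsed.items()):
        # Prod mode and signing are on by default, so a missing key is acceptable.
        if props.get("ocn.node.dev", "false").lower() != "false":
            findings.append(f"{name}: ocn.node.dev is not false")
        if props.get("ocn.node.signatures", "true").lower() != "true":
            findings.append(f"{name}: ocn.node.signatures is not true")
        if not props.get("ocn.node.url", "").lower().startswith("https://"):
            findings.append(f"{name}: ocn.node.url is not an https URL")
    for key in SHARED_KEYS:
        # Group node names by value; values are never echoed, since two are secrets.
        groups = {}
        for name, props in parsed.items():
            groups.setdefault(props.get(key), []).append(name)
        if len(groups) > 1:
            sides = " vs ".join(",".join(sorted(g)) for g in sorted(groups.values()))
            findings.append(f"{key} differs: {sides}")
    return findings

# Constructed sample input (not real keys): node-b has drifted from node-a.
COMMON = "ocn.node.url = https://balancer.server.net\nocn.node.privatekey = 0xCONSTRUCTED_KEY\n"
SAMPLE = {
    "node-a": COMMON + "ocn.node.apikey = constructed-api-key-1\n",
    "node-b": COMMON + "ocn.node.apikey = constructed-api-key-2\nocn.node.signatures = false\n",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```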