Network Configuration
Overview
This page explains how SST turns one .graph topology into Auth properties, Auth databases, credentials, and entity runtime configs.
SST examples are generated from a topology file called a .graph file. The graph describes the network once, then scripts generate the credentials, Auth properties, Auth databases, and entity configs needed to run that network.
Configuration layers
| Layer | File type | Who reads it | Purpose |
|---|---|---|---|
| Deployment configuration | .graph | examples/*.js generators | Describes Auths, entities, trust relationships, access policies, assignments, ports, crypto, and file sharing policy. |
| Auth runtime config | .properties | Java Auth server | Tells Auth which ID, ports, database, credentials, and trusted CA paths to use. |
| Auth database | SQLite | Java Auth server | Stores registered entities, communication policies, trusted Auths, file sharing policy, and session keys. |
| C entity config | .config properties file | C API init_SST() | Provides entity identity, Auth address, key paths, target server address, protocol, and crypto options. |
| Node entity config | .config JSON file | Node accessors | Provides entity info, Auth info, crypto specs, migration info, and server/target details. |
Generate the default network
Run from examples/:
./cleanAll.sh
./generateAll.sh
The default graph is:
examples/configs/default.graph
To use a custom graph:
./generateAll.sh -g configs/your_custom_network.graph
Useful options:
| Option | Meaning |
|---|---|
-g, --graph <file> | Use a specific .graph topology. |
-gc, --gen-cred-config-only | Generate credentials/configs, but skip Auth DB generation. |
-gd, --gen-db-only | Generate Auth DBs from existing credentials/configs. |
-lc, --leave-cred-config | Keep intermediate config files after DB generation. |
-p, --password <value> | Provide a credential-generation password for examples. Do not use this for deployment secrets. |
--policy <file> | Generate only communication policies defined in a policy JSON file. |
Generated outputs
After generation, the most important outputs are:
| Output | Typical path |
|---|---|
| Auth credentials | auth/credentials/ |
| Auth properties | auth/properties/exampleAuth101.properties |
| Auth databases | auth/databases/auth101/ |
| Entity credentials | entity/credentials/ |
| Node configs | entity/node/example_entities/configs/net1/client.config |
| C server/client configs | entity/c/examples/server_client_example/c_client.config and c_server.config |
By default, some intermediate Auth database config files are removed after DB generation. Use ./generateAll.sh -lc if you need to inspect them.
C config shape
C configs are Java-properties-style files:
entityInfo.name=net1.client
entityInfo.purpose={"group":"Servers"}
entityInfo.number_key=3
authInfo.id=101
sessionKey.encryptionMode=AES_128_CBC
authInfo.pubkey.path=../../../../auth_certs/Auth101EntityCert.pem
entityInfo.privkey.path=../../../../credentials/keys/net1/Net1.ClientKey.pem
auth.ip.address=127.0.0.1
auth.port.number=21900
entity.server.ip.address=127.0.0.1
entity.server.port.number=21100
network.protocol=TCP
The C API loads these with:
SST_ctx_t* ctx = init_SST("../c_client.config");
Node config shape
Node configs are JSON documents with a .config extension:
{
"entityInfo": {
"name": "net1.client",
"group": "Clients",
"distProtocol": "TCP",
"usePermanentDistKey": false,
"connectionTimeout": 5000,
"privateKey": "../../credentials/keys/net1/Net1.ClientKey.pem"
},
"authInfo": {
"id": 101,
"host": "localhost",
"port": 21900,
"publicKey": "../../auth_certs/Auth101EntityCert.pem"
},
"cryptoInfo": {
"distributionCryptoSpec": {
"cipher": "AES-128-CBC",
"mac": "SHA256"
},
"sessionCryptoSpec": {
"cipher": "AES-128-CBC",
"mac": "SHA256"
}
}
}
Node accessors load these in their constructors:
const SecureCommClient = require('../accessors/SecureCommClient');
const client = new SecureCommClient('configs/net1/client.config');
Best practices
- Treat the
.graphfile as the source of truth for examples. - Regenerate configs after changing ports, entity names, assignments, crypto settings, or Auth trust.
- Use
./cleanAll.shbefore regenerating examples when debugging stale credentials. - Avoid editing generated configs by hand unless you are intentionally testing a local override.
- Keep passwords, generated private keys, and local databases out of public commits unless they are explicit example fixtures.