Block proposal permissioning

info

Only private networks using the QBFT consensus protocol support block proposal permissioning.

Block proposal permissioning is an early access feature, and functionality and options may be updated between releases.

You can configure block proposal permissioning to ensure only authorized validator nodes can propose blocks in the network.

Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks.

Configure block proposal permissioning

Prerequisites:

  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • A keystore containing the certificate and key for each network node.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xpki-block-creation-enabled=true \
--Xpki-block-creation-keystore-type="pkcs12" \
--Xpki-block-creation-keystore-file="keystore" \
--Xpki-block-creation-keystore-password-file="keystore.password" \
--Xpki-block-creation-crl-file="crl2.pem" \
--Xpki-block-creation-keystore-certificate-alias="validator" \
--Xpki-block-creation-truststore-type="pkcs12" \
--Xpki-block-creation-truststore-file="truststore" \
--Xpki-block-creation-truststore-password-file="truststore.password"

In the command line:

Command line options

Xpki-block-creation-crl-file

Syntax

--Xpki-block-creation-crl-file=<FILE>

Example

--Xpki-block-creation-crl-file=/home/cert/cert.crl.pem

Environment variable

BESU_XPKI_BLOCK_CREATION_CRL_FILE=/home/cert/cert.crl.pem

Path to the optional certificate revocation list (CRL) file.

Xpki-block-creation-enabled

Syntax

--Xpki-block-creation-enabled[=<true|false>]

Example

--Xpki-block-creation-enabled=true

Environment variable

BESU_XPKI_BLOCK_CREATION_ENABLED=true

Enable PKI integration. The default is false.

Xpki-block-creation-keystore-certificate-alias

Syntax

--Xpki-block-creation-keystore-certificate-alias=<NAME>

Example

--Xpki-block-creation-keystore-certificate-alias=validatorA

Environment variable

BESU_XPKI_BLOCK_CREATION_KEYSTORE_CERTIFICATE_ALIAS=validatorA

Alias of the certificate to be included in the blocks proposed by this validator. The default is validator.

Xpki-block-creation-keystore-file

Syntax

--Xpki-block-creation-keystore-file=<FILE>

Example

--Xpki-block-creation-keystore-file=/home/cert/keystore.jks

Environment variable

BESU_XPKI_BLOCK_CREATION_KEYSTORE_FILE=/home/cert/keystore.jks

Keystore file containing the key and certificate for PKI block creation.

Xpki-block-creation-keystore-password-file

Syntax

--Xpki-block-creation-keystore-password-file=<FILE>

Example

--Xpki-block-creation-keystore-password-file=/home/cert/password.txt

Environment variable

BESU_XPKI_BLOCK_CREATION_KEYSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the keystore file.

Xpki-block-creation-keystore-type

Syntax

--Xpki-block-creation-keystore-type=<TYPE>

Example

--Xpki-block-creation-keystore-type=JKS

Environment variable

BESU_XPKI_BLOCK_CREATION_KEYSTORE_TYPE=JKS

PKI keystore type. Valid options are JKS and PKCS12. The default is JKS.

Xpki-block-creation-truststore-file

Syntax

--Xpki-block-creation-truststore-file=<FILE>

Example

--Xpki-block-creation-truststore-file=/home/cert/truststore.jks

Environment variable

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_FILE=/home/cert/truststore.jks

Truststore containing the trusted certificates for PKI block creation.

Xpki-block-creation-truststore-password-file

Syntax

--Xpki-block-creation-truststore-password-file=<FILE>

Example

--Xpki-block-creation-truststore-password-file=/home/cert/password.txt

Environment variable

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the truststore file.

Xpki-block-creation-truststore-type

Syntax

--Xpki-block-creation-truststore-type=<TYPE>

Example

--Xpki-block-creation-truststore-type=JKS

Environment variable

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_TYPE=JKS

PKI truststore type. Valid options are JKS and PKCS12. The default is JKS.
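
A pre-flight check an operator could run on each validator before starting Besu, covering the files and types the options above refer to. This is an added example, not part of the Besu documentation or code base: the function names are hypothetical, it assumes the options are supplied through the environment variables listed on this page, and it assumes the CRL file is PEM-encoded.

```shell
#!/bin/sh
# Added example, not Besu code. Checks the BESU_XPKI_BLOCK_CREATION_* variables
# documented on this page; all function names are hypothetical.
# Usage: . ./pki-preflight.sh && besu_pki_preflight && besu ...

pki_fail() { echo "pki-preflight: $1" >&2; PKI_ERRORS=$((PKI_ERRORS + 1)); }

# Store, password and CRL files must exist, be readable and be non-empty.
pki_need_file() {  # $1 = variable name, $2 = path
  if [ -z "$2" ]; then pki_fail "$1 is not set"
  elif [ ! -r "$2" ] || [ ! -s "$2" ]; then pki_fail "$1: '$2' missing, unreadable or empty"
  fi
}

# A password file unlocks a store: reject any group/other permission bits.
pki_need_private() {  # $1 = variable name, $2 = path
  [ -f "$2" ] || return 0   # absence is already reported by pki_need_file
  perms=$(ls -ld -- "$2" | cut -c5-10)
  [ "$perms" = "------" ] || pki_fail "$1: '$2' is open to group/others (chmod 600)"
}

# Valid types are JKS and PKCS12, default JKS. The page's own command passes
# lowercase "pkcs12", so the comparison ignores case.
pki_need_type() {  # $1 = variable name, $2 = value
  case $(printf '%s' "${2:-JKS}" | tr '[:lower:]' '[:upper:]') in
    JKS|PKCS12) ;;
    *) pki_fail "$1: '$2' is not JKS or PKCS12" ;;
  esac
}

besu_pki_preflight() {
  PKI_ERRORS=0
  p=BESU_XPKI_BLOCK_CREATION
  [ "${BESU_XPKI_BLOCK_CREATION_ENABLED:-false}" = "true" ] || pki_fail "${p}_ENABLED is not true"
  for s in KEYSTORE TRUSTSTORE; do
    eval "kind=\${${p}_${s}_TYPE:-} file=\${${p}_${s}_FILE:-} pw=\${${p}_${s}_PASSWORD_FILE:-}"
    pki_need_type "${p}_${s}_TYPE" "$kind"
    pki_need_file "${p}_${s}_FILE" "$file"
    pki_need_file "${p}_${s}_PASSWORD_FILE" "$pw"
    pki_need_private "${p}_${s}_PASSWORD_FILE" "$pw"
  done
  # The CRL is optional; assumed PEM-encoded, as the page's .pem file names suggest.
  crl=${BESU_XPKI_BLOCK_CREATION_CRL_FILE:-}
  if [ -n "$crl" ]; then
    pki_need_file "${p}_CRL_FILE" "$crl"
    grep -q -e '-----BEGIN X509 CRL-----' "$crl" 2>/dev/null ||
      pki_fail "${p}_CRL_FILE: '$crl' holds no PEM CRL"
  fi
  [ "$PKI_ERRORS" -eq 0 ]
}
```

The check does not open the stores, so it cannot confirm that the certificate alias exists or that the passwords are correct.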