diff --git a/docs/private-networks/concepts/pki.md b/docs/private-networks/concepts/pki.md index f1c5b2171f8..f2555d544b9 100644 --- a/docs/private-networks/concepts/pki.md +++ b/docs/private-networks/concepts/pki.md @@ -29,17 +29,4 @@ When receiving connection requests, the incoming connection must be from another [Configure TLS for the P2P communication using the Besu command line options](../how-to/configure/tls/p2p.md). -## Block proposal permissioning -:::caution - -Only private networks using the [QBFT consensus protocol] support block proposal permissioning. - -::: - -Use certificates issued by a trusted authority to ensure only authorized validator nodes can propose new blocks in the network. The block hash is signed by the validator private certificate and included in the header of the proposed block as a [CMS (Cryptographic Message Syntax)]. This is used by other validators to verify that the proposer is authorized to create a block in the network. - -[Configure block proposal permissioning using the Besu command line options](../how-to/configure/block-proposal-permissioning.md). - -[QBFT consensus protocol]: ../how-to/configure/consensus/qbft.md -[CMS (Cryptographic Message Syntax)]: https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax diff --git a/docs/private-networks/how-to/configure/block-proposal-permissioning.md b/docs/private-networks/how-to/configure/block-proposal-permissioning.md deleted file mode 100644 index 848025d634b..00000000000 --- a/docs/private-networks/how-to/configure/block-proposal-permissioning.md +++ /dev/null 
@@ -1,349 +0,0 @@ ---- -title: Block proposal permissioning -description: Block proposal permissioning -sidebar_position: 7 -tags: - - private networks ---- - -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; - -# Block proposal permissioning - -:::info - -Only private networks using the [QBFT consensus protocol] support block proposal permissioning. - -Block proposal permissioning is an early access feature, and functionality and options may be updated between releases. - -::: - -You can configure [block proposal permissioning](../../concepts/pki.md#block-proposal-permissioning) to ensure only authorized validator nodes can propose blocks in the network. - -Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks. - -## Configure block proposal permissioning - -**Prerequisites**: - -- A configured network. For example, [see steps 1 to 5 in the QBFT tutorial](../../tutorials/qbft.md). -- A keystore containing the certificate and key for each network node. -- A truststore containing all the trusted certificates for the network. - -Start Besu and include the following command line options on the required nodes: - -```bash -besu --Xpki-block-creation-enabled=true \ ---Xpki-block-creation-keystore-type="pkcs12" \ ---Xpki-block-creation-keystore-file="keystore" \ ---Xpki-block-creation-keystore-password-file="keystore.password" \ ---Xpki-block-creation-crl-file="crl2.pem" \ ---Xpki-block-creation-keystore-certificate-alias="validator" \ ---Xpki-block-creation-truststore-type="pkcs12" \ ---Xpki-block-creation-truststore-file="truststore" \ ---Xpki-block-creation-truststore-password-file="truststore.password" -``` - -In the command line: - -- Enable block proposal permissioning using [`--Xpki-block-creation-enabled=true`](#xpki-block-creation-enabled). 
-- Specify the keystore type and keystore file using [`Xpki-block-creation-keystore-type`](#xpki-block-creation-keystore-type) and [`--Xpki-block-creation-keystore-file`](#xpki-block-creation-keystore-file). -- Specify the text file containing the password to unlock the keystore file using [`Xpki-block-creation-keystore-password-file`](#xpki-block-creation-keystore-password-file). -- Specify the optional [certificate revocation list (CRL)] file using [`Xpki-block-creation-crl-file`](#xpki-block-creation-crl-file). -- Specify the alias of the certificate to be included in blocks proposed by this validator using [`Xpki-block-creation-keystore-certificate-alias`](#xpki-block-creation-keystore-certificate-alias). -- Specify the truststore type and truststore file using [`Xpki-block-creation-truststore-type`](#xpki-block-creation-truststore-type) and [`Xpki-block-creation-truststore-file`](#xpki-block-creation-truststore-file). -- Specify the text file containing the password to unlock the truststore file using [`Xpki-block-creation-truststore-password-file`](#xpki-block-creation-truststore-password-file). - -## Command line options - -### `Xpki-block-creation-crl-file` - - - - - -```bash ---Xpki-block-creation-crl-file= -``` - - - - - -```bash ---Xpki-block-creation-crl-file=/home/cert/cert.crl.pem -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_CRL_FILE=/home/cert/cert.crl.pem -``` - - - - - -Path to the optional certificate revocation list (CRL) file. - -### `Xpki-block-creation-enabled` - - - - - -```bash ---Xpki-block-creation-enabled[=] -``` - - - - - -```bash ---Xpki-block-creation-enabled=true -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_ENABLED=true -``` - - - - - -Enable PKI integration. The default is `false`. 
- -### `Xpki-block-creation-keystore-certificate-alias` - - - - - -```bash ---Xpki-block-creation-keystore-certificate-alias= -``` - - - - - -```bash ---Xpki-block-creation-keystore-certificate-alias=validatorA -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_KEYSTORE_CERTIFICATE_ALIAS=validatorA -``` - - - - - -Alias of the certificate to be included in the blocks proposed by this validator. The default is `validator`. - -### `Xpki-block-creation-keystore-file` - - - - - -```bash ---Xpki-block-creation-keystore-file= -``` - - - - - -```bash ---Xpki-block-creation-keystore-file=/home/cert/keystore.jks -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_KEYSTORE_FILE=/home/cert/keystore.jks -``` - - - - - -Keystore file containing the key and certificate for PKI block creation. - -### `Xpki-block-creation-keystore-password-file` - - - - - -```bash ---Xpki-block-creation-keystore-password-file= -``` - - - - - -```bash ---Xpki-block-creation-keystore-password-file=/home/cert/password.txt -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_KEYSTORE_PASSWORD-FILE=/home/cert/password.txt -``` - - - - - -Text file containing the password to unlock the keystore file. - -### `Xpki-block-creation-keystore-type` - - - - - -```bash ---Xpki-block-creation-keystore-type= -``` - - - - - -```bash ---Xpki-block-creation-keystore-type=JKS -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_KEYSTORE_TYPE=JKS -``` - - - - - -PKI keystore type. Valid options are `JKS` and `PKCS12`. The default is `JKS`. - -### `Xpki-block-creation-truststore-file` - - - - - -```bash ---Xpki-block-creation-truststore-file= -``` - - - - - -```bash ---Xpki-block-creation-truststore-file=/home/cert/truststore.jks -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_FILE=/home/cert/truststore.jks -``` - - - - - -Truststore containing the trusted certificates for PKI block creation. 
- -### `Xpki-block-creation-truststore-password-file` - - - - - -```bash ---Xpki-block-creation-truststore-password-file= -``` - - - - - -```bash ---Xpki-block-creation-truststore-password-file=/home/cert/password.txt -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt -``` - - - - - -Text file containing the password to unlock the truststore file. - -### `Xpki-block-creation-truststore-type` - - - - - -```bash ---Xpki-block-creation-truststore-type= -``` - - - - - -```bash ---Xpki-block-creation-truststore-type=JKS -``` - - - - - -```bash -BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_TYPE=JKS -``` - - - - - -PKI truststore type. Valid options are `JKS` and `PKCS12`. The default is `JKS`. - -[QBFT consensus protocol]: ./consensus/qbft.md -[certificate revocation list (CRL)]: https://www.securew2.com/blog/certificate-revocation-crl-explained
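Review bot: in the pki.md hunk (`@@ -29,17 +29,4 @@`), the reference-style link definitions `[QBFT consensus protocol]` and `[CMS (Cryptographic Message Syntax)]` are deleted together with the section, but only 17 lines of the file are in view; confirm that no remaining paragraph of pki.md still uses `[QBFT consensus protocol]`, since an orphaned reference link renders as literal bracketed text. The same hunk also removes the only concept-level statement that a validator's block hash is signed with its certificate and carried in the block header as CMS; if the behaviour still exists in the node for networks already running it, a one-line pointer to the release where it was withdrawn would stop readers of the TLS section from assuming the capability never existed.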
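Review bot: the deleted-file hunk (`@@ -1,349 +0,0 @@`) removes the sole documentation of the `--Xpki-block-creation-*` options and their `BESU_XPKI_BLOCK_CREATION_*` environment variables without any replacement text in this change, so operators of existing QBFT networks started with `--Xpki-block-creation-enabled=true` get no statement of what happens to those flags; add a removal note (release in which the options stop being accepted, and whether Besu fails to start or silently ignores them). Since the front matter carried `sidebar_position: 7`, also check that the sidebar configuration and any inbound links (`../../concepts/pki.md#block-proposal-permissioning`, the QBFT tutorial, the CLI reference) do not now point at a missing page; a link checker run would settle this.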