Block proposal permissioning

info

Only private networks using the QBFT consensus protocol support block proposal permissioning.

Block proposal permissioning is an early access feature, and functionality and options may be updated between releases.

You can configure block proposal permissioning to ensure only authorized validator nodes can propose blocks in the network.

Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks.

Configure block proposal permissioning

Prerequisites:

A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
A keystore containing the certificate and key for each network node.
A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xpki-block-creation-enabled=true \
--Xpki-block-creation-keystore-type="pkcs12" \
--Xpki-block-creation-keystore-file="keystore" \
--Xpki-block-creation-keystore-password-file="keystore.password" \
--Xpki-block-creation-crl-file="crl2.pem" \
--Xpki-block-creation-keystore-certificate-alias="validator" \
--Xpki-block-creation-truststore-type="pkcs12" \
--Xpki-block-creation-truststore-file="truststore" \
--Xpki-block-creation-truststore-password-file="truststore.password"

In the command line:

Enable block proposal permissioning using --Xpki-block-creation-enabled=true.
Specify the keystore type and keystore file using Xpki-block-creation-keystore-type and --Xpki-block-creation-keystore-file.
Specify the text file containing the password to unlock the keystore file using Xpki-block-creation-keystore-password-file.
Specify the optional certificate revocation list (CRL) file using Xpki-block-creation-crl-file.
Specify the alias of the certificate to be included in blocks proposed by this validator using Xpki-block-creation-keystore-certificate-alias.
Specify the truststore type and truststore file using Xpki-block-creation-truststore-type and Xpki-block-creation-truststore-file.
Specify the text file containing the password to unlock the truststore file using Xpki-block-creation-truststore-password-file.

Command line options

`Xpki-block-creation-crl-file`

Syntax
Example
Environment variable

--Xpki-block-creation-crl-file=<FILE>

--Xpki-block-creation-crl-file=/home/cert/cert.crl.pem

BESU_XPKI_BLOCK_CREATION_CRL_FILE=/home/cert/cert.crl.pem

Path to the optional certificate revocation list (CRL) file.

`Xpki-block-creation-enabled`

Syntax
Example
Environment variable

--Xpki-block-creation-enabled[=<true|false>]

--Xpki-block-creation-enabled=true

BESU_XPKI_BLOCK_CREATION_ENABLED=true

Enable PKI integration. The default is false.

`Xpki-block-creation-keystore-certificate-alias`

Syntax
Example
Environment variable

--Xpki-block-creation-keystore-certificate-alias=<NAME>

--Xpki-block-creation-keystore-certificate-alias=validatorA

BESU_XPKI_BLOCK_CREATION_KEYSTORE_CERTIFICATE_ALIAS=validatorA

Alias of the certificate to be included in the blocks proposed by this validator. The default is validator.

`Xpki-block-creation-keystore-file`

Syntax
Example
Environment variable

--Xpki-block-creation-keystore-file=<FILE>

--Xpki-block-creation-keystore-file=/home/cert/keystore.jks

BESU_XPKI_BLOCK_CREATION_KEYSTORE_FILE=/home/cert/keystore.jks

Keystore file containing the key and certificate for PKI block creation.

`Xpki-block-creation-keystore-password-file`

Syntax
Example
Environment variable

--Xpki-block-creation-keystore-password-file=<FILE>

--Xpki-block-creation-keystore-password-file=/home/cert/password.txt

BESU_XPKI_BLOCK_CREATION_KEYSTORE_PASSWORD-FILE=/home/cert/password.txt

Text file containing the password to unlock the keystore file.

`Xpki-block-creation-keystore-type`

Syntax
Example
Environment variable

--Xpki-block-creation-keystore-type=<TYPE>

--Xpki-block-creation-keystore-type=JKS

BESU_XPKI_BLOCK_CREATION_KEYSTORE_TYPE=JKS

PKI keystore type. Valid options are JKS and PKCS12. The default is JKS.

`Xpki-block-creation-truststore-file`

Syntax
Example
Environment variable

--Xpki-block-creation-truststore-file=<FILE>

--Xpki-block-creation-truststore-file=/home/cert/truststore.jks

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_FILE=/home/cert/truststore.jks

Truststore containing the trusted certificates for PKI block creation.

`Xpki-block-creation-truststore-password-file`

Syntax
Example
Environment variable

--Xpki-block-creation-truststore-password-file=<FILE>

--Xpki-block-creation-truststore-password-file=/home/cert/password.txt

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the truststore file.

`Xpki-block-creation-truststore-type`

Syntax
Example
Environment variable

--Xpki-block-creation-truststore-type=<TYPE>

--Xpki-block-creation-truststore-type=JKS

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_TYPE=JKS

PKI truststore type. Valid options are JKS and PKCS12. The default is JKS.

Block proposal permissioning

Configure block proposal permissioning​

Command line options​

Xpki-block-creation-crl-file​

Xpki-block-creation-enabled​

Xpki-block-creation-keystore-certificate-alias​

Xpki-block-creation-keystore-file​

Xpki-block-creation-keystore-password-file​

Xpki-block-creation-keystore-type​

Xpki-block-creation-truststore-file​

Xpki-block-creation-truststore-password-file​

Xpki-block-creation-truststore-type​