Create Validator with Custom Authentication

Main Info

This is only used when choosing the Custom authentication option when creating a Canton Validator, the alternative is using a with Integrated Keycloak that automates the process as detailed in Create Validator With Integrated Keycloak

When installing Catalyst is configured Identity Provider that is used to authenticate Catalyst and the validators deployed through it.

This is a brief overview on how to setup Clients and users in your Identity Provider before setting the Validator. For a full description of requirements consult the Canton Validator OICD requirements.

The sections on secrets and other configuration on Kubernetes can ignored be as Catalyst creates them. When creating a validator the clients and users need to be setup beforehand.

Clients

The following clients are used by a Validator node, they need the proper flow allowed in your Identity provider.

It is recommended to allow all audiences for the clients when creating the validator, these can be limited after Catalyst generates the URLs and these can be consulted.

Validator Component

Open Id Flow

Fields required by Catalyst

Validator

Client Credentials Grant

Client Id, Client secret

Canton Name Service

Authorization Code

Client Id

Wallet

Authorization Code

Client Id

Users

A single user is needed to be created before with access to the clients created.

This user will be mapped to the main Validator party and will recevie rewards, these can be view from the Wallet.

1 - Main settings configuration:

At the first step of the new Validator setup wizard, please provide the following information.

  • Name

  • Onboard secret

  • Image tag

  • Image repo

  • Image pull secret

  • Postgres user

  • Postgres password

  • Requested CPU

  • CPU limit

  • Requested memory

  • Memory limit

  • Replicas

More info about these fields

  • Name The identifier or label for the validator node.

  • Onboard secret pass phrase obtained form the super validator in order to join the network.

  • Image tag The specific version or tag of the container image to be used.

  • Image repo The repository where the container image is stored.

  • Image pull secret Credentials required to pull the container image from a private registry. (secret docker-registry)

  • Postgres user Username for the Postgres database used by the validator.

  • Postgres password Password for the Postgres database user.

  • Requested CPU The minimum amount of CPU resources requested for the validator node.

  • CPU limit The maximum amount of CPU resources the validator node is allowed to use.

  • Requested memory The minimum amount of memory requested for the validator node.

  • Memory limit The maximum amount of memory the validator node is allowed to use.

  • Replicas The number of instances of the validator node to run.

Provide main settings
Figure 1. Provide main settings
An onboarding secret should be requested from your sponsoring SV in order to join the network.

Do not forget to set the Custom Authentication flag on as these instructions aim to guide you for a custom indetity provider configuration. If instead you want to follow an integrated Keycloak approach, please refer to the Create Validator With custom identuty provider section

Now, set the Validator Creation Fields

  • CNS Client Id: Client for the Canton Name Service

  • Wallet Client Id

  • Ledger API Client Id

  • Ledger API Client Secret

  • Ledger API User

More info about these fields

  • CNS Client Id: Client for the Canton Name Service

  • Wallet Client Id: Client for Wallet application

  • Ledger API Client Id: Client for Validator

  • Ledger API Client Secret: Secret part of Client Credentials Grant Flow for the Validator client

  • Ledger API User: User of the components described above

The value to set the Ledger API User depends on the Identity provider, the value should be what the Identity Provider puts as the subject field on the JWT token.

2 - Set up your cluster configuration

At the second step of your validator config, start by inserting the Cluster URL.

2.1 - Enable or disable each of the following fields:

  • Enable wallet

  • Fail on app version mismatch

  • Use sequencer connections from scan

2.2 - Fill in the remaining fields:

  • Cluster URL

  • Enable wallet

  • Fail on app version mismatch

  • Scan address

  • SV Sponsor Address

  • Party hint

  • Default JVM Options

  • Migration

    • Id

    • Attach PVC

    • Migrating

  • Top up

    • Enable

    • Top up min interval

    • Target throughput

2.3 - Enable or disable:

  • Participant identities dump import

  • Participant identities dump periodic backup

More info about these fields

  • Cluster URL The URL of the Kubernetes cluster where the validator node is deployed. clusterUrl value is used for looking up directory entries in the scan UI.

  • Enable wallet Turn this on to deploy a wallet UI with your validator.

  • Fail on app version mismatch If enabled, the deployment will fail if there is a mismatch between the validator and network application versions.

  • Scan address The address used for scanning and retrieving validator-related data.

  • SV Sponsor Address The URL of the SV app of the super validator sponsoring you. Typically provided by your SV sponsor and starts with "https://sv.sv-N" (N being a number).

  • Party hint Used as a prefix for the Party ID of your validator’s administrator. Must follow the format: <organization>-<function>-<enumerator>, e.g., myCompany-myWallet-1.

  • Default JVM Options Default configuration options for the Java Virtual Machine (JVM) running the validator.

  • Migration

    • Id Used to track database migrations. The migration ID starts at 0 for the initial deployment and increments by 1 with each migration.

    • Attach PVC Option to attach a Persistent Volume Claim (PVC) for data persistence during migration. Creates a Volume to store migration dumps (recommended).

    • Migrating Set to true when upgrading the validator to trigger the migration process.

Provide Cluster Settings
Figure 2. Provide Cluster Settings

3 - Set up your cluster participant configuration

  • Insert your default JVM configurations

  • Enable or disable

    • Auto init

    • Enable health probes

  • Insert your Node Identifier

More info about these fields

  • Node identifier A unique identifier for the validator node within the network.

  • Disable auto init Prevents the validator from automatically starting after deployment, allowing for pre-run actions to be performed before initialization.

  • Enable health probes Turns on health checks to monitor the validator’s status and ensure it is functioning properly.

  • Default JVM Options Default configuration options for the Java Virtual Machine (JVM) running the validator.

Provide Cluster Participant Settings
Figure 3. Provide Cluster Participant Settings

4 - Config environment variables

On this screen, you can override the values of the environment variables created during the wizard configuration for the following components:

  • Participant node

  • Validator backend

  • Canton Name Service UI

  • Wallet UI

More info about these fields

  • Participant node The node that interacts with the Canton ledger on behalf of participants.

  • Validator backend The backend service responsible for validating and processing transactions within the network.

  • Canton Name Service UI The user interface for managing and viewing Canton network names and identifiers.

  • Wallet UI User interface for interacting with the wallet associated with your validator.

Provide Validator Environment Variables
Figure 4. Provide Validator Environment Variables

This is a very specific configuration, if you are not sure about this step, please contact IntellectEU.

5 - Summary

Review your Validator configuration. Once you have confirmed the settings, click the Confirm button to finalize and proceed with the deployment.