Create Validator with Integrated Keycloak
Validator Management
Validators can be deployed on Catalyst and connected to the Canton Network.
Throughout this user guide, we explain how to configure your validator, including the required information fields and their meanings.
This guide applies only when you choose the Default authentication option with integrated Keycloak when creating a Canton Validator. To set up a validator with a custom identity provider, please refer to the Create Validator With custom identity provider section.
How do I set up a Validator?
To set up a Validator, go to the Validators tab and click on the “Set up validator” button to open a side window.
For further details, expand the collapsible "More Info" sections.

1 - Main settings configuration:
At the first step of the new Validator setup wizard, please provide the following information.
- Name
- Onboard secret
- Image tag
- Image repo
- Image pull secret
- Postgres user
- Postgres password
More info about these fields
- Name: The identifier or label for the validator node.
- Onboard secret: Passphrase obtained from the super validator in order to join the network.
- Image tag: The specific version or tag of the container image to be used.
- Image repo: The repository where the container image is stored.
- Image pull secret: Credentials required to pull the container image from a private registry. (secret docker-registry)
- Postgres user: Username for the Postgres database used by the validator.
- Postgres password: Password for the Postgres database user.

An onboarding secret should be requested from your sponsoring SV in order to join the network.
Do not turn on the Custom Authentication flag, as these instructions guide you through an integrated Keycloak configuration. If you instead prefer to customize your identity provider, please refer to the Create Validator With custom identity provider section.
2 - Set up your cluster configuration
At the second step of your validator config, start by inserting the Cluster URL.
2.1 - Enable or disable each of the following fields:
- Enable wallet
- Fail on app version mismatch
- Use sequencer connections from scan
2.2 - Fill in the remaining fields:
- Cluster URL
- Disable wallet
- Fail on app version mismatch
- Scan address
- SV Sponsor Address
- Party hint
- Default JVM Options
- Migration
  - Id
- Top up
  - Enable
  - Top up min interval
  - Target throughput
2.3 - Enable or disable:
- Participant identities dump import
- Participant identities dump periodic backup
More info about these fields
- Cluster URL: The URL of the Kubernetes cluster where the validator node is deployed. The clusterUrl value is used for looking up directory entries in the scan UI.
- Disable wallet: Turn this on to skip deploying a wallet UI with your validator.
- Fail on app version mismatch: If enabled, the deployment will fail if there is a mismatch between the validator and network application versions.
- Scan address: The address used for scanning and retrieving validator-related data.
- SV Sponsor Address: The URL of the SV app of the super validator sponsoring you. Typically provided by your SV sponsor and starts with "https://sv.sv-N" (N being a number).
- Party hint: Used as a prefix for the Party ID of your validator’s administrator. Must follow the format: <organization>-<function>-<enumerator>, e.g., myCompany-myWallet-1.
- Default JVM Options: Default configuration options for the Java Virtual Machine (JVM) running the validator.
- Migration
  - Id: Used to track database migrations. The migration ID starts at 0 for the initial deployment and increments by 1 with each migration.
  - Attach PVC: Option to attach a Persistent Volume Claim (PVC) for data persistence during migration. Creates a Volume to store migration dumps (recommended).
  - Migrating: Set to true when upgrading the validator to trigger the migration process.

3 - Set up your cluster participant configuration
- Insert your default JVM configurations
- Enable or disable
  - Enable health probes
- Insert your Node Identifier
More info about these fields
- Node identifier: A unique identifier for the validator node within the network.
- Enable health probes: Turns on health checks to monitor the validator’s status and ensure it is functioning properly.
- Default JVM Options: Default configuration options for the Java Virtual Machine (JVM) running the validator.

4 - Config Resources
Provide the following information:
- Requested CPU
- CPU limit
- Requested memory
- Memory limit
- Replicas
More info about these fields
- Requested CPU: The minimum amount of CPU resources requested for the validator node.
- CPU limit: The maximum amount of CPU resources the validator node is allowed to use.
- Requested memory: The minimum amount of memory requested for the validator node.
- Memory limit: The maximum amount of memory the validator node is allowed to use.
- Replicas: The number of instances of the validator node to run.

5 - Config environment variables
On this screen, you can override the values of the environment variables created during the wizard configuration for the following components:
- Participant node
- Validator backend
- Canton Name Service UI
- Wallet UI
More info about these fields
- Participant node: The node that interacts with the Canton ledger on behalf of participants.
- Validator backend: The backend service responsible for validating and processing transactions within the network.
- Canton Name Service UI: The user interface for managing and viewing Canton network names and identifiers.
- Wallet UI: User interface for interacting with the wallet associated with your validator.

This is a very specific configuration. If you are not sure about this step, please contact IntellectEU.
6 - Summary
Review your Validator configuration. Once you have confirmed the settings, click the Confirm button to finalize and proceed with the deployment.
7 - Create a permanent password on Keycloak
To access the wallet UI, you must first define a new password and confirm it on Keycloak. Save the credentials displayed in the pop-up window.

Once your node is up and running, click on the last link that contains the text wallet-web-ui. Then click on the link at the top left part of the screen.

A pop-up will be shown asking you to re-authenticate. Close your session by clicking on the log out button.

Now enter the temporary credentials saved in the previous step to authenticate yourself.

Finally, define a new password and click submit. Once this has been done, you will be forwarded to the wallet UI console of your new Validator.

Identity and Access management
As part of the validator provisioning process, Keycloak has been set as the identity provider for authentication and authorization across the validator infrastructure. Each validator is assigned a dedicated user ($VALIDATOR_NAME_walletuser) within a specific realm (validator) for secure access to services.
We strongly recommend updating the password for this user after the initial setup to maintain security and reduce risks associated with default credentials.
Resetting the Wallet User Password in Keycloak
To update the password for your validator’s wallet user in Keycloak, follow the steps below:
2 - Navigate to the validator realm:
- From the top-left dropdown menu, select validator.
3 - Locate the wallet user:
- In the left sidebar, click on Users.
- Use the search field to find the user named $VALIDATOR_NAME_walletuser.
4 - Access the user’s credentials:
- Click on the user to open their settings.
- Navigate to the Credentials tab.
5 - Reset the password:
- Enter a new password and confirm it.
- Toggle Temporary to OFF if you do not want the user to be forced to reset the password upon next login.
- Click Reset Password.
6 - Verify the changes:
Test the new password by authenticating the service or using the Keycloak test login page (if enabled).
Make sure to store the new password securely and update any dependent services or configuration files if needed.
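The same reset can be scripted against the Keycloak Admin REST API, which is useful when rotating the wallet user's password for several validators. This is an added example, not Catalyst or Keycloak code: the function names are illustrative, and it assumes `base_url` points at your Keycloak server (including any path prefix your deployment uses) and that `token` is an admin bearer token, obtained separately, that is allowed to manage users in the validator realm.

```python
import json
import secrets
import string
import urllib.parse
import urllib.request

REALM = "validator"  # realm name given in this guide

def wallet_username(validator_name):
    # Naming scheme from this guide: $VALIDATOR_NAME_walletuser
    return f"{validator_name}_walletuser"

def generate_password(length=32):
    # CSPRNG-backed; retry until every character class is present.
    alphabet = string.ascii_letters + string.digits + "-_.~!@#%^*+="
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw

def _request(base_url, token, path, **kw):
    # Refuse plain HTTP so the admin token and new password never travel in clear text.
    if not base_url.startswith("https://"):
        raise ValueError("base_url must use https://")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = f"{base_url.rstrip('/')}/admin/realms/{REALM}/{path}"
    return urllib.request.Request(url, headers=headers, **kw)

def lookup_request(base_url, token, username):
    # GET users?username=...&exact=true returns a JSON list of matching users.
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    return _request(base_url, token, f"users?{query}")

def reset_request(base_url, token, user_id, password, temporary=False):
    # PUT users/{id}/reset-password; temporary=False matches the Temporary toggle set to OFF.
    body = json.dumps({"type": "password", "value": password, "temporary": temporary})
    path = f"users/{urllib.parse.quote(user_id, safe='')}/reset-password"
    return _request(base_url, token, path, data=body.encode(), method="PUT")

def rotate(base_url, token, validator_name):
    # Live calls; hand the returned password to a secret manager, never log it.
    with urllib.request.urlopen(lookup_request(base_url, token, wallet_username(validator_name))) as resp:
        users = json.load(resp)
    if len(users) != 1:
        raise RuntimeError(f"expected exactly one wallet user, found {len(users)}")
    password = generate_password()
    urllib.request.urlopen(reset_request(base_url, token, users[0]["id"], password)).close()
    return password
```

Only `rotate` touches the network; the request builders can be inspected or dry-run without a server.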
For further details on managing users, resetting passwords, and securing your Keycloak setup, you may refer to the following official documentation: