Reference deployment of a secure Canton infrastructure (PKI, JWT, HA)

digital-asset/ex-secure-canton-infra

Secure Canton Infrastructure Reference App

This reference app demonstrates:

  • How to set up a Canton environment with full security (m/TLS, JWT). The components are shown in the diagram below.
  • User and Party Management within a User-enabled Ledger (Daml 2.0 or later)
  • Operational Management of signing and encryption keys
  • HA configuration of Sequencer, Mediator and Participant nodes

Infrastructure Components

Infrastructure Layout

The specific features being tested include:

  • segregated Canton Domain components (Sequencer, Mediator, Domain Manager) and standalone Participant nodes.
  • separate PKI setups for the domain and each participant node
  • separate JWT signing keys
  • Daml Scripts to execute each step of the sample workflow on each participant in the context of each party.

Note that we do not cover the intricacies of PKI and JWT, as these remain similar to the version provided in the Daml V1.x blogs and reference app (see References below). However, we do call out the newer JWT formats for User Authentication.

Core Concepts

Core Concepts (Users, Parties, Namespaces, Domains, Participants)

Setup and Testing Steps

References

This example builds on the secure deployment of Daml V1.X document

Blogs:

Original Github Ref App:

ex-secure-daml-infra Github Repo

Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0
