Date of last update: August 8, 2022

Block proposal permissioning

Important

Only private networks using the QBFT consensus protocol support block proposal permissioning.

Block proposal permissioning is an early access feature, and functionality and options may be updated between releases.

You can configure block proposal permissioning to ensure only authorized validator nodes can propose blocks in the network.

Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks.

Configure block proposal permissioning

Prerequisites:

• A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
• A keystore containing the certificate and key for each network node.
• A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xpki-block-creation-enabled=true \
--Xpki-block-creation-keystore-type="pkcs12" \
--Xpki-block-creation-keystore-file="keystore" \
--Xpki-block-creation-crl-file="crl2.pem" \
--Xpki-block-creation-keystore-certificate-alias="validator" \
--Xpki-block-creation-truststore-type="pkcs12" \
--Xpki-block-creation-truststore-file="truststore"


In the command line:

Command line options

Xpki-block-creation-crl-file

--Xpki-block-creation-crl-file=<FILE>

--Xpki-block-creation-crl-file=/home/cert/cert.crl.pem

BESU_XPKI_BLOCK_CREATION_CRL_FILE=/home/cert/cert.crl.pem


Path to the optional certificate revocation list (CRL) file.

Xpki-block-creation-enabled

--Xpki-block-creation-enabled[=<true|false>]

--Xpki-block-creation-enabled=true

BESU_XPKI_BLOCK_CREATION_ENABLED=true


Enable PKI integration. The default is false.

Xpki-block-creation-keystore-certificate-alias

--Xpki-block-creation-keystore-certificate-alias=<NAME>

--Xpki-block-creation-keystore-certificate-alias=validatorA

BESU_XPKI_BLOCK_CREATION_KEYSTORE_CERTIFICATE_ALIAS=validatorA


Alias of the certificate to be included in the blocks proposed by this validator. The default is validator.

Xpki-block-creation-keystore-file

--Xpki-block-creation-keystore-file=<FILE>

--Xpki-block-creation-keystore-file=/home/cert/keystore.jks

BESU_XPKI_BLOCK_CREATION_KEYSTORE_FILE=/home/cert/keystore.jks


Keystore file containing the key and certificate for PKI block creation.

Xpki-block-creation-keystore-password-file

--Xpki-block-creation-keystore-password-file=<FILE>

--Xpki-block-creation-keystore-password-file=/home/cert/password.txt

BESU_XPKI_BLOCK_CREATION_KEYSTORE_PASSWORD_FILE=/home/cert/password.txt


Text file containing the password to unlock the keystore file.

Xpki-block-creation-keystore-type

--Xpki-block-creation-keystore-type=<TYPE>

--Xpki-block-creation-keystore-type=JKS

BESU_XPKI_BLOCK_CREATION_KEYSTORE_TYPE=JKS


PKI keystore type. Valid options are JKS and PKCS12. The default is JKS.

Xpki-block-creation-truststore-file

--Xpki-block-creation-truststore-file=<FILE>

--Xpki-block-creation-truststore-file=/home/cert/truststore.jks

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_FILE=/home/cert/truststore.jks


Truststore containing the trusted certificates for PKI block creation.

Xpki-block-creation-truststore-password-file

--Xpki-block-creation-truststore-password-file=<FILE>

--Xpki-block-creation-truststore-password-file=/home/cert/password.txt

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt


Text file containing the password to unlock the truststore file.

Xpki-block-creation-truststore-type

--Xpki-block-creation-truststore-type=<TYPE>

--Xpki-block-creation-truststore-type=JKS

BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_TYPE=JKS


PKI truststore type. Valid options are JKS and PKCS12. The default is JKS.
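
A pre-flight check for the options documented above, as an added example that is not part of the Besu documentation or code base. It reads the `BESU_XPKI_BLOCK_CREATION_*` environment variables listed on this page; the function name `pki_preflight`, the case-insensitive type match, the PEM check on the CRL file and the owner-only rule for password files are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the BESU_XPKI_BLOCK_CREATION_* variables.
# pki_preflight is a hypothetical helper, not part of Besu.
# Returns 0 when no problem was found, 1 otherwise; problems go to stderr.
pki_preflight() {
  rc=0
  fail() { echo "pki-preflight: $*" >&2; rc=1; }
  p=BESU_XPKI_BLOCK_CREATION

  # The page gives false as the default for the enable switch.
  eval "enabled=\${${p}_ENABLED:-false}"
  if [ "$enabled" != "true" ]; then
    echo "pki-preflight: PKI block creation is not enabled" >&2
    return 0
  fi

  for store in KEYSTORE TRUSTSTORE; do
    # $store comes from the fixed list above, so eval sees no outside input.
    eval "stype=\${${p}_${store}_TYPE:-JKS}"   # page default: JKS
    eval "file=\${${p}_${store}_FILE:-}"
    eval "pw=\${${p}_${store}_PASSWORD_FILE:-}"

    # Assumption: type is matched case-insensitively (the page uses "pkcs12").
    case $(printf '%s' "$stype" | tr '[:lower:]' '[:upper:]') in
      JKS|PKCS12) ;;
      *) fail "$store type '$stype' is not JKS or PKCS12" ;;
    esac

    [ -f "$file" ] && [ -r "$file" ] || fail "$store file '$file' missing or unreadable"

    # Assumption: a password file, when set, must be private to its owner.
    if [ -n "$pw" ]; then
      if [ ! -f "$pw" ] || [ ! -r "$pw" ]; then
        fail "$store password file '$pw' missing or unreadable"
      elif [ -n "$(find "$pw" \( -perm -040 -o -perm -004 \))" ]; then
        fail "$store password file '$pw' is readable by group or others"
      fi
    fi
  done

  # The CRL is optional; assumption: when set it is PEM, as the .pem names suggest.
  eval "crl=\${${p}_CRL_FILE:-}"
  if [ -n "$crl" ] && ! grep -q -e '-----BEGIN X509 CRL-----' "$crl" 2>/dev/null; then
    fail "CRL file '$crl' is not a PEM-encoded CRL"
  fi
  return $rc
}
```

Source the file and call `pki_preflight` in the same environment that will start Besu; a non-zero return means at least one setting should be corrected first.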