You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release.
Date of last update: August 8, 2022

Block proposal permissioning

Important

Only private networks using the QBFT consensus protocol support block proposal permissioning.

Block proposal permissioning is an early access feature, and functionality and options may be updated between releases.

You can configure block proposal permissioning to ensure only authorized validator nodes can propose blocks in the network.

Use certificates issued by a trusted authority to ensure validators are authorized to propose blocks.

Configure block proposal permissioning

Prerequisites:

  • A configured network. For example, see steps 1 to 5 in the QBFT tutorial.
  • A keystore containing the certificate and key for each network node.
  • A truststore containing all the trusted certificates for the network.

Start Besu and include the following command line options on the required nodes:

besu --Xpki-block-creation-enabled=true \
--Xpki-block-creation-keystore-type="pkcs12" \
--Xpki-block-creation-keystore-file="keystore" \
--Xpki-block-creation-keystore-password-file="keystore.password" \
--Xpki-block-creation-crl-file="crl2.pem" \
--Xpki-block-creation-keystore-certificate-alias="validator" \
--Xpki-block-creation-truststore-type="pkcs12" \
--Xpki-block-creation-truststore-file="truststore" \
--Xpki-block-creation-truststore-password-file="truststore.password"

In the command line:

Command line options

Xpki-block-creation-crl-file

--Xpki-block-creation-crl-file=<FILE>
--Xpki-block-creation-crl-file=/home/cert/cert.crl.pem
BESU_XPKI_BLOCK_CREATION_CRL_FILE=/home/cert/cert.crl.pem

Path to the optional certificate revocation list (CRL) file.

Xpki-block-creation-enabled

--Xpki-block-creation-enabled[=<true|false>]
--Xpki-block-creation-enabled=true
BESU_XPKI_BLOCK_CREATION_ENABLED=true

Enable PKI integration. The default is false.

Xpki-block-creation-keystore-certificate-alias

--Xpki-block-creation-keystore-certificate-alias=<NAME>
--Xpki-block-creation-keystore-certificate-alias=validatorA
BESU_XPKI_BLOCK_CREATION_KEYSTORE_CERTIFICATE_ALIAS=validatorA

Alias of the certificate to be included in the blocks proposed by this validator. The default is validator.

Xpki-block-creation-keystore-file

--Xpki-block-creation-keystore-file=<FILE>
--Xpki-block-creation-keystore-file=/home/cert/keystore.jks
BESU_XPKI_BLOCK_CREATION_KEYSTORE_FILE=/home/cert/keystore.jks

Keystore file containing the key and certificate for PKI block creation.

Xpki-block-creation-keystore-password-file

--Xpki-block-creation-keystore-password-file=<FILE>
--Xpki-block-creation-keystore-password-file=/home/cert/password.txt
BESU_XPKI_BLOCK_CREATION_KEYSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the keystore file.

Xpki-block-creation-keystore-type

--Xpki-block-creation-keystore-type=<TYPE>
--Xpki-block-creation-keystore-type=JKS
BESU_XPKI_BLOCK_CREATION_KEYSTORE_TYPE=JKS

PKI keystore type. Valid options are JKS and PKCS12. The default is JKS.

Xpki-block-creation-truststore-file

--Xpki-block-creation-truststore-file=<FILE>
--Xpki-block-creation-truststore-file=/home/cert/truststore.jks
BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_FILE=/home/cert/truststore.jks

Truststore containing the trusted certificates for PKI block creation.

Xpki-block-creation-truststore-password-file

--Xpki-block-creation-truststore-password-file=<FILE>
--Xpki-block-creation-truststore-password-file=/home/cert/password.txt
BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_PASSWORD_FILE=/home/cert/password.txt

Text file containing the password to unlock the truststore file.

Xpki-block-creation-truststore-type

--Xpki-block-creation-truststore-type=<TYPE>
--Xpki-block-creation-truststore-type=JKS
BESU_XPKI_BLOCK_CREATION_TRUSTSTORE_TYPE=JKS

PKI truststore type. Valid options are JKS and PKCS12. The default is JKS.
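
A pre-flight check for the options documented above, as an added example that is not part of the Besu documentation or code base: it reads the BESU_XPKI_BLOCK_CREATION_* environment variables and reports unsupported store types, missing files, and password files readable by group or other. The function name and the file permission check are assumptions of this example, not Besu behaviour.

```shell
#!/bin/sh
# Added example (not Besu code): validate PKI block creation settings before
# starting the node. Prints one line per finding and returns the number of
# findings, so 0 means clean.
check_pki_block_creation() {
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    if [ "${BESU_XPKI_BLOCK_CREATION_ENABLED:-false}" != "true" ]; then
        echo "PKI block creation is not enabled; nothing to check."
        return 0
    fi

    for store in KEYSTORE TRUSTSTORE; do
        eval "stype=\${BESU_XPKI_BLOCK_CREATION_${store}_TYPE:-JKS}"
        eval "sfile=\${BESU_XPKI_BLOCK_CREATION_${store}_FILE:-}"
        eval "pwfile=\${BESU_XPKI_BLOCK_CREATION_${store}_PASSWORD_FILE:-}"

        # The page lists JKS and PKCS12 as valid; its example uses lowercase.
        case "$(printf '%s' "$stype" | tr '[:lower:]' '[:upper:]')" in
            JKS|PKCS12) ;;
            *) note "$store type '$stype' is not JKS or PKCS12" ;;
        esac

        [ -r "$sfile" ] || note "$store file '$sfile' is missing or unreadable"

        if [ ! -r "$pwfile" ]; then
            note "$store password file '$pwfile' is missing or unreadable"
        else
            # Characters 5-10 of 'ls -l' are the group and other permission bits.
            perms=$(ls -ld "$pwfile" | cut -c5-10)
            [ "$perms" = "------" ] ||
                note "$store password file is accessible to group/other ($perms)"
        fi
    done

    # The CRL is optional, but a configured path that does not exist is an error.
    crl=${BESU_XPKI_BLOCK_CREATION_CRL_FILE:-}
    if [ -n "$crl" ] && [ ! -r "$crl" ]; then
        note "CRL file '$crl' is missing or unreadable"
    fi

    return "$findings"
}
# Usage: export the BESU_XPKI_BLOCK_CREATION_* variables, then call
# check_pki_block_creation and start Besu only if it returns 0.
```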