zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9958 Commits
183 Branches
291 MiB
Tree: f992a7e740
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f992a7e740'
${ noResults }
tendermint/docs/nodes/remote-signer.md

70 lines
3.7 KiB
Raw Normal View History

privval: add grpc (#5725) Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
4 years ago
 
  1. ---
  2. order: 7
  3. ---
  4. 

  5. # Remote signer

  6. 

  7. Tendermint provides a remote signer option for validators. A remote signer enables the operator to store the validator key on a different machine minimizing the attack surface if a server were to be compromised.
  8. 

  9. The remote signer protocol implements a [client and server architecture](https://en.wikipedia.org/wiki/Client%E2%80%93server_model). When Tendermint requires the public key or signature for a proposal or vote it requests it from the remote signer.
  10. 

  11. To run a secure validator and remote signer system it is recommended to use a VPC (virtual private cloud) or a private connection. 
  12. 

  13. There are two different configurations that can be used: Raw or gRPC.
  14. 

  15. ## Raw

  16. 

  17. While both options use tcp or unix sockets the raw option uses tcp or unix sockets without http. The raw protocol sets up Tendermint as the server and the remote signer as the client. This aids in not exposing the remote signer to public network. 
  18. 

  19. > Warning: Raw will be deprecated in a future major release, we recommend implementing your key management server against the gRPC configuration.

  20. 

  21. ## gRPC

  22. 

  23. [gRPC](https://grpc.io/) is an RPC framework built with [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2), uses [Protocol Buffers](https://developers.google.com/protocol-buffers) to define services and has been standardized within the cloud infrastructure community. gRPC provides a language agnostic way to implement services. This aids developers in the writing key management servers in various different languages.
  24. 

  25. GRPC utilizes [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security), another widely standardized protocol, to secure connections. There are two forms of TLS to secure a connection, one-way and two-way. One way is when the client identifies the server but the server allows anyone to connect to it. Two-way is when the client identifies the server and the server identifies the client, prohibiting connections from unknown parties.
  26. 

  27. When using gRPC Tendermint is setup as the client. Tendermint will make calls to the remote signer. We recommend not exposing the remote signer to the public network with the use of virtual private cloud.
  28. 

  29. Securing your remote signers connection is highly recommended, but we provide the option to run it with a insecure connection.
  30. 

  31. ### Generating Certificates

  32. 

  33. To run a secure connection with gRPC we need to generate certificates and keys. We will walkthrough how to self sign certificates for two-way TLS.
  34. 

  35. There are two ways to generate certificates, [openssl](https://www.openssl.org/) and [certstarp](https://github.com/square/certstrap). Both of these options can be used but we will be covering `certstrap` because it provides a simpler process then openssl.
  36. 

  37. - Install `Certstrap`:
  38. 

  39. ```sh
  40.   go get github.com/square/certstrap@v1.2.0
  41. ```
  42. 

  43. - Create certificate authority for self signing.
  44. 

  45. ```sh
  46.  # generate self signing ceritificate authority
  47.  certstrap init --common-name "<name_CA>" --expires "20 years"
  48. ```
  49. 

  50. - Request a certificate for the server.
  51.   - For generalization purposes we set the ip to `127.0.0.1`, but for your node please use the servers IP.
  52. - Sign the servers certificate with your certificate authority
  53. 

  54. ```sh
  55.  # generate server cerificate
  56.  certstrap request-cert -cn server -ip 127.0.0.1
  57.  # self-sign server cerificate with rootCA
  58.  certstrap sign server --CA "<name_CA>" 127.0.0.1
  59.   ```
  60. 

  61. - Request a certificate for the client.
  62.   - For generalization purposes we set the ip to `127.0.0.1`, but for your node please use the clients IP.
  63. - Sign the clients certificate with your certificate authority
  64. 

  65. ```sh
  66. # generate client cerificate

  67.  certstrap request-cert -cn client -ip 127.0.0.1
  68. # self-sign client cerificate with rootCA

  69.  certstrap sign client --CA "<name_CA>" 127.0.0.1
  70. ```