Tessera - Enterprise Implementation of Quorum's transaction manager

Important: If using version 21.4.1 and earlier
Tessera is now released as a zipped distribution instead of an uber jar. If using version 21.4.1 and earlier, see the previous README.

Tessera is a stateless Java system that is used to enable the encryption, decryption, and distribution of private transactions for Quorum and/or Besu.

Each Tessera node:

  • Generates and maintains a number of private/public key pairs

  • Self-manages and discovers all nodes in the network (i.e. their public keys) by connecting to as few as one other node

  • Provides Private and Public API interfaces for communication:

    • Private API - This is used for communication with Quorum
    • Public API - This is used for communication between Tessera peer nodes
  • Provides two-way SSL using TLS certificates and various trust models such as Trust On First Use (TOFU), whitelist, certificate authority, etc.

  • Supports IP whitelist

  • Connects to any SQL DB which supports the JDBC client

Documentation

Docs

Artefacts

Runnable distributions

Tessera

Remote Enclave Server

Optional Artefacts

The following artefacts can be added to a distribution to provide additional functionality.

Key Vaults

  • Azure: Add support for key pairs stored in Azure Key Vault
  • AWS: Add support for key pairs stored in AWS Secret Store
  • Hashicorp: Add support for key pairs stored in Hashicorp Vault

Encryptors

  • jnacl: (already included in Tessera and Remote Enclave Server distributions) Add support for NaCl key pairs using jnacl library
  • Elliptical Curve: Add support for elliptic curve key pairs
  • kalium: Add support for NaCl key pairs using kalium library

Prerequisites

  • Java

    • Java 11+ (tested up to Java 14); the source code is Java 11.
  • Optional: Gradle

    • If you want to use a locally installed Gradle rather than the included wrapper. Note: wrapper currently uses Gradle 7.0.2.

Building Tessera from source

To build and install Tessera:

  1. Clone this repo
  2. Build using the included Gradle Wrapper file
    ./gradlew build   
    

Installing Tessera

Download and unpack distribution:

$ tar xvf tessera-[version].tar
$ tree tessera-[version]
tessera-[version]
├── bin
│   ├── tessera
│   └── tessera.bat
└── lib
    ├── HikariCP-3.2.0.jar
    ...

Run Tessera (use correct /bin script for your system):

./tessera-[version]/bin/tessera help

Supplementing the distribution

Additional functionality can be added to a distribution by adding .jar files to the /lib directory.

Adding Tessera artefacts

Download and unpack the artefact:

$ tar xvf aws-key-vault-[version].tar
$ tree aws-key-vault-[version]
aws-key-vault-[version].tar
└── lib
    ├── annotations-2.10.25.jar
    ...

Copy the contents of the artefact's /lib into the distribution /lib (make sure to resolve any version conflicts/duplicated .jar files introduced during the copy):

 cp -a aws-key-vault-[version]/lib/. tessera-[version]/lib/

Supporting alternate databases

By default, Tessera uses an H2 database. To use an alternative database, add the necessary drivers to the lib/ dir:

For example, to use Oracle database:

cp ojdbc7.jar tessera-[version]/lib/

DDLs have been provided to help with defining these databases.

Since Tessera 0.7 a timestamp is recorded with each encrypted transaction stored in the Tessera DB. To update an existing DB to work with Tessera 0.7+, execute one of the provided alter scripts.

Docker images

Configuration

Config File

A configuration file detailing database, server and network peer information must be provided using the -configfile command line property.

An in-depth look at configuring Tessera can be found in the Tessera Documentation and includes details on all aspects of configuration including:

  • Cryptographic key config:
    • Using existing private/public key pairs with Tessera
    • How to use Tessera to generate new key pairs
  • TLS config
    • How to enable TLS
    • Choosing a trust mode

Obfuscate database password in config file

Certain entries in the Tessera config file must be obfuscated to prevent attackers from gaining access to critical parts of the application (i.e. the database). For the time being, Tessera users can enable encryption of the database password so that it is not exposed as plain text in the configuration file.

Tessera uses the jasypt library, together with its JAXB integration, to encrypt/decrypt config values.

To enable this feature, simply replace your plain-text database password with its encrypted value and wrap it inside an ENC() function.

    "jdbc": {
        "username": "sa",
        "password": "ENC(ujMeokIQ9UFHSuBYetfRjQTpZASgaua3)",
        "url": "jdbc:h2:/qdata/c1/db1",
        "autoCreateTables": true
    }

Being a Password-Based Encryptor, Jasypt requires a secret key (password) and a configured algorithm to encrypt/decrypt this config entry. This password can be loaded into Tessera either from the file system or from user input. For file system input, the location of the secret file must be set in the environment variable TESSERA_CONFIG_SECRET.

If the database password is not wrapped inside an ENC() function, Tessera will treat it as a plain-text password; this approach is not recommended for production environments.

  • Please note that at the moment jasypt encryption is only enabled on the jdbc.password field.

Encrypt database password

Download and unzip the jasypt package. Change to the bin directory; the following command can be used to encrypt a string:

bash-3.2$ ./encrypt.sh input=dbpassword password=quorum

----ENVIRONMENT-----------------

Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.171-b11



----ARGUMENTS-------------------

input: dbpassword
password: quorum



----OUTPUT----------------------

rJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb

Take this output and wrap it inside an ENC() function; the config JSON file should then contain ENC(rJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb).
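The following audit script is an added example, not part of the Tessera project or its README. It reports whether jdbc.password is wrapped in ENC(), whether the secret file named by TESSERA_CONFIG_SECRET is accessible beyond its owner, and which servers set sslConfig.tls to OFF. The function names and the sample config are constructed for illustration; the config keys are the ones that appear in the configs quoted on this page.

```python
import json
import os
import re
import stat

# The ENC(...) wrapper described above; anything else is treated as plain text.
ENC_VALUE = re.compile(r"ENC\(.+\)")


def classify_jdbc_password(config):
    """Return 'encrypted', 'plaintext', 'empty' or 'missing' for jdbc.password."""
    jdbc = config.get("jdbc")
    if not isinstance(jdbc, dict) or "password" not in jdbc:
        return "missing"
    password = jdbc["password"]
    if not isinstance(password, str) or password == "":
        return "empty"
    return "encrypted" if ENC_VALUE.fullmatch(password) else "plaintext"


def check_secret_file(path):
    """Check the file that holds the Jasypt password (TESSERA_CONFIG_SECRET)."""
    try:
        info = os.stat(path)
    except OSError as exc:
        return [f"secret file {path} cannot be read: {exc.strerror}"]
    findings = []
    if not stat.S_ISREG(info.st_mode):
        findings.append(f"secret file {path} is not a regular file")
    # Assumption of this example: only the account running Tessera needs access.
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(info.st_mode)
        findings.append(
            f"secret file {path} has mode {mode:o}; restrict it to its owner (600)"
        )
    return findings


def tls_disabled_servers(config):
    """Names of servers whose sslConfig.tls is explicitly OFF."""
    servers = list(config.get("serverConfigs") or [])
    if isinstance(config.get("server"), dict):  # older single-server layout
        servers.append(config["server"])
    return [
        s.get("app", "server")
        for s in servers
        if isinstance(s, dict) and (s.get("sslConfig") or {}).get("tls") == "OFF"
    ]


def audit(config_text, secret_path=None):
    """Return a list of findings for one Tessera config file."""
    config = json.loads(config_text)
    findings = []
    state = classify_jdbc_password(config)
    if state == "plaintext":
        findings.append(
            "jdbc.password is stored in plain text; replace it with ENC(<encrypted value>)"
        )
    elif state == "empty":
        findings.append("jdbc.password is empty")
    elif state == "encrypted" and secret_path:
        # Without a secret file Tessera takes the password from user input instead.
        findings.extend(check_secret_file(secret_path))
    for app in tls_disabled_servers(config):
        findings.append(f"{app} server has sslConfig.tls set to OFF")
    return findings


# Constructed sample config, modelled on the snippets on this page.
SAMPLE_CONFIG = """
{
  "jdbc": {"username": "sa", "password": "dbpassword",
           "url": "jdbc:h2:/qdata/c1/db1", "autoCreateTables": true},
  "serverConfigs": [
    {"app": "P2P", "serverAddress": "http://ip1:9001", "sslConfig": {"tls": "OFF"}},
    {"app": "Q2T", "serverAddress": "unix:/qdata/c1/tm.ipc"}
  ]
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, os.environ.get("TESSERA_CONFIG_SECRET")):
        print("FINDING:", finding)
```
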

Further reading

  • The Tessera Documentation provides additional information on how Tessera works, migrating from Constellation to Tessera, configuration details, and more.
  • Quorum is an Ethereum-based distributed ledger protocol that uses Tessera to provide transaction privacy.
  • Follow the Quorum Examples to see Tessera in action in a demo Quorum network.

Reporting Security Bugs

Security is part of our commitment to our users. At Quorum we have a close relationship with the security community, we understand the realm, and encourage security researchers to become part of our mission of building secure reliable software. This section explains how to submit security bugs, and what to expect in return.

All security bugs in Quorum and its ecosystem (Tessera, Constellation, Cakeshop, etc.) should be reported by email to [email protected]. Please use the prefix [security] in your subject. This email is delivered to the Quorum security team. Your email will be acknowledged, and you'll receive a more detailed response to your email as soon as possible indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement.

If you have not received a reply to your email or you have not heard from the security team, please contact any team member through the Quorum slack security channel. Please note that Quorum slack channels are a public discussion forum. When escalating to this medium, please do not disclose the details of the issue. Simply state that you're trying to reach a member of the security team.

Responsible Disclosure Process

Quorum project uses the following responsible disclosure process:

  • Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
  • The issue is confirmed and a list of affected software is determined.
  • Code is audited to find any potential similar problems.
  • If it is determined, in consultation with the submitter, that a CVE-ID is required, the primary handler will trigger the process.
  • Fixes are applied to the public repository and a new release is issued.
  • On the date that the fixes are applied, announcements are sent to Quorum-announce.
  • At this point you would be able to disclose publicly your finding.

Note: This process can take some time. Every effort will be made to handle the security bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.

Receiving Security Updates

The best way to receive security announcements is to subscribe to the Quorum-announce mailing list/channel. Any messages pertaining to a security issue will be prefixed with [security].

Comments on This Policy

If you have any suggestions to improve this policy, please send an email to [email protected] for discussion.

Contributing

Tessera is built open source and we welcome external contribution on features and enhancements. Upon review you will be required to complete a Contributor License Agreement (CLA) before we are able to merge. If you have any questions about the contribution process, please feel free to send an email to [email protected]. Please see the Contributors guide for more information about the process.

Getting Help

Stuck at some step? Please join our slack community for support.

Owner
ConsenSys Software
ConsenSys is the software engineering leader of the blockchain space. Our full-stack Ethereum products help developers build next-generation networks.
Comments
  • Fail during mvn install

    Hello. I was trying to install and compile Tessera.

    1. $ java -version
       java version "1.8.0_181"
       Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
       Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

    2. $ mvn --version
       Apache Maven 3.3.9
       Maven home: /usr/share/maven
       Java version: 1.8.0_181, vendor: Oracle Corporation
       Java home: /usr/lib/jvm/java-8-oracle/jre
       Default locale: en_US, platform encoding: UTF-8
       OS name: "linux", version: "4.15.0-1022-azure", arch: "amd64", family: "unix"

    3. Apache Tomcat/9.0.11

    I cloned this repo, switched folder and tried to run mvn install but got an error: screen shot 2018-09-10 at 15 28 41

    I used basic config.json screen shot 2018-09-10 at 15 29 43

    What did I do wrong?

  • Clarify peer discovery behaviour

    • Tessera peer discovery docs here - https://docs.tessera.consensys.net/en/stable/HowTo/Configure/Peer-discovery/
    • Besu multi-tenancy - https://besu.hyperledger.org/en/stable/Tutorials/Privacy/Configuring-Multi-Tenancy/ (multiple tessera keys)
    • GoQuorum multi-tenancy - https://consensys.net/docs/goquorum/en/latest/concepts/multi-tenancy/ (this adds the "multiple private states" config)

    further context - https://github.com/ConsenSys/quorum/issues/1278

    Success criteria answers to these questions

    • [x] Basic peer discovery - if I have tessera nodes A and B, and then add node C to node A's config (peer section), do nodes B and C discover each other? (this can be verified without multi-tenancy just with multiple nodes)
    • [x] With Besu multi-tenancy - when I add another key to a tenant in tessera should it get propagated to other peers when peer discovery is on?
    • [x] Is this different with GoQuorum multi-tenancy (multiple private states)?
    • [x] clarifying updates to docs - in whatever format makes sense (eg gdoc writeup, raise a docs PR or create a docs ticket with relevant info)
  • Memory Leak?

    Hi!! I got the OOM (Out of Memory) error yesterday. So, I added an APM agent for heap monitoring to Tessera.

    I found the memory leak shown at the link below. (sample..) (I'm sorry. I can't post the real graph because of company policy)

    Heap memory usage is increasing gradually after GC on all nodes. https://i.stack.imgur.com/NlsbR.jpg

    Heap memory is increased 130MB for 8 hours.

    Thank you.

  • Issue with tessera in k8s

    Hi there, I use your Quorum and Tessera as a private blockchain network. When working in the docker composite, everything works fine. However, when starting 2 Tessera pods in Kubernetes, a problem arose. The services start normally and see each other only when using internal Docker IP addresses.

    cat tessera-config.json:

    .....
       "peer": [
         {
           "url": "http://172.17.0.5:9000"
         }
    

    ...

    15:43:42.658 [grizzly-http-server-0] INFO  c.q.tessera.api.filter.LoggingFilter - Enter Request : POST : /resend
    15:43:42.759 [grizzly-http-server-0] INFO  c.q.t.t.EncryptedTransactionDAOImpl - Fetching all EncryptedTransaction database rows
    15:43:42.964 [grizzly-http-server-0] INFO  c.q.tessera.api.filter.LoggingFilter - Exit Request : POST : /resend
    15:43:42.965 [grizzly-http-server-0] INFO  c.q.tessera.api.filter.LoggingFilter - Response for resend : 200 OK
    15:43:42.975 [grizzly-http-server-1] INFO  c.q.tessera.api.filter.LoggingFilter - Enter Request : POST : /resend
    15:43:42.978 [grizzly-http-server-1] INFO  c.q.t.t.EncryptedTransactionDAOImpl - Fetching all EncryptedTransaction database rows
    15:43:42.979 [grizzly-http-server-1] INFO  c.q.tessera.api.filter.LoggingFilter - Exit Request : POST : /resend
    15:43:42.979 [grizzly-http-server-1] INFO  c.q.tessera.api.filter.LoggingFilter - Response for resend : 200 OK
    

    If you use the Kubernetes services:

    cat tessera-config.json:

    tessera-config.json:
      "peer": [
         {
           "url": "http://tessera-1-ip-service:9000"
         }
    

    Tessera starts, but the nodes do not see each other.

    15:45:40.282 [main] INFO  o.g.g.http.server.NetworkListener - Started listener bound to [0.0.0.0:9000]
    15:45:40.284 [main] INFO  o.g.grizzly.http.server.HttpServer - [HttpServer] Started.
    15:45:40.286 [main] INFO  c.quorum.tessera.server.JerseyServer - Started http://0.0.0.0:9000
    15:45:40.286 [main] INFO  c.quorum.tessera.server.JerseyServer - WADL http://0.0.0.0:9000/application.wadl
    15:47:52.016 [pool-3-thread-1] WARN  com.quorum.tessera.sync.SyncPoller - Server error java.net.ConnectException: Connection timed out (Connection timed out) when connecting to http://tessera-1-ip-service:9000
    15:47:52.016 [pool-1-thread-1] WARN  c.q.tessera.node.PartyInfoPoller - Server error java.net.ConnectException: Connection timed out (Connection timed out) when connecting to http://tessera-1-ip-service:9000
    

    The network is configured correctly, the port is open

    root@tessera-2-59bd677566-v6pn6:/opt/tessera# nc -vz tessera-1-ip-service 9000
    tessera-1-ip-service.default.svc.cluster.local [10.101.33.216] 9000 (?) open
    

    This behavior does not allow switching to the use of Tessera in Kubernetes, since when a pod restarts its internal IP can change and there is no way to make it static. The use of a single Tessera is undesirable since it makes scaling impossible and reduces the fault tolerance of the service.

  • Added CLI options to output server URIs to file.

    Added a CLI option to write server URIs to a specified directory. The use case for this change is to enable an external process to locate running Tessera servers, without requiring foreknowledge of the Tessera configuration.

  • Error: EOF undefined while trying to transact privately between 2 peers

    Geth version: 1.8.18-stable Quorum version: 2.2.3 Go:1.10.3 Tessera version: 0.9

    I have used the latest tessera docs https://goquorum.readthedocs.io/en/latest/Privacy/Tessera/Configuration/Configuration%20Overview/

    To set up 3 peers. Below is the tessera-config.json for node 1(similar for node 2 and node 3 with only changes in ip):

    {
      "useWhiteList": false,
      "jdbc": {
        "username": "sa",
        "password": "",
        "url": "jdbc:h2:/home/ubuntu/node/db;MODE=Oracle;TRACE_LEVEL_SYSTEM_OUT=0",
        "autoCreateTables": true
      },
      "serverConfigs": [
        {
          "app": "P2P",
          "enabled": true,
          "serverAddress": "http://ip1:9001",
          "bindingAddress": "http://0.0.0.0:9001",
          "sslConfig": { "tls": "OFF" },
          "communicationType": "REST"
        },
        {
          "app": "Q2T",
          "enabled": true,
          "serverAddress": "unix:/home/ubuntu/node/datadir/tm.ipc",
          "communicationType": "REST"
        }
      ],
      "peer": [
        { "url": "http://ip1:9001" },
        { "url": "http://ip2:9001" },
        { "url": "http://ip3:9001" }
      ],
      "keys": {
        "passwords": [],
        "keyData": [
          {
            "privateKeyPath": "/home/ubuntu/node/tessera-key-pair/node.key",
            "publicKeyPath": "/home/ubuntu/node/tessera-key-pair/node.pub"
          }
        ]
      },
      "alwaysSendTo": [],
      "unixSocketFile": "/home/ubuntu/node/datadir/tm.ipc"
    }
    

    I have also put the below commands to turn up geth(similar for node 2 and node 3):

    ARGS="--nodiscover --verbosity 5 --raft --rpc --rpcaddr 0.0.0.0 --rpcapi admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,raft --emitcheckpoints" PRIVATE_CONFIG=datadir/tm.ipc nohup geth --datadir datadir $ARGS --raftport 50401 --rpcport 22000 --port 21000 --identity 'QUORUM01' --unlock 0 --password passwords.txt 2>>datadir/logs/node.log &

    I have also done admin.addPeer() from node 1 using the node 2 and node 3 enodes. Now the problem is I am not able to transact private transactions from the geth console when passing "privateFor:[public key of node 2]" from node 1. However, I am able to successfully transact public transactions from all the peers.

    Please help!!!!

  • How to add mysql to 7nodes example?

    I have installed mysql on my local machine. I have downloaded the mysql jdbc jar (version 8.0.12) and saved it at /home/vagrant/tessera/mysql.jar. I have run the mysql ddl (https://github.com/jpmorganchase/tessera/blob/master/ddls/mysql-ddl.sql).

    I modified tessera-init.sh as follows and changed the jdbc url to mysql:

    #!/usr/bin/env bash
    echo "[*] Initialising Tessera configuration"

    currentDir=$(pwd)
    for i in {1..7}
    do
        DDIR="qdata/c$i"
        mkdir -p ${DDIR}
        mkdir -p qdata/logs
        cp "keys/tm$i.pub" "${DDIR}/tm.pub"
        cp "keys/tm$i.key" "${DDIR}/tm.key"
        rm -f "${DDIR}/tm.ipc"

        #change tls to "strict" to enable it (don't forget to also change http -> https)
        cat <<EOF > ${DDIR}/tessera-config${i}.json
    {
        "useWhiteList": false,
        "jdbc": {
            "username": "root",
            "password": "123456",
            "url": "jdbc:mysql//127.0.0.1:3306/quorum?useSSL=false"
        },
        "server": {
            "port": 900${i},
            "hostName": "http://localhost",
            "sslConfig": {
                "tls": "OFF",
                "generateKeyStoreIfNotExisted": true,
                "serverKeyStore": "${currentDir}/qdata/c${i}/server${i}-keystore",
                "serverKeyStorePassword": "quorum",
                "serverTrustStore": "${currentDir}/qdata/c${i}/server-truststore",
                "serverTrustStorePassword": "quorum",
                "serverTrustMode": "TOFU",
                "knownClientsFile": "${currentDir}/qdata/c${i}/knownClients",
                "clientKeyStore": "${currentDir}/qdata/c${i}/client${i}-keystore",
                "clientKeyStorePassword": "quorum",
                "clientTrustStore": "${currentDir}/qdata/c${i}/client-truststore",
                "clientTrustStorePassword": "quorum",
                "clientTrustMode": "TOFU",
                "knownServersFile": "${currentDir}/qdata/c${i}/knownServers"
            }
        },
        "peer": [
            { "url": "http://localhost:9001" },
            { "url": "http://localhost:9002" },
            { "url": "http://localhost:9003" },
            { "url": "http://localhost:9004" },
            { "url": "http://localhost:9005" },
            { "url": "http://localhost:9006" },
            { "url": "http://localhost:9007" }
        ],
        "keys": {
            "passwords": [],
            "keyData": [
                {
                    "config": $(cat ${currentDir}/qdata/c${i}/tm.key),
                    "publicKey": "$(cat ${currentDir}/qdata/c${i}/tm.pub)"
                }
            ]
        },
        "alwaysSendTo": [],
        "unixSocketFile": "${currentDir}/qdata/c${i}/tm.ipc"
    }
    EOF
    done

  • ThirdParty server hangup problem with 7nodes example

    Following the suggestion on https://github.com/jpmorganchase/tessera/issues/954, I used the latest release of Quorum and Tessera to deploy quorum-examples with 7 nodes, but the ThirdParty server ports 9081-9087 hang up again. These are my deploy and test steps; maybe they can help reproduce the bug.

    1. Prepare the host server, operating system version: CentOS Linux release 7.3.1611 x86_64

    2. Download geth_v2.4.0_linux_amd64.tar.gz, url: https://github.com/jpmorganchase/quorum/releases

    3. Download tessera-app-0.10.2-app.jar, url: https://oss.sonatype.org/service/local/repositories/releases/content/com/jpmorgan/quorum/tessera-app/0.10.2/tessera-app-0.10.2-app.jar

    4. Download quorum-examples-master.zip, url: https://codeload.github.com/jpmorganchase/quorum-examples/zip/master

    5. Install geth:

        mkdir -p /home/cpap/app/blockchain/lib
        cp tessera-app-0.10.2-app.jar /home/cpap/app/blockchain/lib
        cp geth_v2.4.0_linux_amd64.tar.gz /home/cpap/app/blockchain/lib
        cd /home/cpap/app/blockchain/lib
        tar -xvf geth_v2.4.0_linux_amd64.tar.gz
        cp geth /usr/local/bin
        chmod 777 /usr/local/bin/geth
        [root@hadoop-1 lib] geth --version
        Incorrect Usage. flag provided but not defined: -version
        NAME: geth - the go-ethereum command line interface
        Copyright 2013-2018 The go-ethereum Authors
        USAGE: geth [options] command [command options] [arguments...]
        VERSION: 1.8.18-stable-20c95e5d
        QUORUM OPTIONS:
          --permissioned If enabled, the node will allow only a defined list of nodes to connect
        ...

    6. Unpack the examples:

        mkdir -p /home/cpap/app/blockchain
        cp quorum-examples-master.zip /home/cpap/app/blockchain
        cd /home/cpap/app/blockchain
        unzip quorum-examples-master.zip
        cd quorum-examples-master/examples/7nodes/
        vi ./tessera-init.sh

       Delete the CORS config of the P2P server in tessera-config-09-${i}.json, because tessera-app-0.10.2 can only configure CORS on the ThirdParty server.

    7. Start 7nodes:

        ./raft-init.sh
        ./raft-start.sh tessera --tesseraOptions "--tesseraJar /home/cpap/app/blockchain/lib/tessera-app-0.10.2-app.jar"
        ...
        All nodes configured. See 'qdata/logs' for logs, and run e.g. 'geth attach qdata/dd1/geth.ipc' to attach to the first Geth node.
        To test sending a private transaction from Node 1 to Node 7, run './runscript.sh private-contract.js'

    8. Test port 9081 on 7nodes, every 10 minutes.

    On the first try everything is ok:

        [root@hadoop-1 7nodes] curl -s http://localhost:9081/upcheck curl -s http://localhost:9082/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9082/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9083/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9084/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9085/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9086/upcheck
        I'm up![root@hadoop-1 7nodes] curl -s http://localhost:9087/upcheck
        I'm up![root@hadoop-1 7nodes] date
        2020-01-08 13:03:36 CST

    On the second try 9081-9087 hang up:

        [root@hadoop-1 7nodes]# curl -s http://localhost:9081/upcheck
        curl -s http://localhost:9082/upcheck
        curl -s http://localhost:9083/upcheck
        curl -s http://localhost:9084/upcheck
        curl -s http://localhost:9085/upcheck
        curl -s http://localhost:9086/upcheck
        curl -s http://localhost:9087/upcheck
        ^C
        [root@hadoop-1 7nodes]# date
        2020-01-08 13:15:17

    2020-01-08 13:15:17 bug reappear !!!

  • Tests are making the installation to loop forever

    When I tried to install the project using maven 3.6 with the command mvn install at some point the installation kind of "stopped" without proceeding for about 7 hours. After that I stopped it manually. When providing the clean install with no tests - mvn clean install -DskipTests=true it was installed successfully.

  • Tessera process continue to throw exceptions and private transactions don't go through on distributed node/+ tessera setup

    System information

    Geth version: 1.8.18-stable
    Quorum version: quorum-v2.2.3
    Tessera version: quorumengineering/tessera:0.9.1
    OS & Version: Linux/OSX Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-47-generic x86_64)

    We have Geth+Tessera nodes deployed on distributed machines. Peer tessera nodes are mentioned in the peer list of tessera-config.json of each tessera node. The issue is, the tessera node discovers peer nodes outside the specified peer network too. If the discovered peer list seems to have an issue with connectivity, it throws exceptions and it continues.

    {"log":"06:50:22.272 [pool-1-thread-1] ERROR c.q.t.t.TesseraScheduledExecutor - Error when executing action PartyInfoPoller\n","stream":"stdout","time":"2019-05-09T06:50:22.272856945Z"}
    {"log":"06:50:22.272 [pool-1-thread-1] ERROR c.q.t.t.TesseraScheduledExecutor - Error when executing action\n","stream":"stdout","time":"2019-05-09T06:50:22.272869291Z"}
    {"log":"javax.ws.rs.ProcessingException: java.net.NoRouteToHostException: Host is unreachable (Host unreachable)\n","stream":"stdout","time":"2019-05-09T06:50:22.272872429Z"}
    {"log":"\u0009at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:284) ~[tessera-app.jar:na]\n","stream":"stdout","time":"2019-05-09T06:50:22.272892301Z"}
    {"log":"\u0009at org.glassfish.jersey.client.ClientRuntime.invoke(ClientRuntime.java:278) ~[tessera-app.jar:na]\n","stream":"stdout","time":"2019-05-09T06:50:22.272895579Z"}
    {"log":"\u0009at org.glassfish.jersey.client.JerseyInvocation.lambda$invoke$0(JerseyInvocation.java:753) ~[tessera-app.jar:na]\n","stream":"stdout","time":"2019-05-09T06:50:22.272897997Z"}
    {"log":"\u0009at org.glassfish.jersey.internal.Errors.process(Errors.java:316) ~[tessera-app.jar:na]\n","stream":"stdout","time":"2019-05-09T06:50:22.272900301Z"}
    {"log":"\u0009at org.glassfish.jersey.internal.Errors.process(Errors.java:298) ~[tessera-app.jar:na]\n","stream":"stdout","time":"2019-05-09T06:50:22.272902551Z"}
    Tessera should have mechanism to filter out unreachable nodes. 
    
    Subsequently, we can not execute any private transactions on such tessera nodes.
  • Query on constellation to tessera migration

    We have existing instances running on constellation with Quorum.

    Future Roadmap

                      Quorum        Constellation   Tessera
    Since inception   ver. 2.0.1    ver. 0.3.2      -
    May 2019          ver. 2.2.1    ver. 0.3.2      -
    Future release    ver. 2.2.1    -               ver. 0.9

    We have completed a POC for migration from constellation to tessera and have found that the blockNumber changes from the earlier number e.g. 2012 to 1. The old transactions are present and seems that a new leveldb file was created.

    Is this the expected behavior? Should the block number not be retained correctly? Please advise.

  • Tessera AWS Secret Manager integration

    I want to integrate AWS Secret Manager with Tessera (v 22.10.0). I am using JDK 19. I configured the AWS Key vault plugin properly and am able to create the Pub and Key keypair in Secret Manager (reference https://docs.tessera.consensys.net/en/stable/HowTo/Configure/KeyVault/AWS-Secrets-Manager/). While retrieving, Tessera gives the exception below:

    tessera -configfile tessera.conf

    ERROR: Config validation issue: keys No AWS keyVaultConfig was specified but AWS keyData was provided
    ERROR: Config validation issue: keys.keyVaultConfigs[0].keyVaultType may not be null

    tessera.conf file is attached. Please help to resolve the same.

    Thank You! tessera.zip

  • update jackson and jackson-databind to 2.14.1

    Signed-off-by: Sally MacFarlane [email protected]

    Update versions

    Documentation

    • [x] I thought about documentation and added the doc-change-required label to this PR if updates are required.

    Changelog

    • [x] I thought about adding a changelog entry, and added one if I deemed necessary.
  • tessera 22.10.0 is having vulnerabilities for libexpat, login and passwd libraries

    We are getting the below vulnerabilities for the latest tessera 22.10.0 image. Please let us know when the new image will be available with the fixes for these vulnerabilities.

  • Build failed by JaCoCo

    ./gradlew build

    [ant:jacocoReport] Rule violated for class com.quorum.tessera.config.cli.KeyGenCommand: lines covered ratio is 0.9, but expected minimum is 1.0
    [ant:jacocoReport] Rule violated for class com.quorum.tessera.config.cli.KeyGenCommand: instructions covered ratio is 0.9, but expected minimum is 1.0
    
    FAILURE: Build failed with an exception.
    

    java --version

    java 17.0.5 2022-10-18 LTS
    Java(TM) SE Runtime Environment (build 17.0.5+9-LTS-191)
    Java HotSpot(TM) 64-Bit Server VM (build 17.0.5+9-LTS-191, mixed mode, sharing)
    

    gradle --version

    ------------------------------------------------------------
    Gradle 7.6
    ------------------------------------------------------------
    
    Build time:   2022-11-25 13:35:10 UTC
    Revision:     daece9dbc5b79370cc8e4fd6fe4b2cd400e150a8
    
    Kotlin:       1.7.10
    Groovy:       3.0.13
    Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
    JVM:          17.0.5 (Homebrew 17.0.5+0)
    OS:           Mac OS X 12.6 x86_64
    
  • Fetch tessera secrets from AWS KMS using IAM roles

    To enable Tessera to use AWS Secrets Manager, we need to configure 3 environment variables, namely AWS_REGION, AWS_SECRET_ACCESS_KEY & AWS_ACCESS_KEY_ID. But what if an organisation is restricted to getting only AWS_REGION & AWS_ACCESS_KEY_ID from the AWS environment? Instead of AWS_SECRET_ACCESS_KEY, we have an IAM role. Hopefully this is also best practice for security reasons. Now, the question is how to use an IAM role instead of AWS_SECRET_ACCESS_KEY to enable Tessera to use AWS Secrets Manager?

    https://docs.tessera.consensys.net/en/stable/HowTo/Configure/KeyVault/AWS-Secrets-Manager/
