The Client node communicates with the Replica node to access data in the State Machine.

The communication between the Client and Replica nodes must be secured to avoid malicious attacks. VMware Blockchain implements various cryptographic algorithms to ensure that the communication is secure.

Replica Network Security

The communication between the Replica nodes in the network occurs over a TLS connection, which is authenticated on both sides using pinned certificates. These certificates are installed during the trusted setup phase.

Each Replica node maintains its private keys for signing the Concord-BFT consensus protocol messages and additional keys for signing the execution outcome. See Key Management.

Replica Node to Client Node Security

The connection between the Client node and the Replica nodes in the write path is secured using a TLS connection authenticated on both sides with pinned certificates. The connection between the Client node and Replica Network and the read and write requests are secured using TLS 1.2.

Each Client node maintains a private authentication key, which allows it to self-authenticate to the Replica node.

Client Node Ledger API Authentication

Client nodes support the optional auth-jwt-rs256-jwks authorization mechanism configuration. In this configuration, the Client node is supplied with a JWKS endpoint URL to validate the JWT tokens the DAML Ledger API receives.