The operator container uses the ObjectStore tool for data integrity assessment. The data integrity evaluation includes proof of origination and tamper-detection capabilities of the data stored on the ObjectStore.

Prerequisites

Verify that the operator container is instantiated. See Instantiate the operator container.

Procedure

  1. Access the ObjectStore tool.

    ./object_store_utility

    There are three types of configuration options you can use:

    • MANDATORY_OPTIONS

    • validate

    • restore

  2. Configure the ObjectStore tool MANDATORY_OPTIONS.

    Option

    Description

    --keys-file arg

    Add the file path for the cryptography keys configuration.

    The blockchain configuration should reflect the existing Replica Network, excluding the Full Copy Client nodes, and include the BFT F and C values.

    You can retrieve the encrypted Replica Network keys.

    curl -X GET 127.0.0.1:8546/api/encryption/key
    {"algorithm":"AES/CBC/PKCS5Padding","key":"1ecc5e7d046bb68b5d02dff9d4dbd68dfa0601bc4db0eebcf7bc6a04494ec3d1","iv":"19cc85cc393f3d0d2eb939c05c632924","key_length":256,"additional_info":null}

    The most recent set of Replica node RSA keys must be specified.

    Sample key file.

    $ cat config-local/keys.yaml
    #number of replica nodes in cluster
    num_replicas: 4
    #SBFT F value
    f_val: 1
    #SBFT C value
    c_val: 0
     
    # RSA non-threshold replica node public keys
    rsa_public_keys:
      - 30820120300D06092A864886F70D01010105000382010D00308201080282010100BAB189C206B85F27A35E1F8F10D87F89969445B4C26C80E2CAB9205F38BE8AF2A59B2B21674AE200B473B2D3F886F2B0BA637C409C218AE9F568EA36C96D3B39050436A821F1003141E426D9E91E0665EBABFF8C7FEC0A2D48C393F9B447D4E4C1C5AB87458DBCB788972CA4D83D04DE2F9921FDADB9D3CCDE8AB0438C4F2C1822C138296C76E7F3E7E75DA0BBBB4185AB4B59F7DF8FE2C1DC5FF2AC87DCA171A20FCAA947B10C9BFB540CA469D19C4A8E984D58E569ADFBC07AC78056301373DE1A44913B7786B5EA20F16F3F789660949B16E2FFB0CFD3732C894DA113E9ECEF59CB4ED8BC0724DCEE1E79F804DE547771000D5C460C37A2F8554601304A03020111

    --s3-config-file arg

    Add the S3 ObjectStore configuration file path.

    The S3 ObjectStore configuration is used for blockchain replication.

    Note:

    Verify that the S3 ObjectStore specified in the configuration file is running and accessible from the operator container node to avoid connection errors.

    Sample S3 ObjectStore configuration file.

    $ cat config-local/s3_object_store_config.txt
    # S3 Object Store Configuration
    s3-bucket-name: blockchain
    s3-access-key: concordbft
    s3-protocol: HTTP
    s3-url: minio:9000
    s3-secret-key: concordbft
    # optional
    s3-path-prefix: concord

  3. Validate the data integrity of the blockchain.

    A CheckPoint is created when there is an agreement of f+1 Replica nodes. The signed CheckPoints are saved on the ObjectStore. As part of the data integrity validation, the ObjectStore tool verifies the existence of these signed CheckPoints.

    Option

    Description

    --all

    Validates the entire blockchain data integrity from the block specified in the latest CheckPoint descriptor up to the genesis block.

    ./object_store_utility --keys-file config-local/keys.yaml --s3-config-file config-local/s3_object_store_config.txt validate --all

    --range arg

    Validates the blockchain data integrity starting from the block specified in the latest CheckPoint descriptor to the block specified by the --range argument.

    $ ./object_store_utility --keys-file config-local/keys.yaml --s3-config-file config-local/s3_object_store_config.txt validate --range 500

    --key arg

    Validates a specific key.

    The validation starts at the latest block in which the key resides. The process parses that block and extracts the key value.

    Note:

    This validation option is deactivated by default.

    $ ./object_store_utility --keys-file config-local/keys.yaml --s3-config-file config-local/s3_object_store_config.txt validate --key 0000000000000061

  4. Restore the RocksDB data.

    The RocksDB directory might contain a RocksDB snapshot created by a backup and restore procedure. The restore process starts at the block specified in the latest CheckPoint descriptor and ends at the last_reachable_block in the RocksDB.

    If the RocksDB directory does not exist or is empty, the entire blockchain is restored to the RocksDB directory.

    Option

    Description

    --db-path arg

    Add the local file system RocksDB directory path.

    The command restores the blockchain to the default version 4.

    ./object_store_utility --keys-file config-local/keys.yaml --s3-config-file config-local/s3_object_store_config.txt restore --db-path /tmp/db

    --blockchain-version arg

    Add the blockchain version.

    The supported versions are 1 and 4.

    The command restores the blockchain to version 1.

    ./object_store_utility --keys-file config-local/keys.yaml --s3-config-file config-local/s3_object_store_config.txt restore --db-path /tmp/db --blockchain-version 1
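
A consistency check for the keys file described in step 2, as an added example that is not part of the original documentation or the product tooling: it confirms that num_replicas, f_val and c_val satisfy the SBFT sizing rule n = 3f + 2c + 1 (general SBFT knowledge, not stated on this page) and that rsa_public_keys holds one hex-encoded entry per replica. The function names and the sample data are constructed for illustration, and the parser assumes the flat layout of the sample keys.yaml.

```shell
#!/bin/sh
# Added example: consistency check for the file passed to --keys-file.
# Assumes the flat layout of the sample keys.yaml shown in step 2.

# Print the value of a top-level "name: value" scalar.
yaml_scalar() {  # $1=file $2=key
  awk -F': *' -v k="$2" '$1 == k { sub(/[ \t\r]+$/, "", $2); print $2; exit }' "$1"
}

# Print each entry of the rsa_public_keys list, one per line.
rsa_keys() {  # $1=file
  awk '/^rsa_public_keys:/ { on = 1; next }
       on && /^[^ #-]/      { on = 0 }
       on && /^ *- /        { sub(/^ *- */, ""); sub(/[ \t\r]+$/, ""); print }' "$1"
}

# Exit status 0 if the file is self-consistent, 1 otherwise (reasons on stderr).
check_keys_file() (  # $1=file; the subshell body keeps variables local
  n=$(yaml_scalar "$1" num_replicas)
  f=$(yaml_scalar "$1" f_val)
  c=$(yaml_scalar "$1" c_val)
  for v in "$n" "$f" "$c"; do
    case $v in
      ''|*[!0-9]*) echo "num_replicas, f_val, c_val must be integers" >&2; exit 1 ;;
    esac
  done
  rc=0
  # SBFT sizing rule n = 3f + 2c + 1 (general SBFT fact, not stated on this page).
  if [ "$n" -ne $((3 * f + 2 * c + 1)) ]; then
    echo "num_replicas=$n is not 3*f_val + 2*c_val + 1" >&2; rc=1
  fi
  # The list needs one entry per replica, each hex-encoded in whole bytes.
  count=$(rsa_keys "$1" | awk 'END { print NR }')
  bad=$(rsa_keys "$1" | awk '!/^[0-9A-Fa-f]+$/ || length($0) % 2 { b++ } END { print b + 0 }')
  [ "$count" -eq "$n" ] || { echo "found $count rsa_public_keys, expected $n" >&2; rc=1; }
  [ "$bad" -eq 0 ] || { echo "$bad rsa_public_keys entries are not valid hex" >&2; rc=1; }
  exit "$rc"
)

# Constructed sample: f_val contradicts num_replicas and two keys are missing.
demo() {
  tmp=$(mktemp)
  printf '%s\n' 'num_replicas: 4' 'f_val: 2' 'c_val: 0' \
    'rsa_public_keys:' '  - 30820120AA' '  - 30820120BB' > "$tmp"
  if check_keys_file "$tmp"; then status=0; else status=1; fi
  rm -f "$tmp"
  return "$status"
}
demo || echo "keys file rejected"
```

Running check_keys_file against config-local/keys.yaml before invoking validate or restore catches a stale or truncated key list early, before the tool is run against the ObjectStore.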