The Client node communicates with the Replica Network to access the blockchain data.

The communication between the Client and Replica nodes must be secured to avoid malicious attacks. VMware Blockchain implements various cryptographic algorithms to ensure that the communication is secure.

Replica Network Security

The communication between the Replica nodes in the network occurs over a TLS connection, authenticated on both sides using pinned certificates. These certificates are installed during the trusted setup phase.

Each Replica node maintains its private keys for signing the Concord-BFT consensus protocol messages and additional keys for signing the execution outcome. All the keys are EdDSA (Edwards-curve Digital Signature Algorithm) keys. See Key Management.

Replica Node to Client Node Security

The connection between the Client node and the Replica nodes in the write path is secured using a TLS 1.3 connection authenticated on both sides with pinned certificates.

Each Client node maintains a private authentication key, which allows it to self-authenticate to the Replica node.

Client Node Ledger API Authentication

Client nodes support the optional auth-jwt-rs256-jwks authorization mechanism configuration. In this configuration, the Client node is supplied with a JWKS endpoint URL to validate the JWT tokens the Daml Ledger API receives.