CCPEDIA by Unity Nodes

Security in versions above 2.0.0

App Development · 3 posts · 212 views · 1 like · Last activity Aug 2022

Derek (OP)
Jul 2022

Hello community,

I have a question regarding the Daml version above 2.0.0:

How is the encryption of communication between Domain and Participants done? When capturing traffic with the Wireshark tool, the messages I can capture between the domain and the participant only contain information up to the transport layer (TCP protocol). Is there any filter available to capture these messages?

Thank you,

Derek

MatthiasSchmalz
Jul 2022

Hi @Derek

In a production environment, messages floating between participant and domain are encrypted using TLS. By default, TLS is disabled.
Even with TLS disabled, the message payload is encrypted with an ephemeral key, because the sequencer is not allowed to see payloads. You can choose between the crypto providers Tink and JCE, but you can’t choose “no encryption”. (Perhaps you can configure Tink / JCE to skip encryption, but I haven’t tried that out.)

For educational purposes, we have created config options that will dump message payloads to the log. Try including this in your Canton config:

canton.monitoring.logging {
  event-details = true
  api.message-payloads = true
}

Make sure to enable debug logging when running canton:

bin/canton -v -c myConfig.conf

I hope this helps!
Matthias

MatthiasSchmalz
Aug 2022

Detailed logging is also explained here:
https://docs.daml.com/canton/usermanual/monitoring.html#detailed-logging
