Adding trusted nodes to a network

In the previous chapters, we have started our own node and then a network with multiple nodes but what if we want to control which nodes enter the network? 

Meaning only authorized nodes are allowed to enter the network.

In this chapter, we will learn how to do exactly that and in the next chapter we will build upon this to create a complete permissioned blockchain network. So we’re essentially building up on the knowledge that we have gained in the previous sections.

Generate account and keys

Open up a terminal and change directory into the project where you have compiled the node.

Now we will generate a random secret phase and keys by running the following command - 

./target/release/node-template key generate --scheme Sr25519 --password-interactive

It will ask you to enter a password and you can do that now.

This command will generate a seed phrase that you can save for later reference.

You can now use the seed phrase to derive keys using the Ed25519 signature scheme.

For example, run a command similar to the following - 

./target/release/node-template key inspect --password-interactive --scheme Ed25519 "pig giraffe ceiling enter weird liar orange decline behind total despair fly"

Where the last bit is the secret seed.

You will now be asked to type the password, enter the same password you used to create the key earlier and you will now have the key for finalizing blocks using grandpa.

Create a custom chain specification 

After you generate the keys to use with your blockchain, you are ready to create a custom chain specification using those key pairs then share your custom chain specification with trusted network participants called validators.

Instead of writing a completely new chain specification, you can modify the predefined local chain specification.

Cd into the folder where you have compiled the node and export the local chain specification to a file named customSpec.json with the following command - 

./target/release/node-template build-spec --disable-default-bootnode --chain local > customSpec.json

We will make some changes to the customSpec.json file, so open it up in a text editor.

Modify the name field, for example - 

"name": "My Custom Testnet",

Modify the aura field to these values - 

"aura": { "authorities": [
   "5CfBuoHDvZ4fd8jkLQicNL8tgjnK8pVG9AiuJrsNrRAx6CNW", 
   "5CXGP4oPXC1Je3zf5wEDkYeAqGcGXyKWSRX2Jm14GdME5Xc5"
 ]
},

Modify the grandpa field to these values - 

"grandpa": {
   "authorities": [
     [
       "5CuqCGfwqhjGzSqz5mnq36tMe651mU9Ji8xQ4JRuUTvPcjVN",
       1
     ],
     [
       "5DpdMN4bVTMy67TfMMtinQTcUmLhZBWoWarHvEYPM4jYziqm",
       1
     ]
   ]
 },

What we have done is, we’ve added address keys in the aura field for the validator nodes that can create blocks and we’ve added address keys in the grandpa field for the validator nodes that have the authority to finalize blocks.

In this way we can specifically define which nodes can do what in the network.

After you prepare a chain specification with the validator information, you must convert it into a raw specification format before it can be used.

Distributing a raw chain specification ensures that each node stores the data using the proper storage keys.

To convert a chain specification to use the raw format:

• Open a terminal shell on your computer.
• Change to the root directory where you compiled the Substrate node template.
• Convert the customSpec.json chain specification to the raw format with the file name customSpecRaw.json by running the following command:

./target/release/node-template build-spec --chain=customSpec.json --raw --disable-default-bootnode > customSpecRaw.json

Prepare for launch

After you distribute the custom chain specification to all network participants, you're ready to launch your own private blockchain.

Let’s start the first node - 

./target/release/node-template
  --base-path /tmp/node01
  --chain ./customSpecRaw.json
  --port 30333
  --ws-port 9945
  --rpc-port 9933
  --telemetry-url "wss://telemetry.polkadot.io/submit/ 0"
  --validator
  --rpc-methods Unsafe
  --name MyNode01
  --password-interactive

You will now be asked for a password, use the same password that you used to generate the keys

Adding keys to keystore

For each node:

• Add the aura authority keys to enable block production.
• Add the grandpa authority keys to enable block finalization.

There are several ways you can insert keys into the keystore. For this tutorial, you can use the key subcommand to insert locally-generated secret keys.

./target/release/node-template key insert --base-path /tmp/node01
  --chain customSpecRaw.json
  --scheme Sr25519
  --suri <your-secret-seed>
  --password-interactive
  --key-type aura

Replace <your-secret-seed> with the secret phrase or secret seed for the first key pair that you generated

You will again be asked for the password, and you can enter that.

Insert the grandpa secret key generated from the key subcommand by running a command similar to the following:

./target/release/node-template key insert
  --base-path /tmp/node01
  --chain customSpecRaw.json
  --scheme Ed25519
  --suri <your-secret-key>
  --password-interactive
  --key-type gran

Again, replace <your-secret-key> and type in the password after you are prompted for the same.

Now all we need to do is, verify whether our keys are there in the keystore for node01 by running the following command - 

ls /tmp/node01/chains/local_testnet/keystore

**After this, an important step is to restart the node once you have entered the grandpa key as substrate nodes require a restart at this point.

Enable other participants to join

Now we have to allow other validators to join the network.

In the previous section, we have one of our authorized nodes with aura and grandpa keys, so now we can start another node.

Run the following command to start the second node - 

./target/release/node-template
  --base-path /tmp/node02
  --chain ./customSpecRaw.json
  --port 30334
  --ws-port 9946
  --rpc-port 9934
  --telemetry-url "wss://telemetry.polkadot.io/submit/ 0"
  --validator
  --rpc-methods Unsafe
  --name MyNode02
  --bootnodes /ip4/127.0.0.1/tcp/30333/p2p/12D3KooWLmrYDLoNTyTYtRdDyZLWDe1paxzxTw5RgjmHLfzW96SX
  --password-interactive

Add aura key -

./target/release/node-template key insert --base-path /tmp/node02
  --chain customSpecRaw.json
  --scheme Sr25519
  --suri <second-participant-secret-seed>
  --password-interactive
  --key-type aura

Replace <second-participant-secret-seed> with the secret phrase or secret seed that you generated. You will be prompted for a password, so we need to enter it.

Now add the grandpa secret key - 

./target/release/node-template key insert --base-path /tmp/node02
  --chain customSpecRaw.json
  --scheme Ed25519 --suri <second-participant-secret-seed>
  --password-interactive
  --key-type gran

Again replace the secret seed and enter the password.

You may have noticed the similarities between the process for starting the first node and this second node. That’s because it’s the same process, and using this same repeatable process you can add as many nodes you like to your network. This is what makes substrate special, you can also write custom bash scripts to automate this repeatable process.

Verify that your keys are in the keystore for node02 - 

ls /tmp/node02/chains/local_testnet/keystore

Just like the previous node, we now have to restart this node as well since we’ve entered the grandpa key.

You can use this command to restart - 

./target/release/node-template
  --base-path /tmp/node02
  --chain ./customSpecRaw.json
  --port 30334
  --ws-port 9946
  --rpc-port 9934
  --telemetry-url 'wss://telemetry.polkadot.io/submit/ 0'
  --validator
  --rpc-methods Unsafe
  --name MyNode02
  --bootnodes /ip4/127.0.0.1/tcp/30333/p2p/12D3KooWLmrYDLoNTyTYtRdDyZLWDe1paxzxTw5RgjmHLfzW96SX
  --password-interactive

After both nodes have added their keys to their respective keystores—located under /tmp/node01 and /tmp/node02—and been restarted, you should see the same genesis block and state root hashes.