Canton High Availability behavior

Hi team,
I have a couple of questions about Canton in a High Availability configuration.
We have two separate Mediators (active-passive), two separate Sequencers (active-active), two separate Participants (active-passive) and one Domain-Manager. We start the domain initialization from the Canton remote console using the bootstrap.canton script.

Question 1:
Are there settings for remote-participants to enable an insecure connection without setting a TOKEN? For example, the sequencer has transport-security = false.
Question 2:
According to the HA architecture, when we run separate sequencers, the active participant must connect to all sequencers. But in our case the active participant connects to only one sequencer. If we start another active participant, it can connect to the other sequencer, but not to both at the same time.

One case:

Status for Sequencer 'sequencer0':
Sequencer id: ...
Connected Participants:
        PAR::participant::1220415f4e64...
Sequencer: SequencerHealthStatus(isActive = true)
details-extra: None

Status for Sequencer 'sequencer1':
Sequencer id: ...
Connected Participants: None
Sequencer: SequencerHealthStatus(isActive = true)
details-extra: None

Another case:

Status for Sequencer 'sequencer0':
Sequencer id: ...
Connected Participants: None
Sequencer: SequencerHealthStatus(isActive = true)
details-extra: None

Status for Sequencer 'sequencer1':
Sequencer id: ...
Connected Participants:
        PAR::participant::1220415f4e64...
Sequencer: SequencerHealthStatus(isActive = true)
details-extra: None

participant domains.list_registered() looks good in both cases:

res1: Seq[(DomainConnectionConfig, Boolean)] = Vector(
  (
    DomainConnectionConfig(
      domain = Domain 'domain',
      sequencerConnection = GrpcSequencerConnection(
        endpoints = Seq(http://sequencer-1:4401, http://sequencer-0:4401),
        transportSecurity = false,
        customTrustCertificates = None()
    ),
    true
  )
)

Is this normal behavior/state?
Thanks for the advice.

Hi @Maksym_Zhovanyk

What version of Canton Enterprise are you using, and how are you running it? Natively, in a VM or containerised (Docker/K8s)?

Hi @Ben_M
I am using Canton Enterprise version 2.4.0 now, and I am running it in K8s using a Helm Chart which I created.
Thanks.

Hi @Maksym_Zhovanyk,

I'm not sure that I completely understand what you are asking here. Remote-participants is a configuration stub to define remote console connections to already running participant nodes. If those participant nodes require TLS, then the remote-participant definition will also have to include a valid TLS client configuration; otherwise it should be able to connect without any credentials.

If there is a remote-sequencer node also defined in the same configuration set, the sequencer reference will have a sequencerConnection value that reflects that configuration. If TLS is required by the real sequencer node but it is not included in the remote-sequencer definition, a connection attempt on the remote console using purely the remote-sequencer reference will fail.

A participant only connects to a single sequencer at a time. What you enable by listing multiple sequencers in the sequencer connection is for the participant node to fail over to another sequencer if the previously connected one becomes unhealthy.

Kind Regards,
Mate

@Mate_Varga
That explanation about connecting a remote-participant to a remote-sequencer is OK for me. Thanks for it.
The TLS part is also clear (I tested these approaches and everything is OK now).
Thanks for the reply.
