Upload DAR to SSL-Enabled Sandbox via CLI

Hi, I was trying to run my unit test to test the sandbox’s SSL features.
This is the command that I used:

daml sandbox --dar xxx.dar --cacrt -xxx.crt --pem xxx.pem --key xxx.key

I tried with a different command and got the error attached below:


According to this thread, it seems like daml sandbox was able to accept TLS-related arguments (such as --pem, etc.).

This was for the sandbox that shipped with Daml 1.x (specifically Daml 1.11 in the thread you pointed to). Since Daml 2.0, the “sandbox” is a thin wrapper around a single-node Canton ledger. To configure SSL you’ll have to run daml sandbox -c <path/to/canton.conf>. You can find more details on how to configure SSL for the Ledger API here.

Hi @stefanobaghino-da, below is the sample config:

canton.participants.sandbox.ledger-api {
  address = vincent.canton.app
  port = 8888
  tls {
    // the certificate to be used by the server
    cert-chain-file = "./vincekey/participant.crt"
    // private key of the server
    private-key-file = "./vincekey/participant.pem"
    // trust collection, which means that all client certificates will be verified using the trusted
    // certificates in this store. if omitted, the JVM default trust store is used.
    trust-collection-file = "./vincekey/root-ca.crt"
    // define whether clients need to authenticate as well (default not)
    client-auth = {
      // none, optional and require are supported
      type = require
      // If clients are required to authenticate as well, we need to provide a client
      // certificate and the key, as Canton has internal processes that need to connect to these
      // APIs. If the server certificate is trusted by the trust-collection, then you can
      // just use the server certificates. Otherwise, you need to create separate ones.
      admin-client {
        cert-chain-file = "./vincekey/admin-client.crt"
        private-key-file = "./vincekey/admin-client.pem"
      }
    }
  }
}

Output as below:

But if I did it separately,

Upload dar without the key:

With the key, it can upload successfully.

For anything more complex than quick local development and testing, I would recommend you use the Canton Console (reference). It offers a more complete set of options and commands to interact with Canton and it’s also what you’ll likely use against a production ledger. See here for example how to upload DARs.
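
An added example, not part of the original thread or of the Daml/Canton project: a script that builds a throwaway test PKI with the file names the posted `ledger-api` `tls` block references (`root-ca.crt`, `participant.crt`/`.pem`, `admin-client.crt`/`.pem`), then checks that each key matches its certificate, that both certificates chain to the trust collection, and that the server certificate covers the configured address. The CN values, RSA-2048 keys and 30-day lifetime are assumptions chosen for local testing.

```shell
#!/bin/sh
# Added example: throwaway test PKI for the posted ledger-api tls block.
# HOST, the CNs, RSA-2048 and the 30-day lifetime are assumptions.
HOST="${HOST:-vincent.canton.app}"

# issue <name> <CN> <extension line>: key, CSR, then a cert signed by root-ca
issue() {
  # genpkey writes an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY")
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1.pem" 2>/dev/null &&
  openssl req -new -key "$1.pem" -subj "/CN=$2" -out "$1.csr" &&
  printf '%s\n' "$3" > "$1.ext" &&
  openssl x509 -req -in "$1.csr" -CA root-ca.crt -CAkey root-ca.key \
    -CAcreateserial -days 30 -sha256 -extfile "$1.ext" \
    -out "$1.crt" 2>/dev/null &&
  rm -f "$1.csr" "$1.ext"
}

# make_test_pki <dir>: root CA plus the two leaf pairs the config references
make_test_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root-ca.key \
    -subj "/CN=Test Root CA" -days 30 -out root-ca.crt 2>/dev/null || exit 1
  # server cert: the SAN must match the address clients connect to
  issue participant "$HOST" "subjectAltName=DNS:$HOST" || exit 1
  # client cert for the admin-client block (needed with client-auth require)
  issue admin-client "admin-client" "extendedKeyUsage=clientAuth"
)

# check_pair <name>: does <name>.crt carry the public key of <name>.pem?
check_pair() {
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1.pem" -pubout)" ]
}

# check_pki <dir>: key/cert pairing, chain to root-ca.crt, server hostname
check_pki() (
  cd "$1" || exit 1
  check_pair participant && check_pair admin-client &&
  openssl verify -CAfile root-ca.crt -purpose sslserver \
    -verify_hostname "$HOST" participant.crt >/dev/null 2>&1 &&
  openssl verify -CAfile root-ca.crt -purpose sslclient \
    admin-client.crt >/dev/null 2>&1
)

# Stand-alone use: sh thisfile ./vincekey
if [ -n "${1:-}" ]; then
  make_test_pki "$1" && check_pki "$1" && echo "PKI in $1 is consistent"
fi
```

Running `check_pki` against an existing key directory before starting the sandbox separates certificate problems (wrong key, wrong CA, hostname not in the SAN) from configuration problems.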