Run rippled as a Validator
Running a rippled validator that participates in the Consensus process is simple:
- Enable validation on your rippled server.
- At first, your server is an untrusted validator. Others can see the validations your server issues, but they disregard them in the consensus process.
- Share the public key with the public, especially other rippled operators.
- When other rippled operators add your public key to their list of trusted servers, you have become a trusted validator.
- Also see Properties of a Good Validator for best practices.
The validator-keys tool (included in the rippled RPM) is the recommended means to securely generate and manage your validator keys.
Generate a validator key pair:
$ /opt/ripple/bin/validator-keys create_keys
Warning: Store the generated validator-keys.json key file in a secure but recoverable location, such as an encrypted USB flash drive. Do not modify its contents.
Generate a validator token and edit your rippled.cfg file to add the generated token:
$ /opt/ripple/bin/validator-keys create_token --keyfile /path/to/your/validator-keys.json
If you had previously configured your validator without using the validator-keys tool, you must also delete the earlier key configuration from your rippled.cfg file. This changes your validator public key.
$ sudo service rippled restart
See the validator-keys-tool GitHub repository for more information about managing validator keys.
To protect a production validator from DDoS attacks, you can use a stock rippled server as a proxy between the validator and the outside network.
Configure the validator and stock rippled servers to be clustered with each other.
Make the following configuration changes to your validator:
- Copy the [ips_fixed] list and paste it under [ips]. These fields should contain only the IP addresses and ports of the public-facing rippled(s). The validator connects to only these peers.
- Set the peer-privacy setting to 1 to prevent its IP address from being forwarded.
- Copy the
Configure the validator host machine's firewall to only accept inbound connections from its public-facing rippled(s).
Remember to restart rippled for config changes to take effect.
Take care not to publish the IP address of your validator.
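A small checker for the peering settings above, added here as an example and not part of the rippled project or its documentation. It parses rippled.cfg stanzas and confirms that [ips] and [ips_fixed] match and list only the public-facing rippled servers you pass in (the addresses below are constructed, not real servers).

```python
# Added example (not rippled project code): verify that a validator's rippled.cfg
# only peers with its own public-facing proxy servers, as described above.
import re


def parse_rippled_cfg(text):
    """Parse rippled.cfg into {stanza: [entries]}; '#' starts a comment, blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def check_validator_peering(text, public_facing):
    """Return a list of findings; empty means the validator peers only with its proxies.

    public_facing: iterable of 'ip port' strings for the stock rippled proxy servers.
    """
    cfg = parse_rippled_cfg(text)
    allowed = {" ".join(p.split()) for p in public_facing}
    findings = []
    for stanza in ("ips", "ips_fixed"):
        if stanza not in cfg:
            findings.append(f"missing [{stanza}] stanza")
    ips = {" ".join(e.split()) for e in cfg.get("ips", [])}
    fixed = {" ".join(e.split()) for e in cfg.get("ips_fixed", [])}
    if "ips" in cfg and "ips_fixed" in cfg and ips != fixed:
        findings.append("[ips] and [ips_fixed] differ; they must list the same peers")
    for entry in sorted((ips | fixed) - allowed):
        findings.append(f"peer {entry!r} is not one of the public-facing rippled servers")
    return findings


# Constructed sample: two proxy servers, one config that is correct, one with a stray peer.
PROXIES = ["203.0.113.10 51235", "203.0.113.11 51235"]
GOOD_CFG = "[ips_fixed]\n203.0.113.10 51235\n203.0.113.11 51235\n\n[ips]\n203.0.113.10 51235\n203.0.113.11 51235\n"
BAD_CFG = "[ips_fixed]\n203.0.113.10 51235\n\n[ips]\n203.0.113.10 51235\n198.51.100.7 51235  # leftover public hub\n"

if __name__ == "__main__":
    print("good:", check_validator_peering(GOOD_CFG, PROXIES))
    print("bad:", check_validator_peering(BAD_CFG, PROXIES))
```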
Network participants are unlikely to trust validators without knowing who is operating them. To address this concern, validator operators can associate their validator with a web domain that they control.
Find your validator public key by running the following on the validator server:
$ /opt/ripple/bin/rippled server_info -q | grep pubkey_validator
Sign the validator public key (from step 1) using the SSL private key used for your domain. The SSL private key file does not need to be stored on the validator server.
$ openssl dgst -sha256 -hex -sign /path/to/your/ssl.key <(echo <your-validator-public-key>)
Using the validator-keys tool (included in the rippled RPM), sign the domain name:
$ /opt/ripple/bin/validator-keys --keyfile /path/to/your/validator-keys.json sign <your-domain-name>