---
title: "Using Fortanix Ignite One-Time Signer Solution"
slug: "using-fortanix-ignite-one-time-signer-solution"
updated: 2024-07-17T13:28:36Z
published: 2024-07-17T13:28:36Z
canonical: "support.fortanix.com/using-fortanix-ignite-one-time-signer-solution"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Using Fortanix Ignite One-Time Signer Solution

## 1.0 Introduction

This article describes how the **Fortanix “Ignite One-Time Signer”** solution improves the security of Proof-of-Stake blockchains that use the Ignite (previously known as Tendermint) software stack. The solution provides operators of validator nodes with a mechanism to prevent the double-signing of proposals and votes. This solution comprises a plugin that is securely deployed inside Fortanix-Data-Security-Manager (DSM) Software-as-a-Service (SaaS) and a shim which facilitates communication between the validator and the plugin.

### 1.1 Getting Started Video

[Embedded content](https://www.youtube.com/embed/DSyey1017jU)

### 1.2 Fortanix One-Time Signer Plugin

The Fortanix “Ignite One-Time Signer” solution validates that the proposals and votes are well-formed, tracks the state of the consensus protocol, and ensures that double-signing is prevented since it can be harmful to the blockchain network. The plugin can be used to sign blockchain consensus messages of the following types:

- PrevoteType = 0x01
- PrecommitType = 0x02
- ProposalType = 0x20

The plugin is protected by a quorum policy that involves multiple admin users. Once deployed, the plugin code cannot be modified without explicit permissions from multiple administrators. The solution offers the following benefits:

- High availability and disaster recovery.
- Secure key management.
- Secure execution of critical code.

> [!NOTE]
> NOTE
> 
> - The `shim` utility is installed in the same environment as the validator node. It allows the validator node to interface with the “Tendermint One Time Signer” plugin. *Refer to*[*Section 3.0*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#30-set-up-and-start-the-shim)*for more details*.

## 2.0 Set Up Plugin

### 2.1 Create a Fortanix DSM Group

1. To use the Fortanix “Tendermint One Time Signer” plugin in Fortanix DSM, you must first create a Fortanix DSM group and add the Plugin to this group.

![Create-Signer-Plugin.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/create-signer-plugin.png)

**Figure 1: Import plugin**

*Refer to the User’s Guide: Plugin Library for steps to*[*access*](/v1/docs/users-guide-plugin-library)*and*[*install*](/v1/docs/users-guide-plugin-library)*the plugin from the Fortanix DSM Plugin Library.*

![SignerPluginLibrary.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signerpluginlibrary.png)

**Figure 2: Install the plugin from the plugin library**
2. Copy the UUID of the plugin to add it to the `shim` configuration file later. *Refer to*[*Section 3.1*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#31-set-up-shim).

![CopyPluginUUID.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/copypluginuuid.png)

**Figure 3: Plugin UUID**
3. In the detailed view of the group, click the **INFO** tab and in the “Key metadata policy” section, click **ADD POLICY** to add a Key metadata policy for the group.

![KeyMetaPolicy.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/keymetapolicy.png)

**Figure 4: Add key metadata policy**
4. In the policy, add the following custom attributes as **Required**. These attributes maintain the state of the key for consensus signing.

> [!NOTE]
> NOTE
> 
> The custom attributes are case-sensitive.

![SignerCustomAtt.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signercustomatt.png)

**Figure 5: Create custom attributes**
  1. Name: `round` **Required**
  2. Name: `height` **Required**
  3. Name: `req_type` **Required**

### 2.2 Configure a Quorum Policy for the Group

After creating the Fortanix DSM group and adding the “Tendermint One Time Signer” plugin to this group, configure a Quorum Policy for the group to protect the plugin. This will ensure that the plugin code cannot be modified without the approval of the Group Administrator.

1. Go to the detailed view of the group, and click the **INFO** tab.
2. In the "Quorum approval policy" section, click **ADD POLICY** to add a new quorum policy.
3. Configure the Quorum approval policy and click **SAVE POLICY**.

![SignerQP.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signerqp.png)

**Figure 6: Configure Quorum approval policy**

### 2.3 Create an App In Fortanix DSM

Create an app in Fortanix DSM of type **REST API** for the “Tendermint One Time Signer” plugin and copy the app’s **API KEY**. This API Key is added to the `shim` configuration file later. *Refer to*[*Section 3.1*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#31-set-up-shim).

![APiKeyApp.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/apikeyapp.png)**Figure 7: Create an app and copy the API key**

### 2.4 Generate a Key

1. Generate a key called **consensus-key** in the same group created in [*Section 2.1*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#21-create-a-fortanix-dsm-group) so that the API key of the app created in [*Section 2.3*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#23-create-an-app-in-fortanix-dsm) can be used to access this key. The key type must be **EC** of Curve **Ed25519** since the `shim` accepts keys of this format only. This key is used by the validator for consensus signing.

> [!NOTE]
> NOTE
> 
> It is mandatory for the key name to be **consensus-key**.

![Signer-Consensus-Key.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signer-consensus-key.png)

**Figure 8: Consensus key**
2. Copy the Key ID of this key to add it to the `shim` configuration file later. *Refer to*[*Section 3.1*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#31-set-up-shim). ![Copy_Key_ID.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/copy_key_id.png)**Figure 9: Copy key ID**

Alternatively, you can also import an existing Ignite key. *Refer to the section “*[*Script to Convert Tendermint key to DER format*](https://github.com/fortanix/sdkms-plugin-library/tree/master/tendermint-one-time-signer#script-to-convert-tendermint-key-to-der-format)*” in the Plugin readme to convert an Ignite key to Fortanix DSM accepted key format*. The readme also has an example Ignite key.
3. In the detailed view of the key, click the **ATTRIBUTES/TAGS** tab and notice that the key has the custom attributes that were defined in the Key metadata policy while creating the group. For all the attributes, set the value as **-1**.

![KeyCustomAtt.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/keycustomatt.png)

**Figure 10: Key custom attributes**

## 3.0 Set Up and Start the Shim

### 3.1 Set Up Shim

To configure and use the `shim`, refer to the steps [here](https://github.com/fortanix/tendermint_shim/blob/main/README.md). This contains the instructions to compile the `shim` utility and generate a `shim` executable.

`shim` requires a configuration file that contains the authentication details needed to authenticate to Fortanix DSM with an API key. The file `shim.toml` contains this configuration. The configuration file expects the following additional details:

- Fortanix DSM “Tendermint One Time Signer” plugin UUID – Add the Plugin UUID copied in [*Section 2.1*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#21-create-a-fortanix-dsm-group) to the `shim.toml`file.
- Fortanix DSM App API Key – Add the API Key copied in [*Section 2.3*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#23-create-an-app-in-fortanix-dsm) to the `shim.toml`configuration file.
- Fortanix DSM Key UUID – Add the Key UUID coped in [*Section 2.4*](/v1/docs/using-fortanix-ignite-one-time-signer-solution#24-generate-a-key) to the `shim.toml`configuration file.

### 3.2 Running Shim

The `shim.toml` configuration file now has the details required for the Fortanix DSM Signer configuration:

- The Fortanix DSM “Tendermint One Time Signer” plugin ID for double-signing check.
- The Fortanix DSM App API Key to authenticate to Fortanix DSM.
- The Fortanix DSM Key ID is used by the Validator for consensus signing.

The configuration file also has the configuration for the Validator, which tells the Validator to use the Fortanix DSM Signer for consensus signing. To do this, you must pass the address of the `shim` for Ignite to listen for connections from the external validator process.

1. Run the shim configuration using the command `shim start -c&lt;/path/to/shim.toml&gt; `. The detailed steps to run the shim configuration are described [here](https://github.com/fortanix/tendermint_shim/blob/main/README.md).
2. Add the remote signer address for the Validator, for example, `tcp://127.0.0.1:26690`. This address must then be added to the `shim.toml` configuration file.
3. Start the Ignite Validator.
4. After the Validator starts, the proposal is now signed with a hash at a particular height, round, and step. These values are updated in the **consensus-key**’s custom attributes section.
5. The Validator receives the signature from the plugin.
6. Go to the detailed view of the plugin in Fortanix DSM and notice the **Activity Logs**section on the right. You will see the log showing that the Fortanix DSM app ran the plugin successfully.

![SignerPluginRan.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signerpluginran.png)

**Figure 11: Plugin execution log**
7. Go to the detailed view of the **consensus-key** and in the **Activity Logs** section notice that this key is used by the Validator for consensus signing.

![SignerSORan.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/signersoran.png)

**Figure 11: Execution log for key**

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Using Fortanix Signing Provider for Tendermint KMS](/using-fortanix-signing-provider-for-tendermint-kms.md)