Node Installation Guide

Installing and Configuring NoDe 20.04

Indicio NoDe 20.04 GC User Guide

This document describes the steps to take to deploy your own NoDe 20.04 Indy Node from Google Cloud Marketplace using the Indy Node Image provided by Indicio, PBC.

Please read all instructions before attempting to create an Indy Node, as there are many steps that vary from default values. Unless otherwise noted, these instructions do not include items that work with default or blank values. If you wish to create your own complete Indy Network, you will need to create multiple NoDe instances, and a full overview can be found in the NoDe Network Creation Guide.

Pre-deployment

Project

  1. Create a new GC Project for your node.

    1. From the GC console (https://console.cloud.google.com/), select the drop down next to Google Cloud in the upper right

    2. Click New Project in the upper left of the pop-up

    3. All configurations are your choice, click CREATE when done

Networks

  1. Before creating the instance, you must configure the default and also an additional VPC network for your new node.

  2. From the Navigation Menu, scroll over VPC network and select VPC networks (If you haven’t already, you will need to click ENABLE to use the compute engine API)

  3. Before you begin, decide on a region to run your VM in that matches the jurisdiction of your company's corporate offices. Record the region selected for use throughout these instructions. You will use this same region later in the instructions when required.

  4. Under VPC networks click default to edit the network configurations:

  5. Click on the SUBNETS tab and then on ADD SUBNET and input the following values

    1. Name - client-subnet-9702 (or make a name according to your needs, making sure it is descriptive)

    2. Region - Your selected region

    3. IPv4 range - 10.0.1.0/24 (or enter another valid range according to your needs)

  6. Click ADD

  7. Click the back arrow next to VPC network details to go back to VPC Networks

  8. Click CREATE VPC NETWORK at the top of the screen to create the network for your node's “node” connection.

    1. Name - your choice (e.g. node-vpc)

    2. Under Subnet creation mode select Custom

    3. Expand the New subnet section and enter the following values

      1. Name - your choice (e.g. node-subnet-9701)

      2. Region - Your selected region

      3. IPv4 range - Type in a valid new subnet block. (e.g. 10.0.2.0/24)

      4. Click DONE

    4. For Dynamic routing mode select Regional

    5. Click CREATE

Static IP addresses

  1. Navigate to VPC network then select IP addresses from the menu

  2. Click RESERVE EXTERNAL STATIC IP ADDRESS

    1. Name - node-external-ip or your choice

    2. Network Service Tier - Standard

    3. Region - Your selected region

    4. Attached to - None (it will be attached to your vm later during your creation of the main node vm)

    5. Click RESERVE

  3. Click RESERVE EXTERNAL STATIC IP ADDRESS

    1. Name - client-external-ip or your choice

    2. Network Service Tier - Standard

    3. Region - Your selected region

    4. Attached to - None (it will be attached to your vm later during your creation of the main node vm)

    5. Click RESERVE

Firewalls

  1. Navigate back to VPC network then VPC networks

  2. Under VPC networks click default to edit the network configurations for the NoDe’s “client” connection.

  3. Click the FIREWALLS tab at the top of the page, and then click ADD FIREWALL RULE to add SSH access through the Client VPC. Use the following values in the fields below:

    1. Name - your choice (e.g. ssh-for-admin-access)

    2. Direction of traffic - Ingress

    3. Action on match - Allow

    4. Targets - All instances in the network

    5. Source filter - IPv4 ranges

    6. Source IPv4 ranges - Enter the public IP addresses or ranges for your Node Administrators. (e.g. 67.199.174.247/32)

    7. Protocols and ports - Specified protocols and ports

      1. Select the TCP check box and enter 22 for the port

    8. Click Create

  4. Click Add firewall rule. Use the following values in the fields below:

    1. Name - your choice (e.g. client-access-9702)

    2. Network - default (should already be set)

    3. Targets - All instances in the network

    4. Source filter - IPv4 ranges

    5. Source IPv4 ranges - 0.0.0.0/0

    6. Protocols and ports - Specified protocols and ports

      1. Select the TCP check box and enter 9702 for the port.

    7. Click Create

  5. Navigate back to VPC Network then VPC Networks

  6. Click on the node-vpc network then click Firewalls

  7. Ask your network administrator for a list of node IPs to add to your whitelist as part of the following steps. For each node IP on the network, do the following.

    1. Click Add firewall rule

      1. Name - Name (alias) of the node you are adding

      2. Network - node-vpc

      3. Direction of traffic - Ingress

      4. Action on match - Allow

      5. Targets - All instances in the network

      6. Source filter - IPv4 ranges

      7. Source IPv4 ranges - Enter the public IP address matching the Node name that you are adding. (e.g. 68.179.145.150/32)

      8. Protocols and ports - Specified protocols and ports

        1. Select the TCP check box and enter 9701 for the port

      9. Click Create

  8. Repeat the last set of steps for each node in the node list, changing the node Name and IP address for each new rule (you may omit your own address)

  9. NOTE: If you do not yet have a list of network nodes and IPs for the network you will be joining, you can do that part later. For now, just open up port 9701 to “all” source IPs (0.0.0.0/0) in the same way you did for port 9702 in the “client” firewall. Be sure to enter the appropriate firewall entries when you get the list.
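
The per-node rules in steps 7 and 8 can also be scripted. The following added example (not part of Indicio's guide) turns a peer list into one `gcloud compute firewall-rules create` command per node and rejects any entry that is not a single host, so a placeholder `0.0.0.0/0` never ends up in the port 9701 allowlist. The `peer-<alias>-9701` rule names and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example: turn a peer list into one port-9701 allow rule per node.
# NODE_LIST is constructed sample data using documentation address ranges.
NETWORK="node-vpc"   # node VPC name used in this guide
PORT=9701            # node-to-node port

# Succeeds only for a plain dotted-quad IPv4 host (no mask, octets 0..255).
# The body is a subshell so the IFS change and "set --" stay local.
valid_ipv4() (
  case $1 in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
  done
)

# Hypothetical naming scheme: "peer-<alias>-<port>", lowercased, with any
# character outside a-z0-9 replaced by a hyphen.
rule_name() {
  printf 'peer-%s-%s' \
    "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9' '-')" "$PORT"
}

# Reads "alias ip" lines on stdin and prints one gcloud command per peer.
# $1 is this node's own address, which is skipped.
gen_rules() {
  own_ip=$1
  while read -r peer ip; do
    case $peer in ''|'#'*) continue ;; esac
    if ! valid_ipv4 "$ip"; then
      echo "skip $peer: '$ip' is not a single IPv4 host" >&2
      continue
    fi
    [ "$ip" = "$own_ip" ] && continue
    printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --rules=tcp:%s --source-ranges=%s/32\n' \
      "$(rule_name "$peer")" "$NETWORK" "$PORT" "$ip"
  done
  return 0
}

NODE_LIST='# alias ip
NodeA 198.51.100.10
NodeB 203.0.113.25
Wide 0.0.0.0/0
Mine 192.0.2.7'

# Dry run: print the commands for review instead of executing them.
printf '%s\n' "$NODE_LIST" | gen_rules 192.0.2.7
```

Review the printed commands before running them, and remove the temporary open rule from step 9 once the per-node rules exist.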

Snapshots

  1. From the Navigation Menu, select Compute Engine then Snapshots

    1. Select the SNAPSHOT SCHEDULES tab then click CREATE SNAPSHOT SCHEDULE

    2. Name - your choice (e.g. 'nodesnapweekly')

    3. Region - Select the same region chosen earlier in this guide.

    4. Snapshot location - Regional (default location)

    5. Schedule frequency - Weekly (then your choice of day and time.)

    6. Autodelete snapshots after - 60 days

    7. Deletion rule - your choice (e.g. Select Delete snapshots older than 60 days to remove the snapshots every 2 months)

    8. Click CREATE

Creating the VM Instance

  1. From the Navigation Menu, select Compute Engine, then select VM instances

  2. Click Create Instance at the top of the page

  3. Select Marketplace in the left hand menu

  4. In the search bar, type Indicio NoDe and hit enter

  5. Select the option that is named Indicio NoDe (Ubuntu 20.04)

  6. Click GET STARTED

  7. Agree to the terms by checking the box and clicking AGREE

  8. Click DEPLOY

  9. Deployment name - <your company name>

    1. This name will become the name of your node on the network as well (the node ALIAS), so including your company name in it is desired. Do NOT use "Indicio", "Sovrin", "IDunion", "CANDY", or the network owner's name in this name.

    2. e.g. use "<company name>", "<company name>-node", "<company name>-TestNet-Node", "<company name>-TestNet-Node1", or something similar

  10. Choose and record a zone from the same region as you used previously in this document (ex. us-east4-c)

  11. Machine configuration

    1. Network Technical Governance requirements determine the values in this step. 2 vCPUs and 8G memory are the minimum requirements for Indicio Networks.

    2. Series - N2

    3. Machine Type - n2-standard-2 (2 vCPUs and 8G memory)

  12. Boot disk

    1. Boot disk type - Standard persistent disk is adequate.

    2. Size - 250 GB

  13. Network interfaces

    1. Expand and change the existing default network interface. This will be your “client” interface.

      1. Network - default (or client-vpc)

      2. Subnetwork - select the subnet you created earlier for the Client (client-subnet-9702 10.0.1.0/24)

      3. External IP - select the external client IP you created earlier (client-external-ip)

      4. Click DONE (For this network interface)

    2. Click Add A Network Interface to add a second network interface. (Required)

      1. Network - node-vpc

      2. Subnetwork - select the subnet you created earlier for the node (node-subnet-9701)

      3. Primary internal IP - select the internal node IP you created earlier

      4. External IP - select the external node IP you created earlier

      5. Click DONE

    3. Click "Deploy" to create the new NoDe GC VM instance.

Optional configurations prior to initiating the validator node. (skip this step if desired)

  1. Once the VM is created, navigate to Compute Engine>VM instances

  2. Click on the name of the VM you just created to access its settings

  3. Click Edit at the top of the page

  4. To set up ssh keys:

    1. Scroll down to Security and access

    2. Check the Block project-wide SSH keys (recommended)

    3. Enter a public SSH key for each Admin user (at least your own)

      1. Click + ADD ITEM for each SSH key.

    4. To create an SSH key:

      1. You can use the following command to create a new SSH key pair on Linux or macOS that will work for this step: ssh-keygen -P "" -t rsa -b 4096 -m pem -f ~/pems/gcnode.pem

      2. Once the key pair is created, the following command can be used on macOS or Linux to display the public key so you can copy it to the form: cat ~/pems/gcnode.pem.pub

      3. Copy the results of the previous step and paste it into the space provided, being careful NOT to copy any leading or trailing whitespace.

  5. To enable deletion protection:

    1. Under Basic information select the Enable deletion protection box (recommended)

Connecting to the VM

  1. SSH into your new node VM

    1. You can navigate to Compute Engine then VM instances then click SSH towards the right of your NoDe Instance

    2. OR you can use the SSH key access setup from an earlier optional step.

  2. Set up 2FA for SSH access to the Node for your base user.

    1. Install Google Authenticator, Duo, or Authy on your phone.

    2. Configure the authenticator to allow both password and SSH key login with 2FA by changing the following file:

      1. sudo vim /etc/ssh/sshd_config

      2. uncomment the following line at the bottom of the file: AuthenticationMethods publickey,keyboard-interactive

      3. :wq

      4. sudo systemctl restart sshd

    3. Set up your base user to use 2FA by running the following from a terminal:

      1. google-authenticator

      2. Answer "y" to all questions asked during the setup

      3. Save the secret key, verification code and scratch codes in a safe place. These are all just for your user and can be used to login or to recover as needed.

      4. On your phone app add an account and then scan the barcode or enter the 16 character secret key from the previous step's output.

      5. Reboot the instance and log in to make sure 2FA is configured properly.

  3. Add other administrative users:

    1. Send the other new admin users the following instructions for generating their own SSH keys:

      1. ssh-keygen -P "" -t rsa -b 4096 -m pem -f ~/pems/gcnode.pem

      2. Have the new users send you their public key (e.g. gcnode.pem.pub if they do the above command)

      3. Also have them send you their Public IP address so that you can add it to the GC firewall to allow them access. Optionally, have them send a preferred username also.

    2. Add their IP addresses to the GC firewall:

      1. From the GC VPC Networks screen (GC main menu -> VPC network->VPC networks), click on your Client VPC (e.g. client-vpc-9702)

      2. Click the "Firewall rules" tab (in about the middle of the screen).

      3. Click on the name of the rule that allows port 22 access for your admins (e.g. ssh-for-admin-access)

      4. Click "EDIT" at the top of the screen.

      5. Scroll down to the list of Source IP ranges and add the new Admins' IP addresses.

      6. Click "SAVE" (Note: Restart is not needed. As soon as you save, they should have access.)

    3. Add the users to the server:

      1. Login to the node as the base user.

      2. Run the following commands, substituting the username in for <newuser>

      3. sudo adduser <newuser>

        1. You can safely ignore messages like “sent invalidate(passwd) request, exiting“

        2. For “Enter new UNIX password:” input “password1” (This will be changed later)

        3. Enter a name (optional)

        4. Defaults are fine for the rest

      4. sudo usermod -aG sudo <newuser>

      5. Then create a file in the new user's home directory:

        1. sudo mkdir /home/<newuser>/.ssh

        2. sudo chown <newuser>:<newuser> /home/<newuser>/.ssh

        3. sudo vim /home/<newuser>/.ssh/authorized_keys

        4. Paste the user's public key into the open file and then save it (:wq)

        5. sudo chown <newuser>:<newuser> /home/<newuser>/.ssh/authorized_keys

      6. Repeat the above for each new admin user you create.

    4. The new users are now able to login. Since 2FA is required, when you send the password to each of the new users, also send the following instructions (HINT: fill in the username, Client IP address, and password for them with the correct values):

      1. Thanks for agreeing to help with the administration of our Indy Validator Node. Please login to the node, change your password, and setup Two Factor Authentication (2FA) using the following instructions:

      2. ssh -i <your private SSH key file> <username>@<Client IP Addr>

      3. Type in password1 for your password

      4. On successful login, type in "passwd" to change your password on the Validator Node. Please use a unique password of sufficient length and store it in a secure place (i.e. a password manager).

      5. To set up 2FA, type in "google-authenticator"

        1. Answer "y" to all questions asked during the setup

        2. Save the secret key, verification code, and scratch codes in a safe place. These are all for your user and can be used to login or to recover as needed.

      6. Install Google Authenticator, Duo, Authy, or other google-authenticator compatible app on your phone or device.

      7. On your 2FA phone app, add an account, and then scan the barcode or enter the 16 character secret key from step 4’s output.

      8. Log out and then log back in to check and make sure it worked!
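
An added check (not part of Indicio's guide) for the `AuthenticationMethods` change in step 2 of this section: it reads an `sshd_config` and succeeds only when every permitted method list requires both the SSH key and the keyboard-interactive prompt. The three sample configs are constructed, and the check ignores `Match` blocks and `Include`d files.

```sh
#!/bin/sh
# Added example: check that an sshd_config enforces key + second factor.
# The sample configs written below are constructed for illustration.

# Print the global AuthenticationMethods value: the first uncommented
# occurrence before any Match block (sshd keeps the first value it reads).
auth_methods() {
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "authenticationmethods" {
         $1 = ""; sub(/^[ \t]+/, ""); print; exit
       }' "$1"
}

# Succeeds only if the option is set and every space-separated method list
# contains both publickey and keyboard-interactive. A single weaker list
# (for example a bare "publickey") would let a login skip the code prompt.
enforces_2fa() {
  methods=$(auth_methods "$1")
  [ -n "$methods" ] || return 1
  for list in $methods; do
    case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
    case ",$list," in *,keyboard-interactive[,:]*) ;; *) return 1 ;; esac
  done
  return 0
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# 1. Line still commented out, so the option is unset.
printf '%s\n' 'UsePAM yes' \
  '#AuthenticationMethods publickey,keyboard-interactive' > "$demo_dir/commented"
# 2. The setting this guide asks for.
printf '%s\n' 'UsePAM yes' \
  'AuthenticationMethods publickey,keyboard-interactive' > "$demo_dir/enforced"
# 3. A second, weaker list that permits key-only logins.
printf '%s\n' 'UsePAM yes' \
  'AuthenticationMethods publickey,keyboard-interactive publickey' > "$demo_dir/bypass"

for name in commented enforced bypass; do
  if enforces_2fa "$demo_dir/$name"; then
    echo "$name: key + second factor required"
  else
    echo "$name: NOT enforced"
  fi
done
```

On the node, call `enforces_2fa /etc/ssh/sshd_config`; `sudo sshd -T | grep -i authenticationmethods` prints the value sshd actually loaded.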

Configuring the VM

  1. Complete the network setup process

    1. Run the Oneshot startup process

      1. sudo /opt/indy-startup/Oneshot.sh

    2. sudo netplan generate

    3. sudo netplan apply

    4. sudo add-apt-repository "deb http://security.ubuntu.com/ubuntu bionic-security main"

  2. Before proceeding, verify the network directory name for the network that you will be joining with your network administrator. The default used for NoDe is “itn” which is the directory name for the Indicio TestNet. If you will be joining a different network, please run the following command (substitute in your network directory name for “<network>”).

    1. sudo -i -u indy sed -i -re "s/(NETWORK_NAME = ')\w+/\1<network>/" /etc/indy/indy_config.py

    2. For example, for the Indicio DemoNet, the directory name is “idn” and the command would be: sudo -i -u indy sed -i -re "s/(NETWORK_NAME = ')\w+/\1idn/" /etc/indy/indy_config.py

  3. NOTE: The genesis files are pre-installed to the correct places if you are joining one of the Indicio networks, but if you are joining a different network, then please use the genesis files provided by your network administrator and install them in the directory name they provided.

  4. Run the following command

    1. sudo -i -u indy init_indy_node <ALIAS> <node ip> <node port> <client ip> <client port>

    2. TIP: run ip a to find your IP addresses needed here.

    3. For example: sudo -i -u indy init_indy_node Node8 10.0.2.2 9701 10.0.1.2 9702

    4. You can view an example that is tailored to your system by running the following

      1. cat /opt/indy-startup/init_indy_node_example

    5. Save the above init_indy_node command and all of the output in a safe place. You will need it later during onboarding and other actions.

  5. IPTables DDoS protection (required for most Indy Networks)

    1. sudo sed -i -re "s/(^CLIENT_CONNECTIONS_LIMIT=).*$/\115000/" /etc/indy/indy.env

    2. sudo DEBIAN_FRONTEND=noninteractive apt install -y -q iptables-persistent

    3. sudo setup_indy_node_iptables

  6. Since your node is Ubuntu 20.04 based, if you are joining a network that has Ubuntu 16.04 nodes on it (or has in the past) you must run the following:

    1. echo "REV_STRATEGY_USE_COMPAT_ORDERING = True" | sudo tee -a /etc/indy/indy_config.py

    2. If you are unsure, please check with your network administrator.

  7. Run the Technical Verification Script on the validator node:

    1. Download this script, upload it to your Validator node, and set the execution flag on it:

      1. ubuntu@validator$ cd ~

      2. ubuntu@validator$ chmod +x nodeop-tech-check.py

      3. Execute it, answering the questions that it asks. There are no wrong answers; please be honest. Questions that can be answered by scripting are automatically completed for you.

      4. ubuntu@validator$ sudo python3 ./nodeop-tech-check.py

      5. After the script completes, copy the output beginning at '== Results for "A Node Operator MUST" ==', and paste it into an email addressed to [email protected] then send it.

  8. From this step onward you will need 2 machines, the Node VM that you just configured, and a separate machine to install and run the Indy CLI on: such as your workstation or a VM specifically for network administration tasks.

  9. On the machine you’ve chosen for the CLI, install indy-cli using instructions from Appendix A at this link: Indicio SelfServe Instructions

  10. Create a JSON config file containing your taaAcceptanceMechanism. (You can also add plugins to this config file, but for now just set it up as basic as possible.) Open the file for editing with: vi ~/cliconfig

    1. This example cliconfig file contains the line that sets the AML:

    {
        "taaAcceptanceMechanism": "for_session"
    }
  11. To start the indy-cli using your new config file, run the following: indy-cli --config ~/cliconfig

  12. Next, generate a Steward DID using the CLI machine you just installed. This will comprise a public and private key pair, generated from a seed. Anyone who knows your seed can regenerate the key on demand, so you will need a very secure Steward seed that is not easy to guess.

    1. sudo apt install pwgen

    2. pwgen -s 32 1

    3. Record the output of the above command as the “Steward Seed”

  13. Next, start the indy-cli by entering: indy-cli --config ~/cliconfig

  14. In the command line, enter the following to create your pool configuration and your wallet locally. When creating your wallet, you will need to provide a "key" that is any string desired. It will be the encryption key of your local wallet.

    indy> pool create <pool name (e.g. itn)> gen_txn_file=pool_transactions_<Network Name (e.g. TestNet)>_genesis
    indy> wallet create <wallet name (e.g. itn_wallet)> key

  15. Open your wallet and create a DID based on the “Steward Seed” created earlier.

    indy> wallet open <wallet_name> key
    indy> did new seed=<Steward Seed> metadata="steward DID"

  16. Provide Information to Trustees

    1. At this point you should have the following data available:

      1. Your Steward verkey and DID

      2. The Validator ‘node IP address’

      3. The Validator ‘client IP address’

      4. The Validator ‘node port’

      5. The Validator ‘client port’

      6. The Validator alias

      7. The Validator verkey

      8. The BLS key

    2. Please go to the Node Operator Validator Registration form for Indicio networks (or the equivalent for the network you are joining) and provide the requested information.

Note: You are done with the first part of the installation and onboarding. Send an email to [email protected] (or the equivalent) and the network administrator staff will help you to set up the rest.

Copyright 2025 Indicio PBC
