Subzones

This is an internal feature. Running a network with multiple subzones is not a supported configuration.

Network from a Node’s Perspective

From the perspective of a node, a network is defined by the Identity Manager and Network Map services it is configured to connect to. It has no comprehension of subzones. It simply connects to the services configured within its configuration file and, once registered with both, interacts with other nodes and the apps deployed upon it via the RPC clients. This is summarised below:

node zone view — Network from a Node's Perspective

The node is unaware of other subzones - it sees only those nodes registered with the Network Map service that it has also registered with itself.

Network from a Zone’s Perspective

From the perspective of the operator of that zone however, things are a lot more interesting:

simple subzones — Network from a Zone's Perspective

In this example the zone operator is operating two public subzones, each with a different minimum platform version (the other network parameters shared by the two zones are omitted for brevity). Each subzone has a single notary, operated by the zone operator, whose node info is included in the whitelist of the network parameters representing that zone.

A zone always has only one instance of Signer. Multiple subzones can have different network maps but all share the same Signer and Identity Manager. Signer signs:

Certificate signing requests from the Identity Manager,
Changes to the network parameters,
Updates to the network map.

Interesting features:

All nodes are registered with the zone’s Identity Manager Service. This includes the notaries.
Each subzone is represented by a network map, each with its own database and network parameters file.
Node 1 is on the “older” subzone using a minimum platform version of 3. It is unaware that Nodes 2 and 3 even exist (just as they are unaware of it) but can use Notary 1.
Nodes 2 and 3 and Notary 2 can all intercommunicate as one would expect.

Segregated Subzones

The fundamental difference between a public subzone and a segregated one is that the operation of the notaries is deferred to a third party. The relationship between the zone operator and the notary operator is left to the discretion of the zone operator.

The important part from the perspective of CENM is that the signed node info is transferred from the notary operator to the zone operator.

This is shown in the following diagram:

segregated subzones — Segregated Subzones

‹‹ Prev | Next ››

Our use of cookies

CENM Auth Service Helm chart

CENM Gateway Service Helm chart

CENM Identity Manager Helm chart

CENM Network Map Service Helm chart

CENM Notary Helm chart

CENM Signing Service Helm chart

CENM Zone Service Helm chart

CENM Deployment AWS/EKS

Creating a new HSM using the AWS Console

Deploy CENM 1.4 with AWS and PostgreSQL

Public Key Infrastructure (PKI) Tool

CENM Services Command-line Interface

CENM User Admin tool

Certificate Revocation Request Submission Tool

CRL Endpoint Check Tool

Subzones

Network from a Node’s Perspective

Network from a Zone’s Perspective

Segregated Subzones