
Signing Agent

Configure

TL;DR

  • The Signing Agent Docker image references a configuration file, config.yaml.
  • You can download a template for it from GitHub: config-template.yaml.

Configuration options

The following settings are configurable via the YAML file:

  • Base
  • Auto approval
  • Qredo WebSocket
  • HTTP
  • Logging
  • Load balancing
  • Store
  • Learn more about setting up cloud storage of secrets.

Configuration properties

Customize the properties of config.yaml to suit your needs.

The following table presents each property.

| Property | Sub-property | Sub-property/Options | Description |
|---|---|---|---|
| base | | | Controls connection properties |
| | qredoApi | https://api-v2.qredo.network/api/v2 | Base domain for the production environment |
| autoApproval | | | Enables automatic approval of all transactions |
| | enabled | true, false | Toggles automatic approval on/off |
| | retryIntervalMaxSec | | Maximum time for which the Signing Agent retries approval attempts. Failure fallback applies after this period |
| | retryIntervalSec | | Interval between approval attempts. Cycled until retryIntervalMaxSec is reached. |
| websocket | | | This is returned with agentID when the agent is registered |
| | qredoWebsocket | | Qredo provides a WebSocket to collect transaction approval requests from |
| | reconnectTimeoutSec | | Timeout in seconds for connection attempt |
| | reconnectIntervalSec | | Interval in seconds between connection attempts |
| | pingPeriodSec | | The ping period for the ping handler in seconds |
| | pongWaitSec | | The pong wait for the pong handler in seconds |
| | writeWaitSec | | The write wait in seconds |
| | readBufferSize | | The WebSocket upgrader read buffer size in bytes |
| | writeBufferSize | | The WebSocket upgrader write buffer size in bytes |
| http | | | |
| | addr | | The address and port the service runs on |
| | CORSAllowOrigins | * | Optional: The value assigned to the Access-Control-Allow-Origin of the responses of the built-in API. If not required, pass *. |
| | logAllRequests | true, false | Toggles logging of incoming requests to the built-in API on/off |
| | TLS | | TLS configurations for the internal HTTP server. Used to determine whether HTTP or HTTPS is applied. |
| | | enabled | Toggles whether TLS is enabled on/off with true, false |
| | | keyFile | If enabled is true, specifies the key file to use for the TLS server |
| | | certFile | If enabled is true, specifies the cert file to use for the TLS server |
| logging | | | |
| | format | text, json | File format for the log |
| | level | debug, info, warn, error | Log level; default is debug |
| loadBalancing | | | |
| | enable | true, false | Toggles whether load balancing logic is on/off |
| | onLockErrorTimeoutMs | | On lock timeout in milliseconds |
| | actionIDExpirationSec | | Expiration of action_id variable in Redis in seconds |
| | redis | | |
| | | host | Redis host |
| | | port | Redis port |
| | | password | Redis password |
| | | db | Redis database name |
| store | | | Store type holding private key information for the Signing Agent |
| | type | file, oci, aws, gcp | |
| | file | | If store type is file, pass path to the storage file |
| | oci | | If store type is Oracle cloud configuration, details for the Oracle vault |
| | | compartment | Oracle Cloud Identifier (OCID) where the vault and encryption key reside |
| | | vault | OCID of the vault where the secret will be stored |
| | | secretEncryptionKey | Encryption key used for both the secret and the data inside the secret |
| | | configSecret | Name of secret that will be used to store the data |
| | aws | | Amazon cloud configuration to store the private keys in AWS Secrets Manager |
| | | region | If using AWS Secrets Manager, AWS region where the secret is stored |
| | | configSecret | If using AWS Secrets Manager, name of the AWS Secrets Manager secret containing the encrypted data |
| | gcp | | If store type is Google Cloud Platform, details for its configuration |
| | | projectID | Your project ID |
| | | configSecret | Name of secret that will be used to store the data |

Example configuration values

Note: this is not an example configuration file, because examples are provided for properties that would conflict, such as storing/passing the private key by different methods.

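| Property | Sub-property | Sub-property | Example |
|---|---|---|---|
| base | | | |
| | qredoApi | | sandbox-api.qredo.network |
| | pin | | 0 |
| autoApproval | | | |
| | enabled | | false |
| | retryIntervalMaxSec | | 300 |
| | retryIntervalSec | | 5 |
| websocket | | | |
| | qredoWebsocket | | wss://sandbox-api.qredo.network/api/v1/p/coreclient/feed |
| | reconnectTimeoutSec | | 300 |
| | reconnectIntervalSec | | 5 |
| | pingPeriodSec | | 5 |
| | pongWaitSec | | 10 |
| | writeWaitSec | | 10 |
| | readBufferSize | | 512 |
| | writeBufferSize | | 1024 |
| http | | | |
| | addr | | 0.0.0.0:8007 |
| | CORSAllowOrigins | | * |
| | logAllRequests | | false |
| | TLS | | |
| | | enabled | true |
| | | keyFile | tls/domain.crt |
| | | certFile | tls/domain.key |
| logging | | | |
| | format | | text |
| | level | | debug |
| loadBalancing | | | |
| | enable | | false |
| | onLockErrorTimeoutMs | | 300 |
| | actionIDExpirationSec | | 6 |
| | redis | | |
| | | host | redis |
| | | port | 6379 |
| | | password | "" |
| | | db | 0 |
| store | | | |
| | type | | file |
| | file | | /volume/ccstore.db |
| | oci | | |
| | | compartment | ocid1.tenancy.oc1... |
| | | vault | ocid1.vault.oc1... |
| | | secretEncryptionKey | ocid1.key.oc1... |
| | | configSecret | signing_agent_config |
| | aws | | |
| | | region | aws-region-... |
| | | configSecret | secrets_manager_secret... |
| | gcp | | |
| | | projectID | signing-agent-1234... |
| | | configSecret | secrets_manager_secret... |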

Cloud secret storage

An alternative to storing the Signing Agent configuration on-premises in a file is to use secure cloud-based storage.

In the sections below, you'll find the supported cloud-based solutions and correct configs for them. Further specifics of usage are best discussed with your cloud services admin department.

Oracle Cloud Vault

In order to use Oracle Cloud Vault storage, update your configuration storage setting, i.e. set the store: type to oci in the YAML configuration file.

For example, your YAML config should look something like the following:


store:
  type: oci
  oci:
    compartment: ocid1.tenancy....
    vault: ocid1.vault....
    secretEncryptionKey: ocid1.key....
    configSecret: signing_agent_config
  ...

AWS Cloud Secrets Manager

In order to use AWS for configuration storage, update your configuration storage setting, i.e. set the store: type to aws and provide the AWS Region and the name of the Secrets Manager secret in the YAML configuration file.

For example, your YAML config should look something like the following:

store:
  type: aws
  aws:
    region: eu-west-2
    configSecret: signing_agent_config
  ...

Google Cloud Platform

In order to use Google Cloud Platform for configuration storage, update your configuration storage setting, i.e. set the store: type to gcp and provide the project ID and the name of the secret that will be used to store the data.

For example, your YAML config should look something like the following:

store:
  type: gcp
  gcp:
    projectID: signing-agent-1234...
    configSecret: secrets_manager_secret...

Config Gotchas

HTTP/TLS

If you wish to configure the TLS settings, you must supply the certFile and keyFile to set up HTTPS.
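A pre-deployment check over the properties documented above, as an added example that is not part of the Qredo documentation or the Signing Agent code. The rule set, the finding messages and the SAMPLE values are assumptions; the function takes the dict a YAML parser would return for config.yaml.

```python
# Added example: property names come from the table on this page; the rules,
# messages and SAMPLE values are assumptions constructed for illustration.
STORE_FIELDS = {
    "oci": ["compartment", "vault", "secretEncryptionKey", "configSecret"],
    "aws": ["region", "configSecret"],
    "gcp": ["projectID", "configSecret"],
}

def lint_config(cfg):
    """Return findings for a parsed config dict (e.g. the result of yaml.safe_load)."""
    findings = []
    if cfg.get("autoApproval", {}).get("enabled"):
        findings.append("autoApproval.enabled: all transactions are approved automatically")
    http = cfg.get("http", {})
    tls = http.get("TLS", {})
    if not tls.get("enabled"):
        findings.append("http.TLS.enabled: built-in API is served over plain HTTP")
    else:
        # The HTTP/TLS gotcha: both files must be supplied for HTTPS.
        findings += [f"http.TLS.{k}: required when TLS is enabled"
                     for k in ("keyFile", "certFile") if not tls.get(k)]
    if http.get("CORSAllowOrigins") == "*":
        findings.append("http.CORSAllowOrigins: wildcard Access-Control-Allow-Origin")
    lb = cfg.get("loadBalancing", {})
    if lb.get("enable") and not lb.get("redis", {}).get("password"):
        findings.append("loadBalancing.redis.password: empty while load balancing is on")
    store = cfg.get("store", {})
    stype = store.get("type")
    if stype == "file":
        if not store.get("file"):
            findings.append("store.file: path required when store.type is file")
    elif stype in STORE_FIELDS:
        section = store.get(stype) or {}
        findings += [f"store.{stype}.{f}: required for this store type"
                     for f in STORE_FIELDS[stype] if not section.get(f)]
    else:
        findings.append(f"store.type: {stype!r} is not one of file, oci, aws, gcp")
    return findings

# Constructed sample with deliberate gaps (not a real deployment's config).
SAMPLE = {
    "autoApproval": {"enabled": True},
    "http": {"addr": "0.0.0.0:8007", "CORSAllowOrigins": "*",
             "TLS": {"enabled": True, "keyFile": "", "certFile": "tls/agent.pem"}},
    "loadBalancing": {"enable": True, "redis": {"host": "redis", "password": ""}},
    "store": {"type": "aws", "aws": {"region": "eu-west-2"}},
}

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE)))
```

Run against SAMPLE it reports five findings; a config with auto approval off, TLS fully specified, a specific CORS origin and a complete store section returns an empty list.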
