> For the complete documentation index, see [llms.txt](https://docs.catalyx.solutions/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.catalyx.solutions/catalyx-blockchain-manager/canton-network/version-1.10/validator-management/create-validator-with-integrated-keycloak.md).

# Create Validator with Integrated Keycloak

{% hint style="info" %}
This guide is for the **Default** authentication option with integrated Keycloak. To set up a validator with a custom identity provider, see [Create Validator with Custom Identity Provider](broken://pages/9844ff1963d140a1f9c290677670d71bb72d16d0).
{% endhint %}

## Validator Management

Validators can be deployed on Catalyst and seamlessly connected to the Canton Network.

### Set Up a Validator

To set up a Validator, go to the **Validators** tab and click the **Set up validator** button to open a side window.

<figure><img src="/files/H0S2JSmIb8SoesvpC46h" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
For further details, expand the collapsible **"More Info"** sections on each step.
{% endhint %}

{% stepper %}
{% step %}
**Main Settings Configuration**

Provide the following information:

* Name
* Onboard secret
* Image tag
* Image repo
* Image pull secret
* Postgres user
* Postgres password

<details>

<summary>More info about these fields</summary>

| Field                 | Description                                                                                         |
| --------------------- | --------------------------------------------------------------------------------------------------- |
| **Name**              | The identifier or label for the validator node                                                      |
| **Onboard secret**    | Passphrase obtained from your sponsoring super validator (SV); required to join the network         |
| **Image tag**         | The specific version or tag of the container image to be used                                       |
| **Image repo**        | The repository where the container image is stored                                                  |
| **Image pull secret** | Credentials required to pull the container image from a private registry (`secret docker-registry`) |
| **Postgres user**     | Username for the Postgres database used by the validator                                            |
| **Postgres password** | Password for the Postgres database user                                                             |

</details>

{% hint style="info" %}
An onboarding secret should be requested from your sponsoring SV in order to join the network.
{% endhint %}

{% hint style="danger" %}
Leave the **Custom Authentication** flag **off**. These instructions cover the integrated Keycloak configuration only; to use a custom identity provider, see [Create Validator with Custom Identity Provider](broken://pages/9844ff1963d140a1f9c290677670d71bb72d16d0).
{% endhint %}
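The **Image pull secret** field expects the name of a `kubernetes.io/dockerconfigjson` Secret that already exists in the cluster. The following Python is an added example, not part of the Catalyx documentation or product: it builds the same manifest that `kubectl create secret docker-registry` produces and adds an audit helper that lists which registries a given Secret grants access to. The registry, namespace, username and password are placeholders.

```python
import base64
import json

# Constructed placeholder values; not taken from the documentation page.
SAMPLE_REGISTRY = "registry.example.com"


def docker_config_json(registry: str, username: str, password: str, email: str = "") -> str:
    """Build the .dockerconfigjson document kubelet consults when pulling from a private registry.

    The "auth" field is only base64(username:password); nothing is encrypted, so the Secret
    must be protected like the registry password itself (RBAC on get/list of Secrets, encryption at rest).
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return json.dumps({"auths": {registry: entry}}, separators=(",", ":"), sort_keys=True)


def pull_secret_manifest(name: str, namespace: str, registry: str, username: str, password: str) -> str:
    """YAML equivalent of: kubectl create secret docker-registry NAME --docker-server=... --dry-run=client -o yaml"""
    encoded = base64.b64encode(docker_config_json(registry, username, password).encode()).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: kubernetes.io/dockerconfigjson",
        "data:",
        f"  .dockerconfigjson: {encoded}",
        "",
    ])


def registries_granted_by(manifest: str) -> dict:
    """Audit helper: map registry -> username for every entry in a dockerconfigjson Secret manifest."""
    for line in manifest.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == ".dockerconfigjson":
            cfg = json.loads(base64.b64decode(value.strip()))
            return {reg: entry["username"] for reg, entry in cfg["auths"].items()}
    raise ValueError("manifest has no .dockerconfigjson data entry")


if __name__ == "__main__":
    # Apply with: python3 pull_secret.py | kubectl apply -f -
    print(pull_secret_manifest("validator-pull-secret", "canton", SAMPLE_REGISTRY, "validator-puller", "example-token"))
```

The Secret only base64-encodes the registry password; anyone who can `get` Secrets in that namespace can recover it, so restrict that RBAC verb and rotate the registry token if the rendered manifest is ever committed to source control.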
{% endstep %}

{% step %}
**Cluster Configuration**

**2.1 — Enable or disable:**

* Disable wallet
* Fail on app version mismatch
* Use sequencer connections from scan

**2.2 — Fill in the remaining fields:**

* Cluster URL
* Scan address
* SV Sponsor Address
* Party hint
* Default JVM Options
* Migration: Id
* Top up: Enable, Top up min interval, Target throughput

**2.3 — Enable or disable:**

* Participant identities dump import
* Participant identities dump periodic backup

<details>

<summary>More info about these fields</summary>

| Field                            | Description                                                                                                         |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| **Cluster URL**                  | URL of the Kubernetes cluster where the validator is deployed. Used for looking up directory entries in the scan UI |
| **Disable wallet**               | Turn on to skip deploying the wallet UI alongside your validator                                                    |
| **Fail on app version mismatch** | If enabled, deployment fails on validator/network version mismatch                                                  |
| **Scan address**                 | Address used for scanning and retrieving validator-related data                                                     |
| **SV Sponsor Address**           | URL of the SV app of the super validator sponsoring you (starts with `https://sv.sv-N`)                             |
| **Party hint**                   | Prefix for the Party ID. Format: `<organization>-<function>-<enumerator>`, e.g., `myCompany-myWallet-1`             |
| **Default JVM Options**          | Default JVM configuration options for the validator                                                                 |
| **Migration Id**                 | Starts at `0` for initial deployment, increments by 1 with each migration                                           |
| **Attach PVC**                   | Attach a Persistent Volume Claim for data persistence during migration (recommended)                                |
| **Migrating**                    | Set to `true` when upgrading to trigger the migration process                                                       |

</details>
{% endstep %}

{% step %}
**Cluster Participant Configuration**

* Insert your default JVM configurations
* Enable or disable: **Enable health probes**
* Insert your **Node Identifier**

<details>

<summary>More info about these fields</summary>

| Field                    | Description                                                   |
| ------------------------ | ------------------------------------------------------------- |
| **Node identifier**      | A unique identifier for the validator node within the network |
| **Enable health probes** | Turns on health checks to monitor the validator's status      |
| **Default JVM Options**  | Default JVM configuration options for the validator           |

</details>
{% endstep %}

{% step %}
**Configure Resources**

* Requested CPU
* CPU limit
* Requested memory
* Memory limit
* Replicas

<details>

<summary>More info about these fields</summary>

| Field                | Description                     |
| -------------------- | ------------------------------- |
| **Requested CPU**    | Minimum CPU resources requested |
| **CPU limit**        | Maximum CPU resources allowed   |
| **Requested memory** | Minimum memory requested        |
| **Memory limit**     | Maximum memory allowed          |
| **Replicas**         | Number of instances to run      |

</details>
{% endstep %}

{% step %}
**Configure Environment Variables**

Override environment variables for:

* Participant node
* Validator backend
* Canton Name Service UI
* Wallet UI

{% hint style="danger" %}
This is an advanced configuration. If you are unsure about this step, contact IntellectEU before overriding any of these variables.
{% endhint %}
{% endstep %}

{% step %}
**Summary**

Review your Validator configuration. Click **Confirm** to finalize and proceed with the deployment.
{% endstep %}

{% step %}
**Create a Permanent Password in Keycloak**

To access the wallet UI, you must first replace the temporary password generated during provisioning with a permanent one in Keycloak.

{% stepper %}
{% step %}
Save the credentials displayed in the pop-up window.
{% endstep %}

{% step %}
Once your node is up and running, click on the last link containing `wallet-web-ui`, then click the link at the top left of the screen.
{% endstep %}

{% step %}
A pop-up will ask you to re-authenticate. Close your session by clicking **Log out**.
{% endstep %}

{% step %}
Insert the temporary credentials saved in the previous step.
{% endstep %}

{% step %}
Define a new password and click **Submit**. You will be forwarded to the wallet UI console of your new Validator.
{% endstep %}
{% endstepper %}
{% endstep %}
{% endstepper %}

***

## Identity and Access Management

As part of the validator provisioning process, Keycloak is set as the identity provider. Each validator is assigned a dedicated user named `$VALIDATOR_NAME_walletuser` (your validator name followed by `_walletuser`) within the `validator` realm.

{% hint style="danger" %}
The initial password for this user is displayed in the provisioning pop-up. Rotate it after the initial setup and store the new password in a secret manager; do not reuse it anywhere else.
{% endhint %}

### Resetting the Wallet User Password in Keycloak

{% stepper %}
{% step %}
**Log in to the Keycloak admin console**

* **URL:** `https://<your-keycloak-domain>/auth/admin/`
* Use an account with administrative access.
{% endstep %}

{% step %}
**Navigate to the validator realm**

From the top-left dropdown, select **validator**, then find `$VALIDATOR_NAME_walletuser` under **Users**.
{% endstep %}

{% step %}
**Reset the password**

Navigate to the **Credentials** tab, enter a new password, toggle **Temporary** to **OFF**, and click **Reset Password**.

{% hint style="warning" %}
Store the new password securely and update any dependent services or configuration files if needed.
{% endhint %}
{% endstep %}
{% endstepper %}
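The console procedure above can also be scripted, which is useful when several validators' wallet users need rotating. The following Python is an added example, not taken from the Catalyx documentation or the Keycloak project. It assumes the legacy `/auth` context path shown in the admin console URL above, a `master`-realm administrator authenticating through Keycloak's built-in `admin-cli` client, a Keycloak version that supports the `exact=true` user-search parameter, and the placeholder `KEYCLOAK_URL`; the HTTP transport is passed in as a function so the logic can be exercised offline.

```python
"""Rotate the wallet user's Keycloak password through the Admin REST API instead of the console."""
import getpass
import json
import secrets
import string
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders, not from the documentation page).
KEYCLOAK_URL = "https://keycloak.example.com/auth"  # legacy /auth context path, as in the console URL above
TARGET_REALM = "validator"


def generate_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG; long enough that online guessing is hopeless."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def urllib_send(method, url, headers, data):
    """Real transport: returns (status, body). HTTP errors are returned, not raised, so callers see the code."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_admin_token(send, base_url, admin_user, admin_password):
    """Password grant against the master realm using Keycloak's built-in admin-cli public client."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": admin_user,
        "password": admin_password,
    }).encode()
    status, body = send("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(body)["access_token"]


def find_user_id(send, base_url, token, realm, username):
    """Look the user up by exact username and refuse to act if the match is not unique."""
    query = urllib.parse.urlencode({"username": username, "exact": "true"})
    status, body = send("GET", f"{base_url}/admin/realms/{realm}/users?{query}",
                        {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    matches = [u for u in json.loads(body) if u.get("username") == username]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, found {len(matches)}")
    return matches[0]["id"]


def reset_password(send, base_url, token, realm, user_id, new_password):
    """PUT a permanent credential: temporary=False is the API equivalent of toggling Temporary OFF."""
    payload = json.dumps({"type": "password", "value": new_password, "temporary": False}).encode()
    status, _ = send("PUT", f"{base_url}/admin/realms/{realm}/users/{user_id}/reset-password",
                     {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, payload)
    if status != 204:
        raise RuntimeError(f"password reset failed: HTTP {status}")
    return True


def rotate_wallet_user_password(send, base_url, realm, admin_user, admin_password, validator_name):
    """End-to-end rotation for <validator_name>_walletuser; returns (username, new_password)."""
    username = f"{validator_name}_walletuser"
    token = get_admin_token(send, base_url, admin_user, admin_password)
    user_id = find_user_id(send, base_url, token, realm, username)
    new_password = generate_password()
    reset_password(send, base_url, token, realm, user_id, new_password)
    return username, new_password


if __name__ == "__main__":
    # Usage: python3 rotate_wallet_user.py <validator-name>
    validator = sys.argv[1]
    admin_pw = getpass.getpass("Keycloak admin password: ")
    user, pw = rotate_wallet_user_password(urllib_send, KEYCLOAK_URL, TARGET_REALM, "admin", admin_pw, validator)
    print(f"rotated {user}; new password: {pw}  (store it in your secret manager now)")
```

The lookup deliberately fails when the username search returns anything other than exactly one account, so a typo or a stale duplicate cannot cause the wrong user's password to be reset. The admin password is read with `getpass` rather than taken from the command line so it does not land in shell history or the process list.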

<details>

<summary>Additional Keycloak documentation resources</summary>

* [Keycloak Documentation – Managing Users](https://www.keycloak.org/docs/latest/server_admin/#admin-cli)
* [Keycloak Admin Console Guide](https://www.keycloak.org/docs/latest/server_admin/#admin-console)
* [Resetting Passwords via Admin Console](https://www.keycloak.org/docs/latest/server_admin/#resetting-passwords)

</details>

