CASP Bot

A bot is provided that can be used to demonstrate one of the approval mechanisms in your CASP system (Unbound's Crypto Asset Security Platform, which provides the advanced technology and the architecture to secure crypto asset transactions). This bot can be activated and can then approve pending operations.

Note
The bot must be enabled for listening before it can approve requests.

The CASP bot provides the functions described in the following sections.

System Requirements

The CASP bot runs on these platforms:

  • Linux RHEL/CentOS 7.2 and later

  • Ubuntu 16.04

Installation

Download and set up the CASP bot package.

  1. Access the CASP repository from the link provided to you by Unbound.

  2. Locate the CASP SDK Package based on the target OS and version.
  3. Download the package: casp-sdk-package.<version>.<os>.tar.gz.
  4. Decompress the package.

The following files are provided for the CASP bot in the bin folder:

  • BotSigner.jar
  • libcasp_signer_jni.so (for Linux)

These files must be copied to a location in your java.library.path.

Note
If you are upgrading the CASP bot and using a directory different from the previous installation, you must copy the key file(s) from the old installation. Key files are found in: <bot directory>/bin/<key>.p12

Prerequisites

The CASP bot requires one of the following prerequisites:

  • Oracle Java JDK 8
  • OpenJDK 11. OpenJDK can be obtained from several different sources. The recommended source is AdoptOpenJDK with the options for OpenJDK 11 and HotSpot.

Note
The bot communicates with CASP over an HTTPS connection. If the bot is not able to connect to CASP due to a certificate issue, add the root CA certificate of the CASP HTTPS certificate to the Java Root CA store using the following command:
keytool -trustcacerts -keystore <java_path>/lib/security/cacerts -storepass changeit -noprompt -importcert -file chain.pem

Activation

Warning
When creating a user for the bot in CASP, make sure that you do not enable 2FA (two-factor authentication) for that user.

To activate the bot participant (a member of any of the quorum groups):

java -Djava.library.path=. -jar <path_to>/BotSigner.jar -u <https://casp_ip>/casp -p <participant_id> -c <activation_code> -w <KeyStore password>

Parameters:

This activates the bot and stores its share parts in a newly created KeyStore that is protected by the provided KeyStore password.

Warning
If an operator ID is used instead of a participant ID, the bot will not work. See CASP Operators and Participants for more information about the different types of users in CASP.

Enable Listening

To start the bot listening to requests:

java -Djava.library.path=. -jar <path_to>/BotSigner.jar -u <https://casp_ip>/casp -p <participant_id> -w <KeyStore password>

This loads the bot in listening mode. When a new approval request is received, it is automatically approved.

The bot can also run in manual mode, where it asks the user to approve or decline requests. To run in manual mode, add the -m flag, as shown in the following command:

java -Djava.library.path=. -jar <path_to>/BotSigner.jar -u <https://casp_ip>/casp -p <participant_id> -w <KeyStore password> -m

Offline Bots

You can create a bot that can be used in an offline mode. This bot does not have any network connection and only sends and receives information when a human participant manually transfers the data using hard media, such as a USB drive.

The following process shows how to create, activate, and manage offline bots. It involves using the Web Interface or running commands on a terminal that has a network connection to the CASP service (called the base terminal in the examples), with a human participant transferring data to and from the bot device. The process is shown in the following figure.

Create and Activate the Offline Bot

  1. Create an offline bot.
    • If you are using the Web UI:
      1. On the Users screen, add a new participant. There is a checkbox to designate that the participant is offline. After clicking Create participant, a screen appears with the participant's details and a JSON file is downloaded.
      2. Manually transfer the JSON file to the bot.
    • If you are using the base terminal:
      1. Set the offline field to true when creating the participant.
      2. For example, use this command from the base terminal.

        curl --request POST \
        --url http://localhost:8888/casp/api/v1.0/mng/accounts/a41fcfcd-3a4c-4586-a87b-9aea9d876f2f/participants \
        --header 'authorization: Bearer dXNlcjExMTE6NjZiOTg4YjgtMjAwMS00MWQxLWFlYzEtMmNkMWNiZGM5NjQ3' \
        --header 'content-type: application/json' \
        --data '{
        "name": "offline bot-364160696929",
        "email": "302600113578@unboundtech.com",
        "role":"offline bot",
        "offline":true
        }'

        Response:

        {
        "id": "93d4ed76-c3c5-4ff4-a1ae-a2553f472c76",
        "activationCode": "392399",
        "name": "offline bot-481094963642",
        "serverAuthenticationKey": "abcd1234abcd1234...abcd1234abcd1234",
        "serverEncryptionKey": "1234abcd1234abcd...1234abcd1234abcd"
        }

      3. Create a file called activation_request.json and put the response into it.

      4. Manually transfer activation_request.json from the base terminal to the bot.
  2. On the offline bot, activate the offline participant.
  3. Run the bot with the following parameters. See Activation for information about the activation command.

    -o -a -i <JSON Activation Request File> -t activation_response.json -p <participantID> -w <KeyStore password>

    Explanation of parameters:

    • -o - Offline mode.
    • -a - Java provider password
    • -i - The input file, created in the previous step.
    • -t - The output file for the activation response.
    • -p, --participantID <arg> - The participant ID.
    • -w, --keystorepass <arg> - Password for the KeyStore.
  4. Manually transfer the activation_response.json file to the base device.
  5. Send the activation response to the CASP server.
    • If you are using the Web UI:

      On the Users screen, click the menu icon next to the participant and select Upload activation data. Select the file and then click Upload. If the incorrect file is used, a JSON error is displayed.

    • If you are using the base terminal:
    • For example, from the base terminal use the following command.

      curl --request POST \
      --url http://localhost:8888/casp/api/v1.0/mng/participants/<participantid>/activateOffline \
      --header 'content-type: application/json' \
      --data '{"encActivationRequest":"AAIzRlkK483U0WbPhWMHwV7u9hXON6ET/DC8r...4rLkT+xQA=="}'

      The body of the request should contain the exact contents of the activation_response.json file.

    The participant should now be active.

Add an Offline Bot to a Vault

Add this participant to one of the quorum groups in the vault.

  1. Request the server to add the bot to the vault.

    Place the response in a file called join_request.json.

  2. Manually transfer the JSON file to the bot and then approve joining the vault on the bot.
    Save the response into a file called join_response.json.

  3. Manually transfer the join_response.json file to the base terminal.
  4. From the base terminal, send the operation results to the CASP server.

Approve Transactions with the Offline Bot

When executing operations involving an offline bot, the administrator needs to download the operation data and transfer it manually to the offline bot. After the offline bot approves the operations, the admin needs to manually transfer the offline bot response data back to the base terminal and send it to the CASP service.

Note
If there is more than one pending operation for an offline bot, the request data contains them all and the response contains the data for the operations that were approved. This method may save some back and forth between the base terminal and the offline bot.

To approve a transaction (such as create, join vault, and sign):

  1. Retrieve the offline participant operations.
    • If you are using the Web UI:
      On the Users screen, click the menu icon next to the participant and select Download offline operation request. The file downloads.
    • If you are using the base terminal:
      Use this command to retrieve the operations.

      curl --request GET \
      --url http://localhost:8888/casp/api/v1.0/mng/participants/<participantid>/offlineoperations \
      --header 'authorization: Bearer dXNlcjExMTE6NjZiOTg4YjgtMjAwMS00MWQxLWFlYzEtMmNkMWNiZGM5NjQ3'

      Response:

      {
      "data":
      "lWqTPSCB8fkxRD7eywADd7hsbu70fo9Rx9qa3J8aiMI4BdRG4ZWSht/9xFBwC6c0jh6X5SITG1IA==",
      "tag": "nkOh4Yry7meHyywmV/B2aA==",
      "iv": "U66GvIQSEAIqOcRQ",
      "key": "OuvWP4CWXHJ2uD1M21g6T...twTCmNeb9w0vPmxjYS+A2KL6JBmHgz6tas7kI2sgk8g==",
      "participantId": "<participantid>",
      "sig": "0+g/+MK/oB1DQR7a/nS/41ioJGbQ8YTbUQg2rvc9FABp7vdeOqEVbNbpEVKzrq+hYWw=="
      }

      Place the response in a file called operations_request.json.

  2. Manually transfer the JSON file to the bot.
  3. Run the bot with the following parameters. See Activation for information about the activation command.
  4. -o -q operations_request.json -n operations_response.json -p <participantid> -w 12345678 -m

    Parameter descriptions:

    • -o - offline mode
    • -q - the file from the previous step containing the operations.
    • -n - an output file for the response.
    • -p, --participantID <arg> - The participant ID.

    • -w, --keystorepass <arg> - Password for the KeyStore.

    • -m - manual approval mode.

    In addition to the standard information that the bot displays, when working offline the bot prints out transaction information, including the hash to sign, the raw transaction, and which public keys are used. The bot then prompts you to approve or deny the operation.

    The following image shows an example of a sign operation.

  5. Manually transfer the operations_response.json file to the base terminal.
  6. Send the operation results to the CASP server.
    • If you are using the Web UI:

      On the Users screen, click the menu icon next to the participant and select Upload offline operation response. Select the file and then click Upload. If the incorrect file is used, a JSON error is displayed.

    • If you are using the base terminal:
    • Send the operation results to the CASP server.

      curl --request POST \
      --url http://localhost:8888/casp/api/v1.0/mng/participants/<participantid>/offlineoperations \
      --header 'authorization: Bearer dXNlcjExMTE6NjZiOTg4YjgtMjAwMS00MWQxLWFlYzEtMmNkMWNiZGM5NjQ3' \
      --header 'content-type: application/json' \
      --data '{
      "data": "AANDs8Wf+1+oCWsjS3mIejpzHxUXqUFqY8/YYHdf+CAiadrS4eud/mPzNJJ0yhunQ3opSXy=",
      "sig": "MEYCIQD83JSMDxjdaxG/UCR1ojPu5hTtravJPtrwWcyCUoFz/wIhAMpe2seX/91Bmxkpg2fgJ"
      }'

      The body of the request should contain the exact contents of the operations_response.json file (created in the previous step).
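
A pre-transfer check for the operations_request.json file used in the procedure above, as an added example (not Unbound's code). It assumes the field names shown in the sample response and that the encoded fields are standard base64; the sample input is constructed.

```python
import base64
import binascii
import hashlib
import json

# Field names are taken from the offlineoperations response shown above.
ENCODED_FIELDS = ("data", "tag", "iv", "key", "sig")
REQUIRED_FIELDS = ENCODED_FIELDS + ("participantId",)


def check_operations_request(raw: bytes, expected_participant: str) -> str:
    """Validate operations_request.json content and return its SHA-256 digest."""
    # Any structural problem raises ValueError, so a damaged or mismatched
    # file is caught before it is carried to the offline bot.
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level value must be a JSON object")
    missing = [name for name in REQUIRED_FIELDS if name not in doc]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if doc["participantId"] != expected_participant:
        raise ValueError("participantId does not match the intended bot")
    for name in ENCODED_FIELDS:
        value = doc[name]
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
        try:
            # Assumption: values are standard base64, as the samples suggest.
            base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{name} is not valid base64") from exc
    # Digest of the exact file bytes; compare it on both sides of the transfer.
    return hashlib.sha256(raw).hexdigest()


def _b64(length: int) -> str:
    return base64.b64encode(bytes(range(length))).decode()


# Constructed sample: placeholder participant ID and dummy field contents.
SAMPLE_PARTICIPANT = "00000000-0000-0000-0000-000000000001"
SAMPLE = json.dumps({
    "data": _b64(48), "tag": _b64(16), "iv": _b64(12), "key": _b64(64),
    "participantId": SAMPLE_PARTICIPANT, "sig": _b64(70),
}).encode()
```

Run it over the file's bytes before and after the manual transfer; matching digests show the file arrived unchanged.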

Storing Keys in an External Security Provider

This section describes how to use the CASP bot to store encryption and signing keys in an external security provider, such as an HSM (Hardware Security Module) or a smartcard. This solution uses the PKCS#11 standard through a Java interface that is used to communicate between the CASP bot and the external security provider.

Implement the solution using this procedure:

  1. Set up the Java security provider, using either one of the following:
    1. If you have a Java security provider, then locate the Java provider name and password. They must be specified when starting the CASP bot.
    2. If your security provider has a PKCS#11 library (an .so file), then configure it. Point the Sun PKCS#11 provider (which comes built in with Java) to this provider. Provide the Sun PKCS#11 provider name and password that is configured to work with PKCS#11.
  2. Start the CASP bot using the options to specify external key storage name and password.
  3. For example:

    java -Djava.library.path=. -jar <path_to>/BotSigner.jar \
    -u <https://casp_ip>/casp \
    -p <participant_id> \
    -c <activation_code> \
    -w <KeyStore password> \
    -d <Java provider name> \
    -a <Java provider password>