Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
These documents are specifically tailored for deploying Constellation Network nodes according to the configuration and integration requirements of each provider’s dashboard setup.
🚧Build AWS EC2 Instance🚧Build DigitalOcean Droplet🚧Build Hetzner ServerIf this is NOT your first time configuring delegated staking, and you are looking for a way to update your delegating staking parameters, you may skip to the next page.
If this is your first time configuring delegated staking on your node, you will be presented with a CONFIGURATION NOTICE screen.
Simply read through the notice and press any key to continue.
Node Operator's guide to enable delegated staking on your node.
To offer your node for delegation on the Constellation Network, you must complete the delegated staking configuration.
This process allows Node Operators to make their nodes available for delegation.
Follow the steps in this guide to properly set up and enable delegation.
Delegated staking on Constellation Network allows any $DAG holder to participate in network security and validation by staking their tokens with validators without needing to run a node. This enables more users to contribute to decentralization and governance while earning staking incentives. By choosing a validator, you help secure the network, support metagraph projects, and receive $DAG incentives for your participation. Some metagraph validators even offer additional L0 token rewards, increasing your potential incentives.
$DAG holders who participate in delegated staking may choose your node based on the commission percentage you set. This allows you, as a Node Operator, to generate additional rewards revenue from delegations.
In order to view your current delegated staking status, you may issue a status command at any time.
sudo nodectl delegate statusFor a valid configuration, your node should report all parameter matches as True.
If any match is not True, please review your desired configuration and issue an update as needed to ensure your desired settings and consistency with the cluster.
In the event that you have already issued an update with your current settings (no changes were necessary), nodectl will prevent an unnecessary cluster update, and decline your request.
DELEGATED UPDATE REQUEST CANCELLEDIf the nodectl utility responds without applying any changes, the most likely reason is that your node is already configured with the delegated staking settings you specified.
If this is not the case, review and update your configuration file and submit another update to ensure your desired changes are applied.
nodectl requires you to create a configuration file with the necessary parameters to properly enable delegated staking according to your preferences and requirements.
Regardless of whether this is your first time configuring your node for delegation, you must create or update the configuration file to define the specific parameters you want to use when offering your node for delegation.
If you wish to change any delegated staking parameters in the future, you must update the configuration file first before submitting a request to apply those changes to your node’s delegated staking settings.
Configuring delegated staking does not automatically commit your node to accept delegations.
The process involves two steps:
Create or update the configuration with your desired delegation parameters.
You should now have access to the Constellation Network Official Discord server via an invite provided for Node Operators.
At this point, your VPS should be fully configured and operating as a Constellation Validator Node.
If you believe any steps were missed, please revisit the previous documents to ensure all required tasks are completed before moving forward.
Return to or join the Constellation Network Discord server, and reach out to a Discord Administrator who holds the Admin or Team Lead role (visible next to their username).
Important Security Reminder
An Admin or Team Lead will never message you first, ask for money, request that you connect your wallet to third-party sites, or make any financial requests.
When contacting an Admin or Team Lead, be prepared to present your Node ID so they can submit it to the internal team for processing. You may be required to confirm your email, this should only be confirmed by an Official Constellation Network Team Member.
You will need to create and own a Stargazer Wallet
In order to qualify to run a node on Constellation Network's production MainNet Hypergraph cluster, or Dor metagraph cluster, you will need to collateralize your node through your Stargazer wallet.
Please follow guide to import your node’s wallet into your Stargazer Wallet, and transfer $DAG and or $DOR before attempting to join the cluster.
This step is required to meet the staking threshold and ensure your node is eligible for cluster participation.
To update your current delegated staking parameters or to commit them for the first time to the metagraph, you will need to implement an update.
This command finalizes your configuration by submitting it to the metagraph, making your node available for delegated staking based on the parameters you've set.
You should now be in the configurator and at the section where you're prompted to enter the necessary parameters to enable delegation.
These parameters will define how your node appears to other delegated staking participants, allowing them to discover and delegate to your node based on the options you set.
To stay fully informed and connected, you must join the Constellation Network Official Discord server.
This is the central hub for:
✅ Cluster update announcements
✅ Scheduled network restarts
✅ Operational instructions and technical alerts
✅ Validator program updates and governance notices
This section explains how to use the Constellation Network Command Line Interface (CLI) utility, which provides a simplified way to run a node without requiring technical expertise or in-depth knowledge of the Tessellation Protocol’s architecture and operation.
Pronounced node control, node-c-t-l, or node-cuttle.
nodectl is a command-line utility designed to simplify the deployment and management of Constellation Network Validator nodes.
The utility is packed with powerful features that abstract away the complexities of node management.
Your password or passphrase will require:
At least 10 characters
At least one number
At least on upper case character
At least one lower case character
At least on special character ( ! @ # % ^ & * ( ) _ + - = )
Do NOT use " (double quotes)
Do NOT use ' (single quotes)
Do NOT use $ (dollar sign)
Do NOT use § (sectional sign)
You should be:
Connected to your VPS remotely
VPS is updated, upgraded, and rebooted
nodectl is installed.
MainNet
Hypergraph
$DAG
250,000
IntegrationNet
Hypergraph
$DAG
250,000
Dor
metagraph
$DOR
1,000,000
Update configuration? [n]: yManually submit the configuration to the Metagraph to activate delegated staking.
-e edit mode
-cb confirm backup automatically
-d detailed mode
updateYou may skip this step if this is not your first update.
The nodectl utility will attempt to retrieve your current delegated staking parameters and determine whether this is your first update attempt.
If it detects a first-time update, you will receive a warning and be asked to confirm. If you have previously updated your node and still receive this prompt, it may indicate a potential issue (see warning).
Warning
If this is your first time updating the delegated staking settings on your node and you do not receive the first-time confirmation notice, please contact a Constellation Network representative via our official Discord server for assistance.
Likewise, if this is not your first time updating and you do receive a first-time warning, please report the issue as soon as possible through the same channel.
If you are confident that this is the first delegated staking update for this node, you may proceed with acknowledging the prompt.
During the initial update to the metagraph, your reference to your last update (none) will be set to all zeros.
The default option is n so we will change it to y and hit enter.
You will need to choose a short name for your node.
Must be no larger than 140 characters
Must be no smaller than 5 characters
This name will be publicly displayed on the DAG Explorer within the Delegated Staking section and should be:
Concise – keep it short and simple
Descriptive – reflect your identity or purpose
Unique – avoid names that could be confused with other nodes
A clear and recognizable name will help users quickly identify and delegate to your node within the Constellation Network ecosystem.
Must be no larger than 140 characters
Must be no smaller than 5 characters
You’ll need to provide a brief description of your node that will be publicly displayed on the DAG Explorer within the Delegated Staking section.
Keep it short and clear, highlighting your node’s strengths, unique features, or anything that sets it apart. This description is your opportunity to attract community members interested in delegated staking to delegate their $DAG to your node.
Decide on the commission percentage you would like to charge for allowing others to delegate to your node.
You must select a number (integer/float) value between 5 and 10. This percentage represents the portion of staking rewards your node will collect as a fee in exchange for providing delegation services. Do not include % sign.
You may use floating point values. 5, 5.1,5.2 ... 9.9, 10.
Choose a rate that aligns with your operational strategy, encourages community participation, and reflects the value your node offers.
Your configuration will be created or updated to match your requested parameters and final instructions will appear.
Press any key and you will be returned the main menu of the configurator.
Your configuration is complete, you may issue a q to exit the configurator and return to your node's command line interface.
D) Setup/Update Delegated Stakingsudo nodectl configure -e -cb -dPlease enter your p12 passphrase:sudo nodectl delegate updateIs this your first update? [n]: yQ) Quit✅ Peer collaboration and troubleshooting with other Node Operators
Participation in the Discord server ensures that you:
Receive real-time updates that may affect your node's performance or connectivity.
Get immediate access to official support channels and team leads.
Can coordinate with other Validators for best practices and knowledge sharing.
Make sure to verify your account and introduce yourself in the general channel once inside.
auto_restart feature enabled, your node may have already recovered automatically.Delegated Staking Requirements
Delegated staking is supported by nodectl starting with version v2.17.0.
Issue the version command to output the current version of nodectl.
Please follow the correct upgrade path to ensure your node remains manageable by nodectl and does not encounter compatibility issues.
If there are multiple versions between your current version and v2.17.0, you must follow the correct upgrade path.
Take note of each intermediate version and run the upgrade_nodectl command sequentially for each version step using the -v <version> option.
Upgrade one version at a time. Do not skip versions until you reach v2.17.0.
This ensures compatibility and prevents potential issues with configuration or functionality.
Example: sudo nodectl upgrade_nodectl -v v2.13.0
When you reach a version that can be directly upgraded to the latest v2.17.0 you may exclude the -v option.
If you are requested to upgrade the node, issue a Y and allow nodectl to upgrade the node so that all the features, changes, and updates can be properly applied.
This is important to ensure that all features of nodectl are enabled.
As a Node Operator, you can offer your node for delegation by following these steps:
The nodectl utility automates these steps for you. Follow this guide to complete the setup.
P12 Keystore
Delegated staking is tied to your node’s wallet public key (node ID).
If you rebuild or create a new node, your delegated staking status will remain unaffected as long as you retain your current p12 keystore, which holds the private and public keys designated for the Constellation Network Hypergraph or metagraph.
This guide will help you create your node using nodectl.
The following documentation will help guide a new Node Operator understand the differences between turning a newly created VPS into a Constellation Network validator node with the use of nodectl.
There are three options:
A normal installation is a more detailed and interactive method of installing nodectl on your VPS. The process will guide you through each step of the installation interactively with details on each step, along the way.
This installation method installs nodectl with minimal prompts or user interaction. You will only be asked a few questions:
Which cluster you would like your node to join
Whether you want to migrate an existing .p12 keystore
Passphrase for the .p12 keystore:
This new installation can be preformed if desired by advanced users.
nodectl is recommended.
Since delegated staking is a financial decision, the configurator will not automatically commit your node to become available for delegated staking.
ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>Enter the passphrase if using an existing keystore
New password for the Node Administrator
auto_restart feature did not restart for any reason—for example, if you did not see the related messages—you may manually restart it to ensure it is functioning correctly.If you're running a single-layer Validator (Layer0 or Layer1 only), you can skip directly to the Confirm Status step below.
If your node operates in hybrid mode (participating in both Layer0 and Layer1):
You must wait for the Layer0 profile to reach the Ready state before attempting to connect Layer1.
Layer1 cannot join the cluster until the full Layer0 chain is downloaded and synchronized.
If you have the auto_restart feature enabled:
Your node will detect when Layer0 reaches Ready state.
It will automatically initiate the Layer1 connection.
sudo nodectl restart -p allsudo nodectl statusJOIN STATE Ready
IN CONSENSUS Truesudo nodectl versionsudo nodectl upgrade_pathsudo nodectl upgrade_nodectl -v <next_version_in_path>sudo nodectl upgrade_nodectlPress Y then [ENTER] to upgrade or N then [ENTER] to cancel: Ysudo nodectl upgrade --nisudo nodectl status -p dag-l0 -w 120sudo nodectl join -p dag-l0sudo nodectl statusJOIN STATE Ready
IN CONSENSUS Truessh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>Delegated staking is permanent and cannot be disabled once it has been enabled.
There are no downsides to enabling delegated staking it simply allows you to earn additional rewards without impacting your existing node operations.
This is the logical flow of how delegation works on your node.
✅ Key Point: Collateral Requirement
To operate a node, you are required to allocate 250,000 $DAG as collateral. You will earn 100% of the rewards generated by your own collateral—these rewards are exclusively yours and are not shared.
👥 Delegators and Additional $DAG
When other community members choose to delegate their $DAG to your node, the total amount delegated is added to your node's effective stake, increasing your node's influence and overall earning potential.
💰 Example: Understanding Rewards from Delegation
Let’s say delegators collectively point X $DAG at your node.
Your node will now earn additional rewards based on this delegated stake.
You will receive a commission (a percentage you set between 5–10%) from the rewards generated by the delegated X $DAG.
The remaining rewards go back to the delegators, proportional to their contribution.
In Our Example
Let's say: 800 $DAG was earned in total from X $DAG delegated to your node for you and your delegators. This does not include rewards earned from your original 250,000 $DAG staked as collateral on your node.
You set a 10% commission charge.
Delegated Staking
800 $DAG
10%
80 $DAG
720 $DAG
Your Node's Collateral
600 $DAG
0%
600 $DAG
0 $DAG
Hetzner
This guide does not include cloud provider-specific steps or images. You may use the specific cloud provider documentation here.
There are many cloud providers available to choose from, and unfortunately, we cannot cover each one in these tutorials and guides.
We encourage you to research and select a provider that best fits your needs in terms of performance, pricing, reliability, and regional availability.
You may also:
Adapt an existing setup guide by intuitively translating the steps to match your chosen provider’s interface.
Ask for advice or recommendations in the Constellation Network Official Discord channel, where community members and team members can share their experience and guidance.
The right provider is the one that aligns best with your technical comfort level and validator node requirements.
While this guide provides generic, provider-agnostic steps to help you build a VPS on any cloud service, it is designed so you can follow along using intuitive actions regardless of the platform.
However, if you prefer a more tailored experience, you may choose to opt into service-specific guides that have been prepared for popular providers. These offer more detailed, platform-specific instructions to streamline the setup process.
Choose the path that best fits your comfort level and desired level of guidance.
It's recommended to create your firewall policy (also known as a Security Group) before launching your VPS. Doing this upfront allows you to immediately assign the correct firewall rules when the VPS is created, ensuring proper and secure access from the start.
Do NOT rely on software firewalls such as UFW (Uncomplicated Firewall) or IP Tables for securing your validator node.
Because your node will have direct Internet access, these tools are not sufficient as a primary IP packet security layer and can interfere with the proper operation of your node on the VPS.
Instead, always use your cloud provider’s built-in firewall or security group features to manage port access and protect your server at the network level.
If your cloud provider of choice does not offer built-in firewall or security group features, it is strongly advised not to use that provider for hosting your validator node.
This checklist is intended for advanced users who are not following a pre-configured cloud provider guide.
If you’re building your Validator node manually on a custom VPS or bare-metal environment, use this sequence to ensure a complete and secure setup.
These steps assumes familiarity with manual system setup, firewall management, and node operations. Be sure to follow official documentation closely when applying any configurations related to the Tessellation protocol or node lifecycle.
Refer to the Validator Specifications Document to determine the appropriate system configuration.
Choose a provider or hardware setup that meets or exceeds the minimum system requirements.
Constellation Network's Node Spec Requirements.
View specs starting here.
As with any cryptographic ecosystem, there are specific hardware requirements that must be met to ensure your node operates securely, efficiently, and reliably within the Constellation Network’s ecosystem.
Meeting these requirements is essential for maintaining node performance, ensuring compatibility with consensus protocols, and avoiding issues related to resource limitations.
Constellation Network currently supports two distinct types of nodes across its Hypergraph and metagraph infrastructure:
Constellation Network Hybrid Validator Node
Dor Validator Data Layer 1 Node
A VPS (Virtual Private Server) is a virtualized environment running on a physical machine that shares resources (tenancies) with other instances. This makes it a more cost-effective option for operators who are just getting started.
A group of these VPS instances forms what is commonly referred to as the "cloud."
In contrast, a dedicated bare metal server is a physical machine allocated to a single tenant. It offers exclusive access to all hardware resources and typically provides higher performance and configurability. Many cloud providers offer both VPS and dedicated server options, depending on your needs.
Constellation Network does not require or prefer one over the other.
You are free to choose the infrastructure that best fits your technical experience, performance expectations, and budget.
A bare metal server is a physical machine designed to run dedicated services for a single tenant. Unlike virtualized environments, bare metal servers provide full access to the underlying hardware, offering maximum performance, control, and customization.
You can run a bare metal server from various environments, including:
A personal data center
A colocation facility
A private office
Even from your home, if conditions allow
Because you have full control over both hardware and software, this setup is best suited for advanced operators who need:
Greater resource allocation
Custom system configurations
Specialized networking or storage requirements
Due to the complexity and responsibility involved, bare metal servers are not recommended for beginners or casual operators
A Hybrid Node is required to operate on both the:
Global Layer 0 – the global consensus and infrastructure layer
DAG Layer 1 – the native currency and transaction layer for the $DAG token
This dual-role node type is commonly referred to as a Hybrid Validator Node.
To ensure reliable and efficient performance hybrid nodes must meet the following minimum hardware specifications:
A Dor Node is required to operate on both the:
Data Layer 1 Metagraph – the data validation layer for the Dor metagraph
To ensure reliable and efficient performance hybrid nodes must meet the following minimum hardware specifications:
Linux Debian-based distribution
Ubuntu 24.04
Debian 12
Java 11
Constellation Network's Tessellation is developed to run on any Debian distribution with Java 11 installed.
The nodectl utility was developed to run specifically on Ubuntu 24.04 and Ubuntu 22.04.
Ubuntu uses the convention of .04 to represent versions of their Debian distribution that is LTS (long term support), and .10 for their more "experimental" short term support releases.
It is highly recommended to use a .04 version release.
How to connect to a brand new VPS created by using one of the Constellation Network VPS build guides.
You are using Debian Ubuntu as your distribution. If you are not, please substitute ubuntu for root throughout this document.
The username alice or Alice should be replaced with your actual local username on your Windows or Macintosh system.
Keep your private key secure: Never share it, and use a strong passphrase.
Use Keychain (macOS) or ssh-agent (Windows) to avoid re-entering the passphrase each session. ( Out of scope of this document ).
Regularly update your local OpenSSH client and your VPS’s OpenSSH server to the latest stable versions.
This guide outlines the steps required to collateralize your node’s hot wallet, meeting the staking requirements needed to join the Constellation Network Hypergraph or a metagraph.
Follow the connection guide to connect to your node.
You may begin transferring your $DAG or $DOR tokens to your newly imported wallet.
🚧 Proceed with caution
Start by sending a small test amount to ensure the transfer is successful before committing to a full transfer.
You can continue with multiple transfers or a single lump-sum transfer after the test is confirmed. There should be no fees associated with these transfers.
Manually download all the elements needed to run a node for advanced Node Operators.
If you’ve chosen to use nodectl to create your node, excellent choice! You should skip this section of the instructions.
Users leveraging nodectl do not need to perform any of the steps outlined here, as nodectl handles all of them dynamically and automatically.
To leave the cluster after a process has been started and joined.
Find the process(es) associated with your node
Kill the process(es)
This guide outlines how to enable nodectl's auto-restart feature along with auto-upgrade support.
Enabling this configuration allows your node to:
Automatically monitor and restart services if they become unresponsive or disconnected from the cluster
Automatically check for and apply updates via nodectl when new versions of Tessellation are available (based on your configuration preferences)
This ensures your node remains healthy, up-to-date, and engaged in network operations with minimal manual intervention.
Generate a secure key pair.
Lock down your SSH configuration to allow access only from known IP addresses.
Disable root login.
Local Administration:
Ensure you have non-root administrative access (e.g., a user in the sudo group).
Restrict SSH to trusted IPs only.
Deny all other traffic by default.
Install the Tessellation binaries and any Constellation-specific tooling.
Place and secure your keystore.
Configure the API endpoints needed for Layer0 and/or Layer1 connectivity.
Link your nodid for tax rewards.
Link your wallet for rewards.
Total
1,400 $DAG
680 $DAG
720 $DAG
Bandwidth
2 TB/month
10 TB/month
OS
Ubuntu 22.04 LTS (64-bit)
Ubuntu 24.04 LTS (64-bit)
Architecture
x86_64
x86_64
Bandwidth
1 TB/month
5 TB/month
OS
Ubuntu 22.04 LTS (64-bit)
Ubuntu 24.04 LTS (64-bit)
Architecture
x86_64
x86_64
CPU
8 vCPUs
Greater than 8 vCPUs
RAM
16 GB
32 GB
Disk
320Gb
500Gb
Storage Type
SSD
CPU
2 vCPUs
Greater than 2 vCPUs
RAM
2 GB
4 GB
Disk
40Gb
80Gb
Storage Type
SSD
NVMe / NVM
NVMe / NVM
We will choose the R from the Edit Menu.
Choose y to enable auto_restart
Choose y to enable auto_upgrade
Choose y to enable on_boot
Choose y to confirm selections.
Choose Q to exit back to the command line interface.
The nodectl utility includes several optional features designed to automate node recovery, version compliance, and startup behavior. These options help ensure your Validator node remains online, up-to-date, and resilient without requiring constant manual intervention.
When auto_restart is enabled, nodectl continuously monitors the health and cluster status of your node.
Key Functionality:
Detects if your node drops off the cluster due to issues such as network interruptions, process failures, or misconfigurations.
Automatically attempts to restart and rejoin the node to the cluster without user involvement.
Automatically attempts to return your node to consensus if it stops participating for a variety of reason.
This is especially helpful for maintaining high availability and reducing downtime.
Constellation Network requires all active Validator nodes to run the same version of Tessellation. If your node is not running the correct version during a cluster upgrade, it will be rejected from joining, regardless of its other credentials (e.g., collateral, seed list status).
nodectl will monitor the current cluster version.
If a version mismatch is detected, it will automatically upgrade your node to match the active cluster version.
This ensures version compliance and minimizes the risk of node rejection due to outdated software.
Enabling on_boot ensures that nodectl's auto-recovery features are initialized automatically when your VPS starts up, such as after:
A manual system reboot
An unexpected crash
Cloud maintenance or hardware restarts
On system boot, nodectl launches the auto_restart process.
If necessary, auto_upgrade also activates to bring the node back in sync with the cluster version.
This setup enables your node to recover and reconnect unattended after the VPS completes its boot sequence.
These automation features are highly recommended for production Validator nodes, as they enhance stability, uptime, and operational efficiency across the Constellation Network.
You should not export your private key when participating on IntegrationNet. The $DAG tokens used on IntegrationNet hold no intrinsic value.
Collateral requirements for this TestNet are validated through a connected wallet within your Lattice account that contains the required 250,000 $DAG collateral.
sudo nodectl configure -e -cb -dsudo nodectl auto_restart statussudo nodectl export-private-key -p dag-l0
This command requires manual re-entry of your p12 passphrase
You may press q + <enter> to quit
You will not see the q echoed to the screen.
Please enter your p12 passphrase to validate config_file:
WARNING THIS IS YOUR PRIVATE KEY
DO NOT EXPOSE TO ANYONE, AS YOUR HOT WALLET AND NODE CAN BE COMPROMISED!
PRIVATE KEY FOR [constellation-node01.p12]
=============================================================================================
13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef13abcdef
=============================================================================================suod nodectl export-private-key -p dor-dl1/home/alice/.ssh/node_private_keyed25519 SSH key pair ( replace with rsa otherwise )Termius: https://www.termius.com/
🍎 Press ⌘ Space, type Terminal and hit Enter.
🐧 From the GUI launch a terminal app.
If on the command line, no action needed.
This step assumes root as the default username created by the cloud provider for first time access. Depending on the cloud provider this username may be different. You may need to try all three options through process of elimination to gain initial access.
Remember we are using generic names, locations and IP address for your SSH key and VPS external IP address.
Retrieve the expected fingerprint from your VPS provider’s dashboard or control panel (most clouds show it when you create the instance).
Compare that value against what your SSH client displays.
In most cases, because you are manually making this connection, you can be confident you’re connecting to the correct host. However, when handling remote connections, always exercise extra caution.
Just to make sure everything is nicely updated on your Linux VPS, we will perform some updates and upgrades.
During the upgrade process, you may encounter a PURPLE dialog box asking you to select a few options. Since our node doesn’t require any special Debian configuration, just keep the default settings.
If you receive a purple box, on your keyboard hit the tab to move to the OK or CONTINUE, or CONFIRM options and then press Enter.
Please ensure your VPS meets the required specifications to run on Constellation's Hypergraph or metagraph networks.
Proper sizing is essential for performance, stability, and successful participation in consensus.
Please replace the download version with the latest available version, as version numbers may have changed between the time this document was written and when you are accessing it.
cl-dag-l1.jar - Layer1 Data or Currency jar
cl-node.jar - Global Layer0 Node jar
cl-keytool.jar - Key tool utility specific to Constellation Network's Tessellation
The values shown below are examples only. Do not use them as-is. Refer to the Environment Variable Chart for explanations of each variable.
CL_L0_PEER_HTTP_HOST
<layer0_peer_ipv4>
This is recommended to be your node's external IP address. Your node will be participating on both Layer0 and Layer1. The Layer1 should link through your Layer0 connection. Your node will be the most reliable node to be UP at the time your attempt to join the Hypergraph.
CL_L0_PEER_ID
<layer0_peer_nodeidr>
he node ID of the node you will be linking with on Layer0.
CL_L0_PEER_HTTP_PORT
<public_port>
The public port of the node you are linking to through Layer0.
CL_EXTERNAL
<public_facing_ipv4>
Our node's remote IP address
CL_KEYSTORE
<name_of_keystore>
This will be placed at the end of the path CL_KEYSTORE line in the file.
CL_PASSWORD
<p12_keystore_passphrase>
The password/passphrase you will use for your p12 keystore.
CL_KEYALIAS
<your_keystore_alias>
Do not use this example, come up with your own.
You are now ready to continue to connect to your node for the first time, install nodectl and turn your VPS into a Constellation Network Validator Node!
Before launching your validator node on DigitalOcean, it is recommended to add a valid payment method to your account.
You are now ready to continue to connect to your node for the first time, install nodectl and turn your Droplet (VPS) into a Constellation Network Validator Node!
Important notes to help remind us about the concepts of the three different passphrase/passwords we need to maintain and use on a daily basis to manage our node.
The following pages are essential reading before proceeding to any technical implementation. They are designed to help you organize your notes, confirm your virtual server specifications, and understand cloud provider requirements. Reviewing this information will ensure a smooth setup process and reduce the likelihood of configuration errors.
These sections are especially helpful for first-time Node Operators. However, experienced or technically proficient users may choose to skim or skip them as needed.
Topics covered in this section:
Setting Up Your Notes — Guidance on preparing and organizing the information you'll need throughout the node setup process.
Understanding Your VPS Specifications — Ensure that your virtual server meets the required hardware and system configuration.
Cloud Provider Specific Guides — Reference materials tailored to specific providers like AWS, DigitalOcean, and Heztner.
Take the time to review this material thoroughly before beginning any technical work.
This document suggests a method for keeping notes and tips accessible when preparing to or operating your node.
We hope that referring back to your notes for reminders on managing your node and recalling necessary passphrases or passwords will be time-saving, useful, and efficient.
There are 3 main passwords that we must have an understand and control of the concepts to make the administration of our nodes simple and less aggravating.
The following mediums are a good start to where you should record and maintain your notes.
Make sure to create backups that will be stored in a safe location.
🚑 PLEASE DO NOT 🚒
Do not use the same passphrases or other sensitive values/information as shown in this example.
These examples are public facing and may be used by a nefarious actor as a first attempt to access your node in a penetration attack.
The example values in these notes are fictitious, please replace usernames, passwords, passphrases, etc. with your own.
Just in Case
If you are using a Command Prompt verses PuTTy, you may want to copy the Macintosh notes 👆and replace Terminal with Command Prompt as necessary.
This guide walks you through connecting a Validator Node to a Constellation Network Hypergraph or metagraph cluster for the first time.
This guide assumes that you have properly created and connected to your VPS successfully and installed the nodectl utility.
Build Your Node💽The nodectl utilityBefore beginning, ensure you’ve reviewed the full checklist and profile documentation.
This guide uses dag-l0 as the profile name.
Replace dag-l0 with your node’s actual profile name if it differs.
For example dor-dl1 for Dor data layer1 validator nodes.
Use the following command to connect to your VPS via SSH:
To confirm that your node is recognized by the network, run:
Expected Output:
🛑 If you are not on the seed list, stop here and contact a Discord Administrator Team Lead via the Constellation Network Official Discord. You must wait for the next cluster restart that includes a seed list update before continuing.
Use the upgrade command to prepare your node for the cluster connection:
The
-niflag enables non-interactive mode, accepting default values automatically.
If you're operating a Layer1-only Metagraph Validator, you may skip directly to the Join Layer1 step at the bottom of this guide.
Hybrid nodes must reach a Ready state on Layer0 before joining Layer1.
⚠️ Expected Behavior:
After your node completes Layer0 connection steps, it will attempt to join the Layer1 profile and fail. This is expected and not a concern at this stage.
This happens because Layer1 participation is blocked until your node fully syncs the Layer0 snapshot chain.
During this period, your node will transition through the following statuses:
SessionStarted
DownloadInProgress
After upgrading, verify your node has reached the correct syncing phase:
Expected Output:
If you see SessionStarted, continue running the command periodically until it transitions to DownloadInProgress.
Your node will now download the entire snapshot chain from the Layer0 cluster. This process may take several days.
You have two options:
Wait for your node to reach the Ready state.
Proceed to the optional next step to speed up the snapshot process using the Starchiver utility.
To accelerate snapshot syncing:
👀 Monitor your node closely to ensure the process completes without error.
🚧 Caution:
Starchiveris a community-supported tool and not officially supported by Constellation Network. Use at your own risk. For issues, contact the tool's maintainer via GitHub or seek help on the Constellation Discord.
Once your node has completed downloading the snapshot chain, it will enter the Ready state and begin participating in consensus.
To verify:
Look for the following:
For Layer1:
🔄 To monitor the transition in real time:
Use the q key to exit the watch command gracefully.
If Layer1 displays ReadyToJoin, you may initiate the join process:
If your node is in any other state, restart the profile before retrying:
Once the above steps are complete and your node is fully synced and participating in consensus, your first-time connection process is complete.
Resolve IPv6-related Connection Issues on Your Validator Node
The EdgePointDown status typically indicates a failure in establishing communication between your node and the network’s edge points.
A known root cause is the system resolving outbound connections using IPv6 instead of IPv4, which can happen in scenarios such as:
The cloud provider defaults to IPv6 or uses IPv6-to-IPv4 translation
The network infrastructure between your VPS and Constellation’s edge points mishandles IPv6
DNS resolution or routing forces IPv6 where IPv4 is required for compatibility
⚠️ This guide addresses IPv6-related causes only.
As new root causes are discovered, this document will be updated.
⚠️ If either status is already
disabled, your issue is not IPv6-related. Stop here and seek assistance from a Team Lead via the .
To ensure the monitoring service is in sync with the updated configuration:
✅ Your node should now resume connection attempts using IPv4.
If the EdgePointDown issue was caused by IPv6, it should be resolved.
If problems persist, please reach out to the Constellation Network support team or a Team Lead in Discord.
Rebuild a Constellation Network node with an existing P12 keystore.
The authenticity of host '13.13.13.13 (13.13.13.13)' can't be established.
ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890+=.
Are you sure you want to continue connecting (yes/no)?The authenticity of host '13.13.13.13 (13.13.13.13)' can't be established.
ECDSA key fingerprint is SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890+=.
Are you sure you want to continue connecting (yes/no)? yesubuntu@your-vps-name:~$sudo apt -y update && sudo apt -y upgrade
sudo apt -y install haveged
sudo apt -y install default-jdksudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/mainnet-seedlist -P /var/tessellation; sudo chmod +x /var/tessellation/cl-wallet.jar -O /var/tessellation/seed-list -o /dev/nullexport CL_EXTERNAL_IP=113.113.113.113
export CL_KEYALIAS="myConstellationAlias"
export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation.p12"
export CL_APP_ENV="testnet"
export CL_PUBLIC_HTTP_PORT=9000
export CL_P2P_HTTP_PORT=9001
export CL_PASSWORD="my_p12_keystore_pass"java -jar /var/tessellation/cl-keytool.jar generatechmod 600 ~/tessellation/myconstellation.p12/usr/bin/java -jar '-Xms1024M' '-Xmx7G' '-Xss256K' /var/tessellation/cl-node.jar run-validator --seedlist /var/tessellation/seed-list & /usr/bin/java -jar '-Xms1024M' '-Xmx3G' '-Xss256K' /var/tessellation/cl-dag-l1.jar run-validator --public-port 9010 --p2p-port 9011 --cli-port 9012 &curl -X POST http://127.0.0.1:<private_cli_port>/cluster/leaveps -efkill <process_no>Choosing to upgrade your distribution via a fresh VPS (rather than an inline upgrade),
Switching cloud providers,
Or facing any other scenario that requires spinning up a new instance,
Rebuilding your node is not only possible, it’s encouraged.
This guide will walk you through the process of reinstalling your existing .p12 keystore on a new VPS instance so your validator node can resume operation quickly and securely.
By the end of this process, your new instance will be configured with your existing wallet, allowing you to seamlessly rejoin the network without starting from scratch.
Connect to your OLD VPS and backup ( obtain ) your current p12 keystore.
This step is critical for a successful reinstallation.
If you no longer have access to your old VPS and do not possess a valid backup of your .p12 keystore, please contact a system administrator immediately. In this case, you will need to rebuild a new node from scratch and follow the instructions in the normal installation guide.
$DAG tokens can still be accessed and recovered through your Stargazer Wallet, provided you retain access there. See the Collateralize Your Node guide for further details.
Rebuild your VPS
Restore your p12 to the new VPS prior to begin an installation.
Follow either the Quick Install or Normal Installation guide up to the migration section.
At that point:
When prompted, select y to proceed with the keystore migration.
nodectl will automatically scan your VPS for any available .p12 keystore files.
In this scenario, it should detect only one .p12 file, the one you uploaded during the earlier step.
Select the identified .p12 keystore and continue following the installation guide as normal to complete your validator node setup.
root
Digital Ocean or Hetzner may use this as the default.
ubuntu
AWS may use this as default.
admin
Debian 12 users may need to use the admin username as the default for initial connections.
ssh -i C:\Users\Alice\.ssh\node_private_key [email protected]ssh -i /Users/alice/.ssh/node_private_key [email protected]ssh -i /home/alice/.ssh/node_private_key [email protected]cl-wallet.jar - Wallet tool utility specific to Constellation Network's Tessellation
Please ensure you download the correct version for your Linux distribution. The background libraries required to compile and run nodectl differ between Ubuntu 22.04 and Ubuntu 24.04. Downloading the wrong version will result in an inoperable nodectl utility and numerous error messages.
Attempt to disable nodectl's auto restart feature if nodectl may already be installed on the system to avoid conflicts when attempting to download the nodectl utility. This command will produce an expected error that we can safely ignore.
The next command will use wget to download the nodectl utility and place it in the appropriate directory for seamless execution.
Next, the permissions of the nodectl binary will be set to executable, allowing you to run the command.
Finally, the last command in the sequence will run the version check, allowing you to verify that nodectl was successfully downloaded, placed in the correct location, has the proper permissions, and is running the expected version.
Password used to confirm authorization.
When issuing administrative commands on your node, you will be required to enter your sudo password associated with the nodeadmin user whenever a privileged action is executed or your session times out.
The nodectl utility operates with elevated privileges and therefore requires sudo access to perform many of its core functions.
PKCS#12, or PFX
The P12 keystore (also referred to as PKCS#12 or PFX) contains your cryptographic key pair, both the private and public keys. it is used for signing transactions on the node. These keys also serve as authentication credentials for managing your node’s hot wallet.
The passphrase protecting this keystore is critical: it is required to authorize actions related to rewards, collateral management, and token transfers. Store this passphrase securely, as losing it may result in permanent loss of access to these functions.
If you have previously imported your node’s private key into the Stargazer wallet, it is possible to recover access to your funds even if the P12 keystore is lost or the keystore passphrase is forgotten. This is because the private key alone is sufficient to restore control over the associated wallet and its assets.
Secured Software Manager
There are password managers that allow for keeping passwords, passphrases, notes, and documents. From LastPass, 1Password, Bitwarden, Dashlane, KeePass, to others.
USB Stick
Placing your information on a USB stick that is stored in a secure location such as a safe.
Physical Piece of Paper
Writing down your notes and storing in a secure location such as a safe.
sudo nodectl update && sudo nodectl upgradesudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-node.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-node.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-dag-l1.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-dag-l1.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-wallet.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-wallet.jar
sudo wget https://github.com/Constellation-Labs/tessellation/releases/download/v1.0.1/cl-keytool.jar -P /var/tessellation; sudo chmod +x /var/tessellation/cl-keytool.jar[email protected]:~# sudo nodectl version
VERSION MAJOR MINOR PATCH CONFIG
vX.XX.X X X X vX.X.XConstellation Validator Node Notes:
To access our node:
open a terminal and enter:
ssh -i /home/myuser/.ssh/myprivatekey [email protected]
This command will attempt to SSH into our VPS/node
We will be challenged for access to supply the passphrase.
passphrase: efg6abc13efg6
If the command hangs or an error message stating
"refused" check to make sure that our firewall
on the VPS is properly setup to use the local
IP address of our system. During installation,
we restricted this down to a specific IP of our
local system, that may have changed.
www.whatismyip.com
To issue commands using nodectl we use sudo
We need to use our nodeadmin password here:
passphrase: efg6abc13efg6
If we need to access our p12 file (hot wallet)
passphrase: abc13efg6abc13
Reminders:
----------
ssh private key: myprivatekey
ssh public key: mypublickey.pub
ssh passphrase: efg6abc13efg6
location of keys:
- on this USB stick
- local mac directory: /home/myuser/.ssh/
p12 keystore name (hot wallet): myp12name.p12
p12 keystore passphrase: abc13efg6abc13
VPS IP: 113.113.113.113
VPS SSH port: 22
VPS username: mynodeadmin
VPS sudo password:
Access My Node
--------------
1. Open Terminal Session
2. ssh -i /Users/yourname/.ssh/myprivatekey [email protected]
* After typing in: sudo nodectl
you can double-tap the tab key for a list
of commands.
Key Commands
------------
sudo nodectl status
sudo nodectl restart -p all
sudo nodectl upgrade
sudo nodectl check_versions
sudo nodectl check_consensus
sudo nodectl dag -p dag-l0Constellation Validator Node Notes:
To access our node:
open PuTTy
select our saved session from the
PuTTy main menu, load, and then open
(or double click)
This command will attempt to SSH into our VPS/node
We will be challenged for access to supply the passphrase.
passphrase: efg6abc13efg6
If the command hangs or an error message stating
"refused" check to make sure that our firewall
on the VPS is properly setup to use the local
IP address of our system. During installation,
we restricted this down to a specific IP of our
local system, that may have changed.
www.whatismyip.com
To issue commands using nodectl we use sudo
We need to use our nodeadmin password here:
passphrase: hij678hij678&*()
If we need to access our p12 file (hot wallet)
passphrase: abc123abc123!@#
Reminders:
----------
ssh private key: myprivatekey
ssh public key: mypublickey.pub
ssh passphrase: efg345efg$%%^
location of keys:
- on this USB stick
- <enter saved location here>
p12 keystore name (hot wallet): myConstellationP12File.p12
p12 keystore passphrase: abc123abc123!@#
VPS IP: 113.113.113.113
VPS SSH port: 22
VPS username: nodeadmin
VPS sudo password: hij678hij678&*()
Access My Node
--------------
1. Open Terminal Session
2. ssh -i C:\Users\myuser\.ssh\myprivatekey [email protected]
* After typing in: sudo nodectl
you can double-tap the tab key for a list
of commands.
Key Commands
------------
sudo nodectl status
sudo nodectl restart -p all
sudo nodectl upgrade
sudo nodectl check_versions
sudo nodectl check_consensus
sudo nodectl dag -p dag-l0 (intnet-l0) (dor-dl1)ssh -i /path/to/ssh/private/key root@<vps_ip_address>sudo nodectl check_seedlist -p dag-l0NODE ID FOUND ON SEED LIST
Truesudo nodectl upgrade -nisudo nodectl status -p dag-l0JOIN STATE
DownloadInProgresssudo nodectl execute_starchiver -p dag-l0 --restartsudo nodectl status -p dag-l0Layer0
JOIN STATE Ready
IN CONSENSUS TrueLayer1
JOIN STATE ReadyToJoinsudo nodectl status -p dag-l0 -w 120sudo nodectl join -p dag-l1sudo nodectl restart -p dag-l1CPX51 is recommended
CX52 is also recommended is aviable
CPX41 may suffice however, you will run into disk space issues so be cautious.
Dor Data Layer 1 Nodes
CX22
CPX11
If the Name field does not populate, create a name for the key that will help you identify it later.
Click the Add SSH key button.
Select your SSH key if not already checked.
TCP22 rule.Please refer to Wide Open SSH Access document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
If you decide to leave your SSH access wide open you can skip to the next step.
Click on Any IPv4 it will turn red, click the delete to remove it.
Click on Any IPv6 it will turn red, click the delete to remove it.
Type in the IP address you retrieved that is allocated to your local system into the same box to replace the Any IPv4 and Any IPv6 entries, and hit enter.
Replace the Add description with SSH
Any IPv6Leave the TCP protocol type
Replace in 9010 for the Port
Replace in 9011 in the Port range
Replace Add description with Layer1
Repeat the previous step to add a rule for Layer0.
Ports 9000 and 9001.
Click on the Create Resource button.
Choose Servers.
320GbRecommended: 32Gb Memory configuration ( available with Premium Intel/AMD )
If the Name field does not populate, create a name for the key that will help you identify it later.
Click the Add SSH key button.
Select your SSH key if not already checked.
13.13.13.13/32Once you enter the IP address you will see an Add "13.13.13.13/32 ( similar ) which you will need to click on to populate the Sources for your SSH remote access.
Please refer to Wide Open SSH Access document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
9010-9011Leave the Sources as All IPv4 and All IPv6
9000-9001Leave the Sources as All IPv4 and All IPv6
hostname during the Finalize Details step above begin to type in that hostname and it should auto populate into the provided box. If you left the hostname as default type in u and wait for the box to auto populate with default ubuntu name
Select the droplet to populate the Apply to Droplets box.
This procedure modifies your VPS’s system configuration. If a misstep occurs, you may lose node connectivity.
You will be prompted to select between two available versions:
The latest version
The last known upgrade path version
⚠️ Important: Select the version that follows the recommended upgrade path. Skipping versions may result in misconfiguration or compatibility issues.
Press the corresponding number key (no need to press Enter).
Press y to confirm your selection.
Your node is now running the latest version of nodectl, fully updated and ready for continued participation in the Constellation Network.
You can confirm your version using:
Amazon Web Services Specific Build Process
Please make sure you created your SSH key pairs prior to starting these steps.
SSH Remote AccessCreating your account on AWS is a simple process similar to all other SaaS model services. At the current time, we will leave this process up to you.
You are now ready to continue to connect to your node for the first time, install nodectl and turn your EC2 instance (VPS) into a Constellation Network Validator Node!
Turn your VPS into a node using quick install guide
This guide walks you through the fully automated “quick-install” of a Constellation validator node using nodectl’s --quick-install mode. All defaults are recommended settings, and you’ll see a live progress bar throughout.
Turn your VPS into a node using a normal installation.
This guide will walk you through the steps required to convert a VPS or bare-metal server into a Constellation Validator Node.
A normal installation provides more customization options during setup, whereas the quick installation only prompts for essential inputs and uses recommended defaults for all other settings outlined in this guide.
🚩Node PrerequisitesYou will be prompted to specify the name of the Node Administrator account you will use for SSH remote access after installation.
The default username is nodeadmin, and all subsequent documentation will reference this default.
Enter the a custom user and press Enter
In 99% of the cases, your Constellation Validator Node will have direct access to the Internet.
To enhance security, it is recommended to disable access for commonly known default accounts, such as the root user and other special system users ( default ubuntu or admin accounts common preconfigured on default VPS images ).
You will be offered the ability to create a specific name for you p12 keystore that will be used to hold your private and public keys used for signature requests, wallet administration, and other validator node operations.
You may choose a name of your choosing and press Enter.
sudo nodectl versionsudo nodectl ipv6 status--------- * IPV6 STATUS * ---------
Interface found ................... eth0
IPv6 sysctl Status IPv6 GRUB Status
enabled enabledsudo nodectl ipv6 disable --ni --sysctlsudo nodectl auto_restart restartsudo nodectl versionsudo nodectl upgrade_nodectlSUCCESS - AUTHENTIC NODECTLINVALID SIGNATURE - WARNINGsudo nodectl auto_restart restartnodectl version
--user <username>
--user-password <password>
--p12-destination-path <path>
--p12-migration-path <path>
--confirm (auto-accept warnings)
Warning: If you use any of the options/flags to supply a password or passphrase at the command line, these sensitive flags end up in your shell's history.
It is strongly advised to clear your history after the installation completes with the history -c command ( -c= clear )
If you are performing a New Node Installation with .p12 Migration, you may press y at this prompt to allow nodectl to automatically scan your VPS for any available .p12 keystore files.
Once detected, you will be presented with a list to select from, choose the appropriate file to continue the installation.
Default username nodeadmin
Defaults p12 keystore name nodeadmin-node.p12
Default alias nodeadmin-alias
Reminder to use proper password requirements.
Enter and confirm the password.
Enter and confirm the passphrase.
--p12-alias <alias>
--user <username>
--user-password <password>
--p12-destination-path <path>
--p12-migration-path <path>
--confirm (auto-accept warnings)
If you are performing a New Node Installation with .p12 Migration, you may press y at this prompt to allow nodectl to automatically scan your VPS for any available .p12 keystore files.
Once detected, you will be presented with a list to select from, choose the appropriate file to continue the installation.
If you choose to use a custom username, please substitute it wherever nodeadmin is mentioned after completing this step.
Reminder to use proper password requirements.
Enter and confirm the password.
You will also be prompted to choose whether to disable root access via SSH, enhancing your server’s security.
Using the strongest security practices is essential in these scenarios to protect your node and its associated wallet.
We will choose y or just press Enter.
Local Bare Metal Server may use advanced methods for access control and should decided accordingly
Allow nodectl a moment to encrypt your passphrase.
Important
The alerting module is a community extension of nodectl and not officially supported.
Use at your own risk. Limited support is available, and advanced troubleshooting may not be provided.
Start by clearing the alerting module’s internal cache:
This resets any internal flags that may be preventing alert dispatch.
To test if the daily reporting mechanism works:
Check your inbox for the report. If not received, continue with the next steps.
Trigger an alert manually:
This simulates a node failure alert. Verify that the message is received by the configured email or SMS gateway.
Check the nodectl logs for any errors related to alert dispatch:
Look for entries that may indicate connection failures, authentication errors, or message rejection.
If alerts are routed to a standard email inbox:
Check your Spam or Junk folders
Add the configured sender (e.g., your Gmail alert account) to your email whitelist or safe senders list
Create filter rules in your email settings to allow all mail from that address to reach your inbox
Confirm your email provider hasn’t rate-limited or blacklisted your alerting Gmail account
If you’re routing alerts to a mobile number via email-to-SMS/MMS:
✅ Ensure MMS is supported and enabled on your phone
✅ Test sending a manual email to your mobile email address (e.g., [email protected])
⚠️ Contact your mobile carrier and request approval to receive messages from your node’s Gmail address—some providers block automated or high-frequency alerts
🚫 Mobile providers may "black hole" repetitive or unauthenticated email messages to prevent spam
If you've exhausted all basic troubleshooting steps:
Join the Constellation Network Official Discord
Navigate to the appropriate validator support channel
Provide details such as:
Your nodectl version
Email provider used for alerts
Mobile provider (if applicable)
Relevant error logs or symptoms
sudo nodectl install --quick-install ========================================
= CONSTELLATION NETWORK HYPERGRAPH =
= VERIFY NODECTL SPECS =
= PRE-INSTALLATION TOOL =
========================================
Code Name: Princess Warrior
Please choose node type to test:
H)ybrid Dual Layer
D)or Validator
Q)uit
KEY PRESS an option HYPERGRAPH or METAGRAPH
predefined choices
-------------------------------------------
1) mainnet [HyperGraph]
2) integrationnet [HyperGraph]
3) testnet [HyperGraph]
4) dor-metagraph-mainnet [metagraph]
Q)uit
KEY PRESS an option ------ * INSTALLATION COMPLETE * -------
CONGRATULATIONS!
Below you will find your nodeid which
was derived from your p12 file
Please report this nodeid to administrative
staff to gain access to the network via the
access list permissions.
HyperGraph/metagraph ..................... hypergraph
Environment .............................. mainnet
P12 Location ............................. /home/nodeadmin/tessellation
P12 Name ................................. nodeadmin-node.p12
P12 Alias ................................ nodeadmin-alias
----- * CHECK SEED LIST REQUEST * ------
NODE ID
<your_node_id_here>
NODE ID FOUND ON SEED LIST
False
DAG WALLET ADDRESS
<your_dag_wallet_address_here>sudo nodectl install ========================================
= CONSTELLATION NETWORK HYPERGRAPH =
= VERIFY NODECTL SPECS =
= PRE-INSTALLATION TOOL =
========================================
Code Name: Princess Warrior
Please choose node type to test:
H)ybrid Dual Layer
D)or Validator
Q)uit
KEY PRESS an option HYPERGRAPH or METAGRAPH
predefined choices
-------------------------------------------
1) mainnet [HyperGraph]
2) integrationnet [HyperGraph]
3) testnet [HyperGraph]
4) dor-metagraph-mainnet [metagraph]
Q)uit
KEY PRESS an option ------ * INSTALLATION COMPLETE * -------
CONGRATULATIONS!
Below you will find your nodeid which
was derived from your p12 file
Please report this nodeid to administrative
staff to gain access to the network via the
access list permissions.
HyperGraph/metagraph ..................... hypergraph
Environment .............................. mainnet
P12 Location ............................. /home/nodeadmin/tessellation
P12 Name ................................. nodeadmin-node.p12
P12 Alias ................................ nodeadmin-alias
----- * CHECK SEED LIST REQUEST * ------
NODE ID
<your_node_id_here>
NODE ID FOUND ON SEED LIST
False
DAG WALLET ADDRESS
<your_dag_wallet_address_here>sudo nodectl auto_restart clear_alertssudo nodectl auto_restart send_reportsudo nodectl auto_restart alert_testsudo nodectl logs -l nodectlIf you have not yet created your SSH keys, please follow the instructions at the link below to generate your public and private key pair:
Once you have successfully generated your SSH keys, return here and continue to the next step.
Choose Key Pairs from the Network & Security section
Choose Actions and Import key pair
Decide on a key pair name that you will use to identify your key pair later.
You should have already created your , if not, please do so and return to this step.
Click the Browse to navigate to your public key on your local system, select that key and choose Open
Import key pair
You will be returned to the Key pairs console and should see your key pair in the list (table) of the console with details about the key.
From the Inbound rules select Add rule
Select Type SSH
Please refer to document for details on the security implications of allowing any system that is connected to the internet to have access to your SSH port. This document contains instructions on how to determine your local IP address for entry in this section.
Destination choose Custom
Choose the Add rule again.
This rule is designed for both a Hypergraph hybrid layer validator DAG layer1 and a Dor data layer 1 nodes.
Select Type Custom TCP
Port Range 9010-9011
Destination Anywhere-IPv4
This rule is designed for validator Hypergraph layer0 nodes.
Choose the Add rule again
Select Type Custom TCP
Port Range 9000-9001
You will be returned to the security group console and you should see your security group in the list table.
Maintaining an up-to-date and secure backup of your .p12 file is essential for protecting access to your Validator node and wallet. This guide will walk you through securely backing up and restoring your .p12 file using a macOS or Windows system.
This guide is designed to help you troubleshoot and restore SSH access to your Validator node when it was previously working but is now unreachable.
♻️How to SSH into VPS✅ Verify the username for the VPS you're connecting to
e.g.) nodeadmin
✅ Check your SSH key pair file names
Private key must match the server's authorized key.
✅ Confirm correct permissions
private key should be read-only: chmod 400
✅ Ensure the public key exists on the server in the correct location
✅ Confirm the private key file exists locally
Is it correctly referenced by your SSH command.
Many ISPs assign dynamic IP addresses to customer routers.
A change in your IP may cause your cloud provider’s firewall to block your SSH attempts.
💡 Example:
Try connecting again after updating the rules.
Ensure the private key file:
Still exists in the expected location
Has not been renamed or moved
Is intact and not corrupted
Has the proper permissions
Important: Once resolved, create a backup of your SSH keys if you haven’t already.
If you can still access your VPS through your cloud provider's web console:
Re-Attempt to create an SSH connection to your node.
Visit your cloud provider’s main dashboard
Look for service alerts
If the console is also unreachable, check external outage reports
From the cloud console, check the status of your VPS instance
Ensure it’s running and not reporting hardware or OS-level errors
If you cannot connect to any external site or service, confirm your own network is online
Restart your router/modem if necessary and try again later
Monitor Your Validator Node and Receive Email Alerts
sudo nodect upgrade_pathsudo nodectl upgrade_nodectl -v <version_you_found_here>sudo nodectl upgrade --nisudo nodectl upgrade --niWe will assume you decided to use a static IP address, in this example our static IP address is 13.13.13.13/32 ( Do NOT use this address, it is an example only. ) Type in 13.13.13.13/32 into the box and the blue CIDR block item will auto-populate, select it.
Hypergraph Hybrid Nodes ONLY
Destination Anywhere-IPv4
Click the Create security group button
.p12 file offline, minimizing exposure to unauthorized access or system vulnerabilities. Acceptable storage methods include:Encrypted USB drives
Hardware wallets with secure storage
Air-gapped systems
Secured Encrypted Software Vaults
cd ~/constellation-backups
rm -f my-p12file.p12cd ~/constellation-backup
rm my-p12file.p12Copy your backed-up p12 keystore file to your local Macintosh or Windows system.
mkdir ~/constellation-backup
cp /Volumes/ColdStorage/my-p12file.p12 ~/constellation-backup/
cd ~/constellation-backup
ls -lConnect your backup device or connect to your backup medium to your Windows 11 system.
Use File Explorer to copy the file into your constellation backup directory under your local user's home directory.
Verify that you see your p12 file listed.
.ssh DirectoryYour SSH terminal or remote connection application sits idle and eventually shows Connection timed out messages.
Terminal or remote terminal application will how a blank screen only
No password or key prompts appear
Not entering the SSH connection string and attempting to run commands locally instead of through your SSH tunnel.
The nodectl utility's alerting feature depends on your node being reachable. If the VPS goes offline or loses internet access, alerts cannot be transmitted and will not be delivered.
nodectl must be installed and running on your node.
A Gmail account with:
2-Step Verification enabled
A dedicated App Password (email token) created for nodectl
Check your inbox. If it ends up in spam, mark it as "not spam."
If you are sending alerts to a mobile provider email, ( sending an email to your mobile phone number in order to obtain text (SMS/MMS) message alerts ). It is important to make sure your carrier allows the message through to your phone. Some carriers may silently block messages they flag as suspicious. This may require contacting your mobile provider support with a request to allow the emails, and remove any flags as non-nefarious.
If you don’t receive emails:
Confirm your App Password was entered correctly
Ensure your Gmail account is not blocking outbound activity
Double-check that your time zone string matches the official naming convention
Use a secondary email address to confirm if messages are being blocked by your provider
Once configured, your Validator node will monitor its cluster participation status and email you alert messages and daily status reports; helping you stay informed, even when you’re away.
Convert a Version 1 p12 keystore to Version 2 for operations on Constellation Network.
Constellation Network has introduced a new version 2 standard for .p12 keystore files. These updated keystores are now required to access the Hypergraph and metagraph clusters.
Version 1 .p12 files are no longer supported.
This guide is intended to help Node Operators still using version 1 .p12 files migrate their private key to the updated version 2 format, ensuring compatibility with current network requirements.
nodectlIf you already have nodectl running:
Upload your version 1 .p12 file using the restore process.
Refer to platform-specific steps:
Restore .p12 from macOS
⚠️ Caution: Do not overwrite an existing or active
.p12file in a running Validator node environment.
If you don’t have an existing node:
Provision a new Linux VPS (Debian-based preferred).
Upload your version 1 .p12 file.
Install nodectl following the official documentation.
💡 Note: This VPS will not be used to run a Validator node. Its purpose is solely to install the required tools for migration.
✅ Minimum Requirements:
30GB of disk space
Internet connectivity
SSH access
Alternatively, install the required components manually:
java
haveged
cl-keytool.jar
cl-wallet.jar
📎 Still ensure the VPS or machine has at least 30GB of available disk space.
Once setup is complete, proceed with the following steps.
.p12 FilePlace your original version 1 .p12 file (from macOS or Windows) into the working directory of your VPS.
Example path:
Export the following environment variables using your .p12 file details. Be precise—use double quotes and match spacing exactly.
Confirm the exports:
Expected output:
Run the following command to migrate the .p12 file to version 2 format:
✅ If successful, no output will appear. If there's an issue, an error will be printed.
List the directory to verify that a new version 2 .p12 file has been created:
Expected output (example):
.p12 FileUpdate your CL_KEYSTORE variable to point to the new file:
Now display the public key to confirm the file is valid:
Example output:
Your .p12 file is now migrated from version 1 to version 2.
🔒 Important: Store the original version 1 file in a secure, offline (air-gapped) location temporarily.
To fully validate your new .p12 file:
Connect to the appropriate Constellation cluster (Layer0 or Layer1).
Export and verify the private key.
Use the new file in your validator setup or wallet integration.
If you want to use the original filename, rename your new file:
nodectl Configuration (If Applicable)If you're using nodectl and kept the _v2 filename, make sure to update the configuration:
This ensures
nodectlreferences the correct.p12file for all future operations.
You have now successfully migrated and verified your .p12 keystore to the latest version, ensuring your validator remains compatible with Constellation Network's current infrastructure.
cd ~
mkdir constellation-backup
cd ~/constellation-backupsftp -i ~/.ssh/my-node-ssh-keyname [email protected]cd /home/nodeadmin/tessellation
ls -l-rw-r--r-- 1 nodeadmin nodeadmin 31 Jun 11 14:28 my-p12file.p12get my-p12file.p12100% 31 0.3KB/s 00:00exitsftp -i ~/.ssh/my-node-ssh-keyname [email protected]cd /home/nodeadmin/tessellationput my-p12file.p12Uploading my-p12file.p12 to /home/nodeadmin/tessellation/my-p12file.p12
100% 31 0.6KB/s 00:00exitls -l /root/.ssh/
ls -l /home/ubuntu/.ssh/
ls -l /home/admin/.ssh/sudo nodectl enable_root_sshsudo cp /root/.ssh/mypublickey.pub /home/nodeadmin/.ssh/mypublickey.pubsudo chown nodeadmin:nodeadmin /home/nodeadmin/.ssh/mypublickey.pubsudo nodectl disable_root_sshssh -i ~/.ssh/my_identity_file [email protected]
ssh: connect to host 13.13.13.13 port 22: Operation timed outcd ~/.ssh
ls -lsudo nodectl auto_restart alert_testconstellation-backup
Click the right-arrow (>) to open
Under Select app, choose Other (Custom name)
Enter a name (e.g., constellation_alerts)
Click Create
Copy the generated app password (token) and store it securely
⚠️ This password will only be shown once.
If lost, delete and recreate it.
Do not use shortcuts like EST or CET.
token
The App Password (token) you generated
send method
Use multi (recommended) or single
recipient emails
Comma-separated list of emails ([email protected],[email protected])
time zone
Your exact timezone string (e.g., America/Los_Angeles)
begin alerting hour
Start time for alerts in UTC (e.g., 0 for always)
end alerting hour
End time for alerts in UTC (e.g., 0 for always)
send report hour
Hour (UTC) to receive daily report (e.g., 13 for 1 PM UTC)
gmail account
The Gmail address used to send alerts
Restore .p12 from Windows
1
Live Constellation Validator Node
Utilize an existing Constellation Network validator node with all components already installed.
2
Ephemeral VPS with nodectl
Build a temporary VPS, install nodectl, use its utility to migrate your p12 from version 1 to version 2.
3
Load utilities necessary only
Use an existing or build a temporary VPS and only install the utilities necessary to complete this guide.
ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address>sudo nodectl configure -e -cb -dN) Setup AlertingQ)uitsudo nodectl auto_restart send_report/home/nodeadmin/tessellation/export CL_KEYALIAS="myConstellationAlias"
export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation.p12"
export CL_PASSWORD="my_password"
export CL_STOREPASS="my_storepass_passphrase"
export CL_KEYPASS="my_keystore_passphrase"env | grep CL_CL_KEYALIAS=myConstellationAlias
CL_KEYSTORE=/home/nodeadmin/tessellation/myconstellation.p12
CL_PASSWORD=my_password
CL_STOREPASS=my_storepass_passphrase
CL_KEYPASS=my_keystore_passphrasejava -jar /var/tessellation/cl-keytool.jar migratels -l-rw-r--r-- 1 nodeadmin nodeadmin 1094 May 26 12:17 myconstellation_v2.p12export CL_KEYSTORE="/home/nodeadmin/tessellation/myconstellation_v2.p12"java -jar /var/tessellation/cl-wallet.jar show-public-keyEC Public Key [ee:ff:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:aa:bb:cc]
X: abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
Y: 111222333444555666777888999101010111111121212131313141414151515amv /home/nodeadmin/tessellation/myconstellation_v2.p12 /home/nodeadmin/tessellation/myconstellation.p12sudo nodectl configureIn some cases, when a new feature is introduced, it may require updating nodectl’s main configuration file, cn-config.yaml.
If the upgrade in progress does not require this step, you will not see any messages and can skip to the next step.
The migration ensures that nodectl can support the new features while preserving your existing configuration settings.
We can press Enter to accept the default y.
You will see nodectl backup your current configuration before continuing.
DANGER
If you did not encrypt you p12 keystore passphrase within the nodectl configuration file, the backup configuration yaml file MAY CONTAIN A CLEAR TEXT P12 PASSPHRASE.
FOR SECURITY PURPOSES, PLEASE REMOVE AS NECESSARY!
It is recommended to backup your p12 after the migration and upgrade completes.
The nodectl utility will attempt to identify the current version of Tessellation running on your node, as well as the latest version available on the cluster.
In most cases, you may simply press Enter to accept the default version.
Already on latest warning
If you attempt an upgrade to a version of Tessellation you are already running on your node, you may be presented with a warning message. If you intent is to upgrade to the same version over itself, you may press Enter to continue. Otherwise, you may take another action as desired.
The nodectl utility organizes your configured profiles into logical groups called environments.
Each environment typically represents a specific network cluster, such as:
MainNet
IntegrationNet
TestNet
DOR
During an upgrade process, nodectl allows you to upgrade one environment at a time. This ensures consistency and reduces risk when applying updates across network types.
Most validator nodes only have one environment configured, making the process straightforward.
When you initiate an upgrade, nodectl will display a summary showing:
The environment name
The list of associated profiles under that environment
Review this printout carefully before proceeding to ensure you’re upgrading the correct environment.
Example) dag-l1 profile.
Gracefully leaving the cluster is highly recommended before performing upgrades, maintenance, or reboots. This practice helps:
Prevent snapshot corruption
Reduce unnecessary load on the rest of the cluster
Maintain overall network health and stability
The nodectl utility automates this process by:
Issuing an internal API call to gracefully leave the cluster
Stopping the service(s) associated with the selected profile(s)
Bringing the node offline in a controlled and orderly fashion
This ensures your node exits the cluster cleanly and avoids disrupting consensus or data synchronization.
The nodectl utility will begin the upgrade process by performing several important housekeeping and system preparation steps:
Clean up abandoned utility-specific files
Removes outdated or unused internal files from previous versions
Rebuild essential configuration and support files
Ensures that all components are aligned with the latest version's requirements
Apply system-level updates
Installs the latest updates available for your current distribution
⚠️ Note: This does not upgrade the entire Linux distribution
Install or update required 3rd-party utilities
Adds or refreshes tools that nodectl depends on for proper operation
These steps help ensure that your node environment is clean, consistent, and fully prepared to run the latest version of nodectl effectively.
Similar to the backups you may have some files that were created in order to upload for diagnostics, logging, accounting, etc. We can clean up these files as well.
In the event that your node has files located in this special directory, you will be given a list of the files that will be removed and a confirmation prompt.
In most cases it is a good idea to clear your uploads. If you are in the mist of troubleshooting, you may want to retain these files.
Similar to backups, you may have accumulated a large number of log files.
Over time, these logs can consume significant disk space on your node.
Since your node also stores incremental history data and the tip of the blockchain, maintaining sufficient disk space is essential.
In most cases, it is a good idea to clear old logs; however, if you are actively troubleshooting an issue, you may want to retain these files.
The nodectl utility will attempt to determine whether the passphrase for your P12 keystore is encrypted within the cn-config.yaml configuration file.
If it detects the passphrase in plaintext, you will be prompted to encrypt it to enhance your node's security.
While encrypting your P12 passphrase is optional, it is strongly recommended.
Once a successful join is achieved, the node will begin catching up on any historical snapshots that were created while it was offline. It will complete the accumulation of historical data and retrieve the tip of the blockchain, ensuring the node's current state aligns with the cluster.
After your node completes the DownloadInProgress stage, it will transition through several additional states as it finalizes synchronization and prepares to join the network consensus rounds.
The typical progression is as follows:
WaitingForObserving
Observing
WaitingForReady
ReadyOnce your node completes these transitional stages, it will enter the Ready state.
At this point, your node is fully integrated into the network and eligible to begin participating in consensus and earning rewards.
A hybrid node includes both a Layer 1 (L1) and a Layer 0 (L0) profile running on the same VPS or server.
Layer0: DAG L0 global hypergraph layer0
Layer1 : DAG L1 currency layer
In this configuration, it's recommended to link the L1 profile to the local L0 profile. This is beneficial because, in a trustless environment, you can confidently trust the L0 node you control; essentially trusting yourself.
By linking locally in this way, you take advantage of trusted internal communication between layers while maintaining protocol integrity and minimizing external risk.
During the upgrade process, the system will attempt to join the DAG L1 (currency layer) profile to the cluster.
As explained in the previous step, the Layer 1 profile is configured to link to your local Layer 0 (dag-l0) profile. In order for this to succeed, your Layer 0 profile must first reach the Ready state.
In most cases, the Layer 0 profile takes longer to complete its startup and synchronization steps.
This means:
The Layer 1 profile may not detect the Layer 0 profile as Ready in time
As a result, it may fail to join automatically during the upgrade window
nodectl Handles ThisTo accommodate this, nodectl will:
Present a menu prompt asking whether you’d like to continue waiting or
Skip the join process and allow the upgrade to complete without joining Layer 1
If You Choose to Skip:
You can manually complete the join process later:
Use the following command to check the Layer 0 status:
Wait until it reaches Ready.
Once ready, you can either:
Run a manual join command for Layer 1:
This flexible design ensures your node upgrades cleanly, even if the timing of the Layer 0 readiness introduces delays.
After the join process completes, nodectl will:
Display summary metrics related to the upgrade operations
Restart the auto_restart feature, if it was enabled prior to the upgrade
This ensures your node continues to be monitored and automatically maintained moving forward
This final step confirms that your upgrade and cluster rejoin were successful, and your node is once again operating in a self-managed, resilient state.
sudo nodectl upgradeAre you sure you want to continue this upgrade? [y]: yUsing environment ............................. mainnetUsing environment ............................. integrationnetBacking up configuration ......................complete
Backup Date: YYYY-MM-DD-HH:MM:SSZ
Backup Location: /var/tessellation/backups/
Backup File Name: backup_cn-config_YYY-MM-DD-HH:MM:SSZ---- * VERIFY NODE UPGRADE * -----
Verify upgrade paths .......................... completeCheck permissions & versioning ................ warning
This is not a current stable version of nodectl.
Recommended to:
- Cancel this upgrade of Tessellation.
- Issue: sudo nodectl upgrade_nodectl
- Restart this upgrade of Tessellation.
WARNING non-interactive mode was detected, developer mode, or extra parameters were supplied to this upgrade.
It will continue at the node Operator's own risk and decision.Press enter to accept the default value between [] brackets.
Please enter version to upgrade to.........[v3.0.0] :Are you sure you want to clear the selected uploads? [n]: yAre you sure you want to clear the selected logs? [n]: y--------- * HANDLE PACKAGES * ----------
Download Tessellation Binaries................. running
backup files .................................. complete
Download version .............................. v3.0.0
Fetch [cl-keytool.jar -> global] .............. complete
Fetch [cl-wallet.jar -> global] ............... complete
Fetch [cl-node.jar -> dag-l0] ................. complete
Fetch [cl-dag-l1.jar -> dag-l1] ............... completeFetch [mainnet-seedlist -> dag-l0] ............ completed
Fetch [seedlist for -> dag-l1] ................ disabledStart request initiated [node_l0] ............. complete
Fetching Status [dag-l0] ......................ssh -i /path/to/ssh/private/key nodeadmin@<vps_ip_address> -p <port>auto_restart (if enabled) to detect readiness and automatically join Layer 1 when conditions are metAttempt update and migrate configuration file? [y]: yBacking up cn-config yaml ..................... completeVerify upgrade paths .......................... complete
p12 validated [dag-l0] ........................ using global
p12 validated [dag-l1] ........................ using global
Global p12 validated .......................... True
Obtaining node ID from p12 [global] ........... 11111....11111
Node IP address ............................... 113.113.113.113WARNING Tessellation is already on the latest known version.
If you are only upgrading the node's internal components because your node is exhibiting undesirable or unexpected behavior, you should accept the default and upgrade your node's version to the same version level by simply hitting <enter> here.====================
PROFILE: dag-l1
ENVIRONMENT: mainnet
METAGRAPH: hypergraph
Cluster mainnet for profile dag-l1 using v3.0.0Are you sure you want to clear the selected backups? [n]: yDo you want to encrypt the passphrase in your cn-config.yaml configuration file?
Enable encrypt? [y]:Reload the Node's services .................... complete
Starting versioning updater ................... completesudo nodectl status -p dag-l0sudo nodectl join -p dag-l1