Interoperability with other nodes

By default, nodes in Canton run a tink provider, which is not compatible with the KMS provider that stores the Canton private keys externally. If you want other nodes to keep running a non-KMS Canton, you must run the jce provider on those nodes and explicitly configure the KMS-supported algorithms as the domain's required algorithms. Here is an example of how to set this up for a simple distributed domain:

canton.domain-managers.domainManager1.crypto = {
    provider = jce
    signing.default = ec-dsa-p-256
    encryption.default = rsa-2048-oaep-sha-256
}
# necessary to inform all nodes that these are the required signing and encryption schemes
canton.domain-managers.domainManager1.init.domain-parameters = {
    required-signing-key-schemes = [ ec-dsa-p-256 ]
    required-encryption-key-schemes = [ rsa-2048-oaep-sha-256 ]
}

canton.sequencers.sequencer1.crypto = {
    provider = jce
    signing.default = ec-dsa-p-256
    encryption.default = rsa-2048-oaep-sha-256
}

canton.mediators.mediator1.crypto = {
    provider = jce
    signing.default = ec-dsa-p-256
    encryption.default = rsa-2048-oaep-sha-256
}

And here is an example for a participant:

canton.participants.participant2.crypto = {
    provider = jce
    signing.default = ec-dsa-p-256
    encryption.default = rsa-2048-oaep-sha-256
}

In other words, a node running with a kms provider (which stores the Canton private keys externally) can only communicate with other nodes running a kms or jce provider.
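A pre-flight check that applies these two rules to a set of node configurations before they are deployed, as an added example that is not Canton's own code: a KMS node can only talk to kms or jce nodes, and each node's default signing and encryption scheme must be among the schemes the domain declares as required. The node definitions below are constructed to mirror the configuration above, with an assumed participant1 on a kms provider and a deliberately misconfigured participant3 left on the default tink provider; the scheme names used for that tink node are only illustrative.

```python
"""Pre-flight interoperability check for Canton crypto providers.

Added example, not Canton code. It encodes the rules stated on this page:
  * a node whose private keys live in a KMS (provider = kms) can only
    communicate with nodes running a kms or jce provider, never tink;
  * every node's default signing/encryption scheme must be one of the
    schemes listed in the domain's required-*-key-schemes parameters.
"""
from dataclasses import dataclass

# Providers that can interoperate with a node storing its keys in a KMS (from the page).
KMS_COMPATIBLE_PROVIDERS = frozenset({"kms", "jce"})


@dataclass(frozen=True)
class CryptoConfig:
    """Mirrors the crypto block of one node: provider, signing.default, encryption.default."""
    provider: str
    signing_default: str
    encryption_default: str


@dataclass(frozen=True)
class DomainParameters:
    """Mirrors init.domain-parameters.required-*-key-schemes."""
    required_signing_key_schemes: frozenset
    required_encryption_key_schemes: frozenset


def check_interoperability(nodes: dict, params: DomainParameters) -> list:
    """Return a list of problems (strings); an empty list means every node can interoperate."""
    problems = []
    kms_present = any(cfg.provider == "kms" for cfg in nodes.values())
    for name, cfg in nodes.items():
        # Rule 1: once any node keeps keys in a KMS, tink nodes cannot talk to it.
        if kms_present and cfg.provider not in KMS_COMPATIBLE_PROVIDERS:
            problems.append(
                f"{name}: provider '{cfg.provider}' cannot interoperate with a KMS node"
            )
        # Rule 2: the node's defaults must be schemes the domain requires.
        if cfg.signing_default not in params.required_signing_key_schemes:
            problems.append(
                f"{name}: signing scheme '{cfg.signing_default}' is not a required signing scheme"
            )
        if cfg.encryption_default not in params.required_encryption_key_schemes:
            problems.append(
                f"{name}: encryption scheme '{cfg.encryption_default}' "
                "is not a required encryption scheme"
            )
    return problems


# Constructed sample: the domain parameters and jce nodes from the page, plus an
# assumed kms participant and a misconfigured participant still on tink.
JCE = CryptoConfig("jce", "ec-dsa-p-256", "rsa-2048-oaep-sha-256")
EXAMPLE_PARAMS = DomainParameters(
    required_signing_key_schemes=frozenset({"ec-dsa-p-256"}),
    required_encryption_key_schemes=frozenset({"rsa-2048-oaep-sha-256"}),
)
EXAMPLE_NODES = {
    "domainManager1": JCE,
    "sequencer1": JCE,
    "mediator1": JCE,
    "participant1": CryptoConfig("kms", "ec-dsa-p-256", "rsa-2048-oaep-sha-256"),  # assumed KMS node
    "participant2": JCE,
    # Constructed misconfiguration: still on tink with illustrative tink-style defaults.
    "participant3": CryptoConfig("tink", "ed25519", "ecies-p256-hmac-sha256-aes128-gcm"),
}


def healthy_nodes() -> dict:
    """The same deployment with the tink node removed; expected to pass the check."""
    return {name: cfg for name, cfg in EXAMPLE_NODES.items() if cfg.provider != "tink"}


if __name__ == "__main__":
    for problem in check_interoperability(EXAMPLE_NODES, EXAMPLE_PARAMS):
        print(problem)
    print("healthy deployment problems:", check_interoperability(healthy_nodes(), EXAMPLE_PARAMS))
```

Run against the constructed deployment, the check reports three problems, all for participant3 (wrong provider, and a signing and an encryption scheme the domain does not require); dropping that node yields an empty list. The check is a configuration review aid only and does not replace the validation Canton itself performs when nodes connect.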

See this table for a description of the cryptographic schemes supported by the KMS provider.