Professional Documents
Culture Documents
Block Chain
Block Chain
Important: Before you use an IBM Blockchain Platform offering, read the technical and support information in the
Disclaimer section.
Where do you want to deploy the platform? Multiple Kubernetes distributions A Kubernetes cluster on IBM
on a private, public, or hybrid Cloud
multicloud
See Supported
See Supported Platforms) configuration
Where can I learn more? See About IBM Blockchain See About IBM Blockchain
Platform 2.5.3 Platform for IBM Cloud
Ready to get started? See Step one: Install the IBM See Getting started with
Blockchain Platform IBM Blockchain Platform for
IBM Cloud
Next steps
After you deploy IBM Blockchain Platform in the environment of your choice, you can set up the network with consortium, nodes,
channels, smart contracts, and start transactions on it. For more information, see the task topics under the HOW TO section in
the left navigation of this documentation.
Getting support
IBM offers various support options on IBM-implemented blockchain solutions. For more information about IBM Blockchain
Platform support, see Getting support.
Target audience: This topic is designed for system administrators who are responsible for setting up a Kubernetes cluster on
IBM Cloud and for deploying IBM Blockchain Platform.
If you are interested in learning more about how to use IBM Blockchain Platform on Red Hat OpenShift Container Platform, Red
Hat Open Kubernetes Distribution (OKD), or Kubernetes, see Getting started with IBM Blockchain Platform 2.5.3.
If you are an experienced Hyperledger Fabric customer and are interested in learning more about how to use the IBM
Blockchain peer, CA, orderer, and smart contract containers images, see Using the IBM Blockchain images .
After you link your IBM Blockchain Platform to your Kubernetes cluster on IBM Cloud, you can launch the console to create and
manage your blockchain components and experience the following important benefits:
Control: You control and manage your blockchain components and certificates from one central console. Deploy only the
components needed for your business and add more as your need grow.
Flexible Kubernetes based deployment: You can take advantage of the compute (CPU, memory, storage) options for your
Kubernetes cluster and leverage built-in HA and DR options.
IBM Blockchain Platform Console (UI): This is the console that allows you to create and manage your blockchain
components. After you provision a service instance in IBM Cloud, you can deploy an instance of the IBM Blockchain
Hyperledger Fabric Components: The console is used to create and manage blockchain components that are based on
Hyperledger Fabric v1.4.12 and v2.2.5 Certificate Authority, peer, and ordering service images. These components are
deployed into your Kubernetes cluster and storage is provisioned for them using the default storage class when they are
deployed.
Considerations
Before you deploy the console, ensure that you understand the following considerations:
IBM Blockchain Platform for IBM Cloud is built with Hyperledger Fabric v1.4.12 and v2.2.5.
You have the option to link your IBM Blockchain Platform service instance to a free Kubernetes cluster for evaluation of
the offering, however capacity and performance are limited, none of your data can be migrated, and the cluster is deleted
after 30 days.
You are responsible for the management of health monitoring, security, and logging of your Kubernetes cluster. See this
information for details on what IBM Cloud manages and what you are responsible for.
You are also responsible for monitoring the resource usage of your Kubernetes cluster by using the Kubernetes
dashboard. If you need to increase storage capacity of your cluster, see this information on how to modify your existing
volume:
IBM File Storage
Portworx
Block storage
You are responsible for managing and securing your certificates and private keys. IBM does not store your certificates in
the Kubernetes cluster.
IBM Blockchain Platform is available in select regions. Refer to this topic on IBM Blockchain Platform locations for an
updated list.
IBM Blockchain Platform is compatible with a Kubernetes cluster on IBM Cloud running Kubernetes v1.23 - v1.24.
The default storage that is pre-selected for you when you provision a Kubernetes cluster in IBM Cloud isGold. If you do
not want to use the default File Storage that is pre-selected for you when you provision a Kubernetes cluster in IBM Cloud,
you can provision storage of your choice. See this topic on Persistent storage considerations to learn more.
If you decide to include IBM Cloud multi-zone support in your Kubernetes cluster, you must provision your own storage.
See Using Multizone (MZR) clusters with IBM Blockchain Platform for more details.
Kubernetes clusters that are configured with private VLANs are not supported.
Video tutorial
Watch the following video series to learn more about the IBM Blockchain Platform console and how you can get started to
deploy IBM Blockchain Platform for IBM Cloud.
Ensure that you have an IBM Cloud paid account. If you do not have an account:
1. Click the Sign up button.
2. After you create a free trial account, upgrade it to aPay-As-You-Go type by going to Manage > Billing and Usage >
Billing in the IBM Cloud console, and clicking Add Credit Card.
3. Ensure that the user has both Administrator and Manager roles for the Kubernetes cluster that they will link to their
blockchain service instance. See these steps on how to assign Kubernetes access roles for more information.
Tip: When you plan to use the service instance in the context of a broader organization-wide solution, it is recommended
that the participating organizations use a functional email address to create their network. In this case, access to the
network does not depend on any single individual's availability.
If you plan to use a Hardware Security Module (HSM) to generate and store the private key for your peer and ordering
nodes, you can configure the HSM before you deploy the platform. Along with deploying the HSM device itself, in order for
the blockchain components to access the HSM partition, you also need to publish an HSM client image to a container
registry. If you decide to publish an HSM client image to a container registry, you can enable HSM support for the platform
by providing the image URL when you link the service to your cluster. See the instructions in Configuring a node to use a
Hardware Security Module to learn how to deploy the HSM and publish the HSM client image. If the HSM device is not yet
available, you can always come back later and enable the HSM support for the platform when it is ready.
Zero downtime is an important goal of your blockchain network. Review the topic on High Availability for considerations
when configuring your Kubernetes cluster and blockchain components.
If you plan to use a Kubernetes cluster that contains multiple zones, ensure that VLAN spanning is enabled in your
account. This setting allows worker nodes to communicate between zones.
The user who links the service to the Kubernetes cluster must haveStorage Manage permissions. From the IBM Cloud
dashboard, navigate to Manage > Access (IAM), then choose Users, and click the user who will link the service to the
Kubernetes cluster. Click the Classic infrastructure tab, expand the Services twistie, and select Storage Manage. Click
Apply to add this permission for the user.
Browsers
The IBM Blockchain Platform console has been successfully tested on the following browsers:
Resources required
** Preview the IBM Blockchain Platform at no charge for 30 days when you link your IBM Blockchain Platform service instance to
an IBM Cloud Kubernetes free cluster. Performance will be limited by throughput, storage and functionality. IBM Cloud will
delete your Kubernetes cluster after 30 days and you cannot migrate any nodes or data from a free cluster to a paid cluster. Also
note that when components are deployed to a free cluster, the resource allocation for the nodes is sized smaller than a paid
cluster.
Note: These resources are sufficient for testing and experimentation. The Build a network tutorial, in which you create
Paid clusters
Production level deployments of the IBM Blockchain Platform will be deployed to a paid cluster of IBM Cloud Kubernetes
Service. The size and configuration of this cluster will depend on the needs of your particular use case. Bigger deployments will
necessarily need to be deployed on bigger clusters. How much bigger your cluster is than your projected deployment is up to
you. Having at least some headroom is desirable, as it will allow peers and ordering services to be a part of additional channels
and take on higher throughput without having to deploy additional resources into your Kubernetes cluster before adjusting the
size of your nodes. For more information about how these values are adjusted, see Reallocating resources.
Creating an initial deployment of sufficient size to allow growth is particularly important for users who will choose to not use the
Kubernetes Service or OpenShift autoscaler, which can take on some of the burden of deploying additional nodes and pods for
the user.
While it is simpler to have enough resources deployed to IBM Cloud Kubernetes Service and be able to expand your pods and
worker nodes as you see fit without having to increase your Kubernetes cluster deployment first, bigger Kubernetes cluster
deployments will cost more money. Users will have to consider their options carefully and recognize the tradeoffs they are
making regardless of the option they choose.
For a sense of how much storage and compute you will need in your cluster, refer to this chart, which contains the current
defaults for the peer, ordering node, and CA:
Peer (Hyperledger Fabric v1.4) 1.1 2.8 200 (includes 100GB for peer and 100GB for state database)
Peer (Hyperledger Fabric v2.x) 0.7 2.0 200 (includes 100GB for peer and 100GB for state database)
CA 0.1 0.2 20
Table 2. Recommended resources for nodes on IBM Blockchain Platform for IBM Cloud
Note that when smart contracts are installed on peers that run a Fabric v2.x image, the smart contract is launched in its own pod
instead of a separate container on the peer, which accounts for the smaller amount of resources required on the peer.
Tip: If you plan to deploy a five node Raft ordering service, note that the total of your deployment will increase by a factor
of five. So a total of 1.75 CPU, 3.5 GB of memory, and 500 GB of storage for the five Raft nodes. A 4x16 Kubernetes two
worker node cluster is minimally recommended to allow plenty of CPU for the Raft cluster and any other nodes you
deploy.
Every cluster on your Kubernetes cluster on IBM Cloud comes with predefined, default storage class that is used to provision
persistent storage on IBM Cloud. When you deploy a blockchain node to that cluster by using the IBM Blockchain Platform
console or the APIs, the node uses this default storage class to dynamically provision the amount of storage that you specify
on IBM Cloud.
Important: For IBM Cloud Kubernetes service, the default storage class is Gold File Storage backed by Endurance
File Storage. See Deciding on the File Storage configuration for more details. OpenShift clusters default to Gold Block
Storage. If you need to change your default storage class, see Ordering File Storage with pre-defined IOPS Tiers
(Endurance) and then follow instructions to configure a custom storage class.
Multizone-capable storage
If your Kubernetes cluster is configured with SDS (Portworx) storage, you can leverage multizone-capable storage for your
nodes. Without multizone-capable storage, if an entire zone goes down, any blockchain nodes in that zone cannot automatically
come up in another zone because their associated persistent storage is unavailable in the failed zone. When multizone-capable
storage is configured for high availability, if a zone failure occurs, the nodes can come up in another zone, with their associated
storage intact, ensuring high availability of the node. To learn more about multizone-capable storage, see the comparison of
persistent storage options for multizone clusters on OpenShift or IBM Cloud Kubernetes service. When you deploy a peer,
ordering service, or ordering node, select the advanced deployment option labeled Deployment zone selection and then select
Across all zones to configure the component for this high availability capability.
Important: After you deploy blockchain nodes to your cluster, you should not change the default storage class. This
will result in losing the storage for the CAs, peers, and ordering nodes that are already deployed. Therefore, you need to
decide on your storage before you deploy any blockchain nodes.
Note: If you are setting up an IBM Blockchain Platform network in an MZR cluster and want your components to
eventually fail over between data centers, you should select Portworx as your storage type. Otherwise, if you use File
Storage for your node in your MZR cluster and the zone fails, you will need to provision that component again later.
Currently, if a data center (or zone) goes down, the node will not automatically come up in another zone, regardless of the
storage type that is used for the node. However, if one of the nodes fails in a single zone, it will automatically failover to
another node in the same zone regardless of the storage type that is being used for that node.
After you create the storage class, run the kubectl patch storageclass command above to set the storage class of the
multizone region to be the default storage class.
IBM Cloud Catalog Use the IBM Cloud Catalog to deploy blockchain to an IBM Kubernetes service or OpenShift cluster in
IBM Cloud. With this software-as-a-service option, IBM manages the maintenance and the updates to the console for you,
but you can choose when to update your blockchain components.
Red Hat Marketplace OpenShift customers who are already familiar with the OpenShift Container (OC) CLI and the Red
Hat Marketplace may prefer to use this option. Note that with this option, you are responsible for the maintenance of your
console and blockchain components.
Multicloud Not running an OpenShift or Kubernetes cluster in IBM Cloud? The IBM Blockchain Platform 2.5.3 can be
installed on your OpenShift or Kubernetes cluster in your cloud or on-prem. With this option as well, you are responsible
for the maintenance of your console and blockchain components.
Deployment options
Target audience: This topic is designed for system administrators who are responsible for setting up a Kubernetes cluster on
IBM Cloud and for deploying IBM Blockchain Platform.
In the Cloud Catalog, find the Kubernetes Service tile and click it. Note that you have two types of Kubernetes clusters you can
deploy: an IBM Kubernetes Service cluster or an OpenShift cluster. The IBM Blockchain Platform can be linked to either one.
Your choice of cluster will be based on your use case.
For more information about the IBM Kubernetes Service, see Getting started with IBM Cloud Kubernetes Service.
For more information about OpenShift, see About the OpenShift Kubernetes Engine.
As both IBM Kubernetes Service clusters and OpenShift clusters are based on Kubernetes, you will find that many of the
underlying decisions about hardware and storage types will be the same regardless of which cluster provider you choose. Note
that the Kubernetes version of the cluster you deploy must be v1.23 - v1.24 to be compatible with the IBM Blockchain Platform.
Note that if you want high availability or disaster recovery, you will need to make a decision about the storage class you are
using. The default storage class on the cluster will be used by the dynamic provisioning. So, customers can set any storage
class as the default. For more information, see Deciding on the file storage configuration.
For instructions on what to do when your Kubernetes cluster expires, see this topic on Kubernetes cluster expiration.
Step two: Link the instance to your Kubernetes cluster on IBM Cloud
After you click Create to create your service instance, you'll be taken to the panel where you can link your service instance to
your cluster.
If you have not already created a Kubernetes cluster in IBM Cloud, clickCreate a Kubernetes cluster on IBM Cloud. You will be
taken to the catalog page and have to follow the process described in Deploy a Kubernetes cluster on IBM Cloud.
If you already have a cluster, you can link your service instance to it by clickingLink a Kubernetes cluster on IBM Cloud and
The cluster creation process can take up to 60 minutes to complete. If you created a cluster, allow some extra time until
the state of your cluster becomes Normal.
Clusters that are outside the supported regions are not visible and cannot be used.
Check to make sure you are not using the ESR version of Firefox. If you are, switch to another browser such as Chrome and
retry.
If you have a multi-zone region ( MZR) cluster you need to enable VLAN spanning.
If your cluster is available, select it and click Next. It might take a few minutes for the console to finish being linked to your
cluster. When the linking process has finished, click Launch the IBM Blockchain Platform console to open the console. You are
now ready to start exploring the console.
Figure 2: Deploying the IBM Blockchain Platform to a Kubernetes cluster on IBM Cloud.
Pod: When each Certificate Authority, peer, ordering service, or smart contract is deployed, a new Pod is created in a
worker node in your cluster. Every time you deploy a smart contract, a new pod is launched for the smart contract.
App containers: Containers are created inside the pods for each node that is deployed.
Persistent Storage: Storage for each node is dynamically provisioned from the Kubernetes clusterdefault storage class
every time a node is deployed.
The following illustration shows how the IBM Blockchain Platform components are deployed to the Kubernetes
cluster assuming Hyperledger Fabric v1.4 images are used by the peer.
Figure 3: Deploying the IBM Blockchain Platform to a Kubernetes cluster on IBM Cloud.
Pod: When each Certificate Authority, peer, or ordering service is deployed, a new Pod is created in a worker node in your
cluster.
App containers: Containers are created inside the pods for each node that is deployed.
Persistent Storage: Storage for each node is dynamically provisioned from the Kubernetes clusterdefault storage class
every time a node is deployed.
Next steps
Before you create any nodes, you need to decide on the storage plug-in for your Kubernetes cluster. If you are just getting
started and trying things out, Bronze file storage is suitable. However, if your cluster is running Kubernetes v1.19 or
higher, Gold File Storage is preselected for your cluster by default. To change the default storage for your cluster, see this
topic on Persistent storage considerations to learn more.
Now that your console is ready to use, you can go ahead to the Build a network tutorial. Consider bookmarking the URL of
your console so you can come back at a later time if needed. Otherwise, you can follow the steps in the Post-install
Important: Before upgrading to Kubernetes version v1.23 - v1.24, ensure that you have migrated to Kubernetes ingress
controllers.
You can check the Kubernetes version of your cluster in the Kubernetes clusters page on IBM Cloud, which lists all your clusters
in a table.
For instructions on how to update Kubernetes, see Updating clusters, worker nodes, and cluster components. For the list of IBM
Cloud Kubernetes Service supported versions and expiration dates see the release history.
You must wait for the update to complete before you can resume the IBM Blockchain Platform deployment.
$ 1. In the IBM Cloud dashboard, click the **Manage** drop-down list, then **Access (IAM)**.
2. In the left navigation menu, click **Users** and click the ID of user who will link the service
instance to the Kubernetes cluster.
3. Click **Access Policies**, then **Assign access**.
4. Click the tile **Assign access to resources**.
5. In the Services drop-down list, select **Kubernetes Service**.
6. Check the **Administrator** and **Manager** roles for this user.
7. Click **Assign**.
For more information about Kubernetes access control, see how to pick the right access policy and role for your users.
Post-install instructions
After you deploy your console, you can click the Launch the IBM Blockchain Platform button to open the console in your
browser. You can add the console URL as a bookmark to your browser.
1. In your browser, open IBM Cloud Resource list. You need to log in with your IBM ID.
2. Your IBM Blockchain Platform service instance is visible under the Services twistie. Locate the IBM Blockchain Platform
service instance that you deployed and click it.
3. On the subsequent panel, click Manage in the left navigation and then click Launch the IBM Blockchain Platform.
Important: If the service instance contains organizations that are participating in an active network, you should remove
the organization from the network before you delete the service instance. See Removing an organization for more details.
Important: Choose this option carefully. If you delete a service instance, the storage associated with each node is
deleted and cannot be restored. All your ledger data will be deleted.
If your service instance deletion fails, it could be because the Kubernetes cluster is not accessible. If this occurs, open a support
ticket to request the service instance deletion.
Red Hat Marketplace provides a simplified alternative method for deploying an instance of the IBM Blockchain Platform to your
cluster instead of the manual deployment steps or by using Ansible playbook scripts.
With just a few simple steps, you can get started with the IBM Blockchain Platform. After you install the operator to your
OpenShift project, you can create a subscription that allows you to deploy the blockchain console UI.
Important: Currently, you cannot deploy certificate authorities (CAs), peers, and ordering nodes directly, then, use the
console to deploy those nodes instead. This tutorial includes only instructions for installing the console.
To learn more about the Marketplace see the Red Hat documentation.
Limitations
IBM Blockchain Platform 2.5.3 is supported on Red Hat OpenShift 4.4+.
You are responsible for the management of health monitoring, logging, and resource usage of your blockchain
components.
IBM Blockchain Platform is not supported on OpenShift Online.
Mutual TLS is not supported between your applications and your blockchain nodes.
You cannot use the extended support release(EMC Symmetrix for R) version of Firefox to log in to the IBM Blockchain
Platform console.
Note: You must have the cluster administrator role to install the operators from the Red Hat Marketplace.
1. These instructions assume you already have a Kubernetes cluster available in OpenShift Container Platform v4.4+ and
that you created a project for your IBM Blockchain deployment. Unsure how to create a project? See Create a project for
9. Next, update the Security Context Constraint command settings to use the Fabric and Console namespaces.
Figure 3. Update Security Context Constraint command settings to use the Fabric and Console namespaces.
10. If your OpenShift cluster is behind a firewall, see Deploy from Red Hat Marketplace (airgap installation).
11. Continue to Step one: Apply the Security Context Constraint.
Copy and save the following security context constraint object to your local system as ibp-scc.yaml . Edit the file and replace
<PROJECT_NAME> with the name of your project.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- NET_BIND_SERVICE
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
- FOWNER
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
fsGroup:
type: RunAsAny
groups:
- system:serviceaccounts:<PROJECT_NAME>
kind: SecurityContextConstraints
metadata:
name: <PROJECT_NAME>
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
type: RunAsAny
seLinuxContext:
Run the following commands to add the file to your cluster and add the constraint to your project:
Replace <PROJECT_NAME> with the name that you want to use for your IBM Blockchain Platform deployment project.
When the command is successful, you see a response that is similar to the following example:
securitycontextconstraints.security.openshift.io/blockchain-project created
scc "blockchain-project" added to: ["system:serviceaccounts:blockchain-project"]
Note: The required global pull secret is automatically copied from the openshift-config namespace to the ibp
namespace. However, if the ibm-entitlement-keyimage pull secret is missing from the ibp namespace, manually
copy the secret to the ibp namespace and reference it in your YAML file, as described below.
5. In the YAML tab, you see the YAML code as follows. Right-click tocopy only the last two sets of codes. Those are the
secret data and the secret data handling type.
6. After you copied the two sets of codes, go to the left navigation, clickSecrets. Then, use the Create drop down from the
upper right of the page to switch to From YAML.
7. Paste your two sets of codes under the existing YAML code.
8. Replace the existing YAML code by copying the following:
kind: Secret
apiVersion: v1
metadata:
name: regcred
namespace: <Your Blockchain Platform namespace>
All customers need to deploy an instance of the IBP Console to simplify the deployment and management of their blockchain
networks. The console itself is free. You are only billed for the blockchain nodes that you create by using the console.
Important: Note that this tutorial only includes instructions for deploying an instance of theIBP Console. Currently, you
cannot deploy Certificate Authorities (CAs), peers, and ordering nodes directly, you should use the console to deploy
those nodes instead.
apiVersion: ibp.com/v1beta1
kind: IBPConsole
metadata:
name: ibpconsole
namespace: example
labels:
app.kubernetes.io/name: "ibp"
app.kubernetes.io/instance: "ibp"
app.kubernetes.io/managed-by: "ibm-ibp"
spec:
email: <EMAIL>
password: <PASSWORD>
imagePullSecrets:
- regcred
registryURL: cp.icr.io/cp
license:
accept: <ACCEPT>
networkinfo:
domain: <DOMAIN>
storage:
console:
class: ''
size: 5Gi
serviceAccountName: ibm-blockchain
usetags: true
version: 2.5.3
Accept the IBM Blockchain Platform license by replacing <ACCEPT> with the text true.
Replace <EMAIL> with the email address that you want to use for the console administrator.
Replace <PASSWORD> with the password of your choice. This password becomes the default password for the console
administrator but they are required to change it the first time they log in.
Replace <DOMAIN> with the name of your cluster domain. You can find this value from your OpenShift web console URL.
Examine the URL for the current page. It is similar to: https://console-openshift-console.pa-0803-ocp43-
0defdaa0c51bd4a2dcb024eab4bf04a1-0000.us-
south.containers.appdomain.cloud/k8s/ns/pa0804/clusterserviceversions/ibm-
blockchain.v2.5.3/ibp.com~v1beta1~IBPConsole/~new. The value of the domain then would be pa-0803-ocp43-
0defdaa0c51bd4a2dcb024eab4bf04a1-0000.us-south.containers.appdomain.cloud, after you remove console-
openshift-console and /k8s/ns/pa0804/clusterserviceversions/ibm-
blockchain.v2.5.3/ibp.com~v1beta1~IBPConsole/~new.
You also need to make additional edits to the file depending on your choices in the deployment process. For example, if you
created a new storage class for your network, provide the storage class that you created to the class: field.
Tip: If you are running OpenShift on Azure, you also need to change the storage class from default to azure-
standard , unless you created your own storage class.
When you are satisfied with your edits to the specification, click Create.
After you create the console, you can verify that the console deployment is succeeded. See Step four: Verify the console
installation for instructions on verifying and accessing the console.
apiVersion: ibp.com/v1beta1
kind: IBPConsole
metadata:
name: ibpconsole
namespace: your-project
labels:
app.kubernetes.io/name: "ibp"
app.kubernetes.io/instance: "ibp"
app.kubernetes.io/managed-by: "ibm-ibp"
spec:
email: <EMAIL>
password: <PASSWORD>
imagePullSecrets:
- regcred
registryURL: cp.icr.io/cp
license:
accept: <ACCEPT>
networkinfo:
domain: <DOMAIN>
storage:
console:
class: default
size: 5Gi
serviceAccountName: ibm-blockchain
usetags: true
version: 2.5.3
clusterdata:
zones:
resources:
console:
requests:
cpu: 500m
memory: 1000Mi
limits:
cpu: 500m
memory: 1000Mi
configtxlator:
limits:
cpu: 25m
memory: 50Mi
requests:
cpu: 25m
memory: 50Mi
couchdb:
limits:
cpu: 500m
memory: 1000Mi
requests:
cpu: 500m
memory: 1000Mi
deployer:
limits:
cpu: 100m
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
You can use the resources: section to allocate more resources to your console. The values in the example file are the
default values allocated to each container. Allocating more resources to your console allows you to operate a larger
If you plan to use the console with a multizone Kubernetes cluster, you need to add the zones to the
clusterdata.zones: section of the file. When zones are provided to the deployment, you can select the zone that a
node is deployed to using the console or the APIs. As an example, if you are deploying to a cluster across the zones of
dal10, dal12, and dal13, you would add the zones to the file by using the format below.
clusterdata:
zones:
- dal10
- dal12
- dal13
Important: Unlike the resource allocation, you cannot add zones to a running network. If you have already deployed a
console and used it to create nodes on your cluster, you will lose your previous work. After the console restarts, you need
to deploy new nodes.
You can use a Certificate Authority or tool to create the TLS certificates for the console. The TLS certificate needs to include the
hostname of the console and the proxy in the subject name or the alternative domain names. The console and proxy hostname
are in the following format:
Replace <PROJECT_NAME> with the name of your IBM Blockchain Platform deployment project.
Replace <DOMAIN> with the name of your cluster domain. You can find this value from your OpenShift web console URL.
Examine the URL for the current page. It is similar to: https://console-openshift-console.pa-0803-ocp43-
0defdaa0c51bd4a2dcb024eab4bf04a1-0000.us-
south.containers.appdomain.cloud/k8s/ns/pa0804/clusterserviceversions/ibm-
blockchain.v2.5.0/ibp.com~v1alpha2~IBPConsole/~new. The value of the domain then would be pa-0803-ocp43-
0defdaa0c51bd4a2dcb024eab4bf04a1-0000.us-south.containers.appdomain.cloud, after you remove console-
openshift-console and /k8s/ns/pa0804/clusterserviceversions/ibm-
blockchain.v2.5.0/ibp.com~v1alpha2~IBPConsole/~new.
Navigate to the TLS certificates that you plan to use on your local system. Name the TLS certificate tlscert.pem and the
corresponding private key tlskey.pem . Run the following command to create the Kubernetes secret and add it to your
OpenShift project. The TLS certificate and key need to be in PEM format.
Replace <PROJECT_NAME> with the name of your IBM Blockchain Platform deployment project.
After you create the secret, add the tlsSecretName field to the spec: section with one indent added, at the same level as the
apiVersion: ibp.com/v1beta1
kind: IBPConsole
metadata:
name: ibpconsole
namespace: your-project
labels:
app.kubernetes.io/name: "ibp"
app.kubernetes.io/instance: "ibp"
app.kubernetes.io/managed-by: "ibm-ibp"
spec:
email: <EMAIL>
password: <PASSWORD>
imagePullSecrets:
- regcred
registryURL: cp.icr.io/cp
license:
accept: <ACCEPT>
networkinfo:
domain: <DOMAIN>
storage:
console:
class: default
size: 5Gi
serviceAccountName: ibm-blockchain
usetags: true
version: 2.5.3
tlsSecretName: "console-tls-secret"
clusterdata:
zones:
- dal10
- dal12
- dal13
If your console deployment is successful, you can see ibpconsole added to the deployment table, with a status of 4/4 . The
console takes a few minutes to deploy. You might need to rerun the command and wait for the table to be updated.
The console consists of four containers that are deployed inside a single pod:
If there is an issue with your deployment, you can view the logs from one of the containers inside the pod. First, run the following
command to get the name of the pod the console is deployed in:
Then, use the following command to get the logs from one of the four containers:
Replace <PROJECT_NAME> with the name of your IBM Blockchain Platform deployment project.
As an example, a command to get the logs from the UI container would look like the following example:
You can find the URL of your blockchain console from the OpenShift cluster dashboard.
4. In the Data section, you see the HOST_URL field. This is the URL of your console that you can now use to log in. It looks
similar to the following example:
$ https://blockchain-project-ibpconsole-console.xyz.abc.com
For the User ID, use the value you provided for the email: field in the console specification in step two.
For the Password, use the value you encoded for the password: field in the console specification in step two. This
password becomes the default password for the console that all new users use to log in to the console. After you log in for
the first time, you are asked to provide a new password that you can use to log in to the console.
Important: Ensure that you are not using the ESR version of Firefox. If you are, switch to another browser such as Chrome
and log in.
The administrator who provisions the console can grant access to other users and restrict the actions they can perform. For
more information, see Managing users from the console in the IBM Blockchain Platform 2.5.3 documentation.
Important: If you want to delete the operator, make sure to delete any instances associated with it first.
To delete an instance, navigate to the Operators tab and then click Installed Operators. From here, click IBM Blockchain and
then the All instances tab. Find the instance you that want to delete and click the settings button to the right of the instance.
Then, click Delete (the name of your instance).
Alternatively, you can use the CLI to switch to the OpenShift project that you created for your blockchain network:
$ ```
oc project <PROJECT_NAME>
```
And then remove any instances or the IBM Blockchain operator by using the OpenShift CLI. For example, this command would
delete the operator:
$ ```
kubectl delete deployment ibp-operator
```
Next steps
When you access your console, you can use the Nodes tab of your console UI to create CAs, peers, or an ordering service. See
the Build a network tutorial to get started with the console.
To learn how to manage the users that can access the console, view the logs of your console and your blockchain components,
see Administering your console.
Support
Support is provided for the paid version of the Red Hat Marketplace offering and support cases can be opened through the Red
Hat Marketplace support portal. Customers that use the trial version from Red Hat Marketplace, can refer to self-help resources
for assistance.
If you are using the CLI, create a new project by the following command:
oc new-project <PROJECT_NAME>
Replace <PROJECT_NAME> with the name that you want to use for your IBM Blockchain Platform deployment project.
Important: It is required that you create a new OpenShift project for each blockchain network that you deploy with the
IBM Blockchain Platform. For example, if you plan to create different networks for development, staging, and production,
then you need to create a unique project for each environment. Each project creates a new Kubernetes namespace. Using
a separate namespace provides each network with separate resources and allows you to set unique access policies for
each network. You need to follow these deployment instructions to deploy a separate operator and console for each
project.
When you create a new project, a new namespace is created with the same name as your project. You can verify that the
existence of the new namespace by using the oc get namespace command:
$ $ oc get namespace
NAME STATUS AGE
blockchain-project Active 2m
A key benefit of the platform is that IBM tests the open source code for security vulnerabilities daily and provides 24x7x365
support with SLAs appropriate for production environments.
If you are interested in learning more about how to use IBM Blockchain Platform on Red Hat OpenShift Container Platform, Red
Hat Open Kubernetes Distribution, or any Kubernetes v1.23 - v1.24 container platform on x86_64 hardware, see Getting started
with IBM Blockchain Platform 2.5.3.
If you are an experienced Hyperledger Fabric customer and are interested in learning more about how to use the IBM
Blockchain peer, CA, orderer, and smart contract container images, see Using the IBM Blockchain images.
Watch the following video for an introduction to blockchain and the IBM® Blockchain Platform:
Video script
Video transcript
Deploy easily. Use Ansible Playbooks or the Red Hat Marketplace to deploy networks quicker than ever before.
Easily code your smart contracts in Node.js, Golang, Java, or JavaScript. Use the IBM Blockchain Platform Developer
Tools to easily develop smart contracts locally. Leverage SDK integration with the console, and learn from our rich
tutorials and samples.
Simplified DevOps allows you to move from development to test to production in a single environment by scaling up your
Kubernetes resources to add more components.
Up-to-date Fabric key features. Choose which version of Hyperledger Fabric you want to use when deploying peers or
ordering nodes. Leverage the latest features of Hyperledger Fabric v1.4.12 and v2.2.5:
Smart contract lifecycle
Raft ordering service
Private data collections that provide increased data privacy by ensuring that ledger data is shared to only
authorized peers via the gossip protocol.
Fabric Node OUs
Service discovery, allowing you to dynamically discover and update how your application interacts with your
network.
Channel access control lists that allow you additional control of the governance of your channels and smart
contracts.
Host or join a network. Deploy peers that are hosted in your cluster to multiple channels on multiple clouds, or invite
other organizations to join your consortium or channels while the organizations manage their nodes independently across
infrastructures.
Maintain complete control of your identities. Store and manage the keys that are used to administer your nodes.
Optionally, use a Hardware Security Module (HSM) to generate and store the private key of your nodes.
Run Anywhere. Thanks to the unified codebase of the IBM Blockchain Platform console, it is possible to run your
components on any environment supported by IBM Cloud and third-party public clouds.
Unified operation. The IBM Blockchain Platform console allows you to deploy and manage all of your organizations and
nodes in one console. You can also add or remove members from a blockchain consortium, create and join channels, and
deploy smart contracts from your console.
Dynamic signature collection that allows better control over collaborative governance over channel configurations.
Elimination of Docker-in-Docker for smart contracts allows smart contract pods to be run more securely, without peers
needing privileged access.
Manage access of the users who can administer or monitor your nodes.
Interact directly with your pods using the Kubernetes dashboard.
Direct access to the logs of your nodes from your IBM Kubernetes service. Use the IBM Log Analysis or any supported
third-party service to extract and analyze your logs.
Kubernetes service integration. Leverage services such as IBM Log Analysis for logging and Prometheus and IBM Cloud
Monitoring for monitoring. Leverage the built-in IBM Cloud services, such as IBM Cloud Kubernetes Service and OpenShift
dashboards, IBM Log Analysis, and IBM Cloud Identity and Access Management (IAM).
Upgrade the Fabric version of your nodes. Nodes running Fabric version 1.4.x can be upgraded to 2.x.
After which, the capabilities of your channels can also be increased to v2.0, allowing full access to the latest Fabric features like
the smart contract lifecycle.
Choose your compute. You have the flexibility to decide the amount of CPU, memory, and storage you want to provision in
your Kubernetes cluster. For more information, see Allocating resources.
Scale up and down the resources in your Kubernetes cluster, paying for only what you need. For more information, see
Pricing.
Disaster recovery and multi-region high availability (HA). This option duplicates your Kubernetes deployment across
zones and regions, enabling high availability (HA) of your components and disaster recovery (DR).
Connect to other Fabric networks: Join IBM Blockchain Platform peers to any network running Hyperledger Fabric
components. Similarly, you can invite Fabric peers to join channels hosted on an ordering service deployed on the IBM
Blockchain Platform. Note that you will need to use Hyperledger Fabric APIs or the CLI.
This offering is intended for experienced Fabric users who want to build and manage their own networks.
Have questions and want to speak to an IBM Blockchain Platform expert? Schedule a consult now to learn more about how
blockchain can transform your business.
Kubernetes
v1.23 - v1.24
Infrastructure
Classic
Hardware
Security Tested with Cloud HSM
Module
(HSM)
VLAN
VLAN spanning must be enabled for multi-zone clusters.
Because private ingress is not supported, a cluster with only private VLANs is not supported as a
public internet connection is required for a connection between the IBM Blockchain cluster and the
customer Kubernetes cluster. A cluster with private and public VLANs configured is supported.
Storage
File
Block
Portworx
Object (For backups only, not intended for live storage)
Important: Support for Hyperledger Fabric v1.4 is now deprecated, and support for Fabric v1.4 will be removed from
IBM Blockchain Platform on March 31, 2023. Users should therefore upgrade to Fabric v2.2 as soon as possible. Your
applications may require changes as a result of upgrading to v2.2, so please plan for appropriate testing. Note that Fabric
v1.4 has not been supported by the Hyperledger community since April of 2021. In addition, Fabric v1.4 uses Golang
v1.14, which is no longer receiving security updates from the Golang community.
The following support levels are provided for Hyperledger Fabric v1.4.12 (Deprecated), v2.2.4, v2.2.5, and Fabric CA v1.5.0 and
v1.5.2.
Important: Using IBM Certified Fabric Images, Kubernetes Operator, and Certified Fabric Operations Console are
required for support and provide Hyperledger Fabric clients with a verified production setup, simplified management and
support, and verified security patches.
IBM Certified Fabric images All Certified Fabric images include IBM fix support for supported Hyperledger
deployed using Kubernetes Operator Fabric versions.
and managed via the Certified Fabric
Operations Console image.
Supported Environments Recent Kubernetes and OpenShift versions on IBM Cloud, third-party Cloud or
local installations.
Hyperledger Fabric Labs Support Fabric Operations Console via Certified Image and deployed by Kubernetes
Operator is supported.
Hyperledger Fabric Open Source Open source projects are not included in support, with the exception of Ansible.
Projects - IBM Blockchain GitHub All other open source projects are community support only.
Hyperledger Fabric SDK and CLI Basic connectivity diagnostics is supported. Code support and SDK API usage and
tuning are not included in support - community support only.
Hyperledger Fabric Chaincode Basic chaincode diagnostics is supported. Code support and tuning are not
included in support - community support only.
Deployment Architecture and Design Basic deployment and management of highly available peer, orderer, and
Certificate Authority nodes via the Console are supported. Detailed Deployment
Architecture and Design are not included in support - see deployment options for
more information.
Solution Architecture and Design Deploying and managing smart contracts via the Console are supported. Solution
Architecture and Design are not included in support.
Performance Tuning Resource allocation via the Console is supported. Detailed performance analysis
and tuning of the environment or application code are not included in support -
see the documentation on creating highly available applications and using
indexes with CouchDB.
Certificate Renewal Automatic and Manual Certificate renewal via the Certified Console image is
supported. The user is responsible for keeping track of identities and performing
manual certificate renewal. Using IBM Secrets Manager is recommended for
keeping track of identities and certificates.
Considerations
Before you deploy the console, ensure that you understand the following considerations:
You are responsible for the management of health monitoring, security, and logging of your Kubernetes cluster on IBM
Cloud. See this information for details on what IBM Cloud manages and what you are responsible for.
You are also responsible for monitoring the resource usage of your Kubernetes cluster on IBM Cloud. To monitor your
Kubernetes resources, we recommend using the IBM Cloud Monitoring tool in combination with your IBM Cloud
Kubernetes dashboard. If you need to increase storage capacity or performance of your cluster, see this information on
how to modify your existing volume.
You are responsible for managing and securing your certificates and private keys. IBM does not store your certificates in
the Kubernetes cluster or in the console. They are only kept in the local storage of your browser. If you switch browsers,
you will have to import your created identities into that browser.
IBM Blockchain Platform is available in select regions. Refer to this topic on IBM Blockchain Platform locations for an
updated list.
The default storage that is pre-selected for you when you provision a Kubernetes cluster in IBM Cloud isGold. If you do
not want to use the default File Storage that is pre-selected for you when you provision a Kubernetes cluster in IBM Cloud,
you can provision storage of your choice. See this topic on Persistent storage considerations to learn more.
If you decide to include IBM Cloud multi-zone support in your Kubernetes cluster on IBM Cloud, you must provision your
own storage. See Using Multizone (MZR) clusters with IBM Blockchain Platform for more details.
You can preview the IBM Blockchain Platform at no charge for 30 days when you link your IBM Blockchain Platform
service instance to an IBM Cloud Kubernetes free cluster. Performance will be limited by throughput, storage and
functionality. IBM Cloud will delete your cluster after 30 days and you cannot migrate any nodes or data from a free cluster
to a paid cluster. If you choose a paid Kubernetes cluster instead of the limited free cluster, you will incur charges for the
Kubernetes service to your IBM Cloud account.
Getting started
For information about how to deploy IBM Blockchain Platform for IBM Cloud, see Getting started with IBM Blockchain Platform
for IBM Cloud.
For more information about how to use the console to start deploying nodes and building consortium, see the Building your
network tutorial. This tutorial guides you through the process of using the console to create a sample network with three
organizations, one ordering organization, two peer organizations, and a channel with two peers joined to it. You can use this
sample network to for demos or proofs of concept or adjust and expand the steps in the tutorial to create your own custom
blockchain configuration.
Architecture reference
The following illustrations show the components of your blockchain network and how they interact with your cluster.
Figure 1. Architecture diagram of IBM Blockchain Platform on IBM Cloud Kubernetes Service
Notice how a single instance of the console, also known as Operational Tooling, is created for each IBM Blockchain Platform
Service Instance. When a peer, orderer or CA node is deployed by using the console, it is deployed into the Kubernetes Cluster
Service Instance.
IBM Description
Blockchain
Platform
Kubernetes
Cluster
Operational Also known as the "console", this is your central user interface for operating all of your blockchain
Tooling components. With this console you can create CA, peer, and ordering nodes, create channels and use smart
contracts. The console is deployed in an IBM-owned cluster. There is no charge for this tooling or the
Kubernetes cluster on IBM Cloud where it runs.
Kubernetes Description
cluster on
IBM Cloud
instance
Ingress A Kubernetes object that allows access to the cluster resources from outside the cluster.
Peers, CAs, These are the nodes that are created. These nodes can also be imported from other consoles. Because
ordering the private keys are never stored by IBM, every peer and ordering node includes a gRPC web proxy that
nodes allows the console to communicate with each node by using the keys in the wallet.
RBAC Role based access control. The IBM Blockchain Platform configures Kubernetes RBAC in the cluster
which is required to manage blockchain components in the cluster.
Figure 2. Architecture diagram of IBM Blockchain Platform on Red Hat OpenShift in IBM Cloud
A single instance of the console, also known as Operational Tooling, is created for each IBM Blockchain Platform service
instance. When a peer, ordering node, or CA is deployed by using the console, it is deployed into the Red Hat OpenShift Cluster
Service Instance.
IBM Description
Blockchain
Platform Red
Hat
OpenShift
Cluster
Operational Also known as the console, this is your central user interface for operating all of your blockchain
Tooling components. With this console you can now create CA, peer, and ordering nodes, create channels and use
smart contracts. The console is deployed in an IBM-owned cluster. There is no charge for this tooling or
the Kubernetes cluster on IBM Cloud where it runs.
Table 4. Components that reside in the IBM Blockchain Platform Kubernetes Cluster
OpenShift Description
cluster
Routes An OpenShift route is a way to expose a service by giving it an externally reachable hostname.
Proxy The IBM Blockchain Platform proxy is responsible for routing traffic to the correct peer, CA and ordering nodes
by using host header routing.
Peers, These are the nodes that are created. Note: these nodes could also be imported from other Kubernetes
CAs, Cluster Service Instances. Because the keys are never stored by IBM, every peer and ordering node includes a
Ordering gRPC web proxy that allows the console to communicate with each node by using the keys in the wallet.
nodes
RBAC Role based access control. The IBM Blockchain Platform configures OpenShift RBAC in the cluster which is
required to manage blockchain components in the cluster.
Access control
Securely authenticate users and control access to all cloud resources using IBM Cloud Identity and Access Management
(IAM).
Monitoring
Use IBM Cloud Activity Tracker service to troubleshoot logs in real-time, diagnose issues, and identify problems in your
Kubernetes cluster on IBM Cloud.
Use IBM Cloud Monitoring to monitor the activity and the health of services and applications in the Kubernetes cluster on
IBM Cloud.
See this tutorial on how to Analyze logs and monitor application health with IBM Log Analysis and IBM Cloud Monitoring.
The IBM Blockchain Platform peers and orderers are automatically configured to expose a /metrics endpoint that
Prometheus can use to scrape a wide variety of blockchain metric data. Read more about using Prometheus in IBM Cloud.
Storage
Utilize IBM Cloud File or Block storage when blockchain nodes are provisioned. See the topic on Persistent storage
considerations to learn more about how blockchain integrates with IBM Cloud storage options.
Set up Portworx to manage local persistent storage across your containerized databases, or share data between pods
across multiple zones.
For more information about available IBM Cloud services and other third-party integrations, see this list of Supported IBM Cloud
and third-party integrations.
Compliance
For a list of the current security certifications that IBM Blockchain Platform adheres to, see the Software Compatibility Reports.
Getting support
For more information about how to get support on IBM Blockchain Platform for IBM Cloud, as well as free blockchain developer
resources and support forums that you can use to troubleshoot problems, see Getting support.
For a more comprehensive overview of Fabric networks and the interrelation of the components that comprise it, see this
document on the structure of a blockchain network from the Fabric community documentation, which shows how a network can
be started and matured.
For the purposes of this overview, we focus just on certificate authorities (CAs), orderers, peers, smart contracts, and
applications. As you can see from the Build a network tutorial, this sequence is not arbitrary; it reflects the proper order in which
components in a network based on Fabric are deployed.
Peers
At a conceptual level, a blockchain network is comprised mainly of organizations (as organizations decide on how a network is
structured, as well as owning nodes and managing identities). At a physical level, however, a blockchain network is comprised
primarily of peer nodes that are owned and administered by organizations. Peers are the fundamental elements of the network
because they host ledgers and smart contracts (which are contained in "chaincode"), and are therefore where transactions are
executed and validated.
More accurately, the peer hosts instances of the ledger, and instances of smart contracts. Because smart contracts and ledgers
are used to encapsulate the shared processes and shared information in a network, these aspects of a peer make them a good
starting point to understand what a Fabric network does.
To learn more about peers specifically, check out Peers from the Fabric community documentation.
The IBM Blockchain Platform console allows you to create peers, join them to channels, create anchor peers, install smart
contracts, and seamlessly upgrade your peers.
In Hyperledger Fabric, as well as the IBM Blockchain Platform, this component is the Certificate Authority (CA), which creates
identities in the form of x509 certificates as well defining of an organization through the creation of a Membership Services
Provider (MSP), which defines the permissions of identities at a component and channel level. These identities can include
attributes about them, for example, by linking them to a particular organization or organizational unit (OU).
An organization MSP, for example, has an MSP subfolder calledadmins. Any user whose certificate is inside that admin folder is
an admin of the organization. Because this MSP defines the organization, it is listed in the configuration on every channel of
which the organization is a member. As a result, whenever an admin of the organization tries to perform an action, the signing
certificate of the admin (which is attached to all of its interactions) is checked against the certificates listed in the MSP. Does the
certificate match the one listed in the channel configuration? If it does, the other organizations will validate it and the action can
be performed. If not, the request to execute the transaction is rejected.
For more information about how certificate authorities are used to establish identity and membership, see Hyperledger Fabric
documentation on identity and on membership.
Ordering services
Many distributed blockchains, such as Ethereum and Bitcoin, feature systems in which any node can participate in the process
where transactions are ordered and bundled into blocks. Because of this fact, these systems rely on probabilistic consensus
algorithms that eventually guarantee ledger consistency to a high degree of probability, but are still vulnerable to divergent
ledgers (also known as a ledger “fork”), where different participants in the network have a different view of the accepted order of
transactions.
Hyperledger Fabric works differently. It features a kind of a node that relies on deterministic consensus algorithms that is called
an “ordering node” or an "orderer", that does this transaction ordering. The collection of ordering nodes form the "ordering
service".
In addition to promoting finality, separating the endorsement of smart contract execution (which happens at the peers) from
ordering gives Fabric advantages in performance and scalability, eliminating bottlenecks that can occur when execution and
ordering are performed by the same nodes.
The ordering service performs one other key function: In networks that use a system channel the orderers maintain the
"consortium", the list of organizations that can create and join application channels. Because some aspects of the configuration
of application channels are inherited by default from the system channel (certain capability levels, for example), it is the job of
ordering service admins to establish these defaults. Note however that the ordering service organization can add additional
administrating organizations to the system channel.
Orderers that do not use a system channel have REST APIs, called Channel Participation APIs. These APIs replace the
application channel management features that the system channel provided.
The IBM Blockchain Platform uses an implementation of the Raft protocol, in which a leader node is dynamically elected among
the ordering nodes in a channel (this collection of nodes is known as the “consenter set”), and that leader replicates messages
to the follower nodes. Because the system can sustain the loss of nodes, including leader nodes, as long as there is a majority of
ordering nodes (what’s known as a “quorum”) remaining, Raft is said to be “crash fault tolerant” (CFT). In the IBM Blockchain
Platform, users have the ability to select a single node ordering service or a five node ordering service, though it is possible to
add or remove nodes from an ordering service and from channels later on. Similarly, it is possible for either one organization or
multiple organizations to manage the ordering service and contribute nodes.
For more information about the ordering service, see The Ordering Service.
Channels
A channel is a mechanism that provides a private layer of communication, allowing subsets of network members to create a
separate ledger for their transactions. Channels are not just private in the sense that network members who are not a part of the
channel are unable see the transactions, they are also secret in the sense that unless a network member is a part of the channel,
they will not even know that the channel exists.
Multiple channels can be created between members, thus supporting one of the many mechanisms to implement privacy. As
discussed in the section on peers, data in a blockchain network is stored on peers in a ledger. Each channel has a separate
ledger that holds the transactions (which include configuration transactions) for that channel.
For more information about channels and how to use them, see the Hyperledger Fabric documentation.
Smart contracts
Before businesses can transact with each other, a common understanding about rules and processes must be reached and
defined. Taken together, these contracts lay out the "business model" that governs all of the interactions between business
partners.
The same need exists in blockchain networks. The industry term for these business models on blockchain networks is "smart
contracts". Fabric networks contain these contracts in a larger structure that is known as "chaincode", which includes not just
the business logic but the underlying infrastructure that validates the identities of the users that attempt to invoke the smart
contract.
Where contracts in the business world are signed and filed with law firms, smart contracts are installed on peers and deployed
on a channel.
Applications
Client applications in a Fabric-based network like IBM Blockchain Platform leverage underlying infrastructures such as APIs,
SDKs, and smart contracts to allow client interactions (invokes and queries) at a higher level of abstraction.
For a look at how applications interact with a network based on Fabric, check out the Developing Applications topic in the
Hyperledger Fabric documentation. You can also view the creating applications topic to learn how to connect your applications
to IBM Blockchain Platform.
An example network
Figure 1 depicts an example of a deployed blockchain network that consists of four organizations, Org A, Org B, Org C, and Org D.
Each organization has their own Certificate Authority that is responsible for distributing cryptographic identity material. There is
also an ordering service with five Raft nodes that defines policies and network participants. Channel X includes all four
organizations, but Channel Y is restricted to Org C and Org D. Lastly, client applications in possession of a properly signed x509
certificate can send calls to their associated peers on the network.
Ledger X Ledger X
Ordering Service Org
Ledger Y
Org A Peer Org C Peer
Ledger
Certificate Authority
Channel Y
Ledger X Ledger Y
Ledger Y
Org B Peer Org D Peer
Figure 1. An example blockchain network with four members that leverage channels to isolate data
Pricing model
IBM Blockchain Platform introduces a new hourly pricing model that is based on virtual processor core (VPC) allocation. This
simplified model is based on the amount of CPU (or VPC) that your IBM Blockchain Platform nodes are allocated on an hourly
basis, at a flat rate of $0.29 USD/VPC-hour.
Note: A VPC is a unit of measurement that is used to determine the licensing cost of IBM products. It is based on the
number of virtual cores (vCPUs) that are available to the product. A vCPU is a virtual core that is assigned to a virtual
machine or a physical processor core. For IBM Blockchain Platform cost estimation purposes, 1 VPC = 1 CPU = 1 vCPU =
1 Core. The term "VPC" is also used to refer to a type of infrastructure on IBM Cloud and is unrelated to this topic.
For a total cost estimate, remember that your blockchain network consists of an Kubernetes cluster on IBM Cloud that contains
IBM Blockchain Platform components and uses storage of your choice. Your Kubernetes cluster on IBM Cloud and the storage
that you choose incur separate charges. You will not be charged for the cluster that the Operational Tooling instance, also known
as the console, is running on. See the Architecture reference topic for an illustration. More details on how to calculate charges
are described below.
In summary, these features remove the complexity of accounting for membership limitations or purchasing compute ahead of
your needs.
Performance will be limited by throughput, storage, and functionality. Read more about the limitations of free clusters.
IBM Cloud will delete your Kubernetes cluster after 30 days.
Only one blockchain console can be connected to a free cluster at a time.
You cannot migrate any nodes or data from a free cluster to a paid cluster.
After 30 days, your Kubernetes cluster is deleted along with all of your blockchain nodes and data.
IBM Blockchain Platform: Based on a flat rate of $0.29 USD/VPC-hour. This fee represents the charge for your blockchain
component VPC allocation in your Kubernetes cluster.
IBM Cloud Kubernetes Service: While you can link your IBM Blockchain Platform service instance to either an IBM Cloud
Kubernetes service cluster or an OpenShift cluster, this pricing model is based on the usage of an IBM Cloud Kubernetes
service cluster. The IBM Cloud Kubernetes service uses a tiered pricing model that is visible in IBM Cloud when you
provision your paid cluster. This includes the charges for your compute, that is, CPU and memory. IBM Cloud Kubernetes
Services are priced on a tiered model that is based on the number of hours of usage per month. Therefore, when you
examine pricing plans, consider that 24x7 usage is equivalent to 720 hours per month. Refer to the table on the
Kubernetes Service Catalog page for more details on cluster pricing. Customers who are interested in pricing OpenShift
clusters can review Red Hat OpenShift on IBM Cloud Pricing.
Storage: Choose the storage plan that works for your needs. See Understanding Kubernetes storage basics to learn more
about your storage class options and how much they cost. The IBM Blockchain Platform nodes use the default storage
class for the cluster. When you provision a Kubernetes cluster in IBM Cloud, it is preconfigured with Gold File storage as
the persistent storage plug-in.
Advanced features: Options that are available for Production networks for increased security, disaster recovery, and
health monitoring of the nodes. Costs vary depending on the options you choose.
Tip: When you allocate VPCs (or CPU) to a blockchain node, the node consumes CPUs from your Kubernetes cluster
allocation. Therefore the size of the Kubernetes cluster that is required directly depends on the size and quantity of the
blockchain nodes that you deploy.
Pricing examples
The following table provides two examples of pricing with default resource allocations unless otherwise noted. Both examples
assume an IBM Cloud Kubernetes service cluster and the default CouchDB database is used as the peer database. It also
The Test network scenario is suitable for getting started with your first use case with IBM Blockchain and testing smart
contracts.
The Join a network scenario includes two peers, and a Certificate Authority (CA) that is required for organization
membership.
These peers can join a production IBM Blockchain Platform network that is hosted elsewhere.
Nodes can always be dialed back to a minimal utilization state (0.001 CPU) when they are not in use to lower costs.
Because this scenario could be used for a production environment:
The default compute resources have been doubled to provide greater capacity.
The Silver storage class is chosen for faster performance.
** Preview the IBM Blockchain Platform at no charge for 30 days when you link your IBM Blockchain Platform service instance
to an IBM Cloud Kubernetes free cluster. Performance is limited by throughput, storage and functionality. IBM Cloud will delete
your Kubernetes cluster after 30 days and you cannot migrate any nodes or data from a free cluster to a paid cluster.
Note: Your actual costs will vary depending on additional factors such as transaction rate, the number of channels you
require, the payload size on the transactions, and the maximum number of concurrent transactions. The pricing examples
above are based on an IBM Cloud Kubernetes single-zone cluster only. If you chose a multi-zone cluster, there are extra
fees for the additional zones and the required multi-zone load balancer. IBM Cloud IP allocation charges are not included
and considered negligible.
There is no limit to the number of service instances that you can provision and associate to a single Kubernetes cluster. But you
need to ensure that adequate resources are available by monitoring the CPU, memory, and storage usage to avoid disruption of
service. The IBM Blockchain Platform nodes do not have to be in their own cluster. You can have other IBM Cloud services
running in the same cluster that your blockchain components are running in, but again you need to ensure that you have
adequate compute and storage to address all the requirements of all service instances.
Interested in more pricing examples? See the Reference topic on Detailed pricing scenarios for additional configurations and
prices.
Peer (Hyperledger Fabric v1.4) 1.1 2.8 200 (includes 100GB for peer and 100GB for state database)
Peer (Hyperledger Fabric v2.x) 0.7 2.0 200 (includes 100GB for peer and 100GB for state database)
CA 0.1 0.2 20
Table 2. Recommended resources for nodes on IBM Blockchain Platform for IBM Cloud
Note that when smart contracts are installed on peers that run a Fabric v2.x image, the smart contract is launched in its own pod
instead of a separate container on the peer, which accounts for the smaller amount of resources required on the peer.
Billing
Your IBM Blockchain Platform billing and invoices are based on the CPU and memory allocation for each node. When you are
done with your network and want to avoid any further charges, you need to delete your nodes from the console and then delete
your blockchain service instance from IBM Cloud. Storage that was provisioned for the node is automatically deleted when the
node is deleted.
1. Click the Download icon next to the invoice you want to view.
2. You will have the option to download your invoice in "PDF invoice" or "EXCEL invoice" format.
PDF invoice Select this format when limited detail is required. This format includes the line-item "Platform Services
Containers" that includes your IBM Cloud Kubernetes and Storage costs (as well as other container costs). The line
item "Platform Services Other Services" aggregates your blockchain cost with other service costs.
EXCEL invoice Select this format when you need more insight into your Kubernetes containers, storage instances,
and blockchain cost. Navigate to the Detailed Billing sheet in the downloaded invoice workbook to understand how
those specific line items break down, and see details of the specific containers/storage instances you got charged
for. The Blockchain Platform cost is visible under the Description line item "Platform Service Plan Feature Usage:
Note: The pie-chart visible on the Usage tab of the IBM Cloud Dashboard will not align with the invoices since it applies to
a different billing period.
Storage usage
If you are using IBM Cloud File storage, the costs are assessed monthly, so an estimate of storage costs is not visible until the
end of the month. However, the storage that you provisioned throughout the month is listed as line items in the Usage tile under
Sales > Orders. Look in the Items column for a description of the storage that was dynamically provisioned when you deployed
a peer, CA, or ordering node.
Delete unused peer and deploy a new one when needed. Because the ledger is stored on the ordering node, when you
deploy a new peer and join a channel, the peer receives a copy of the distributed ledger. The drawback to this approach is
that you need to generate new certificates and join the peer to the channels again.
Important: It is not recommended to ever delete a CA node because the data on it can never be recovered. Likewise,
if you have only a single ordering node, you should never delete it.
Monitor and adjust your resource allocation based on your needs. When you monitor your resource usage over time, you
might decide that you can scale down the resources that are allocated to a node while still ensuring adequate
performance. When you follow instructions for reallocating resources in the console, the effects on total VPC for the node
are updated and can be used to estimate revised monthly costs.
Target audience: This advanced topic is designed for architects and system administrators who are responsible for planning and
sizing the cost of an IBM Blockchain Platform network on IBM Cloud.
Important: The costs that are provided in this topic are based on the usage ofIBM Cloud Kubernetes service clusters.
The costs are guidelines and do not represent actual costs. They represent a starting point for estimates of costs that
would be incurred in environments with a similar configuration. Actual costs can vary by geography. The prices reflected
here are based on the resources required by Fabric v1.4 peer images and actual prices as of October 16, 2019. It is
possible the prices can change. The performance of your configuration depends on your smart contracts and the queries
Note: If you need to first learn more about the basic elements that factor into the cost a blockchain network, review the
topic on Pricing for IBM Blockchain Platform for IBM Cloud.
Scenario comparisons
The following table includes configuration and cost information for three types of environments:
Functional Test/Demo
Pilot
Production or Pre-Production
Click a tab to view the details for a configuration. Each tab contains two options:
Cost to host This column represents the cost to host a blockchain network, therefore the configuration includes an
ordering service, CAs, and peers.
Cost to join This column represents the cost to join an existing blockchain network by contributing peers or an new
organization with peers to the network. This configuration includes only CA and peer nodes.
For example, consider the scenario where a group oforganizations want to transact on a blockchain network. The network might
include buyers, suppliers, distributors, and banks. If you are hosting a network, you could host the ordering service and some
organizations such as the buyers, and suppliers. Or, if you are a distributor, you might prefer to simply join the existing network.
The tables below includes the costs for each type of scenario.
All storage costs are calculated based on IBM Cloud Bronze File Storage costs.
For IBM Blockchain Platform cost estimation purposes, 1 VPC = 1 CPU = 1 vCPU = 1 Core.
Goal: Production environment. Pre- Configuration Total estimated cost Total estimated cost
production should match production as includes: per month: $5,778 per month: $3,467
closely as possible in terms of size, USD USD
performance, HA, and capability. CouchDB
Includes: Includes:
This network would typically include 5 or File Storage (Silver)
more organizations. 5 node Raft ordering 2 CAs
HA with multi-zone service
region ( MZR) 2 x (.1 vCPU/2 GB RAM)
5 x (1 vCPU/1GB + (20 GB shared
Backup (Backup RAM/500GB Storage) storage)
test in pre-prod,
Run backups 4 CAs 2 Peers
regularly in Prod)
4 x (0.1 vCPU/0.2GB 2 x (3.7 vCPU/8.4GB
HA CA PostgreSQL RAM) + (2 x 20 GB RAM/ 750 GB Storage)
Database (2 CAs shared storage)
with 2 replica sets) Peer container: 1
2 Peers vCPU/2GB
Optional: RAM/250GB
HSM, 2 x (3.7 vCPU/8.4GB Storage
Log RAM/ 750 GB Storage) CouchDB
Analysis/Monitoring, container: 1
Dedicated hardware Peer container: vCPU/2GB
1 vCPU/2GB RAM/500GB
RAM/250GB Storage
Storage
Smart contract
CouchDB container: 1.5
container: 1 vCPU/4GB
vCPU/2GB RAM/0GB Storage
RAM/500GB
Storage Logging/gRPC
Web container:
Smart contract 0.2 vCPU/0.4GB
container: 1.5 RAM/0GB Storage
vCPU/4GB
RAM/0GB
Storage
Logging/gRPC
Web container:
0.2 vCPU/0.4GB
RAM/0GB
Storage
Approximate Total Cost HA CA PostgreSQL IBP: $2,671 USD IBP: $1,584 USD
(per month) config: IKS: $1,972 USD IKS: $1,332 USD
5 GB disk, 1 GB Storage (Silver):$871 Storage(Silver):$331
RAM, 10GB for USD USD
backups, 1 vCPU HA CA (PostGreSql):
$40 USD HA CA (PostGreSql):
Storage costs for $40 USD
backups:$224 USD Storage costs for
backups:$180 USD
Total Base Cost:
$5,778 USD Total Base Cost:
$3,467 USD
IBM Log Analysis:
$1.50/GB/Month (7 day IBM Log Analysis:
search) $1.50/GB/Month (7 day
search)
IBM Cloud Monitoring:
0.035/hour/node (up to IBM Cloud Monitoring:
20 containers) 0.035/hour/node (up to
20 containers)
Configuration of an IBM Blockchain Platform network includes deploying the blockchain console and then linking it to either a
new or existing customer Kubernetes cluster. The blockchain console can then be used to create blockchain nodes that reside in
the customer Kubernetes cluster.
Considerations include:
When the IBM Blockchain Platform console is provisioned, the email address of the IBM Cloud account owner is set as the
console administrator, known in IAM as the Manager role. All new access requests will be sent to this user. This console
administrator can then grant other IBMid users access to the console by using the IAM UI. For more information about IAM on
IBM Cloud, see What is IAM. For the steps required to add new users, see Adding and removing users from the console.
Ports
If you are using a client application to send requests to the console, either via the blockchain APIs or the Fabric SDKs, the
associated HTTPS console port needs to be exposed in your firewall. In IBM Cloud use the default port 443 .
Key management
The IBM Blockchain Platform network is based on trusted identities. Customers use the Certificate Authorities (CAs) in the
console to generate the identities and associated certificates that are required by all members to transact on the network. The
generated public and private keys are ECDSA with Curve P256 . These keys are stored in the browser when they are added to
the member's blockchain wallet so that the console can use them to manage blockchain components. However, it is
recommended that customers export these keys and import them into their own key management system in case they clear
their browser cache or switch browsers. Customers are responsible for the storage, backup, and disaster recovery of all keys that
they export.
If a private key is lost and cannot be recovered, you will need to generate a new private key by registering and enrolling a new
identity with your Certificate Authority. You should also then remove and replace your signCert in any components or
organizations where you had used the lost or corrupted identity. See Updating an organization MSP definition for detailed steps.
In order to secure private keys in a production environment, the IBM Blockchain Platform includes the option to configure a
Hardware Security Module (HSM) to generate and store the private keys for a node. An HSM is an optional hardware appliance
that performs cryptographic operations and ensures that the cryptographic keys never leave the HSM. You are responsible for
configuring an HSM device that implements the PKCS #11 standard. PKCS #11 is a cryptographic standard for secure
operations, generation, and storage of keys. You will also need to configure a PKCS #11 proxy to communicate with your HSM.
The platform supports ECDSA Sign and Verify cryptographic controls and EC Key generation. When an HSM is implemented for a
node, the private key for the node is not stored in the browser wallet. Rather, the private key is accessed from the HSM via the
proxy. When you register other node admin or client application identities with a CA by using the console, their private keys are
not stored inside the HSM because they need the private key to transact on the network. For instructions on how to use HSM
with the IBM Blockchain Platform, see Configuring a node to use a Hardware Security Module (HSM).
You also have the option to bring your own certificates from your own non-IBM Blockchain Platform CA when you create a peer
node or ordering service. If you use your own certificates, you will need to manually build the peer or ordering service MSP
definition file that includes those certificates and import the file into the console Organizations tab. See Using certificates from
an external CA with your peer or ordering node for the steps required.
MSPs also identify the root CA that generated the certificates for the organization and any other roles beyond administrator that
are associated with the organization (for example, members of a sub-organizational group), as well as setting the basis for
defining access privileges in the context of a network and channel (e.g., channel admins, readers, writers).
MSP folders for organization members are based on a Fabric defined structure and are used by Fabric components. For more
information about Fabric MSPs and their structure, see the Membership and Membership Service Provider Structure topics in
the Hyperledger Fabric documentation. The Fabric CA establishes this structure by creating the following folders inside the MSP
definition:
intermediatecerts These are the certificates of any intermediate CAs in your chain of trust (leading back to a
root CA or CAs). Because intermediate CAs are currently not supported by the IBM
Blockchain Platform, this field will be blank.
keystore Contains the private key that was generated alongside your public key. This key is used to
generate signatures by creating a cryptographic hash that can be verified using the public
key known to other users. This key is never shared, and you are responsible for securing and
managing it. If this key becomes compromised, it can be used to impersonate your identity,
making it crucial to keep this key safe.
signCerts Contains the public key that was generated alongside your private key. It is also known as a
"signing certificate" because it is used to verify signatures generated by other users.
tls Contains the TLS certs that you store for communicating with other network components.
Note that organization MSPs are stored in browser storage and must be exported to a local file system and secured by the
customer.
You can use the blockchain console to select which ACLs to apply to resources on a channel. See this information under
Creating a channel for instructions on how to configure access control for a channel.
API authentication
In order to use the blockchain APIs to create and manage network components, your application needs to be able to
authenticate and connect to your network. See this topic on API Authentication on IBM Cloud
The IBM Blockchain Platform console allows you to deploy and manage nodes on a Kubernetes cluster that you operate. The
If you are using IBM Cloud, you can review the topic on Security for the IBM Cloud Kubernetes Service or Red Hat OpenShift on
IBM Cloud.
Network security
IBM Cloud provides the underlying network, including the networks and routers, over which customers’ VLAN resides. The
customer configures their servers and uses gateways and firewalls to route traffic between servers to protect workloads from
network threats. Protecting your cloud network by using firewalls and intrusion prevention system devices is imperative for
protecting your cloud-based workloads.
Firewall configuration
Kubernetes clusters should be secured by a firewall to protect the network from unauthorized access from internet traffic. By
default IBM Cloud Kubernetes service clusters are preconfigured with a Calico network plug-in that secures the public network
interface of every worker node in the cluster. By configuring Kubernetes and Calico network policies you can easily control the
inbound and outbound network traffic. For more information, see Controlling traffic with network policies. In addition, you can
also configure Edge worker nodes on your IBM Cloud Kubernetes service clusters to restrict the worker nodes that are exposed
to the public internet. See Restricting network traffic to edge worker nodes to learn more. If your configuration includes a
network firewall, there are ports that need to be exposed to allow network traffic through. The following section describes how
to find the ports that can be exposed and what they are for.
Internet Ports
IBM Blockchain Platform exposes certain ports associated with each node type that are used by client applications, for example,
when sending transactions to peers or the ordering service. If you have configured a firewall, you will need to expose these ports
in your network for the transactions to reach their destination and for the nodes to be able to respond to the requests. IBM
Blockchain Platform supports the HTTPS IP Security protocol.
If your IBM Blockchain Platform instance is linked to an OpenShift cluster in IBM Cloud, port 443 needs to be exposed.
If your IBM Blockchain Platform instance is linked to an IBM Cloud Kubernetes service cluster, use the following table to
identify the ports that need to be exposed:
Fabric CA 7054 Port 7054 is exposed from the CA container. This is exposed all the way to the
customer application via the service.
Peer ports
Peer gRPC API 7051 This is the port used by the clients to communicate with the peer.
Smart contract 7052 This is the port used by the smart contract containers to communicate with the
containers peer.
Peer Operations 9443 This port is used to get to the health check endpoint and to the metrics endpoint of
the peer.
gRPC Web proxy 7443 This port is used by the UI to communicate with the peer via gRPC web APIs.
Ordering service
ports
Orderer gRPC API 7050 This is the port used by the clients to communicate with the orderer.
Orderer 8443 This port is used to get to the health check endpoint and to the metrics endpoint of
Operations the Orderer.
gRPC Web proxy 7443 This port is used by the UI to communicate with the orderer via gRPC web APIs.
UBI Linux: The Fabric Docker images use Red Hat UBI images, which is a smaller, lighter, and more secure version of
Linux.
Customer In order for the service components After generation, these Accessed only by the service
Kubernetes to access and manage the secrets never leave the component code and only in
cluster components that are deployed into IBM Kubernetes cluster response to customer requests to
access this cluster, the service components where the service deploy or manage components via
information generate a Kubernetes secret for components are running the blockchain console.
cluster access. Each Kubernetes and are deleted whenever Developers of the service do not
secret is tied to that specific a customer deletes the have access to the information in
customer cluster. associated cluster. the secrets.
Table 3. Types of keys and information used to access the customer Kubernetes cluster
Storage
When the blockchain console deploys a node, storage is dynamically provisioned from the default storageclass for that node
from persistent storage. You have the option of encrypting the persistent volume but there may be some performance
implications with encryption to consider.
Important: Customers are responsible for encrypting their own storage and the encryption must occur before any
blockchain components are deployed to the cluster.
The default persistent storage type is File storage, also known as Endurance storage. For more information about encryption on
all of the IBM Cloud storage options:
Data privacy
When you have data privacy requirements, Private Data collections provide a way to further isolate specific data from the rest of
the channel members. The combination of the use of channels and private data offer various solutions for achieving Data
Residency.
GDPR
In order to be GDPR compliant, it is recommended that you store PII data off chain.
TLS v1.2 communications TLS is embedded in the trust model of Hyperledger Fabric. By default, server-side TLS is
enabled for all communications using TLS certificates. TLS is used to encrypt the communication between your nodes and
between your nodes and your applications. TLS prevents man-in-the-middle and session hijacking attacks. All IBM
Blockchain Platform components use TLS to communicate with each other.
Transaction integrity: Fabric uses the cryptographic ECDSA standard to guarantee transaction integrity. With ECDSA, the
transaction originator, such as a client application, signs their message by using their private key, and the recipient, such
as a peer, uses the originator’s public key to verify the authenticity of the message. If a transaction is tampered with on its
way to the recipient, the signature verification fails.
Channels: While Fabric channels are a powerful mechanism for partitioning and isolating data, they also provide the
primary foundation for data privacy. Only members of the same channel can access the data of this channel. To ensure
channel security, the channel configuration update policy is configured to define the number of channel operators who
need to agree on the channel update request before a channel can be updated. Therefore, a clear process must exist for
defining the organizations that are allowed to join and update channel.
Ledger data: Implicit in the blockchain permissioned network is the notion that an agreed upon policy of multiple
endorsers is required to sign (approve) a transaction before it can be committed to the ledger. Before any information can
Smart contracts: All smart contracts should be reviewed by channel members before they are installed and executed on
peers in their organization. Likewise, all updates to smart contract should be reviewed before the updates are applied to a
peer. See this topic on Upgrading a smart contract for the steps that are required.
HSM integration: After you have configured an HSM for your environment, you have the option of configuring your nodes
to use the HSM to generate and store private keys. See Configuring a CA, peer, or ordering node to use the HSMfor more
information.
$ - name: IBPOPERATOR_CONSOLE_APPLYNETWORKPOLICY
value:"true"
When the option above is enabled, the operator will install two network policies during the console installation. These network
policies are meant to give basic defensive security mechanism, and opens only the ports that the offering uses. This by no
means is a policy that can replace a firewall. The policies applied provide ingress security, as blockchain network may require to
call npm, gradle, maven servers to get chaincode modules as well as to communicate with the orderers/peers/applications
running outside the cluster on internet we do not provide egress policies.
1. Deny-all-ingress.
This policy denies all ingress ( ingress: [] ) network traffic to the pods ( podSelector: {} ) in the namespace it applies to.
This ensure only the needed traffics go through.
$ kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: networkpolicy-denyall
namespace: <>
labels:
type: "ibp-console"
app.kubernetes.io/name: "ibp"
app.kubernetes.io/instance: "ibp-console"
app.kubernetes.io/managed-by: "ibp-operator"
release: "operator"
helm.sh/chart: "ibp"
spec:
podSelector: {}
ingress: []
1. Ingress.
This ingress network policy applies to network traffic coming from anywhere (from: []) . It applies to all pods that labels
app.kubernetes.io/name: "ibp" which are all the offering related pods. This policy only opens the ports that are required
for the blockchain components and the available management console from outside for them to connect to each other.
Target audience: This topic is designed for architects and system administrators who are responsible for planning and
configuring IBM Blockchain on IBM Cloud .
High availability is a core discipline in an IT infrastructure to keep your apps up and running, even after a partial or full site
failure. The main purpose of high availability is to eliminate potential points of failures in an IT infrastructure. For example, you
can prepare for the failure of one system by adding redundancy and setting up failover mechanisms.
You can achieve high availability on different levels in your IT infrastructure and within different layers of your cluster. The level
of availability that is right for you depends on several factors, such as your business requirements, the Service Level Agreements
that you have with your organizations, and the cost of redundancy.
Before proceeding, we recommend that you learn more about HA on Kubernetes by reviewing High availability for the IBM Cloud
Kubernetes service or OpenShift cluster.
Then, you can use this topic for details on blockchain-specific HA guidance along with the recommendations from the platform-
specific topic above.
To achieve maximum high availability, it is recommended that you build redundancy by provisioning peers and orderers in
Kubernetes clusters in multiple regions. When the components are spread across regions and the blockchain ledger is
distributed across those components, a failure in any single region will not impact processing of transactions. CAs are less
critical for daily transaction processing. After all the users have been registered and enrolled with the CA, it is no longer required
until the next time those services are required.
Peer considerations
HA for peers means always having redundant peers, that is at least two peers available for each organization on the same
channel to process requests from client applications. Multiple peers can be deployed to a single worker node, or spread across
worker nodes, zones (if you are using IBM Cloud), or even regions. Whenever you deploy multiple peers and join them to the
same channel, the peers act as HA pairs because the channel and the data are automatically synchronized across all peers in
the channel. By design, a blockchain network is meant to have multiple organizations that transact on the same channels.
Therefore, the common deployment model is that for any given channel, there are redundant peers for each organization spread
across several organization account clusters that are all synchronizing data between each other. Each organization can have a
peer in their own cluster in any region.
For even more robust HA coverage, you can stand up multiple clusters in multiple regions and deploy peers in all of them.
However, if high performance is desired, care must be taken when distributing peers to ensure the latency and bandwidth
between them is sufficient to achieve your performance targets.
Finally, your peer redundancy strategy needs to take into account your smart contract endorsement policies to ensure that you
always have enough peers available to satisfy the endorsement policy requirements. For example, if an endorsement policy
requires a specific number of endorsements, your peer HA strategy needs to ensure that there are always that number of peers
available. Alternatively, if the endorsement policy requires a MAJORITY of peers to endorse the transactions, then you need to
ensure that a majority of the peers are always available in order for transactions to continue to be processed.
HA Checklist
The following table contains a list of options to consider as you plan for increasing degrees of HA.
Redundant peers
Anti-affinity (peers)
Multi-zone (peers)
CA replica sets
Development or Test
environment
Production environment
** The default configuration for a Standard Kubernetes cluster on IBM Cloud is a 4 CPU x 16 GB RAM cluster that includes three
zones with three worker nodes each. You can scale up or down, by selecting a smaller or larger configuration, according to your
needs.
Tip: The IBM Blockchain Platform deployer attempts to spread peers, ordering nodes, and CA replica sets across
different worker nodes but cannot guarantee that it will happen due to resource limitations. You can also use the IBM
Blockchain Platform APIs or the blockchain console to deploy peers or ordering nodes to specific zones in order to ensure
that they are resilient to a zone failure. For more information see Multizone HA.
Single region HA
2
Region 1
Single Cluster
1 + anti-affinity
Region 1
Worker Pool
Worker Node 1
Single Cluster Peer1 Org1CACA
1 1 Peers
Ordering Node 1
Peers
R1 (Raft)
R2
Worker Pool
Worker Node
Peer1 Org1 CA 1 Peers Ordering Node 1
CA 1
Peers Worker Node 2
R1 (Raft)
R2
Peer2 Org1CACA
1 2 Peers Ordering Node 3
Peer2 Org1 CA 2 Peers Ordering Node 2 Peers
CA 1 R1 (Raft)
Peers R2
R1 (Raft)
R2
Ordering Node 2
Ordering Node 3
(Raft)
(Raft)
Ordering Node 4
Worker Node 3
(Raft)
Ordering Node 4
Ordering Node 5
(Raft)
(Raft)
Ordering Node 5
(Raft)
1. Component failure.
Every time that you deploy a blockchain component, such as a peer, ordering node, or CA, a new pod is created for the
component in a worker node. Containers and pods are, by design, short-lived and can fail unexpectedly. For example, a
container or pod might crash if an error occurs in your component. So, to make your node highly available, you must
ensure that you have enough instances of it to handle the workload plus extra instances in case of a failure.
Peers How many peers are required? In a production scenario, the recommendation is to deploy three peers from the same
organization to each channel. This configuration allows one peer to go down (for example, during a maintenance cycle)
and still maintain two highly available peers. Therefore, to compensate for a peer failure, and for the most basic level of
HA, you can achieve peer redundancy by simply deploying three peers per organization on a channel on your worker node.
Note that you need to ensure that you have adequate resources available on your node to support these components.
Ordering service As mentioned above, the HA ordering service is based on Raft, and contains five ordering nodes by default.
Because the system can sustain the loss of nodes, including leader nodes, as long as there is a majority of ordering nodes
(what’s known as a “quorum”) remaining, Raft is said to be “crash fault tolerant” (CFT). In other words, if you have five
nodes in a channel, you can lose two nodes (leaving three remaining nodes). When you deploy an ordering service from
the console, choose the five node service for HA.
CA You can configure replica sets, which are represented as shaded CA boxes in the diagram above, for your CA. Replica
sets guarantee that if the CA node goes down, the CA replica immediately begins processing requests. You must provision
an instance of a PostgreSQL database if you plan to use CA replica sets. See these instructions for more information about
how to configure CA replica sets.
This scenario uses redundant peers, ordering nodes, and CAs on a single worker node, which protects against component
failure, but cannot protect from node failure. Therefore, it is only suitable for development and testing purposes.
A worker node is a VM that runs on a physical hardware. Worker node failures include hardware outages, such as power,
cooling, or networking, and issues on the VM itself. You can account for a worker node failure by setting up multiple
worker nodes when you provision your cluster. When blockchain components are distributed across multiple worker
nodes, you are protected from a worker node failure.
Peers The IBM Blockchain Platform deployer anti-affinity policy distributes redundant peers, that is peers from the same
organization, across the worker nodes in their cluster.
Ordering service Whenever you deploy a Raft ordering service, the five ordering nodes are automatically distributed across
the worker nodes in your cluster, using the anti-affinity policy and based on resource availability on the nodes.
CAs Like peers and ordering nodes, if replica sets are chosen for a CA, an anti-affinity policy automatically distributes the CA
replica sets across worker nodes in the cluster, based on resource availability.
This scenario uses redundant peers, ordering nodes, and CA replica sets, across multiple worker nodes in a single cluster or
zone, which protects against node failure, but cannot protect from a cluster or zone failure. Therefore, it is not
recommended for production.
Multizone HA
Multizone Cluster
+ anti-affinity (across worker nodes)
WorkerPool
Worker Node 1 Worker Node 1 Worker Node 1
Worker Node 1 Worker Node 1
Peer 1 Org 1 CA 1 Peers Peer 3 Org 1 CA 1 Peers Ordering Node 4
R1 R2 (Rafts)
(Rafts) R1 R2
Zone failure.
Think of a zone as a data center. A zone failure affects all physical compute hosts and NFS storage. Failures include power,
cooling, networking, or storage outages, and natural disasters, like flooding, earthquakes, and hurricanes. To protect against a
zone failure, you must have clusters in at least two different zones that are load balanced by an external load balancer. By
default when you deploy a Kubernetes cluster in IBM Cloud, the cluster is configured with multi-zone support, including three
zones, although you can choose two zones.
A single zone is sufficient for a development and test environment if you can tolerate a zone outage. Therefore, to leverage the
HA benefits of multiple zones, when you provision your cluster, ensure that multiple zones are selected. Two zones are better
than one, but three are recommended for HA to increase the likelihood that the two additional zones can absorb the workload of
any single zone failure. When redundant peers from the same organization and channel, and ordering nodes, are spread across
multiple zones, a failure in any one zone should not affect the ability of the network to process transactions because the
workload will shift to the blockchain nodes in the other zones.
You can use the IBM Blockchain Platform console to specify the zone where a CA, peer, or ordering node is created. When you
deploy a CA, peer, or ordering service (or a single ordering node), check the Advanced deployment option that is labeled
Deployment zone selection to see the list of zones that is currently configured for your Kubernetes cluster.
If you're deploying a CA, peer, or ordering service, you have the option to select the zone from the list of zones available to your
cluster or to let your Kubernetes cluster decide for you by leaving the default selected. For a five node ordering service, these
nodes will be distributed into multiple zones by default, depending on the relative space available in each zone. You also have
the ability to distribute a five node ordering service yourself by unselecting the default option to have the zones chosen for you
and distributing these nodes into the zones you have available. If you are deploying a redundant node (that is, another peer
when you already have one), it is a best practice to deploy this node into a different zone. You can check which zone the other
node was deployed to by opening the tile of the node and looking under the Node location. Alternatively, you can use the APIs
to deploy a peer or orderer to a specific zone. For more information on how to do this with the APIs, see Creating a node within a
specific zone.
Other CA considerations: If you have multiple zones configured for your Kubernetes cluster, when you create a new CA with a
PostgreSQL database and replica sets, an anti-affinity policy ensures that the CA replica sets are automatically configured across
the zones. Replica sets are represented as shaded CA boxes in the diagram above. Adequate resources must exist in the other
zones in order for the anti-affinity policy to be used.
Multizone-capable storage:
Before you deploy any nodes, you have the additional option to configure your Kubernetes cluster to use multizone-capable
storage as your persistent storage. Without multizone-capable storage, if an entire zone goes down, any blockchain nodes in that
zone cannot automatically come up in another zone because their associated persistent storage is unavailable in the failed zone.
When multizone-capable storage is configured, if a zone failure occurs, peers and ordering nodes can come up in another zone,
with their associated storage intact, ensuring high-availability. In order to leverage this capability with the IBM Blockchain
Platform, you need to configure your cluster to use SDS (Portworx) storage. To learn more about multizone-capable storage, see
the Comparison of persistent storage options for multizone clusters on OpenShift or IBM Cloud Kubernetes service. When you
deploy a peer, ordering service, or ordering node, select the advanced deployment option labeled Deployment zone selection
and then select Across all zones.
This scenario uses redundant peers, ordering nodes, and CAs across multiple worker nodes and multiple zones, which protect
against zone failure, but does not protect from an unlikely entire region failure.
Important: If you choose to use a multi-zone configuration for CA, peers, or ordering nodes, then you are responsible for
configuring the storage for each zone and set the node affinity to zones.
Multi-region HA
This scenario offers the highest level of HA possible.
Region failure.
The likelihood of a full regional failure is low. However, to account for this failure, you can set up multiple clusters in different
regions where each cluster has its own linked console. If an entire region fails, redundant peers or ordering nodes in the other
This scenario uses redundant peers and ordering nodes across multiple worker nodes in multiple regions, which provide the
highest degree of HA. This approach is also a recommended scenario for a production network when your resiliency
requirements merit the investment. The five ordering nodes are spread across three clusters in a 2-1-2 pattern, meaning two
nodes in Region 1, one node in Region 2, and two nodes in Region 3. This configuration allows any single region, or all of the
ordering nodes in a region to go down, while still maintaining a quorum of nodes in the Raft cluster.
See the topics on setting up multi-region HA deployments for steps to configure your IBM Blockchain Platform peers and
ordering nodes across multiple regions.
It is recommended that you regularly back up the storage associated with every deployed component. Because the ledger is
shared across all the peers and ordering nodes, taking regular backups is critical. For example, if incorrect data is accidentally
propagated to a peer's ledger or if data is mistakenly deleted, the incorrect data might spread to the ledgers of some other
peers. This would require the restoration of the ledgers of all the peers from an established backup point to ensure
synchronicity. You can decide how often to perform the backups based your recovery needs, but a general guideline would be to
take daily backups.
IBM Cloud storage You can leverage the capability provided by IBM Cloud Kubernetes service or OpenShift.
solution
Portworx While a snapshot capability is available for taking backups, in order to get a reliable backup, the
nodes must be stopped.
When you need to restore a backup, the backups would need to be restored on every component across your network.
If you are using CA replica sets and your PostgreSQL database resides in IBM Cloud, backups are included in the service. See the
topic on Managing Backups for more information. Otherwise, you need to work with your third-party PostgreSQL database
provider to manage the database backups according to your DR needs.
Overview
To set up multiregion HA support for peers, you need to complete the following tasks:
Create multiple blockchain service instances that are each bound to a Kubernetes cluster in a different region.
Use the blockchain console or APIs to create your blockchain nodes in the different regions.
Use the node export and import actions to manage the nodes from a single console.
Configuration steps
To configure multiregion HA by creating redundant peers for each organization, complete the following steps when you configure
your blockchain network:
1. Create three Kubernetes clusters in IBM Cloud in the regions you prefer. These clusters can be located in any region you
want, although for high performance they should be relatively close together. For example, the regions, East Coast US, and
West Coast US, and Canada are better than the regions, West Coast US, London, and Tokyo.
2. Deploy a new IBM Blockchain Platform instance on the cluster in one of the regions. If you are using a Kubernetes cluster
on IBM Cloud, you need to link the service instance to the cluster. Repeat these steps in the second and third regions.
When you are finished, you have three separate IBM Blockchain Platform instances linked to three separate clusters, each
in a different region, and three separate consoles.
Important: This tutorial assumes that an ordering service exists with a channel defined that the peers can join.
Step one: Create the peer organization's CA and metadata in cluster one
1. Deploy a CA in the first cluster by following the instructions in the Build a network tutorial for Creating your peer
organization's CA. Make note of the values of the CA enroll ID and secret because you need to provide those values when
you import the CA into other clusters.
2. After the CA tile status indicator is green, Running, follow the instructions to Register identities with your CA. In those
instructions, you create two identities, one for the peer and another for the peer's organization admin identity.
3. Create the peer's organization MSP definition for the peer's organization in the first cluster.
4. Export the peer's organization definition and share it with an ordering service admin.
5. Similarly, the ordering service admin needs to follow the steps to import the peer's organization and add it to the
consortium. They will also need to complete the steps in those instructions to export the ordering service to a JSON file.
6. Import the ordering service JSON file to your console.
7. Create a peer in the first cluster.
8. Join your peer to the channel. Make this peer an anchor peer, as this allows service discovery, private data, and peer
gossip to be used. For HA, it is recommended that you add each redundant peer as an anchor peer. That way if one of the
peers is unavailable, gossip between organizations can continue.
9. Install and Propose smart contract on your peer.
After the smart contract definition has been proposed, it must be approved and committed.
Step two: Export the metadata and identities from cluster one
1. Export the CA definition to a JSON file.
Open the CA in the Nodes tab.
Click the download icon to generate the CA JSON file from your browser session.
2. Export the peer's organization MSP definition to a JSON file.
Open the MSP definition in the Organizations tab.
Click the download icon on the tile.
3. Export the peer's organization admin identity from your wallet.
Navigate to the Wallet tab.
Step three: Import the metadata and identities in to cluster two and three
1. In clusters two and three, import the CA JSON file that you exported from cluster one.
2. If you will need to use the CA to register other identities, you need to open the imported CA and associate the CA
administrator enroll ID and secret that you used when you deployed the CA on cluster one.
3. Import the peer organization MSP definition JSON file that you exported from cluster one.
In the Organizations tab click Import MSP definition.
Click Add file to upload the JSON file.
Click I have an administrator identity for the MSP definition checkbox to allow you to use this MSP definition when
you create new peers in other zones.
Click Import MSP definition.
4. Import the organization admin identity JSON file that you exported from cluster one into the console wallet on clusters
two and three.
5. In clusters two and three, import the ordering service JSON file to your console.
Step four: Create new peers in cluster two and three and join a channel
1. In clusters two and three, use the CA to register a new peer user, following the same steps that you took when you
registered the peer identity in cluster one. You only need to create the peer users, you do not need to re-create the
organization admin identity because you will import that in the next step.
2. Create new peers, by using the CA you that imported from cluster one as the peer's CA. Use the peer organization MSP
that you imported from cluster one as the peer organization MSP definition.
3. In cluster two and three, you can now repeat the steps that you ran to join the peers to the same channel as the peer in
cluster one.
4. After you install the smart contract on these redundant peers, they are able to transact and query the ledger.
5. Again, if you plan to use service discovery, private data, and peer gossip, you need to make each redundant peer an
anchor peer.
Your network is now configured such that a failure in any single region will not affect the peer workload.
Export the peers that you created in clusters two and three and import them into the console in cluster one. Then,
everything can be managed from a single cluster.
However, cluster one can fail. Therefore, to further account for a cluster failure, you can import all your peers into each of
the three consoles. Then if a cluster containing any one console fails, everything can still be managed from the consoles in
the other two clusters.
Setting up multiregion High Availability (HA) deployments for the ordering service
In this tutorial, you learn how to set up a Raft ordering service with five ordering nodes that span multiple regions for maximum
high availability.
The diagram shows a multiregion ordering service that includes five ordering nodes that are spread across three Kubernetes
clusters in three different regions. For simplicity, this tutorial assumes that all the ordering nodes are contributed by the same
organization. The setup requires a single Certificate Authority (CA), created in one cluster and imported into the blockchain
consoles on the other two clusters.
Note: Throughout this tutorial we refer to two types of nodes: "ordering nodes" and "worker nodes". Ordering nodes
belong to a Raft ordering service cluster. Worker nodes refer to the Kubernetes component that hosts the pods where the
ordering nodes are deployed.
After you understand how to spread the ordering nodes across regions, it is possible for separate organizations to contribute
ordering nodes and generate certificates by using their own CAs. This advanced configuration is not covered in this tutorial, but
you can learn more about it in the Next steps.
Although you cannot choose which worker node an ordering node is deployed to, the console is configured with an anti-
affinity policy. This means that for high availability, whenever you deploy a blockchain node on a multi-node cluster, the
console attempts to spread ordering nodes that belong to the same organization across the worker nodes if sufficient resources
are available. If your cluster is configured with multiple zones, you can designate which zone the ordering node is deployed to
when you create it, or you can let the console choose for you. In this case, it also leverages the anti-affinity policy across zones.
A minimum of five ordering nodes is recommended for a production ordering service. In Raft, a majority of the total number of
nodes is needed to form a quorum. In other words, if you have one node, you need that node available to have a quorum
because the majority of one is one. Similarly, if you have two nodes, you will need both available, since the majority of two is two.
In a similar vein, the majority of five is three. This means that in a five node configuration, the loss of two nodes can be tolerated
and ensures zero downtime. You can see in the diagram that Region 1 contains two ordering nodes, Region 2 contains one
ordering node, and Region 3 contains two ordering nodes. Spreading the nodes across the regions guarantees that if any single
region goes down, or if the ordering nodes within it need to be offline for maintenance, that quorum can be maintained by the
nodes in the other regions.
Tip: Choose the regions of your Kubernetes clusters carefully. While it is fine for the ordering nodes to span regions,
transaction latency can occur when the cluster regions are geographically far apart. For example, it is not recommended
to deploy some ordering nodes in Tokyo, some in Australia, and some in the United States.
Deploy an instance of the IBM Blockchain Platform in each cluster and verify that you can log in to the console.
We assume that you are already familiar with the console and using it to deploy a CA, register users, enroll identities, create
a Membership Service Provider (MSP), and create an ordering service. If you have not used the console before, you should
review the Build a Network tutorial because a similar process is used in throughout the following instructions.
Before we can deploy the ordering service, we create the ordering organization CA, register the ordering organization admin
users and the ordering node user, and create the organization Membership Service Provider (MSP). The bulk of the work to set
up an ordering service is performed in this section, making it simple in later steps to add ordering nodes from other regions.
Important: Depending on your cluster type, deployment of the CA can take up to ten minutes. When the CA is first
deployed, the status indicator box in the CA tile is a flashing gray box. When the CA is successfully deployed and is
running, this box turns green, indicating that it is "Running" and can be operated from the console. Before proceeding with
the steps below, you must wait until the CA status is "Running". If the gray box stops flashing, try reloading the page in
your browser to refresh the status.
After the CA is running, as indicated by the green box in the tile, complete the following steps:
1. Click the Multiregion OS CA tile in the Nodes tab. Then, click Associate identity on the CA overview panel.
2. On the side panel that opens, provide the Enroll ID of admin and Enroll secret of adminpw that you specified in the
preceding section. For the Identity display name, you can use the default value of Multiregion OS CA Admin .
3. Click Associate identity to add the identity into your console Wallet and associate the admin identity with your CA.
An organization admin: This identity allows you to operate the ordering nodes from the console.
ordering node user: This is the registered user that each ordering node will use. When the ordering node is subsequently
created, this user is enrolled, meaning that a certificate and private key are generated for the node.
Because you have already associated the CA admin identity, you can now use the CA tile to create these identities by completing
the following steps:
Tip: You could register a new user for each ordering node, but to keep things simple we will reuse the same user enroll ID
and secret for each ordering node. Reusing the enroll ID is acceptable in this case because a unique certificate is
generated when the ordering node is created and the identity is enrolled. But it is important to ensure that you have not
restricted the maximum enrollments for the user when it is initially registered so that a new certificate can be generated
when the user is enrolled when each ordering node is created. The default value of maximum enrollments is unlimited .
1. Navigate to the Organizations tab in the left navigation and click Create MSP definition.
2. Enter Multiregion OS MSP as the organization MSP display name and mrosmsp and as the MSP ID. Click Next.
3. Under Root Certificate Authority details, specify the CA you used to register the identities in the previous step,
Multiregion OS CA , and click Next.
4. Under Enroll ID and Enroll secret, select osadmin, and enter its associated secret, osadminpw.
5. Click the Generate button to enroll this identity as the admin of your organization and export theMultiregion OS MSP
Admin identity to the Wallet.
6. Click Export to export the admin certificates to your file system and then clickNext.
7. Review the information on the Summary panel and click Create MSP definition.
8. After the MSP is created, click on its tile and then clickExport to download the Multiregion OS MSP to your
local filesystem as a JSON file. You will need to send this MSP to all operators of the blockchain consoles in other regions.
After you create the MSP, you should be able to see the ordering service organization admin in yourWallet, which can be
accessed by clicking the Wallet tab in the left navigation.
CA Multiregion OS CA
It takes several minutes for the ordering service to be deployed to yourRegion 1 cluster. After the ordering service has been
successfully deployed, you are able to see it on the Nodes panel with a green status indicator. You may need to refresh your
browser.
CA Multiregion OS CA
To complete the process of adding the node, you need to add it to the consenter set of the system channel. After the ordering
node has been successfully added, a new tile with the name of OS2-Region1 appears on the Multiregion Ordering Service
Tip: Recall that the "consenter set" refers to the ordering service nodes actively participating in the ordering process on a
channel, while the "system channel", which is managed by the ordering service, forms the template for application
channels.
To add the node you created to the system channel, click the OS2-Region1 node. You will see an Add node to ordering service
button. Click this button. After the node has been added to the ordering service, the node is now part of the system channel.
Note that it will take a few minutes for the new node to sync with ordering service in the system channel. During this time,
you may see a message that your ordering service is down. This is normal --- the ordering service must come down while the
new node is syncing. After the node tile status is green, proceed to the next section.
Export components
In your Region 1 blockchain console, you have now configured a CA for the ordering service and registered the orderer
organization admin as well as an orderer user for the ordering nodes. You created an organization MSP definition that was used
to deploy a single-node ordering service and then added a second node from Region 1 to the ordering service. Next, we need
to export these components to your file system so they can be imported to the blockchain consoles in the Region 2 and Region 3
clusters.
When you created the orderer organization MSP, you already exported the Multiregion OS MSP definition and the
Multiregion OS MSP Admin identity, you also need to export the CA and the ordering service:
1. From the Nodes tab, open the Multiregion OS CA tile and click Export .
2. From the Nodes tab, open the Multiregion Ordering Service tile and click Export .
These actions download the components in JSON format to your local file system. You will need to share these four files with the
operators of the blockchain console in Region 2 and Region 3.
In this section, we create a third ordering node and then add it to the system channel (if applicable) as highlighted in yellow in
the diagram below:
Because all of the actions in this section are performed from the blockchain console inRegion 2, log in to the Region 2 console
now.
Import components
Before you can use the console in Region 2 to add an ordering node to the ordering service, you need to import the components
that you set up in the previous cluster.
Tip: After you import a node into your console, you can use it create or manage other components in your console. But it
is important to understand that the original node remains physically located in the console in Region 1. This means that if
you need to view the logs of an imported node, you would need to do that from the cluster in Region 1 where it resides.
CA Multiregion OS CA
To complete the process of adding the node to a system channel, you need to add it to the consenter set of the system channel.
Just as when we performed these steps in the console in Region 1, a new tile with the name of OS3-Region2 appears on the
Multiregion Ordering Service page with the label "Requires attention". Again, this state reflects the fact that, while the node
creation process has been successful, the node is not yet part of the consenter set of the system channel. The node must be
added to the system channel before it can be added to any of the application channels.
Click the node to open it and then clickAdd node to ordering service. After the node has been added to the ordering service,
this third node is now part of the system channel.
Wait until the OS3-Region2 node tile status turns green before proceeding to the next section.
Because all of the actions in this section are performed from the blockchain console inRegion 3, log in to the Region 3 console
now.
Import components
Repeat the steps to import the console components fromRegion 1, but this time import them into the Region 3 console:
CA Multiregion OS CA
Repeat this exact same set of steps for the fifth ordering node, but give it the name OS5-Region3 .
CA Multiregion OS CA
Add both ordering nodes to the consenter set of the system channel. Click each new ordering node, thenAdd node to ordering
service. After the nodes have been added to the ordering service, the nodes are now part of the system channel.
Open both new ordering nodes, OS4-Region3 and OS5-Region3 , and click Export to download the configuration
to a JSON file on your local system. Share these files with the operators of the consoles in Region 1 and Region 2.
1. In the Region 1 console, import the os3-Region2, os4-Region3, and os5-Region3 files.
From the Nodes tab, open the Multiregion Ordering Service tile and click the Ordering nodes tab.
Click Add another node and then Import an existing ordering node.
Click Add file and browse to the JSON file for one of the exported ordering nodes.
Repeat this process for the other two ordering node JSON files.
2. In the Region 2 console, import the os4-Region3, and os5-Region3 files by repeating the same steps that you used in
the Region 1 console.
3. In the Region 3 console, import the os3-Region2 file by repeating the same steps.
The ordering service is now synchronized in each console across each region and can be used to create application channels
between consortium members.
To summarize, anytime a new ordering node is added to the ordering service in a console, it needs to be exported and then
imported into the ordering service in the consoles in the other regions. When you subsequently create an application channel
based on this ordering service, under the advanced options, you can select which ordering nodes to include in the consenter set.
Therefore, it is important that your console is up to date with all of the available ordering nodes before creating the channel in
order to include them to the channel consenter set.
The following screen capture shows what the ordering service looks like on the console inRegion 1. Notice the Imported label
on the three tiles from the other clusters. The ordering service should be identical in Region 2 and Region 3 except for the
Imported labels, since they will vary by region.
Next steps
Create application channels
The multiregion ordering service is now configured for HA across regions and is ready for peer organizations to create
For simplicity, we use a single organization for all five ordering nodes in this tutorial. But it is possible when you build an HA
ordering service that multiple organizations will want to contribute their own ordering nodes to the ordering service. In that
case, the process is largely the same. The major difference is that each organization that wants to contribute an ordering
node needs to have their own CA and own organization MSP definition. The process to add ordering nodes from separate
organizations is described in the Adding and removing ordering service nodes topic and the resulting architecture in this
case would be similar to:
Clean up
Want to start fresh? You can remove the following resources that you created as a part of this tutorial:
From the Nodes tab, open the Multiregion OS CA and click the trash can .
From the Organizations tab, open the Multiregion OS MSP and click the trash can .
From the Nodes tab, open the Multiregion Ordering Service and click the trash can .
From the Wallet tab, open Multiregion OS CA Admin and click Remove identity.
From the Wallet tab, open Multiregion OS MSP Admin and click Remove identity.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
Important: If you are using IBM Blockchain Platform for IBM Cloud, HA CA configuration is only available in paid
Kubernetes clusters on IBM Cloud.
Considerations
CA replica sets are only possible when the PostgreSQL database is selected for the CA. The SQLite database is not
supported for use with CA replica sets.
Because you cannot switch a CA database from SQLite to PostgreSQL, only new CAs that use PostgreSQL can be
configured to be HA. Likewise, after a CA is deployed and configured to use a PostgreSQL database, it cannot be
reconfigured to use a different PostgreSQL instance or later configured to use SQLite.
CA replica sets are automatically spread across your worker nodes in a single zone according to available resources.
Replica sets are not available across zones.
Because creating a CA replica set results in a new CA pod, when you configure an additional replica set, the CPU and
memory requirements for the CA are doubled. If three replica sets are required, then the total CPU and memory
requirements triple, and so on. However, the storage allocation does not change because all of the replica sets use the
same PostgreSQL database. When you configure your CA, you can specify how many replica sets to create.
The number of replica sets can be scaled up or down over time according to your availability needs.
Replica sets are only available when PostgreSQL is selected as the CA database.
The ability to deploy a CA to a specific Kubernetes cluster zone is only available when SQLite is selected as the CA
database.
Databases for PostgreSQL. See the Getting Started tutorial for information on provisioning an instance of the service.
Hyper Protect DBaaS for PostgreSQL. See the tutorial on Getting started with IBM Cloud Hyper Protect DBaaS for
PostgreSQL for setup instructions.
Use of a third-party PostgreSQL database is also supported. If the third-party database is configured to use TLS, you will need to
provide at least one server certificate. If SSL client authentication (mutual TLS) is enabled, you also need to provide a client
certificate and a client key in .pem format. More information on how to provide this information is provided in the steps that
follow.
IBM Cloud Databases for PostgreSQL If you are using a PostgreSQL database from IBM Cloud Databases for PostgreSQL,
you need to generate Service Credentials from the PostgreSQL resources page in your IBM Cloud Databases for
Save the credentials that you copied to a file of type JSON on your local system. When you create your CA, you need to
provide this file.
IBM Cloud Hyper Protect DBaaS for PostgreSQL If you are using a PostgreSQL database from IBM Cloud Hyper Protect
DBaaS for PostgreSQL, then you need to manually build the JSON file by using the following template:
{
"connection": {
"postgres": {
"hosts": [
{
"hostname": "db_hostname",
"port": "db_port"
}
],
"database": "db_name",
"authentication": {
"username": "db_admin_username",
"password": "db_admin_password"
},
"query_options": {
"sslmode": "verify-full"
},
"certificate": {
"certificate_base64": "ssl_root_cert"
}
}
}
}
Enter the corresponding hostname , port , database , username , password , and certificate_base64 values for your
PostgreSQL database:
hostname and port can be found in the Connect to database panel of the Hyper Protect DBaaS for PostgreSQL
dashboard.
database is the value that you enter for the Cluster name field when you provision the service instance. Note that
hyphen (-), space, and .db are not allowed in the name.
username and password are the values you enter for the Database admin name and Database admin password
fields when you provision the service instance.
certificate_base64 is the one-row string base64 format of the certificate value in the CA file, which you can
download from the Connect to database panel of the Hyper Protect DBaaS for PostgreSQL dashboard. Ensure to
convert the certificate value to one row.
Save this information to a JSON file on your local system so that is can be provided when you create your CA.
{
"connection": {
"postgres": {
"hosts": [
{
"hostname": "db_hostname",
"port": 30000
}
],
"database": "db_name",
"authentication": {
"username": "db_user",
"password": "db_password"
},
"query_options": {
"sslmode": "verify-full"
},
"certificate": {
"certificate_base64": "tls_certificate"
},
"client": {
"certificate_base64": "client_tls_certificate",
"private_key_base64": "client_tls_private_key"
}
}
}
}
Enter the corresponding hostname , port , database , username , and password values for your PostgreSQL database.
Valid values for sslmode are listed in the Hyperledger Fabric CA PostgreSQL documentation.
The certificate and client fields are required only if you are using TLS to encrypt communications to the PostgreSQL
database. All certificate strings must be base64 encoded.
Important: If you are not using TLS, you need to remove the certificate and client elements from your JSON file.
If the third-party database is configured to use TLS, you will need to provide at least one servercertificate.
If SSL client authentication (mutual TLS) is enabled, you will need to provide thecertificate as well as the client
certificates, certificate_base64 and private_key_base64.
Save this information to a JSON file on your local system so that is can be provided when you create your CA.
Creating an HA CA
Create a new CA by using the IBM Blockchain Platform console.
1. Navigate to the Nodes tab on the left and click Add Certificate Authority.
2. Make sure that the option to Create a Certificate Authority is selected. Then click Next.
3. Give your CA a display name and enter your CA admin credentials by specifying a CA administrator enroll ID and secret.
4. Click the Database and replica sets selection checkbox under Advanced deployment options and click Next. If your
network is on IBM Cloud, this option is only available on paid clusters.
5. To use replica sets, select PostgreSQL as the CA database.
6. Click Add file and browse to the JSON file you created with the database connection information.
7. Choose the number of replica sets you need. Two replica sets ensure that if one CA replica becomes unavailable, the other
is always immediately ready to process requests. Three replica sets provide even greater redundancy. If two of the three
replica sets are unavailable, the third is ready to process requests. Because each additional replica set requires additional
Blockchain networks allow multiple organizations to use a distributed ledger to transact and share data in a way that is trusted
and secure. However, this implies that data can be distributed across the nodes of the network and the regions where those
nodes reside. Organizations can use several options to separate data from the rest of the network and achieve data residency:
Each approach provides an increased level of isolation and protection for your data, but requires additional effort to implement
and manage. To help you understand how each option can be used to achieve data residency, we provide an overview of how
data is shared within a Hyperledger Fabric network. We then present an example use case to illustrate how organizations within
a blockchain consortium would use each option to separate their data and prevent it from leaving their region.
Peers host ledgers and smart contracts, with the latter governing how changes to the former are made. Ledgers themselves
contain two distinct, though related, parts: a world state which records the current value of any key (such as an asset), and a
blockchain which contains a literal “chain of blocks” that contain the records of each transaction. Peers receive state updates in
the form of new blocks from the ordering service. They then use the blocks and the world state to confirm (or commit)
transactions, update the world state and add the log of transactions on the blockchain.
Ordering nodes form a Raft ordering cluster that comprises the ordering service of a channel. The ordering service literally
“orders” transactions into blocks that are sent to peers to be committed to their ledgers. Each ordering node stores a copy of the
blockchain portion of the channel ledger.
Channels are the place where organizations interact within a network. You cannot participate in a blockchain network without
joining a channel. Channels can be used by members of the network to create logical separation between business applications
and even to boost performance by limiting traffic. They can also be used by subsets of organizations in the consortium to
transact privately and separate data.
Peers maintain a separate ledger for each channel that they join. Only organizations that are members of the channel can join
their peers to the channel and receive ledger updates from the ordering service. As a result, each channel is bound to an
ordering service, which stores the blockchain portion of every channel ledger that it maintains. Client applications submit
transactions to the peers and ordering service of a given channel. These transactions are added to the transaction log within the
blockchain and include a read-write set that is used to update the key-value pairs in the world state.
If in-country data residency is a requirement, you need to consider the location of your peers and the ordering service, as well as
your client applications. You also need to know the location of the peers that belong to other organizations on your channels. If
Org A Org C
Fabric SDK
Fabric SDK
Channel X
Certificate Authority Certificate Authority Client App 3
Client App 1
Ledger X Ledger X
Ordering Service Org
Ledger
Certificate Authority
Ledger X
Figure 1. An example blockchain consortium with one ordering service and four organizations. The four
organizations are all members of one channel, Channel X.
Each peer joined to channel X stores a copy of the channel ledger, which is displayed inFigure 1 as Ledger X. Because peers
from the United States and Germany are joined to the channel, the data on the channel ledger resides in both geographies. The
blockchain portion of the ledger is also stored by the ordering service that is located in the United States.
If two organizations in the consortium create a second channel, Channel Y, a second ledger is created and stored on the peers of
channel members. Only the organizations that joined the channel have a copy of the channel data.
Org A Org C
Fabric SDK
Fabric SDK
Channel X
Certificate Authority Certificate Authority Client App 3
Client App 1
Ledger X Ledger X
Ordering Service Org
Ledger
Certificate Authority
Ledger X Ledger Y
Channel Y
Ledger Y Ledger Y
Org B Peer Org D Peer
Figure 2. Two organizations in the consortium have created and joined a second channel, Channel Y. A second
channel ledger is created and stored on the peers of Org B and Org D and the ordering service.
In Figure 2, Org B and Org D have joined channel Y. The peers of Org B and Org D now store a copy of ledger Y, in addition to
ledger X. Because the same ordering service was used to create channel X and channel Y, the ordering service now has a copy of
the blockchain portion of both channel ledgers. In both Figure 1 and Figure 2, data being created by applications in Germany is
stored in the United States, which is undesirable if data residency is required.
We can use the previous example to explore the options that organizations can use to achieve data residency. Assume that a
regulation in Germany requires some of the data that is created by Org C and Org D to remain within the country. The
organizations in Germany can use all four of the following options to prevent data from being stored in the United States.
Org A Org C
Fabric SDK
Fabric SDK
Channel X
Certificate Authority Certificate Authority Client App 3
Client App 1
Ledger X Ledger X
Ordering Service Org
CollectionOrg C-Org D
Certificate Authority
Ledger X
Figure 3. Org C and Org D use a private data collection to keep data from being distributed on channel X and from
leaving Germany. Hashes of data in the collection are stored on ledger X.
In Figure 3, Org C and Org D have created a private data collection, the OrgC-OrgD collection, that allows the organizations to
transact without having to share data with Org A, Org B, or the ordering service. The key-value state data inside this collection is
only stored on the peers of Org C and Org D and does not leave Germany. However, a hash of the data within the collection is
stored on ledger X and shared with the broader channel. This means that a hash of the data in the OrgC-OrgD collection is
stored on the peers and the ordering service in the United States.
When considering private data, it is important to understand the difference between hashed data and encrypted data.
Encryption uses a two-way function to transform data into a form that hides its original value, but can be converted back to the
original state. As an example, when data is sent over a network that is secured using TLS, the data is encrypted using a TLS
certificate. It is then sent over the network as crypto text, and then decrypted by the recipient. The encrypted text contains all
the original data, and can be decrypted using a private key. However, hashing is a one-way function that uses data to create a
unique string of numbers and letters. The hashed data cannot be converted back to the original form using the hash. To verify
the data that created the hash, a recipient needs to create a new hash of the original data using the same hash function, and
verify that the hash values match. A third party cannot use the hash without a copy of the original data.
It is important to be aware with this option that while Orgs A and B cannot see the actual ledger data because it is hashed, they
are still able to see that Orgs C and D are transacting and can see the volume of transactions that are occurring between them.
Also, consider that data inside a private data collection can be purged from the peers that store it. While data is stored on a
channel forever, collections allow members to specify how many blocks are committed to a channel before the private data is
purged. Once data is removed from the private data collection, the hash on the channel can no longer be used to verify the
transaction that created it. In the example network in Figure 3, Org C and Org D can use a block to live policy to ensure that
any data that does not need to persist forever is removed from the network entirely within a specified time period.
Org A Org C
Fabric SDK
Fabric SDK
Channel X
Certificate Authority Certificate Authority Client App 3
Client App 1
Ledger X Ledger X
Ordering Service Org Collection Org C-Org D
Ledger Y
Org A Peer Org C Peer
Ledger
Certificate Authority
Channel Y
Ledger X Ledger Y
Ledger Y
Org B Peer Org D Peer
Figure 4. Org C and Org D form a separate channel, Channel Y, and use a private data collection. Hashes of data in
the collection are stored on ledger Y, and is only stored by the peers in Germany but not on the peers in the United
States.
In Figure 4, Org C and Org D have formed a new channel, Channel Y, that does not contain any members in the United States. As
a result, hashes of data in the OrgC-OrgD collection is stored on ledger Y instead of ledger X, and is not stored on the peers in
the United States. Because the ordering service is located in the United States, a hash of the data that is created in Germany still
leaves the country.
Creating a separate channel can prevent transaction details from being shared with other organizations in the consortium. If the
organizations in Germany used a shared channel, Org A and Org B would be able to see the number of transaction hashes that
are committed to the channel ledger by the private data collection. This might provide those organizations visibility into the fact
that Orgs C and D are transacting and the volume of transactions that are generated between them. Consider though that
forming a new channel requires additional management expense to create and update it. Forming a new channel also makes it
harder for Org C and Org D to share data with Org A and Org B.
Org A Org C
Fabric SDK
Fabric SDK
Ledger X Ledger X
Ordering Service Org
Ledger Y
Org A Peer Org C Peer
Ledger
Certificate Authority
Channel Y
Ledger Y
Ledger Y
Org B Peer Org D Peer
Figure 5. Org C and Org D create a new channel using an ordering service located in Germany. All data is stored in
the country on Ledger Y.
In Figure 5, Org C and Org D have created a new channel for data that must not leave Germany. This requires the creation of a
new ordering service that is located in Germany to ensure that the orderer's copy of the channel ledger is stored inside the
country. Since in this case the ordering service, the OrgC-peer, and the OrgD-peer are located in Germany, Org C and Org D can
now keep the data public on the channel if they choose, or they could still decide to use private data collections to prevent the
full transaction data from being stored on the ordering service.
Creating a channel with all of the components in one country ensures that all of the data resides within one region, including the
key-value pairs, the blocks, and the hashes of any private data. However, this option requires the resources to maintain a new
channel and the costs that are associated with maintaining the ordering service.
Option four: A separate channel with only ordering nodes from one country
When you initially deploy an ordering service, you create a set of ordering nodes that will be available to the application channels
for transaction processing. A major benefit of the Raft ordering service is that you can configure a channel to only use specific
ordering nodes from the ordering service. That's why the console includes an Advanced Channel creation option to select a
subset of ordering nodes to include in the channel consenter set, where each ordering node that you select will contain a copy of
the channel ledger. Therefore, it is possible to restrict the channel ledger locations to only nodes that reside in country.
In Figure 6, the ordering nodes that participate in the Raft ordering service are spread across the two countries. Two ordering
nodes are located in the United States, and three ordering nodes are in Germany for a total of five ordering nodes. When Channel
X is created, all five ordering nodes are included in the consenter set, which wouldnot meet a data residency requirement as the
ledger data is spread across both countries. Channel Y however only includes the three ordering nodes that reside in Germany,
which guarantees that all ledger data for this channel stays in country. A minimum of three ordering nodes is recommended
because this configuration allows for one node to go down and two nodes to be available to maintain "quorum", the minimum
number of nodes that must be available (out of the total number) for the ordering service to process transactions. A more robust
configuration would be to include five ordering nodes in Germany for Channel Y, which means that two nodes could go down
without losing quorum.
The easiest way to achieve this configuration is to spread the ordering nodes across Kubernetes clusters in different regions, a
process that is described in the Setting up multiregion High Availability (HA) deployments for the ordering servicetutorial.
When you use your console to view the channel details, ledger data is visible in your browser. The ledger data is transmitted
directly from the Kubernetes cluster to your browser. It is not passed to the service instance running on IBM Cloud.
Therefore, to preserve data residency, the end user's browser and the Kubernetes cluster must reside in the same country.
Reference material
For a deeper understanding of the flow of data on the IBM Blockchain Platform network, refer to the Fabric documentation on
transaction flow.
You can get more information about Private data collections and Zero Knowledge Proof in the white paper about Private and
confidential transactions with Hyperledger Fabric.
What is the value of using IBM Blockchain Platform over native Hyperledger Fabric?
What version of Hyperledger Fabric is being used with IBM Blockchain Platform?
Can IBM Blockchain Platform components interoperate with Hyperledger Fabric components on the same network? And
vice versa? And what is the support policy for networks that include both IBM Blockchain Platform components and open
source components?
Blockchain components
Certificates
Where does IBM store the customer's logs and how long does IBM keep the audit logs for the blockchain platform
service?
Do we have access to logging services and what logs are available to me?
Where can I see the price breakdown for IBM Cloud Kubernetes Service, Storage, and Blockchain in my monthly invoice?
Is there a best practice for monitoring my blockchain resources?
What is the value of using IBM Blockchain Platform over native Hyperledger Fabric?
Hyperledger Fabric is a powerful, versatile, pluggable, open source, distributed ledger technology capable of addressing a wide
variety of use cases across many industries. IBM Blockchain Platform is IBM's commercial distribution of Hyperledger Fabric. A
key benefit of the platform is that IBM tests the open source code for security vulnerabilities daily and provides 24x7x365
support with SLAs appropriate for production environments. The platform is the commercial distribution of Hyperledger Fabric
and includes integrated tools that provide end to end features for developers and network operators to develop, test, operate,
monitor, and govern Fabric components by using an intuitive console UI. Quickly deploy an instance and use the streamlined
console UI to build a network, easily deploy smart contracts, govern your components, and govern your channel. Interested in
APIs? See the IBM Blockchain Platform API reference. With the IBM Blockchain Platform, it is easy to extend a basic network,
work with multicloud solutions, and receive IBM worldwide support when needed. Finally, the IBM Blockchain Platform provides
additional security benefits that are essential for running an enterprise-grade production network.
What version of Hyperledger Fabric is being used with IBM Blockchain Platform?
IBM Blockchain Platform for IBM Cloud uses Hyperledger Fabric v1.4.12 and v2.2.5.
Containers deployed from any of the above sources can be connected on a single channel and transact. You can join IBM
Blockchain Platform peers to any network running Hyperledger Fabric components. Similarly, you can invite Fabric peers to join
channels hosted on an ordering service deployed on the IBM Blockchain Platform. Note that you will need to use Hyperledger
Fabric APIs or the CLI. For more information about what is supported, see Support for IBM Blockchain Platform. For instructions
on how to configure interoperability see Connect the IBM Blockchain Platform to Hyperledger Fabric components.
The IBM Blockchain platform gives customers total control over their deployments, certificates, and private keys. The console
simplifies and accelerates the process of deploying components into a Kubernetes cluster on IBM Cloud that is managed and
controlled by the customer. As a reminder, because the customer owns the storage that is mounted to the containers, IBM does
not have access to or control over any of the data that the customer chooses to store in their ledger.
How can I estimate the IBM Blockchain Platform sizing requirements for my
development, test, and production environments?
After you understand how many CAs, peers, and ordering nodes are required, you can examine the default resource allocations
table for your nodes to get an approximate estimate of the CPUs (VPCs) required for your network. If you are purchasing IBM
Blockchain Platform on IBM Cloud, you can estimate your cost through this method, but you also have the ability to scale
dynamically if more sources are needed.
How does pricing work on the IBM Blockchain Platform for IBM Cloud?
IBM Blockchain Platform for IBM Cloud is priced based on the VPCs that you allocate to your blockchain nodes on the IBM
Kubernetes Service. For more information, see Pricing for IBM Blockchain Platform for IBM Cloud.
What are the limitations of the free IBM Blockchain Platform using the IBM Cloud
Kubernetes Service free cluster?
Preview the IBM Blockchain Platform at no charge for 30 days when you link your IBM Blockchain Platform service
instance to an IBM Cloud Kubernetes free cluster.
Performance will be limited by throughput, storage, and functionality. Read more about the limitations of free clusters.
IBM Cloud will delete your Kubernetes cluster after 30 days.
Only one blockchain console can be connected to a free cluster at a time.
You cannot migrate any nodes or data from a free cluster to a paid cluster.
See Find out how to preview the platform free for 30 daysfor more information on how to get started.
What regions or locations are available for the IBM Blockchain Platform for IBM
Cloud?
The available regions for IBM Blockchain Platform are listed in IBM Blockchain Platform locations. Note that you must create a
Kubernetes cluster on IBM Cloud in the same region as the blockchain service to recognize the cluster. Additional regions will be
available soon.
What persistent file storage does IBM Blockchain Platform for IBM Cloud use by
Is there a trial option available for using a Red Hat OpenShift cluster on IBM Cloud?
A free 30 day trial is available in the Red Hat Marketplace.. See Deploy from Red Hat Marketplace to learn more.
How can I find what version of the IBM Blockchain Platform that I am running?
View the Support page by clicking the question mark icon in the upper right corner of the page. The IBM Blockchain Platform
version is visible under the page heading.
How do I get the latest Fabric version and Fabric functionalities on my IBM
Blockchain Platform network?
Depending on the contents of a Fabric release and IBM Blockchain Platform, it might only be necessary to upgrade nodes to get
access to the latest features. However, often it is necessary to update channel configurations with the latest capabilities in order
to get access to the latest Fabric features. In these cases, it is important to upgrade components and channels in a particular
order:
1. Upgrade nodes to the latest Fabric versions. Note that nodes are always backward compatible with earlier versions and
earlier capabilities. For more information about upgrading nodes, see Upgrading to a new version of Fabric.
2. Update channels with any new channel capabilities. If you update capabilities to a capability level (such as 2.0) before
upgrading nodes to the Fabric version corresponding to a capability, the node may crash. For more information, see
Capabilities.
Tip: If you are moving from v1.4.x to v2.x, you may have to update your smart contracts to conform to new smart contract
lifecycle. For more information, see Upgrading to a new version of Fabric.
I am currently using Hyperledger Fabric v1.4.x and want to move to IBM Blockchain
What types of off-chain databases are supported with the IBM Blockchain
Platform?
As a best practice it is recommended that you do not query the entire blockchain ledger for the purpose of aggregation or
reporting. If you want to build a dashboard or collect large amounts of data as part of your application, you can query an off chain
database that replicates the data from your blockchain network. This allows you to understand the data on the blockchain
without degrading the performance of your network or disrupting transactions.
You can use block or smart contract events from your application to write transaction data to an off-chain database or analytics
engine. For each block received, the block listener application would iterate through the block transactions and build a data
store by using the key/value writes from each valid transaction's read-write set. The Peer channel-based event services provide
replayable events to ensure the integrity of downstream data stores. For an example of how you can use an event listener to
write data to an external database, see the Off chain data sample in the Fabric samples.
Blockchain solutions can use any RDBMS or NoSQL DB such as IBM Cloudant for offchain data storage. Hyperledger Fabric does
not govern, interact with, or manage off-chain databases. In most cases, the off-chain database is used for reference data and
non-transactional data. IBM has successfully built blockchain products and solution accelerators with Hyperledger Fabric and
NoSQL databases such as OrientDB.
Do ordering service Raft nodes use Transport Layer Security (TLS) for
communication?
Yes. The Raft ordering service nodes are configured to use TLS communication. TLS is embedded in the trust model of
Hyperledger Fabric. By default, server-side TLS is enabled for all communications using TLS certificates. TLS is used to encrypt
the communication between your nodes and as well as between your nodes and your applications. TLS prevents man-in-the-
middle and session hijacking attacks. All IBM Blockchain Platform components use TLS to communicate with each other.
As a result, "backing up" a component or a network is the process of saving a copy of the relevant persistent volumes, while
"restoring" a component or network involves bringing up components and pointing them to these saved volumes. For more
information, check out Backing up and restoring components and networks.
What benefits are available with the new smart contract lifecycle available on
nodes and channels running on Fabric v2.x?
The new smart contract lifecycle allows channel members to collaborate in the decision making process about smart contracts
like never before. Where previously smart contracts were instantiated on a channel by a single channel member and other
organizations only had the ability to choose whether to install the smart contract, the new lifecycle allows organizations to
propose, approve, and commit smart contracts at an organizational level.
This separation of concerns opens exciting new opportunities for collaborating organizations. For example, different
organizations can install smart contracts on their peers that contain only the code relevant to their business role and make minor
updates to these smart contracts where necessary, without needing to seek new approvals from other organizations.
For a tutorial on how this process is handled by the console, check out Deploy a smart contract using Fabric v2.x.
For information about to take advantage of the new lifecycle when writing a smart contract, check out Writing powerful smart
contracts.
How can I check and interpret the status of my components through the
Kubernetes command line?
To check the status of your component, run the following command:
Replace <CUSTOM_RESOURCE_TYPE> with the custom resource type of your component (ibpca, ibppeer, ibporderer, or
errorCode
lastHeartbeatTime: when the controller last reconciled the component
message: long explanation of the status type
reason: short explanation of the status
status: "true" or "false" based on if status is valid
version: the product (IBP) version of the component
versions: the operand version of the component
type: describes the current status of the component
Deploying: component pod(s) spinning up but not yet running and ready
Deployed: component pod(s) are running
Precreated: (specific to the Orderer) Orderer is waiting for the genesis block to be created
Error: component hit an error during reconcile, or a certificate has expired
Warning: one or more of the component's certificate will be expiring within 30 days (by default)
Initializing: component is being reconciled again due to spec updates in the pre-reconcile checks
Can I integrate my corporate LDAP server with the Certificate Authority (CA) in the
IBM Blockchain Platform?
You cannot currently directly integrate your LDAP server with the CA. However, you can use an external mechanism to generate
X.509 certificates for the LDAP users. To use those certificates with a peer or ordering service, see these topics on Using certs
from an external CA for your peer or ordering service and Manually building an organization MSP.
Note: Also, you cannot configure the blockchain console login authentication to use an LDAP user registry at this time.
What version of the IBM Blockchain Platform works with the Ansible collection?
Versions 2.1.3 and 2.5.x of the IBM Blockchain Platform can be used with the Ansible collection to deploy a Hyperledger Fabric
network.
How do I get support for running the IBM Blockchain Platform Ansible playbook?
Ansible is an open source technology and this product is not officially supported by IBM. For support related to the usage of the
IBM Blockchain Platform and Ansible playbooks use the GitHub repository.
Can the IBM Blockchain Platform monitor the health of a client application?
The IBM Blockchain Platform console does not monitor the health of blockchain client applications, but IBM Cloud does offer
tooling such as IBM Log Analysis and IBM Cloud Monitoring that can be used for their health monitoring.
Where does IBM store the customer's logs and how long does IBM keep the audit
logs for the blockchain platform service?
The logs are stored in the customer's Kubernetes cluster. IBM does not have access to the logs and it is up to the customer to
manage all of their log data including retention management.
Do we have access to logging services and what logs are available to me?
With IBM Blockchain Platform, you can now directly access logs from your Kubernetes dashboard. It is recommend that you take
advantage of the IBM Log Analysis service that allows you to easily parse the logs in real time.
Where can I see the price breakdown for IBM Cloud Kubernetes Service, Storage,
and Blockchain in my monthly invoice?
Actual cost breakdowns are visible from your Invoices in the IBM Cloud Dashboard. For detailed steps, see the Billing section in
the Pricing topic.
Tip: You should be aware that JavaScript and TypeScript smart contracts require more resources than contracts written
The architecture behind IBM Blockchain is the Linux Foundation's Hyperledger Fabric project. Each open-source community
contribution improves Hyperledger Fabric but can present adoption challenges. IBM cautions against defining or exchanging
financial assets directly on any Hyperledger Fabric blockchain network.
Note: IBM does not support networks that use Hyperledger Composer in production, including the Composer CLI,
JavaScript APIs, REST server, and Web Playground.
Open-source statement
IBM Blockchain offerings are built based on the Linux Foundation's Hyperledger Fabric stack. Hyperledger Project members,
including IBM, continue to contribute to various subprojects under the Hyperledger umbrella. All contributions are reviewed,
vetted, and tested by the community.
Lastly, it is not recommended to write non-deterministic chaincode, which introduces risk to data consistency and integrity. The
Hyperledger Fabric architecture is designed to counter against non-deterministic chaincode through a series of endorsement
and validation checks. However, you are still urged to code deterministic functions that are not reliant on non-static global
variables, such as time.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
If you have not already used the IBM Blockchain Platform console to deploy components to a Kubernetes cluster on IBM Cloud,
see Getting started with IBM Blockchain Platform for IBM Cloud. Note that the console itself does not reside in your cluster. It is
a tool that you can use to deploy components into your cluster.
Whether you deploy components to a paid or free Kubernetes cluster, pay close attention to the amount of available resources in
your cluster when you choose to deploy nodes and create channels. It is your responsibility to manage your Kubernetes cluster
and deploy additional resources when necessary. While components will successfully deploy to an IBM Cloud free cluster, the
more components you add, the slower your components will run. For more information about component sizings and how the
console interacts with your Kubernetes cluster on IBM Cloud, see Allocating resources.
Tip: If you are using a Kubernetes cluster on IBM Cloud, it is recommended that you provision at least a 4CPU x 16GB
RAM cluster to accommodate the components in this tutorial.
Note that while this tutorial shows how this process works with a paid Kubernetes cluster on IBM Cloud, the same basic flow
applies to free clusters, albeit with a few limitations (for example, you cannot size or resize nodes in a free cluster).
Build a network tutorial This tutorial guides you through the process of hosting a network by creating two organizations,
one for your peer and another for your ordering service, and a channel. Use this tutorial if you want to form a blockchain
consortium by creating an ordering service and adding organizations.
Join a network tutorial guides you through the process of joining an existing network by creating a peer and joining it to an
existing channel. Use this tutorial if you either do not intend to host a network by creating an ordering service, or want to
learn the process for joining other networks.
Deploy a smart contract on the network using Fabric v2.x shows how to write a smart contract and deploy it on a network.
Looking for a way to script the deployment of your nodes? If you are already familiar with the manual process to deploy the
components with the console, you can check out the Ansible playbooks, a powerful tool for scripting the deployment of
components in your blockchain network.
Ordering service CA
Ordering Service Org
Org2 CA
Org 2
This configuration is sufficient both for testing applications and smart contracts and as a guide for building components and
joining production networks that will suit your own use case. The network contains the following components:
This configuration isn't mandatory. The IBM Blockchain Platform is highly customizable. If you have resources available in your
Kubernetes cluster, you can use the console to deploy components in an endless array of configurations. This tutorial provides
the steps that you need to build your own network, with references to topics that provide a deeper dive into the IBM Blockchain
Platform and the console.
Important: You can deploy multiple peers that belong to the same organization MSP and multiple orderers that belong to
a different organization MSP. But the console does not prevent you from configuring peers and ordering nodes that belong
to a single same organization MSP. While it might seem that a single organization MSP for all your nodes would greatly
simplify deployment of your network, this configuration is problematic. Because the process to renew certificates is
different for peer and ordering nodes, when the renewal process is attempted after the node certificates expire in one
year, certificate renewal will fail. For that reason, using the same MSP for your peers and ordering nodes is strongly
discouraged.
In this Build a network tutorial, we build only a portion of the network above, a simple network that can be used to host an
ordering service and a single peer organization and peer on a single channel. The following illustration shows the portion of the
network above that we will build:
Org1 CA
Org1
Org1 MSP
Peer Org1
Ledger definition
X
Ordering service CA
Ordering Service Org
Ordering service
Channel 1 MSP definition
This configuration is useful for quickly getting started and testing a smart contract but is not very meaningful until you add other
organizations to transact with, creating a truly distributed network. Therefore, in the subsequent Join a network tutorial, we
show you how to create additional peer organizations and peers, and how to add a new organization to the channel.
Tip: Throughout this tutorial we supply recommended values for the fields in the console. This allows the names and
identities to be easier to recognize in the tabs and drop-down lists. These values are not mandatory, but you will find them
helpful, especially since you will have to remember certain values like IDs and secrets of registered users that you input in
previous steps. As these values are not stored in the console, if you forget them, you will have to register additional users
In this tutorial, we create two organizations, one which will own a peer and another which will own an ordering service. Each
organization needs a CA to issue its certificates, therefore we need to create two CAs. For the purpose of this tutorial, we will
create only one CA at a time.
Watch the following video to learn about the process to create the peer's organization and the peer (for video tutorials on how to
create an ordering service and a channel, see video series:
Video transcript
Important: Your CA issues the certificates and private keys for your organization's admins, client applications, and nodes.
These identities are not managed by IBM and the private keys are not stored in the console. They are only stored in your
browser local storage. Therefore, make sure to export your identities and the MSP of your organization. If you attempt to
access the console from a different machine or a different browser, you will need to import these identities and
organization definitions.
To create the CA that will issue certificates for your first organization, perform the following steps in your console:
1. Navigate to the Nodes tab on the left and click Add Certificate Authority. The side panels will allow you to customize the
CA that you want to create and the organization that this CA will issue keys for.
2. In this tutorial, we're creating nodes, as opposed to importing them, so make sure the option toCreate a Certificate
Authority is selected. Then click Next.
3. Use the side panel to give your CA a display name. Our recommended value for this CA is Org1 CA. Then give your CA
admin credentials by specifying a CA administrator enroll ID of admin and a secret of adminpw. Again, these are
recommended values.
4. The Advanced deployment options are only available in paid clusters and can be safely ignored for purposes of this
tutorial. For more information about these options, see the links below.
After you deploy the CA, you need to associate an admin identity. This will allow you to operate your CA and use it to create your
organization MSP, register users, and your peer.
Advanced users may already have their own CA, and not want to create a new CA in the console. If your existing CA can issue
certificates in X.509 format, you can use certificates from your own external CA instead of creating a new CA here. The CA
should sign using ECDSA and the defaults should be set to use P256 curve. See this topic on Using certificates from an external
CA with your peer or ordering node for more information.
Important: Depending on your cluster type, deployment of the CA can take up to ten minutes. When the CA is first
deployed (or when the CA is otherwise unavailable), the status indicator box in the CA tile is a flashing gray box. When the
CA is successfully deployed and is running, this box is green, indicating that it is "Running" and can be operated from the
console. Before proceeding with the steps below, you must wait until the CA status is "Running". If the gray box stops
blinking, you can try reloading the page in your browser to refresh the status.
After the CA is running, as indicated by the green box in the tile, complete the following steps:
1. Click the Org1 CA tile in the Nodes tab. Then click Associate identity on the CA overview panel.
2. On the side panel that opens, provide an Enroll ID of admin and an Enroll secret of adminpw. For the Identity display
name, you can use the default value of Org1 CA Admin.
3. Click Associate identity to add the identity into your console Wallet and associate the admin identity with your CA.
After setting the CA admin identity, you will be able to see the table of registered users in the CA overview panel.
Important: The identity is not stored in your console or managed by IBM. It is only stored in local browser storage. If you
change browsers, you will need to import this identity into your Wallet to be able to operate the CA. Click Export identity
to download the identity along with its certificate and private key.
An organization admin: This identity allows you to operate nodes using the platform console.
A peer identity: This is the identity of the peer itself. Whenever a peer performs an action (for example, endorsing a
transaction) it will sign using its certificate.
Once you have associated the CA admin, you can use the CA tile to create these identities by completing the following steps:
1. Click the Org1 CA tile and ensure the admin identity that you created for the CA is visible in the table. Then click the
Register user button.
2. First we'll register the organization admin, which we can do by giving anEnroll ID of org1admin and a secret of
org1adminpw. Then set the Type for this identity as admin. You can ignore the Maximum enrollments field. If you want to
learn more about enrollments, see Registering identities. Click Next.
3. This tutorial does not configure attributes on identities, see Registering identities if you want to learn more. Click Register
user.
4. After the organization admin has been registered, repeat this same process for the identity of the peer (also using the
Org1 CA). For the peer identity, give an enroll ID ofpeer1 and a secret of peer1pw. This is a node identity, so select peer
as the Type. You can ignore the Maximum enrollments field and, on the next panel, do not assign anyAttributes, as
before.
5. You can also register identities of type orderer with the TLS CA. Completing this optional step for your orderer's admin
identity allows viewing additional channel details for the orderer nodes that use this identity. Repeat steps 1-2 above,
changing the Certificate Authority drop-down selection from Root Certificate Authority to TLS Certificate
Authority.
Note: Registering these identities with the CA is only the first step in creating an identity. You will not be able to use these
identities until they have been enrolled. Enrollment is the process that generates the certificate and private key for the
registered user. For the org1admin identity, this will happen during the creation of the MSP, which we will see in the next
step. In the case of the peer1 identity, it happens during the creation of the peer.
1. Navigate to the Organizations tab in the left navigation and click Create MSP definition.
2. On the first panel, enter Org1 MSP as the organization MSP display name and org1msp and as the MSP ID. If you plan to
specify an MSP other than org1msp, make sure to review the guidelines for MSP names in the tooltip. Click Next.
3. On the Root Certificate Authority details panel, specify the CA you used to register the identities for this organization. If
this is your first time through this tutorial, you should only see one: Org1 CA. The CA root certificate and TLS CA root
certificate are displayed. Click Next.
4. On the Admin certificates panel, select the enroll ID you created for your organization admin from the drop-down list,
org1admin, and enter its associated secret, org1adminpw. Then, give this identity a display name, Org1 MSP Admin . Note:
the default display name for this identity is the name of your MSP and the word "Admin". If you select a different name for
your MSP, that will be reflected in the default.
5. Click the Generate button to enroll this identity as the admin of your organization and export the identity to the Wallet,
where it will be used when creating the peer and creating channels.
6. Click Export to export the admin certificates to your file system. As we said above, this identity is not stored in your
console or managed by IBM. It is only stored in local browser storage. If you change browsers, you will need to import this
identity into your Wallet to be able to administer the peer. Click Next.
Exporting your organization admin identity is important because you are responsible for managing and securing these
certificates. If you switch browsers, you will need to import this admin identity otherwise you will not be able to operate
Org1.
7. On the Review MSP information panel, make sure you have entered the correct information. When you are satisfied, click
Create MSP definition.
8. After the MSP has been created, click on the tile representing it. Thendownload the MSP to your local filesystem. You will
need to send this MSP to all of the organizations in the channels you join.
Root CA Org1 CA
After you have created the MSP, you should be able to see the peer organization admin in your consoleWallet.
Creating a peer
After you have created the Org1 CA, used it to register Org1 identities, and created the Org1 MSP, you're ready to create a peer
for Org1.
From a resource allocation perspective, it is possible to join the same peers to multiple channels. The design of the peer ensures
that the data from one channel cannot pass to another through the peer. However, because the peer will store a separate ledger
for each channel, it is necessary to ensure that the peer has enough processing power and storage to handle the transaction and
data load.
CA Org1 CA
Tip: In a production scenario, it is recommended that each organization deploy three peers to each channel. These can
be the same three peers joined to different channels or different peers. It is up to the organization. This is to allow one
peer to go down (for example, during a maintenance cycle) and still maintain highly available peers. To deploy more than
one peer for an organization, use the same CA you used to register your first peer identity. In this tutorial, that would be
Org1 CA . Then, register a new peer identity using a distinct enroll ID and secret. For example, org1secondpeer and
org1secondpeerpw . Then, when creating the peer, give this enroll ID and secret. As this peer is still associated with
Org1, choose Org1 CA , Org1 MSP , and Org1 MSP Admin from the drop-down lists. You may choose to give this new
peer a different admin, which can be registered and enrolled with Org1 CA , but this optional. This tutorial series will only
show the process for creating a single peer for each peer organization.
The ordering service is a key component in a network because it performs a few essential functions:
It literally orders the blocks of transactions that are sent to the peers to be written to their ledgers. This process is called
"ordering".
On orderers with a system channel, it maintains the consortium, the list of peer organizations permitted to create
channels, resides.
It enforces the policies decided by the consortium or the channel administrators. These policies dictate everything from
who gets to read or write to a channel, to who can create or modify a channel. For example, when a network participant
asks to modify a channel or consortium policy, the ordering service processes the request to see if the participant has the
proper administrative rights for that configuration update, validates it against the existing configuration, generates a new
For more information about ordering services and the role they play in networks based on Hyperledger Fabric, see The Ordering
Service.
In a paid cluster, you have the option between creating a one node ordering service (sufficient for testing purposes) and a crash
fault tolerant ordering service featuring five nodes tied to a single organization. In a free cluster, you will only be able to create a
single node ordering service. In this tutorial, we will show the one node ordering service.
However, just as with the peer, before we can create an ordering service, we need to create a CA to supply the identities and the
MSP of our ordering service organization.
Watch the following video to learn about the process to create the ordering service's organization and the ordering service (for
video tutorials on how how to create a peer and a channel, see video series:
Video transcript
Currently, the only crash fault tolerant configuration of ordering nodes currently available is five nodes. While it is possible to
create a crash fault tolerant ordering service with as little as three nodes, this configuration incurs risk. If a node goes down, for
example during a maintenance cycle, only two nodes would be left. If another node was lost during this cycle for any reason,
only one node would left. In that state, a one node ordering service when you started with three, you would no longer have a
majority of nodes available, also known as a "quorum". Without a quorum, no transactions can be pushed and the channel stops
functioning.
With five nodes, you can lose two nodes and still maintain a quorum, meaning that you can undergo a maintenance cycle while
maintaining high availability. As a result, paid clusters will only have the choice between one node and five nodes. Production
networks should choose the five node option, as a one node ordering service is, by definition, not crash fault tolerant.
The ordering service can be run by either one organization (as might be the case in founder-led networks or in cases where the
consortium chooses an independent neutral entity to run all of the ordering nodes), or by multiple organizations which may or
may not contribute a node. Similarly, channel members can decide how many ordering nodes they want to service a channel.
Two organizations might decide to create a channel only using ordering nodes they own.
In this tutorial, we will create a one node ordering service managed by a single organization. If you want to add additional nodes
to this deployment, see Adding and removing ordering service nodes.
As with the peer, advanced users may already have their own CA and not want to create a new CA using the console. If your
existing CA can issue certificates in X.509 format, you can use certificates from your own external CA instead of creating new
certificates here. See this topic on Using certificates from an external CA with your peer or ordering node.
Important: Depending on your cluster type, deployment of the CA can take up to ten minutes. When the CA is first
deployed (or when the CA is otherwise unavailable), the box in the tile for the CA will be gray box. When the CA has
successfully deployed and is running, this box will be green, indicating that it is "Running" and can be operated from the
console. Before proceeding with the steps below, you must wait until the CA status is "Running". If the gray box stops
blinking, you can try reloading the page in your browser to refresh the status.
After the CA is running, as indicated by the green box in the tile, complete the following steps:
1. Click the Ordering Service CA tile in the Nodes tab. Then click Associate identity on the CA overview panel.
2. On the side panel that opens, provide an Enroll ID of admin and an Enroll secret of adminpw. For the Identity display
name, you can use the default value of Ordering Service CA Admin .
3. Click Associate identity to add the identity into your console Wallet and associate the admin identity with your CA.
You should be able to see the CA admin in your Wallet. As we said above, the identity is not stored in your console or managed
by IBM. It is only stored in local browser storage. If you change browsers, you will need to import this identity into your console
Wallet to be able to operate the CA. Click the CA admin and then click Export identity to download the certificate and private
key.
Using your CA to register ordering service node and ordering service admin identities
As we did with the peer, we need to register two identities with our ordering service CA. After selecting your CA, you will need to
register an admin for our ordering service organization and an identity for the ordering service itself.
After you have associated the CA admin, you can use the CA tile to create these identities by completing the following steps:
1. Click the Ordering Service CA tile in the Nodes tab and ensure the admin identity that you created for the CA is visible
in the table. Then click the Register user button.
2. First we'll register the organization admin, which we can do by giving anEnroll ID of OSadmin and a secret of OSadminpw.
Then set the Type for this identity as admin. You can ignore the Maximum enrollments field. If you want to learn more
about enrollments, see Registering identities. Click Next.
3. This tutorial does not configure attributes on identities, see Registering identities if you want to learn more. Click Register
user.
4. After the organization admin has been registered, repeat this same process for the identity of the ordering service (also
using the Ordering Service CA ). For the ordering service node identities, give an enroll ID ofOS1 and a secret of OS1pw.
This is a node identity, so select orderer as the Type. You can ignore the Maximum enrollments field and, on the next
panel, do not assign any Attributes, as before.
For the purpose of this tutorial, we are only creating one node identity. This identity will be used by the one node that we will
deploy to create the ordering service. While you would not want to do this in a multi-organizational ordering service, it is
acceptable given that all of the ordering nodes are owned by the same organization.
1. Navigate to the Organizations tab in the left navigation and click Create MSP definition.
2. Enter Ordering Service MSP as the organization MSP display name and osmsp and as the MSP ID. If you want to specify
your own MSP ID in this field, make sure to review the instructions in the tool tip.
3. Under Root Certificate Authority details, specify the CA you used to register the identities in the previous step,Ordering
6. Click Export to export the admin certificates to your file system. As we said above, this identity is not stored in your
console or managed by IBM. It is only stored in local browser storage. If you change browsers, you will need to import this
identity into your Wallet to be able to administer the peer.
Exporting your organization admin identity is important because you are responsible for managing and securing these
certificates. If you export the ordering service and the ordering service MSP definition, they can be imported into another
console where another operator can create new channels on the ordering service or join peers to the channel.
8. After the MSP has been created, click on the tile representing it. Thendownload the MSP to your local filesystem. You will
need to send this MSP to all of the organizations in the channels you join.
After you have created the MSP, you should be able to see the ordering service organization admin in yourWallet, which can be
accessed by clicking on the Wallet in the left navigation.
CA Ordering Service CA
After the ordering service has been created, you are able to see it on theNodes panel.
As we noted earlier, a peer organization must be known to the ordering service before it can create a channel or be joined to a
channel when the channel is created. This act of being "known" to the ordering service is also known as "joining the consortium",
the list of organizations known to the ordering service. This is because channels are, at a technical level, messaging paths
between peers through the ordering service. Just as a peer can be joined to multiple channels without information passing from
one channel to another, so too can an ordering service have multiple channels running through it without exposing data to
organizations on other channels.
Because only ordering service admins can add peer organizations to the consortium, you will either need tobe the ordering
service admin or send MSP information to the ordering service admin.
Watch the following video to learn how to add a peer organization to the consortium, create the channel, and join a peer to the
channel. For video tutorials on how how to create a peer and an ordering service, see video series:
Video transcript
After the Ordering service tile has the green status indicator you can proceed with the following steps. Because you created the
ordering service admin using the console, this process is relatively straightforward:
When this process is complete, it is possible for Org1 to create or join a channel hosted on your Ordering Service .
In this tutorial, we can easily access the Org1 MSP because both the peer organization and the ordering service organization
were created in the same console. In a production scenario, the MSP definitions of other organization would be created by
different network operators in their own cluster using their own IBM Blockchain console. In those cases, when the organization
wants to join your consortium, the organization MSP definition of the organization will need to be sent to your console in an out of
band operation. Additionally, you will need to export your ordering service and send it to them so they can import it into their
console and join a peer to the channel (if they are added to the consortium, they will also be able to create a new channel). This
process is described in the Join a network tutorial under Exporting your organization information.
After you click the ordering cluster tile you may see a warning about missing a TLS identity. This identity is a different type than
we've used in the past and is only need for orderers that do not have a system channel. This identity is actually the same identity
the orderer is using when it enrolls on startup against the TLS CA. To get this identity:
1. From the Nodes tab, select the CA tile that this orderer cluster used (during create)
2. Find the row for the identity this orderer used and click the dot dot dot
3. On the enroll wizard select the TLS CA in the CA drop down (its important to select the TLS CA)
4. Type the enroll secret that was used earlier when creating the orderer
5. Follow any other directions in the enroll wizard and click submit
6. If you browse back to the nodes page and select the Orderer Cluster tile the TLS identity error should be gone
Important: In this tutorial, we will presume that users will not be attempting to edit any of the advanced options available
when creating a channel. For information about editing advanced options both before and after a channel has been
created, as well as more information about standard options, see Advanced channel deployment and management. Note
that to use the new 2.x lifecycle, you might need to use the advanced Capabilities option to increase the application
capability to 2_0 . For more information, check out Capabilities.
Although the members of a network are usually related business entities that want to transact with each other, there might be
instances when subsets of the members want to transact without the knowledge of the others. This is possible by creating a
channel on which these transactions will take place. Channels replicate the structure of a blockchain network in that they
contain members, peers, an ordering service, a ledger, policies, and smart contracts. But by restricting the membership, and
even the knowledge of the channel, to particular subsets of the network membership, channels ensure that network members
can leverage the overall structure of the network while maintaining privacy, where needed.
To join a peer from Org1 to a channel, Org1 must first be added to the consortium. After which, it can create a channel and join
a peer to it. If the organization is not a member of the consortium at channel creation time, it is possible to create the channel
and add the organization later by clicking the Settings button on the page of the relevant channel and editing the channel.
Important: After the channel has been created, subsequent organizations do not have to join the consortium before
being joined to a channel by the channel administrators through a channel configuration update. However, these
organizations will only be able to create their own channels if they are added to the consortium first.
For more information about channels and how to use them, see the Hyperledger Fabric documentation.
Watch Video 3 above to learn about the process to create channel and join your peer to the channel.
When you have created your CAs, identities, MSPs, ordering service, a peer, and have added your peer organization to the
consortium, navigate to the Channels tab in the left navigation. This is where channel creation and management are handled.
When you first navigate to this tab, it will be empty except for the Create channel and Join channel buttons. This is because you
1. Click the pending tile for channel1 to launch the side panel.
2. Select which peers you want to join to the channel. For purposes of this tutorial, click the box next toPeer Org1.
3. Leave the checkbox for Make anchor peer selected. It is a best practice for each organization to have at least one anchor
peer on each channel, as anchor peers bootstrap the inter-organizational communication that enables features like
Private Data and Service Discovery to work. While it is only necessary to have one anchor peer on each channel, it does
not hurt to make all peers anchor peers. The only downside will be a short-term increase in the stress on your
communication layer when new organizations join their peers to the channel, as these peers are designed to contact every
anchor peer in every organization to find out about the peers belonging to that organization. Note that you can also make a
peer an anchor peer later through the Channels tab.
4. Click Join channel.
Important: In this tutorial, we are only creating and joining a single peer to the channel. As a result, you don't have to
worry about a conflict between the database type used by your peer (which in this tutorial is CouchDB) and any other
peers on the channel. However, in a production scenario, a best practice will be to ensure that the peer you are joining to
this channel uses the same database type as other peers on the channel. For more information, see LevelDB vs CouchDB.
Next steps
After you have created and joined your peer to a channel, you have a basic, though fully functional, blockchain network. Use the
following steps to deploy a smart contract and begin submitting transactions:
Deploy a smart contract on your network using Fabric v2.x using the console.
After your smart contract has been installed, proposed, approved, and then committed, you can submit transactions using
your client application.
You can also create another peer organization by using the Join a network tutorial. You can add the second organization to your
channel to simulate a distributed network, with two peers that share a single channel ledger.
Join a network
IBM® Blockchain Platform is a blockchain-as-a-service offering that enables you to develop, deploy, and operate blockchain
applications and networks. You can learn more about blockchain components and how they work together by visiting the
Blockchain component overview. This tutorial is the second part in the sample network tutorial series and describes how to
create nodes in the IBM Blockchain Platform console and connect them to a blockchain consortium hosted in another cluster.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
If you have not already used the IBM Blockchain Platform console to deploy components to a Kubernetes cluster on IBM Cloud,
see Getting started with IBM Blockchain Platform for IBM Cloud. Note that the console itself does not reside in your cluster. It is
a tool that you can use to deploy components into your cluster.
Whether you deploy components to a paid or free Kubernetes cluster, pay close attention to the resources at your disposal when
you choose to deploy nodes and create channels. It is your responsibility to manage your Kubernetes cluster and deploy
additional resources if necessary. While components will successfully deploy to an IBM Cloud free cluster, the more components
Build a network tutorial guides you through the process of hosting a network by creating an ordering service and a peer.
Join a network tutorial (Current tutorial) Guides you through the process of joining an existing network by creating a peer
and joining it to a channel.
Deploy a smart contract using Fabric v2.x provides information on how to write a smart contract and deploy it on your
network.
You can use the steps in these tutorials to build a network with multiple organizations in one cluster for the purposes of
development and testing. Use the Build a network tutorial if you want to form a blockchain consortium by creating an ordering
service and adding organizations. Use the Join a network tutorial to connect a peer to the network. Following the tutorials with
different consortium members allows you to create a truly distributed blockchain network.
Looking for a way to script the deployment of your nodes? If you are already familiar with the manual process to deploy the
components with the console, you can check out the Ansible playbooks, a powerful tool for scripting the deployment of
components in your blockchain network.
This tutorial is meant to show how to join a peer to anexisting network. It presumes that an ordering service has already been
created using another IBM Blockchain Platform console (it is possible to join peers created in the IBM Blockchain Platform to
any network running Hyperledger Fabric based components using the Fabric APIs or the CLI, but we will not show that process
here). If you don't have an existing network to join, visit the Build a network tutorial to learn how to create one. The Join a
network tutorial takes you through the steps to create the following Org2 blockchain components, highlighted in the blue box:
Org1 CA
Org1
Org1 MSP
Peer Org1
Ledger definition
X
Orderer CA
Orderer Org
Org2 CA
Org2
Org2 MSP
Peer Org2 definition
Ledger
X
Perform the steps in the Join a network tutorial to create the following components and complete the following actions:
Tip: Throughout this tutorial we supply recommended values for some of the fields in the console. This allows the names
and identities to be easier to recognize in the tabs and drop-down lists. These values are not mandatory, but you will find
them helpful, especially since you will have to remember certain values, especially the IDs and secrets of registered
users, you input at a previous step. If you forget these values, you will have to register additional users for your admins
and components. We provide a table of the recommended values after each task and recommend that if you do not use
sample values that you record the values you do use somewhere as you proceed through the tutorial.
In this tutorial, we will create one organization. Therefore, we will need to createone CA.
Important: Your CA issues the certificates and private keys for your organization's admins, client applications, and nodes.
These identities are not managed by IBM and the keys are not stored in the console. They are only stored in your browser
local storage. Therefore, make sure to export your identities and the MSP of your organization. If you attempt to access
the console from a different machine or a different browser, you will need to import these identities and organization
definitions.
1. Navigate to the Nodes tab on the left and click Add Certificate Authority. The side panels will allow you to customize the
CA that you want to create and the organization that this CA will issue keys for.
2. In this tutorial, we're creating nodes, so make sure the option to Create a Certificate Authority is selected. Then click
Next.
3. Use the side panel to give your CA a display name. Our recommended value for this CA is Org2 CA. Then give your CA
admin credentials by specifying a CA administrator enroll ID of admin and a secret of adminpw.
4. The Advanced deployment options are only available in paid clusters and can be safely ignored for purposes of this
tutorial. For more information about these options, see the links below.
Database and replica sets (Creating an HA CA) This option is only available on paid clusters.
Hardware Security Module (HSM)
Deployment zone selection (Multizone HA) This option is only visible when your cluster is configured with multiple
zones.
Resource allocation
5. Review the Summary page, then click Add Certificate Authority. The Edit configuration JSON button allows you to
override configuration settings for the CA. For this tutorial, the default settings are sufficient. See Customizing a CA
configuration to learn more about the options that are available.
After you deploy the CA, you will use it when you create your organization MSP, register users, and to create your entry point to a
network, the peer.
Advanced users may already have their own CA, and not want to create a new CA in the console. If your existing CA can issue
certificates in X.509 format, you can use certificates from your own third-party CA instead of creating new certificates here. The
CA should sign using ECDSA and the defaults should be set to use P256 curve. See this topic on Using certificates from an
external CA with your peer or ordering node for more information.
Important: Depending on your cluster type, deployment of the CA can take up to ten minutes. When the CA is first
deployed (or when the CA is otherwise unavailable), the box in the tile for the CA will be gray box. When the CA has
successfully deployed and is running, this box will be green, indicating that it is "Running" and can be operated from the
console. Before proceeding with the steps below, you must wait until the CA status is "Running". If the gray box stops
blinking, you can try reloading the page in your browser to refresh the status.
Once the CA is running, as indicated by the green box in the tile, complete the following steps:
1. Click the Org2 CA tile in the Nodes tab. Then click Associate identity on the CA overview panel.
2. On the side panel that opens, provide an Enroll ID of admin and an Enroll secret of adminpw. For the Identity display
name, you can use the default value of Org2 CA Admin.
3. Click Associate identity to add the identity into your console Wallet and associate the admin identity with your CA.
After setting the CA admin identity, you will be able to see the table of registered users in the CA overview panel.
You can view the CA admin identity in your console wallet by clicking on theWallet in the left navigation. Click the identity to
view the certificate and private key of the CA admin. The identity is not stored in your console or managed by IBM. It is only
stored in local browser storage. If you change browsers, you will need to import this identity into your Wallet to be able to
operate the CA. Click Export identity to download the certificate and private key.
An organization admin: This identity allows you to operate nodes using the platform console.
A peer identity: This is the identity of the peer itself. Whenever a peer performs an action (for example, endorsing a
transaction) it will sign using its certificate.
Once you have associated the CA admin, you can use the CA tile to create these identities by completing the following steps:
1. Click the Org2 CA tile and ensure the admin identity that you created for the CA is visible in the table. Then click the
Register user button.
2. First we'll register the organization admin, which we can do by giving anEnroll ID of org2admin and a secret of
org2adminpw. Then set the Type for this identity as admin. You can ignore the Maximum enrollments field. If you want to
learn more about enrollments, see Registering identities. Click Next.
3. This tutorial does not configure attributes on identities, see Registering identities if you want to learn more. Click Register
user.
4. After the organization admin has been registered, repeat this same process for the identity of the peer (also using the
Org2 CA). For the peer identity, give an enroll ID ofpeer2 and a secret of peer2pw. This is a node identity, so select peer
as the Type. You can ignore the Maximum enrollments field and, on the next panel, do not assign anyAttributes, as
before.
5. You can also register identities of type orderer with the TLS CA. Completing this optional step for your orderer's admin
identity allows viewing additional channel details for the orderer nodes that use this identity. Repeat steps 1-2 above,
changing the Certificate Authority drop-down selection from Root Certificate Authority to TLS Certificate
Authority.
Note: Registering these identities with the CA is only the first step in creating an identity. You will not be able to use these
identities until they have been enrolled. For the org2admin identity, this will happen during the creation of the MSP,
which we will see in the next step. In the case of the peer2 identity, it happens during the creation of the peer.
1. Navigate to the Organizations tab in the left navigation and click Create MSP definition.
2. On the first panel, enter Org2 MSP as the organization MSP display name and org2msp and as the MSP ID. If you plan to
specify an MSP other than org2msp, make sure to review the guidelines for MSP names in the tooltip. Click Next.
6. Click Export to export the admin certificates to your file system. As we said above, this identity is not stored in your
console or managed by IBM. It is only stored in local browser storage. If you change browsers, you will need to import this
identity into your Wallet to be able to administer the peer. Click Next.
Exporting your organization admin identity is important because you are responsible for managing and securing these
certificates. If you switch browsers, you will need to import this admin identity otherwise you will not be able to operate
Org2.
7. On the Review MSP information panel, make sure you have entered the correct information. When you are satisfied, click
Create MSP definition.
8. After the MSP has been created, click on the tile representing it. Thendownload the MSP to your local filesystem. You will
need to send this MSP to all of the organizations in the channels you join.
Root CA Org2 CA
After you have created the MSP, you should be able to see the peer organization admin in yourWallet, which can be accessed by
clicking on the Wallet in the left navigation.
Creating a peer
After you have created a CA, used it to register identities, and created the peer organization MSP, you're ready to create a peer.
From a resource allocation perspective, it is possible to join the same peers to multiple channels. The design of the peer ensures
that the data from one channel cannot pass to another through the peer. However, because the peer will store a separate ledger
for each channel, it is necessary to ensure that the peer has enough processing power and storage to handle the transaction and
data load.
Tip: In a production scenario, it is recommended to deploy three peers to each channel. This is to allow one peer to go
down (for example, during a maintenance cycle) and still maintain highly available peers. To deploy more than one peer
for an organization, use the same CA you used to register your first peer identity. In this tutorial, that would be Org2 CA .
Then, register a new peer identity using a distinct enroll ID and secret. For example, org2secondpeer and
org2secondpeerpw . Then, when creating the peer, give this enroll ID and secret. As this peer is still associated with
Org2, choose Org2 CA , Org2 MSP , and Org2 MSP Admin from the drop-down lists. You may choose to give this new
peer a different admin, which can be registered and enrolled with Org2 CA , but this optional. This tutorial series will only
show the process for creating a single peer for each peer organization.
1. Navigate to the Organizations tab. You can see the organizations available for export are listed under Available
organizations. Click the Export button inside the Org2 MSP organization tile to download the JSON configuration file that
represents the MSP of the peer organization.
2. Send this file to Org1 in an out of band operation.
Then Org1 must complete the following steps in its own console:
1. If the Org2 MSP was created by using a different console and sent out of band, it needs to be imported into the console
where the ordering service resides. If the Org2 MSP is created in the same console where the ordering service resides, you
can skip this step: Click the Organizations tab then Import MSP definition. Click Add file and browse to the Org2 MSP json
file that was sent out of band. Click Import MSP definition. The administrator identity for the MSP definition is not
required.
2. Navigate to the Channels tab, click channel1.
3. Click the Settings icon to update the channel and add the peer organization to the channel.
4. In the Channel updater MSP drop-down list (under the Organization updating channel heading), select Org1 MSP. In the
Identity drop-down list, ensure that Org1 MSP Admin is selected.
5. In the Organizations section, open the Select a channel member drop-down list and select the peer organization MSP,
Org2 MSP.
6. Click Add and then assign permissions for that organization. We recommend you make them an Operator so that Org2
can operate the channel (this will allow them to sign channel updates, for example).
7. Under Update policy, select 2 out of 2 , meaning both of the organizations need to approve updates to the channel.
At this point no further changes are required on the channel. In the left navigation, clickReview channel information. On the
Review channel information panel, you can see that there are now two organization members on the channel, org1msp and
org2msp . In addition the channel update policy has been changed to 2 out of 2 . When you are ready, click Update channel
to submit your changes.
Important: Org1 must also export its own MSP, Org1 MSP , and send it to Org2 in an out of band operation.All members
of a channel should have the MSPs of the other channel members.
Tip: This step can be performed either by Org1 or the ordering service admin.
If the ordering service and its MSP are not yet present on the file system of either Org1 or the ordering service, complete the
following steps to Export the ordering service before it can be imported by the peer organization:
1. Navigate to the ordering service inside the Nodes tab. Click the Export button beneath the ordering service name to
download a JSON configuration file.
2. Send this file to Org2 in an out of band operation. The peer organization administrator can then use the configuration file
to add the ordering service to the console.
Tip: The rest of the actions in this section and Step three need to be performed from the console where the Org2 MSP
was created.
Note: If the Org2 MSP was created in the same console as the ordering service, this step can be skipped.
Complete the following steps to import the ordering service into your console:
1. If you are not already there, navigate to the Channels tab in the left navigation. There will not be any channel tiles visible
yet.
2. Click the Join channel button to launch the side panels.
3. Select Ordering Service and click Next.
4. Enter channel1 and click Next.
5. Select which peers you want to join the channel. For purposes of this tutorial, clickPeer Org2. Leave the tab for Make
anchor peer selected. It is a best practice for each organization to have at least one anchor peer on each channel, as
anchor peers bootstrap the inter-organizational communication that is necessary for Private Data and Service Discovery
to work. While it is only necessary to have one anchor peer on each channel, it does not hurt to make all peer anchor
peers. The only downside will be a short term increase in the stress on your communication layer when new organizations
join their peers to the channel, as these peers are designed to contact every anchor peer in every organization to find out
about the peers belonging to that organization. Note that you can also make a peer an anchor peer later through the
Channels tab.
6. Click Join channel.
Important: In these tutorials, we create all of our peers using default options, which means that every peer uses
CouchDB. As a result, you don't have to worry about a conflict between the database type used by your peer and any other
peers on the channel. However, in a production scenario, a best practice will be to ensure that the peer you are joining to
this channel uses the same database type as other peers on the channel. For more information, see LevelDB vs CouchDB.
Note: In this tutorial, we will presume that users will not be attempting to edit any of the advanced options. For
information about editing advanced options both before and after a channel has been created, see Advanced channel
deployment and management.
Because only ordering service admins can add peer organizations to the consortium, you need to either:
Be the ordering service admin. In which case you can add the peer organization you created to the consortium directly.
Send MSP information to the ordering service admin, who will add your organization to their consortium.
In the next step, we will show how to add your peer organization to a consortium hosted by an ordering service in another IBM
Blockchain Platform service instance. The tutorial assumes that you have created the ordering service and can follow every step
yourself. If the ordering service was created in another console, ensure that the ordering service admin follows the steps marked
with the blue "tip" box at the top.
If you followed the Build a network tutorial or if your console already includes the ordering service, you can skip ahead to Add
the peer's organization to the ordering service. You can then continue with Step two: Add the peer's organization to an existing
channel.
Once the MSP representing Org2 has been received, an administrator of the ordering service must import the JSON file by
navigated to the Organizations tab, clicking the Import MSP definition button, and selecting the JSON file that represents the
Org2 MSP peer organization MSP definition.
After the MSP representing Org2 has been imported, use these steps to add the peer organization to the consortium hosted by
the ordering service. Only ordering service admins, those who are listed under Ordering service administrators in the Details tab
of the ordering service, can add peer organizations to the consortium. You must have the ordering service organization admin
identity in your Wallet to perform this task.
Once your organization is a member of the consortium, you have the ability create a new channel. First, you will need to import
the MSP definition of other channel members. Use the steps below to create a channel with two members: the Org1 that was
created in the Build a network tutorial and the Org2 that was created in the steps above.
When you have created your CAs, identities, MSPs, ordering service, a peer, have added your peer organization to the
consortium, and have imported the MSPs of any organizations who will be joined to this channel, navigate to the Channels tab in
the left navigation. This is where channel creation and management are handled.
When you first navigate to this tab, it will be empty except for the Create channel and Join channel buttons. This is because you
haven't created a channel and joined a peer to it yet.
When you are ready, click Create channel. You will be taken back to the Channels tab and you can see a pending tile of the
channel that you just created.
Field Name
The next step is to join a peer to this channel. Click the pending tile and select the organization peers to be added to the channel.
Next steps
After you have joined your peer to a channel, use the following steps to deploy a smart contract and begin submitting
transactions to the blockchain:
Deploy a smart contract on your network using Fabric v2.x using the console.
After you have installed and instantiated your smart contract, you can submit transactions using your client application.
The commercial paper sample can be used to deploy an example smart contract and submit transactions from sample
application code.
Deploy a peer
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network. Additionally, application developers might be interested in the sections that reference how to create a
smart contract.
Build a network tutorial guides you through the process of hosting a network by creating an orderer and peer.
Join a network tutorial guides you through the process of joining an existing network by creating a peer and joining it to a
channel.
Deploy a smart contract on the network (Current tutorial) Provides information on how to write a smart contract and
deploy it on your network.
You can use the steps in these tutorials to build a network with multiple organizations in one cluster for the purposes of
development and testing. Use the Build a network tutorial if you want to form a blockchain consortium by creating an orderer
node and adding organizations. Use the Join a network tutorial to connect a peer to the network. Following the tutorials with
different consortium members helps you create a truly distributed blockchain network.
Important: * Fabric v2.0 introduced a new distributed process to manage the lifecycle of a smart contract that allows for
decentralizing the governance of smart contracts on a channel. Whenever possible, it is recommended that customers
should move to using the new smart contract lifecycle to avoid any interruption of service in later upgrades when Fabric
no longer supports the v1.4 process for installing and instantiating smart contracts.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network. Additionally, application developers might be interested in the sections that reference how to create a
smart contract.
Build a network tutorial guides you through the process of hosting a network by creating an orderer and peer.
Join a network tutorial guides you through the process of joining an existing network by creating a peer and joining it to a
channel.
Deploy a smart contract on the network (Current tutorial) Provides information on how to write a smart contract and
deploy it on your network.
You can use the steps in these tutorials to build a network with multiple organizations in one cluster for the purposes of
development and testing. Use the Build a network tutorial if you want to form a blockchain consortium by creating an orderer
node and adding organizations. Use the Join a network tutorial to connect a peer to the network. Following the tutorials with
different consortium members helps you create a truly distributed blockchain network.
Important: While the terms "smart contract" and "chaincode" are often used interchangeably, "smart contracts" refers to
the business logic that governs transactions and access to its data, while "chaincode" refers to the larger infrastructure of
packages and other code that encompasses a smart contract.
If you prefer to continue to use the legacy smart contract deployment process, see Deploy a smart contract using Fabric v1.4.
Instead of a single organization administrator making decisions for all organizations about when a smart contract is updated,
what it contains, and where it runs, Fabric v2.0 introduced a new distributed process to manage the lifecycle of a smart contract
that allows for decentralizing the governance of smart contracts on a channel. The process for installing, proposing, and
updating a smart contract is known as the "lifecycle" of a smart contract. This lifecycle is necessarily ongoing, as it encompasses
changes to the smart contract itself as well as updates to a channel, as for example when a new member starts using the smart
contract, and is managed through a combination of processes inside and outside the console.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
The diagram illustrates the smart contract lifecycle process. Org1 begins the process by packaging the smart contract using the
blockchain VS Code extension or the Fabric peer CLI. After packaging, all smart contract lifecycle management is performed
from the Channels tab in the console. Org1 proposes the smart contract definition to the channel and installs it on one or more
Org1 peers. The smart contract definition includes the definition name, version, endorsement policy, and optionally, private data
collections. As a proposer of the definition, Org1 attaches the smart contract package, which contains the agreed to business
logic that updates the ledger. The package can be shared with the channel members out of band, who can review the source
code. However, it's important to understand that channel members approve the smart contract definition, not the package.
Because Org1 is proposing the smart contract definition, their approval is automatically submitted with the proposal. The other
three organizations can approve or abstain. When channel members approve a smart contract definition, they are not required to
install the package on their peers. They have three options:
In the diagram, Org2 and Org4 approve the smart contract definition. Org3 abstains, perhaps because the owner of the Org3
admin identity is on vacation. After the approvals that are specified in the channel lifecycle endorsement policy are satisfied, any
channel member that has approved the definition can commit it to the channel (only one channel member needs to perform the
action). In this case, Org4 submits the commit transaction. It's important to note that Org3 can still come back later and approve
the definition and install the package on the Org3 peers.
For more information about advanced channel options, which includes setting the lifecycle policy for the channel and the default
endorsement policy that will be set for a smart contract if none is specified, check out the Advanced options section of our topic
on channels.
If your peer is running a Fabric v1.4.x image, you cannot use this tutorial to manage your smart contract. Instead, see the
Deploy a smart contract using Fabric v1.4 tutorial for instructions on how to deploy the smart contract on the channel or
upgrade the peer to use a Fabric v2.x image.
The best practice to add this endorsement policy to the MSP is to delete the MSP from the system channel and then re-add the
MSP. The console detects the fact that the MSP does not contain the endorsement policy and automatically adds it. Note that
this action can only be completed by an ordering service administrator. You do not need to delete and re-add the MSPs in the
configuration of any application channels that have already been created. For these MSPs, the endorsement policy is added as
part of the process of deploying the smart contract.
Important: If you are creating a new channel, ensure that you select Advanced channel configuration so that you have
the opportunity to specify the Channel Application Capability 2.0.0 or higher.
Limitations
Node
If your smart contract was written in Node, then you might need to update it. By default, a Fabric v1.4 peer will create a Node v8
runtime, and a Fabric v2.x peer creates a Node v12 runtime. In order for a smart contract to work with Node v12 runtime, the
fabric-contract-api and fabric-shim node modules must be at v1.4.5 or greater. If you are using a smart contract that
was originally written to work with Fabric 1.4, update the Node modules by running the following command before deploying the
smart contract on a Fabric v2.x peer. See Support and compatibility for fabric-chaincode-node for more information.
Go
Because Fabric v2.x peers do not have a "shim" (the external dependencies that allowed smart contracts to run on earlier
versions of Fabric), you need to vendor the shim and then repackage any smart contracts written in Golang (Go) that use the Go
SDK. "Vendoring the shim" effectively means that you are copying the dependencies into your project. Without this vendoring
and repackaging, the Go smart contract cannot run on a peer using a Fabric 2.x image. If you are using the IBM Developer Tools
to develop and package your smart contract, the tooling performs the vendoring for you. This process is not required for smart
Java
The build.gradle file for the smart contract must be updated:
1. If the smart contract uses the shadowjar 2.x plugin, then it should be updated to version 5 by using the following code:
plugins {
id 'com.github.johnrengelman.shadow' version '5.1.0'
id 'java'
}
2. The repositories section of the file must contain the maven URL for jitpack , for example:
repositories {
...
maven {
url 'https://jitpack.io'
}
}
Init functions
If the smart contract was written using the low-level APIs provided by the Fabric Chaincode Shim API, your smart contract
needs to contain an Init function that is used to initialize the chaincode. This function is required by the smart contract
interface, but does not necessarily need to be invoked by your applications. Because you cannot use the console to deploy a
smart contract that contains an Init function, you need to move that initialization logic into the smart contract itself and call it
separately. For example, the smart contract can use a reserved key to check whether the smart contract has already been
initialized or not. If not, then call the initialization logic, otherwise proceed as usual. If your smart contract needs to include the
Init function, the only way to deploy it is by using the Fabric peer lifecycle chaincode install command or the IBM Blockchain
Platform collection for Ansible. You can also refer to the Fabric documentation for more details on how to use an Init function
with the Fabric chaincode lifecycle.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
After you have updated your smart contract, use v2 of the VS Code extension to repackage your smart contract.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
To learn how smart contracts can be used to conduct transactions among multiple parties, see the Developing
applications topic in the Hyperledger Fabric documentation.
When you are ready to start building smart contracts, use the IBM Developer Tooling, by downloading the VS Code
extension locally. New to the VS Code extension? Check out Developing smart contracts with IBM Blockchain Platform
Developer Tools to get started using the extension to create smart contracts that run on the network and clients
When they are tested and ready to be deployed on the network, smart contracts must be packaged into a .tgz or tar.gz
format in order to be uploaded to the console. Because the smart contract packaging uses the tar format, organizations can
easily inspect their contents by using widely available tooling. When it is important to review the smart contract package before
approving the definition, the package can be shared out of band with organization members. There is no way to share the
package from the console. You can use either the IBM Developer Tooling or the peer lifecycle chaincode package CLI to
package your smart contract.
Tip: Smart contracts in .cds format cannot be used with the Fabric 2.0 lifecycle. They need to be repackaged into .tgz
format. See the VS Code tutorial for instructions on how to repackage your smart contract.
In Fabric v1.4.x, the Go chaincode shim and protocol buffers (protos) were included with the Fabric distribution and were
included in the Go chaincode runtime in the IBM Blockchain Platform. Starting with v2.0, Fabric now provides the chaincode
shim and protos as separate repositories that need to be imported or "vendored" in Go smart contracts before they can be
installed on a peer that runs a Fabric v2.x image. To vendor the shim for your Go smart contract, navigate to your smart contract
source folder and initialize the Go module by issuing the following command which creates a go.mod file:
go mod init
go test
$ module mysmartcontract
go 1.14
require (
github.com/hyperledger/fabric-chaincode-go v0.0.0-20200511190512-bcfeb58dd83a
github.com/hyperledger/fabric-protos-go v0.0.0-20200506201313-25f6564b9ac4
)
$ module github.com/hyperledger/fabric-samples/chaincode/fabcar/go
go 1.13
go mod tidy
go mod vendor
See the Go documentation to learn more about what these commands do.
Package Construction
The following example shows the folder structure of a "marbles" smart contract that uses the fabric-chaincode-go shim before
the vendoring process:
$ ├── META-INF
│ └── statedb
│ └── couchdb
│ └── indexes
│ └── indexOwner.json
├── marbles_chaincode.go
└── util
└── util.go
$
├── META-INF
│ └── statedb
│ └── couchdb
│ └── indexes
│ └── indexOwner.json
├── go.mod
├── go.sum
├── marbles_chaincode.go
├── util
│ └── util.go
└── vendor
├── github.com
│ ├── golang
│ │ └── protobuf
│ └── hyperledger
│ ├── fabric-chaincode-go
│ └── fabric-protos-go
├── golang.org
├── google.golang.org
└── modules.txt
Note: The source directory must be the smart contract name which is "marbles" in this case. Therefore, the import for the
util package in the smart contract would be:
import "marbles/util"
After you have completed these steps, you need to repackage your smart contract using the process that is described in
Packaging smart contracts.
Tip: Fabric-contract-api and fabric-shim node modules must be at v1.4.5 or greater to work with Node version 12. If you
are using a smart contract that was originally written to work with Fabric 1.4, check the node modules before deploying
your smart contract on a peer that runs a Fabric v2.x image.
All lifecycle actions are managed from the Channels tab in the console.
1. Navigate to the Channels tab, open the channel, and click Propose smart contract definition. This single action actually
performs two tasks. It installs a smart contract on one or more of your peers and proposes the smart contract definition to
the channel.
2. Because the console allows you to act as multiple organizations from a single console, you must first select the
organization that is proposing this smart contract definition and the associated peer admin identity. A peer admin identity
is required to install a smart contract. Not sure? Open the peer CA and verify that the identity associated with the peer has
the type admin in the list of CA users.
3. On the next panel, browse to your smart contract package and clickAdd file. You can install a new package or browse to
an existing package that was installed on another peer in your organization. Smart contract packages can also be installed
on a peer node directly by using the Install smart contract button. If you used that option, instead of clicking Add file,
click the Existing package tab and select the package that you installed on your peer.
4. On the Smart contract details panel you can specify a unique name and version to use for this smart contract definition.
The console extracts these values from the package name itself but you can override them and specify any values that
your organization prefers. Be careful how you name your proposal. If a proposal with the same name already exists on the
channel, this proposal replaces it.
5. On the Install smart contract panel, you can install the smart contract on all your peers on the channel or just a subset. In
a production network, for redundancy reasons, you should install the smart contract on at least two peers, or three when
you want to maintain redundancy but still allow for one peer to go down for maintenance. Since you are proposing the
smart contract, it must be installed on at least one peer.
6. On the Smart contract endorsement policy panel, you can designate how many organizations need to endorse a smart
contract transaction before it can be committed to the ledger. The default smart contract endorsement policy is inherited
from the application endorsement policy of the channel, but can be overridden here by selecting specific organizations
and the required number, or by pasting in your own policy JSON. Remember, this smart contract endorsement policy
becomes part of the proposal that must be agreed to by the other channel members before the smart contract can be
committed to the channel. The endorsement policy must follow the format that is specified in the Fabric documentation
endorsement policy syntax.
7. If your smart contract includes Fabric private data collections, you need to upload the associated collection configuration
JSON file on the Additional private data collection panel. Otherwise, you can skip this step. For more information, see
private data.
8. Your smart contract proposal definition is listed on the Summary panel. Everything that you selected on the previous
panels become part of the proposal definition. It also includes the list of organization members that will receive the
proposal notification. Once a proposal is created, the definition cannot be modified. Proposal definitions cannot be
9. When you are satisfied with the proposal, click Propose to install the smart contract on the selected peers and send an
approval notification to the channel members. When the proposal is successful, it is visible in the Channels tab under
Smart contract definitions with a status of Proposed on the tile. It is also visible to members of the channel lifecycle
endorsement policy under the console Notifications (bell) icon.
Tip: If other organizations will run the package on their peers, you need to share the name of the package with them out
of band, so they can select it and install it on their peers when they approve the smart contract definition. The smart
contract package name is included on the proposal Summary panel.
Proposal originators can view the proposal using the same mechanisms. However, by virtue of submitting the proposal, their
approval is automatic.
Channel members approve the smart contract definition, not the smart contract package, which contains the business logic
that runs on a peer. A smart contract proposal contains the following information:
2. Before you can approve a smart proposal, you are required to select your organization and the associatedpeer admin
identity that you want to use to approve or endorse the proposal.
Approve the definition, but do not install the package on any of their peers. Useful when the smart contract can
run on the channel but is not required for your organization.
Approve the definition and install the package on one or more peers in their organization.The proposal originator
needs to share the package file out of band with the channel members so they can upload it and install it on their
peers. Smart contract packages cannot be shared from the console.
Approve the definition but upload their own package and install it on one or more peers in their organization.
When an organization prefers to run their own version of the smart contract package on the channel (provided the
read/write set logic is the same), they can upload their own smart contract package file during the approval.
Approve the definition but select an existing package from another peer in their organization.When an
organization prefers to run their own version of the smart contract package on the channel, provided that the
read/write set logic is the same, and that package is already installed on another peer in their organization, they can
select the existing smart contract package during the approval.
If a member wants to reject the smart contract proposal, they should simply abstain from approving the
definition. Instead, they can create a new smart contract proposal with the definition they prefer and either upload
a new smart contract package or use the existing one from the original proposal. Note: The new proposal must use
a new smart contract definition name.
After you approve a smart contract proposal and while it is waiting for approvals from other members, you can still update the
package for your organization, or install it on additional peers if needed. Simply, reopen the proposal tile on the Channels tab
and click Update package details next to your organization to upload a new package. If you do upload a new package, when you
create the updated package, we recommend incrementing the third digit of the version on the package name to help you
differentiate the packages. For example, if the existing package is named MySmartContract@1.0.0.tar.gz , the new package
is named MySmartContract@1.0.1.tar.gz .
Note: The Begin approval process or Update package details buttons are not visible on the panel when the console user
does not have an identity in their wallet for a listed organization.
When enough organizations have approved the smart contract definition according to the channel lifecycle endorsement policy,
the status of the definition on the tile changes to Ready to commit.
All organizations on the channel that received the approval notification can click the tile to see the organizations that have
approved the definition and begin the commit process or they can update the package that will run on their peers after the
definition is committed.
Tip: Unsure what version of the smart contract is currently running on your organization peers? From the Nodes tile, open
the peer and scroll down to the Installed smart contracts table to view the list of smart contracts installed on the peer.
Click Download from the action menu to inspect the smart contract version.
1. Click Begin commit process when you are ready to commit the definition to the channel. After enough approvals have
been satisfied according to the channel lifecycle endorsement policy, only one organization has to commit the definition to
the channel.
2. You are required to select your organization and the associated peer admin identity that you want to use to commit the
definition.
When the smart contract definition is successfully committed to the channel, the status on the tile changes toCommitted.
How do I?
Based on the preceding steps, the following table provides a summary of the lifecycle actions that are required depending on
your goal:
Task Instructions
Deploy and run You need to package the smart contract into .tgz or .tar.gz format and then propose it to the
a smart contract channel. As part of the proposal process you must install the package on at least one peer.
on a channel Organizations who are members of the lifecycle endorsement policy (specified when the channel is
created or updated), must approve the definition. After the channel members specified in the lifecycle
endorsement policy approve the definition, any of them can commit the definition, at which point the
smart contract can start to process transactions on the peers.
Install a smart If the smart contract has not yet been proposed to the channel, navigate to theChannels tab and click
contract on my Propose smart contract definition. See Install and propose a smart contract for more details.
peers
Otherwise, open the smart contract tile on the Channels tab. Next to your organization, click Begin
approval process or Update package details (if you have already approved the proposal) and either
upload a package or select an existing package to install, then select one or more peers to install it on.
Note: It is still possible to install a smart contract on a peer from the peer tile on the Nodes tab. But
this only installs the smart contract on the peer, it does not propose it to the channel.
Propose a new From the Channels tab, click Propose smart contract definition. As the proposal originator, you are
smart contract required to either, upload a new smart contract package and install it on at least one peer, or select an
definition existing package from one of your organization peers. Because you are proposing a new smart
contract, a smart contract proposal with the same definition name cannot already exist. If it does, it
will get replaced by this proposal.
Update a smart I submitted the proposal, but need to update the smart contract package. If the agreed to business
contract logic has not changed, from the Channels tab, open the smart contract tile and click Update package
package after I details next to your organization. Click Add file to upload a new version of the smart contract.
submitted the
proposal
Approve a smart Open the smart contract tile on the Channels tab. Next to your organization, click Begin approval
contract process. You are required to select which admin identity from your organization will submit the
definition approval.
If you are ready to approve the smart contract but are not ready to install it on your peers at this time,
when prompted to upload or select an existing package, simply click No to skip this step. A package is
not required when you approve a smart contract definition.
Or, if you want to install the package that the proposal originator included, click Add file to upload the
smart contract package shared with you by the proposal originator out of band.
Lastly, you can install your own version of the smart contract, by clicking Add file to upload your own
package or Existing package if the package is already installed on another peer in your organization.
If you upload or select a new package, you can choose which peers to install it on.
Install the smart Forgot to install the package on a peer? Or perhaps you've added new peers? Open the smart
contract on contract tile on the Channels tab. Next to your organization, click Update package details. If you want
additional or to install the same package on the newly added peers, click Existing package and browse to the
newly added package that you want to install. Otherwise, you can click Add file to upload a new package. Then,
peers after I select which peers to install the package on.
approved it
Reject a smart Fabric does not include an option to reject a smart contract proposal. Rather, you can abstain from
contract approving, which can prevent the proposal from ever satisfying the lifecycle endorsement policy. Or,
proposal or you can make a new proposal with a new smart contract definition name, and include the terms that
definition you prefer.
Commit a smart After the proposal has reached the required number of approvals, the status of the proposal on the
contract Channels tab changes to Ready to commit. Any channel member can click the tile and then click
definition Commit to commit the definition to the channel. At that point, the associated smart contract can
begin accepting transactions on the peers.
Tip: If no changes are made to the agreed to business logic, then updates to the smart contract
package do not require approval of channel members. See the next task,Update a smart contract
package after the definition is committed to the channel.
To update any of these elements, you have to create a new proposal in order for the update to be
approved. You can additionally update the smart contract package but it is not required, for example if
you only need to change the endorsement policy.
Important: If the proposal includes a smart contract package that updates the agreed to business
logic, all organizations that are part of the smart contract endorsement policy should install that
package, or their own version of it, on their peers. Otherwise, after it is committed, the peers that are
running the previous version are no longer able to endorse transactions. This could cause transactions
not being committed to the ledger because there are not enough endorsements to satisfy the
endorsement criteria.
Because this is an update to an existing smart contract definition, you need to use the same smart
contract definition name but it is recommended to increment the version by a second digit. For
example, change the version from 1.1 to 1.2. This second digit version update is a best practice,
which signals channel members that this proposal is an update to an existing smart contract definition
and requires approval.
Update a smart Assuming there are no changes to the agreed to business logic, a smart contract package can be
contract updated without approval from channel members. If there is a change to the logic, see the previous
package after task Update a smart contract definition that has been committed to the channel for the process.
the definition is
committed to the From the Channels tab, open the smart contract tile and click Update package details next to your
channel organization. If you want to install a package that exists on another peer in your organization, select it
from the Existing package tab. Or, click Add file to upload your own version of the smart contract
package. Then select the peers to install it on. Since the smart contract definition is committed, the
peer can immediately begin to process requests for the updated smart contract.
Install the smart It's possible that you approved a smart contract for the channel, but elected to not install it on any of
contract on your peers. Later, you decide you do want to run the package on your peers. From the Channels tab,
peers in my open the smart contract tile and click Update package details next to your organization. If you want to
organization install the existing package, select it from the Existing package tab. Or, upload your own version of
after it has been the smart contract package. Then select the peers to install it on. Since the smart contract definition
committed is committed, the peer can immediately begin to process requests for the smart contract.
Install the smart After the smart contract definition is committed, maybe you need to install the smart contract
contract on package on additional peers or newly created peers. From the Channels tab, open the smart contract
additional or tile and click Update package details next to your organization. If you want to install the existing
new peers after package, select it from the Existing package tab. Or, upload your own version of the smart contract
it is committed package. Then select the peers to install it on. Since the smart contract definition is committed, the
to the channel peer can immediately begin to process requests for the smart contract.
Change the Because the smart contract endorsement policy of a smart contract is agreed to by members of the
smart contract channel before the smart contract can be committed to the channel, the endorsement policy cannot
endorsement be updated without approval of other channel members, as defined in the channel lifecycle
policy of a smart endorsement policy. Therefore, if you need to update the endorsement policy of a smart contract
contract proposal or a committed smart contract, then you need to submit a new proposal with the updated
definition endorsement policy. You do not have to update the smart contract package in this case,but it is
required to increment the smart contract version.
Change the From the Channels tab, click Channel details and click the Settings icon and then click through to the
lifecycle Lifecycle endorsement policy step.
endorsement
policy for the
channel
A new From the Channels tab, click the tile of the committed smart contract and clickBegin approval
organization process. After providing the identity from your wallet, click Add file to upload the package or Existing
joins the package to select a package that is already installed on another peer in your organization, and
channel and optionally choose which peers to install it on.
wants their peers
to be able to
endorse
transactions for a
committed smart
contract.
More details on the lifecycle deployment scenarios are available in the Fabric documentation
When you follow the steps to propose a smart contract definition, you can use the side panel to specify a contract's
endorsement policy after selecting the smart contract package. You have the option to select the default endorsement policy
inherited from the channel configuration or to select specific organizations that have to endorse the transactions as well as how
many endorsements are required. For information about setting a default endorsement policy for a channel, check out the
Advanced options section of our topic on channels.
Click the Advanced tab if you want to specify a custom policy in JSON format. Use this method when you need to specify more
complicated endorsement policies, such as requiring that a certain member of the channel must validate a transaction, along
with a majority of other members. You can more information about the required format in the endorsement policy syntax.
Endorsement policies are not updated automatically when new organizations join the channel and install a smart contract. For
example, if the endorsement policy requires two of five organizations to endorse a transaction, the policy will not be updated to
require two out of six organizations when a new organization joins the channel. Instead, the new organization will not be listed on
the policy, and they will not be able to endorse transactions. You can add another organization to an endorsement policy by
submitting a new proposal to update the smart contract endorsement policy that can be approved by the organizations that are
listed in the channel lifecycle endorsement policy.
What does the user type have to do with the smart contract endorsement policy?
It's worth clicking the Advanced button to review the endorsement policy that will be used for the smart contract. Every
organization that you select from the Members drop-down list on this panel will be included in the endorsement policy
(represented by the role mspId parameter in the policy). The value of the role name parameter indicates the type of identity
that is required to endorse transactions and can be any of client , peer , orderer , admin , or member . If it is set to member ,
then any of the other four roles will satisfy the criteria.
Unsure which type was selected when a peer identity was registered? From the console, you can open the CA where the peer
identity was registered and view the list of registered users and their associated type.
In order to facilitate the smart contract versioning process, package naming should be of the format:
[SMART_CONTRACT_NAME]_[VERSION]
n.n when the version requires approval across organizations in the channel. For example,mysmartcontract_1.0.
n.n.n when the version does not require approval from other organizations on a channel. For example,
mysmartcontract_1.0.1. Note that this updated version of the smart contract package cannot introduce any
modifications the to read/write set that could cause transaction endorsement to fail. Use this option to incrementally
patch your smart contract as needed. This means organizations can roll out minor fixes, for example slight variations such
as error checking, to the smart contract independent of other organizations. The important thing is that always, the smart
contract must implement the same reads and the same writes to the ledger across all organizations.
Important: Although this recommended convention is not enforced by Fabric, it provides a standard nomenclature for
you to update the smart contract on your organization's peers without requiring approval from other channel members.
Organizations on the channel can share their smart contract packages with other channel members, out of band, or each
organization can package their own version of the smart contract. But every organization needs to install a package with the
same business logic, to allow transaction endorsement to succeed across all peers on the channel. Each organization needs to
ensure that the smart contract transactions are deterministic. That is, each transaction must always generate the same
transaction response for a given set of transaction inputs. That's because the smart contract is run by multiple organizations,
each of whom must generate the same transaction response. If not, the resulting generated transaction will be captured in the
ledger as invalid, the world state is not updated, and the transaction has no effect on the ledger.
Finally, it is important to recognize that in addition to a smart contract package version, each smart contract definition on the
channel has its own version as well. The following example demonstrates their relationship.
Each row in the table represents a successive step in the smart contract lifecycle when the default channel lifecycle
endorsement policy is used (a majority of organizations must approve the smart contract definition).
Org3 Approve definition and install own smart contract package v1.0.0 smartcontract_1.0.1
version with additional logging for example
Org2 Propose update to smart contract definition with new v1.1.0 smartcontract_1.1.0
package
Org1 Approve definition and install own smart contract package v1.1.0 smartcontract_1.1.1
version with enhanced error checking for example
Org3 Update package details and uses own version of smart v1.1.0 smartcontract_1.1.1
contract package
Important: Whenever channel members agree to an update in the business logic, and channel members are running
different custom versions of the smart contract, each member needs to implement the updated business logic in their
own version of the smart contract and repackage it. Blindly installing a smart contract package from another organization
risks overwriting any customizations that you might have added to your version of the smart contract.
After updating a smart contract definition to use a use smart contract package and committing it to the channel, if there are
still peers on the channel running the previous version, those peers are no longer able to endorse transactions for the
smart contract. Also, you risk not having enough endorsements for transactions to be committed to the ledger, depending
on how the smart contract endorsement policy is defined. However, it is possible to install the new version of the smart
contract package on these peers after the smart contract definition is committed to the channel and the peers will again
be able to endorse transactions, effectively catching up.
The peers in that organization continue to store data in the private data collection until its ledger reaches the block that
removes its membership from the collection. After that occurs, the peers will not receive private data in any future
3. What happens to the existing chaincode-execution pod after I update my smart contract?
Whenever a transaction is submitted to a smart contract installed on peer, a chaincode-execution pod is launched if one
does not already exist. When you deploy a new version of your smart contract, the chaincode-execution pod for the
previous version of the smart contract continues to run but is no longer required. To save cluster resources, you can
manually delete the chaincode-execution pods for the prior smart contract versions. From your cluster namespace, run
the following command to see the list of chaincode-execution pods that are currently running:
kubectl get pod -n <NAMESPACE> | grep chaincode-execution | cut -d" " -f1 | xargs -I {} kubectl
get po {} -n <NAMESPACE> --show-labels
Replace <NAMESPACE> with the name of your cluster namespace. Your smart contract name and version is visible in the
output under the LABELS column next to chaincode-id . To delete the pod, run the following command:
Replace <CHAINCODE-EXECUTION-POD> with the name of the chaincode-execution pod for the prior version of the smart
contract that is visible in the output of the previous command.
Private data
Private data is a feature of Hyperledger Fabric networks at version 1.2 or higher and is used to keep sensitive information private
from other organization members on a channel. Data privacy is achieved by using private data collections. For example, several
wholesalers and a set of farmers might be joined to a single channel. If a farmer and a wholesaler want to transact privately,
they can create a channel for this purpose. But they can also decide to create a private data collection on the smart contract that
governs their business interactions to maintain privacy over sensitive aspects of the sale, such as the price, without having to
create a secondary channel. To learn more about when to use private data within a blockchain, visit the Private Data concept
article in the Fabric documentation.
In order to use private data with IBM Blockchain Platform, the following three conditions must be satisfied:
1. Define the private data collection. A private data collection file can be added to your smart contract. Then, at run time,
your client application can use private data-specific chaincode APIs to input and retrieve data from the collection. For
more information about how to use private data collections with your smart contract, see the Fabric Secured asset
transfer in Fabric.
2. Install, propose, approve and commit. After you define the smart contract private data collection, you need to use the
smart contract lifecycle process to install the smart contract package along with its private data collection on your
organization peers.
3. Configure anchor peers. Because cross-organizational gossip must be enabled for private data to work, an anchor peer
must exist for each organization in the collection definition. Refer to this information for how to configure anchor peers on
your network.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network. Additionally, application developers might be interested in the sections that reference how to create a
smart contract.
Important: While the terms "smart contract" and "chaincode" are often used interchangeably, "smart contracts" refers to
the business logic that governs transactions and access to its data, while "chaincode" refers to the larger infrastructure of
packages and other code that encompasses a smart contract.
Smart contracts are installed on peers and then instantiated on channels. All members that want to submit transactions or
read data by using a smart contract need to install the contract on their peer. A smart contract is defined by its name and
version. Therefore, both the name and version of the installed contract need to be consistent across all peers on the channel
that plan to run the smart contract.
After a smart contract is installed on the peers, a single network member instantiates the contract on the channel. The network
member needs to have joined the channel in order to perform this action. Instantiation updates the ledger with the initial data
that is used by the smart contract, and then starts smart contract pods. The peers can then use the smart contract.
In this tutorial, we go through the steps to use the IBM Blockchain Platform console to manage the deployment of smart
contracts on your network:
You must either build a network or join a network by using your IBM Blockchain Platform console.
Because smart contracts are installed onto peers, ensure that you add peers to your console.
Smart contracts are instantiated on a channel. Therefore, you must create a channel or join a channel by using your
console.
The IBM Blockchain Platform supports smart contracts written in JavaScript, TypeScript, Java, and Go. When you are
allocating resources to your peer node, it is important to note that JavaScript and TypeScript smart contracts require more
resources than contracts written in Go.
To learn how smart contracts can be used to conduct transactions among multiple parties, see the Developing
applications topic in the Hyperledger Fabric documentation.
When you are ready to start building smart contracts, you can use the IBM Blockchain Visual Studio code extension to
start building your own smart contract project. You can also use that extension to connect directly to your network from
Visual Studio Code and explore the inline tutorials.
For a quick tutorial on developing smart contracts, see Develop a smart contract with the IBM Blockchain Platform VS
Code extension.
For a more in-depth end-to-end tutorial about using an application to interact with smart contracts, see Hyperledger
Fabric Commercial Paper tutorial.
To learn about how to incorporate access control mechanisms into your smart contract, see Chaincode for Developers.
Important: Because Fabric v2.x peers do not have a "shim" (the external dependencies that allowed smart contracts to
run on earlier versions of Fabric), you will have to vendor the shim and then repackage any smart contracts written in
Golang (Go) that you installed on peers deployed using the 1.4.x Fabric image. Without this vendoring and repackaging,
the smart contract will not run on a peer using a Fabric 2.x image. You will not need to do this on smart contracts that are
written in Java or Node.js, nor for smart contracts written and packaged using the 2.0 package. See Vendoring smart
contracts for details.
When you are ready to install and instantiate your smart contract to the IBM Blockchain platform, the smart contract must be
packaged into .cds format. For more information, see Packaging smart contracts. Alternatively, you can use peer CLI
commands to build the package. For v1.4.x commands, see 1.4.x peer CLI commands.
In Fabric v1.4.x, the Go chaincode shim and protocol buffers (protos) were included with the Fabric distribution and were
included in the Go chaincode runtime in the IBM Blockchain Platform. Starting with v2.0, Fabric now provides the chaincode
shim and protos as separate repositories that need to be imported or "vendored" in Go smart contracts before they can be
installed on a peer that runs a Fabric v2.x image. To vendor the shim for your Go smart contract, navigate to your smart contract
source folder and initialize the Go module by issuing the following command which creates a go.mod file:
go mod init
go test
$ module mysmartcontract
go 1.14
require (
github.com/hyperledger/fabric-chaincode-go v0.0.0-20200511190512-bcfeb58dd83a
github.com/hyperledger/fabric-protos-go v0.0.0-20200506201313-25f6564b9ac4
)
go 1.13
You can then get the necessary dependencies to install the Go smart contract on a 2.x peer by issuing the following command
that completes the vendoring of the smart contract:
go mod tidy
go mod vendor
See the Go documentation to learn more about what these commands do.
Package Construction
The following example shows the folder structure of a "marbles" smart contract that uses the fabric-chaincode-go shim before
the vendoring process:
$ ├── META-INF
│ └── statedb
│ └── couchdb
│ └── indexes
│ └── indexOwner.json
├── marbles_chaincode.go
└── util
└── util.go
$
├── META-INF
│ └── statedb
│ └── couchdb
│ └── indexes
│ └── indexOwner.json
├── go.mod
├── go.sum
├── marbles_chaincode.go
├── util
│ └── util.go
└── vendor
├── github.com
│ ├── golang
│ │ └── protobuf
│ └── hyperledger
│ ├── fabric-chaincode-go
│ └── fabric-protos-go
├── golang.org
├── google.golang.org
└── modules.txt
Note: The source directory must be the smart contract name which is "marbles" in this case. Therefore, the import for the
util package in the smart contract would be:
import "marbles/util"
After you have completed these steps, you need to repackage your smart contract using the process that is described in
Packaging smart contracts.
Tip: Fabric-contract-api and fabric-shim node modules must be at v1.4.5 or greater to work with Node version 12. If you
1. Click the Smart contracts tab to install one or more smart contracts.
2. Click Install smart contract to upload the smart contract package file in .cds format. The smart contract package file must
be less than 25 MB in size. You can use the IBM Blockchain Visual Studio Code extension to create a smart contract
package. When you install the package from the Smart contracts tab, you can select one or more peer nodes to install the
smart contracts on.
If only one peer exists in the console, the smart contract will be installed on it. You are not prompted to select a peer to install
the smart contract on. You can navigate to the nodes tab and click a peer that is managed by your console to view the list of
smart contracts installed on an individual peer.
Tip: You can return to the Smart contracts tab later to install the smart contract on additional peers, even after the smart
contract was instantiated on the channel. If the version of the smart contract that you install is the same as the
instantiated version, these additional peers can process transactions just like the existing peers.
1. On the smart contracts tab, find the smart contract from the list of smart contracts that are installed on your peers and
click Instantiate from the overflow menu on the right side of the row.
2. On the side panel that opens, select a channel to instantiate the smart contract on. You can select the channel, named
channel1, which you created. Then, click Next.
3. Specify the endorsement policy for the smart contract, described in the following section. When multiple organizations
are members of the channel, you have the opportunity choose how many organizations are required to endorse the smart
contract transactions.
4. You also need to select the organization members to be included in the endorsement policy. If you are following along in
the tutorial, that would be org1msp and possibly org2msp if you completed both the Build a network and Join a network
tutorials.
5. On the Select peer panel, select a peer from the drop-down list that is from an organization that is a member of the
channel.
6. If your smart contract includes Fabric private data collections, you need to upload the associated collection configuration
JSON file, otherwise you can skip this step. For more information, see private data.
7. On the last panel, you are prompted to specify the name of the smart contract initialization function, along with the
associated arguments to pass to that function.
You can view all of the smart contracts that are instantiated on a channel by clicking the channel icon in the left navigation,
selecting a channel from the table, and then clicking the Channel details tab.
Tip: Be aware that if you use a free Kubernetes cluster on IBM Cloud, instantiation can take significantly longer than in a
paid cluster.Depending on the number of peers you have deployed in your cluster, the type of smart contract you are
instantiating, and the platform you are running on, instantiation can take several minutes. If the instantiation fails with a
timeout error, wait 5 minutes and then retry it again.
Click the Organization MSP tile for the organization that your client application interacts with. ClickCreate connection profile to
open a side panel where you can build and download your connection profile.
If you plan to use the client application to register and enroll users with the organization CA, you need to include the Certificate
Authority in the connection profile definition.
Select the peers to include in the connection profile definition. When a peer is not available to process requests from a client
application, service discovery ensures that the request is automatically sent to a different peer. Therefore, to accommodate for
peer downtime during a maintenance cycle for example, it is recommended that you select more than one peer for redundancy.
In addition to peers created by using the console or APIs, imported peers that have been imported into the console are eligible
to be selected as well.
The list of channels that the selected peers have joined is also provided for your information. If a channel is missing from the list,
it is likely because the peer joined to it is currently unavailable.
You can then download the connection profile to your local file system and use it with your client application to generate
certificates and invoke smart contracts.
Note: The connection profile that is downloaded from the IBM Blockchain Platform console can only be used to connect
to your network by using the Node.js (JavaScript and TypeScript) and Java Fabric SDKs.
The generated connection profile only supports Fabric CAs. If you manually built your organization MSP with certificates from an
When you follow the steps to instantiate a smart contract, you can use the side panel to set a contract's endorsement policy
after selecting the channel. Use this panel to specify a simple policy by selecting the peers that need to endorse the transaction
from the list of peers that have installed the smart contract on the channel. You can use this method to specify an endorsement
policy of all channel members, a majority of them, a single member, or a simple +1 preventing members from self-signing. The
default endorsement policy is set to 1 of x , meaning that only a single member of the channel is required to endorse a smart
contract transaction.
Click the Advanced button if you want to specify a policy in JSON format. You can use this method to specify more complicated
endorsement policies, such as requiring that a certain member of the channel must validate a transaction, along with a majority
of other members. You can find additional examples of advanced endorsement policies in the Hyperledger Fabric
documentation. For more information about writing endorsement policies in JSON, see Hyperledger Fabric Node SDK
documentation.
Endorsement policies are not updated automatically when new organizations join the channel and install a smart contract. For
example, if the endorsement policy requires two of five organizations to endorse a transaction, the policy will not be updated to
require two out of six organizations when a new organization joins the channel. Instead, the new organization will not be listed on
the policy, and they will not be able to endorse transactions. You can add another organization to an endorsement policy by
upgrading the relevant smart contract and updating the policy.
What does the user type have to do with the smart contract endorsement policy?
It's worth clicking the Advanced button to review the endorsement policy that will be used for the smart contract. Every
organization that you select from the Members drop-down list on this panel will be included in the endorsement policy
(represented by the role mspId parameter in the policy). The value of the role name parameter indicates the type of identity
that is required to endorse transactions and can be any of client , peer , orderer , admin , or member . If it is set to member ,
then any of the other four roles will satisfy the criteria.
When a peer role is specified, you should ensure that any peers that will be submitting endorsement transactions were
registered with the correct type. In the following endorsement policy example, peers who are members of org1msp can endorse
transactions if their enroll id was registered with the type of client , peer , orderer , or admin . However, for peers who are
members of org2msp , their enroll id must have been registered with a type of peer to be able to endorse transactions.
{
"identities": [
{
"role": {
"name": "member",
"mspId": "org1msp"
}
},
{
"role": {
"name": "peer",
"mspId": "org2msp"
Unsure which type was selected when a peer identity was registered? From the console, you can open the CA where the peer
identity was registered and view the list of registered users and their associated type.
1. You can upgrade the smart contract to add or remove functionality from its code and iterate on the logic of your business
network.
2. Whenever a new member is added to a channel, the endorsement policy of the instantiated smart contractsmust be
updated to include the new channel member. In order to work with the new channel member, the smart contract must be
repackaged with a new version number and instantiated on the channel, even if the smart contract itself is unchanged.
Otherwise, transaction endorsement cannot succeed.
3. When a private data collection has changed, for example an organization is added or removed you need to upgrade your
smart contract. Or, use this action whenever a new private data collection is added to the collection configuration JSON
file.
4. The smart contract initialization arguments have changed.
Note: Before you upgrade an instantiated smart contract, the new version of the smart contract must be installed on all
peers in the channel that are running the previous level of the smart contract.
Important: Be aware that after you have upgraded your peers to the v2.x image and switched your application channel
capability to 2.0, you can no longer upgrade your smart contract using the instructions in this topic. Instead, you need to
repackage your smart contract and deploy the smart contract on the network using Fabric v2.x.
When a new member that will run the smart contract joins the channel, it is mandatory to update the smart contract by installing
a new version on all the peers and instantiating it on the channel with a modified endorsement policy that includes the new
member.
Click the overflow menu on the right side of the smart contract row and clickUpgrade to perform the following steps:
After you upgrade the smart contract, you will change the version of the contract that is instantiated on the channel. If you are
using private data collections, be sure you have configured anchor peers on the channel.
When a smart contract is invoked on a peer, it attempts to run the version that is instantiated on the channel. If a previous
version is running on the peer, it results in an error. Therefore, before you upgrade a smart contract on a channel, it is a
best practice to install the latest version of the smart contract on all peers that are running the previous version.
2. Can a subsequent smart contract version still process data on the ledger from a prior version of the smart contract?
Yes. As long as the new smart contract code addresses the data in a compatible way (by adding new JSON fields and not
changing the semantics or type of the existing fields), any subsequent version of the smart contract can run against the
data from a prior version.
3. What happens to my peers if I forget to upgrade them to the latest version before updating the smart contract on the
channel?
After updating the channel to use the new version of the smart contract, if there are still peers on the channel running the
previous version, those peers are no longer able to endorse transactions for the smart contract. Also, you risk not having
enough endorsements for transactions to be committed to the ledger, depending on how the smart contract endorsement
policy is defined. However, it is possible to install the new version of the smart contract on these peers later and they will
again be able to endorse transactions, effectively catching up.
The peers in that organization continue to store data in the private data collection until its ledger reaches the block that
removes its membership from the collection. After that occurs, the peers will not receive private data in any future
transactions, and clients of that organization will no longer be able to query the private data using a smart contract from
any peer.
Private data
Private data is a feature of Hyperledger Fabric networks at version 1.2 or higher and is used to keep sensitive information private
from other organization members on a channel. Data privacy is achieved by using private data collections. For example, several
wholesalers and a set of farmers might be joined to a single channel. If a farmer and a wholesaler want to transact privately,
they can create a channel for this purpose. But they can also decide to create a private data collection on the smart contract that
governs their business interactions to maintain privacy over sensitive aspects of the sale, such as the price, without having to
create a secondary channel. To learn more about when to use private data within a blockchain, visit the Private Data concept
article in the Fabric documentation.
1. Define the private data collection. A private data collection file can be added to your smart contract. Then, at run time,
your client application can use private data-specific chaincode APIs to input and retrieve data from the collection. For
more information about how to use private data collections with your smart contract, see the Fabric SDK tutorial on Using
private data in the Fabric SDK documentation.
2. Deploy the smart contract. After you define the smart contract private data collection, you need to install the smart
contract on the peers that are members of the channel. When you instantiate the smart contract on the channel by using
the console, you need to upload the collection configuration JSON file. For more information on how to create a collection
definition JSON file see the Fabric SDK documentation topic.
Instead of using the console to install and instantiate your smart contract with a collection config file, you can also use the
Fabric SDK. Those instructions are also available under How to use private data in the Node SDK documentation.
Note: A client needs to be an admin of your peer in order to install or instantiate a smart contract by using the SDK.
Therefore, you need to download the certificates of the peer admin identity from your console wallet and pass the peer
admin's signing certificate and private key to directly to the SDK instead of creating an application identity. For an example
of how to pass a key pair to the SDK, see Connecting to your network by using low-level Fabric SDK APIs.
3. Configure anchor peers. Because cross organizational gossip must be enabled for private data to work, an anchor peer
must exist for each organization in the collection definition. Refer to this information for how to configure anchor peers on
your network.
Target audience: This topic is designed for application developers who are interested in developing client apps for an IBM
Blockchain Platform network, in Node.js, Go, or Java.
Important: Although legacy applications will continue to run on v2.5.3, upgrading development methods to use the v2.4
Fabric Gateway API as soon as possible is recommended.
Attention: The peer endpoint URL in the downloaded connection profile starts with grpcs:// , which is not recognized as part
of the endpoint URL. The endpoint URL is therefore the url field in the peer connection profile, with the grpcs:// prefix
removed. Peer node details in the organization connection profile will look similar to the following example:
$ "url": "grpcs://n257768-org1peer1.us-east.containers.appdomain.cloud:7051",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----
\nMIICCzCCAbKgAwIBAgIUYH1G2I60YOEZuiAQPsvSmWXABxUwCgYIKoZIzj0EAwIw\nZDELMAkGA1UEBhMCVVMxFzAVBgNVBAg
< MATERIAL REMOVED FOR BREVITY AND SECURITY>
DAQH/MB0GA1UdDgQWBBRDV6AdNnpIEGO9\n7mbUM5bk4U0/yTAKBggqhkjOPQQDAgNHADBEAiAxjAM3zkf4v0TXUlJZZgS4TFE5\nY7eO7e16X1rETFr
Click the Organization MSP tile for the organization that your client application interacts with. Click Create connection profile to
open a side panel where you can build and download your connection profile.
Attention: The remainder of this page describes the Fabric v2.2 and earlier methods for developing applications, which remain
supported in IBM Blockchain Platform v2.5.3 and Fabric v2.4. (IBM Blockchain Platform does not support Hyperledger Fabric
v2.3). The Fabric v2.2 and earlier development methods are described as the high-level programming model and SDKs and its
predecessor, the low-level programming model.
Important: This section describes the legacy model of developing applications, which was designed for Hyperledger
Fabric v2.2 and earlier. Refer to the previous section on using the v2.4 Fabric Gateway peer service for details on
developing new applications for Fabric v2.4.
Developing an application might require coordination between two distinct users of your network, the network operator and the
application developer:
The network operator is the administrator who uses the IBM Blockchain Platform console to deploy the nodes of your
organization and installs the smart contracts on your network.
The application developer builds the client application that is consumed by users. The developer uses the Hyperledger
Fabric SDKs to invoke transactions written in the smart contracts.
If you are the network operator, you will need to complete the following steps before the application developer can interact
with your network:
If you are the application developer, use the information that is provided by the network operator to complete following steps:
1. Generate a certificate and private key by using the enroll ID and secret of the application identity, along with CA endpoint
information inside your connection profile.
2. Configure a connection by using the Fabric SDK gateway and enable service discovery.
3. Use the connection profile, channel name, smart contract name, and application keys to invoke the smart contract.
Note: The connection profile that you downloaded from the IBM Blockchain Platform console can be used to connect to
your network by using the Node.js (JavaScript and TypeScript), Java, and Go Fabric SDKs.
The application developer can use two programming models to interact with the network, either the High-Level Programming
Model APIs or the Low-Level Fabric SDK APIs.
IBM recommends the High-level Fabric Gateway SDKs which allow client applications to interact with IBM Blockchain Platform
networks. These SDKs, available for Node, Java, and Go, allow a client application to invoke smart contracts for the purpose of
submitting transactions and evaluating queries. It is recommended that administrative tasks, such as creating channels,
deploying smart contracts, are done by using the console, APIs, or Ansible scripts.
Important: The SDKs use the concept of a "Gateway" object to represent the connection of a single identity (user) to a
blockchain network. For performance reasons, applications need to keep a gateway object instance in scope for as long as
it is required, and can use it to submit multiple transactions across different smart contracts and network channels. If an
application needs to handle multiple user identities, then a separate gateway object instance should be maintained for
each identity.
Java
Node
Go
For best practices and examples of how to use the SDKs see the Fabric Asset Transfer Sample
For information about migrating your applications created using the v1.4 SDK to the 2.x SDK, check out Migrating client
applications from v1.4 to v2.0.
Note: Client applications can leverage the capabilities of the Go SDK in the high-level programming model in the gateway
package
If you want to take advantage of the High-Level Fabric contract-APIs, you can also use this tutorial to complete the following
actions on an IBM Blockchain Platform network:
Network considerations
The CA for your organization. (You should never need to access the CA for another organization).
All organizations peers (where all organizations are the organizations that are required for endorsing transactions).
All ordering service nodes for all channels that you are transacting on.
You must ensure that the hostnames of these components are resolvable by DNS lookup (or /etc/hosts if you cannot correctly
configure DNS). You must also ensure that all of the network ports for these components are accessible to the systems that are
running your applications that are using the Hyperledger Fabric SDKs. The hostname and port for each node are visible in the
console. Open the CA, peer, or ordering node tile and then click the Info and usage tab. The API URL field contains the
hostname and port for the node.
Application compatibility
For your planning purposes, the following SDK and smart contract compatibility matrices have been tested and validated.
SDKs
Click the Java SDK or Node SDK tab for details.
Smart contracts
Click the Java Smart contract or Node Smart contract tab for details.
Note: Java and Node runtime versions are determined by IBM Blockchain Platform peer Fabric image and cannot be
changed. These runtimes are different from the default Hyperledger Fabric runtimes.
The network operator needs to use the organization's CA to register an application identity, which can then be used by the
application developer to generate a certificate and private key. The operator can provide the enroll ID and secret of the identity,
along the CA endpoint information, to be used by the SDK to generate certificates. By enrolling on the client side, the application
developer ensures that no other party has access to the private key of the application. During registration, the network operator
can set an enrollment limit of one for additional security. After the application developer enrolls, the enroll ID and secret cannot
be used to generate another private key.
If you are less worried about security, the network operator can enroll an application identity by using the CA tab. The operator
can then download the identity or export it to the console wallet. In order to use the certificates from the SDK, you need to
convert the keys from base64 into PEM format. You can decode the certs by running the following command on your local
system:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
echo <base64_string> | base64 --decode $FLAG > <key>.pem
The Hyperledger Fabric Transaction Flow spans multiple components, with the client applications collecting endorsements
from peers and sending endorsed transactions to the ordering service. The connection profile provides your application with the
endpoints of the peers and ordering nodes that it needs to submit a transaction. It also contains information about your
organization, such as your Certificate Authorities and your MSP ID. The Fabric SDKs can read the connection profile directly,
without you having to write code that manages the transaction and endorsement flow.
Click the Organization MSP tile for the organization that your client application interacts with. ClickCreate connection profile to
open a side panel where you can build and download your connection profile.
Select the peers to include in the connection profile definition. When a peer is not available to process requests from a client
application, service discovery ensures that the request is automatically sent to a different peer. Therefore, to accommodate for
peer downtime during a maintenance cycle for example, it is recommended that you select more than one peer for redundancy.
In addition to peers created by using the console or APIs, imported peers that have been imported into the console are eligible
to be selected as well.
The list of channels that the selected peers have joined is also provided for your information. If a channel is missing from the list,
it is likely because the peer joined to it is currently unavailable.
You can then download the connection profile to your local file system and use it with your client application to generate
certificates and invoke smart contracts.
Note: The connection profile that is downloaded from the IBM Blockchain Platform console can only be used to connect
to your network by using the Node.js (JavaScript and TypeScript) and Java Fabric SDKs.
The generated connection profile only supports Fabric CAs. If you manually built your organization MSP with certificates from an
external CA, the connection profile will not include any information in the "certificateAuthorities": section.
Service discovery
Service discovery allows your applications to dynamically find the peer and ordering endpoints of your network. If you do not use
service discovery, you need to manually add the endpoint information of peer and ordering nodes on your channel to your
connection profile or your application. You would need to edit your connection profile or update your application each time a
node is added or removed from your network.
Before you can take advantage of the Service Discovery feature of Hyperledger Fabric, you must configure anchor peers on the
channel. Service discovery allows your application to learn which peers on the channel outside your organization need to
endorse a transaction. Without service discovery, you will need to get the endpoint information of these peers out of band from
other organizations and add them to your connection profile. For more information, see Configuring anchor peers.
Later in this topic, we use the connection profile to build a Fabric gateway that is configured for service discovery.
2. Save the following code block as enrollUser.js in the same directory as your connection profile:
'use strict';
// Enroll the admin user, and import the new identity into the wallet.
const enrollment = await ca.enroll({ enrollmentID: '<app_enroll_id>', enrollmentSecret:
'<app_enroll_secret>' });
const identity = X509WalletMixin.createIdentity('<msp_id>', enrollment.certificate,
enrollment.key.toBytes());
await wallet.import('user1', identity);
console.log('Successfully enrolled client "user1" and imported it into the wallet');
} catch (error) {
console.error(`Failed to enroll "user1": ${error}`);
process.exit(1);
}
}
main();
Replace <CA_Name> with the name of your organizations CA. You can find your CA name in the "organizations"
section of your connection profile under "Certificate Authorities". Do not use the "caName" in the "Certificate
Authorities" section.
Replace <app_enroll_id> with the application enroll ID provided by your network operator.
Replace <app_enroll_secret> with the application enroll secret provided by your network operator.
Replace <msp_id> with the MSP ID of your organization. You can find your MSP ID under the "organizations" section
of your connection profile.
4. Navigate to enrollUser.js using a terminal and run node enrollUser.js . If the command runs successfully, you
should see the following output:
Note: The wallets that are used by the Fabric SDKs are different from the wallet in the IBM Blockchain Platform console.
The identities that are stored in your console wallet cannot be directly used by the SDK.
1. Save the following text on your local machine as invoke.js in the same directory as enrollUser.js .
'use strict';
// Parse the connection profile. This would be the path to the file downloaded
// from the IBM Blockchain Platform operational console.
const ccpPath = path.resolve(__dirname, 'connection.json');
const ccp = JSON.parse(fs.readFileSync(ccpPath, 'utf8'));
// Configure a wallet. This wallet must already be primed with an identity that
// the application can use to interact with the peer node.
const walletPath = path.resolve(__dirname, 'wallet');
const wallet = new FileSystemWallet(walletPath);
// Create a new gateway, and connect to the gateway peer node(s). The identity
// specified must already exist in the specified wallet.
const gateway = new Gateway();
await gateway.connect(ccp, { wallet, identity: 'user1' , discovery: {enabled: true,
asLocalhost:false }});
// Get the network channel that the smart contract is deployed to.
const network = await gateway.getNetwork('<channel_name>');
// Submit the 'createCar' transaction to the smart contract, and wait for it
// to be committed to the ledger.
await contract.submitTransaction('createCar', 'CAR12', 'Honda', 'Accord', 'Black', 'Tom');
console.log('Transaction has been submitted');
await gateway.disconnect();
} catch (error) {
console.error(`Failed to submit transaction: ${error}`);
process.exit(1);
}
}
main();
Replace <channel_name> with the name of the channel the smart contract was deployed on. You can find your CA
name under the "Certificate Authorities" section of your connection profile.
3. Navigate to invoke.js using a terminal and run node invoke.js . If the command runs successfully, you should see
the following output:
If you navigate to your channel by using the console, you are able to see that another block was added by the transaction.
Note: Your transaction might fail if you did not configure an anchor peer on your channel. Unless you manually updated
your connection profile, your application needs to use the Service Discovery feature to learn about the peers it needs to
submit the transaction to. For more information, see Configuring anchor peers.
You can also deploy the commercial paper tutorial sample code onto an IBM Blockchain Platform network. This allows you to
quickly get started interacting with your network and use the sample to download the necessary dependencies. The sample
code also includes examples of how you can import certificates into a wallet and use your connection profile to build a Fabric
gateway. The tutorial can be used by two different organizations to complete different transactions with a single asset. If you
used the Build a network tutorial to deploy two peer organizations that are connected to a channel, you can interact with the
tutorial by using both organizations.
Use the following steps to deploy the sample on your network. You can review the tutorial in the Fabric Documentation
commercial paper tutorial for more details about the smart contracts and the application structure.
Prerequisites
Before you can deploy the commercial paper sample, you need to install required tools on your local machine:
Git
Node.js
You will also need a use text editor to edit and save files in the sample. You can use many of the high-quality editors that are
available for free, such as Visual Studio Code, Atom, Sublime text, or Brackets.
After you download the Fabric Samples, run the following commands to ensure that you are using the version of the samples
compatible with Fabric v1.4.12 and v2.2.5.
cd fabric-samples
git checkout v1.4.9
cd $HOME/fabric-samples/commercial-paper
The tutorial contains two sample organizations, magnetocorp and digibank. Each organization has its own sample application
code, which is stored in two separate folders under the organization directory.
ls organization
digibank magnetocorp
In the course of the tutorial, you will first use the magnetocorp application code to issue a commercial paper. You can then use
the digibank application code to buy and redeem the paper. Both directories contain the same smart contract.
cd organization/magnetocorp/application
When you are inside the directory, you can download the application dependencies by running the following command:
npm install
Smart contracts running on peers using the Fabric v1.4.x image must be packaged in .cds format. These smart contracts are
installed and then instantiated on a channel. For information on using smart contracts with Fabric v1.4.x peers, check out
Deploy a smart contract using Fabric v1.4.x.
Smart contracts running on peers using a Fabric v2.x image must be packed using the .tar.gz format. These smart contracts
must be installed and proposed by you, then approved by other channel members before being committed on the channel. For
information on using smart contracts with Fabric v2.x peers, check out Deploying a smart contract using Fabric 2.x.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
You can use the IBM Blockchain VS code extension to package the smart contract. After you install the extension, use Visual
Studio Code to open the contracts folder in your workspace. Open the IBM Blockchain Platform tab. In the IBM Blockchain
Platform pane, go to the smart contract packages section and clickPackage Open Project. The VS code extension uses the files
in the contracts folder to create a new package named papernet-js@.0.0.1.cds . Right-click this package to export it to
your local file system. You can then use your console to install your smart contract and either instantiate or propose it.
The original sample uses the addToWallet.js file to create a file system wallet using certificates from the fabric samples
Choose the CA of the organization you want to use to operate the tutorial as magnetocorp. For example, you can use Org1 if you
have completed the Build a network tutorial. Use the CA to create an application identity. Save the enroll ID and secret.
Use your console to download your connection profile. Save the connection profile to your local file system and rename it
connection.json . Then, issue the following command from the magnetocorp/application directory to move the
connection profile to a directory where it will be referenced by future commands.
mv $HOME/<path_to_creds>/connection.json ../gateway/connection.json
'use strict';
// Enroll the admin user, and import the new identity into the wallet.
const enrollment = await ca.enroll({ enrollmentID: '<app_enroll_id>', enrollmentSecret:
'<app_enroll_secret>' });
const identity = X509WalletMixin.createIdentity('<msp_id>', enrollment.certificate,
enrollment.key.toBytes());
await wallet.import('user1', identity);
console.log('Successfully enrolled client "user1" and imported it into the wallet');
} catch (error) {
console.error(`Failed to enroll "user1": ${error}`);
process.exit(1);
}
}
main();
Take a moment to study how this file works before we edit it. First, enrollUser.js imports the FileSystemWallet and
X509WalletMixin classes from the fabric-network library.
After you create the wallet, the code snippet uses the enroll ID and secret to enroll by using your organization CA. It then creates
an identity for the signing certificate and private key and imports them into the wallet. Notice how the file passes your
organization MSP ID into the wallet as well.
// Enroll the admin user, and import the new identity into the wallet.
const enrollment = await ca.enroll({ enrollmentID: '<app_enroll_id>', enrollmentSecret:
'<app_enroll_secret>' });
const identity = X509WalletMixin.createIdentity('<msp_id>', enrollment.certificate,
enrollment.key.toBytes());
wallet.import('user1', identity);
console.log('Successfully enrolled client "user1" and imported it into the wallet');
Replace <CA_Name> with the name of your organization's CA. You can find your CA name in the "organizations" section of
your connection profile under "Certificate Authorities". Do not use the "caName" in the "Certificate Authorities" section.
Replace <app_enroll_id> with the application enroll ID provided by your network operator.
Replace <app_enroll_secret> with the application enroll secret provided by your network operator.
Replace <msp_id> with the MSP ID of your organization. You can find this MSP ID under the "organizations" section of your
connection profile.
Save enrollUser.js and close it. In the magnetocorp directory, run the following command:
node enrollUser.js
When the command completes successfully, you should see the following output:
You can find the wallet that was created in the identity folder of the magnetocorp directory.
You have already downloaded your connection profile and used it to connect to your organization's Certificate Authority. Now we
use the connection profile to build a gateway.
Open the file issue.js in a text editor. Before you edit the file, notice that it imports the FileSystemWallet and Gateway
classes from fabric-network library.
You will need to import the path class to build the gateway from the connection profile you downloaded from your console.Add
the following line to the file to import the path class:
The FileSystemWallet class is used to load the wallet you created in the previous step. Edit the following line if you changed
the location of the wallet on your file system.
After you import your wallet, use the following code to pass your connection profile and wallet to the new gateway. You need to
make the following Edits to the code so it resembles the code snippet below. The lines that print logs have been removed for
brevity.
Update the userName to match the value that you selected for your identityLabel in enrollUser.js.
Update the discovery options to take advantage of service discovery on your network. Setdiscovery: { enabled:
true, asLocalhost: false, strategy: DefaultQueryHandlerStrategies.MSPID_SCOPE_ROUND_ROBIN }.
Update the section importing your connection profile. The console connection profile is in JSON format rather than a YAML
file used by the sample.
This code snippet uses the gateway to open gRPC connections to the peer and orderer nodes, and interact with your network.
To configure a client application to use service discovery, set the following options on the gateway.connect() call by defining
connectionOptions that include:
Edit the following line, and replace mychannel with your channel name.
Following a line of code that prints a message to your console, you can find a line that provides the gateway the smart contract
name. Edit the following line to change the name papercontract to the name of the contract you installed.
The gateway now has all the information that it needs to submit a transaction. The following line invokes theissue function in
the commercial paper contract, with the arguments defining the new commercial paper asset.
After it submits the transaction using the gateway, the issue.js file disconnects the gateway connection.
gateway.disconnect();
This command closes the gRPC connections opened by your gateway. Closing connections save network resources and improve
performance.
After completing the edits from this step and Step four, save issue.js and close it. Submit the transaction that creates the
new commercial paper by using the following command:
node issue.js
If the transaction is successful, you can see the following output in your terminal:
$ Transaction complete.
Disconnect from Fabric gateway.
Issue program complete.
Go to the digibank/application directory. You can follow the directions that are provided inStep three to create to generate
the certificates and wallet that will sign the transaction as Digibank. You can then use the buy.js file to purchase the
commercial paper from Magnetocorp, and then use redeem.js to redeem the paper. You can follow Step four and Step five to
edit those files so that they point to the correct connection profile, channel and smart contract.
The Fabric Node SDK documentation provides a tutorial on how to connect to your network using a connection profile. The
tutorial uses the CA endpoint information in your connection profile to generate keys using the SDK. You can also use your
console to generate a signing certificate and private key and convert the keys into PEM format. You can then set a user context
by passing your keys directly to the SDKs' Fabric Client class using the following code:
fabric_client.createUser({
username: 'admin',
mspid: 'org1',
cryptoContent: {
privateKeyPEM: fs.readFileSync(path.join(__dirname,'./privateKey.pem')),
signedCertPEM: fs.readFileSync(path.join(__dirname,'./certificate.pem'))
}});
If you are using low-level SDK APIs to connect to your network, there are additional steps that you can take to manage the
performance and availability of your application.
For more information about CouchDB and how to set up indexes, see CouchDB as the State Database in the Hyperledger Fabric
documentation. You can also find an example that uses an index with chaincode in the Fabric CouchDB tutorial.
Avoid using chaincode for queries that will result in a scan of the entire CouchDB database. Full length database scans result in
long response times and will degrade the performance of your network. You can take some of the following steps to avoid and
manage large queries:
You can find examples that demonstrate how queries use indexes and what type of queries will have the best performance in the
Fabric CouchDB tutorial.
Peers on the IBM Blockchain Platform have a set queryLimit, and will only return 10,000 entries from the state database. If your
query reaches the queryLimit, you can use multiple queries to get the remaining results. If you need more results from a range
query, start subsequent queries with the last key that is returned by the previous query. If you need more results from JSON
queries, sort your query by using one of the variables in your data, then use the last value from the previous query in a 'greater
than' filter for the next query.
Do not query the entire database for the purpose of aggregation or reporting. If you want to build a dashboard or collect large
You can use block or chaincode events from your application to write transaction data to an off-chain database or analytics
engine. For each block received, the block listener application would iterate through the block transactions and build a data
store by using the key/value writes from each valid transaction's rwset . The Peer channel-based event services provide
replayable events to ensure the integrity of downstream data stores. For an example of how you can use an event listener to
write data to an external database, see the Off chain data sample in the Fabric Samples.
Clock synchronization
Synchronizing your application with a Network Time Protocol (NTP) server is important because it ensures that all time-based
activities occur synchronously everywhere on the network. NTP is widely used to synchronize a computer to Internet time
servers or other sources. The IBM Blockchain Platform runs in IBM Cloud and uses an internal NTP server
servertime.service.softlayer.com .
The NTP server that you need to synchronize your application with depends on where your application is running:
If your application is running in IBM Cloud Classic infrastructure, set your NTP server to
servertime.service.softlayer.com.
If your application is running in IBM Cloud VPC infrastructure, set your NTP server totime.adn.networklayer.com.
If your application is not running in IBM Cloud, set your NTP server totime-a.nist.gov or time-b.nist.gov.
Additional Resources
IBM Developer
For tutorials, code patterns, and videos that help developers get started and learn best practices for developing blockchain
applications.
Why would I want to use an intermediate CA with my IBM Blockchain Platform network?
Intermediate CAs are optional. Because an intermediate CA has its root certificate issued by a root CA or another intermediate
authority, a “chain of trust” is established for any certificate that is issued by all CAs in the chain. Having one or more
intermediate CAs provides added security and allows you to protect your root of trust. This ability to track back to the root CA
not only allows the function of CAs to scale while still providing security, it also limits the exposure of the root CA, which, if
compromised, would endanger the entire chain of trust. If an intermediate CA is compromised, on the other hand, there will be a
much smaller exposure. A key benefit is that after the intermediate CAs are up and running, the root CA can be effectively turned
off, limiting its vulnerability even more.
Another reason to include an intermediate CA would be when you have a very large organization with multiple departments and
you don’t want a single CA to generate certificates for all of the departments. Intermediate CAs provide a mechanism for scoping
the certificates that a CA manages to a smaller department or sub-group. This pattern though incurs significant increase if there
will only be a small number of members in the organization.
As an alternative to deploying multiple intermediate CAs, you can limit the scope of a CA by overriding the CA configuration to
specify available affiliations (similar to departments) instead. When a CA is configured with affiliations, the affiliation of the
registrar must be equal to or a prefix of the affiliation of the identity being registered. See the Fabric CA topic on registering
identities for more details.
The following diagram illustrates how the root CA issues the certificates for the intermediate CA and the intermediate CA then
issues the certificates for the nodes and users in the organization.
Limitations
Currently, IBM Blockchain Platform only supports a single level of intermediate CAs. In other words, an intermediate CA cannot
be a parent server to another intermediate CA.
Process overview
The configuration process begins with the root CA. If one does not already exist, you need to create the root CA and then register
two identities that are needed by the intermediate CA. When you create an intermediate CA you need to provide a JSON that
overrides the default CA settings with the intermediate CA configuration. After your intermediate CA is active, you can use it for
all subsequent identity register and enrollment requests for the organization, and then effectively turn off the root CA. At a high
level, the following steps need to be performed:
Edit the example JSON override file by providing the root CA TLS signing cert and the intermediate CA identity enroll id and
secrets to the JSON override file.
After completing these steps, when you create organization MSPs for your peers or orderers, you can point to the intermediate
CA instead of the root CA.
Note: This process can be performed using the console or the APIs, if you are an experienced API user. The overall
process is the same regardless of which approach you choose. For clarity, this tutorial uses the console.
2. Register the intermediate CA admin identity with the root CA. In order for an intermediate CA to be able to register and
enroll identities, the intermediate CA admin identity must be registered with the root CA.
3. Register the intermediate TLS CA admin identity with the root CA. Because TLS communications are enabled on the
network, whenever you deploy a CA, a TLS CA is automatically deployed along side the CA, and uses the same endpoint
address. Therefore, you also need to register an identity that will serve as the intermediate TLS CA admin. Repeat the
actions that you performed in the previous step to register the admin identity, but this time specify a different enroll ID and
secret. For purposes of the tutorial, we use itlscaadmin and itlscaadminpw .
4. Export the root CA to a JSON file. Now that you have the intermediate CA admins registered with the root CA, there is one
last piece of information we need: the root CA TLS signed certificate. This certificate is shared with each node in the
organization and is used to secure the communications between the nodes. Therefore, in order for the intermediate CA to
communicate with the root CA, it has to be included in the intermediate CA configuration. To get the root CA TLS signed
certificate, simply export the root CA to a JSON file. Open the root CA and click the Export icon.
Open the downloaded JSON file and locate the value corresponding to the tls_cert element. You will need to
copy and paste the certificate in a later step. It will resemble:
$
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWU
JDVEFLQmdncWhrak9QUVFEQWpDQnB6RUwKTUFrR0ExVUVCaE1DVlZNeEZ6QVZCZ05WQkFnVERrNXZjblJvSUVOaGNtO
XNhVzVoTVE4d0RRWURWUVFIRXdaRQpkWEpvWVcweEREQUtCZ05WQkFvVEEwbENUVEVUTUJFR0ExVUJVaHAKVkM1VE5O
VzNqRzJkVVZwUUlkSmEvMWtDSVFEMGE0QWRzazJ0RlhDRFp1RFB0VG5lTkNZWnBDSzMxL2MrUTFLTQozLzVGdEE9PQo
tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCga1",
Also make note of the value of the api_url in the JSON file. You will use the value of this URL to build the parent
server URL for the intermediate CA. It will resemble:
$ "api_url": "https://nb535a5-rootca.org1Cluster.us-south.containers.appdomain.cloud:7054",
To build the parent server URL, edit the URL and insert the intermediate CA admin enroll ID and secret using the
following format:
$ https://<INTERMEDIATE-CA-ADMIN>:<INTERMEDIATE-CA-ADMIN-PW>@<DOMAIN>:<PORT>
For example:
$ https://icaadmin:icaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054
{
"ca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "<INTERMEDIATE-CA-ADMIN>",
"pass": "<INTERMEDIATE-CA-ADMIN-PW>",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
Notice there are settings for both the intermediate CA and the intermediate TLS CA. Replace the following parameters:
<INTERMEDIATE-CA-ADMIN> - with the enroll ID that you specified in Part One, step 2 when you registered the
intermediate CA admin identity.
<INTERMEDIATE-CA-ADMIN-PW> - with the enroll secret that you specified in Part One, step 2 when you registered the
intermediate CA admin identity.
<PARENT-CA-SERVER-URL> - with the value of the parent server that you built in Part One, step 4.
<TLS-CERT-FILE> - (two occurrences) with the value of the tls_cert, the certificate string that you downloaded from the
root CA in Part One, step 4.
<INTERMEDIATE-TLS-CA-ADMIN> - with the enroll ID that you specified in Part One, step 3 when you registered the
intermediate TLS CA admin identity.
<INTERMEDIATE-TLS-CA-ADMIN-PW> - with the enroll secret that you specified in Part One, step 3 when you registered
the intermediate TLS CA admin identity.
<PARENT-TLS-CA-SERVER-URL> - with the value of the parent server URL that you built in Part One, step 4; however you
need to replace the enroll ID and secret with the values that you specified when you registered the admin for the
$ {
"ca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "icaadmin",
"pass": "icaadminpw",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
"hf.Revoker": true,
"hf.IntermediateCA": true,
"hf.GenCRL": true,
"hf.Registrar.Attributes": "*",
"hf.AffiliationMgr": true
}
}]
},
"intermediate": {
"parentserver": {
"url": "https://icaadmin:icaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054",
"caname": "ca"
},
"tls": {
"enabled": true,
"certfiles":
["LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWUJDVEFLQmdncWhrak9QUVFEQW
}
}
},
"tlsca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "itlscaadmin",
"pass": "itlscaadminpw",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
"hf.Revoker": true,
"hf.IntermediateCA": true,
"hf.GenCRL": true,
"hf.Registrar.Attributes": "*",
"hf.AffiliationMgr": true
}
}]
},
"intermediate": {
"parentserver": {
"url": "https://itlscaadmin:itlscaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054",
"caname": "tlsca"
},
"tls": {
"enabled": true,
"certfiles":
["LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWUJDVEFLQmdncWhrak9QUVFEQW
1. From the Nodes tab, click Add Certificate Authority followed by Create a Certificate Authority.
2. Give your intermediate CA a meaningful name and then provide the intermediate CA admin enroll ID and secret that you
registered with the root CA. For example icaadmin and icaadminpw. You can leave the Advanced deployment options
deselected, none are required for an intermediate CA.
3. On the Summary panel, click Edit configuration JSON (Advanced).
4. Delete the existing content from the Configuration JSON box and paste the JSON that you built in Part Two, then click
Add Certificate Authority.
Tip: It will take a few minutes for the CA to deploy. You'll know it is ready when a green status indicator box is visible on
the tile. Depending on your cluster activity, you might need to refresh your browser for the status to turn green.
Next steps
If you want to learn more about creating MSPs, see Managing organizations.
By default, certificates generated by IBM Blockchain Platform CAs expire after one year and peer and ordering node TLS
certificates expire after 15 years. Exactly thirty days before peer and ordering node certificates are due to expire, the platform
automatically attempts to contact the CA and renew the certificates. If the CA is not online, the automatic renewal fails and
enrollment to generate a new certificate needs to be performed manually. If automatic renewal of these certificates is important
for your business, careful consideration should be given to scaling down a root CA or intermediate CA. See the topic on
Certificate expiration and renewal to learn more about the process.
While it is always possible to use a CA that you create with the console to generate identities, you can also use certificates that
were generated by a CA external to your network, one that is not hosted by IBM, and then build the required organization
Membership Service Provider (MSP) definition that is used by your blockchain components.
Objectives
Gather certificates.
Build MSP definition.
Import MSP into the console.
Create and import the organization admin identity to the wallet.
Deploy a blockchain node.
When you create a peer or ordering node, you need to provide the following four certificates in PEM format. When you request
these certificates from the third-party CA, you need to request a specific Node Organizational Unit (OU) attribute for some
certificates as indicated in the Node OU column.
2. Peer or The private key corresponding to the public signing certificate. Make sure to keep PEM
ordering this certificate safe, as it can be used to impersonate the node.
node
identity
private
key
3. Peer or The public signing certificate created by your external TLS CA that is used by the PEM
ordering peer or ordering node. The certificate needs to contain the x.509 Subject
service alternative name (SAN) for the peer or ordering nodes. If you are using the Fabric
TLS CA CA client to enroll the identity, you specify the SAN by passing the--csr.hosts
certificate parameter on the enroll command. If the hostname is not yet known, you can
specify a wildcard with the domain name, for example: --csr.hosts '*.ibpv2-
cluster.us-south.containers.appdomain.cloud,127.0.0.1'.
4.Peer or The private key corresponding to the signed certificate from your TLS CA that is PEM
ordering used by the peer or ordering node for secure communications with other members
service on the network.
TLS CA
private
key
1. CA root The root certificate of your external CA. You can also provide an base64
certificate intermediate CA root certificate or both.
2. TLS CA root The root certificate of your external TLS CA. You must provide either a TLS base64
certificate CA root certificate or an intermediate TLS CA certificate, you can also
provide both.
3. Intermediate The root certificate of your intermediate CA. You must provide either a CA base64
CA root root certificate or an intermediate CA root certificate, you can also provide
certificate: both.
(Optional)
4. Intermediate The TLS certificate if your TLS certificate is issued by an intermediate TLS base64
CA TLS certificate: CA. Upload the intermediate TLS CA certificate. You must provide either a
(Optional) TLS CA root certificate or an intermediate TLS CA certificate, you may also
provide both.
5. Peer or ordering The signing certificate from your external CA that the admin identity of this "admin" base64
organization peer or ordering service uses.
admin identity
certificate
6. Peer or ordering The private key corresponding to the signed certificate from your external base64
organization CA that the admin identity of this peer or ordering service uses.
admin identity
private key
Replace:
identity.1.pem with the name of the PKCS #1 private key .PEM file.
identity.8.pem with the name that you want to give your PKCS #8 private key.PEM file.
The MSP definition requires that all certificates are encoded in base64 format. If needed, you can convert the contents of a
certificate file, <cert.pem> from PEM format into a base64 string by running the following command on your local machine:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat <cert.pem> | base64 $FLAG
To build the MSP definition, create a JSON by copying the following text and saving it to a file of type JSON:
{
"name": "<organization_name>",
"display_name": "<organization_name>",
"msp_id": "<organization_id>",
"type": "msp",
"admins": [
"<admins>"
],
"root_certs": [
"<root_certs>"
],
"tls_root_certs": [
"<tls_root_certs>"
],
"fabric_node_ous": {
"enable": true,
"admin_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "admin"
},
"client_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "client"
},
"orderer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "orderer"
},
"peer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "peer"
}
},
"host_url": "<url>",
}
organization_name: Specify any name to be used to identify this MSP definition in the console.
organization_id: Specify an ID that is used to represent this MSP internally in the console.
root_certs: Paste in an array that contains one or more root certificates from the external CA inbase64 format. You must
The following additional fields are also available in your MSP definition but are not required:
intermediate_certs: (if an intermediate CA was used) Paste in an array that contains one or more certificates from the
external intermediate CA in base64 format. You must provide either a CA root certificate or an intermediate CA certificate,
you can also provide both.
tls_intermediate_certs: (if an intermediate TLS CA was used) Paste in an array that contains one or more certificates from
the intermediate TLS CA in base64 format. You must provide either an external TLS CA root certificate or an external
intermediate TLS CA certificate, you can also provide both.
organizational_unit_identifiers: A list of Organizational Units (OU) that valid members of this MSP should include in their
X.509 certificate. This is an optional configuration parameter that is used when multiple organizations leverage the same
root of trust and intermediate CAs, and they have reserved an OU field for their members. An organization is often divided
up into multiple organizational units (OUs), each of which has a certain set of responsibilities. For example, the ORG1
organization might have both ORG1-MANUFACTURING and ORG1-DISTRIBUTION OUs to reflect these separate lines of
business. When a CA issues X.509 certificates, the OU field in the certificate specifies the line of business to which the
identity belongs. See this topic in the Fabric documentation on Identity Classification for more information.
revocation_list: A list of certificates that are no longer valid. For X.509-based identities, these identifiers are pairs of
strings that are known as Subject Key Identifier (SKI) and Authority Key Identifier (AKI), and are checked whenever the
X.509 certificate is being used to make sure that the certificate has not been revoked. See this topic in the Fabric
documentation for more information about Certificate Revocation Lists.
{
"name": "org1msp",
"display_name": "org1msp",
"msp_id": "org1msp",
"type": "msp",
"admins": [
"LS0tLS1CRUd...LS0tLQo="
],
"root_certs": [
"LS0tLS1CRUd...LS0tLS0K"
],
"intermediate_certs": [],
"tls_root_certs": [
"LS0tLS1CRUd...LS0y=g"
],
"tls_intermediate_certs": [],
"fabric_node_ous": {
"admin_ou_identifier": {
"certificate": "LS0tLS1CRUd...LS0tLS0K",
"organizational_unit_identifier": "admin"
},
Step 4: Create and import the organization admin identity to the wallet
To be able to act as an administrator for an organization, import the identity that is listed in the MSP JSON "admins" section
into your console wallet, including both the public and private key. When you subsequently deploy a peer or ordering node, you
can designate this identity to be the node admin.
1. To import the identity, open the Wallet tab and click Add identity.
2. Give the identity a name.
3. Click Add certificate and browse to the .pem files for the organization admin identity certificate and private key.
Deploy peer
1. From the Nodes tab, click Add peer > Create peer.
2. Provide a name for your peer.
3. Under Advanced deployment options, check Use your own CA certificate and private key and click Next.
4. In the Certificate field, click Add certificate and browse to the peer enrollment certificate .pem file. This is certificate 1 in
the Node certificates table.
5. In the Private key field, click Add certificate and browse to the peer enrollment private key .pem file. This is certificate 2
in the Node certificates table.
6. In the MSP drop-down list, select the MSP that you imported into the console.
7. Select a Fabric version for your peer and click Next.
8. Provide the TLS certificate and key for the node. In theCertificate field, click Add certificate and browse to the peer TLS
certificate .pem file. This is certificate 3 in the Node certificates table.
9. In the Private key field, click Add certificate and browse to the peer TLS private key.pem file. This is certificate 4 in the
Node certificates table. Click Next.
10. From the Peer administrator identity drop-down list, select the organization admin identity that you imported into the
Note: Instead of creating an ordering service, if you prefer to contribute a single ordering node to an existing Raft ordering
service, open the ordering service and click the Ordering nodes tab. Click Add ordering node, give it a name then and
following the preceding steps.
It takes several minutes for peer and ordering node deployment to complete. When it is successful, you can see a green box on
the node tile in the console. You might need to refresh your browser for the box to turn from gray to green.
Next steps
Your blockchain nodes are ready to be used on the network. In order for the peer to participate on the network, the peer
organization needs to be part of a consortium on an ordering service so that the peer can join a channel.
You can now install smart contracts on your peer and join it to an existing channel.
While this tutorial focuses specifically on using IBM Cloud HSM, you can learn more about the overall configuration process for
using any HSM that supports PCKS #11 with the IBM Blockchain Platform, see Configuring a node to use a Hardware Security
Module.
Why would I want to use an HSM with my IBM Blockchain Platform network?
When a Certificate Authority (CA), peer, or ordering node is configured to use an HSM, their private key is generated by and
protected inside a tamper resistant HSM device. IBM Cloud HSM is a FIPS 140-2 Level 3 validated, single-tenant device that
implements Gemalto (Luna) HSM. When a CA is configured to use HSM, the CA root private key is stored in the HSM. This is the
key that is used to sign enrollment requests. After a peer or ordering node is configured to use HSM, the nodes are able to sign
and endorse transactions without ever exposing their private key.
Important: Because only the private keys of node identities are secured in the HSM, when you enroll other admin or
client application identities with a CA, their private keys are not stored inside the HSM because they will need their private
key to transact on the network.
Process overview
Part One: Set up the HSM device and HSM client
This process involves deploying an HSM and configuring a partition as well as deploying an HSM client that you will use to
configure the device. Throughout these instructions you will run some commands from the HSM server and others from
the HSM client. For clarity, we prefix these steps with either or .
Part Two: Configure communications between the HSM server and client
Communications between the HSM and client require a Network Trust Link (NTL) -- an encrypted, secure communications
channel between the HSM and client. NTL uses digital certificates that the client and HSM server can use to verify each
other's identity. You will run a command to get the HSM server certificate that allows the client to communicate with the
HSM server. Likewise, you will generate a certificate and private key for the client and then copy them to the HSM server.
After the secure communications are configured, you can register the client with the HSM server and then assign the HSM
partition to the client.
If you are using a Kubernetes cluster on IBM Cloud and IBM Cloud HSM, both services need to be deployed from the same IBM
Cloud account and on the same VLAN. If they are not on the same VLAN, then VLAN spanning must be enabled.
When the entire HSM configuration is complete, it resembles the following diagram:
The steps in this topic focus specifically on the creation of the Cloud HSM and the HSM Client in the diagram. When you deploy a
CA, peer, or ordering node to use the HSM, you need to provide the label and PIN of the HSM partition. This configuration
assumes you enabled HSM on your Kubernetes cluster when you deployed the service.
Important: Be sure to record the Label and PIN for the partition. You will need to provide these values later when
you configure a blockchain node to use this HSM partition. Also, save the IP address associated with the HSM
device. We will refer to this value throughout these instructions as <HSM_ADDRESS> .
2. Install the HSM client on your local machine. Make sure the client version that you are running matches the HSM server
version. Record the IP address or fully qualified host name where the HSM client is running. We will refer to this value
throughout these instructions as <CLIENT_ADDRESS> .
Tip: The client runs on AIX, Linux, Oracle Solaris, or Microsoft Windows, but is not supported on MacOS.
Part Two: Configure communications between the HSM server and client
In this section you will get the HSM server certificate and create the HSM client certificate-key pair in order for them to be
exchanged.
1. Run the following command using the HSM client to get the server certificate. This certificate enables the client to
communicate with the server.
Replace
2. Now, add the HSM server to the client configuration by running the following command:
Replace
3. Create the certificate and private key for the client by running the command:
Replace
<CLIENT_ADDRESS> with the IP address or fully qualified host name of the client.
The name of the generated certificates includes the <CLIENT_ADDRESS> . The output of this command looks similar
to:
4. Copy the client certificate and private key to the HSM server by running the command:
Replace
<CLIENT_ADDRESS> with the IP address or fully qualified host name of the client.
<HSM_ADDRESS> with the IP address of the HSM.
1. SSH into the HSM as the admin the HSM server and register the client by runningone of the following commands.
Replace
{CLIENT_NAME} with the name of the client. This value can be anything meaningful to you.
<CLIENT_ADDRESS> with either the IP address or fully qualified host name of the client.
2. Because network address translation (NAT) exists between the client and the HSM, we need to disable client source IP
address validation by the Network Trust Link Server (NTLS) upon Network Trust Link Agent (NTLA) client connection.
Disable ip check on the HSM server and then restart the NTLS service on the HSM server by running the following
commands:
3. Assign a partition to the newly created client on the HSM server by running the following command:
Replace
{PARTITION_NAME} with the name of the HSM partition you created in Part one, step 1.
You can verify the command worked by running the following command:
$ ClientID: hsmclient
IPAddress: 10.220.203.73
HTL Required: no
OTT Expiry: n/a
Partitions: "partition1"
4. Verify the client can connect to HSM server by running the command:
vtl verify
5. Create a configs folder on the client and then copy the server.pem certificate from Part two, step 1 and the
<CLIENT_ADDRESS>Key.pem and <CLIENT_ADDRESS>.pem files from Part two, step 3 into the folder:
Each HSM has its own configuration file that is typically named Chrystoki.conf . This is the main configuration file for the HSM
integration and controls many aspects of the HSM client operation. After you install the HSM client, you need to modify the
etc/Chrystoki.conf file to point to the hsm folder that contains the HSM shared object library and cryptographic material.
Chrystoki2 settings
LibUnix: Name of the Chrystoki2 library on x86 Linux/UNIX operating systems. The actual name of the library depends on
the type of HSM you are using.
LibUNIX64: Name of the Chrystoki2 library on 64-bit Linux/UNIX operating systems. The actual name of the library
depends on the type of HSM you are using.
LunaSA Client settings Typically no changes would be required here unless you have explicitly modified the names of these
files.
The following example shows what the file would look like if you were using IBM Cloud HSM. It provides the path to the HSM
shared object, certificate and keys. Note that the naming of these files depends on the HSM library that is being used.
Chrystoki2 = {
LibUNIX = /hsm/libCryptoki2.so;
LibUNIX64 = /hsm/libCryptoki2_64.so;
}
...
LunaSA Client = {
...
ClientPrivKeyFile = /hsm/key.pem;
ClientCertFile = /hsm/cert.pem;
ServerCAFile = /hsm/cafile.pem;
...
}
The HSM client image can be built with a Docker file similar to the following:
The following Docker file is for IBM Cloud HSM. If you are not using IBM Cloud HSM, you need to build your own Docker
file.
You should be aware that this Docker file automatically accepts the Gemalto client license.
Note that the 64 folder inside the Docker file is required for installing the HSM client.
FROM registry.access.redhat.com/ubi8/ubi-minimal
After the image is built, the next step is to push the image to your Docker registry (for example, Docker Hub). The commands
look similar to:
If the HSM client image that you published is not public, then the operator requires an image pull secret that contains a
valid username and password (or access token) for the container registry. If the image is public, the imagepullsecret is not
required and you can skip this command. To build the image pull secret named hsm-docker-secret , run the following
command in the namespace or project where you deployed the service:
Replace:
DOCKER_REGISTRY_SERVER - Registry server url where the HSM client image is hosted.
DOCKER_USER - Valid username with access to HSM client image in the container registry.
DOCKER_PASSWORD - Valid password or access token for the HSM client image in the container registry.
DOCKER_EMAIL - Email address for container registry user.
NAMESPACE - Name of the project or namespace that is visible on the consoleSupport page.
These instructions are obviously for the Docker registry. If you are using the IBM Container Registry, then you need to set up your
own image pull secret in your cluster:
$ - [Using an image pull secret to access images in other IBM Cloud accounts or external private
registries from non-default Kubernetes namespaces](/docs/containers?topic=containers-registry#other)
- [Copying an existing image pull secret](/docs/containers?topic=containers-
registry#copy_imagePullSecret)
- [Referring to the image pull secret in your pod deployment](/docs/containers?topic=containers-
images#pod_imagePullSecret)
The Kubernetes secret needs to be created in the IBM Blockchain Platform service instance namespace that is visible on the
console Support page. If you are using the IBM Cloud HSM, the command would be:
Replace <NAMESPACE> with the name of your service instance namespace or OpenShift project If you are not using IBM Cloud
HSM, you need to replace the values of the --from-file parameters with the set of certificates and configuration files that are
required for your HSM client image.
$ secret/hsmcrypto created
$ apiVersion: v1
data:
Chrystoki.conf: ""
cafile.pem: ""
cert.pem: ""
key.pem: ""
kind: Secret
metadata:
name: hsmcrypto
namespace: <NAMESPACE>
Configure the operator to work with an HSM that does not use a daemon
version: v1
type: hsm
resources:
limits: {}
requests: {}
securityContext:
privileged: false
runAsNonRoot: false
runAsUser: 0
library:
image: <HSM_IMAGE_URL>
auth:
imagePullSecret: <IMAGE_PULL_SECRET>
filepath: <HSM_LIBRARY_FILE_PATH>
envs:
- name: <ENVIRONMENT_VARIABLE_NAME>
value: <ENVIRONMENT_VARIABLE_VALUE>
mountpaths:
- mountpath: <MOUNTPATH>
name: <MOUNTPATH_NAME>
HSM_IMAGE_URL: URL of the HSM client image that you published to your container registry.
IMAGE_PULL_SECRET: (Optional) Name of the image pull secret hsm-docker-secret that you created in the same
namespace as your service. Only required if the HSM client image is not publicly available. Important: If an image pull
secret is not required, set this value to "".
ENVIRONMENT_VARIABLE_NAME - If there are any environment variables that need to be set for the HSM client, specify
them individually.
ENVIRONMENT_VARIABLE_VALUE - Value that corresponds to the ENVIRONMENT_VARIABLE_NAME.
HSM_LIBRARY_FILE_PATH: Path to the HSM library file, for example, /usr/lib/libCryptoki2_64.so.
MOUNTPATH: Location where the file or folder should be mounted.
MOUNTPATH_NAME: Name you want to use for the mountpath.
KEY: Name of the key inside the hsmcrypto Kubernetes secret.
PATH: Mount location of the file path where the key should be mounted.
HSM_CRYPTO_SECRET: Name of the Kubernetes secret that contains the keys and configuration files for the HSM that is
used by the mountpath.
Each HSM likely has a different set of keys that are required by the HSM client. Optionally replicate the "key " and " path "
sections according to the number required by your HSM client. Similarly, if multiple sets of folders need to be mounted, you can
replicate the " mountpath " section.
For example, if you are using IBM Cloud HSM, the file looks similar to:
version: v1
type: hsm
library:
image: us.icr.io/hsm/gemalto-client:v1.2.3-amd64
auth:
imagePullSecret: hsm-docker-secret
filepath: /usr/lib/libCryptoki2_64.so
mountpaths:
- mountpath: /hsm
name: hsmcrypto
paths:
- key: cafile.pem
path: cafile.pem
- key: cert.pem
path: cert.pem
- key: key.pem
path: key.pem
- key: server.pem
path: server.pem
secret: hsmcrypto
- mountpath: /etc/Chrystoki.conf
name: hsmconfig
secret: hsmcrypto
subpath: Chrystoki.conf
A second mountpath is included for the HSM /etc/Chrystoki.conf file. Because the HSM requires its config file in the /etc
folder, which is a system directory, we need to use the subpath parameter to avoid replacing the entire /etc directory. If the
subpath is not used, the entire /etc directory is replaced with the volume being mounted.
You have completed the HSM configuration for your blockchain network. Now when you deploy a new CA, peer, or ordering node,
you can configure it to use the HSM that you have configured here. See Configuring a CA, peer, or ordering node to use the HSM
for details.
If you configured an HSM daemon, the following sample configuration shows how to configure the openCryptoki zHSM on the
operator. You need to customize the settings according to your daemon.
daemon:
image: us.icr.io/ibp-test/opencryptoki-deamon:s390x-1.0.1
auth:
imagePullSecret: "ibprepo-key-secret"
resources:
limits:
cex.s390.ibm.com/ibp: 1
securityContext:
privileged: false
runAsNonRoot: false
runAsUser: 0
library:
filepath: /hsm/opencryptoki/libopencryptoki.so.0.0.0
image: us.icr.io/ibp-test/opencryptoki-deamon:s390x-1.0.1
auth:
imagePullSecret: "ibprepo-key-secret"
envs:
- name: LD_LIBRARY_PATH
value: /stdll
mountpaths:
- mountpath: /usr/sbin/pkcsslotd
name: pkcsslotd
volumeSource:
emptyDir:
medium: Memory
- mountpath: /var/run
name: varrun
volumeSource:
emptyDir:
medium: Memory
- mountpath: /var/lib/opencryptoki
name: tokeninfo
usePVC: true
- mountpath: /etc/opencryptoki
name: opencryptoki-config
volumeSource:
emptyDir:
medium: Memory
- mountpath: /var/lock/opencryptoki
name: lock
volumeSource:
emptyDir:
In the daemon: section, provide the URL of the HSM daemon image that you created. If the image is not hosted publicly,
then you need to create the appropriate pull secret and specify it here as well.
In the library: section, provide the URL of the HSM client image that you created in step two. This is the client that the
CA, peer, and ordering node will use to talk to the HSM daemon. The filepath: is the location of the shared object
library in the image. If the image is not hosted publicly then the user must create the appropriate pull secret and specify it
as well.
In the envs: section, provide the list of environment variables that are required to configure the HSM.
In the mountpaths: section, provide all the necessary artifacts such as config, shared object libraries, shared memory,
etc. that are needed to communicate with the HSM daemon. These settings are vendor-specific as it is your responsibility
to know what directories or files need to be mounted. When the CA, peer, and ordering nodes are deployed, these
mountpaths will be mounted on to their containers along with the HSM client. Most of these mountpaths can be of type
Memory , however, if there are files that need to persist, then set usePVC: true . When set, the operator stores the files in
the mountpath in a persistent medium, by leveraging the PVCs of the CA, peer, and ordering node as the persistent
medium.
Run the following command to create the configmap named ibp-hsm-config in your cluster namespace or project:
$ configmap/ibp-hsm-config created
What's next
After you have used these instructions to configure your IBM Cloud HSM and build theHSM client image, you are ready to
configure your blockchain nodes to use the HSM. When you create a CA, peer, or ordering node, select the HSM Advanced
deployment option to configure the node to use this HSM.
Important: When a node is configured with HSM, a temporary Kubernetes job is started to run this HSM "enrollment"
process. Before configuring a node to use HSM, ensure that you have enough resources in your cluster to support this job
that takes approximately 0.1CPU and 100M memory.
On the HSM configuration panel, the Use HSM client image toggle is visible. When it is on, you can enter the following values:
HSM label - Enter the name of the HSM partition to be used for this node.
HSM PIN - Enter the PIN for the HSM slot.
When the node is deployed, a private key for the specified node enroll ID and secret is generated by the HSM and stored
securely in the appliance.
Target audience: This topic is designed for network creators and system administrators who are responsible for planning and
configuring IBM Blockchain networks on IBM Cloud or on their own Kubernetes cluster and are new to Ansible playbooks.
What is Ansible
Ansible is a powerful open source automation language and in the context of the IBM Blockchain Platform can be used to script
deployments. It is a configuration management tool that automates the network deployment across multiple hosts by the use of
Ansible playbooks. Playbooks declare configurations and orchestrate the steps of any manual ordered process, synchronously
or asynchronously.
Each playbook is composed of one or more plays in a list. The goal of a playbook is to map a group of hosts to some well-defined
roles, represented by actions that Ansible calls tasks. Basically, a task is simply a call to an Ansible module.
Ansible Content Collections, or simply collections, are the mechanism for distributing, maintaining, and consuming the
automation. Combining multiple types of Ansible content (playbooks, roles, modules, and plug-ins) into a collection, adds
flexibility and scalability for automating your blockchain network deployment. The open source collections are published in
Ansible Galaxy where they can be freely downloaded. Check out their documentation for more education.
IBM Blockchain Platform offers an Ansible collection that includes the pertinent roles, modules, and documentation for rapidly
deploying, replicating, and tearing down blockchain networks in a reproducible fashion.
The Ansible collection includes a set of playbooks that automate the tasks that you would otherwise perform from the console
UI or by using the APIs, for example deploy a Certificate Authority (CA). But the playbooks are more robust than just that. The
playbooks automate a logical series of tasks that you would repeatedly perform in the console, for example create a CA, register
identities, create an organization MSP definition, and create a peer. And all of these steps can be performed by running a single
playbook.
Tip: This tutorial series is designed for users who are unfamiliar with how to use Ansible playbooks. Experienced Ansible
users can go directly to the collection documentation to get started.
Deploying your blockchain network After you deploy the IBM Blockchain Platform to a Kubernetes cluster on IBM Cloud,
1. Deploy your nodes and configure your network manually using the console user interface.This option is most
useful for getting started and learning about the platform and how the console works. It requires stepping through
multiple panels to configure all the settings for your nodes, organizations, channels, and smart contracts.
2. Use the IBM Blockchain Platform REST APIs to build your network. This option is for advanced users who want to
leverage the available REST APIs, often in conjunction with the Hyperledger Fabric APIs, to set up and administer
their blockchain network. Configuration is done through editing API parameters. Because the IBM Blockchain
Platform APIs are mainly for create, retrieve, update, and delete operations on a node, you may need to also learn
and use the Hyperledger Fabric APIs for some tasks.
3. Use the IBM Blockchain Platform Ansible Collection. After you are familiar with the process to set up the various
nodes, organizations, channels, and smart contracts, you might want to automate the process. The Ansible
playbooks provide a simple, straightforward, way to build and deploy a reproducible network. For getting started, a
set of scripts is provided that stitches the relevant playbooks together into a single executable shell script of
deployments to perform on your network. Configuration is done through editing .yml files. The Ansible playbooks
also automate some of the tasks performed by the Fabric APIs, such as creating a channel, joining a peer to a
channel, and installing and instantiating smart contracts. Even more, there are playbooks available for tearing down
the configuration so you can reset your network as needed. This option is a great option for setting up networks for
POCs, demos, development, and test networks.
The Ansible playbooks provide an easy-to-use, automated process to replicate your blockchain networks on-demand.
All components that are deployed with the playbooks are also visible in the console where you can interact with
them as normal and govern your network.
Getting started
There are multiple ways to install the Ansible collection. One option is to install all of the prerequisite software locally, which can
be cumbersome for first-time Ansible users. Another simpler option is to run the playbooks from a Docker image. Because using
a Docker image completely bypasses the need for the prerequisite setup (the prereqs are part of the Docker image), this
approach is by far the simplest option and is the process that we use throughout these tutorials. This option does require that
you install Docker before proceeding. To determine whether Docker is installed, run the command docker --version . If it is
installed, you'll see something similar to:
$ ```
Docker version 18.09.2, build 6247962
```
If you do not have Docker installed, see install Docker to download and install it. You can also check out the Docker site for
more education and documentation.
Advanced users can review the Ansible collection documentation for other installation options.
Target audience: This topic is designed for system administrators or operators who are responsible for creating or removing
components in an IBM Blockchain Platform network and are new to Ansible playbooks.
In this tutorial, we gather the connection information to your console and demonstrate how to use that information to configure
the playbooks. The playbooks group and automate common network deployment tasks so that you can bypass manually
configuring your network from the console. We teach you how to run an individual playbook and then how to run them
sequentially from a script. In just a few minutes, you can deploy an entire set of blockchain components that are ready to
process transactions on your IBM Blockchain Platform network.
The Ansible scripts can be used to build the following network that includes two organizations (Org1 and Org2) that each
contains one peer and an ordering service with a channel joined by both peers. It's a simple process to customize the playbooks
with your own component or organization names. They can also be used to deploy smart contracts on the channel. And as you
become more proficient, you can use the playbooks to build additional organizations, peers, ordering services, and channels
according to your use case.
Prerequisites
Before using the playbook, you need to complete the following steps:
Link an instance of the IBM Blockchain Platform to your Kubernetes cluster on IBM Cloud.
Review the topic on Getting started with Ansible playbooks on the IBM Blockchain Platform.
Install Docker.
When your cluster is running in IBM Cloud, you need to create service credentials for the IBM Blockchain Platform service
instance. The Ansible playbooks use the IBM Blockchain Platform REST APIs to interact with the console. The REST APIs use the
API key (api_key) and API endpoint (api_endpoint) to authenticate with the server and retrieve a Cloud Identity and Access
Management (IAM) access token. The values of the api_endpoint and api_key for the console can be found in the generated
service credentials.
Follow instructions on retrieving service credentials in IBM Cloud to gather these values now that are used with the playbooks
later in this topic.
$ ```
git clone https://github.com/IBM-Blockchain/ansible-collection.git
```
$ ```bash
cd ansible-collection/tutorial
```
The first thing that you notice is that the playbook .yml files are numbered. Because the playbooks build on each other, the
numbers help you understand the order that they should be run. When you want to change some of the configuration properties,
you can edit the .yml files and insert your own custom values, for example, if you want to customize a node name or use a
different enrollment ID. Each playbook includes either a role or a task. A role includes a set of tasks that in turn call the
associated modules that submit the requests to your cluster.
The next thing to notice is the set of variable files ordering-org-vars.yml (Ordering Org), org1-vars.yml (Org1), and
org2-vars.yml (Org2) that define the IBM Blockchain Platform console connection details for each organization. These
variable files are used by the playbook when you run it. This means that before you run a playbook, if it uses a variable file, you
need to customize the associated variable file with the connection information that you gathered in the previous step. When a
playbook requires a variables file, it is included in the playbook .yml file.
The variable files include the following four fields that define your connection information to your console:
$ ```
api_endpoint: https://ibp-console.example.org:32000
api_authtype: ibmcloud
api_key: xxxxxxxx
api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
api_endpoint - Set this value to the api_endpoint from your service credentials.
api_authtype - Because your cluster is in IBM Cloud, this value needs to be set toibmcloud.
api_key - to the value of api_key contained in the service credentials.
api_secret - This value is not used for clusters in IBM Cloud. No value is required here.
Refer to Gather console connection information for instructions on how to get the service credentials.
You can go ahead now and modify the ordering-org-vars.yml (Ordering Org), org1-vars.yml (Org1), and org2-vars.yml
files with your console connection information.
There is also a common variables file, common-vars.yml . You do not need to edit this variable file right now. This file contains
variables that are used by multiple organizations, for example the name of the channel that will be created, and the name of the
Note: These instructions assume that you have installed Docker) in order to use the Ansible playbooks. If you have
installed all of the prerequisites locally on your system instead, you can refer to the Ansible documentation for
instructions on how to run the playbooks.
1. We use a Docker command to run the first playbook that creates an ordering organization that is namedOrdering Org,
with a certificate authority named Ordering Org CA, and finally a single node ordering service named Ordering Service. If
you have not already, go ahead and modify the console connection variables inside the ordering-org-vars.yml by
using the instructions from the previous section. You are now ready to run an Ansible playbook from Docker.
where:
--rm tells Docker to remove the container when the command completes.
-v <FULLY-QUALIFIED-PATH-TO-PLAYBOOKS> is used to mount the tutorial folder into the Docker container.
Replace <FULLY-QUALIFIED-PATH-TO-PLAYBOOKS> with the fully qualified path to where the tutorial folder
resides on your local system. When you run the command from the tutorial folder you can replace this value with
$PWD.
ibmcom/ibp-ansible represents the tag of the Docker image that is published by IBM.
For example:
$ cd tutorial
docker run --rm -v $PWD:/playbooks ibmcom/ibp-ansible ansible-playbook /playbooks/01-
create-ordering-organization-components.yml
While the command is running, you see output from each task. You can safely ignore the following warning:
$ [WARNING]: provided hosts list is empty, only localhost is available. Note that the
implicit localhost does not match 'all'`.
When the playbook is finished, in the PLAY RECAP section, you see output similar to:
If the playbook completes successfully, you should see failed=0 . Go ahead now and log in to your console to
confirm that Ordering Org CA, Ordering Org organization, and Ordering Service was created.
2. The same instructions can be repeated for the next playbook, 02-create-endorsing-organization-components.yml .
This playbook creates an endorsing organization named Org1, with a certificate authority named Org1 CA, and then a peer
named Org1 Peer. When you open the playbook, notice in the comments that this playbook uses a different variables file
org1-vars.yml . Edit that file with your console connection information. And then run that playbook:
Again, if you check your console, you can see that the Org1 CA, Org1 organization, and Org1 Peer was created.
3. You can continue running each playbook individually in the list to stand up a basic network that contains an ordering
service, two peer organizations, two peers, and a channel. The playbooks also install smart contracts on the peers and
instantiate them on the channel.
Check out this topic on Exploring the playbooks for more information about how each playbook works.
By now, you are probably interested in scripting these commands together to stand up or even tear down the components. The
next section walks you through how to do that.
build_network.sh - This is a script that runs a set of playbooks that create an entire simple network, the same one that
can be created if you manually build the network by completing the Build a network tutorial. When you call the script with
the build option, it configures a single node ordering service, a peer organization and a peer. It installs theFabCar
smart contract on the peer, creates a channel and joins the peer to the channel. If you run the script with the destroy
option it removes all of these artifacts from your cluster. For details, see Building a network.
join_network.sh - Run this script when you want to join a peer organization to an existing channel. For more details see
Joining a network.
deploy_smart_contract.sh - This script can be used to install a smart contract on one or more peers in your
organization and instantiate it on a channel. For more details, see Deploying the smart contract.
Before running any script, you need to update the console connection settings in the ordering-org-var.yml , org1-
vars.yml , and org2-vars.yml files. Go ahead and try out the build_network.sh script by running the following Docker
command from your tutorial folder:
Notice that the playbooks will run even if the artifacts that you are deploying already exist. In that case, you can see in thePLAY
RECAP status that changed=0 , meaning the playbook detected that the node exists and did not try to re-create it. You can also
run the build_network.sh with the destroy option to remove all the nodes and metadata that were created when you ran
the build_network.sh script with the build option. Give it a try now by running the command:
Customizing The playbooks use the organization names that are defined in the common-vars.yml file. When you are
organization ready to configure your own organizations, you can edit the file and specify the preferred organization
names names for your network.
Customizing The default ordering service name is defined in the common-vars.yml file in the ordering_service_name
the name of parameter. Edit this value to specify the preferred name of the ordering service.
the ordering
service
Adjusting You can customize the resources that are allocated to a node by editing theresources block of its
node associated module. For example, to modify the CPU and memory that is allocated to a CA node, navigate
resources to your clone of the certificate_authority module on your local system. Scroll down to theresources
section and modify the values that are assigned to cpu and memory. Likewise, you can modify peer
resources in your clone of the peer module or the ordering service resources in the ordering service
module.
Using your By default, the 19-install-chaincode.yml and 20-instantiate-chaincode.yml playbooks use the
own smart Fabric 2.0 smart contract lifecycle with the FabCar sample smart contract. When you are ready to deploy
contract your own smart contract, you need to:
1. Include the smart contract package in the tutorial directory and name it using the format
<SMART-CONTRACT-NAME>@<VERSION>.tar.gz.
2. Refer to your smart contract by replacing the value of the smart_contract_base_name: and
smart_contract_version: parameters in the common-vars.yml file.
Using your When the playbooks deploy a node, it uses the enroll IDs specified in the 01-create-ordering-
own enroll organization-components.yml and 02-create-endorsing-organization-components.yml files. The
ID and associated enroll secrets are provided in the corresponding variable files ordering-org-vars.yml, org1-
secrets vars.yml, and org2-vars.yml. You can customize the values of the enroll ID and secrets in these files
according to your needs.
Next steps
Now that you have used the playbooks to deploy your components or even scripted the deployment of your network, you can
continue to use the console UI to interact with and govern your blockchain components. You will notice right away that the
Ansible scripts do not associate an identity with the nodes that it deploys. If you plan to operate the nodes from the console, you
need to use a manual process to upload the node identities to the console wallet and associate them with the nodes. The
generated node identities are JSON files and are stored in the tutorial folder.
Generated identities
The following table lists the names of the JSON files that contain the identities that are generated by the build_network.sh
script with the build option or the join_network.sh script for the case of Org 2. If you customized organization names inside
the playbook .yml files, it is possible that your JSON files will be named differently. In order to operate the nodes from the
console, you need to import all of the generated identities into the console wallet by using the following process:
Important: When you run the build_network.sh script with the destroy option, all of the nodes and associated
metadata are removed from your cluster, but any identities that you manually imported into the console wallet are not
removed. Before you run the build_network.sh script again with the build option, you need to manually remove each
identity, by opening it in the wallet and then clicking Remove identity.
Using the wallet identities from the preceding table, you can now follow the steps in the following table to associate identities for
each node type.
Table 2. CA identities
Summary
Congratulations. You have used the Ansible playbooks to configure IBM Blockchain Platform components on your cluster. You
know how to run a playbook individually and have some sample shell scripts that show how to run the playbooks together to
Target audience: This topic is designed for network and system administrators who are responsible for planning, configuring and
migrating IBM Blockchain networks.
What is happening?
In September, 2021, IBM released the IBM Support for Hyperledger Fabric edition, which provides certified images of
Hyperledger Fabric open source code, accelerators, and IBM support for Fabric-based blockchain solutions. Given the functional
overlap with the IBM Blockchain Platform Software and SaaS editions, IBM will be withdrawing the IBM Blockchain Platform
SaaS edition in July, 2023.
Why is it happening?
To maintain a focused development, delivery & support effort for IBM Blockchain Platform, it has been determined that the IBM
Support for Hyperledger Fabric Support best recognizes the opensource foundation of the core code and aligns IBM’s value with
the support, certification, and accelerators.
IBM Blockchain Platform SaaS subscription customers will be able to transition their license to IBM Support for Hyperledger
Fabric at the end of their current subscription commitment, or before July, 2023 (whichever comes first), with assistance from
their IBM Blockchain Support team or IBM Account Representative.
Documentation for the IBM Support for Hyperledger Fabric is a current IBM product offering; the documentation is available at
https://www.ibm.com/docs/en/hlf-support/1.0.0.
Next steps
Coming soon: Watch this space for details on how to migrate your IBM Blockchain Platform network to IBM Support for
Hyperledger Fabric.
1. Log in to IBM Cloud and open IBM Cloud Resource list. Ensure that you log in with your IBM ID.
2. Your IBM Blockchain Platform service instance is visible under the Services twistie. Locate and click the IBM Blockchain
Platform service instance that you deployed.
3. On the Welcome Back panel, click Refresh cluster. The operation could take a few minutes while it re-establishes
connectivity to your Kubernetes cluster and refreshes the management console.
4. Click Launch IBM Blockchain Platform again.
For instructions on how to add new user see Inviting users to an account with the following additional details:
Manager As a Manager, you have permissions beyond the Writer role. You can do everything a Reader and Writer can do
as well as:
Provision new components such as CAs, peers, and ordering services, by using the console or APIs.
Override configuration settings on components.
Delete provisioned components by using the console or APIs.
Change console logging levels by using the console or APIs.
Restart the console by using an API.
Link a blockchain service instance to a Kubernetes cluster.
Permissions are cumulative. If you select a Manager role, the user will also be able to perform all Writer and Reader actions, you
are not required to additionally check those roles. Likewise, a user with the Writer role will be able to perform all of the actions
in the Reader role. For console access, you need to only select a role under theService Access Roles, you do not need to select
anything under the Platform Access Roles. Check the corresponding role under Assign platform access role when it is
important that the service instance is visible in the invited user's IBM Cloud dashboard.
Important: After you add new users to the console, the users might not be able to view all the nodes, channels, or smart
contracts other users have deployed. To work with these components, each user needs to import the associated identities
into their own console wallet. For more information, see Storing identities in your console wallet.
1. From the menu bar, click Manage > Access (IAM) and then select Users.
2. Click the Actions menu next to the user you want to modify and selectAssign access.
3. Select the tile Assign access to resources.
4. From the Services drop-down list, select Blockchain Platform 2.0.
5. Scroll down to Select roles.
6. Under Assign service access roles, choose a role for the user, which can be Manager, Writer, and Reader.
7. Click Assign.
When you need to remove a user's access to the console, follow instructions in the IAM Removing users topic.
Individual users
You might have a specific user that needs more or less permissions than the rest of your team. You can customize
permissions on an individual basis so that each person has the permissions that they need to complete their tasks. You can
assign more than one IBM Cloud IAM role to each user.
You can create a group of users and then assign permissions to that group. For example, you can group all team leaders and
assign administrator access to the group. Then, you can group all developers and assign only write access to that group. You
can assign more than one IBM Cloud IAM role to each access group. When you assign permissions to a group, any user that
Note: The users that you add in IAM are simply email addresses of users who can log in to the console. They have no
relationship to the Available Organizations in the Organizations tab or the identities stored by the console wallet.
To update the email address of the console administrator that was configured when the console was deployed, you must be
logged in as the console administrator. Navigate to the Users tab and click Configure on the IBM ID tile. In the panel that opens,
specify a new email address for the console administrator.
1. From the console, open the CA that is associated with the node. If you imported the node and its associated CA is not in
your console, you need to open the CA from the console where it resides.
2. Click the actions menu icon next to the user and then click Enroll identity.
3. On the side panel that opens, select TLS Certificate Authority from the Certificate Authority list.
4. Enter the Enroll secret that is associated with the Enroll ID for the user and click Next.
5. Provide a display name for the identity and then Export the identity to your file system.
6. Click Add identity to Wallet.
The TLS certificate now exists in your console wallet and you are ready to customize the node logging.
Customize logging
The process to customize the log settings is the same for a peer or ordering node. Open the node and click theSettings
icon. Click Log settings to open the panel.
If you prefer a different default logging level than Information for all loggers on the node, select a new logging level ( Fatal ,
Panic , Error , Warning , Information , Debug ) from the Default logging level list. All loggers for the node will use use the
selected default log level unless overridden on this panel by providing the specific log levels for the loggers that you need for
debugging. There is no “master list” of loggers, and this panel does not validate whether the loggers exist. You can see the
Important: A word on the logging specification syntax. Notice that the terms are separated by a colon. If a term does not
include a specific logger, for example info: then it is applied as the default log level, regardless of what is specified on
the Simple tab. This means that the string
info:dockercontroller,endorser,chaincode,chaincode.platform=debug sets the Default log level to
Information for all loggers and then the dockercontroller , endorser , chaincode ,and chaincode.platform
loggers are set to Debug .
Note that smart contract logging is the responsibility of the developer who defines the smart contract loggers. Debug your smart
contracts by providing the name of the smart contract logger and the desired log level on the Simple or Advanced tabs.
Tip: When you need to reset the logging for the node back to the Fabric default, delete any custom logger settings on the
Simple and Advanced tabs and set the Default log level to Information .
See the Fabric topic on Logging Control for more information. Read on for more information on how to view the node and smart
contract logs.
Note: In addition to the console and node logs that are available in the customer clusters, IBM keeps logs regarding IBM
Cloud account activity on the IBM Blockchain Platform instance. These logs are not available in customer clusters or their
containers. If you need these service management logs, open a support ticket.
Navigate to the Settings tab in the console browser to change the logging settings. The console logs are collected from two
separate sources:
Client logging: These logs are collected when commands are sent from your browser to the console.
Server logging: These logs are collected when the console sends commands to your nodes and from the console
deployment. These logs include the Hyperledger Fabric logging output.
Set the amount of collected logs by using the drop-down list under each log type. For example,Error and Warning collect the
least amount of logs, while Debug and All collect the most.
You can view only the console logs if you are logged in as a console administrator. To view the logs from theSettings tab,
replace the word settings in the browser URL with api/v1/logs . For example, if your console URL is
localhost:3001/settings , you can view your logs by navigating to localhost:3001/api/v1/logs . Client and server logs
are collected in separate files. The most recent logs are at the top of the page.
The namespace is the first part of the URL beginning with the letter n and followed by a random string of six alphanumeric
characters. So in the example above the value of the namespace is n2734d0 .
1. Open the IBM Cloud dashboard and navigate to the overview screen of your IBM Kubernetes Service cluster.
2. Above the cluster overview screen, click Kubernetes Dashboard.
3. Inside the Kubernetes dashboard, use the left navigation Namespace drop-down list to change to the namespace for your
IBM Blockchain Platform service instance that you discovered above.
4. On the left navigation, click Pods to view the list of node pods that you have deployed.
5. Click on a pod. Then click the View logs icon on the top menu to open the logs of your node. Above the logs, you can use
the drop-down menu after Logs from to view the logs from the different containers within the pod. For example, your peer
and the state database (CouchDB for example) run in different containers and generate different logs.
Important: While the terms "smart contract" and "chaincode" are often used interchangeably, "smart
contracts" refers to the business logic that governs transactions and access to its data, while "chaincode" refers to the
larger infrastructure of packages and other code that encompasses a smart contract.
If your peer is based on the Hyperledger Fabric v2.x image, you can run the following set of kubectl commands to view the smart
contract logs.
If you don't already know it, you need to find your Kubernetes cluster namespace. From the console, open any CA node and click
the Info and Usage icon. View the value of the API URL. For example: https://nf85a2a-soorg10524.ibpv2-cluster.us-
south.containers.appdomain.cloud:7054 . The namespace is the first part of the URL beginning with the letter n and
followed by a random string of six alphanumeric characters. So in the example above the value of the namespace is nf85a2a .
Next, get a list of all of the smart contract pods running in your cluster:
kubectl get po -n <NAMESPACE> | grep chaincode-execution | cut -d" " -f1 | xargs -I {} kubectl get po
{} -n <NAMESPACE> --show-labels
Your smart contract name and version is visible next to the chaincode-id .
Then, to view the logs for a specific smart contract pod, run the command:
Replace
<SMART_CONTRACT_POD> with the name of the pod where the smart contract is running.
<NAMESPACE> with the name of your cluster namespace.
For example:
1. Open your Kubernetes dashboard, filter on your namespace, and click the peer pod where the smart contract is running.
2. Click the Logs link from your dashboard. By default it points to peer container.
3. Switch to the dind container by selecting it from the drop-down list.
All of your smart contract logs are visible in this window and can be downloaded using the download icon on the panel.
See the Red Hat OpenShift documentation. Access the logs for the peer pod where the smart contract is running and select the
dind container.
Note: The best practice is to apply upgrades to one node at a time. While the upgrade is being applied, the node is
unavailable to process requests or transactions. Therefore, to avoid any disruption of service, whenever possible you
should ensure another node of the same type is available to process requests. Upgrading a node takes about a minute to
complete and when the update is complete, the node is ready to process requests.
For information about how to upgrade a node, check out Upgrading to the latest version of Fabric.
1. In your IBM Cloud dashboard, click the menu icon and open the Resource List.
2. Scroll to the Services twistie and expand it to view your service instance.
3. If your instance is listed, click the action menu for the service instance, thenDelete, to delete this service instance.
4. Scroll to the Kubernetes Clusters twistie and expand it to view your free cluster.
5. If your free cluster is listed, click the action menu for the cluster and then clickDelete to delete the free cluster.
When these actions are complete, you can follow the original steps to create a new Kubernetes cluster and blockchain service
instance from the IBM Cloud catalog page.
Target audience: This topic is designed for advanced network operators who are familiar with Hyperledger Fabric and are
responsible for creating, monitoring, and managing their components in the blockchain network.
Important: Before attempting to deploy a node, it is the network operator's responsibility to monitor the cluster CPU,
memory, and storage usage, and ensure that adequate resources are available in the cluster for the node.
Allocating resources
Because your instance of the IBM Blockchain Platform console and your Kubernetes cluster do not communicate directly about
the resources that are available, the process for deploying components by using the console must follow this pattern:
1. Size the deployment that you want to make. The Resource allocation panels for the CA, peer, and ordering node in the
console offer default CPU, memory, and storage allocations for each node. You may need to adjust these values according
to your use case. If you are unsure, start with default allocations and adjust them as you understand your needs. Similarly,
the Resource reallocation panel displays the existing resource allocations. For a sense of how much storage and compute
you will need in your cluster, refer to the chart after step 3 that contains the current defaults for the peer, orderer, and CA:
2. Check whether you have enough resources in your Kubernetes cluster. If you are using a Kubernetes cluster that is
hosted in IBM Cloud, we recommend using the IBM Cloud Monitoring tool in combination with your IBM Cloud Kubernetes
dashboard. If you do not have enough space in your cluster to deploy or resize resources, you need to increase the size of
your cluster. For more information about how to increase the size of a cluster, see scaling Kubernetes or OpenShift
clusters. If you have enough space in your cluster, you can continue with step 3.
3. Use the console to deploy or resize your node. If your Kubernetes pod is large enough to accommodate the new size of
the node, the reallocation should proceed smoothly. If the worker node that the pod is running on is running out of
resources, you can add a new larger worker node to your cluster and then delete the existing working node.
Peer (Hyperledger Fabric v1.4) 1.1 2.8 200 (includes 100GB for peer and 100GB for state database)
CA 0.1 0.2 20
** Actual VPC allocations are visible in the blockchain console when a node is deployed.
Note that when smart contracts are installed on peers that run a Fabric v2.x image, the smart contract is launched in its own pod
instead of a separate container on the peer, which accounts for the smaller amount of resources required on the peer.
While users of a free cluster must use default sizes for the containers associated with their nodes, users of paid clusters can set
these values while the node is being created by clicking the Resource allocation box during the creation of their nodes. If this
box is not checked, the default resource allocations, which can be seen below, will be used.
For cases when a user wants to minimize charges without stopping or deleting a node, it is possible to scale the node down to a
minimum of 0.001 CPU (1 milliCPU). Note that the node will not be functional when using this amount of CPU.
Tip: While the figures in this topic endeavor to be precise, be aware that there are times when a node may not deploy
even when it appears that you have enough space in your cluster. Make sure to reference your Kubernetes dashboard to
see when components deploy and for error messages when they don't. In cases where a component doesn't deploy for a
lack of resources, even if there seems to be enough space in the cluster, you will likely have to deploy additional cluster
resources for the component to deploy.
The Resource allocation panel in the console provides default values for the various fields that are involved in creating a node.
These values are chosen because they represent a good way to get started. However, every use case is different. While this topic
provides guidance for ways to think about these values, it ultimately falls to the user to monitor their nodes and find sizings that
work for them. Therefore, barring situations in which users are certain that they need values different from the defaults, a
practical strategy is to use these defaults at first and adjust them later. For an overview of performance and scale of Hyperledger
Fabric, which the IBM Blockchain Platform is based on, see Answering your questions on Hyperledger Fabric performance and
scale.
Important: After you have deployed the node, you need to monitor the resource consumption of the node. Configure a
monitoring tool such as IBM Cloud Monitoring to observe the nodes and ensure that adequate resources are available to
the node containers when processing transactions.
All of the containers that are associated with a node have CPU and memory, while certain containers that are associated with
the peer, ordering node, and CA also have storage. For more information about storage, see Persistent storage considerations.
Note that when your Kubernetes cluster is configured to use any of the IBM Cloud storage classes, the smallest storage amount
that can be allocated to a node is 20Gi.
You are responsible for monitoring your CPU, memory, and storage consumption in your cluster. If you do happen to request
more resources for a blockchain node than are available, the node will not start. However, existing nodes will not be affected. If
you are using IBM Cloud as your cloud provider, CPU and memory can be changed by using the console and Kubernetes cluster
Every node has a gRPC web proxy container that bootstraps the communication layer between the console and a node. This
container has fixed resource values and is included on the Resource allocation panel to provide an accurate estimate of how
much space is required on your Kubernetes cluster in order for the node to deploy. Because the values for this container cannot
be changed, we will not discuss the gRPC web proxy in the following sections.
CA deployment
When you deploy a CA, the following advanced deployment options are available:
CA container: Encapsulates the internal CA processes, such as registering and enrolling nodes and users, as well as
storing a copy of every certificate it issues.
As we noted in our section on Considerations before you deploy a node, it is recommended to use the defaults for the CA
container and adjust them later when it becomes apparent how they are being utilized by your use case.
CA container CPU and memory When you expect that your CA will be bombarded with registrations and enrollments.
CA storage When you plan to use this CA to register a large number of users and applications.
Customizing a CA configuration
In addition to the CA settings that are provided in the console when you provision a CA, you have the option to override some of
the settings. If you are familiar with the Hyperledger Fabric CA server, these settings are configured in the fabric-ca-server-
config.yaml file when a CA is deployed. The IBM Blockchain Platform console configures these fields for you with default
settings. Therefore, many of these fields are not exposed by the console. But the console also includes a panel where you can
edit a JSON to override a set of these parameters before a CA is deployed.
Note: The ability to override the CA configuration by using the console or APIs is available only in paid clusters.
{
"ca": {
"cors": {
"enabled": false,
"origins": [
"*"
]
},
"debug": false,
"crlsizelimit": 512000,
"tls": {
"certfile": null,
"keyfile": null,
"clientauth": {
"type": "noclientcert",
"certfiles": null
}
},
"ca": {
"keyfile": null,
"certfile": null,
"chainfile": null
},
"crl": {
"expiry": "24h"
},
"registry": {
"maxenrollments": -1,
"identities": [
{
"name": "<<<adminUserName>>>",
"pass": "<<<adminPassword>>>",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
Alternatively, if you do check any of the advanced options when you configure the CA, those settings are included in the JSON on
the Summary panel and can be additionally customized.
Any edits that you make to the JSON override what was specified in the console UI. For example, if you specified a Maximum
enrollments value of 10 in the console, but then provided the maxenrollments value of -1 in the JSON , then the value in
the JSON file is used when the CA is deployed. It is the settings that are visible in the JSON on the Summary page that are used
when the CA is deployed.
Here is an example of the minimum required JSON parameters for any override when a CA is deployed.
{
"ca": {
"csr": {
"cn": "<COMMONNAME>",
"keyrequest": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "North Carolina",
"L": "Location",
"O": "Hyperledger",
"OU": "Fabric"
}
],
"hosts": [
"<HOSTNAME>"
You can insert additional fields or modify the JSON that is visible in the Configuration JSON box. For example, if you want to
deploy a CA and override only the csr names values, you can edit the values in the JSON . But if you wanted to change the
value of the passwordattempts field you would insert it into the JSON as follows:
{
"ca": {
"csr": {
"cn": "<COMMONNAME>",
"keyrequest": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "North Carolina",
"L": "Location",
"O": "Hyperledger",
"OU": "Fabric"
}
],
"hosts": [
"<HOSTNAME>"
],
"ca": {
"expiry": "131400h",
"pathlength": 1024
}
},
"debug": false,
"registry": {
"maxenrollments": -1,
"identities": [
{
"name": "<ADMIN_ID>",
This snippet is provided only as an example of what the modified JSON would resemble. Do not copy and edit this snippet, as it
does not contain the custom values for your configuration. Rather, edit the JSON from your console Configuration JSON box
because it includes the settings for your node.
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat <CERT_FILE> | base64 $FLAG
Replace <CERT_FILE> with the name of the file that you need to encode.
{
"ca":{
"cors": {
"enabled": false,
"origins": [
"*"
]
},
"debug": false,
"crlsizelimit": 512000,
"tls": {
"certfile": null,
"keyfile": null,
Paste the modified JSON that contains only the parameters that you want to update into theConfiguration JSON box. For
example, if you only needed to update the value for the passwordattempts field you would paste in this JSON :
{
"ca": {
"cfg": {
"identities": {
"passwordattempts": 3
}
}
}
}
If you need to enable deletion of registered users from a CA you would insert "allowremove": true into the JSON as follows:
{
"ca": {
"cfg": {
"identities": {
"passwordattempts": 10,
"allowremove": true
}
}
}
}
Note: The ability to update a CA configuration is not available for CAs that have been imported into the console.
Peer deployment
When you deploy a peer, the following advanced deployment options are available:
State database - Choose the database for your peers where ledger transactions are stored.
Deployment zone selection - In a multi-zone cluster, select the zone where the node is deployed.
External Certificate Authority configuration - Use certificates from a third-party CA.
Resource allocation - Configure the CPU, memory, and storage for the node.
Hardware Security Module - Configure the peer to use an HSM to generate and store private keys.
Peer configuration override - Choose this option when you want to override peer configuration.
Important: You also have the ability to choose the version of Fabric that will be used to deploy your peer. It is
recommended to always choose the latest version, as this version will have the latest fixes and improvements. However,
note that you might have to re-vendor your smart contract if it was written in Golang. For more information, see Write and
package your smart contract.
State database
During the creation of a peer, it is possible to choose between two state database options:LevelDB and CouchDB. Recall that
the state database keeps the latest value of all of the keys (assets) stored on the blockchain. For example, if a car has been
owned by Varad and then Joe, the value of the key that represents the ownership of the car would be "Joe".
Because it can be useful to perform rich queries against the state database (for example, searching for every red car with an
This support for rich queries is why CouchDB is the default database unless a user selects the State database selection box
during the process of adding a peer selects LevelDB on the subsequent tab.
Important: Because the data is modeled differently in a Couch database than in a Level database,the peers in a channel
must all use the same database type. If data written for a Level database is rejected by a Couch database (which can
happen, as CouchDB keys have certain formatting restrictions as compared to LevelDB keys), a state fork would be
created between the two ledgers. Therefore, take extreme care when joining a channel to know the database type
supported by the channel. It might be necessary to create a new peer that uses the appropriate database type and join it
to the channel. Note that the database type cannot be changed after a peer has been deployed.
If you are deploying a redundant node (that is, another peer when you already have one), it is a best practice to deploy this node
into a different zone. You can determine the zone that the other node was deployed to by opening the tile of the node and
looking under the Node location. Alternatively, you can use the APIs to deploy a peer or orderer to a specific zone. For more
information on how to do this with the APIs, see Creating a node within a specific zone.
If multizone-capable storage is configured for your Kubernetes cluster, when a zone failure occurs, the nodes can come up in
another zone with their associated storage intact, ensuring high availability of the node. In order to leverage this capability with
the IBM Blockchain Platform, you need to configure your cluster to use SDS (Portworx) storage. And when you deploy a peer,
select the advanced deployment option labeled Deployment zone selection and then select Across all zones. To learn more
about multizone-capable storage, see the Comparison of persistent storage options for multizone clusters on OpenShift or IBM
Cloud Kubernetes service.
Peer container: Encapsulates the internal peer processes (such as validating transactions) and the blockchain (in other
words, the transaction history) for all of the channels it belongs to. Note that the storage of the peer also includes the
smart contracts that are installed on the peer.
CouchDB container: Where the state databases of the peer are stored. Recall that each channel has a distinct state
database.
Smart contract container: Recall that during a transaction, the relevant smart contract is "invoked" (in other words, run).
Note that all smart contracts that you install on the peer will run in a separate container inside your peer pod, which is
known as a Docker-in-Docker container.
Smart contract launcher container: Used to launch a separate pod for each smart contract, eliminating the need for a
Docker-in-Docker container in the peer pod. Note that the smart contract launcher container is not where smart contracts
actually run, and is therefore given a smaller default resource than the "smart contracts" container that used to be
deployed along with a peer. It only exists to help create the pods where smart contracts run. You must make your own
allowances in your deployment for the containers for smart contracts, as the pods spun up by the smart contract launcher
are not bound by strict resource limitations. The pod will use as many resources as it needs depending on the size of a
smart contract and the processing load it encounters. For more information, see Resource Quotas.
Important: Note that a separate pod will be created for each smart contract that is installed on each peer, even if you
The peer also includes a gRPC web proxy container, you cannot adjust the compute for this container.
As we noted in our section on Considerations before you deploy a node, it is recommended to use the defaults for these peer
containers and adjust them later when it becomes apparent how they are being utilized by your use case.
Peer When you anticipate installing many smart contracts on this peer and to join it to many channels. Recall that
storage this storage will also be used to store smart contracts from all channels the peer is joined to. Keep in mind
that we estimate a "small" transaction to be in the range of 10,000 bytes (10k). As the default storage is
100G, this means that as many as 10 million total transactions will fit in peer storage before it will need to be
expanded (as a practical matter, the maximum number will be less than this, as transactions can vary in size
and the number does not include smart contracts). While 100G might therefore seem like much more storage
than is needed, keep in mind that storage is relatively inexpensive, and that the process for increasing it is
more difficult (require command line) than increasing CPU or memory.
CouchDB When you anticipate a high volume of queries against a large state database. This effect can be mitigated
container somewhat by using indexes. Nevertheless, high volumes might strain CouchDB, which can lead to query and
CPU and transaction timeouts.
memory
CouchDB When you expect high throughput on many channels and don't plan to use indexes. However, like the peer
(ledger storage, the default CouchDB storage is 100G, which is significant.
data)
storage
Smart When you expect a high throughput on a channel, especially in cases where multiple smart contracts will be
contract invoked at the same time. You should also increase the resource allocation of your peers if your smart
container contracts are written in JavaScript or TypeScript.
CPU and
memory
Smart Because the smart contract launcher container streams logs from smart contracts back to a peer, the more
contract smart contracts are running the greater the load on the smart contract launcher.
launcher
container
CPU and
memory
Important: The IBM Blockchain Platform supports smart contracts that are written in JavaScript, TypeScript, Java, and
Go. When you are allocating resources to your peer node, it is important to note that JavaScript and TypeScript smart
contracts require more resources than contracts written in Go. The default storage allocation for the peer container is
sufficient for most smart contracts. However, when you instantiate a smart contract, you should actively monitor the
resources consumed by the pod that contains the smart contract in your cluster by using a tool like IBM Cloud Monitoring
to ensure that adequate resources are available.
For more details on the resource allocation panel in the console see Allocating resource.
Note: The ability to override the peer configuration by using the console or APIs is available only in paid clusters.
{
"peer": {
"id": "jdoe",
"networkId": "dev",
"keepalive": {
"minInterval": "60s",
"client": {
"interval": "60s",
"timeout": "20s"
},
"deliveryClient": {
"interval": "60s",
"timeout": "20s"
}
},
"gossip": {
"useLeaderElection": true,
"orgLeader": false,
"membershipTrackerInterval": "5s",
"maxBlockCountToStore": 100,
"maxPropagationBurstLatency": "10ms",
"maxPropagationBurstSize": 10,
"propagateIterations": 1,
"propagatePeerNum": 3,
"pullInterval": "4s",
"pullPeerNum": 3,
"requestStateInfoInterval": "4s",
"publishStateInfoInterval": "4s",
"stateInfoRetentionInterval": null,
"publishCertPeriod": "10s",
"skipBlockVerification": false,
"dialTimeout": "3s",
"connTimeout": "2s",
"recvBuffSize": 20,
"sendBuffSize": 200,
"digestWaitTime": "1s",
"requestWaitTime": "1500ms",
"responseWaitTime": "2s",
"aliveTimeInterval": "5s",
"aliveExpirationTimeout": "25s",
"reconnectInterval": "25s",
"election": {
"startupGracePeriod": "15s",
"membershipSampleInterval": "1s",
"leaderAliveThreshold": "10s",
"leaderElectionDuration": "5s"
},
"pvtData": {
Alternatively, if you do check any of the advanced options when you configure the peer, those settings are included in the JSON
on the Summary panel and can be additionally customized with other fields as needed. Any edits that you make will override
what was specified in the console. For example, if you selected to use a LevelDB as the state database, but then overrode the
setting to use CouchDB as the state database in the JSON , then the CouchDB database settings would be used when the peer is
deployed. The override settings that are visible in the JSON on the Summary page are what is used when the peer is deployed.
You don't need to include the entire set of available parameters in the JSON , only the advanced deployment options that you
selected in the console along with the parameters that you want to override. For example, if you want to deploy a peer and
override the chaincode startup timeout and specify a different port for the statsd address , you would paste in the
following JSON :
{
"peer": {
"chaincode": {
"startuptimeout": "600s"
}
},
"metrics": {
"statsd": {
"address": "127.0.0.1:9443"
}
}
}
{
"peer": {
"id": "jdoe",
"networkId": "dev",
"keepalive": {
"minInterval": "60s",
"client": {
Paste the modified JSON that contains only the parameters that you want to update into theConfiguration JSON box. For
example, if you only need to update the value for the executetimeout field you would paste this JSON into the Configuration
JSON box:
{
"chaincode": {
"executetimeout": "30s"
}
}
Note: The ability to update override settings for a peer configuration is not available for peers that have been imported
into the console.
Number of ordering nodes - Decide how many ordering nodes are needed.
Deployment zone selection - In a multi-zone cluster, select the zone where the node is deployed.
External Certificate Authority configuration - Use certificates from a third-party CA.
Resource allocation - Configure the CPU, memory, and storage for the node.
Hardware Security Module - Configure the ordering node to use an HSM to generate and store private keys.
Orderer configuration override - Choose this option when you want to override ordering node configuration.
Important: You also have the ability to choose the version of Fabric that will be used to deploy your ordering nodes. It is
recommended to always choose the latest version, as this version will have the latest fixes and improvements. Note that it
is currently not possible to enable any v2.0 Fabric capabilities.
This is why, by default, the console offers two options: one node or five nodes. Recall that the majority of five is three. This
means that in a five node configuration, the loss of two nodes can be tolerated. Users who know that they will be deploying a
production solution should therefore choose the five node option.
However many nodes a user chooses to deploy, they have the ability to add more nodes to their ordering service. For more
information, see Adding and removing ordering service nodes.
For a five node ordering service, these nodes will be distributed into multiple zones by default, depending on the relative space
available in each zone. You also have the ability to distribute a five node ordering service yourself by clearing the default option
to have the zones that are chosen for you and distributing these nodes into the zones you have available. You can check which
zone a node was deployed to by opening the tile of the node and looking under the Node location. Alternatively, you can use the
APIs to deploy an ordering node to a specific zone. For more information on how to do this with the APIs, see Creating a node
within a specific zone.
If multizone-capable storage is configured for your Kubernetes cluster when a zone failure occurs, the nodes can come up in
another zone, with their associated storage intact, ensuring high availability of the node. In order to leverage this capability with
the IBM Blockchain Platform, you need to configure your cluster to use SDS (Portworx) storage. And when you deploy an
ordering service or an ordering node, select the advanced deployment option labeled Deployment zone selection and then
select Across all zones. To learn more about multizone-capable storage, see the Comparison of persistent storage options for
multizone clusters on OpenShift or IBM Cloud Kubernetes service.
Similar to the CA, an ordering node has only one associated container that we can adjust (if you are deploying a five-node
ordering service, you will have five separate ordering node containers, as well as five separate gRPC containers):
Ordering node container: Encapsulates the internal orderer processes (such as validating transactions) and the
blockchain for all of the channels it hosts.
As we noted in our section on Considerations before you deploy a node, it is recommended to use the defaults for the ordering
node container and adjust them later as it becomes apparent how they are being utilized.
Ordering When you anticipate that this ordering node will be part of an ordering service on many channels. Recall
node storage that the ordering service keeps a copy of the blockchain for every channel they host. The default storage
of an ordering node is 100G, same as the container for the peer itself.
If you plan to deploy a five node Raft ordering service, note that the total of your deployment will increase by a factor of five, a
total of 1.75 CPU, 3.5 GB of memory, and 500 GB of storage for the five Raft nodes. A 4 CPU Kubernetes single worker node
cluster is the minimum recommended to allow enough CPU for the ordering service cluster and any other nodes you deploy.
Important: If an ordering service is overstressed, it might hit timeouts and start dropping transactions, requiring
transactions to be resubmitted. This causes much greater harm to a network than a single peer struggling to keep up. In a
Raft ordering service configuration, an overstressed leader node might stop sending heartbeat messages, triggering a
leader election, and a temporary cessation of transaction ordering. Likewise, a follower node might miss messages and
attempt to trigger a leader election where none is needed.
For more details on the resource allocation panel in the console see Allocating resource.
Note: The ability to override the ordering service configuration by using the console or APIs is available only in paid
clusters.
{
"General": {
"Keepalive": {
"ServerMinInterval": "60s",
"ServerInterval": "7200s",
"ServerTimeout": "20s"
},
"BCCSP": {
"Default": "SW",
"SW": {
"Hash": "SHA2",
"Security": 256,
"FileKeyStore": {
"KeyStore": null
}
}
Alternatively, if you do check any of the advanced options when you configure the ordering service, those settings are included in
the JSON on the Summary panel. Any edits that you make to the JSON override what was specified in the console. You can insert
additional fields or modify the generated JSON . The overrides that are visible in the JSON on the Summary page are what is
used to override the default settings when the ordering node is deployed. If you are deploying multiple ordering nodes, then
the overrides are applied to each ordering node.
You don't need to include the entire set of available parameters in the JSON , only any advanced deployment options that you
selected in the console along with the parameters that you want to override. For example, if did not select any advanced options
in the console and you want to deploy the ordering nodes with your own value for the ServerTimeout and the statsd
address port, you would paste the following JSON into the Configuration JSON box:
{
"General": {
"Keepalive": {
"ServerTimeout": "60s"
}
},
"metrics": {
"statsd": {
"address": "127.0.0.1:9446"
}
}
}
Paste the modified JSON that contains only the parameters that you want to update into theConfiguration JSON box. For
example, if you only needed to update the value for the ServerTimeout field you would paste this JSON into the Configuration
JSON box:
{
"General": {
"Keepalive": {
"ServerTimeout": "20s"
}
}
}
Note: The ability to update an ordering node configuration is not available for ordering nodes that have been imported
into the console.
Peer or ordering node identity certificate This is the signing certificate from your external CA that the peer or
ordering node will use. This certificate must contain the Organizational Unit (OU) attribute "peer" or "orderer"
depending on the type of node it is used for.
Peer or ordering node identity private key This is your private key corresponding to the signed certificate from your
third-party CA that this peer or ordering node will use.
Peer or ordering service TLS CA certificate This is the public signing certificate created by your external TLS CA
that will be used by this peer or ordering node. The certificate needs to contain the x.509 Subject alternative name
2. Import the generated peer or ordering service organization MSP definition file into the console, by clicking the
Organizations tab followed by Import MSP definition.
Now you have the choice of creating a peer or single-node ordering service node, or ,if you have a paid cluster, a five node
ordering service.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in identity.1.pem -out identity.8.pem
Replace:
identity.1.pem with the name of the PKCS #1 private key .PEM file.
identity.8.pem with the name that you want to give your PKCS #8 private key.PEM file.
Now the private key can be used by the console. If you plan to include it in an organization MSP file, it needs to be encoded in
base64 format.
Option 1: Create a new peer or single-node ordering service using certificates from an external CA
Note: You can skip to Option 2 if you want to create a new five node ordering service. The following instructions are only
for creating a peer or single-node ordering service with certificates from your external CA.
Now that you have gathered all the necessary certificates, you are ready to create a peer or ordering service that uses those
certificates. Follow these instructions to create the peer or single-node ordering service with certificates from an external CA.
11. After you have created the peer or ordering node, you can upload the orderer admin identity to the IBM Blockchain
console. On the Wallet tab, click Add identity:
In the Name field, enter an identity name that is used for your reference only.
In the Certificate field, upload a file that contains the admin identity's signing certificate (in base64 or PEM format).
In the Private Key field, upload a file that contains the admin identity's private key (in base64 or PEM format).
After you upload the certificate and private key of the identity to the console, you can use the console associate the identity
with the peer or ordering node.
Option 2: Create a five node ordering service using certificates from an external CA
When you have a paid Kubernetes cluster on IBM Cloud, you have the additional option of deploying a five node ordering service
that uses the Raft consensus protocol. Before you deploy a five node ordering service, you need to build a JSON file that
contains all of the certificates for the five nodes by using the following instructions:
Using the certificates that you gathered above, paste in the corresponding certificate in the fields below, in base64 format.
You can convert the contents of your certificate file, <cert.pem> from PEM format into a base64 string by running the following
command on your local machine:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-d"; else echo "-b 0"; fi)
cat <cert.pem> | base64 $FLAG
[
{
"msp": {
"component": {
"keystore": “<cert>“,
"signcerts": “<cert>“,
"cacerts": [“<cert>“],
"admincerts": [“<cert>“],
"intermediatecerts": [“<cert>“]
},
"tls": {
Create the ordering service and use the certificates from the external CA for each ordering node
After you create the JSON file with all of the certificates for the ordering nodes, you are ready to create the ordering service.
9. After you have created the ordering service, you can upload the orderer admin identity to the IBM Blockchain console. On
the Wallet tab, click Add identity:
In the Name field, enter an identity name that is used for your reference only.
In the Certificate field, upload a file that contains the admin identity's signing certificate (in base64 or PEM format).
In the Private Key field, upload a file that contains the admin identity's private key (in base64 or PEM format).
After you upload the certificate and private key of the identity to the console, you can use the console associate the
identity with your ordering node.
What's next
You have gathered all of your peer or ordering service certificates from your third-party CA, created their corresponding
organization MSP definition and created a peer or ordering service. If you are following along in the tutorials, you can return to
the next step.
If you created the peer node, the next step is to Create the node that orders transactions.
If you created the node to join an existing network, the next step is to Add your organization to list of organizations that
can transact.
If you created an ordering service, the next step is to Create a channel.
1. Deploy an HSM. Utilize the HSM appliance that is available in IBM Cloud or configure your own HSM. Record the value of
the HSM partition and PIN to be used in the subsequent steps.
If you plan to use IBM Cloud HSM see this tutorial for an example of how to configure IBM Cloud HSM 6.0 with the
IBM Blockchain Platform. After that is completed you can skip to Part 3 Configure the node to use HSM.
2. Configure an HSM client image See Build a Docker image.
3. Configure the node to use HSM. From the APIs or the console, when you deploy a peer, CA, or ordering node, you can
select the advanced option to use an HSM. See Configure the node to use the HSM.
Next we build a Docker file that contains the HSM client image. These instructions assume that you have successfully configured
your HSM appliance and HSM client. Use these steps to generate an image that is consumable by the IBM Blockchain Platform
operator.
Chrystoki2 settings
LibUnix: Name of the Chrystoki2 library on x86 Linux/UNIX operating systems. The actual name of the library depends on
the type of HSM you are using.
LibUNIX64: Name of the Chrystoki2 library on 64-bit Linux/UNIX operating systems. The actual name of the library
depends on the type of HSM you are using.
LunaSA Client settings Typically no changes would be required here unless you have explicitly modified the names of these
files.
The following example shows what the file would look like if you were using IBM Cloud HSM. It provides the path to the HSM
shared object, certificate and keys. Note that the naming of these files depends on the HSM library that is being used.
Chrystoki2 = {
LibUNIX = /hsm/libCryptoki2.so;
LibUNIX64 = /hsm/libCryptoki2_64.so;
}
...
LunaSA Client = {
...
ClientPrivKeyFile = /hsm/key.pem;
ClientCertFile = /hsm/cert.pem;
ServerCAFile = /hsm/cafile.pem;
...
}
The following Docker file is for IBM Cloud HSM. If you are not using IBM Cloud HSM, you need to build your own Docker
file.
You should be aware that this Docker file automatically accepts the Gemalto client license.
Note that the 64 folder inside the Docker file is required for installing the HSM client.
FROM registry.access.redhat.com/ubi8/ubi-minimal
If the HSM client image that you published is not public, then the operator requires an image pull secret that contains a
valid username and password (or access token) for the container registry. If the image is public, the imagepullsecret is not
required and you can skip this command. To build the image pull secret named hsm-docker-secret , run the following
command in the namespace or project where you deployed the service:
Replace:
DOCKER_REGISTRY_SERVER - Registry server url where the HSM client image is hosted.
DOCKER_USER - Valid username with access to HSM client image in the container registry.
DOCKER_PASSWORD - Valid password or access token for the HSM client image in the container registry.
DOCKER_EMAIL - Email address for container registry user.
NAMESPACE - Name of the project or namespace that is visible on the consoleSupport page.
These instructions are obviously for the Docker registry. If you are using the IBM Container Registry, then you need to set up your
own image pull secret in your cluster:
$ - [Using an image pull secret to access images in other IBM Cloud accounts or external private
registries from non-default Kubernetes namespaces](/docs/containers?topic=containers-registry#other)
- [Copying an existing image pull secret](/docs/containers?topic=containers-
registry#copy_imagePullSecret)
- [Referring to the image pull secret in your pod deployment](/docs/containers?topic=containers-
images#pod_imagePullSecret)
The Kubernetes secret needs to be created in the IBM Blockchain Platform service instance namespace that is visible on the
console Support page. If you are using the IBM Cloud HSM, the command would be:
Replace <NAMESPACE> with the name of your service instance namespace or OpenShift project If you are not using IBM Cloud
HSM, you need to replace the values of the --from-file parameters with the set of certificates and configuration files that are
required for your HSM client image.
$ secret/hsmcrypto created
$ apiVersion: v1
data:
Chrystoki.conf: ""
cafile.pem: ""
cert.pem: ""
key.pem: ""
kind: Secret
metadata:
name: hsmcrypto
namespace: <NAMESPACE>
version: v1
type: hsm
resources:
limits: {}
requests: {}
securityContext:
privileged: false
runAsNonRoot: false
runAsUser: 0
library:
image: <HSM_IMAGE_URL>
auth:
imagePullSecret: <IMAGE_PULL_SECRET>
filepath: <HSM_LIBRARY_FILE_PATH>
envs:
- name: <ENVIRONMENT_VARIABLE_NAME>
value: <ENVIRONMENT_VARIABLE_VALUE>
mountpaths:
- mountpath: <MOUNTPATH>
name: <MOUNTPATH_NAME>
secret: <HSM_CRYPTO_SECRET>
paths:
- key: <KEY>
path: <PATH>
HSM_IMAGE_URL: URL of the HSM client image that you published to your container registry.
IMAGE_PULL_SECRET: (Optional) Name of the image pull secret hsm-docker-secret that you created in the same
namespace as your service. Only required if the HSM client image is not publicly available. Important: If an image pull
secret is not required, set this value to "".
ENVIRONMENT_VARIABLE_NAME - If there are any environment variables that need to be set for the HSM client, specify
them individually.
ENVIRONMENT_VARIABLE_VALUE - Value that corresponds to the ENVIRONMENT_VARIABLE_NAME.
HSM_LIBRARY_FILE_PATH: Path to the HSM library file, for example, /usr/lib/libCryptoki2_64.so.
MOUNTPATH: Location where the file or folder should be mounted.
MOUNTPATH_NAME: Name you want to use for the mountpath.
KEY: Name of the key inside the hsmcrypto Kubernetes secret.
PATH: Mount location of the file path where the key should be mounted.
HSM_CRYPTO_SECRET: Name of the Kubernetes secret that contains the keys and configuration files for the HSM that is
used by the mountpath.
Each HSM likely has a different set of keys that are required by the HSM client. Optionally replicate the "key " and " path "
sections according to the number required by your HSM client. Similarly, if multiple sets of folders need to be mounted, you can
replicate the " mountpath " section.
For example, if you are using IBM Cloud HSM, the file looks similar to:
version: v1
type: hsm
library:
image: us.icr.io/hsm/gemalto-client:v1.2.3-amd64
auth:
imagePullSecret: hsm-docker-secret
filepath: /usr/lib/libCryptoki2_64.so
mountpaths:
- mountpath: /hsm
name: hsmcrypto
paths:
- key: cafile.pem
path: cafile.pem
- key: cert.pem
path: cert.pem
- key: key.pem
path: key.pem
- key: server.pem
path: server.pem
secret: hsmcrypto
- mountpath: /etc/Chrystoki.conf
name: hsmconfig
secret: hsmcrypto
subpath: Chrystoki.conf
In this example, the first mountpath contains four configuration files (cafile.pem, cert.pem, key.pem, server.pem) and the
hsmcrypto secret, and all of them are mounted to the mountpath /hsm . The actual name of the mountpath is hsmcrypto , and
it contains an exact mapping of the key value pair to the Kubernetes secret and the location to mount it to. For example,
A second mountpath is included for the HSM /etc/Chrystoki.conf file. Because the HSM requires its config file in the /etc
folder, which is a system directory, we need to use the subpath parameter to avoid replacing the entire /etc directory. If the
subpath is not used, the entire /etc directory is replaced with the volume being mounted.
Run the following command to create the configmap named ibp-hsm-config in your cluster namespace or project:
$ configmap/ibp-hsm-config created
Important: When a node is configured with HSM, a temporary Kubernetes job is started to run this HSM "enrollment"
process. Before configuring a node to use HSM, ensure that you have enough resources in your cluster to support this job
that takes approximately 0.1CPU and 100Mi memory.
Then you are ready to deploy a new CA, peer, or ordering node that uses the HSM.
When you deploy a new node from the console, ensure that you select the advanced deployment optionHardware security
module (HSM). This option is only available on paid clusters.
If you published an HSM client image and created the HSM configmap, theUse HSM client image toggle is visible. When it is on,
you can enter the following values:
HSM label - Enter the name of the HSM partition to be used for this node.
HSM PIN - Enter the PIN for the HSM slot.
If you did not create the HSM configmap, an additional field is required:
Lastly, on the CA Summary panel, you can override the default HSM configuration, for example if you want to customize which
crypto library implementation to use. Click Edit configuration JSON (Advanced) on the Summary panel to view the JSON . Scroll
down to the BCCSP (Blockchain Crypto Service Provider) section where you can modify the crypto library settings.
When the node is deployed, a private key for the specified node enroll ID and secret is generated by the HSM and stored
securely in the appliance.
Tip: The roles played by the various participants in channel creation, as well as the underlying method used to create and
update the channel configuration, is inherited from the Hyperledger Fabric processes for creating and editing a channel.
The parameters that govern how channels function, from the organizations on the channel to their permissions to the policies,
are all contained in the channel configuration. When you create a channel, you are asked to decide on a number of these
parameters. Some options, such as the channel name, cannot be changed after a channel has been created, while other options
can only be changed after the channel has been created.
General options
For an overview of the channel creation process that ignores the advanced options, see Step four: Create a channel.
Channel name. Channels should be given distinctive names relevant to the purpose of the channel. Each ordering service
can only have a single channel with a given name. If you see an error that a name has already been given to a channel on
that ordering service, you will have to select a new name.
Ordering service. Channels are hosted on a single ordering service and cannot be migrated from one ordering service to
another.
Organizations. This section of the panel is how organizations are added or removed from a channel. Organizations that
can be added can be seen in the drop-down list. Note that an organization must be a member of the consortium of the
ordering service before it can be added to a channel. For more information about how to add an organization to the
consortium, see Add your organization to list of organizations that can transact.
A channel operator has permission to create and sign channel configuration updates. There must be at least one operator
in each a channel.
A channel writer can update the ledger by invoking a smart contract. A channel writer can also instantiate a smart
contract on a channel.
A channel reader can only query the ledger, by invoking a read only function in smart contract for example.
Update policy. The update policy of a channel specifies how many organizations (out of the total number of operators in
the channel), who must approve of an update to the channel configuration. To ensure a good balance between
collaborative administration and efficient processing of channel configuration updates, consider setting this policy to a
majority of admins. For example, if there are five admins in a channel, choose 3 out of 5 .
Advanced options
By clicking the box under advanced options, users can access parameters that users should take caution in updating. Note that if
you are attempting to change any parameter that requires the signature of ordering service admins (for example, the Block
cutting parameters or ordering service consenters) and are one of the ordering service admins on this channel, you will see a
field for the ordering service organization. Select the MSP of the relevant ordering service organization from the drop-down list (if
you are not an ordering service admin, the MSP will have to be exported to you). If you are not an admin of the ordering service
organization, you can still make a request to change one of the block cutting parameters, but the request must be signed by an
ordering service admin.
Tip: If the signature of an ordering service org admin is required, you will not see a pending tile for the channel in your
Capabilities. If you're unfamiliar with capabilities, check out Channel capabilities in the Fabric documentation. Note that
there is a strict relationship between the Fabric version of your nodes and the levels of certain capabilities that must be
followed to ensure that nodes do not crash and desired functionalities are available. Currently, only application and
orderer capabilities can be set during channel creation. For information about channel capabilities (which are a level of
capabilities that span both ordering nodes and peers and do not refer to "capabilities on the channel") and how to change
them, check out the Capabilities section below.
Lifecycle endorsement policy. (Only available on networks using v2.0 application capabilities) This defines how many
channel members must approve a smart contract definition before the smart contract can be used on the channel. This is
different from the endorsement policy of the smart contract itself as it has nothing to do with the transactions invoke
against the smart contract. Rather, the lifecycle endorsement policy is the criteria by which the organizations on the
channel collaboratively decide to use a particular smart contract and agree on certain parameters. It is possible to make
the lifecycle endorsement policy ALL (which means every channel member must approve the definition), ANY (which
means any channel member can approve the definition), or to define a specific set of organizations. Note that if you don't
specify a lifecycle endorsement policy, it defaults to MAJORITY, which means that a majority of Admins on the channel
will have to approve smart contract definitions. For more information about smart contract lifecycle endorsement, see
Deploy a smart contract using Fabric v2.x.
Smart contract endorsement policy. (Only available on networks using v2.0 capabilities) If a smart contract definition
does not define an endorsement policy for its transactions, the endorsement policy defined here will become the
endorsement policy of the smart contract. By default this policy is MAJORITY, which means a majority of endorsing
organizations will have to approve transactions that are invoked against this smart contract. However, as with the lifecycle
endorsement policy, it is possible to make the endorsement policy ALL, ANY, or to define a specific set of organizations.
For more information about default endorsement policies, see Install and propose a smart contract.
Block cutting parameters. These fields determine the conditions under which the ordering service cuts a new block. For
information on how these fields affect when blocks are cut, see the Block cutting parameters section below. Note that
changing these parameters will require the signature of an ordering service admin. If you are an ordering service admin,
you can sign this update using the Ordering service organization panel.
Ordering administrator (only available when updating a channel). This section shows the ordering service administrator
organizations for this channel.
Ordering cluster with a system channel - By default, all ordering organizations that are administrators are added to
an application channel at channel creation time. If an ordering service organization was added as an administrator of
the system channel after this application channel was created, it must be added to the channel before any nodes
belonging to it can be added as application channel consenters. Note: if your console is at a build before 2.1.3-104 ,
you will not see this option. To see the version of your build, click on the support icon in the upper right corner (it
resembles a question mark). The version will be listed below IBM Blockchain Platform version on the upper left.
Ordering cluster without a system channel - Ordering organizations that are administrators were added to the
application channel at channel creation. If an ordering service organization was created and intended to be an
administrator after the application channel was created, it must be added to the channel before any nodes
belonging to it can be added as application channel consenters.
Consenter set. The ordering service nodes on a particular channel are known in a Raft consensus mechanism as a
"consenter set". For this reason, the ordering nodes in a consenter set are sometimes referred to as "consenters". The
orderer's system channel (when applicable) will always contain all of the possible consenters available in a network (its
consenter set is "all consenters"), while application channels might have all consenters or some subset of consenters. It is
possible to add or remove particular nodes from this consenter set during both the creation of an application channel and
through a channel update. For example to add newly created orderers, if a system channel is being used they are first
added to the system channel, then to the consenter set of an application channel. To add a node to the consenter set, first
Ordering service signature. If changes to the configuration are made that require the signature of an ordering service org
admin (for example, to the block cutting parameters, orderer capability, or consenter set), this panel will allow you to send
the change to the relevant ordering service admin organization. The console where the ordering service organization MSP
was created will see a signature notification. After the ordering service organization signs the channel update request, it is
sent back to the organization that requested the channel update to be submitted.
Access control lists (ACLs). To specify a finer grained control over resources, you can restrict access to a resource to an
organization and a role within that organization. For example, setting access to the resource ChaincodeExists to
Application/Admins would mean that only the admin of an application would be able to access the ChaincodeExists
resource. Users have the option to edit the access control list one at a time or by uploading a JSON containing the list. For
more information about Access Control, see Access Control Lists (ACLs) in the Fabric documentation.
Important: If you restrict access to a resource to a particular organization, be aware that only that organization will be
able to access the resource. If you want other organizations to be able to access the resource, you will have to add
them one by one. As a result, consider your access control decisions carefully. Restricting access to certain
resources in certain ways can have a highly negative effect on how your channel functions.
The other organizations have the choice of whether to participate in this channel (for example, whether to join peers to it), but it
is assumed that the collaborative process of deciding on the channel configuration will happen out of band, before an
organization creates the channel.
Updating a channel is different. Rather than an organization acting alone, channel updates follow the collaborative governance
procedures that are fundamental to the way the IBM Blockchain Platform functions. This collaborative process involves sending
the channel configuration update requests to operator organizations that have an administrative role in the channel.
Because selecting Anchor peers and Joining a peer to a channel are actions that only require the signature of the organization
performing the action, they are updated through the Channel details panel inside a channel. To update other parameters, you
must click on the Settings button next to the channel name at the top of the page and initiate a channel configuration update
transaction. A panel will appear that looks very similar to the panel you use to create a channel.
Important: For signatures to be verified, all of the organizations on a channel (including the ordering service
organizations) should export the MSPs representing their organizations to the other organizations on the channel. To
export an MSP, click the download button on your MSP (on the Organizations tab), then send it to other organizations out
Whenever a channel request is made that requires signatures (whether it is during channel creation, as when an ordering service
admin signature is required, or during a channel update, when channel operators will likely need to sign), it will be sent to the
organizations in the channel whose signatures are required. For example, if there are five operators (channel admins) in a
channel, an update request will be sent to all five. For the channel request to be approved, the number of channel operators
listed in the channel update policy must be satisfied. If this policy says 3 out of 5 , the new channel configuration update will
take effect after three organizations have signed it and it has been submitted.
This process of knowing when you have an update to sign, as well as signing it, is handled through theNotifications button
(which looks like a bell) in the top right of the console. When you see a blue dot on the Notifications button, it means that you
either have a pending request to evaluate or are being notified of a channel-related event.
When you click on the Notifications button, you may have one or more actions you have the ability to take:
Needs attention: a request needs to be signed or submitted (if all required signature have already been collected). The
request might be to either your peers or ordering service, depending on the organizations in your console.
Open: includes everything that needs attention as well as requests that have been signed by the user but still need to be
signed by one or more other channel members.
Closed: requests that have been submitted. No actions to be taken on these items. They can only be viewed.
All: includes both open and closed requests.
If a channel configuration update request has been made, you have the ability to click onReview and update channel
configuration and see the changes to the channel configuration update that are being proposed or have been made (if the new
channel configuration has been approved). If you are an operator on the channel, and not enough signatures have been gathered
to approve the channel configuration update request, you will have the ability to sign the update request.
Note: You are not required to sign a channel configuration update, however note that there is no way to signagainst a
channel update. If you do not approve of a channel configuration update, you can simply close the panel and reach out to
other channel operators out of band to voice your concerns. However, if enough operators in the channel approve of the
update to satisfy the channel update policy, the new configuration will take effect.
First thing you will see is the Organization updating channel panel. Here you will specify the organization (MSP) and admin
identity that will be submitting this channel configuration update. From here, you can navigate down to the parameter you want
to change, which includes all of the same parameters you specified when creating the channel other than the channel
capabilities and the ordering service administrator, which are only available when updating a channel.
Tip: If your console is at a build before 2.1.3-104 , you will not see the ordering service administrator option. To see
the version of your build, click on the support icon in the upper right corner (it resembles a question mark). The version will
be listed below IBM Blockchain Platform version on the upper left.
If you are attempting to change any parameter that requires the signature of ordering service admins (for example, theBlock
cutting parameters or ordering service consenters) and are one of the ordering service admins on this channel, you will see a
field for the ordering service organization. Select the MSP of the relevant ordering service organization from the drop-down list. If
you are not an admin of the ordering service organization, you can still make a request to change these fields, but the request
When you are done making your updates, the Review channel information panel will allow you to review your changes and then
submit them.
Anchor peers
Because cross organizational gossip must be enabled for service discovery and private data to work, each organization should
specify at least one anchor peer on each channel. This anchor peer is not a special type of peer. It is just the peer that
bootstraps cross organizational gossip.
Note that while anchor peers are a channel configuration parameter, they are not set through the normal process of creating and
editing a channel configuration.
To configure a peer to be an anchor peer, click theChannels tab and open the channel where the smart contract was deployed.
As with the process for joining any peer to any channel, make sure that the database type of this peer is compatible with the
database type of the channel. Similarly, ensure that the Fabric level of this peer is at the application and channel capability
levels of the channel.
Note that after a peer is removed from a channel, it might still show as being joined to the channel. This is because the ledger
information of the channel up to the point the peer was removed is still available on the peer. Removing the peer from the
channel means that the peer will receive no new channel updates, including the update that indicates that it is no longer a part
of the channel. If you have any other peers joined to the channel, you can check the ledger height of those peers as compared to
the peer that was removed to confirm that the removed peer is not receiving new blocks.
Capabilities
Tip: For a thorough look at what capabilities are how they work, check out Channel capabilities.
The capability levels of a channel and the Fabric versions in the nodes on that channel must be coordinated in order for nodes
and channels to function properly. That is because both nodes and capabilities work together to ensure that transactions are
handled deterministically (that is, that all of the nodes process a transaction the same way). While the Fabric versions of a node
are compatible with lower levels of capabilities, capabilities cannot be processed by lower levels of nodes. If a v1.4.x node
attempts to read a configuration block containing a v2.x capability, the node will crash. For this reason, the console will attempt
to ascertain the nodes that will be affected by a capability update and either warn you (or stop you) from updating a capability if
it will cause a node to crash. More on this later.
1. Upgrade all of the nodes in the channel. For more information, check out Upgrading to a new version of Fabric.
2. Update the relevant capabilities of the channel. Do not attempt to edit the capabilities until you are sure your nodes are at
the appropriate Fabric versions.
3. To use the 2.x smart contract lifecycle, an organization must have an endorsement policy defined. If any organization in
the consortium (the list of organizations maintained by the ordering service that are allowed to create channels) do not
have an endorsement policy defined, a warning message will appear on the Details page of the ordering service with a list
of organization MSPs that must be updated. The best practice to add this endorsement policy to the MSP is to delete the
MSP from the system channel and then re-add the MSP. The console detects the fact that the MSP does not contain the
endorsement policy and automatically adds it. Note that this action can only be completed by an ordering service
administrator. You do not need to delete and re-add the MSPs in the configuration of any application channels that have
already been created. For these MSPs, the endorsement policy is added as part of the process of deploying the smart
contract using the v2.x lifecycle.
Tip: The application and channel capabilities are relevant to peers, while the orderer and channel capabilities
are relevant to the ordering service.
While all capabilities can be edited as part of a channel configuration update request, you have the opportunity to edit these
capabilities in a few places:
Note that what you see in this section will depend on the configuration of your channel and the Fabric level of your peers and
ordering nodes, as only valid and possible capability upgrades will appear. For example, if your channel, orderer, and
application capabilities are already at the highest level, you will only see the capability levels that have been selected. Similarly,
you will not see potential capability updates if your nodes in the channel are not at a sufficient Fabric level to process the
capability. Note that in orderers that use a system channel the default orderer capability shown is inherited from the system
channel. Orderers that do not use a system channel will default to using v2_0 capabilities. While the default application
capability is set to a reasonable level that will ensure that peers who attempt to join the channel will not crash. The application
capability can always be updated later.
Important: To ensure that you will always be able to see and propose updates to get a channel to the latest capability
levels, it is a best practice to upgrade your peers and ordering nodes to the latest Fabric version as soon as it is
available in the console. From a channel management perspective, it is also a best practice to discuss capability updates
with other organizations before proposing a change. This will allow organizations to update nodes, as necessary, before
the channel update request is submitted.
Tip: In order to edit the orderer or channel capabilities in the system channel, your organization must be an ordering
service administrator.
To edit these capabilities, click on the Settings button inside the ordering service. Then click Capabilities. Note that the channel
Important: It is not possible to update the orderer or channel capabilities to a level that will crash your ordering
nodes. If you want to update your capabilities on the system channel screen, you must first upgrade your nodes.
If you attempt create a channel with a orderer capability other than the default, the channel creation request must be signed
by an ordering service organization. If this capability is incompatible with the Fabric version of your ordering nodes, the console
blocks the signature from completing, as a successful signature would crash any ordering nodes at the lower Fabric version. You
must upgrade all of the relevant nodes before the channel creation request can be signed.
Similarly, the console will block any attempt to join a peer to a channel with an application or channel capability it is
incompatible with to prevent the peer from crashing. The peer must be upgraded before it can be joined to the channel.
Because channel creation requests cannot be edited, if a capability is selected in error, a new channel creation request must be
made. {tip}
The following table shows the compatibility levels of peer image versions with the application capability level of a channel and
which smart contract deployment process is used:
Peer Uses legacy smart contract Uses Fabric 2.x smart contract
image
2.x deployment flow and requires smart contract in .cds lifecycle and requires smart contract in .tgz file
file format. format.
A peer that runs a Fabric 1.4.x image can join a channel that is configured with application capability 1.4.x. But that peer
cannot join a channel that is configured with application capability 2.x.
If a channel application capability level is upgraded to 2.x before the peer 1.4.x image is upgraded to 2.x, the peer stops
functioning and needs to be upgraded to the 2.x image.
It is possible for a peer that is running a 2.x image to join a channel with application capability 1.4 and another channel
with application capability 2.x at the same time. But smart contracts on the peer in .cds format use the legacy smart
contract deployment process where they have to be instantiated on the channel withapplication capability 1.4. Smart
contracts on the peer in tar.gz format follow the Fabric 2.x smart contract lifecycle process on the channel with
application capability 2.x.
Like the orderer and channel capabilities, the application capability level can be edited through a channel configuration update.
Important: If you are using the SDK to create or edit a channel, take caution to not submit a channel configuration with
an invalid application capability. Because application capabilities are not validated by the ordering service, invalid
application capabilities are not flagged. Because the peers cannot process capabilities that do not exist, the peers will
crash when attempting to read the configuration block containing an invalid capability. Because the peers will be unable to
progress beyond this configuration block, it will not be possible to reverse this configuration block and submit another one
to "fix" the problem. A channel in this state is unrepairable.
The following parameters are available in the console by clicking the orderer node in theNodes tab and then clicking its Settings
icon. Click the Advanced button to open the Advanced channel configuration for the orderer.
Absolute max bytes Set this value to the largest block size in bytes that can be cut by the orderer. No transaction may be
larger than the value of Absolute max bytes . Usually, this setting can safely be two to ten times larger than your
Preferred max bytes . Note: The maximum size permitted is 99MB.
Max message count Set this value to the maximum number of transactions that can be included in a single block.
Preferred max bytes Set this value to the ideal block size in bytes, but it must be less thanAbsolute max bytes . A
minimum transaction size, one that contains no endorsements, is around 1KB. If you add 1KB per required endorsement,
a typical transaction size is approximately 3-4KB. Therefore, it is recommended to set the value of Preferred max bytes
to be around Max message count * expected averaged tx size . At run time, whenever possible, blocks will not
exceed this size. If a transaction arrives that causes the block to exceed this size, the block is cut and a new block is
created for that transaction. But if a transaction arrives that exceeds this value without exceeding the Absolute max
bytes, the transaction will be included. If a block arrives that is larger thanPreferred max bytes , then it will only
contain a single transaction, and that transaction size can be no larger than Absolute max bytes .
Batch timeout
Set the Timeout value to the amount of time, in seconds, to wait after the first transaction arrives before cutting the block. If you
set this value too low, you risk preventing the batches from filling to your preferred size. Setting this value too high can cause the
orderer to wait for blocks and overall performance to degrade. In general, we recommend that you set the value of Batch
timeout to be at least max message count / maximum transactions per second .
Important: When you modify these parameters, you do not affect the behavior of existing channels on the orderer; rather,
any changes you make to the orderer configuration apply only to new channels you create on this orderer.
Important: Because ordering nodes that use a system channel can only belong to a single ordering service, if you create
an ordering service node from the main Nodes panel, you will not be able to add it to an existing ordering service. If you
want to add a node to an existing ordering service, the node must be created specifically for that purpose using the
process described below. Also, be aware that adding nodes to an ordering service does not automatically add them to
any existing channel. That is a separate process that must take place after the node has been added to the ordering
service. For more information, see Adding and removing ordering service consenters.
In Raft, a majority of the total number of nodes is needed to form a quorum. In other words, if you have one node, you need
that node available to have a quorum, because the majority of one is one. Similarly, if you have two nodes, you will need both
available, since the majority of two is two (for this reason, a configuration of two nodes is discouraged; there is no advantage to a
two node configuration). In a similar vein, the majority of three is two, the majority of four is three, the majority of five is three,
and so on.
While satisfying the quorum will make sure the ordering service is functioning, production networks also have to think about
deployment configurations that are highly available (in other words, configurations in which the loss of a certain number of
nodes can be tolerated by the system). Typically, this means tolerating two nodes failing: one node going down during a normal
maintenance cycle, and another going down for any other reason (such as a power outage or error).
This is why, by default, the console offers two options: one node or five nodes. Recall that the majority of five is three. This
means that in a five node configuration, the loss of two nodes can be tolerated. If your configuration features four nodes, only
one node can be down for any reason before another node going down means a quorum has been lost and the ordering service
will stop processing transactions.
For this reason, it is considered a best practice to have an odd number of nodes in an ordering service. There is nothing wrong
with an even number of nodes, but they add costs without making the ordering service more highly available.
Overview
Adding a node to the ordering service is, at a high level, a three step process.
If you have already created an ordering service, you can reuse the CA, MSP, node identity, and admin identity you created as part
of that process when creating the new node and can skip down to the Create the node section below. If you are creating the
node using either a separate console and separate organization (or both), proceed to Create the node using a separate org and
console.
Important: As part of describing the process for creating a new node from a separate console, we will refer to "Console
1" and "Console 2". Console 1 is the originating console; it's where the ordering service was originally created. Console 2
is where a user is attempting to create a new node for this ordering service using a different organization in a different
console.
Unless you have already created new nodes for this ordering service, do not reuse an existing CA and MSP.
The process of creating a CA, registering identities, and creating an MSP is identical to the process described in Creating your
ordering service organization CA from the Build a network tutorial. However, use the following values:
After your CA has been created and your identities have been registered, create the MSP representing your organization and an
admin representing that organization using the following values:
Until your organization is an administrator of the ordering service, you cannot add a new node to it.
This MSP can then be added as an ordering service administrator by clicking on the tile representing the ordering service and
then the Add ordering service administrator tab and selecting Ordering Service 2 MSP from the drop-down list.
Tip: While it is also possible to upload a JSON representing the MSP by clicking theUpload JSON tab, be aware that if you
do this, the MSP will not appear in the Organizations tab and will therefore not be selectable later (for example, when
updating an application channel to add the MSP as an ordering service administrator). For this reason, the best practice is
to import the MSP through the Organizations tab first.
After the MSP has been added as an ordering service administrator, the operator of Console 1 must export the ordering service
to Console 2. To export a node, navigate to the node and click on the "download" button (the button looks the same as it does in
the above image showing the download of Ordering Service2 MSP ). Then send the JSON file representing the ordering
service to the operator of Console 2.
After Console 2 has imported the Ordering Service , they will be able to create the new node.
Tip: While it is not possible to ensure that the ordering service is available (that is, that a quorum of nodes are up and that
a leader has been elected) without Viewing your node logs, it is a best practice to minimally ensure the likelihood that a
quorum exists by verifying that the pods where the nodes have been deployed are available. This can be done by checking
to make sure the relevant pods are active in the Kubernetes dashboard or by issuing kubectl get pods -n
<namespace> and checking on the pods. If you do not have access to the cluster where all of the ordering nodes were
created, contact the administrator of the relevant clusters. If a quorum of nodes is not available, it will not be possible
to add another node to the ordering service.
To add a node, click on the tile representing the ordering service in theNodes panel. Then click on the Ordering nodes panel
and the Add another node tile. Then click Create an ordering node. This will open a series of panels similar to the process for
creating an ordering service.
Give the node a display name. A best practice will be to give the node a display name that matches the pattern used for
the other nodes in the ordering service. By default, nodes are given the name <name of ordering service>_1 , <name
of ordering service>_2, and so on.
Select a CA. This should be the CA used to create your MSP.
Enter an enroll ID and secret. Again, if you created an enroll ID and secret for your existing ordering nodes, you may use
the same enroll ID and secret here.
Select an MSP. If you are adding to an ordering service you created in your console, reuse the MSP you used when
creating that ordering service. If the new node is being added to an ordering service created elsewhere, use the MSP you
exported to that console.
Choose a Fabric version for the new node. Note that this must be the same Fabric version used by the other nodes in the
ordering service. If you choose a different Fabric version, the new node will be unable to join the consenter set.
Associate identity. You will only have to associate an identity if you are using a different MSP from the MSP that was
originally used when creating the ordering service.
Tip: The TLS Certificate Signing Request (CSR) hostname is an option available to advanced users who to want specify a
custom domain name that can be used to address the ordering service endpoint. Custom domain names are not a part of
this tutorial, so leave the TLS CSR hostname blank for now.
CA Ordering Service2 CA
After reviewing the Summary page, click Add another node. This will submit the creation request.
To complete the process of adding the node, you need to add it to the consenter set of the system channel (if applicable). For
information about how to do that, proceed to the next section. Ordering clusters that do not use a system channel can skip to the
step Add Ordering Service2 MSP to channel1
Important: This step must be completed in the console that created the new node. If you followed the steps for creating
a node from a different console, this would be Console 2.
After the ordering node has been successfully added, a new tile with the name of the node will appear on theOrdering nodes
page. It will say it "Requires attention". This state reflects the fact that, while the node creation process has been successful, the
node is not yet part of the consenter set of the system channel. The node must be added to the system channel before it can be
added to any of the application channels.
Tip: Recall that the "consenter set" refers to the ordering service nodes actively participating in the ordering process on a
channel, while the "system channel", which is managed by the ordering service, forms the template for application
channels.
To add the node you created to the system channel, click on the node. You will see aAdd node to ordering service button. Click
this button. After the node has been added to the ordering service, the node should now be part of the system channel.
Note that it will take a few minutes for the new node to sync with ordering service in the system channel. During this time,
you may see a message that your ordering service is down. This is normal --- the ordering service must come down while the
new node is syncing. Any transactions proposed during this time will fail and will have to be resubmitted by the client
application.
If you created this new node and added it to the system channel from a different console (Console 2), you must then export it to
the console that originated the ordering service (Console 1). If the new node was added in Console 1, you can skip down to
Adding the node to the application channel.
To do this, click on the node and then on the "download" button. This will download a JSON representing the node to your
filesystem. This JSON can then be sent to other network members out of band.
Note that adding a new node to the system channel does not automatically add the node to any application channels.If you
want to add this node to any existing application channels, you will have to add them to the consenter set of each of those
channels separately. For information about how to do that, see Adding an ordering node to the consenter set of a channel.
To do this, click on the tile representing the ordering service, which in this tutorial is called Ordering Service. Then click on
the Ordering nodes tab and then the Add another node tab.
Then click Import an existing node. After clicking Add file, find the JSON representing the Ordering Service_2 node that was
sent to you by the operator of Console 2. After you have added the Ordering Service_2 node, you should see it on the
Ordering nodes page.
Update channel1 to add the Ordering Service2 MSP and the Ordering Service_2 node
Because this tutorial presumes that a user is adding a node to a channel that was created as part of theBuild a network tutorial,
the channel the Ordering Service_2 node is being added to, channel1 , does not yet have the newly created ordering service
organization, Ordering Service2 MSP , as one of the administrators of the channel. While a new ordering node can be added
to a channel even if the organization that owns the node is not an administrator of the ordering service, it is a best practice to add
the organization that owns the node when you add the node.
Because you are editing a part of the channel configuration that is governed by ordering service organization admins, you will be
asked to send the channel configuration update to an ordering service organization admin to be signed as part of the
configuration update process. This organization can be any of the organizations that is an admin of the ordering service, not
just one of the organizations that owns one of the consenters that is already in the channel. In this tutorial, that means selecting
Ordering Service MSP . Do not select Ordering Service2 MSP here as it is being added as part of this channel
configuration update.
Important: If your console is at a build before 2.1.3-104 , you will not see this option. To see the version of your build,
click on the support icon in the upper right hand corner (it resembles a question mark). The version will be listed below
IBM Blockchain Platform version on the upper left.
After the organization has been added, we can add the consenter.
Tip: It is possible to add a node to the consenter and add the MSP of the organization that owns the node as part of the
same channel configuration update.
After the Ordering Service MSP has signed the channel configuration update, the organization that initiated the channel
update will get a notification that it must sign and submit the channel configuration update. This notification, like all notifications,
will be located in the upper right of the screen behind the Notifications icon, which resembles a bell. For more information about
how signature collections work, see Signature collection flow.
It will take a few minutes for the new node to sync with the consenter set of the application channel. The time involved
depends on a number of factors, including the number of blocks in a channel. During this time, the ordering service may be
down. After the node has been successfully added to the application channel, you will see it in the Ordering nodes tab.
Joining an orderer to an application channel will make it either a follower or a consenter . It will be a consenter if the node is
found in the the channel's config block in the consenters section. Otherwise the orderer will be a follower . Both types of
orderers will receive transaction/block data, but only a consenter can vote and play a role in the consensus algorithm. A node
can be promoted from a follower to a consenter by first joining it to the channel, and then editing the channel's config to
add it as a consenter. Similarly these steps can be reversed to demote an orderer and unjoin it completely if need be.
Joining an orderer to the application channel can be started by clicking the cluster's tile. Next click either the plus sign on a
channel tile or the Join channel blue button. Follow the prompts and select which orderer nodes to join. Then click Submit .
Once an orderer has joined it will begin downloading blocks to catch up to the current level.
As part of this same process, make sure to reach out to the other console operators to let them know that the node has been
deleted so they can remove the tile from their console.
Important: Note: if you remove all of the ordering nodes that originally formed the consenter set of a channel, you might
have to create a mapping from the old ordering nodes to the new nodes by editing the configuration of any new peers you
attempt to join to the channel. For more information, see Mapping to existing ordering nodes.
If none of the ordering nodes that were consenters on the channel are still up, any peer attempting to join the channel will try
and fail to connect to the nodes listed in the genesis block and be unable to proceed past that point.
In these cases, it is necessary to edit the configuration of the peer itself with a code snippet provided by the console. This code
snippet will point the peer to one of the ordering nodes servicing the channel and allow the ledger of the channel to be pulled
from that node.
When you see this screen, copy the code snippet. Note the addressOverrides section. It should contain the address of one of
the original ordering nodes as well as the address of one of the nodes now servicing the channel.
Then, paste the code snippet into the configuration of the peer. To do this:
The peer will automatically restart. When it is back up, you should be able to join the channel.
Note that you may have to edit the configuration of a peer multiple times, depending on the status of the ordering nodes on
different channels. The override logic is designed to handle more than one "override" section in the peer configuration.
Important: Don't copy the configuration snippet used as an override for one peer and use it on any other peers. Similarly,
don't open the configuration of the peer and copy the section from that peer into another peer. Use the code snippet
provided on the Join a peer to a channel screen and paste it into the peer configuration for each peer. This will ensure
that the orderer override will work properly.
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
While it is no longer necessary to associate an admin identity when importing a node, there are cases where you will want to
import the admin identity associated with a node or MSP.
$ 1. A node will be deployed in one console and operated from another. In these cases, the relevant
admin identity must be exported and imported, or a new admin identity for the node must be created.
With the exception of upgrading the version of a node, it is possible to perform many of the same
administrative actions on an imported node as on a node that was created within a console.
2. A node or MSP simply has to be known by a console so that it can be selected from a drop down
list. For example, when creating a channel, it is necessary to choose which ordering service the
channel will be hosted on. Similarly, when performing many channel actions, it can be necessary to
specify one or more MSPs. In neither case is the person selecting the MSP an admin of the node or the
organization. However, they do require the tile representing the node or MSP in their console so it
can be selected from the drop down list.
Note that when you import a component, you do not actually import the physical component into your cloud provider. Instead,
the console uses the information in the JSON to build a representation of the component that can be operated from the console.
Likewise, when you delete an imported node from the console, the node itself, which is still running at the location where it was
deployed, is not deleted. It is simply removed from the console where it was imported.
After you import a node into the console, you can also modify its connection information by using the node'sSettings tab.
As you will see below, there are two ways to export and import components and identities: in bulk, or one at a time. Each fulfills a
different use case and has different considerations and limitations.
Limitations
While importing nodes provides the ability to perform many of the actions that can be performed on the console where a node or
identity was created, there are a few limitations on the ability to administer imported components:
All nodes to be imported must have been deployed by using the IBM Blockchain Platform console or IBM Blockchain
APIs.
You cannot patch nodes that have been imported into the console.
You cannot delete nodes that you imported into the console from the cluster where they were deployed. You can only
remove the node from the console it was imported to.
You cannot override the settings of an imported node by using the Edit configuration button to update the JSON.
If you are importing a node that is deployed on a network deployed locally, you must ensure that the gRPC web proxy port
used by the component is externally exposed to the console. For more information, see Importing nodes from a locally
deployed network.
When you open the tile of an imported node, the Fabric version is not visible and theUsage and info tab is not available,
even if you have also imported the admin identity.
While exporting and importing components in bulk is highly convenient for some use cases, there are important considerations
to keep in mind:
While you have the option to check or deselect the boxes representing peers, CAs, ordering services, MSPs, and identities,
you cannot, for example, choose to export only some peers and not others. If the peer box is checked, every peer will be
included in the ZIP, and likewise for other components.
If a console has already imported some of the information contained in a bulk transfer, for example a few of the peers,
duplicate representations of these components will appear in the console after performing the import. These duplicates
If you import a bulk data transfer of nodes and do not also import identities, you will have to perform the separate step of
associating identities with the nodes. There are a few ways to procure an identity that can operate a node. For more
information about, see Gathering certificates or credentials. Regardless of the process used to acquire the identity, after the
bulk import has been completed you will need to click on each imported node. For peers and ordering nodes, a box on the left of
the screen will say Identity not associated with (peer or ordering node), depending on the node in question. After clicking on
this box, you will be able to associate the relevant identity by selecting it from your Wallet. Note that this process is distinctly
different than the process for importing individual nodes, where you will be asked to associate an identity as part of the import
process.
You will also need to associate an admin identity for the CA. This process is similar to the peer and ordering node process except
that after you click on the imported CA you will see a separate screen asking you to associate an identity rather than a box on the
left.
For cases where bulk data transfers are impractical or inadvisable, you can follow the steps below to export and import
components and identities one at a time.
Important: Because identities contain private keys, be careful when exporting them to ensure they are handled securely.
If a private key is compromised, it can be used to perform malicious actions.
Each IBM Blockchain Platform component is deployed with the signing certificate of an administrator inside. When actions
requiring the permission level of an admin are performed against the component, the signing certificate of the entity attempting
the action is checked against the signing certificate inside the node. If they don't match, the action is denied. In this way, these
certificates, which are also known as "keys", allow the administrator to operate their components.
1. Import the admin identity into your Wallet before importing the node itself (the administrator of the console where the
node was created will need to export the node and the admin identity).
2. If the admin of the node does not want to share their admin identity, there are two other ways to become an admin of the
node:
The administrator of the console where the node was created can create a new admin identity, associate it with the
node as an additional admin identity, and export that identity to your console along with the node.
The other option has five steps:
The admin of the CA that was used to create the relevant identities for the peer and peer organization can register a
new identity.
Then, they can send the enroll ID and secret of that identity to the importing console, as well as exporting the CA.
The importing console can then take the imported CA and use the enroll ID and secret to create a new identity.
In either case, because this new admin identity would only be an admin of the peer and not the organization that owns the peer,
it preserves a separation of roles between the organization admin (the sign cert listed in the MSP, which might also be the peer
admin in the console where the peer was created), and the new admin of the peer which was just created and associated. This
peer admin would not be an organization admin by default. However, if it fits a use case to make an identity the admin of both
the organization and an imported peer, this is achievable, see Updating an organization MSP definition.
Note that this flow would be most practical for a peer, since the admins of ordering nodes do not have many responsibilities in
the IBM Blockchain Platform.
If you don't intend to operate the node (or in the case of a multi-node ordering service, the nodes), you do not have to import and
associate an admin identity.
To import a new identity, open the Wallet tab and click Add identity. If you want to upload .pem certificates manually, click
New identity and use the fields under Manual entry to give the identity a name and to upload the signing certificate and private
key of the identity. If you have a JSON that was exported from another console, click Upload JSON and then Add files, then
select the appropriate JSON from your local file system and click Add identity. While you will have this option between entering
certificates manually or using a JSON for each node, in this topic it is assumed that you have the relevant JSON handy.
After you complete the Add identity panel, you can view the new admin identity in your Wallet and select this identity when
importing any nodes it is associated with. You will also be able to use this identity when creating new MSPs and components.
To act as an administrator for an organization, you must have an identity in your Wallet listed in the MSP as an admin of the
organization. This means either importing the identity listed in the MSP or by following the process listed in Updating an
organization MSP definition. This MSP can then be exported to the console where the added identity was created, making the
exported identity able to act as an admin of the organization.
The exports and imports of MSPs are performed in the Organizations tab.
1. Navigate to the Organizations tab and click your organization MSP tile.
4. Share this file with the other organization admins of your channel.
Note: Under some circumstances, it is possible that the Node OU checkbox may be visible and checked when you import an
MSP into your console. If that occurs, it is recommended that you leave it checked so that it enables Fabric Node OU support for
the MSP, which simplifies the certificate renewal process for you in the future.
Repeat these steps for each organization that is included in your channel.
Importing a peer
A peer is the blockchain component that maintains a ledger and runs a smart contract to perform query and update operations
on the ledger. Organization members own and maintain peers. Each organization that joins a consortium should deploy at least
one peer and minimally two for High Availability (HA) on each channel. You can learn more about peers in the overview of
blockchain components.
After you import a peer into the console, you can install smart contracts on the peer and join the peer to channels.
Note: If you want to add more peers or create additional admin identities for a peer or peer organization, you need to import the
relevant CA (the one that was used to create the MSP and identities for the peer organization) and then use that CA to register
and enroll identities.
Note: If you see the location field during import, you can choose whether to specify the location where the peer was
created or to have the peer re-exported, in which case the console will not ask for this information.
After you import the peer into the console, you can install smart contracts on the peer and join the peer to channels in your
blockchain.
Importing a CA
A CA node is the blockchain component that issues certificates to all network entities (peers, ordering services, clients, and so
on) so that these entities can communicate, authenticate, and ultimately transact. Each organization has their own CA that acts
as their root of trust. You should add your organizations whether you are joining or building a blockchain consortium. You can
learn more about CAs in the overview of blockchain components.
After you import a CA, you can use it to register and enroll users or create organization definitions exactly as you would with any
other CA.
To import a CA to the IBM Blockchain Platform console and operate it, the network operator must have already exported the CA
from the IBM Blockchain Platform where it was deployed. Importing a CA allows you to register new users and enroll identities.
How to import a CA
Navigate to the Nodes tab.
1. Click Add Certificate Authority, followed by Import an existing Certificate Authority, and click Next.
2. Click Add file to upload the CA JSON file that was exported from the console where it was originally deployed.
3. If you want to operate the CA, after it has been added, click on it in theNodes panel. Then click Associate identity and
select the CA admin identity from your Wallet.
Note: If you see the location field, you can choose whether to specify the location where the CA was created or to have
the CA re-exported, in which case the console will not ask for this information.
After you have imported the CA into the console, you can use your CA to create new identities and generate the necessary
certificates to operate your components and submit transactions to the network. To do this, you will need to associate an admin
identity with the CA. To learn more, see Managing certificate authorities.
Tip: If you are having trouble with an ordering service you imported, it might be because it was exported too long ago for
the JSON representing it to have all of the latest necessary fields in it that allow certain features to work. Reach out to the
administrator of the console where the ordering service was created and ask them to re-export the ordering service.
If your orderers are using a system channel, it is far more useful to become an admin of the ordering organization itself. This role
gives you administrative rights over the ordering service (allowing you to add organizations to the consortium or nodes to the
ordering service) as well as over the system channel, giving you the permission to modify system channel capabilities.
Note that it is not necessary for your organization to become an ordering service administrator. You will still need to import the
ordering service if you want to create or edit a channel (your organization must be added to the consortium by an ordering
service administrator first), as your console must know about the ordering service before you can select it from the drop down
list.
1. If you have not already done so, navigate to theOrganizations tab and export the MSP of one or more peer organizations.
Then, send this MSP, which represents your organization, to an administrator of the ordering service (which in this case is
not necessarily an admin of any ordering nodes, but an organization with administrative control over the system channel).
This ordering service administrator can make your organization one of the ordering service organizational admins or add
your MSP to the consortium (giving your organization the ability to create channels), or both. Note that if your organization
has been made one of the ordering service organizational admins, you have the ability to add your own organization to the
consortium.
2. After your MSP has been added as an ordering service administrator or to the consortium (or both), import the JSON
representing the ordering service (as with the other nodes, this ordering service must be exported from the console where
the ordering service was created). Then, navigate to the Nodes panel. Click Add ordering service, followed by Import an
existing ordering service. Then click Next.
3. Click Add file to upload the ordering service JSON. Note that regardless of how many nodes are in this ordering service,
the JSON representing this ordering service will be one file.
It is not necessary to associate an identity with an ordering service in order to create a channel on an ordering service or to join
members to the consortium (the latter is handled by ordering service organizations, not the ordering node itself).
Note: If you see the location field, you can choose whether to supply the location or to have the ordering service re-
exported, in which case the console will not ask for this information.
After you have imported the ordering service into the console, you can add new organization members to the consortium (if your
MSP was added as an admin of the ordering service) and select the ordering service when creating new channels (if your
organization has been added to the consortium).
As an example, you can find the JSON file of a peer below. To communicate with the peer from another console, you need to
ensure that the grpcwp_url port, port 32403 in this example, is open to external traffic.
{
"name": "peer",
"grpcwp_url": "https://9.30.252.107:32403", \\ensure that port 32403 is externally exposed
"api_url": "grpcs://9.30.252.107:30891",
"operations_url": "https://9.30.252.107:30222",
"type": "fabric-peer",
"msp_id": "org1msp",
"pem":
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGekNDQWI2Z0F3SUJBZ0lVUi9zMGxGTG5ZNmdWRmV1Mlg5ajkrY3JDZFBr
d0NnWUlLb1pJemowRUF3SXcKWFRFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVE0d0RBWURWUVFERXdWMGJITmpZVEFlCkZ3MH
hPVEEyTVRBeE9USXhNREJhRncwek5EQTJNRFl4T1RJeE1EQmFNRjB4Q3pBSkJnTlZCQVlUQWxWVE1SY3cKRlFZRFZRUUlFdzVPYjN
KMGFDQkRZWEp2YkdsdVlURVVNQklHQTFVRUNoTUxTSGx3WlhKc1pXUm5aWEl4RHpBTgpCZ05WQkFzVEJrWmhZbkpwWXpFT01Bd0dB
MVVFQXhNRmRHeHpZMkV3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPClBRTUJCd05DQUFUYUtyN2srUHNYeXFkWkdXUHlJUXlGMGQxU
kFFdmdCYlpkVnlsc3hReWZOcUdZS0FZV3A0SFUKVUVaVHVVNmtiRXN5Qi9aOVJQWEY0WVNGbW8reTVmSkhvMXd3V2pBT0JnTlZIUT
hCQWY4RUJBTUNBUVl3RWdZRApWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFUQWRCZ05WSFE0RUZnUVUrcnBNb2dRc3dDTnZMQzJKNmp2cEl
QOExwaE13CkZRWURWUjBSQkE0d0RJY0VDUjc4YTRjRXJCRE5DakFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJGWmpMWU9XZUMKLy92
L2RNMHdYNUxZT3NCaHFFNnNQZ1BSWWppOTZqT093QUlnZEppZDU0WmxjR2h0R3dEY3ZoZE02RVlBVFpQNwpmS29IMDZ3ZFhpK3VzV
XM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
}
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
When you create a CA by using the IBM Blockchain Platform console, two CAs are created with the same endpoint URL: a root
CA and a TLS CA. The root CA provides keys to your nodes and applications. The TLS CA provides certificates that are used to
protect the communication within your network. To learn more about TLS on your network, see Using your TLS CA.
When you create your nodes, you need to use your root CA to create the following identities that are required to deploy, operate,
and interact with your network:
CA admin: Your CA contains a default CA admin identity. This identity has an enroll ID and secret, which are analogous to
a username and password, that you specify during the deployment of your CA. You can use this admin username and
password to operate your CA and create new identities. The CA admin of your root CA is also the admin of the TLS CA.
Peers or orderers: You need to register an identity for each of the peers and orderers that belong to your organization.
Your nodes will then use these identities during deployment to generate the keys they need to participate in the network.
You can use the console to create these identities by using the registration process. After you register your admin identities, you
need to issue each identity a signing certificate and private key, provide the signing certificate to your organization MSP
definition, and add the identity to your console wallet. You can complete these steps for one admin identity when you create
your organization MSP. You can use separate identities as org admins or node admins, or you can use one identity to do both
tasks. The Build a network tutorial uses one identity to be an admin for each organization created in the tutorial.
You can view the enroll ID of the associated admin on the left side of the CA panel, below the CA name, Node location, and
Fabric version. You can use this identity to create other identities by using the Register button. The CA admin also allows you to
get the list of registered identities, and then use these identities to generate certificates by using the Enroll button.
To use a different identity as the CA admin, click the identity that is associated with the CA admin. This opens theAssociate
identity side panel. You can use the Enroll an identity tab to provide the enrollID and secret of another CA admin. You can
specify an identity that exists in the wallet by using the Select an existing identity tab.
Note: You can only use admin identities to register new users. You can create new admins with restrictions on the type of
users they are allowed to create. As a result, you can let another user operate your CA by providing them an admin that is
not able to create admins or deploy nodes. This allows other members or departments of your organization to access your
CA without compromising your network. For more information, see Creating new CA admins.
Registering identities
The first step in creating an identity is known as registration. During registration, an enroll ID and secret are created which can
be used by a node or an org administrator to enroll this identity by generating a signing certificate and private key.
You need to enter the following information when you register a new identity with your CA.
Enroll ID and Enroll Secret: This identity has an ID and secret, which is analogous to a username and password, that you
specify during the deployment of your CA. You can use this admin ID and secret to create certificates with this identity by
using this console or the Fabric CA client.
Type: When the CA was deployed, the administrator specified the types of identities issued by the CA. Common examples
of identity types include peer, orderer, admin, and client (applications). Select the identity type for this user from the list of
available types.
Affiliation: (Optional) Advanced users only. This field is only visible if affiliations are defined for your CA. An affiliation is
the part of an organization that you want to associate with this user. For example, this could be a department or unit that
operates an application or a peer. It is possible to restrict a particular CA admin to be able to register only users within
their own department within an organization by setting their affiliation. CA affiliations are defined by using the Fabric CA
Affiliation Command. The default affiliation that is available when you clear the Use root affiliation checkbox is ibp.
Maximum Enrollments: Optionally, enter the number of times that you can enroll or generate certificates by using this
Click the Register user button on the CA overview panel to create a new user. Be sure that you have set the identity to a CA
admin that has the ability to register new users before you attempt this task. In general, this is your admin user. If the button is
gray, you have either not set an identity, or that the identity cannot create new identities.
1. On the first side panel, enter the Enroll ID and Enroll Secret of the new identity. Save these values, as they are not stored
by the console.
2. Select the identity Type. The drop-down list contains the list of types that the CA supports. If you are registering an
identity that will serve as an admin of a node, select type admin. If you are registering a peer identity select peer and
likewise for an ordering node identity select orderer. When you need to register an identity for a client application select
the type client.
3. You can associate an affiliation with the user. Check the Use root affiliation checkbox for the user if you want them to
have the root affiliation and be able to see all other users registered with this CA. When you deselect Use root affiliation,
you can select a specific affiliation from the list to associate with this user. The platform includes the default affiliation
ibp.
4. Enter the Maximum Enrollments allowed for this identity. If not specified, the value defaults to unlimited enrollments.
5. On the last side panel, add the Attributes of the identity you are creating.
After you click Register, the new identity will be added to the list ofAuthenticated users that have been created by your CA. The
identities are listed by their Enroll ID, along with their Type and Affiliation. Clicking on an identity in the table opens a side panel
that displays the number of Maximum Enrollments and Attributes that were created during registration.
Deleting a user
If you need to delete a registered user, click the action menu next to any user and select Delete user. If that option is not
available, it can be enabled on your CA by overriding the CA configuration. See an example of how to enable this feature in
Modifying a CA configuration after deployment. Note this action does not revoke the associated certificates for the user. If you
need to do that you would need to insert the associated signed certificate into the organization MSP under the
"revocation_list": section. And then update that MSP definition everywhere that it occurs on the network.
On the second side panel, click the Add Attribute button. Provide an attribute name of hf.Registrar.Roles . Enter an
attribute value of * . You can also use this panel to create an identity that can register only certain identity types, such as clients
or peers, or within a certain affiliation. You can also create an identity that has the ability to revoke an identity and all the
certificates that the identity has been issued. You can see a full list of the attributes in the Registering a new identity section of
the Fabric CA users guide.
Enrolling an identity
You can generate the signing certificate and private key for each user that is registered with your CA. If you registered additional
admin identities with your CA, you can generate the certificate and key for the admin identity and then include the certificate
when you create your organization MSP.
Before you enroll an identity, you need to Associate the identity of the CA admin to be able to operate the CA. If the identity is
not set, you will not be able to view the Registered Users table on the CA panel. In the Registered users table, navigate to the
You can also use the Fabric CA client or Fabric SDKs to enroll the identities you create in the console. The console provides you
with all of the information that need to compete these steps. Ensure that you have saved the Enroll ID and Enroll secret that you
specified during registration.
Each CA created by the IBM Blockchain Platform console contains a root CA and a TLS CA. Both of these CAs use the same
database and share the list of registered users. As a result, each identity that is registered with your root CA is automatically
registered with your TLS CA as well. The CA admin of your root CA is also the admin for your TLS CA.
You can use each identity in the Registered Users table to generate TLS certificates. Follow the same process as you used to
enroll an identity by using your root CA. However, on the Enroll identity panel, select the TLS Certificate Authority from the
Certificate Authorities drop-down list.
Each peer or orderer node that you deploy needs to generate a public TLS certificate. When you create peer or orderer nodes,
you can use the same enroll ID and secret that you used to generate the peer or orderer identity as the TLS enroll ID and secret
because the TLS CA uses the same user repository as the organization CA. The node then uses this identity to generate its TLS
certificate during deployment. This certificate is required by any application that needs to communicate with the orderer or peer.
You can find the TLS certificate of a node by navigating to the node overview panel and clicking Settings. You can also find the
TLS Certs of your peers and orderers in the connection profile that can be downloaded from the organization MSP tile on the
organizations tab.
When creating a peer or orderer with your console, you can also use the TLS CA to specify an additional domain name for each
node. Enter the new domain name in the TLS CSR hostname field when deploying your orderer or peer. This hostname will be
added to the list of common names in the TLS certificate issued to your node.
Important: The wallet is a component of the console and not a separate service. It stores your keys in the local storage of
the browser that you use to access the console instead of your local file system. If you access your console from a
different browser, or start a private browsing session, you will not be able to access the identities stored in the wallet. It is
recommended that you export your admin identities from the console and store them in a safe place.
Adding identities
You can add an admin identity to your wallet when you create your organization MSP. A CA managed by the console can also
add an identity to your wallet during the enrollment process.
You can use the Add identity button on the overview panel to import an identity directly into the wallet. Clicking this button
opens up a side panel that allows you to add an identity's signing certificate and private key.
Name: Enter an identity name that is used for your reference only.
Certificate: Upload a file that contains the identity's signing certificate (in base64 or PEM format) that you generated by
using your CA.
Private Key: Upload a file that contains the identity's private key (in base64 or PEM format) that you generated by using
your CA.
You can also add an identity by uploading a JSON file in the format below. You can also use theUpload JSON button to upload
multiple identities at once.
{
"name": "peerAdminCerts",
"private_key":
"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tDQpNSUdIQWdFQU1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFR
UWdIVk5Kc0tHYnl6eTVZWEQ2DQovaEhKOVZlR0QrZVhmenpxUi9PQWVZYnY5UWloUkFOQ0FBUmZ1WlB1OTRzNnJQSEVCMjJlWFhpS
Wozd0lKYkg4DQpRYVpaRkJlNFp5SnU5UllHbkxQWUdLRnhETkRVMUZkU1NxUGNLcnczUXpxT3hXNU1NZDVWbEtVdw0KLS0tLS1FTk
QgUFJJVkFURSBLRVktLS0tLQ0K",
"cert":
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlCNURDQ0FZdWdBd0lCQWdJVUhhUFNNdlcxOEwyaGNTeGlJK1ZqT1d0Wnly
Z3dDZ1lJS29aSXpqMEVBd0l3YTHJNM1o5TUZicGt3SGthYnB0MmZBekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUFmdUhjY2R6WExq
Z3BLDQplVFhnNmNNcnRzRUs4ZVlKTVFMNlZLU0xwUXIvN3dJZ1hyK2ZuVjUrb2RHWnNRUU94SjZ1aDVTV0tJVkdZQ2ZGDQp1Ykw4V
mJNdnRRZz0NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg=="
}
If you did not enroll an identity from the console, but instead by using the Fabric CA client or the Fabric SDKs, your keys need to
be converted from PEM format into base64 format. You can convert certificates into base64 format by running the following
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/<path-to-certificate>/cert.pem | base64 $FLAG
Clicking an identity opens a side panel that displays its certificates and private keys in base64 format. Click the download button
to export both the certificate and the private key as a .pem file to your local file system.
Click Update to change the identity name in the wallet or paste a new set of keys into the panel. ClickRemove when you no
longer need to use this identity and want to delete its keys.
IBM Blockchain Platform can auto-renew the enrollment (signing) certificates for the peer and ordering nodes and the peer TLS
certificate. For the other certificates, you can see certificate types and actions to learn on how to maintain them.
A one-stop solution is available for easy management and maintenance of your certificates; see IBM Secrets Manager for
details.
Downloading certificates
You can download IBM Blockchain Platform certificates from the console, in PEM format, for viewing certificate expirations. This
includes all peer, Certificate Authority (CA) and orderer node certificates.
Navigate to the console tab for the desired node and select the download icon forEnrollment Cert Expiration or TLS Cert
Expiration.
You can then save the downloaded PEM file for viewing or importing.
There are three ways you can use an HSM with the IBM Blockchain Platform:
After you have configured an HSM, you need to configure a HSM proxy that allows the blockchain node to communicate with the
HSM. Then when you configure a blockchain node, you will need to provide three pieces of information:
Proxy endpoint: ClusterIP address that is generated for the HSM when the HSM proxy is configured.
Label: Corresponds to the HSM Partition.
PIN: The PIN associated with the HSM slot.
After HSM is configured for a node, the HSM becomes the cryptographic service provider for the node. When the HSM is
subsequently used to generate and store a node's private key, and the node identity is exported or stored in the wallet, the
private key is not visible.
For more information about how to deploy the HSM proxy and use HSM with a CA, peer, or ordering node, see Configuring a
node to use HSM
Associating identities
You need to provide the signing certificate of your organization and node admins to your organization MSP definition. The nodes
or channels that are created by the console uses the certificates from the MSP definition to check who is a valid administrator. As
a result, the same signing certificate and private key that you used to add an admin cert to the MSP definition needs to be stored
inside your console wallet.
Replace <certificate.pem> with the sign cert file and the output will resemble the following content:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
68:b9:6d:d3:00:1e:1b:9d:4b:99:1e:ab:ed:05:48:be:28:51:69:3d
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
Validity
Not Before: Nov 20 19:08:00 2019 GMT
Not After : Nov 19 19:13:00 2020 GMT
Subject: OU=client, OU=org1, OU=department1, CN=user1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:11:0c:c9:9e:47:d8:38:aa:c7:24:65:90:98:a3:
42:a8:b0:18:3e:03:43:13:ae:64:6a:18:93:6e:06:
23:30:09:c1:93:66:5f:0d:d6:37:1b:a0:c4:e9:cb:
9b:70:63:9a:af:08:20:f2:96:b8:de:3b:c5:6e:58:
a9:9e:fa:d6:de
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
E4:86:14:C1:58:21:D8:6F:B4:79:E5:41:3B:14:9B:3D:C6:36:87:36
X509v3 Authority Key Identifier:
keyid:70:CA:7D:2E:5A:75:A2:90:27:8C:5D:7D:C7:AF:F1:2C:E1:25:59:70
1.2.3.4.5.6.7.8.1:
{"attrs":
{"hf.Affiliation":"org1.department1","hf.EnrollmentID":"user1","hf.Type":"client"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:1a:38:64:47:69:6b:31:e4:96:bc:52:06:71:75:
9e:01:57:a4:bd:b0:15:f0:19:c4:23:37:29:14:b1:66:e3:ce:
02:20:7a:34:af:7b:fb:65:6c:b8:22:a2:39:78:5d:30:5c:3c:
b0:9b:0e:14:d8:76:78:9a:34:2b:bb:d2:97:d4:ce:81
Managing organizations
You can use the IBM® Blockchain Platform console to create a formal organization definition that is known as a Membership
Services Provider (MSP). Your organization's MSP definition allows other members of the blockchain consortium to verify the
identity of your nodes and applications. Your MSP definition also contains your organization's admin certificates.
Figure 1. You can use the organizations panel to create, import, and manage organization MSP definitions
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, and managing the
blockchain network.
Understanding MSPs
The IBM Blockchain Platform is based on Hyperledger Fabric and builds permissioned blockchain networks. Participants need to
be known to the network before they can submit transactions and interact with the assets on the ledger. Fabric recognizes
identity through a group of invited organizations at the channel level. Organizations in the consortium are able to issue valid
credentials to their members and let them become participants in the network. The participants can then operate blockchain
nodes and submit transactions from client applications.
Each organization in a network needs to operate a Certificate Authority to create all of the identities for the admins and nodes
that belong to your organization. These public-private keys pairs are issued by the CA and used by the members of your
organization to sign and verify their actions. When an organization joins a channel, the public key of the CA associated with that
organization allows other organizations to verify that your peers and applications are valid participants. For more information
about membership in Hyperledger Fabric, see the Membership concept topic in the Fabric documentation.
Before your organization can join a consortium, it needs to create an organization definition that is known as aMembership
Services Provider (MSP). The MSP contains the following information:
A certificate signed by your root Certificate Authority. This certificate is used to verify the identity of your nodes, channels,
and applications.
A certificate signed by your TLS CA. A root TLS certificate allows your peers to participate in cross organization gossip,
which is necessary to take advantage of the Private data collections and Service Discovery features of Hyperledger Fabric.
The MSP ID. The MSP ID is the formal name of your organization. You need to remember the MSP ID for your applications
or when using the SDK to submit transactions.
The MSP display name. This is an informal name that is given to your organization, which is used to identity your MSP in
the console.
The Admin certificates of your Organization Admin identities. These certificates are passed to the ordering service and
are used to verify which identities in your organization are allowed to create or edit channels. When you use your console
to create an ordering node or peer, the admin certificates inside the MSP are deployed within the new node, making your
organization admin identities your peer or orderer admins as well. You can use these identities to operate your node, such
as by installing a smart contract on a peer or joining a peer to a channel, from your console or a client application.
You can view all of the MSPs that you created or imported underAvailable organizations. You can use the MSP definitions in the
organizations tab for important functions within your console:
If you are creating peer or ordering nodes, the MSP of your organization is used to identify the organization that the node
belongs to.
MSPs are used by organizations to verify the signatures of actions by other organizations. For this reason, you should
export your MSP to every organization in the channel and likewise import the MSP of every organization.
If your organization is one of the admins of the ordering service, you can add new organizations to the consortium.
If you are a member of the channel, you can import the MSPs of other organization into your console and then add the
members to new or existing channels.
You can click an MSP definition in the organizations tab to view all of the nodes in the console that belong to each organization.
Because each node was deployed with the administrator certificate from the MSP definition inside, you can use this panel to
know which nodes are managed by which organization administrator.
The MSP definition details tab is where you provide a display name and an MSP ID for the MSP. Use the tooltip to learn
about the restrictions for the MSP ID.
Important: If your organization is joining an ordering service with other organizations, to avoid confusion, it is strongly
recommended that every organization have a unique MSP ID. In other words, you should never use the same MSP ID to
represent different organizations on a network.
The Root Certificate Authority details tab is where the CA for your organization is specified. This is the CA that you use to
register all of the identities associated for your organization. Before creating an MSP, you must register the admin of the
MSP. If you use intermediate CAs, this is the CA that you used to create those CAs. Select your CA from the list of CAs
managed by using your console. If you created a CA using the console, selecting a CA will also display the root TLS
certificate of your TLS CA, which was deployed alongside your CA.
You can also use the Admin certificates tab to generate the identity of your organization admin. If you already have an
admin identity you want to make your organization admin, click Existing identity and select the identity from the drop-
down list. If you want to use the panel to generate a new admin identity, you need to register your organization admin with
your CA. You then need to complete the following steps in order to use these identities to operate your network:
1. Enter the Enroll ID and Enroll secret of an admin identity that is registered with your CA. After you enter the enroll
ID and enroll secret, choose a Display name. This name is used to represent the identity in the console.
2. Click Generate. This generates a certificate and private key and automatically add the keys to your Wallet. You can
then find your admin identity in your Wallet by using the name that you selected on this panel. These keys are only
stored in your browser local storage. Therefore, if you change browsers, they will not be in your Wallet. This is why
you should click Export to export this identity to your local file system. If you switch browsers, you will need to
import the identity from your file system into the Wallet of your new browser.
3. Then, click Export to download the key pair to your file system and secure them.
The Administrators certificate section of the side panel contains the signing certificates keys of your admins. The
certificate that you generated by clicking Generate in the section above can be found in the first row of the field. If you
want to use multiple admin identities to operate your network, you can paste additional certificates into admin certificate
fields.
On the Review MSP information panel, review the information that you specified for this MSP.
After you have selected your CA, MSP ID, and either specified or created an admin, clickCreate MSP definition. It should now be
listed as an organization in the Organizations tab. Because an MSP is the representation of an organization in the network, you
select the MSP definition when you deploy your nodes (identifying the organization the node belongs to), are joined to the
consortium (by an ordering service admin), create a channel, join a channel, edit a channel, or perform any action where you
have to specify the organization that is performing the action.
Click the Organization MSP tile for the organization that your client application interacts with. ClickCreate connection profile to
open a side panel where you can build and download your connection profile.
If you plan to use the client application to register and enroll users with the organization CA, you need to include the Certificate
Authority in the connection profile definition.
Select the peers to include in the connection profile definition. When a peer is not available to process requests from a client
application, service discovery ensures that the request is automatically sent to a different peer. Therefore, to accommodate for
peer downtime during a maintenance cycle for example, it is recommended that you select more than one peer for redundancy.
In addition to peers created by using the console or APIs, imported peers that have been imported into the console are eligible
to be selected as well.
The list of channels that the selected peers have joined is also provided for your information. If a channel is missing from the list,
it is likely because the peer joined to it is currently unavailable.
You can then download the connection profile to your local file system and use it with your client application to generate
certificates and invoke smart contracts.
Note: The connection profile that is downloaded from the IBM Blockchain Platform console can only be used to connect
to your network by using the Node.js (JavaScript and TypeScript) and Java Fabric SDKs.
If the CA that is associated with the MSP resides in a different console, when you attempt to download the connection profile
you see a warning message and the "certificateAuthorities:" section of the generated connection profile is empty.
Figure 3. You can use the organizations panel to create, import, and manage organization MSP definitions
$ {
"name": "org1profile",
"description": "Network on IBP v2",
"version": "1.0.0",
"client": {
"organization": "org1"
},
"organizations": {
"org1": {
"mspid": "org1",
"certificateAuthorities": [
"xyz-ca.openshift-ibpv2-test-1-0001.us-south.containers.appdomain.cloud:443"
],
"peers": [
"va0414-ba-peer.openshift-ibpv2-test-1-0001.us-south.containers.appdomain.cloud:443",
"va0414-peer.openshift-ibpv2-test-1-0001.us-south.containers.appdomain.cloud:443"
]
}
},
"peers": {
"xyz-peer.openshift-ibpv2-test-1-0001.us-south.containers.appdomain.cloud:443": {
"url": "grpcs://xyz-peer.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----nnnnnn-----END CERTIFICATE-----\n"
},
"grpcOptions": {
"ssl-target-name-override": "xyz-peer.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud"
}
},
"va0414-peer.openshift-ibpv2-test-1-0001.us-south.containers.appdomain.cloud:443": {
"url": "grpcs://va0414-peer.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443",
"tlsCACerts": {
But if the "certificateAuthorities" section is empty and client application needs to register and enroll identities with the
CA from the connection profile, then you must manually add the CA information to the generated connection profile. To get the
CA connection information, simply export the CA, from the console where it resides, to a JSON file:
Figure 4. Click the export icon to download the CA configuration to a JSON file.
{
"display_name": "brian ca",
"api_url": "https://xyz-ca.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443",
"operations_url": "https://xyzca-operations.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443",
"type": "fabric-ca",
"ca_name": "ca",
"tlsca_name": "tlsca",
"tls_cert": "LS0tLS1...bE1UQm1OVGd",
"name": "brian ca",
"pem": "LS0tLS1...bE1UQm1OVGd",
"ca_url": "https://xyz-ca.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443"
}
3. Open the generated connection profile that you downloaded. Edit the "certificateAuthorities": section:
$ "certificateAuthorities": {
"<CA_HOST_PORT>": {
"url": "<API_URL>",
"caName": "<CA_NAME>",
"tlsCACerts": {
"pem": ["<TLS_CERT>"]
}
}
}
<CA_HOST_PORT> with the value of the "certificateAuthorities": from the "organizations": section of the
generated connection profile. For example, xyz-ca.openshift-ibpv2-test-1-0001.us-
south.containers.appdomain.cloud:443.
<API_URL> with the value of the "api_url" from the downloaded JSON file.
<CA_NAME> with the value of the "ca_name" from the downloaded JSON file.
<TLS_CERT> with the value of the "tls_cert" from the downloaded JSON file.
If the organization MSP was manually created by using certificates from an external CA, then there is no reason to add the CA to
the connection profile. You cannot register and enroll users with an external CA from a client application.
Important: It is recommended that you do not change the msp_id field as this might cause breaking changes to your
network.
Export the existing MSP definition from the Organizations tab and edit the generated JSON file to modify the display
name, the existing certificates, or add new certificates.
Click your MSP definition in the Organizations tab to open it and then click theSettings icon.
If the MSP was created in this console and Node OU support is not enabled, theNode OU checkbox is selected because
you have the opportunity to enable the support now. If you only want to enable Node OU support on the MSP, you do not
need to add a new JSON file, you can go ahead and click Update MSP definition now. This action inserts the
"fabric_node_ous": section into the JSON along with the appropriate certificates for the organization. Be aware that this
action also updates the organization admin certificates on the nodes configured with this MSP definition and each node is
restarted to reflect the update.
(Optional) If you made updates to the MSP JSON definition, click Add file to upload the new JSON file.
Click Update MSP definition.
It is very important to re-export this MSP now and share it with all of the members of the consortium so they can import it
into their console and ensure they are using the latest copy of the MSP definition and certificates.
If you need to add a new admin certificate to an existing organization MSP definition, refer to the topic on managing certificates.
If you prefer to use certificates for your peer or ordering service from anexternal CA, one that is not hosted by IBM, you need to
build an MSP definition JSON file that represents the peer or ordering service organization MSP definition.
You can convert the contents of your certificate file, <cert.pem> from PEM format into a base64 string by running the following
command on your local machine:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat <cert.pem> | base64 $FLAG
{
"name": "<organization_name>",
"display_name": "<organization_name>",
"msp_id": "<organization_id>",
"type": "msp",
"admins": [
"<admins>"
],
"root_certs": [
"<root_certs>"
],
"tls_root_certs": [
"<tls_root_certs>"
],
"fabric_node_ous": {
"enable": true,
"admin_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "admin"
},
"client_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "client"
},
"orderer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "orderer"
},
"peer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "peer"
}
},
"host_url": "<url>",
}
organization_name: Specify any name to be used to identify this MSP definition in the console.
organization_id: Specify an ID that is used to represent this MSP internally in the console.
root_certs: Paste in an array that contains one or more root certificates from the external CA inbase64 format. You must
provide either a CA root certificate or an intermediate CA certificate. You can also provide both.
admins: Paste in the signing certificate of the organization admin in base64 format.
tls_root_certs: Paste in an array that contains one or more root certificates from the TLS CA inbase64 format. You must
provide either an external TLS CA root certificate or an external intermediate TLS CA certificate, you can also provide both.
ou_root_cert: Specify the trusted CA root certificate for each role. Typically this value would be the same as the
root_certs.
host_url: Specify the URL of the blockchain console where this MSP will collect signatures.
fabric_node_OUs: Fabric-specific OUs that enable identity classification. NodeOUs contain information for how to
distinguish clients, peers, and orderers based on their OU. If the check is enforced, by setting Enabled to true, the MSP
considers an identity valid only if it is an identity of type client, a peer, an admin, or an orderer. An identity should have
only one of these special OUs, which are assigned to an identity when it is registered with the CA. See this topic for an
example of how to specify the fabric_node_OU in an MSP in the Fabric Service Discovery documentation. Or learn more
about using Node OUs in Fabric.
The following additional fields are also available in your MSP definition but are not required:
intermediate_certs: (if an intermediate CA was used) Paste in an array that contains one or more certificates from the
external intermediate CA in base64 format. You must provide either a CA root certificate or an intermediate CA certificate,
you can also provide both.
tls_intermediate_certs: (if an intermediate TLS CA was used) Paste in an array that contains one or more certificates from
the intermediate TLS CA in base64 format. You must provide either an external TLS CA root certificate or an external
intermediate TLS CA certificate, you can also provide both.
organizational_unit_identifiers: A list of Organizational Units (OU) that valid members of this MSP should include in their
{
"name": "org1msp",
"display_name": "org1msp",
"msp_id": "org1msp",
"type": "msp",
"admins": [
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIzRENDQVlPZ0F3SUJBZ0lVRklDZjhkbFZPbEowazJ1V0RjbEh0MzFJbk1F
d0NnWUlLb1pJemowRUF3SXcKV2pFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVFzd0NRWURWUVFERXdKallUQWVGdzB5Ck1EQT
FNVGt5TVRBNE1EQmFGdzB5TVRBMU1Ua3lNVEV6TURCYU1DRXhEekFOQmdOVkJBc1RCbU5zYVdWdWRERU8KTUF3R0ExVUVBeE1GWVd
SdGFXNHdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBVFhRc3puMzVVdwpNaDl3ZHNVSTgwNWo0T2cvdUo0OXBza3VD
U3RhNXI0R3NaSlNMYW1jdzlZY0RXcDRNMnVkbzFFdzQzQXAwbjgvCksxOHg3MTd4c3J3RW8yQXdYakFPQmdOVkhROEJBZjhFQkFNQ
0I0QXdEQVlEVlIwVEFRSC9CQUl3QURBZEJnTlYKSFE0RUZnUVUxQ3cwUDdlNk13aDh6T1k1NmdnaE9zbVNyd2d3SHdZRFZSMGpCQm
d3Rm9BVWwvNkpmck0xVXRjbQp6cFJzRTFNWEVieVovcVF3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnRWs3aEJMQ21pZDlZSGpzTk5
QSFdlZFF2Cm5tU1hsS3VWUWQ4b3kwc3pLaFlDSUdjY083R0JBWVVFL1BaaUw4Unk4QTRPL3RCZVlQN1J5WENxZU44ZmE1T1gKLS0t
LS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
],
"root_certs": [
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNDVENDQWErZ0F3SUJBZ0lVZityblZxMG93WXBIemhXQzBudEJVTnJhS1NJ
d0NnWUlLb1pJemowRUF3SXcKV2pFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVFzd0NRWURWUVFERXdKallUQWVGdzB5Ck1EQT
FNVGt4T0RJMU1EQmFGdzB6TlRBMU1UWXhPREkxTURCYU1Gb3hDekFKQmdOVkJBWVRBbFZUTVJjd0ZRWUQKVlFRSUV3NU9iM0owYUN
CRFlYSnZiR2x1WVRFVU1CSUdBMVVFQ2hNTFNIbHdaWEpzWldSblpYSXhEekFOQmdOVgpCQXNUQmtaaFluSnBZekVMTUFrR0ExVUVB
eE1DWTJFd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DCkFBU3VWQ0tqUk5nWndpanZoWjJiMStxZjZjbmE5ZWxrazFFb
Gl4akVXQ0l2bE9jZFUyOUpYNFdzTGcwOXdaa0EKUmdmL2tRZVpLMXdxbWRuV2xxYTl6L1VkbzFNd1VUQU9CZ05WSFE4QkFmOEVCQU
1DQVFZd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVsLzZKZnJNMVV0Y216cFJzRTFNWEVieVovcVF3RHdZRFZ
SMFJCQWd3CkJvY0Vmd0FBQVRBS0JnZ3Foa2pPUFFRREFnTklBREJGQWlFQXZEcVhkN3JjSnV2TDBPcGZvZ0lRVmpZMDVoTHgKSno2
NzVOYjhUc2VFc2NFQ0lBUWZpeHFxVmpVUU1hNnh5Qld1QUNXOHUzQjdzNlhNYnNKTUVKVFVoSE1PCi0tLS0tRU5EIENFUlRJRklDQ
VRFLS0tLS0K"
],
"intermediate_certs": [],
"tls_root_certs": [
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIvakNDQWFTZ0F3SUJBZ0lVUjY0d3MrbEkwVndjR3IxdWY0RDF2K3ZXc2gw
d0NnWUlLb1pJemowRUF3SXcKWFRFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVE0d0RBWURWUVFERXdWMGJITmpZVEFlCkZ3MH
lNREExTVRreE9ESTFNREJhRncwek5UQTFNVFl4T0RJMU1EQmFNRjB4Q3pBSkJnTlZCQVlUQWxWVE1SY3cKRlFZRFZRUUlFdzVPYjN
KMGFDQkRZWEp2YkdsdVlURVVNQklHQTFVRUNoTUxTSGx3WlhKc1pXUm5aWEl4RHpBTgpCZ05WQkFzVEJrWmhZbkpwWXpFT01Bd0dB
MVVFQXhNRmRHeHpZMkV3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPClBRTUJCd05DQUFSdHpyOFRpMlh5WENSc1ljbXFPVW5GSDdnV
UpnWFBSS3dpUjBVN2N4eHJoU2lYcTh1UTJpanIKRkdhMk95SVhtUVJBbmZUMElIaW5iS29qMmlJL00vc3dvMEl3UURBT0JnTlZIUT
hCQWY4RUJBTUNBUVl3RHdZRApWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXFyNDN6dWRjVUpOeVF0TkNOSlIvMGdUdnR
Jd3dDZ1lJCktvWkl6ajBFQXdJRFNBQXdSUUloQU9hSTBKbVkvNW1Cb080ZTM3QWUrNkxyTXRzR3NqdERXakNnZk5aNzVRRCsKQWlC
UmdDSDA3RVJlUkMrRGhlN3BLUkdCVlUvenhvYkZqNlV2cjgzUU1RZUJ3Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
],
"tls_intermediate_certs": [],
"fabric_node_ous": {
"admin_ou_identifier": {
"certificate":
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNDVENDQWErZ0F3SUJBZ0lVZityblZxMG93WXBIemhXQzBudEJVTnJhS1NJ
d0NnWUlLb1pJemowRUF3SXcKV2pFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVFzd0NRWURWUVFERXdKallUQWVGdzB5Ck1EQT
FNVGt4T0RJMU1EQmFGdzB6TlRBMU1UWXhPREkxTURCYU1Gb3hDekFKQmdOVkJBWVRBbFZUTVJjd0ZRWUQKVlFRSUV3NU9iM0owYUN
You have constructed an MSP definition, which defines the organization for your peer or ordering service nodes, and uses
certificates from an external CA. You can now return to the instructions that describe How to use certificates from an external
CA with your peer or ordering node.
After an administrator creates an MSP definition, they can use the Organizations tab to download the MSP in JSON format to
their local file system. They can then send you the MSP JSON file in an out of band operation. Navigate to the Organizations tab
and use Import MSP Definition to import the MSP file into your console. Once an MSP definition is visible in theAvailable
organizations section, you can then navigate to your orderer node to add the organization to the consortium.
If you are the administrator of the ordering service, you can use the console to add an organization to the consortium. Navigate
to the Nodes tab and click the ordering service. On the ordering service panel, underConsortium members, click Add
organization. A side panel opens where you can select from the list of available MSP definitions that you imported into your
organizations tab. You can also use the Upload JSON option to import the MSP definition file created by another org directly.
After your organization is added to a consortium, you can create a channel by using the following steps:
1. Import the ordering service that hosts the consortium into your console. You do not need to be an administrator of the
ordering service; but you need to provide the ordering node name and endpoint information in your console.
2. Import the MSPs of organizations that you want to add to the new channel into your console in theOrganizations tab.
Note that organizations need to be added to the consortium before they can be added to a channel.
3. Navigate to the Channels tab and click Create channel. This opens a side panel that allows you to specify the channel
name, membership, and channel policies. You can add any organizations that were added to the consortium to the new
channel.
For more information about these steps, see creating a channel in the Build a network tutorial.
Removing an organization
If you want to stop using an instance of the IBM Blockchain Platform, you need to remove your organization from the blockchain
network before you delete your service instance. This ensures that the removed organization is not affecting the governance of
1. Remove your organization from channels that you joined. You need to update the endorsement policy of the smart
contracts that are deployed on the channel to remove your organization from the policy. If you do not update the
endorsement policy, your organization might be required to endorse transactions after you have left the channel, causing
transactions to fail.
You can then update to the channel to remove your organization from the list of channel members. Navigate to the Channels
tab and click the Settings icon. You can use the Organizations section to remove your organization from the channel. The
channel update policy is updated to remove your organization automatically. When you are ready, click Update channel to
submit a channel update request. The request starts the process for collecting the signatures that are required to update
the channel, depending on your update policy.
After you remove your organization from the channel, you can delete your peers on the IBM Blockchain Platform. If
transactions can be successfully submitted to the network after you remove your peers, your organization is no longer
required to endorse transactions.
2. Have your organization removed from the consortium hosted by the ordering service. After you are removed from the
consortium, your organization can no longer be added to new channels. This action needs to be completed by an ordering
service administrator.
Navigate to the Nodes tab and click the ordering service of your network. On the ordering service panel, find the organization
to be removed in the list of Consortium members. Click the Delete button in the corner of the organization MSP definition
tile.
3. Delete your ordering nodes. If you operate ordering nodes that are part of a multi-node ordering service, you need to
remove your ordering nodes from the network before you remove your ordering organization. Your ordering nodes need to
be removed from the consenter set of each channel before they are removed from the ordering service.
Navigate to the Channels tab and click the Settings icon to update the channel. You can use the Consenter Set section to
remove your ordering node from the channel. When you are ready, click Update channel to submit the channel update
request. The update request starts the process for collecting the signatures that are required to update the channel,
depending on the channel update policy. After you have you removed your ordering nodes, you can use the Ordering
service administrators section to remove your organization from the set of orderer administrators.
After you remove your ordering nodes from the consenter set of each channel, you can remove your nodes from the ordering
service. Navigate to the Nodes tab and click the ordering service of your network. On theOrdering service panel, click the
Ordering nodes tab. Click your ordering node and then click Delete. Because Raft consensus requires that a majority of
ordering nodes are up to maintain a quorum, you need to remove one ordering node at a time. After you have deleted your
ordering nodes, you can remove your organization from the set of ordering service administrators. Find your organization
MSP definition on the list of Orderer administrators and click the Delete icon in the corner of the organization definition
tile.
After you complete these steps, your organization will no longer affect the governance of the network. You can safely delete your
service instance of the IBM Blockchain Platform.
Managing certificates
IBM® Blockchain Platform is based on Hyperledger Fabric and builds permissioned blockchain networks. Participants are known
as members of the network, and their activities and access to network resources are verified continuously. Learn how to manage
a member's identity in the form of a trusted x509 digital certificate.
Target audience: This advanced topic is designed for system administrators or operators who are responsible for registering
IBM Blockchain Platform manages most of the certificate operations without users needing to handle their certificates. However,
there are instances when you need to manage the certificates that allow you to communicate with the network, such as for
developing applications or renewing certificates before they expire. This topic is a short guide to your Certificate Authority and
the underlying certificate infrastructure. This information can help you understand the certificates that you will be working with
and the tasks you are responsible for.
For details on Hyperledger Fabric certificates, including certificate names, types, and locations, see the Certificates
Management Guide.
Each organization in the network has their own CA. Your organization CA signs requests for all of the entities and components
that you own, such as your admin, peers, or applications. If you want to add a node or new application to your network, you need
to register the new user with your Certificate Authority (registration). Then, via the enrollment process, the CA generates a public
and private key pair. The "enrollment certificate", also known as the signed certificate or public key, is shared with the network.
Overview
The following diagram shows all of the certificates that need to be managed and where they reside on your network.
The left column includes the certificates for the blockchain CA, peer, and ordering nodes. There are two certificates that are
included on the CA node, the CA root certificate and the CA TLS cert. The root certificate is included here for completeness, but
The IBM Blockchain Platform can automatically renew the enrollment certs for the peer and ordering nodes and the TLS
certificate for the peer. But the MSP admin identities have to be manually renewed. If the MSP is enabled for Node
Organizational Units (Node OUs), no further action is required. More information about Node OU support and how to determine
whether the MSP is enabled for it is provided in this topic.
The right column shows the certificates that are relevant to the system channel and the application channel. When the MSP is
not enabled for Node OU support, additional steps are required to update these certificates on the system and application
channels and are provided here.
Important: Because the certificate renewal process is different for peers and ordering nodes, the certificate renewal
tooling described in this topic cannot be used on networks where the peers and ordering nodes share the same
organization MSP definition.
Node OU support
When you register a user with the CA, you need to select a user Type of client , peer , orderer , or admin , that is used to
confer a "role" onto the identity. Roles are referred to as Organizational Units (OU) inside a certificate and MSPs can be
configured to recognize these roles. The admin and orderer types were added to the IBM Blockchain Platform when Fabric
v1.4.3 was included and contains support for Node OUs in MSPs and channels.
This new capability means that when the MSP admin identity is enrolled during MSP creation, the generated signed certificate
includes the admin type as an OU inside the certificate. This admin designation means that the signed cert of the identity does
not need to be included in the MSP defining the organization. You can learn more about the benefits of Node OUs in the Fabric
documentation on the Membership Service Provider.
Because this functionality was not yet available when the IBM Blockchain Platform service was initially offered, all MSP admin
identities that were enrolled before Node OU support was added to the platform in December 2019, do not contain the admin
OU in their signed certificate. Instead, when the MSP was created, the signed cert, or certificate, for the MSP admin was placed
in the admins section. The platform supports both patterns, but if the Node OU configuration was not enabled when the
organization MSP was created, additional steps are required after certificate renewal to update the MSP and any channels that
the MSP is part of. Therefore, if your MSPs currently are not configured with Node OU support, it is recommended that you add
Node OU support now, to avoid the extra updates steps that are required in one year when the certificates expire again.
Note: If your certificates have already expired, you are not able to complete these steps, but should come back and do
this after you renew the certificates.
Prerequisite: Before you can take advantage of Node OU support, ensure that your CAs are at Fabric v1.4.3 or higher. Open the
CA tile to view the Fabric version. If the CA is not at v1.4.3 or higher, you should upgrade it now.
Enabling Node OU support for an MSP definition is a two-part process. First, you have to update the MSP definition itself, then
you have to update the same MSP definition on the channel.
2. Click the Settings icon for the MSP. The checkbox to add Node OU is selected by default. You do not have to add a new
JSON file, you can simply click Update MSP definition to enable Node OU support for the MSP.
The MSP is also automatically updated on any peer or ordering nodes that are configured to use this MSP. There is a brief
downtime when the node is automatically restarted to use the updated MSP.
Important: Because you likely still have admin certificates in the MSP that will expire, you still need to follow the manual
steps in this topic to update them. But after you complete that process, you do not have to follow the manual steps again
next year after the certificates expire, since you have now enabled the Node OU support on the MSP.
If the CA is offline, unreachable, or the CA TLS certificate has expired, the certificates cannot be automatically renewed. The peer
or ordering node displays a warning message indicating that certificate expiration is approaching or has occurred and you need
to take action.
Peer and ordering node enrollment certificates can be renewed from the console, by opening the node tile and clicking the
Settings icon. Click Update certificates to renew either the enrollment or TLS certificate. See detailed instructions for the peer
and ordering node enrollment and TLS certificates. Note that when a certificate is updated, the node is restarted.
Admin certificates
Organization MSP admin certificates cannot be automatically renewed. Instead, you need to follow the manual certificate
renewal process, included in this topic, to update these certificates. If you have a large number of channels on your network,
Ansible playbooks, also described later in this topic, are available to update admin certificates that have not yet expired across
the channels on your network in a bulk action.
The following tables describe the types of certificates that you need to manage, how to view their expiration date, and how to
maintain them.
CA TLS certificate
Peer certificates
Certificate Description How Default How to view How to Impact if What to do
generated expiration expiration renew expires if expired
Peer The public key Generated 1 year Open Automatic Production Manually
enrollment that is used to when the console renewal is outage update the
certificate verify that the peer is peer node attempted peer
(signcert) signatures that deployed and view 30 days Peers can certificates.
nodes attach to based on Enrollment before no longer
communications the peer Cert expiration. connect to
were generated enroll ID Expiration orderers or
by the node's and secret field. If to each
private key. that is automatic other.
provided. renewal
fails,
manually
update the
peer
certificates.
Peer TLS When TLS is Generated 2.5.x: 15 Open Automatic Production Manually
certificate enabled on a when the years 3 console renewal is outage update the
(signcert) network, each peer is peer node attempted peer
node must deployed. 2.1.x: 1 and view 30 days SDK does certificates.
register a user year TLS Cert before not allow
and enroll an Expiration expiration. connection
identity with the field. when TLS
TLS CA. This is If certificates
the TLS automatic are
certificate for renewal expired.
the peer from fails,
that process and manually
is required for update the
the peer to start. peer
certificates.
Orderer certificates
Orderer The public key Generated 1 year Open Automatic Production Manual
enrollment that the when the console renewal is outage certificate
certificate orderer uses to ordering ordering attempted renewal
(signcert) sign node is node and 30 days Orderers
transactions. deployed view before can no
based on Enrollment expiration. longer work.
the Cert
ordering Expiration If
service field. automatic
enroll ID renewal
and secret fails, see
that is Manual
provided. certificate
renewal
Certificate Description How Default How to view How to Update Update Update
generated Expiration expiration renew MSP node admin channel
Ordering The admin Generated 1 year Wallet tab: Enroll No action No action No action
service certificate when you Click the new is required is required is required
organization that is used create the ordering identity when when when
admin to organization service Node OU Node OU Node OU
certificate administer MSP and admin is enabled is enabled is enabled
the ordering provide the identity tile for the for the for the
service and admin to view the MSP. MSP. MSP.
submit or identity enroll expiration
approve ID and date of the Otherwise, Otherwise, Otherwise,
channel secret. In certificate Append Associate Update
updates. addition to and private the admin new ordering
The being part of key. certificate admin service
associated the ordering to the MSP identity on admin
admin service MSP tab: definition. orderer
identity is configuration, Open the or
enrolled this MSP ordering
with the certificate service Bulk
organization can also be organization admin
CA before included in MSP tile certificate
the node the ordering and the update
and service admin with
organization channels. certificate Ansible
MSP are expiration playbooks
created. date is
listed in left
column.
CA TLS certificate
Peer and ordering node enrollment and TLS certificates, only when automatic renewal is not successful
MSP admin certificates
Certificates from an external CA.
If the admin certificates have been stored or imported into the console wallet, you can monitor the exact date of expiration for
each identity. Click an admin identity tile to view the expiration date of the certificate and private key.
Otherwise, if certificates expire within five years, their expiration date is visible from the peer, ordering node, MSP, and channel
tiles.
CA TLS certificate
Peer enrollment and TLS Certificates
Ordering node enrollment and TLS certificates
MSP Admin certificate
Certificates from an external CA
The process to renew the CA TLS certificate is same regardless of whether it has expired or not, although it is not available on an
imported CA. In that case, the update needs to be performed from the console where the CA was deployed.
Important: This update requires a brief restart of the associated nodes. For zero downtime and to ensure nodes are still
available to process transactions, it is recommended that the updates are performed on one node at a time.
Tip: Because the console only shows CA TLS certificate expiration dates if they are within five years, it is possible that the
While you can use the following steps to renew certificates before or after they expire, to avoid an interruption of service, it is
best to renew the certificates before they expire. Check the expiration date of your peer enrollment and TLS certificates by
opening the peer node.
4. When you click Update certificates, the peer is restarted. Verify the renewal is successful by clicking the refresh icon and
examining the updated enrollment and TLS certificate expiration dates.
An alternative to renewing these certificates is to simply deploy a new peer, and then delete the peer with expired certificates.
You would need to configure the new peer on the network in the same way the existing peer is configured, namely:
Important: Because this certificate renewal process restarts the ordering node, and in the case of a TLS certificate
renewal, the node can no longer participate in the application channel consenter set, you need to pay particular attention
to maintaining quorum on the application channel throughout this process. Before attempting these steps, and to avoid
any interruption of service, ensure that you still have enough ordering nodes available to maintain quorumwhile this
node is restarted or offline, in the case of a TLS certificate update.
The process to renew the enrollment certificate is the same for the ordering node as it is for the peers. But when you renew the
ordering node TLS certificate, additional steps are required. Before proceeding, if you have a single-node ordering service and
5. When you click Update certificates, the ordering node is restarted. Verify renewal is successful by clicking the certificate
refresh button next to the Settings icon and examining the updated enrollment and TLS certificate expiration dates. Notice
that the ordering node TLS certificate expiration date is in 15 years, so that renewal of this TLS certificate is not required
again next year. However, the enrollment certificate expires again in one year, so you will need to renew it again before
that date.
6. If you only updated the ordering node enrollment certificate then you are done. But as mentioned earlier, if you updated
the ordering node TLS certificate, additional steps are required to update the consenter set on the ordering service system
and application channels with the new TLS certificate.
Update the consenter set on the ordering service system channel (TLS certificate renewal only)
When you update the TLS certificate, you also need to update the consenter set on the ordering service system channel. This
action ensures that any new application channels which include this ordering node as a consenter will use the updated TLS
certificate.
Note: In order to update the ordering service, you must have the ordering service organization admin identity in your
wallet.
1. Go back to the Ordering service page and scroll down to the Ordering service consenters table.
2. Click the action menu next to the URL, and click Update orderer certificates.
3. After you copy and paste the name of the ordering service consenter set, displayed at the top of the side panel, and click
Update consenter, the base-64 encoded TLS certificate is added to the consenter set of the ordering service system
channel.
Update the consenter set on the application channel (TLS certificate renewal only)
Next we have to update the TLS certificate for this ordering node on all application channels that include this ordering node as a
consenter. Until you complete these steps and enough channels members approve the generated channel update request, the
ordering node is not able to act as a consenter on the channel. Therefore, ensure there are enough other ordering nodes
available in the consenter set to maintain quorum while this node is unavailable.
Note: In order to update the application channel, you need to have the channel member admin identity in your wallet.
1. From the Channels tab, open the application channel that you need to update and click theChannel details tab.
2. Scroll down to the Ordering service consenters table and click the action menu , next to the URL and click
Update orderer certificates.
3. Copy and paste the name of the consenter set, displayed at the top of the side panel.
4. To submit this update request to the channel members, you need to select the ordering service MSP from the drop-down
list and then the associated orderer organization admin identity from your wallet. When you click Update consenter a
channel update notification is sent to the consortium members for approval.
Ordering node TLS certificate not expired - If the ordering node TLS certificate has not expired, you should upgrade the
Fabric v1.4.x node to 1.4.9 or Fabric v2.x node to 2.2.1. Then use the reenroll button which is now visible in the console
and follow the normal steps to Renew ordering node enrollment and TLS certificates.
Important: To avoid problems, do not mix Fabric v1.4 and v2.x nodes in your Raft cluster. All ordering nodes should be
running v1.4.x or all should be running v2.x.
Ordering node TLS certificate expired - If the ordering node TLS certificate has expired then theEnroll button is blocked.
Open a support ticket to address the problem.
If the certificates were generated from the Fabric CA client or Fabric SDKs, then they need to be renewed where they were
generated. You can now use the updated certificates when you follow instructions in subsequent steps.
Tip: If you reach the enrollment limit for an identity, simply use the console to register a new user and enroll an identity
and then use the generated certificate in subsequent steps.
If the CA admin identity expires, you are not able to update any of the identities in the CA table.And when you open the CA
node, there is a message that indicates the users cannot be listed. To fix this problem, click Associated identity for root CA. In
the side panel that opens, click the Enroll ID tab to enroll a new admin identity for the CA admin by providing the originalEnroll
ID and secret and a new display name for the identity, then click Associate identity. You can now proceed with the steps to
enroll a new identity for other users in the table by clicking Enroll identity from their action menu.
If this is an MSP admin identity, and the associated MSP Node OU support was disabled when the identity was originally
enrolled, then you need to perform the following additional steps:
Important: Before attempting these steps, be aware that these actions trigger a restart of the peer or ordering nodes that
are configured with this MSP.
11. Click Update MSP definition. All Peer and ordering nodes in this console that include this MSP as their node admin are
automatically updated with the new MSP and restarted.
12. Export this updated MSP, and in an out of band action, share the file with all of the members of the network who must
import it into their console. It is important for them to import the updated MSP, so when they create a new channel, they
are using the MSP definition with the latest admin certificate.
To verify that the update worked, open the MSP tile and view the updated expiration date.
Tip: To verify that this update worked successfully on the peer, after you associate the identity, you should be able to see
the list of channels that the peer is on and list the smart contracts that are installed on the peer.
Important: As with all application channel updates, this update needs to be performed by a channel operator and the
change will follow the channel update approval process according to the policy that was configured when the channel was
created.
If the peer organization MSP was not originally created with the Node OU configuration enabled, you also need to update all
application channels that include the MSP so that it uses the new admin certificate. When the Node OU configuration is enabled,
the MSP uses the value of the OU inside the certificate to determine if the identity is an admin in addition to checking the admin
section of the MSP definition.
If this is a peer admin MSP that is an ordering service consortium member, the ordering service admin needs to update the
ordering service system channel. Because the ordering service system channel serves as a template for new application
channels, taking this action keeps it current as the associated MSPs are updated. Before attempting these steps, the ordering
service admin should have already imported the updated MSP from step two into their console.
1. From the Nodes tab, the ordering service admin opens the ordering service tile.
2. Delete the existing consortium member that contains the original MSP definition, and then add the consortium again with
the new admin certificate by clicking Add organization. Browse to the new MSP JSON file from step two.
Step six: Update ordering service admin on ordering service system channel
If your cluster does not use a system channel, skip this step. To verify if a cluster uses a system channel, click the cluster tile and
check the Orderer Type.
If the updated certificate is for the ordering service MSP admin, you need to update the ordering service.
3. From the Existing MSP ID tab, select the MSP that needs to be updated and then select theoriginal identity to sign the
request. You must use the original identity for this step because it's the only one with permission to make channel
updates. This action replaces the existing MSP definition for the ordering service admin with the updated MSP with the
new admin certificate.
Important: Similar to step four, this update needs to be performed by a channel operator and the change will follow the
channel update approval process according to the policy that was configured when the channel was created.
If the orderer organization MSP was not originally created with the Node OU configuration enabled, you also need to update all
application channels that include the MSP so that it will use the new admin certificate. When the Node OU configuration is
enabled, the MSP uses the value of the OU inside the certificate to determine if the identity is an admin in addition to checking
the admin section of the MSP definition.
Orderer organization admin identities cannot update an application channel. Therefore, a consortium member needs to import
the updated orderer organization admin MSP into their console and then complete the following steps:
1. Open the peer or ordering node tile and click theSettings icon and then Update certificates:
2. Click Add certificate and browse to the updated certificate .pem files. You do not have to replace all of them, but if you
provide an enrollment certificate, you also need to provide the associated key file. And likewise, if you provide a TLS
certificate you also need to provide the associated key.
3. When you click Update certificates, the peer or ordering node is restarted. Verify the renewal is successful by examining
the updated enrollment and TLS certificate expiration dates.
If you updated the ordering node TLS certificate, the following additional steps are required:
Update the consenter set on the ordering service system channel (TLS certificate renewal only)
When you update the TLS certificate, you also need to update the consenter set on the ordering service system channel. This
action ensures that any new application channels which include this ordering node as a consenter will use the updated TLS
certificate.
Note: In order to update the ordering service, you must have the ordering service organization admin identity in your
wallet.
1. Go back to the Ordering service page and scroll down to the Ordering service consenters table.
2. Click the action menu next to the URL, and click Update orderer certificates.
3. After you copy and paste the name of the ordering service consenter set, displayed at the top of the side panel, and click
Update consenter, the base-64 encoded TLS certificate is added to the consenter set of the ordering service system
channel.
Update the consenter set on the application channel (TLS certificate renewal only)
Next we have to update the TLS certificate for this ordering node on all application channels that include this ordering node as a
consenter. Until you complete these steps and enough channels members approve the generated channel update request, the
ordering node is not able to act as a consenter on the channel. Therefore, ensure there are enough other ordering nodes
available in the consenter set to maintain quorum while this node is unavailable.
Note: In order to update the application channel, you need to have the channel member admin identity in your wallet.
Expired certificates
When certificates expire, it is likely that peer, orderer, and channel operations will fail, but it is still possible to update the
certificates. The process to address them depends on whether they are MSP admin certificates or enrollment certificates.
Register a new user and enroll the identity for a new peer organization or orderer organization admin identity with the same CA
that the existing peer or orderer organization admin was registered with.
Fabric includes a setting that allows the channel to ignore expiration checks in order for channel updates to be applied to fix
expired certificates. You need to override the NoExpirationChecks setting on each ordering node in the ordering service.
1. Open the ordering service and click the Ordering nodes tab.
2. Open the first ordering node and click the Settings icon.
3. In the side panel, click Edit configuration JSON (Advanced)
{
"General": {
"Authentication": {
"NoExpirationChecks": true
}
}
}
6. Repeat these steps for each ordering node in the ordering service.
Now you are able to update the expired certificates in the channel, see steps 4 - 7 for details. When you are finished, you need
to remove the override by using the same process but this time setting the override snippet to:
$ ```json
{
"General": {
"Authentication": {
"NoExpirationChecks": false
}
}
}
```
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
echo <base64_string> | base64 --decode $FLAG > <key>.pem
Run the following command to display the PEM encoded certificate in a human-readable form:
$ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
20:3d:3e:c5:31:4f:85:7a:30:9f:b5:67:47:3d:b0:10:70:80:f6:18
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server-org1CA
You can find the expiration date in the Validity section and follows Not After: . In this example, the certificate expires on
November 28, 2019.
Export an MSP
MSPs can be exported from the console to your local file system. Navigate to theOrganizations tab and click the MSP that you
want to export. Click the Export icon to download the MSP to a JSON file on your local system.
Share the JSON file with all of the members of the network who must import it into their console. It is important for them to
import the updated MSP, so that when they create a new channel, they are using the MSP definition with the latest admin
certificate.
Import an MSP
When another organization member shares their MSP with you, importing it into your console is important to ensure you are
using the latest version of their organization MSP.
If you previously imported the MSP into your console, you need to update the definition.
1. If a certificate expires in more than five years, the expiration date is not visible from the console.↩
2. If a certificate expires in more than five years, the expiration date is not visible from the console.↩
3. If a certificate expires in more than five years, the expiration date is not visible from the console.↩
Target audience: This topic is designed for network operators who are responsible for creating, monitoring, managing, and
upgrading their components in the blockchain network.
After a node has been created, there are three main ways to update it.
1. Update its configuration. Just as it is possible to override configuration parameters when deploying a node, it is possible
to edit many parameters and redeploy the node. For more information, see our topic on Advanced deployment options.
2. Increase the resources allocated to it. If you notice that the performance of a node is beginning to lag or that its storage
is beginning to run out, you can choose whether to deploy a larger node and join it to channels or whether to increase the
resources allocated to your existing node.
3. Upgrade its Fabric version. Every node is deployed using a release version of Hyperledger Fabric. When new versions of
Fabric become available on IBM Blockchain Platform, Upgrade available is visible on the tile representing the node. While
upgrading to a new version of Fabric is always recommended, unless is rendered necessary by the capabilities of channels
you want to join, it is typically optional. For more information, check out Upgrading to a new version of Fabric.
In this topic, we'll cover the process for reallocating resources, upgrading to a new version of Fabric, and deleting nodes.
Important: Resizing a node requires the containers to be rebuilt, which can cause a delay in the functioning of the node.
Note: We recommend using the IBM Cloud Monitoring tool in combination with your IBM Cloud Kubernetes dashboard to
monitor your Kubernetes resource usage. When you determine that a worker node is running out of resources, you can
add a new larger worker node to your cluster and then delete the existing working node.
While it takes less effort to deploy enough resources to your Kubernetes cluster from the start and therefore be able deploy and
expand resources without having to increase the resources in your cluster, the bigger the deployment, the more it will cost.
Users need to consider their options carefully and recognize the tradeoffs that they are making regardless of the option that they
choose.
You can scale your cluster manually by monitoring your nodes and either adding more nodes or larger nodes. While this process
can be labor intensive, it has the advantage of allowing the user to always be certain what is being charged to their cloud
account.
A Kubernetes cluster on IBM Cloud includes the ability to use anautoscaler that can scale your worker nodes up or down in
response to your pod spec settings and resource requests. For more information about the autoscaler and how to set it up, see
Scaling Kubernetes clusters or Scaling OpenShift clusters in the IBM Cloud documentation. Note that allowing the autoscaler to
adjust your resources will result in charges to your IBM Cloud account that will vary automatically with your usage.
To scale manually in the console, click the node that you want to adjust on theNodes page and then click the Usage tab. You
can see a button called Reallocate, which will launch a Resource allocation tab that is very similar to the one that you saw when
you created the node. If you want to lower the amount of available resources, simply provide lower values and click Reallocate
resources on that tab and the resulting Summary page.
If you want to increase the CPU and memory for a node, use theResource allocation panel in the console to increase the
values. The white box at the end of the page adds up the new values. After clicking Reallocate resources, the Summary page
The method you will use to increase storage will depend on the storage class you chose for your cluster. Refer to theKubernetes
or OpenShift storage options in the IBM Cloud documentation. If you are about to exhaust the storage on your peer or ordering
node, you might need to deploy a new peer or ordering node with a larger file system and let it sync via your other components
on the same channels.
In IBM Cloud, CPU and memory can be increased using the console if you have resources available in your Kubernetes cluster on
IBM Cloud. However, storage must be increased using the IBM Cloud CLI. For a tutorial on how to do this, see Changing the size
and IOPS of your existing storage device on your Kubernetes or OpenShift cluster.
Tip: Note that you do not need to adjust the CPU, memory, or storage for your smart contract pods. These pods will
automatically use as many resources as they need to function efficiently. In cases where your smart contracts are
struggling because of insufficient resources, you will have to address this at the cluster level.
$ PVC {"plugin":"ibm-file-plugin-77497497cc-5qm58","region":"us-
south","cluster":"05ccfca248dc4c389978d074524e0a8e","type":"Endurance","ns":"n4c817f","pvc":"n4c817forg1ca
-fabric-ca-pvc","pv":"pvc-63074ac8-8b9b-11e9-88db-
222bd59fb4bc","storageclass":"default","reclaim":"Delete"}
To see the same information from the command line, log in to your cluster and enter this command:
This will allow you to map the output from the pods to the nodes you have deployed.
If you are using VPC infrastructure, see About block storage for VPC for more details.
Adding storage
As you monitor your pods and notice that more storage is needed, you can increase storage when additional storage is available.
The following links provide more information about how to increase storage after your network is deployed.
Users can allocate more storage to their running network by resizing the existing storage PVCs or by deploying nodes with new
PVCs.
While some new versions of Fabric only require updating the Fabric version on nodes, some include new channel capabilities
that must also be updated.
In these cases, the process of "updating to the latest" release is, at a high level, a two step process:
Important: You must upgrade nodes before you update the channels. If a node attempts to read a configuration block
containing a capability level it does not understand (which is true in cases where the capability is a higher level than the
node version), the node will crash on all channels. The node must then be upgraded to the appropriate Fabric version
before it can be used again.
1. Backing up the persistent volumes associated with the node. These backups ensure that in the case of an upgrade failure
in which the peer pod is corrupted that the node can be re-deployed using the ledger. For more information, see Backup
considerations for each node type.
2. Upgrading the Fabric versions of the nodes one at a time (also known as a "rolling upgrade").
Tip: It may also be necessary to update SDKs and smart contracts before you can take advantage of the latest Fabric
features. For more information, check out Step three: Update SDKs and smart contracts.
Attention: To update to Fabric v2.2, the recommended process (below) adds a new peer, rather than updating an existing peer
in place. Adding a new peer avoids the extended time to rebuild CouchDB (if applicable) and downtime when an existing peer is
updating. The final step then deletes the replaced peer.
Attention: Most application solutions do not interact with CAs continually, in which case CAs can be upgraded with no impact to
application usage. However, any application flows that use fabric-ca functionality may be unavailable for 1-2 minutes during the
update.
1. Using your console, navigate to your Certificate Authority and select the first CA node. Click onupgrade available and
select 1.5.5-2 or later.
2. The CA node will restart with the upgrade installed.
3. Repeat the steps for each CA node.
1. Using your console, navigate to the ordering service and select the first ordering node. Click onupgrade available and
select 2.2.10-1 or later. Click through the confirmations dialogs.
2. The node will restart using the 2.2.10-1 (or selected) image. Transaction processing will continue during the node restart,
because the remaining four orderer nodes make a quorum. The selected orderer node will be unavailable for 1-2 minutes
during the update. ATTENTION!!: If the updating orderer node does not restart and come back online successfully, please
contact IBM Support. DO NOT attempt to update any remaining orderer nodes before contacting IBM Support.
3. Repeat the procedure for each remaining orderer node.
ATTENTION!!: When creating new v2.2 peers using the steps below, selecting 2.2.10-1 is highly recommended - other
selectable versions may have chaincode implications.
1. Before upgrading any peer with CouchDB installed, you must rebuild the CouchDB state database from CouchDB v2.x to
v3.x. The recommended process is to add a new peer, and then let the database synchronize. This removes the downtime
that would occur when upgrading in place. Then continue as follows, for peers both with and without CouchDB:
2. Add a new peer using your console. Do NOT install chaincode on the new peer.
3. Remove the new peer from both peer gossip and service discovery, as follows:
a) Get the Custom Resource Definition (CRD) of the new peer, by running:
b) Back up the CRD: kubectl get ibppeer [IBPPEER_NAME] -n [NAMESPACE] -o yaml > ibppeer_crd_backup.yaml
e) Delete the peer deployment: kubectl get deployment -n [NAMESPACE] and then: kubectl delete deployment
[PEER DEPLOYMENT NAME] -n [NAMESPACE]
f) The peer will restart - then it should not be discoverable by application service discovery. DoNOT update the client
connection profiles at this time.
4. Add the new peer to the channel(s) that existing peers are participating in. DoNOT install channel chaincode on the new
peer.
5. Let the new peer synchronize its blocks, to the block height of the existing peers.
a) Get the Custom Resource Definition (CRD) of the new peer, by running: kubectl get ibppeer -n [NAMESPACE]
b) Back up the CRD: kubectl get ibppeer [IBPPEER_NAME] -n [NAMESPACE] -o yaml > ibppeer_crd_backup.yaml
e) Delete the peer deployment: kubectl get deployment -n [NAMESPACE] and then: kubectl delete deployment
[PEER DEPLOYMENT NAME] -n [NAMESPACE]
f) The new peer will restart - then it should begin participating in service discovery and getting new blocks. Application
8. Test the new environment by running applications with all peers (original and new) enabled.
9. (Recommended) Test applications by turning off the peer that is being replaced, as follows:
a) Run: kubectl patch [ibppeer-name] -n [namespace] -p= [{"op": "replace", "path":"/spec/replicas", "value":0}] -
type=json
11. Repeat the prior steps for each peer you are updating.
Important: Upgrading IBM Blockchain Platform nodes directly from Hyperledger Fabric 1.4.x to the latest Fabric version
is possible, but deploying a new Fabric 2.2.x peer instead of upgrading is recommended. Fabric installation is done by
IBM Blockchain Platform, but can take hours or days depending on the size of the database to be built. See the Fabric
documentation on upgrading for more information.
If your Fabric v1.4 nodes use Node.js chaincode, use the following sequence to upgrade these nodes from Fabric v1.4 to v2.4:
However, if you are not taking regular backups, it is recommended that you minimally take a backup before attempting to
upgrade a node, as it allows for a node to be restored to an earlier running state in cases where the upgrade fails. For
information about how to backup your nodes by taking a snapshot of the relevant persistent volumes, check out Taking
snapshots.
Tip: If you are upgrading both peer and ordering node binaries, it is a best practice to upgrade the ordering nodes first, as
ensuring that the ordering nodes (and by extension, the ordering service) is functioning correctly is more important to the
health of your network as a whole than the functioning of any particular peer.
The process for upgrading a node is relatively straightforward. First, make sure you are using the console where the node was
created. You cannot use the console to update imported nodes. When a node upgrade is available, Upgrade available is visible
on the node tile. If Upgrade available does not appear on the tile when it should be there, make sure your console is using the
latest version using the Refresh cluster feature.
The node will be unavailable during the upgrade. The status was turn grey and will readStatus unknown or Unavailable. When
the upgrade has completed, the status will turn green and be Ready. If the upgrade fails and the node lapses into an
unrecoverable state, follow the instructions for Restoring nodes from a snapshot.
It is a best practice to only upgrade one node of each type at a time. In other words, if you need to upgrade both peers and
ordering nodes, you can start a single peer upgrade and a single ordering node upgrade at the same time. However, do not
attempt to upgrade multiple peers or multiple ordering nodes at the same time, as this threatens the availability of your
components.
It is not possible to upgrade an ordering node if any node in your ordering service is down for any reason. Coordinate with all of
the administrators of your ordering service before attempting to upgrade.
Tip: It is a best practice to upgrade your SDK to the latest version as part of a general upgrade of your network. While the
SDK will always be compatible with equivalent releases of Fabric and lower, it might be necessary to upgrade to the latest
SDK to leverage the latest Fabric features. Also, after upgrading, it's possible your client application may experience
errors. Consult the your Fabric SDK documentation for information about how to upgrade.
Although support for Fabric 2.0 networks was added to the platform, you can still run your existing smart contracts on your
peers that run a v1.4 image on a channel with an application capability level of 1.4 or lower. Should you later decide to upgrade
your peer to a v2.x image and update your channel application capability level to 2.0, you may need to update your existing
smart contract. However, after you upgrade your peer image to v2.x and channel application capability v2.x, there is no longer a
way to update the original smart contract. Instead, when an update is required, you need to repackage the smart contract in the
new .tar.gz or .tgz format using v2 of the VS Code extension and then propose the definition to the channel using the new
smart contract lifecycle process.
Node
If your smart contract was written in Node, then you might need to update it. By default, a Fabric v1.4 peer will create a Node v8
runtime, and a Fabric v2.x peer creates a Node v12 runtime. In order for a smart contract to work with Node v12 runtime, the
fabric-contract-api and fabric-shim node modules must be at v1.4.5 or greater. If you are using a smart contract that
was originally written to work with Fabric 1.4, update the Node modules by running the following command before deploying the
smart contract on a Fabric v2.x peer. See Support and compatibility for fabric-chaincode-node for more information.
Go
Because Fabric v2.x peers do not have a "shim" (the external dependencies that allowed smart contracts to run on earlier
versions of Fabric), you need to vendor the shim and then repackage any smart contracts written in Golang (Go) that use the Go
SDK. "Vendoring the shim" effectively means that you are copying the dependencies into your project. Without this vendoring
Java
The build.gradle file for the smart contract must be updated:
1. If the smart contract uses the shadowjar 2.x plugin, then it should be updated to version 5 by using the following code:
plugins {
id 'com.github.johnrengelman.shadow' version '5.1.0'
id 'java'
}
2. The repositories section of the file must contain the maven URL for jitpack , for example:
repositories {
...
maven {
url 'https://jitpack.io'
}
}
Init functions
If the smart contract was written using the low-level APIs provided by the Fabric Chaincode Shim API, your smart contract
needs to contain an Init function that is used to initialize the chaincode. This function is required by the smart contract
interface, but does not necessarily need to be invoked by your applications. Because you cannot use the console to deploy a
smart contract that contains an Init function, you need to move that initialization logic into the smart contract itself and call it
separately. For example, the smart contract can use a reserved key to check whether the smart contract has already been
initialized or not. If not, then call the initialization logic, otherwise proceed as usual. If your smart contract needs to include the
Init function, the only way to deploy it is by using the Fabric peer lifecycle chaincode install command or the IBM Blockchain
Platform collection for Ansible. You can also refer to the Fabric documentation for more details on how to use an Init function
with the Fabric chaincode lifecycle.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
After you have updated your smart contract, use v2 of the VS Code extension to repackage your smart contract.
For a look at how the new lifecycle is administered in the console, check out Deploy a smart contract using Fabric v2.x. For a
look at the possibilities the new lifecycle opens up, check out Writing powerful smart contracts.
For more information about capabilities and how to update a channel configuration to enable them, check out Capabilities.
Deleting components
However, there are cases in which this type of deletion will not be successful. For example, occasionally when a node fails to
deploy it will not be possible to delete it using the console. The same can be true if the console loses connection with the cluster
for some reason.
In these cases, it will be necessary to use the Kubernetes dashboard or delete the node or relevant pods manually. If you
attempt to delete pods that contain deployments such as peers, CAs, or ordering nodes, the pod will automatically restart and
not be permanently deleted.
Important: Because smart contracts installed on a 2.x peer are deployed into their own pods and not directly into the
peer container, they will not be deleted when a peer is deleted. They will have to be deleted either using the UI of your
cluster or by issuing kubectl commands. Smart contracts installed on a v1.4.x peer will be deleted when the peer is
deleted.
Because deployments are organized in Kubernetes by their "namespace", you need to know your Kubernetes cluster namespace
before you can delete components using the kubectl CLI. From the console, open any CA node and click the Info and Usage
icon. View the value of the API URL. For example: https://nf85a2a-soorg10524.ibpv2-cluster.us-
south.containers.appdomain.cloud:7054 . The namespace is the first part of the URL beginning with the letter n and
followed by a random string of six alphanumeric characters. So in the example above the value of the namespace is nf85a2a .
If you want to delete all of your smart contract pods, you can issue this command:
kubectl get po -n <NAMESPACE> | grep chaincode-execution | cut -d" " -f1 | xargs -I {} kubectl delete
po {} -n <NAMESPACE>
If you want to delete a single smart contract pod, you will first have to figure out the name of your smart contract pod.
First, get a list of all of the smart contract pods running in your cluster:
kubectl get po -n <NAMESPACE> | grep chaincode-execution | cut -d" " -f1 | xargs -I {} kubectl get po
{} -n <NAMESPACE> --show-labels
Your smart contract name and version is visible next to the chaincode-id.
To delete a single pod, issue this command, substituting the <POD_NAME> for the name of your pod, for example the smart
contract pod chaincode-execution-0a8fb504-78e2-4d50-a614-e95fb7e7c8f4 , as well as your <NAMESPACE> :
You can also use kubectl commands to delete all of the nodes in your cluster by issuing commands to delete each type of node.
First, set the namespace where the nodes you want to delete are located:
Then run the following commands to delete all of your blockchain nodes:
You may also choose to only delete all of a single type of node within a namespace, for example, by only issuingkubectl
delete ibppeer --all .
Tip: Note that if you delete your entire namespace, your smart contract pods will also be deleted. Your smart contract
pods will also be deleted, along with your nodes, if you delete your service instance using the Kubernetes dashboard in
IBM Cloud.
peer-endpoint or orderer-endpoint
You can find the operations endpoint URL of the peer or orderer in the peer or orderer JSON file that you export from the
console.
4. Find the operations endpoint URL that is the value of the operations_url parameter in the JSON file. This value is
referred to as the peer-endpoint or orderer-endpoint in the commands later in this topic. For example:
{
"short_name": "Peer1Org1_0",
"name": "Peer1 Org1",
{
"short_name": "Orderer_0",
"name": "Orderer",
"url": "https://169.46.208.93:31612",
"type": "fabric-orderer",
"msp_id": "orderermsp",
"operations_url": "https://169.46.208.93:30115"
}
You can find the certificate and private key of the TLS CA in the console.
You can find the TLS CA certificate of the peer or orderer in the console.
Note: For all the certificates and keys, you must convert the certificate strings, which are in base64 format, to individual .pem
files by using the following commands:
$ ```
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
echo <base64_string> | base64 --decode $FLAG > <key_name>.pem
```
curl -k https://169.46.208.93:3210/healthz
curl -k <peer-endpoint>/metrics --cert <client-tls-cert> --key <client-tls-key> --cacert <peer tls ca-
cert>
For example:
curl -k <peer-endpoint>/logspec --cert <client-tls-cert> --key <client-tls-key> --cacert <peer tls ca-
cert>
For example:
You can see the result that is similar to the following example:
$ {"spec":"info"}
For example:
After you set a new logging level, you can use the view logging level command to check your settings.
For more information about log level configuration, see Log level management in Hyperledger Fabric documentation.
$ {
"systemChannel": {
"name": "testchainid",
"url": "/participation/v1/channels/testchainid"
},
"channels": [
{
"name": "mychannel",
"url": "/participation/v1/channels/mychannel"
}
]
}
To list details for an application channel that is using an osnadmin service endpoint, run:
$ curl https://osntest-ordereranode1-admin.openshift4x-ibpv2-test-68e10f583f026529fe7a89da40169ef4-
0000.us-south.containers.appdomain.cloud:443/participation/v1/channels/mychannel --cert
/tmp/msp/orderera/ca/tls/msp/signcerts/cert.pem --key
/tmp/msp/orderera/ca/tls/msp/keystore/06fa54a3978e9df58778bce22b9140f043df920eb03150d1284d3579f70d57b5_s
k --cacert /tmp/msp/orderera/ca/tls/msp/cacerts/tlsca.pem
$ {
"name": "mychannel",
"url": "/participation/v1/channels/mychannel",
"consensusRelation": "consenter",
"status": "active",
"height": 13
}
For additional osnadmin information, see osnadmin channel in the Hyperledger Fabric documentation.
Manage ordering nodes (aka orderers) that are not on a system channel
Manage application channels that were created with Channel Participation APIs
Remove the system channel (and application channels) from ordering nodes (aka unjoin a channel)
System channel support remains, however removing the system channel is recommended.
Attention If you remove the system channel from an existing network, and you use Node.js chaincode, you should upgrade in
stages - see Upgrading Node.js chaincode below for details.
Target audience: This topic is designed for architects and system administrators who are responsible for planning, configuring,
Benefits
Operating without a system channel has the following benefits:
Increased privacy - A system channel is a shared entity for all organizations on the network. It is therefore impossible to hide
the existence of application channels, and their member organizations, from other members. By contrast, operating without a
system channel obscures all channel names and their members from other member organizations.
Increased performance - A system channel consumes a small amount of CPU, networking and storage resources that can be
instead utilized for application transactions. The capability to unjoin channels also enables optimizing ordering nodes, by
recovering CPU, storage and networking resources from application channels that are no longer needed.
Enhanced channel maintenance - The channel participation APIs are lighter weight, easier to use, and deliver additional
features, resulting in reduced code requirements for managing channel policies.
With no system channel, an orderer is simply created and started. It does not wait for a genesis block before becoming online.
The node will be online immediately and the channel participation APIs are available to use. Once an orderer has joined a
channel via a channel participation API request it will be considered either a consenter or follower of the application
channel. A consenter has its TLS certificate listed in the consenters field in the channel's configuration block, which
authorizes the node to participate in the ordering of transactions. A follower ordering node has joined an application channel,
but is not listed in the consenters field and cannot order transactions. Follower nodes can download the ledger to enable data
redundancy without additional consenter networking and communication overhead. Note that a follower orderer can always be
upgraded to a consenter orderer, and vice versa, by editing the application channel's config block.
Removal of the system channel means that the legacy concept of orderering nodes belonging to a centralized group (the
consortium of network organizations) is obsolete. Orderering nodes without a system channel are a much more loosely grouped
entity. They may or may not be members of the same channels, and each orderer can choose to join or unjoin any application
channel. This also means that appending orderers to an existing ordering cluster, and creating the ordering cluster from scratch,
now both follow the same path. Which is to create and start the orderers and then join them to an application channel.
1. Ensure that each ordering node in the Ordering Service is running Fabric v2.4.x or higher
2. Place the system channel into maintenance mode, using the Fabric Operations console UI, as follows:
From the Nodes tab, click the Ordering cluster tile
Click the Ordering nodes tab
Click the settings (gear) icon
Click the Maintenance button
Follow the prompts to turn maintenance mode on
1. From the Nodes tab, select the CA tile that this orderer cluster used (during create)
2. Find the row for the identity this orderer used and click the dot dot dot
3. On the enroll wizard select the TLS CA in the CA drop down (its important to select the TLS CA)
4. Type the enroll secret that was used earlier when creating the orderer
5. Follow any other directions in the enroll wizard and click submit
6. If you browse back to the nodes page and select the Orderer Cluster tile the TLS identity error should be gone
1. Upgrade any v1.4.x peers to v2.2.x (note that earlier Node.js v12 chaincode will continue to work, because Fabric v2.2.x
provides both Node.js environments (v12 and v16)
2. Update your chaincode locally to use a Node.js v16.14.2 (or later v16.x.x) environment
3. Perform a Fabric chaincode upgrade on each channel where this chaincode is used
4. Upgrade your v2.2.x peers to Fabric v2.4.x
The IBM® Blockchain Platform Developer Tools provide an environment within Visual Studio Code for developing, packaging, and
testing smart contracts. You can use the tools to create your smart contract project and get started developing your business
logic. You can then use the tools to test your smart contract either on your local machine by using a preconfigured instance of
Hyperledger Fabric, or by connecting to an IBM Blockchain Platform network, before you deploy the smart contract to the IBM
Blockchain Platform. This tutorial describes how to install and use the Developer Tools.
Note: The IBM Blockchain Platform extension works seamlessly with any instance of the IBM Blockchain Platform that
uses Hyperledger Fabric versions 1.4 and later. This tutorial is oriented toward users of the high-level Fabric smart
contract programming model. If you are using low-level smart contract APIs, you can find additional instructions in the
IBM Blockchain Platform extension documentation. For more information, see the Writing Your First Chaincode tutorial in
the Fabric documentation.
Prerequisites
Windows 10, Linux, or Mac OS are currently the supported operating systems.
VS Code version 1.40 or greater.
Docker version v17.06.2-ce or greater.
If you are developing Go smart contracts, you need to install Go version v1.12 or greater. Note that if you are using Fabric
v2.x, you will need Go version v1.13 or higher instead.
If you are developing Node smart contracts, you need to install Node ^10.15.3 or ^12.15.0 and npm v6.x or greater.
If you are using Windows, you also must ensure the following:
The IBM Blockchain Platform Developer Tooling includes guided tutorials to help you get started. The tutorials provide step-by-
step instructions on how to develop and test your smart contract project, as well has how to deploy the smart contract to a
network on IBM Cloud. You also can find sample smart contracts that are available for you to download.
To navigate to the tutorials from within VS Code, click the blockchain icon in the left navigation and then click the IBM
Blockchain Platform icon at the upper right corner to view the extension homepage. On the homepage, you can find a link to the
tutorials gallery and the sample smart contracts.
Figure 4. Click on the IBM Blockchain icon in the upper right corner to navigate to the tutorials and sample code
1. Click the IBM Blockchain icon to open the IBM Blockchain tab. Click the overflow menu in the smart contracts pane and
click Create New Project.
2. Select the smart contract type to generate. The Default Contract example is recommended for first-time users and
demonstrates how to perform create, read, update, and delete operations to the public ledger that's shared by all network
members. The Private Data Contract example demonstrates how to perform create, read, update, delete, and verify
When the project opens, you can find the new smart contract in the explorer window in the left pane. The structure of the project
depends on the language that you selected. However, each smart contract contains the same elements:
The source code of the smart contract. If you selected to create a JavaScript or TypeScript contract, the extension builds a
basic smart contract by using the fabric-contract-api with a series of functions that manage your example asset. For
example, if you selected bond, you can find the functions of createBond, updateBond, readBond, bondExists, and
deleteBond.
A test file.
The accompanying smart contract dependencies.
Node
If your smart contract was written in Node, then you might need to update it. By default, a Fabric v1.4 peer will create a Node v8
runtime, and a Fabric v2.x peer creates a Node v12 runtime. In order for a smart contract to work with Node v12 runtime, the
fabric-contract-api and fabric-shim node modules must be at v1.4.5 or greater. If you are using a smart contract that
was originally written to work with Fabric 1.4, update the Node modules by running the following command before deploying the
smart contract on a Fabric v2.x peer. See Support and compatibility for fabric-chaincode-node for more information.
Go
Because Fabric v2.x peers do not have a "shim" (the external dependencies that allowed smart contracts to run on earlier
versions of Fabric), you need to vendor the shim and then repackage any smart contracts written in Golang (Go) that use the Go
SDK. "Vendoring the shim" effectively means that you are copying the dependencies into your project. Without this vendoring
and repackaging, the Go smart contract cannot run on a peer using a Fabric 2.x image. If you are using the IBM Developer Tools
to develop and package your smart contract, the tooling performs the vendoring for you. This process is not required for smart
contracts that are written in Java or Node.js, nor for Go smart contracts that use the Go contract-api.
Java
The build.gradle file for the smart contract must be updated:
1. If the smart contract uses the shadowjar 2.x plugin, then it should be updated to version 5 by using the following code:
plugins {
2. The repositories section of the file must contain the maven URL for jitpack , for example:
repositories {
...
maven {
url 'https://jitpack.io'
}
}
Init functions
If the smart contract was written using the low-level APIs provided by the Fabric Chaincode Shim API, your smart contract
needs to contain an Init function that is used to initialize the chaincode. This function is required by the smart contract
interface, but does not necessarily need to be invoked by your applications. Because you cannot use the console to deploy a
smart contract that contains an Init function, you need to move that initialization logic into the smart contract itself and call it
separately. For example, the smart contract can use a reserved key to check whether the smart contract has already been
initialized or not. If not, then call the initialization logic, otherwise proceed as usual. If your smart contract needs to include the
Init function, the only way to deploy it is by using the Fabric peer lifecycle chaincode install command or the IBM Blockchain
Platform collection for Ansible. You can also refer to the Fabric documentation for more details on how to use an Init function
with the Fabric chaincode lifecycle.
Attention! The IBM Blockchain Platform Extension for VS Code (VS Code extension) referenced throughout the
documentation is an open-source project which is no longer active, and therefore not officially supported by IBM. Refer to
the alternatives to the VS Code extension.
After you have updated your smart contract, use v2 of the VS Code extension to repackage your smart contract.
1. Open your smart contract project in VS Code by clicking File and then click Open .... You can also click Open Workspace if
you saved your project as a workspace. Ensure that you have the smart contract project open in the file viewer.
2. Click the IBM Blockchain icon to open the IBM Blockchain tab.
3. In the Smart Contracts pane, click the overflow menu and select Package Open Project. You are asked for the name of
the package and the version. You will also need to select whether you want to package it as a .tar.gz (for deploying to a
channel with V2 application capability) or .cds (for deploying to a channel with V1 application capability). To find out the
channel capabibilities/version, hover your mouse over the channel in the Fabric Environments panel that you wish to
deploy to. This will display a tooltip containing the channel capabilities.
If you have one smart contract project, it is packaged automatically and be displayed in theSmart Contracts pane.
If you have multiple smart contract folders open, you are asked which one to package.
If you have no smart contract folders open, you get an error message.
If you want to control which files in the project are packaged, you can create a .fabricignore file in the top-level directory of
your smart contract project. The file and pattern format for a .fabricignore file is the same as a .gitignore file, for
example:
$ /.classpath
1. In the IBM Blockchain Platform extension panel, right-click the smart contract package and selectExport Package.
2. Choose the directory to save your smart contract package file and clickExport.
You can also import an existing smart contract package into the IBM Blockchain Platform pane:
1. In the Smart Contracts pane, click the overflow menu and select Import a Package.
2. Browse to the smart contract package that you want to import, and clickImport.
You can also click Delete Package to remove the smart contract package from the list of packages.
To deploy a smart contract to a preconfigured network, you can use an existing IBM Blockchain Platform network. See the
instructions in Step six to connect to that network.
The VS Code extension creates a basic Fabric network that includes one orderer, one peer, and one certificate authority. The
peer is joined to a channel named mychannel . You can find the list of nodes, organizations, and channels that belong to the
network in the Fabric Environments pane. Above these nodes, you can find the list of smart contracts that are deployed on your
channels.
Use the following steps to create a new one organization or two organization network:
This will then take a few minutes to create a local Fabric network including the environment, gateways, and wallets.
Selecting Teardown will completely remove the local Fabric network. Note: This removal results in the loss of the ledger and
world state data.
Selecting Delete will perform a Teardown as well as remove the network from the Fabric Environments pane.
Follow these steps if you have your channel is configured with application capability V2 or higher and a .tar.gz smart contract
package.
1. Check that you are connected to the network in the Fabric Environments pane.
2. Expand the channel that you want to deploy your smart contract to.
3. Click + Deploy smart contract.
There are three steps to deploying a smart contract by using the deploy view.
Step 3: Deploy
1. Click Deploy to automatically install, approve, and commit the smart contract on all of the networks peers.
2. (Optional) Use the Perform commit toggle to enable or disable committing this smart contract definition to the channel.
3. (Optional) Click Additional peers to endorse commit transactions to select or deselect any available additional peers that
you need to approve this smart contract definition.
At this point, you smart contract is now "committed" on the channel.If you have changed your smart contract code and then
repackaged it, you can use the deploy view and follow the same steps as above to upgrade the smart contract definition that you
have deployed to the network.
1. Check that you are connected to the network in the Fabric Environments pane.
2. Expand the channel that you want to deploy your smart contract to.
3. Click + Deploy smart contract.
There are three steps to deploying a smart contract using the deploy view.
Step 3: Deploy
1. Click Deploy to automatically install and instantiate (or upgrade) the smart contract on all of the networks peers.
2. (Optional) Enter the function name to call on instantiation/upgrade.
3. (Optional) Enter the function arguments to call on instantiation/upgrade.
At this point, you smart contract is now instantiated on the channel.If you have changed your smart contract code and then
repackaged it, you can use the deploy view and follow the same steps as above to upgrade the smart contract that you have
deployed to the network.
1. Ensure that your smart contract is deployed to a channel, and that you are connected to the network.
2. In the Fabric Gateways pane, expand the Channels dropdown. Click the channel that the smart contract is instantiated or
committed on.
3. Expand the smart contract that you want to interact with. You can find the list of transactions that are listed beneath your
smart contract.
4. Right-click the transaction to submit, and selectSubmit Transaction. For example, if you created and packaged the
example bonds smart contract, click createBond.
5. Enter any arguments that the transaction requires, and press Enter. For example, enter ["bond01","100"] to create your
first bond.
6. (Optional) Enter any arguments that will be submitted as transient data. Transient data is not stored on the channel ledger
in order to keep the data private.
You can then use the Fabric SDKs and the connection profile to enroll your admin identity by using the usernameadmin and the
password adminpw . You can then use this identity to invoke your smart contract or register and enroll additional users.
After the test file is built, the tests can be run by clicking theRun Tests button in the file.
Invoke a smart contract that has been instantiated or committed on your channels
You can download your connection profile from the IBM Blockchain Platform console to build a gateway in theFabric Gateways
pane. You can then use the gateway to invoke the smart contracts that were deployed on your channel.
Open the IBM Blockchain Platform console that is associated with your instance of the IBM Blockchain Platform. Navigate to the
Organizations tab and click the Organization MSP tile for the organization that your client application will interact with. Click
Create connection profile to open a side panel that allows you to build and download your connection profile to your local file
system. Then, create an application identity by using your CA and save the enrollID and secret. Use the following steps to
connect to the IBM Blockchain Platform from VS Code.
After you connect to the IBM Blockchain Platform from VS Code, you can see the list of channels joined by your organization
peers under the gateway. Under each channel, you can see the list of smart contracts that are instantiated or committed on each
channel and the transactions within each smart contract. You can submit transactions to your network by right-clicking a
function and selecting Submit Transaction and passing the required arguments. You can also generate a test file for the smart
contracts that are instantiated on your channels.
You can also import the IBM Blockchain Platform network into the Fabric Environments pane of the extension. You can then use
the extension to deploy smart contracts on your network.
You can export nodes from your console and then import them from another console. You can use the same process to export
nodes from your console and then import them into the Fabric Environments pane. The easiest way is to use the extension to
automatically discover the console and import the nodes.
1. Navigate to the Settings tab in the left navigation. You can see a section that is calledBulk data management that
contains two buttons. The Export button opens a panel on the right.
2. Check the box to export your identities. You can deselect the other options.
3. Click Export to download the identities to your local file system in .zip file. Extract the file when the download is complete.
You can then import the nodes of your network into the extension.
Tip: In steps 5 and 6, you can alternatively enter an API key and secret that you generate using the IBM Blockchain
Platform REST APIs.
You also need to import your admin identities into the wallet pane and associate them with your nodes. You need to associate an
admin identity with your peers, CA, and an ordering node before you can connect with your network.
1. Click on the environment that you created in the Fabric Environments pane.
2. You can see an Alert sign next to the peer and ordering node. Click on the alert to associate an admin identity with the
node.
When you have associated an admin identity with your peers, CA, and an ordering node, you can connect to your network and
use the extension to deploy smart contracts.
1. Hover your mouse over the Fabric Wallets pane and click +.
2. Choose to Create a new wallet and add an identity from the options. Provide a name for your wallet and your identity.
3. Enter the MSP ID of your organization.
4. Choose to add a certificate and private key.
5. If you use a certificate and private key, browse to the certificate and private key.
You can also add new users to the wallets that have already been created:
1. In the Fabric Wallets pane, right-click a wallet and select Add Identity.
2. Provide a name for the identity and an MSP ID.
3. You can upload a JSON file, provide a certificate and private key, or provide an enrollment ID and secret.
If you are connecting to a network on the IBM Blockchain Platform, you can download an identity from your IBM
Blockchain console, either by exporting an identity from your wallet or by enrolling and then exporting an identity
using your Certificate Authority. You can then upload the JSON file directly to VS Code.
If you use a certificate and private key, browse to the certificate and private key.
If you use an enrollment ID and secret, choose the gateway to enroll with and enter the enrollment ID and secret.
This same spirit of decentralization and collaboration also drove the development of a new series of processes around installing,
managing, and using smart contracts (these processes are known as the “lifecycle” of a smart contract).
While these new processes are somewhat more elaborate and require more planning and forethought than the "old" lifecycle (in
which a single organization proposed a smart contract instantiation on a channel), the new lifecycle provides many new powerful
and elegant opportunities to satisfy a wider set of business use cases.
This topic will show how these opportunities can be exploited both during development of a smart contract and during its
lifecycle servicing a channel.
Smart contracts were proposed for instantiation by a single channel member. Organizations could not formally propose
endorsement policies or other smart contract parameters within the context of official Fabric processes.
Organizations collaborate in the channel-level decision making process regarding smart contracts.
Fingerprint matches are no longer required.
Smart contracts can be updated in some ways without the need for re-instantiation at a channel level.
Different organizations and peers can install smart contracts that only contain code relevant to their business role, yet still
be able to transact with other organizations and peers that contain only the code relevant to their role, while maintaining
deterministic outcomes. More on this later.
The latter contains the actual code representing the business logic of the smart contract. When a peer is contacted to “endorse”
a transaction or not, the package contains the code that runs and generates the read/write set.
The definition of a smart contract, on the other hand, contains information like the name, version, and endorsement policy of the
smart contract. These definitions can be proposed by any channel member but must be approved (on a per-org basis) by enough
organizations to satisfy the “lifecycle endorsement policy” of the channel, after which the definition is committed to the channel.
This lifecycle endorsement policy can in theory be anything (including allowing any organization to commit a definition, or just a
single organization), but generally speaking will, in the spirit of collaboration, be something like a “majority of channel admins”.
This separation of the definition (agreed to at the channel level) and the package that’s installed on the peers has powerful
implications for how smart contracts can be written and managed, as we will see.
Taking advantage of the ability for each organization to use a separate package
The elimination of the need for the smart contracts to exactly match their fingerprints opens up exciting new possibilities when
developing smart contracts.
First, to address a natural question: how can results be predictable (or, more to the point, deterministic) if peers in different
organizations aren’t running the same code?
An analogy might help to explain. If two people attempt to multiply two numbers together (33 by 7, for example), one might
decide to multiply 30 by 7 and also 3 by 7 and then add the two resulting numbers together. While the other person might not
use this trick, or choose to use a calculator. It’s not important that both people use the same process, only that they arrive at
the same answer.
The same basic principle is true for different smart contract packages running on different peers producing the same read/write
set, given a set of inputs. As long as the smart contracts running on every peer on a channel produce the same read/write set, it
does not matter if they are running exactly the same code.
You certainly can, and it is probably advisable to run the same (or at least similar) code in order to eliminate corner cases that
might emerge if substantially different code is being run against the same data.
However, consider a scenario in which the various organizations on a channel are all executing transactions against a set of data
Org A should, logically, be allowed to request an ad be placed, and also to query ads. Since their identity would lack the proper
permissions to create an ad, why should the smart contract they install on their peer contain the relevant code for creating an
ad? It’s just unnecessary waste and clutter.
Similarly, Org B would logically be able to query ads and to create them. But they would have no use for the ability torequest an
ad be placed since they already have the ability to create them.
A hypothetical third Org might only need the ability to verify information without actually needing the ability to query or create
information of its own, a popular use case for government entities or other kinds of regulators.
While the desire to reduce unnecessary code clutter is always worthwhile on its own, this ability for different organizations to
have different smart contracts is particularly useful in scenarios when the code to perform certain actions might contain
sensitive information (the location of a server where ads are created, for example).
While the “old” lifecycle did include ways to separate roles through a permissions structure, the ability for different orgs to have
different packages is a more secure and holistic approach to the separation of concerns central to blockchain networks, and
should be taken in account when developing smart contracts to run using the new lifecycle.
In any case, it is a best practice for smart contracts to be tested extensively (preferably on a test channel dedicated to this
purpose) to ensure that all smart contract packages produce the same result, regardless of the underlying code generating that
result. However, keep in mind that as long as an errant result is not reached by enough peers to satisfy the endorsement policy
of a smart contract, the integrity of ledger data will be maintained.
Tip: While the packages themselves can be different, the names of the packages must be identical and conform to the
name given to the smart contract in the definition committed to the channel. If the packages have different names, the
system will believe that the smart contracts do not contain compatible business logic.
In the onboarding example, it is likely that only the smart contract definition will need to be updated to reflect the new
organization’s ability to endorse transactions (if that will indeed be their role). If the underlying business logic contained in the
package changes, on the other hand, then both the package and the definition will have to change (the latter to reflect a new
version).
While updating the version in the definition is enforced by Fabric and the IBM Blockchain Platform whenever a new package is
installed, the standards adopted by a channel for how those versions are organized are up to the members of the channel.
However, it is recommended to use a consistent semantic versioning pattern.
Tip: In production scenarios, new business logic might be agreed to by the channel members collectively (out of band)
and then be written by a single channel member and passed to the others. If this code will replace custom code you have
in your own smart contract package, make sure you do not overwrite custom variables you already have by replacing the
section of your smart contract without analysis.
For more information about smart contract best practices (as well as how smart contracts relate to the concept of "chaincode"),
see Smart contracts and chaincode.
While a smart contract can be packaged using the peer CLI, the VS Code extension for developing smart contracts is a highly
useful tool and can be downloaded to your local system.
For more information, see Developing smart contracts with IBM Blockchain Platform Developer Tools.
Why would I want to use an intermediate CA with my IBM Blockchain Platform network?
Intermediate CAs are optional. Because an intermediate CA has its root certificate issued by a root CA or another intermediate
authority, a “chain of trust” is established for any certificate that is issued by all CAs in the chain. Having one or more
intermediate CAs provides added security and allows you to protect your root of trust. This ability to track back to the root CA
not only allows the function of CAs to scale while still providing security, it also limits the exposure of the root CA, which, if
compromised, would endanger the entire chain of trust. If an intermediate CA is compromised, on the other hand, there will be a
much smaller exposure. A key benefit is that after the intermediate CAs are up and running, the root CA can be effectively turned
off, limiting its vulnerability even more.
Another reason to include an intermediate CA would be when you have a very large organization with multiple departments and
you don’t want a single CA to generate certificates for all of the departments. Intermediate CAs provide a mechanism for scoping
the certificates that a CA manages to a smaller department or sub-group. This pattern though incurs significant increase if there
will only be a small number of members in the organization.
As an alternative to deploying multiple intermediate CAs, you can limit the scope of a CA by overriding the CA configuration to
specify available affiliations (similar to departments) instead. When a CA is configured with affiliations, the affiliation of the
registrar must be equal to or a prefix of the affiliation of the identity being registered. See the Fabric CA topic on registering
identities for more details.
The following diagram illustrates how the root CA issues the certificates for the intermediate CA and the intermediate CA then
issues the certificates for the nodes and users in the organization.
Limitations
Currently, IBM Blockchain Platform only supports a single level of intermediate CAs. In other words, an intermediate CA cannot
be a parent server to another intermediate CA.
Process overview
The configuration process begins with the root CA. If one does not already exist, you need to create the root CA and then register
two identities that are needed by the intermediate CA. When you create an intermediate CA you need to provide a JSON that
overrides the default CA settings with the intermediate CA configuration. After your intermediate CA is active, you can use it for
all subsequent identity register and enrollment requests for the organization, and then effectively turn off the root CA. At a high
level, the following steps need to be performed:
Edit the example JSON override file by providing the root CA TLS signing cert and the intermediate CA identity enroll id and
secrets to the JSON override file.
After completing these steps, when you create organization MSPs for your peers or orderers, you can point to the intermediate
CA instead of the root CA.
Note: This process can be performed using the console or the APIs, if you are an experienced API user. The overall
process is the same regardless of which approach you choose. For clarity, this tutorial uses the console.
2. Register the intermediate CA admin identity with the root CA. In order for an intermediate CA to be able to register and
enroll identities, the intermediate CA admin identity must be registered with the root CA.
3. Register the intermediate TLS CA admin identity with the root CA. Because TLS communications are enabled on the
network, whenever you deploy a CA, a TLS CA is automatically deployed along side the CA, and uses the same endpoint
address. Therefore, you also need to register an identity that will serve as the intermediate TLS CA admin. Repeat the
actions that you performed in the previous step to register the admin identity, but this time specify a different enroll ID and
secret. For purposes of the tutorial, we use itlscaadmin and itlscaadminpw .
4. Export the root CA to a JSON file. Now that you have the intermediate CA admins registered with the root CA, there is one
last piece of information we need: the root CA TLS signed certificate. This certificate is shared with each node in the
organization and is used to secure the communications between the nodes. Therefore, in order for the intermediate CA to
communicate with the root CA, it has to be included in the intermediate CA configuration. To get the root CA TLS signed
certificate, simply export the root CA to a JSON file. Open the root CA and click the Export icon.
Open the downloaded JSON file and locate the value corresponding to the tls_cert element. You will need to
copy and paste the certificate in a later step. It will resemble:
$
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWU
JDVEFLQmdncWhrak9QUVFEQWpDQnB6RUwKTUFrR0ExVUVCaE1DVlZNeEZ6QVZCZ05WQkFnVERrNXZjblJvSUVOaGNtO
XNhVzVoTVE4d0RRWURWUVFIRXdaRQpkWEpvWVcweEREQUtCZ05WQkFvVEEwbENUVEVUTUJFR0ExVUJVaHAKVkM1VE5O
VzNqRzJkVVZwUUlkSmEvMWtDSVFEMGE0QWRzazJ0RlhDRFp1RFB0VG5lTkNZWnBDSzMxL2MrUTFLTQozLzVGdEE9PQo
tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCga1",
Also make note of the value of the api_url in the JSON file. You will use the value of this URL to build the parent
server URL for the intermediate CA. It will resemble:
$ "api_url": "https://nb535a5-rootca.org1Cluster.us-south.containers.appdomain.cloud:7054",
To build the parent server URL, edit the URL and insert the intermediate CA admin enroll ID and secret using the
following format:
$ https://<INTERMEDIATE-CA-ADMIN>:<INTERMEDIATE-CA-ADMIN-PW>@<DOMAIN>:<PORT>
For example:
$ https://icaadmin:icaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054
{
"ca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "<INTERMEDIATE-CA-ADMIN>",
"pass": "<INTERMEDIATE-CA-ADMIN-PW>",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
Notice there are settings for both the intermediate CA and the intermediate TLS CA. Replace the following parameters:
<INTERMEDIATE-CA-ADMIN> - with the enroll ID that you specified in Part One, step 2 when you registered the
intermediate CA admin identity.
<INTERMEDIATE-CA-ADMIN-PW> - with the enroll secret that you specified in Part One, step 2 when you registered the
intermediate CA admin identity.
<PARENT-CA-SERVER-URL> - with the value of the parent server that you built in Part One, step 4.
<TLS-CERT-FILE> - (two occurrences) with the value of the tls_cert, the certificate string that you downloaded from the
root CA in Part One, step 4.
<INTERMEDIATE-TLS-CA-ADMIN> - with the enroll ID that you specified in Part One, step 3 when you registered the
intermediate TLS CA admin identity.
<INTERMEDIATE-TLS-CA-ADMIN-PW> - with the enroll secret that you specified in Part One, step 3 when you registered
the intermediate TLS CA admin identity.
<PARENT-TLS-CA-SERVER-URL> - with the value of the parent server URL that you built in Part One, step 4; however you
need to replace the enroll ID and secret with the values that you specified when you registered the admin for the
$ {
"ca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "icaadmin",
"pass": "icaadminpw",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
"hf.Revoker": true,
"hf.IntermediateCA": true,
"hf.GenCRL": true,
"hf.Registrar.Attributes": "*",
"hf.AffiliationMgr": true
}
}]
},
"intermediate": {
"parentserver": {
"url": "https://icaadmin:icaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054",
"caname": "ca"
},
"tls": {
"enabled": true,
"certfiles":
["LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWUJDVEFLQmdncWhrak9QUVFEQW
}
}
},
"tlsca": {
"debug": true,
"registry": {
"maxenrollments": -1,
"identities": [{
"name": "itlscaadmin",
"pass": "itlscaadminpw",
"type": "client",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
"hf.Revoker": true,
"hf.IntermediateCA": true,
"hf.GenCRL": true,
"hf.Registrar.Attributes": "*",
"hf.AffiliationMgr": true
}
}]
},
"intermediate": {
"parentserver": {
"url": "https://itlscaadmin:itlscaadminpw@nb535a5-rootca.org1Cluster.us-
south.containers.appdomain.cloud:7054",
"caname": "tlsca"
},
"tls": {
"enabled": true,
"certfiles":
["LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvRENDQWtXZ0F3SUJBZ0lRWXZYRUgzUktMUVNiUnZTdnRLWUJDVEFLQmdncWhrak9QUVFEQW
1. From the Nodes tab, click Add Certificate Authority followed by Create a Certificate Authority.
2. Give your intermediate CA a meaningful name and then provide the intermediate CA admin enroll ID and secret that you
registered with the root CA. For example icaadmin and icaadminpw. You can leave the Advanced deployment options
deselected, none are required for an intermediate CA.
3. On the Summary panel, click Edit configuration JSON (Advanced).
4. Delete the existing content from the Configuration JSON box and paste the JSON that you built in Part Two, then click
Add Certificate Authority.
Tip: It will take a few minutes for the CA to deploy. You'll know it is ready when a green status indicator box is visible on
the tile. Depending on your cluster activity, you might need to refresh your browser for the status to turn green.
Next steps
If you want to learn more about creating MSPs, see Managing organizations.
By default, certificates generated by IBM Blockchain Platform CAs expire after one year and peer and ordering node TLS
certificates expire after 15 years. Exactly thirty days before peer and ordering node certificates are due to expire, the platform
automatically attempts to contact the CA and renew the certificates. If the CA is not online, the automatic renewal fails and
enrollment to generate a new certificate needs to be performed manually. If automatic renewal of these certificates is important
for your business, careful consideration should be given to scaling down a root CA or intermediate CA. See the topic on
Certificate expiration and renewal to learn more about the process.
While this tutorial focuses specifically on using IBM Cloud HSM, you can learn more about the overall configuration process for
using any HSM that supports PCKS #11 with the IBM Blockchain Platform, see Configuring a node to use a Hardware Security
Module.
Why would I want to use an HSM with my IBM Blockchain Platform network?
When a Certificate Authority (CA), peer, or ordering node is configured to use an HSM, their private key is generated by and
protected inside a tamper resistant HSM device. IBM Cloud HSM is a FIPS 140-2 Level 3 validated, single-tenant device that
implements Gemalto (Luna) HSM. When a CA is configured to use HSM, the CA root private key is stored in the HSM. This is the
key that is used to sign enrollment requests. After a peer or ordering node is configured to use HSM, the nodes are able to sign
and endorse transactions without ever exposing their private key.
Important: Because only the private keys of node identities are secured in the HSM, when you enroll other admin or
client application identities with a CA, their private keys are not stored inside the HSM because they will need their private
key to transact on the network.
Process overview
Part One: Set up the HSM device and HSM client
This process involves deploying an HSM and configuring a partition as well as deploying an HSM client that you will use to
configure the device. Throughout these instructions you will run some commands from the HSM server and others from
the HSM client. For clarity, we prefix these steps with either or .
Communications between the HSM and client require a Network Trust Link (NTL) -- an encrypted, secure communications
channel between the HSM and client. NTL uses digital certificates that the client and HSM server can use to verify each
other's identity. You will run a command to get the HSM server certificate that allows the client to communicate with the
HSM server. Likewise, you will generate a certificate and private key for the client and then copy them to the HSM server.
After the secure communications are configured, you can register the client with the HSM server and then assign the HSM
partition to the client.
This process requires Docker to be installed on the machine where the HSM client is running and that you are familiar with the
process for building Docker images. It also presumes you are comfortable with using the Kubernetes CLI to administer your
Kubernetes cluster.
If you are using a Kubernetes cluster on IBM Cloud and IBM Cloud HSM, both services need to be deployed from the same IBM
Cloud account and on the same VLAN. If they are not on the same VLAN, then VLAN spanning must be enabled.
When the entire HSM configuration is complete, it resembles the following diagram:
The steps in this topic focus specifically on the creation of the Cloud HSM and the HSM Client in the diagram. When you deploy a
CA, peer, or ordering node to use the HSM, you need to provide the label and PIN of the HSM partition. This configuration
assumes you enabled HSM on your Kubernetes cluster when you deployed the service.
Important: Be sure to record the Label and PIN for the partition. You will need to provide these values later when
you configure a blockchain node to use this HSM partition. Also, save the IP address associated with the HSM
device. We will refer to this value throughout these instructions as <HSM_ADDRESS> .
2. Install the HSM client on your local machine. Make sure the client version that you are running matches the HSM server
version. Record the IP address or fully qualified host name where the HSM client is running. We will refer to this value
throughout these instructions as <CLIENT_ADDRESS> .
Tip: The client runs on AIX, Linux, Oracle Solaris, or Microsoft Windows, but is not supported on MacOS.
Part Two: Configure communications between the HSM server and client
In this section you will get the HSM server certificate and create the HSM client certificate-key pair in order for them to be
exchanged.
Replace
2. Now, add the HSM server to the client configuration by running the following command:
Replace
3. Create the certificate and private key for the client by running the command:
Replace
<CLIENT_ADDRESS> with the IP address or fully qualified host name of the client.
The name of the generated certificates includes the <CLIENT_ADDRESS> . The output of this command looks similar
to:
4. Copy the client certificate and private key to the HSM server by running the command:
Replace
<CLIENT_ADDRESS> with the IP address or fully qualified host name of the client.
<HSM_ADDRESS> with the IP address of the HSM.
1. SSH into the HSM as the admin the HSM server and register the client by runningone of the following commands.
Replace
{CLIENT_NAME} with the name of the client. This value can be anything meaningful to you.
2. Because network address translation (NAT) exists between the client and the HSM, we need to disable client source IP
address validation by the Network Trust Link Server (NTLS) upon Network Trust Link Agent (NTLA) client connection.
Disable ip check on the HSM server and then restart the NTLS service on the HSM server by running the following
commands:
3. Assign a partition to the newly created client on the HSM server by running the following command:
Replace
{CLIENT_NAME} with the name that you gave to your HSM client.
{PARTITION_NAME} with the name of the HSM partition you created in Part one, step 1.
You can verify the command worked by running the following command:
$ ClientID: hsmclient
IPAddress: 10.220.203.73
HTL Required: no
OTT Expiry: n/a
Partitions: "partition1"
4. Verify the client can connect to HSM server by running the command:
vtl verify
5. Create a configs folder on the client and then copy the server.pem certificate from Part two, step 1 and the
<CLIENT_ADDRESS>Key.pem and <CLIENT_ADDRESS>.pem files from Part two, step 3 into the folder:
Each HSM has its own configuration file that is typically named Chrystoki.conf . This is the main configuration file for the HSM
integration and controls many aspects of the HSM client operation. After you install the HSM client, you need to modify the
etc/Chrystoki.conf file to point to the hsm folder that contains the HSM shared object library and cryptographic material.
The paths specified in Chrystoki.conf represent the location where the IBM Blockchain Platform operator mounts these files
on the containers. You need to modify parameters inside the Chrystoki2 and LunaSA Client sections as follows:
Chrystoki2 settings
LibUnix: Name of the Chrystoki2 library on x86 Linux/UNIX operating systems. The actual name of the library depends on
the type of HSM you are using.
LibUNIX64: Name of the Chrystoki2 library on 64-bit Linux/UNIX operating systems. The actual name of the library
depends on the type of HSM you are using.
LunaSA Client settings Typically no changes would be required here unless you have explicitly modified the names of these
files.
The following example shows what the file would look like if you were using IBM Cloud HSM. It provides the path to the HSM
shared object, certificate and keys. Note that the naming of these files depends on the HSM library that is being used.
Chrystoki2 = {
LibUNIX = /hsm/libCryptoki2.so;
LibUNIX64 = /hsm/libCryptoki2_64.so;
}
...
LunaSA Client = {
...
ClientPrivKeyFile = /hsm/key.pem;
ClientCertFile = /hsm/cert.pem;
ServerCAFile = /hsm/cafile.pem;
...
}
The HSM client image can be built with a Docker file similar to the following:
The following Docker file is for IBM Cloud HSM. If you are not using IBM Cloud HSM, you need to build your own Docker
file.
You should be aware that this Docker file automatically accepts the Gemalto client license.
Note that the 64 folder inside the Docker file is required for installing the HSM client.
FROM registry.access.redhat.com/ubi8/ubi-minimal
After the image is built, the next step is to push the image to your Docker registry (for example, Docker Hub). The commands
look similar to:
If the HSM client image that you published is not public, then the operator requires an image pull secret that contains a
valid username and password (or access token) for the container registry. If the image is public, the imagepullsecret is not
required and you can skip this command. To build the image pull secret named hsm-docker-secret , run the following
command in the namespace or project where you deployed the service:
Replace:
DOCKER_REGISTRY_SERVER - Registry server url where the HSM client image is hosted.
DOCKER_USER - Valid username with access to HSM client image in the container registry.
DOCKER_PASSWORD - Valid password or access token for the HSM client image in the container registry.
DOCKER_EMAIL - Email address for container registry user.
NAMESPACE - Name of the project or namespace that is visible on the consoleSupport page.
These instructions are obviously for the Docker registry. If you are using the IBM Container Registry, then you need to set up your
own image pull secret in your cluster:
The Kubernetes secret needs to be created in the IBM Blockchain Platform service instance namespace that is visible on the
console Support page. If you are using the IBM Cloud HSM, the command would be:
Replace <NAMESPACE> with the name of your service instance namespace or OpenShift project If you are not using IBM Cloud
HSM, you need to replace the values of the --from-file parameters with the set of certificates and configuration files that are
required for your HSM client image.
$ secret/hsmcrypto created
$ apiVersion: v1
data:
Chrystoki.conf: ""
cafile.pem: ""
cert.pem: ""
key.pem: ""
kind: Secret
metadata:
name: hsmcrypto
namespace: <NAMESPACE>
Configure the operator to work with an HSM that does not use a daemon
HSM_IMAGE_URL: URL of the HSM client image that you published to your container registry.
IMAGE_PULL_SECRET: (Optional) Name of the image pull secret hsm-docker-secret that you created in the same
namespace as your service. Only required if the HSM client image is not publicly available. Important: If an image pull
secret is not required, set this value to "".
ENVIRONMENT_VARIABLE_NAME - If there are any environment variables that need to be set for the HSM client, specify
them individually.
ENVIRONMENT_VARIABLE_VALUE - Value that corresponds to the ENVIRONMENT_VARIABLE_NAME.
HSM_LIBRARY_FILE_PATH: Path to the HSM library file, for example, /usr/lib/libCryptoki2_64.so.
MOUNTPATH: Location where the file or folder should be mounted.
MOUNTPATH_NAME: Name you want to use for the mountpath.
KEY: Name of the key inside the hsmcrypto Kubernetes secret.
PATH: Mount location of the file path where the key should be mounted.
HSM_CRYPTO_SECRET: Name of the Kubernetes secret that contains the keys and configuration files for the HSM that is
used by the mountpath.
Each HSM likely has a different set of keys that are required by the HSM client. Optionally replicate the "key " and " path "
sections according to the number required by your HSM client. Similarly, if multiple sets of folders need to be mounted, you can
replicate the " mountpath " section.
For example, if you are using IBM Cloud HSM, the file looks similar to:
version: v1
type: hsm
library:
image: us.icr.io/hsm/gemalto-client:v1.2.3-amd64
auth:
In this example, the first mountpath contains four configuration files (cafile.pem, cert.pem, key.pem, server.pem) and the
hsmcrypto secret, and all of them are mounted to the mountpath /hsm . The actual name of the mountpath is hsmcrypto , and
it contains an exact mapping of the key value pair to the Kubernetes secret and the location to mount it to. For example,
cafile.pem is read from the path cafile.pem in the hsmcrypto mountpath using the hsmcrypto secret and mounted to
/hsm/cafile.pem .
A second mountpath is included for the HSM /etc/Chrystoki.conf file. Because the HSM requires its config file in the /etc
folder, which is a system directory, we need to use the subpath parameter to avoid replacing the entire /etc directory. If the
subpath is not used, the entire /etc directory is replaced with the volume being mounted.
You have completed the HSM configuration for your blockchain network. Now when you deploy a new CA, peer, or ordering node,
you can configure it to use the HSM that you have configured here. See Configuring a CA, peer, or ordering node to use the HSM
for details.
If you configured an HSM daemon, the following sample configuration shows how to configure the openCryptoki zHSM on the
operator. You need to customize the settings according to your daemon.
daemon:
image: us.icr.io/ibp-test/opencryptoki-deamon:s390x-1.0.1
auth:
imagePullSecret: "ibprepo-key-secret"
resources:
limits:
cex.s390.ibm.com/ibp: 1
securityContext:
privileged: false
runAsNonRoot: false
runAsUser: 0
library:
filepath: /hsm/opencryptoki/libopencryptoki.so.0.0.0
image: us.icr.io/ibp-test/opencryptoki-deamon:s390x-1.0.1
auth:
imagePullSecret: "ibprepo-key-secret"
envs:
- name: LD_LIBRARY_PATH
value: /stdll
mountpaths:
- mountpath: /usr/sbin/pkcsslotd
name: pkcsslotd
In the daemon: section, provide the URL of the HSM daemon image that you created. If the image is not hosted publicly,
then you need to create the appropriate pull secret and specify it here as well.
In the library: section, provide the URL of the HSM client image that you created in step two. This is the client that the
CA, peer, and ordering node will use to talk to the HSM daemon. The filepath: is the location of the shared object
library in the image. If the image is not hosted publicly then the user must create the appropriate pull secret and specify it
as well.
In the envs: section, provide the list of environment variables that are required to configure the HSM.
In the mountpaths: section, provide all the necessary artifacts such as config, shared object libraries, shared memory,
etc. that are needed to communicate with the HSM daemon. These settings are vendor-specific as it is your responsibility
to know what directories or files need to be mounted. When the CA, peer, and ordering nodes are deployed, these
mountpaths will be mounted on to their containers along with the HSM client. Most of these mountpaths can be of type
Memory , however, if there are files that need to persist, then set usePVC: true . When set, the operator stores the files in
the mountpath in a persistent medium, by leveraging the PVCs of the CA, peer, and ordering node as the persistent
medium.
Run the following command to create the configmap named ibp-hsm-config in your cluster namespace or project:
$ configmap/ibp-hsm-config created
What's next
After you have used these instructions to configure your IBM Cloud HSM and build theHSM client image, you are ready to
configure your blockchain nodes to use the HSM. When you create a CA, peer, or ordering node, select the HSM Advanced
deployment option to configure the node to use this HSM.
On the HSM configuration panel, the Use HSM client image toggle is visible. When it is on, you can enter the following values:
HSM label - Enter the name of the HSM partition to be used for this node.
HSM PIN - Enter the PIN for the HSM slot.
When the node is deployed, a private key for the specified node enroll ID and secret is generated by the HSM and stored
securely in the appliance.
While it is always possible to use a CA that you create with the console to generate identities, you can also use certificates that
were generated by a CA external to your network, one that is not hosted by IBM, and then build the required organization
Membership Service Provider (MSP) definition that is used by your blockchain components.
Objectives
Gather certificates.
Build MSP definition.
Import MSP into the console.
Create and import the organization admin identity to the wallet.
Deploy a blockchain node.
When you create a peer or ordering node, you need to provide the following four certificates in PEM format. When you request
these certificates from the third-party CA, you need to request a specific Node Organizational Unit (OU) attribute for some
certificates as indicated in the Node OU column.
2. Peer or The private key corresponding to the public signing certificate. Make sure to keep PEM
ordering this certificate safe, as it can be used to impersonate the node.
node
identity
private
key
3. Peer or The public signing certificate created by your external TLS CA that is used by the PEM
ordering peer or ordering node. The certificate needs to contain the x.509 Subject
service alternative name (SAN) for the peer or ordering nodes. If you are using the Fabric
TLS CA CA client to enroll the identity, you specify the SAN by passing the--csr.hosts
certificate parameter on the enroll command. If the hostname is not yet known, you can
specify a wildcard with the domain name, for example: --csr.hosts '*.ibpv2-
cluster.us-south.containers.appdomain.cloud,127.0.0.1'.
4.Peer or The private key corresponding to the signed certificate from your TLS CA that is PEM
ordering used by the peer or ordering node for secure communications with other members
service on the network.
TLS CA
private
key
1. CA root The root certificate of your external CA. You can also provide an base64
certificate intermediate CA root certificate or both.
2. TLS CA root The root certificate of your external TLS CA. You must provide either a TLS base64
certificate CA root certificate or an intermediate TLS CA certificate, you can also
provide both.
3. Intermediate The root certificate of your intermediate CA. You must provide either a CA base64
CA root root certificate or an intermediate CA root certificate, you can also provide
certificate: both.
(Optional)
4. Intermediate The TLS certificate if your TLS certificate is issued by an intermediate TLS base64
CA TLS certificate: CA. Upload the intermediate TLS CA certificate. You must provide either a
(Optional) TLS CA root certificate or an intermediate TLS CA certificate, you may also
provide both.
5. Peer or ordering The signing certificate from your external CA that the admin identity of this "admin" base64
organization peer or ordering service uses.
admin identity
certificate
6. Peer or ordering The private key corresponding to the signed certificate from your external base64
organization CA that the admin identity of this peer or ordering service uses.
admin identity
private key
Replace:
identity.1.pem with the name of the PKCS #1 private key .PEM file.
identity.8.pem with the name that you want to give your PKCS #8 private key.PEM file.
The MSP definition requires that all certificates are encoded in base64 format. If needed, you can convert the contents of a
certificate file, <cert.pem> from PEM format into a base64 string by running the following command on your local machine:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat <cert.pem> | base64 $FLAG
To build the MSP definition, create a JSON by copying the following text and saving it to a file of type JSON:
{
"name": "<organization_name>",
"display_name": "<organization_name>",
"msp_id": "<organization_id>",
"type": "msp",
"admins": [
"<admins>"
],
"root_certs": [
"<root_certs>"
],
"tls_root_certs": [
"<tls_root_certs>"
],
"fabric_node_ous": {
"enable": true,
"admin_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "admin"
},
"client_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "client"
},
"orderer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "orderer"
},
"peer_ou_identifier": {
"certificate": "<ou_root_cert>",
"organizational_unit_identifier": "peer"
}
},
"host_url": "<url>",
}
organization_name: Specify any name to be used to identify this MSP definition in the console.
organization_id: Specify an ID that is used to represent this MSP internally in the console.
root_certs: Paste in an array that contains one or more root certificates from the external CA inbase64 format. You must
The following additional fields are also available in your MSP definition but are not required:
intermediate_certs: (if an intermediate CA was used) Paste in an array that contains one or more certificates from the
external intermediate CA in base64 format. You must provide either a CA root certificate or an intermediate CA certificate,
you can also provide both.
tls_intermediate_certs: (if an intermediate TLS CA was used) Paste in an array that contains one or more certificates from
the intermediate TLS CA in base64 format. You must provide either an external TLS CA root certificate or an external
intermediate TLS CA certificate, you can also provide both.
organizational_unit_identifiers: A list of Organizational Units (OU) that valid members of this MSP should include in their
X.509 certificate. This is an optional configuration parameter that is used when multiple organizations leverage the same
root of trust and intermediate CAs, and they have reserved an OU field for their members. An organization is often divided
up into multiple organizational units (OUs), each of which has a certain set of responsibilities. For example, the ORG1
organization might have both ORG1-MANUFACTURING and ORG1-DISTRIBUTION OUs to reflect these separate lines of
business. When a CA issues X.509 certificates, the OU field in the certificate specifies the line of business to which the
identity belongs. See this topic in the Fabric documentation on Identity Classification for more information.
revocation_list: A list of certificates that are no longer valid. For X.509-based identities, these identifiers are pairs of
strings that are known as Subject Key Identifier (SKI) and Authority Key Identifier (AKI), and are checked whenever the
X.509 certificate is being used to make sure that the certificate has not been revoked. See this topic in the Fabric
documentation for more information about Certificate Revocation Lists.
{
"name": "org1msp",
"display_name": "org1msp",
"msp_id": "org1msp",
"type": "msp",
"admins": [
"LS0tLS1CRUd...LS0tLQo="
],
"root_certs": [
"LS0tLS1CRUd...LS0tLS0K"
],
"intermediate_certs": [],
"tls_root_certs": [
"LS0tLS1CRUd...LS0y=g"
],
"tls_intermediate_certs": [],
"fabric_node_ous": {
"admin_ou_identifier": {
"certificate": "LS0tLS1CRUd...LS0tLS0K",
"organizational_unit_identifier": "admin"
},
Step 4: Create and import the organization admin identity to the wallet
To be able to act as an administrator for an organization, import the identity that is listed in the MSP JSON "admins" section
into your console wallet, including both the public and private key. When you subsequently deploy a peer or ordering node, you
can designate this identity to be the node admin.
1. To import the identity, open the Wallet tab and click Add identity.
2. Give the identity a name.
3. Click Add certificate and browse to the .pem files for the organization admin identity certificate and private key.
Deploy peer
1. From the Nodes tab, click Add peer > Create peer.
2. Provide a name for your peer.
3. Under Advanced deployment options, check Use your own CA certificate and private key and click Next.
4. In the Certificate field, click Add certificate and browse to the peer enrollment certificate .pem file. This is certificate 1 in
the Node certificates table.
5. In the Private key field, click Add certificate and browse to the peer enrollment private key .pem file. This is certificate 2
in the Node certificates table.
6. In the MSP drop-down list, select the MSP that you imported into the console.
7. Select a Fabric version for your peer and click Next.
8. Provide the TLS certificate and key for the node. In theCertificate field, click Add certificate and browse to the peer TLS
certificate .pem file. This is certificate 3 in the Node certificates table.
9. In the Private key field, click Add certificate and browse to the peer TLS private key.pem file. This is certificate 4 in the
Node certificates table. Click Next.
10. From the Peer administrator identity drop-down list, select the organization admin identity that you imported into the
Note: Instead of creating an ordering service, if you prefer to contribute a single ordering node to an existing Raft ordering
service, open the ordering service and click the Ordering nodes tab. Click Add ordering node, give it a name then and
following the preceding steps.
It takes several minutes for peer and ordering node deployment to complete. When it is successful, you can see a green box on
the node tile in the console. You might need to refresh your browser for the box to turn from gray to green.
Next steps
Your blockchain nodes are ready to be used on the network. In order for the peer to participate on the network, the peer
organization needs to be part of a consortium on an ordering service so that the peer can join a channel.
You can now install smart contracts on your peer and join it to an existing channel.
Target audience: This topic is designed for network creators and system administrators who are responsible for planning and
configuring IBM Blockchain networks on IBM Cloud or on their own Kubernetes cluster and are new to Ansible playbooks.
What is Ansible
Each playbook is composed of one or more plays in a list. The goal of a playbook is to map a group of hosts to some well-defined
roles, represented by actions that Ansible calls tasks. Basically, a task is simply a call to an Ansible module.
Ansible Content Collections, or simply collections, are the mechanism for distributing, maintaining, and consuming the
automation. Combining multiple types of Ansible content (playbooks, roles, modules, and plug-ins) into a collection, adds
flexibility and scalability for automating your blockchain network deployment. The open source collections are published in
Ansible Galaxy where they can be freely downloaded. Check out their documentation for more education.
IBM Blockchain Platform offers an Ansible collection that includes the pertinent roles, modules, and documentation for rapidly
deploying, replicating, and tearing down blockchain networks in a reproducible fashion.
The Ansible collection includes a set of playbooks that automate the tasks that you would otherwise perform from the console
UI or by using the APIs, for example deploy a Certificate Authority (CA). But the playbooks are more robust than just that. The
playbooks automate a logical series of tasks that you would repeatedly perform in the console, for example create a CA, register
identities, create an organization MSP definition, and create a peer. And all of these steps can be performed by running a single
playbook.
Tip: This tutorial series is designed for users who are unfamiliar with how to use Ansible playbooks. Experienced Ansible
users can go directly to the collection documentation to get started.
Deploying your blockchain network After you deploy the IBM Blockchain Platform to a Kubernetes cluster on IBM Cloud,
or on your supported Kubernetes distribution, there are three ways to build your network. To understand the benefit of
using the Ansible playbooks, we compare the options:
1. Deploy your nodes and configure your network manually using the console user interface.This option is most
useful for getting started and learning about the platform and how the console works. It requires stepping through
multiple panels to configure all the settings for your nodes, organizations, channels, and smart contracts.
2. Use the IBM Blockchain Platform REST APIs to build your network. This option is for advanced users who want to
leverage the available REST APIs, often in conjunction with the Hyperledger Fabric APIs, to set up and administer
their blockchain network. Configuration is done through editing API parameters. Because the IBM Blockchain
Platform APIs are mainly for create, retrieve, update, and delete operations on a node, you may need to also learn
and use the Hyperledger Fabric APIs for some tasks.
The Ansible playbooks provide an easy-to-use, automated process to replicate your blockchain networks on-demand.
All components that are deployed with the playbooks are also visible in the console where you can interact with
them as normal and govern your network.
Getting started
There are multiple ways to install the Ansible collection. One option is to install all of the prerequisite software locally, which can
be cumbersome for first-time Ansible users. Another simpler option is to run the playbooks from a Docker image. Because using
a Docker image completely bypasses the need for the prerequisite setup (the prereqs are part of the Docker image), this
approach is by far the simplest option and is the process that we use throughout these tutorials. This option does require that
you install Docker before proceeding. To determine whether Docker is installed, run the command docker --version . If it is
installed, you'll see something similar to:
$ ```
Docker version 18.09.2, build 6247962
```
If you do not have Docker installed, see install Docker to download and install it. You can also check out the Docker site for
more education and documentation.
Advanced users can review the Ansible collection documentation for other installation options.
Next steps
After the image is successfully built, it can be used to run a playbook. To get started with the playbooks see Building an IBM
Blockchain Platform network using Ansible playbooks if you already have an existing instance of the IBM Blockchain Platform
deployed and want to use the Ansible playbooks to deploy your network components.
Target audience: This topic is designed for system administrators or operators who are responsible for creating or removing
components in an IBM Blockchain Platform network and are new to Ansible playbooks.
In this tutorial, we gather the connection information to your console and demonstrate how to use that information to configure
the playbooks. The playbooks group and automate common network deployment tasks so that you can bypass manually
configuring your network from the console. We teach you how to run an individual playbook and then how to run them
sequentially from a script. In just a few minutes, you can deploy an entire set of blockchain components that are ready to
process transactions on your IBM Blockchain Platform network.
The Ansible scripts can be used to build the following network that includes two organizations (Org1 and Org2) that each
contains one peer and an ordering service with a channel joined by both peers. It's a simple process to customize the playbooks
with your own component or organization names. They can also be used to deploy smart contracts on the channel. And as you
become more proficient, you can use the playbooks to build additional organizations, peers, ordering services, and channels
according to your use case.
Prerequisites
Before using the playbook, you need to complete the following steps:
Link an instance of the IBM Blockchain Platform to your Kubernetes cluster on IBM Cloud.
Review the topic on Getting started with Ansible playbooks on the IBM Blockchain Platform.
Install Docker.
When your cluster is running in IBM Cloud, you need to create service credentials for the IBM Blockchain Platform service
instance. The Ansible playbooks use the IBM Blockchain Platform REST APIs to interact with the console. The REST APIs use the
API key (api_key) and API endpoint (api_endpoint) to authenticate with the server and retrieve a Cloud Identity and Access
Management (IAM) access token. The values of the api_endpoint and api_key for the console can be found in the generated
service credentials.
Follow instructions on retrieving service credentials in IBM Cloud to gather these values now that are used with the playbooks
later in this topic.
$ ```
git clone https://github.com/IBM-Blockchain/ansible-collection.git
```
$ ```bash
cd ansible-collection/tutorial
```
The first thing that you notice is that the playbook .yml files are numbered. Because the playbooks build on each other, the
numbers help you understand the order that they should be run. When you want to change some of the configuration properties,
you can edit the .yml files and insert your own custom values, for example, if you want to customize a node name or use a
different enrollment ID. Each playbook includes either a role or a task. A role includes a set of tasks that in turn call the
associated modules that submit the requests to your cluster.
The next thing to notice is the set of variable files ordering-org-vars.yml (Ordering Org), org1-vars.yml (Org1), and
org2-vars.yml (Org2) that define the IBM Blockchain Platform console connection details for each organization. These
variable files are used by the playbook when you run it. This means that before you run a playbook, if it uses a variable file, you
need to customize the associated variable file with the connection information that you gathered in the previous step. When a
playbook requires a variables file, it is included in the playbook .yml file.
The variable files include the following four fields that define your connection information to your console:
$ ```
api_endpoint: https://ibp-console.example.org:32000
api_authtype: ibmcloud
api_key: xxxxxxxx
api_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
api_endpoint - Set this value to the api_endpoint from your service credentials.
api_authtype - Because your cluster is in IBM Cloud, this value needs to be set toibmcloud.
api_key - to the value of api_key contained in the service credentials.
api_secret - This value is not used for clusters in IBM Cloud. No value is required here.
Refer to Gather console connection information for instructions on how to get the service credentials.
You can go ahead now and modify the ordering-org-vars.yml (Ordering Org), org1-vars.yml (Org1), and org2-vars.yml
files with your console connection information.
There is also a common variables file, common-vars.yml . You do not need to edit this variable file right now. This file contains
variables that are used by multiple organizations, for example the name of the channel that will be created, and the name of the
smart contract that will be deployed. Later, when you are ready to create your own custom network you will want to modify these
values according to your business use case.
Note: These instructions assume that you have installed Docker) in order to use the Ansible playbooks. If you have
installed all of the prerequisites locally on your system instead, you can refer to the Ansible documentation for
instructions on how to run the playbooks.
1. We use a Docker command to run the first playbook that creates an ordering organization that is namedOrdering Org,
with a certificate authority named Ordering Org CA, and finally a single node ordering service named Ordering Service. If
you have not already, go ahead and modify the console connection variables inside the ordering-org-vars.yml by
where:
--rm tells Docker to remove the container when the command completes.
-v <FULLY-QUALIFIED-PATH-TO-PLAYBOOKS> is used to mount the tutorial folder into the Docker container.
Replace <FULLY-QUALIFIED-PATH-TO-PLAYBOOKS> with the fully qualified path to where the tutorial folder
resides on your local system. When you run the command from the tutorial folder you can replace this value with
$PWD.
ibmcom/ibp-ansible represents the tag of the Docker image that is published by IBM.
For example:
$ cd tutorial
docker run --rm -v $PWD:/playbooks ibmcom/ibp-ansible ansible-playbook /playbooks/01-
create-ordering-organization-components.yml
While the command is running, you see output from each task. You can safely ignore the following warning:
$ [WARNING]: provided hosts list is empty, only localhost is available. Note that the
implicit localhost does not match 'all'`.
When the playbook is finished, in the PLAY RECAP section, you see output similar to:
If the playbook completes successfully, you should see failed=0 . Go ahead now and log in to your console to
confirm that Ordering Org CA, Ordering Org organization, and Ordering Service was created.
2. The same instructions can be repeated for the next playbook, 02-create-endorsing-organization-components.yml .
This playbook creates an endorsing organization named Org1, with a certificate authority named Org1 CA, and then a peer
named Org1 Peer. When you open the playbook, notice in the comments that this playbook uses a different variables file
org1-vars.yml . Edit that file with your console connection information. And then run that playbook:
Again, if you check your console, you can see that the Org1 CA, Org1 organization, and Org1 Peer was created.
3. You can continue running each playbook individually in the list to stand up a basic network that contains an ordering
service, two peer organizations, two peers, and a channel. The playbooks also install smart contracts on the peers and
instantiate them on the channel.
Check out this topic on Exploring the playbooks for more information about how each playbook works.
By now, you are probably interested in scripting these commands together to stand up or even tear down the components. The
next section walks you through how to do that.
build_network.sh - This is a script that runs a set of playbooks that create an entire simple network, the same one that
can be created if you manually build the network by completing the Build a network tutorial. When you call the script with
the build option, it configures a single node ordering service, a peer organization and a peer. It installs theFabCar
smart contract on the peer, creates a channel and joins the peer to the channel. If you run the script with the destroy
option it removes all of these artifacts from your cluster. For details, see Building a network.
join_network.sh - Run this script when you want to join a peer organization to an existing channel. For more details see
Joining a network.
deploy_smart_contract.sh - This script can be used to install a smart contract on one or more peers in your
organization and instantiate it on a channel. For more details, see Deploying the smart contract.
Before running any script, you need to update the console connection settings in the ordering-org-var.yml , org1-
vars.yml , and org2-vars.yml files. Go ahead and try out the build_network.sh script by running the following Docker
command from your tutorial folder:
Notice that the playbooks will run even if the artifacts that you are deploying already exist. In that case, you can see in thePLAY
RECAP status that changed=0 , meaning the playbook detected that the node exists and did not try to re-create it. You can also
run the build_network.sh with the destroy option to remove all the nodes and metadata that were created when you ran
the build_network.sh script with the build option. Give it a try now by running the command:
Increasing Some clusters perform faster than others. The scripts use a default wait timeout of600 seconds, which is
the wait sufficient for most environments. The wait timeout represents the maximum amount of time the playbook
timeout waits for the underlying transactions to complete before it logs a failure. If you need to increase the
timeout, open the associated variables file (ordering-org-vars.yml, org1-vars.yml, or org2-
vars.yml) and modify the value of the wait_timeout: parameter.
Customizing The playbooks use the organization names that are defined in the common-vars.yml file. When you are
organization ready to configure your own organizations, you can edit the file and specify the preferred organization
names names for your network.
Customizing The default ordering service name is defined in the common-vars.yml file in the ordering_service_name
the name of parameter. Edit this value to specify the preferred name of the ordering service.
the ordering
service
Using your By default, the 19-install-chaincode.yml and 20-instantiate-chaincode.yml playbooks use the
own smart Fabric 2.0 smart contract lifecycle with the FabCar sample smart contract. When you are ready to deploy
contract your own smart contract, you need to:
1. Include the smart contract package in the tutorial directory and name it using the format
<SMART-CONTRACT-NAME>@<VERSION>.tar.gz.
2. Refer to your smart contract by replacing the value of the smart_contract_base_name: and
smart_contract_version: parameters in the common-vars.yml file.
Using your When the playbooks deploy a node, it uses the enroll IDs specified in the 01-create-ordering-
own enroll organization-components.yml and 02-create-endorsing-organization-components.yml files. The
ID and associated enroll secrets are provided in the corresponding variable files ordering-org-vars.yml, org1-
secrets vars.yml, and org2-vars.yml. You can customize the values of the enroll ID and secrets in these files
according to your needs.
Next steps
Now that you have used the playbooks to deploy your components or even scripted the deployment of your network, you can
continue to use the console UI to interact with and govern your blockchain components. You will notice right away that the
Ansible scripts do not associate an identity with the nodes that it deploys. If you plan to operate the nodes from the console, you
need to use a manual process to upload the node identities to the console wallet and associate them with the nodes. The
generated node identities are JSON files and are stored in the tutorial folder.
Generated identities
The following table lists the names of the JSON files that contain the identities that are generated by the build_network.sh
script with the build option or the join_network.sh script for the case of Org 2. If you customized organization names inside
the playbook .yml files, it is possible that your JSON files will be named differently. In order to operate the nodes from the
console, you need to import all of the generated identities into the console wallet by using the following process:
Important: When you run the build_network.sh script with the destroy option, all of the nodes and associated
metadata are removed from your cluster, but any identities that you manually imported into the console wallet are not
removed. Before you run the build_network.sh script again with the build option, you need to manually remove each
identity, by opening it in the wallet and then clicking Remove identity.
Table 2. CA identities
Summary
Congratulations. You have used the Ansible playbooks to configure IBM Blockchain Platform components on your cluster. You
know how to run a playbook individually and have some sample shell scripts that show how to run the playbooks together to
build a reproducible network and tear it back down. You can explore further by building your own playbooks that call the Ansible
modules or build your own custom scripts according to your network use case.
This tutorial describes how to configure IBM Log Analysis service to work with your IBM Blockchain Platform service instance.
First, you need to configure cluster-level logging for you Kubernetes cluster. Then, you can access the Open Dashboard from the
Logging tab of the Observability dashboard in IBM Cloud.
Step two: View the logs for your IBM Blockchain Platform nodes
Using the IBM Log Analysis service makes viewing your IBM Blockchain Platform node logs simple. The search input box located
at the end of the IBM Log Analysis page can be used to filter the logs. See the following examples.
kubectl get po
The output looks similar to: NAME READY STATUS RESTARTS AGE ibp-operator-6558fdc54f-c5zmn 1/1 Running 0 65m org1ca-
74b8f49fb6-z8gvx 1/1 Running 0 60m peerorg1-5765d88c85-jglk2 4/4 Running 0 25m
In the IBM Log Analysis search box, prepend the name of the pod with the text pod: such that the resulting search string in the
tracking dashboard resembles:
pod:peerorg1-5765d88c85-jglk2
This same process can be used to view the logs of ordering nodes, peers and CAs. Simply add the pod name of the node to the
search bar as shown in the following screenshot:
If you are not getting any results, you might need to filter on your namespace for the blockchain nodes to be visible in the
Kubernetes dashboard. To find the namespace, open any Certificate Authority tile in your blockchain console and click the Info
and usage tab. View the value of the API URL. For example: https://nf85a2a-znorg10524.ibpv2-cluster.us-
south.containers.appdomain.cloud:7054 .
The namespace is the first part of the URL beginning with the letter n and followed by a random string of six alphanumeric
characters. So in the example above the value of the namespace is nf85a2a . Then run the kubectl command:
The output looks similar to: NAME READY STATUS RESTARTS AGE ibp-operator-6558fdc54f-c5zmn 1/1 Running 0 65m org1ca-
74b8f49fb6-z8gvx 1/1 Running 0 60m peerorg1-5765d88c85-jglk2 4/4 Running 0 25m
In the IBM Log Analysis search box, prepend the name of the pod with the text pod: and the value of the namespace . The
resulting search string in the tracking dashboard would then be:
pod:nf85a2apeerorg1-5765d88c85-jglk2
Just like when you view node logs, you filter on the pod name, but it needs to be the name of the peer pod where the
smart contract is running.
Smart contracts run in a dind container in the pod, but the logs are forwarded to thechaincode-logs container which is
of type fluentd. Therefore, to filter the logs to only include the smart contract events, you need to include app:fluentd
in the search input box.
Finally, you can append the name and optionally the version of the smart contract,marbles 1.0.0.
The full search string, including the namespace, would be similar to the following example:
If you don't already know it, you need to find your Kubernetes cluster namespace. From the console, open any CA node and click
the Info and Usage icon. View the value of the API URL. For example: https://n2734d0-soorg10524.ibpv2-cluster.us-
south.containers.appdomain.cloud:7054 . The namespace is the first part of the URL beginning with the letter n and
followed by a random string of six alphanumeric characters. So in the example, the value of the namespace is n2734d0 .
kubectl get po -n <NAMESPACE> | grep chaincode-execution | cut -d" " -f1 | xargs -I {} kubectl get po
{} -n <NAMESPACE> --show-labels
Find your smart contract pod by examining the associated chaincode-id that contains the smart contract name and version.
Then in IBM Log Analysis, to view the logs for the myjavacc version 1.1 smart contract, you can enter the pod name in the
search bar as follows:
pod:<SMART_CONTACT_POD>
For example:
pod:chaincode-execution-0a8fb504-78e2-4d50-a614-e95fb7e7c8f4
Summary
Congratulations. In this tutorial you learned how easy it is to use IBM Log Analysis to view the logs for your blockchain nodes and
smart contracts. To learn more about monitoring your network, check out the tutorial on using IBM Cloud Monitoring with your
blockchain network.
The tutorial provides a set of instructions for getting started with using the IBM Cloud Monitoring to monitor the resource usage
of peer, CA, and ordering service nodes. These instructions include how to configure the IBM Cloud Monitoring service to monitor
your existing IBM Blockchain Platform service instance and starts with creating an instance of IBM Cloud Monitoring in IBM
Cloud. Then, you can configure the Open Dashboard to monitor your blockchain components. To learn more about the IBM Cloud
Monitoring service and what it offers, see the IBM Cloud Monitoring documentation.
Monitoring the resource allocation for your blockchain nodes is a key part of operating a blockchain network. You are responsible
for monitoring your resource usage and taking steps to address resource contention. The IBM Cloud Monitoring is a useful tool
for monitoring your network, but you can use any tool you prefer.
This tutorial uses the Free 30-day Trial version of the service, but more advanced features are available in theGraduated tier
which you can explore if your requirements merit.
Note: It is recommended that the IBM Cloud Monitoring instance reside in the same region as your IBM Blockchain
Platform instance. See Enabling Platform Metrics for more information.
Tip: After you provision the monitoring service, if you click Edit sources in the Monitoring tab, a curl command is provided
to easily configure monitoring of your Kubernetes cluster. Simply login to your Kubernetes cluster from the CLI and run
the curl command to configure the monitoring service for your cluster. In Step two below, your monitoring instance
should be ready to go. If the curl command fails, ensure that your kubectl version is 1.14 or higher.
Step two: Configure the Open Dashboard for monitoring your IBM Blockchain Platform nodes
After you have provisioned the IBM Cloud Monitoring service, clickView Open Dashboard from the Monitoring tab of the Open
Dashboard in IBM Cloud.
The following sets of instructions are based on the default dashboard named Overview by Container that provides a good set of
widgets for getting started monitoring the resource allocation of your nodes. Each dashboard includes a set of preconfigured
panels. We can copy the dashboard and then customize the panels for the node type that we want to monitor.
1. Click the CPU % chart and then click the pencil Edit Panel icon. In this panel you can tailor the graph type and even
change the metric. But we just want to see the data broken out by peer container, assuming you have more than one peer
in your cluster.
2. In the Segment by drop down list, select the kubernetes.deployment.label.name which is the segmentation choice
that causes the chart data to be broken down by each peer container in your cluster. Click Save.
3. Repeat this process for the Memory Usage % panel. Now you can monitor the CPU and Memory used by each peer
container.
At this point you can edit the panels and play with the different chart types to see different representations of the data.
1. Click the + sign above the Edit Scope button in the top right corner.
2. Give this new panel a title, Disk space used %.
3. Select fs.used.percent from the Metrics drop-down list.
4. In the Segment by drop down list, select kubernetes.deployment.label.name and click Save.
5. Hover your mouse over the data in the generated graph and a pop-up window is displayed that shows the average disk
space percentage used by each peer container.
At this point you have configured panels to display the percentage of CPU used by each peer container, the percentage of
memory used by each peer container, and the percentage of disk space used by each peer container. You can drag the panels up
and down on the dashboard, and delete any panels that are not interesting to you.
1. Configure your preferred notification channel by clicking on your user icon followed by Settings.
When you subsequently click Notification Channels > Add Notification Channel you are able to select how you want to be
notified when an alert is triggered.
2. If you return to one of the dashboards that you created, you can click on the action menu in the upper right corner for any
panel, and then click Create Alert from the drop-down menu.
After you configure the alert based on your custom triggers, scroll down to associate the notification channel that you
configured above and select your notification preferences. Optionally, you can also enable IBM Cloud Monitoring capture
which generates a trace file that you can use to analyze what happens in a host during a selected time frame.
For more information about the various options when configuring alerts in IBM Cloud Monitoring. see IBM Cloud Monitoring
alerts.
Tip: As a general guideline, we recommend that you configure alerts for when your node CPU, memory, and storage
usage exceeds 80% so that you can take appropriate action. Feel free to adjust the alert settings according to your
notification preferences.
Summary
This tutorial has provided some basic steps for getting started using IBM Cloud Monitoring to monitor your blockchain node
resource allocation. You now have three dashboards that you can use to monitor the resource allocation of your peer, CA, and
ordering nodes in your Kubernetes cluster. With a graduated tier purchase of the IBM Cloud Monitoring service, you can edit your
charts and add more segmentations to further scope the data. You've also configured alerts for when nodes approach exceeding
their allocated resources. Combined, these actions allow you to monitor your blockchain nodes, alerting you when resources are
constrained, so that you can take the appropriate action to scale your network.
Prometheus metrics
As an alternative to IBM Cloud® Monitoring, you can use the Prometheus open-source systems monitoring and alerting toolkit to
monitor your IBM Blockchain Platform peer, orderer, and certificate authority (CA) nodes, and smart contract containers.
This tutorial helps you get started using Prometheus to monitor resource usage of peer, CA, and ordering service nodes. It
describes how to configure Prometheus to monitor your existing IBM Blockchain Platform service instance.
Monitoring node resource allocation is critical to operating a blockchain network. You are responsible for monitoring resource
usage and taking steps to address any resource contention. Prometheus is a useful tool for monitoring resources, but you can
use any comparable alternative.
For the component you are scraping Prometheus metrics from, select the CA that issued its certificates. Then, click Register
User to create a new user identity that will access your network from Sysdig. Specify the Enroll ID and Secret for this user,
Next, click Enroll Identity and select the TLS Certificate Authority from the CA drop-down list. Enter the Enroll
ID and Secret that you specified in the previous step. When you click Next , the subsequent panel contains the certificates
generated for your new user identity.
Enter an Identity display name . Click Add identity to Wallet to store the keys in your console wallet. These
certificates are stored in the browser and are not saved by IBM Blockchain Platform. It is your responsibility to manage the
certificates and keep them secure—click Export identity to save the identity to your file system for importing back into the
wallet, as needed. Export the Certificate and Private key to the file system.
Note: If you have multiple components with certificates issued by the same CA, it is not necessary to create a new
identity for each component—the certificates generated for the identity will be valid for all of these components. To collect
metrics for components with certificates issued by a different CA, repeat the previous steps (create a new identity) for this
other CA.
Navigate to the Catalog from your IBM Cloud dashboard and search for IBM Cloud Monitoring . Platform Metrics does
not have to be enabled for Prometheus metrics to work. Furthermore, you can choose any region to locate the instance—the
region will not affect the setup.
Once your IBM Cloud Monitoring instance is provisioned, navigate to Get Started > Install the agent > Add Sources .
This will redirect you to the command for installing sysdig agents on your Kubernetes cluster. Log in to your cluster using the
CLI and run the Public Endpoint curl command to install the agents, if necessary.
Create a TLS secret in the ibm-observe namespace by running the following command, where <cert-path> and <key-
path> are the paths to the certs you downloaded to your local file system. Be sure to keep a record of the <secret-name> that
you use:
Note: If you are setting up Prometheus metrics for components from multiple CAs, run the previous command for each
set of generated certificates, making sure to give them each a unique <secret-name> .
Edit the daemonset by locating spec.template.spec.containers.volumeMounts and adding the following section:
$ - mountPath: /<directory-path>
For example:
$ - mountPath: /ibp
name: ibp-volume
Note: If you set up multiple secrets, you should add as many volumeMounts as there are secrets, making sure to specify
a unique directory-path and volume-name for each one.
Next, edit the daemonset by locating spec.template.spec.containers.volumes and adding the following section:
$ - name: <volume-name>
secret:
defaultMode: 420
secretName: <secret-name>
For example:
$ - name: ibp-volume
secret:
defaultMode: 420
secretName: sysdig-tls-cert-key
Note: If you set up multiple volumeMounts , you should add as many volumes as there are volumeMounts , each using
the corresponding unique name and secretName .
Edit the configmap by adding the following lines as a sibling of the dragent.yaml section, replacing <directory-path> with
the path set up in the previous step:
$ prometheus.yaml: |
global:
scrape_interval: 10s
scrape_configs:
- job_name: 'ibm-blockchain'
scheme: https
tls_config:
insecure_skip_verify: true
cert_file: /<directory-path>/tls.crt
key_file: /<directory-path>/tls.key
metrics_path: /metrics
kubernetes_sd_configs:
- role: pod
For example:
$ prometheus.yaml: |
global:
scrape_interval: 10s
scrape_configs:
- job_name: 'ibm-blockchain'
scheme: https
tls_config:
insecure_skip_verify: true
cert_file: /ibp/tls.crt
key_file: /ibp/tls.key
metrics_path: /metrics
kubernetes_sd_configs:
- role: pod
relabel_configs:
- action: keep
source_labels: [__meta_kubernetes_pod_label_creator]
regex: ibp
Note: To scrape metrics for multiple components, add a new job by duplicating the job_name: 'ibm-blockchain'
section, specifying a unique job_name , and modifying the cert_file and key_file fields to the correct location.
The sysdig-agent pods should automatically restart when the daemonset is applied, but you should still manually restart
them after applying the configmap , using either the CLI or the Kubernetes dashboard.
Dashboards are useful for saving customizations to a chart for later viewing. Simply create a new IBM Cloud Monitoring
dashboard and click + to add a new panel, where you can select the metric and segmentation type. The process for creating a
new dashboard is described in the IBM Cloud Monitoring documentation.
Important: Taking snapshots as described in this topic does not protect against the deletion of a component or entire
environment by a user. This is because restoring a deleted component or environment requires more information than is
stored in a snapshot. Also, when a component or environment is deleted, the original volumes (which contain things like
certificates) and all snapshot data are deleted.
Overview
As with anything that is deployed to a Kubernetes-based cluster, backups of components and networks in the IBM® Blockchain
Platform are a matter of backing up its persistent volumes. These volumes are where ledgers and other types of storage are
mounted so they can be used by nodes.
As a result, "backing up" a component or a network is the process of saving a copy of the relevant persistent volumes, while
"restoring" a component or network involves bringing up components and pointing them to these saved volumes. The number of
volumes that are associated with a node depends on the type of node. Peers have either one persistent volume (if using
LevelDB) or two persistent volumes (if using CouchDB), while each node in the ordering service has a single persistent volume.
Important: Because an ordering node cannot pull blocks from a peer,all peers must be backed up before the ordering
nodes. This order ensures that the peers do not have any blocks on their ledgers that don't appear on the ledgers of the
backed-up ordering nodes. If any peers have blocks that the ordering nodes do not have, the ledgers cannot be
synchronized, making the restoration of the network impossible. If you are backing up your ledger as part of an upgrade to
a new Fabric version, you do not have to synchronize this backup with the rest of the network. However, make sure to
keep at least one ledger backup that is synchronized with the rest of the network in case a larger network restoration is
necessary.
If you're using CouchDB, which is mounted in a separate container in the peer pod, back up the persistent volume associated
with CouchDB before the volume associated with the peer pod. This is because the peer checks on CouchDB after booting and if
anything is missing from CouchDB, the peer can push transactions to it which CouchDB integrates into the database. However,
any transactions in the state database cannot be pushed back to the peer.
As a rule, it is a good practice to schedule backups (also known as "snapshots") to happen at the same time across the network.
For example, if all of the peers in the network are using CouchDB, schedule all of the CouchDB persistent volumes to be backed
up at the same time, followed by all of the peer persistent volumes (again, at the same time), and then the ordering node
persistent volumes (if multiple organizations are contributing ordering nodes, these snapshots must be coordinated with other
organizations). For an example of a backup schedule a network might choose to adopt, check out Scheduling snapshots.
While it is a best practice to periodically back up your Certificate Authority, these backups do not have to be coordinated with the
rest of the network. CAs with a local database have a single persistent volume. If you are using PostgreSQL , the CA has an
additional persistent volume associated with it that must also be backed up. For information about how to take backups of a
PostgreSQL database, check out Managing Backups from the Databases for PostgreSQL documentation.
The following node-specific guidance is provided to help plan your disaster recovery strategy.
Backup Restore
CAs must be stopped and backed up following the You can restore a CA without impacting the peers or the
instructions that are provided in this topic. ordering nodes ability to process transactions.
Ideally, all peers in the network should be Unless the If the peers include private data collections, the
backed up daily at the same time. If the peers peers are peer and ordering nodes must be using Fabric
have a CouchDB state database, CouchDB must scaled down version v.2.2.1 or higher, otherwise every node
be backed up before the peer pod. Ordering to zero as part must be backed up at exactly the same ledger
nodes should be backed up after the peers. If of backing up height. This can be achieved by scaling down the
peers have data that the ordering service does private data, resources of the peers to zero as part of the
not, synchronization of components cannot transaction backup. For more information, see Scheduling
occur. processing snapshots.
can continue.
Ideally, all nodes in the ordering service Transaction processing If you are not using private data collections,
should be backed up daily at the same continues as normal you can provision new peers and rejoin the
time. The ordering service should be during a backup. If a channels. The peers can sync up with the
backed up after the peers to ensure that restoration is necessary, latest data from the ordering service, then you
the restoration of components can occur the ordering service must can reinstall any smart contracts.
later. be brought down. Or, you can restore the peers from a backup
older than the ordering nodes. In this case, the
peers only must catch up from the last backup,
which is faster. Any smart contracts installed
since the last backup must be reinstalled.
If you are using private data collections, the
peers must be restored to exactly the same
block height as the orderers. The best way to
ensure this is to back up all peers while the
ordering service is also down for the backup.
Scheduling snapshots
It is a best practice to create a regular schedule for the snapshotting of your components. If possible, try to coordinate these
snapshots with the other members of your network to ensure that the most recent snapshots can be used if necessary. Because
no peer snapshots can be used that are more recent than ordering service snapshots, you are bound by your snapshots of the
ordering service when attempting to restore.
Tip: Even though snapshots do not disrupt the functionality of your nodes, try to schedule snapshots during a time when
the fewest transactions are being made. This ensures that differences in ledger heights between peers are kept to a
minimum. In widely distributed networks, scheduling such a time might be difficult. Prioritize the proper ordering of
snapshots over relative lulls in network activity.
For this example, we assume one backup every 24 hours and retain seven backups.
Ordering node snapshots daily at 5:00 a.m. The two-hour gap allows sufficient time for all of the peers to be snapshotted
from every organization before ordering nodes are snapshotted.
If you are using private data collections in your applications, your nodes must be running Hyperledger Fabric 2.2.1 or higher in
order to back up peer and ordering nodes while they are running. When restoring from a backup, the peers must be restored
from a lower block height than the ordering nodes. While peers can catch up to the block height of the ordering service, the
ordering service does not have the actual private data (in a private data transaction, only hashes of the data are committed to
the public ledger), rendering the data for these blocks unavailable. Fabric v2.2.1 and higher has a configurable option to lower
the priority for the reconciliation of missing private data. Earlier versions constantly attempt to reconcile the missing private
data, potentially blocking out reconciliation of other private data. On earlier versions of Hyperledger Fabric, you must back up
ordering nodes and peers at exactly the same block heights to avoid this issue. This can be accomplished by scaling the both the
peer and ordering node pods to 0 before taking the backup.
Taking snapshots
The overall steps for the backup and restore process apply in all cases and are independent of where your components are
deployed. However, the specific commands that are used in this example for creating, listing, and restoring snapshots apply only
if you are running on IBM Cloud. For other cloud providers or when running in your own datacenter, follow the specific
instructions for underlying snapshot creation and management found in the documentation of those providers.
Tip: When a snapshot is being taken the node continues to function as normal.
Node snapshots
Tip: Because the process for taking a snapshot is the same for all nodes, only one set of instructions is shown here.
After your node is provisioned, you can get the persistent volumes that are associated with it and the namespace the component
is deployed into by issuing:
Which produces a list of nodes and their persistent volumes similar to this example:
If you are using the CLI to manage snapshots, you'll need the volumeId value. If you are using the cluster UI, you'll need the
Username value. For an example volume named pvc-494ba122-3501-4413-b719-cbb4b3a8f91b , you would issue this
command:
Name: pvc-494ba122-3501-4413-b719-cbb4b3a8f91b
Labels: CapacityGb=100
Datacenter=dal10
Iops=2
StorageType=ENDURANCE
Username=IBM02SEV2046428_106
billingType=hourly
failure-domain.beta.kubernetes.io/region=us-south
failure-domain.beta.kubernetes.io/zone=dal10
path=IBM02SEV2046428_106data01
server=fsf-dal1002h-fz.adn.networklayer.com
volumeId=155617812
Annotations: ibmFileProvisionerIdentity: 44cc1a5f-b755-11ea-bfae-3692beefed97
pv.kubernetes.io/provisioned-by: ibm.io/ibmc-file
Finalizers: [kubernetes.io/pv-protection]
StorageClass: ibmc-file-bronze
Status: Bound
Claim: n3392fd/peera-statedb-pvc
Reclaim Policy: Delete
Access Modes: RWO
VolumeMode: Filesystem
Capacity: 100Gi
Node Affinity: <none>
Message:
Source:
Type: NFS (an NFS mount that lasts the lifetime of a pod)
Server: fsf-dal1002h-fz.adn.networklayer.com
Path: /IBM02SEV2046428_106/data01
ReadOnly: false
Events: <none>
You can then order snapshots for that volume, which can be done by using either the CLI or the cluster UI. For information on
how to take the snapshot, see Ordering Snapshots.
Tip: In this case, "ordering" refers to the "order to take snapshots" and not "ordering nodes".
For our example, we use the CLI and order a single snapshot by using 5 GB of space by issuing:
Tip: You might need more or less than 5 GB of space, depending on the size of the pod and the resources that have been
Taking a snapshot incurs charges on your account. Press y to accept the charges and order the snapshot.
Alternatively, you can enable snapshots to be taken on a regular schedule for a particular volume. For information on how to set
of a snapshot schedule, see Adding a Snapshot schedule.
Again, for our example, we use the CLI to set up a daily snapshot of a CouchDB volume at 3:00 a.m. and retain seven snapshots.
OK
DAILY snapshots have been enabled for volume 155617812.
We can now list the snapshot schedule to verify it's in place by issuing:
Repeat the following steps for each pod you want to back up, remembering to schedule your backups in the proper order.
Restoring nodes
Tip: If you have to restore a node, first cancel any scheduled snapshots. Only restore from a snapshot that does not have
bad or corrupted data. After a node has been restored, you can reimplement your snapshot schedule.
Here we have two examples. In the first example, we show the steps for restoring peer nodes, while in the second example, we
describe the steps for restoring the ordering service, which requires restoring peer nodes as well.
Because the details for finding the persistent volumes that are associated with each ordering node and restoring snapshots are
identical to what is documented for the peer, the commands are only listed once, in the peer instructions. However, additional
considerations when restoring ordering nodes are documented in Restoring an ordering node.
Sequencing restorations
Just as when backing up, care must be taken to restore things in the proper order. When restoring ordering nodes, for example,
even if you only restore one node, scale down all of the pods of the ordering nodes by reducing their resources to zero. If every
ordering node must be restored, the best practice is to stop them all at once and then restore them all at once. Then, make sure
all of them come up and give them a few minutes to elect a leader and establish quorum before driving any transactions.
If you are restoring the ordering service from a backup, you must also either create new peers or restore all peers to a backup
When restoring a peer, make sure to restore backups of CouchDB older than the backup of the peer pod. If your state database
has transactions your peer does not have, the database cannot sync with the peer.
Restoring a peer
To restore a peer, you need to:
As before, this produces a list of nodes and their persistent volumes similar to this example:
Then look at your deployments again to make sure that the peer is scaled down:
Use the commands in the Peer snapshot section to find the persistent volumes that are associated with the peer. Peers using
CouchDB have two volumes.
For each volume, list the available snapshots for that volume. For information on how to list available snapshots, see Listing all
Snapshots with Space Used Information and Management functions.
For our example, we use CLI and restore a specific snapshot from our volume ID for the CouchDB pod that is associated with
peera :
Pick the snapshot you'd like to restore from the list, keeping in mind that the CouchDB backup must be older than the peer pod
backup, and restore it. For information on how to restore the snapshot, see Restoring storage volume to a specific point-in-time
by using a snapshot.
OK
File volume 155617812 is being restored using snapshot 167189176.
Important: Restoring a volume results in deleting all snapshots that were taken after the snapshot that was used for the
restore.
Repeat the process for the other volume used by the peer container, which can be found by using the same commands. Choose
the 3:05 a.m. snapshot corresponding to the 3:00 a.m. snapshot you restored for CouchDB volume.
Once both snapshots are restored, scale the deployment back up to one to redeploy the pod with the new data. First, check the
status of the pods:
Then scale the peera pod back up by setting the replicas value to 1 .
Where <component> is, once again, one of: ibppeer , ibporderer , or ibpca .
Once the pod is back up, the peer is now restored, with the same peer channel membership, installed smart contracts, and
ledger height as when the snapshot was taken. Because the peer immediately starts pulling new blocks from the ordering
service or other peers once it comes up, the ledger height might increase.
1. You must stop all the ordering nodes in the cluster by scaling down each deployment to zero before restoringany of the
ordering nodes. Note after the nodes have been scaled down, it is not possible to transact. Client applications must
resubmit their transaction requests after the ordering service is restored.
2. If you restore all ordering nodes, you must scale all the deployments up to1 to restart them and give them five minutes to
determine leadership before accepting any traffic. It is a best practice to also stop all peers on the network during this
process.
3. You must then restore all peers that are connected to that ordering service to a backup taken earlier than the ordering
service backup you are restoring to, or provision new peers.
1. Scale down all five ordering nodes and peer deployments to zero to stop all traffic on the network.
2. Restore the peer nodes to the 3:00 a.m. CouchDB snapshot and the 3:05 a.m. peer pod snapshot.
3. Restore each ordering node to its 5:00 a.m. snapshot taken the same day as the peer snapshots you restored.
4. Scale all five ordering service deployments up to 1 and wait for five minutes after they have started to sync up.
5. Scale all peer deployments up to 1.
This tutorial introduces the generic flow to build a blockchain network with IBM Blockchain Platform APIs. For more information
about each API, see IBM Blockchain Platform API reference doc.
Swagger
After you review the instructions in this topic on how to use the APIs, you can alternatively access a Swagger version of the APIs
instead of the APIs in IBM Cloud where the current version is v2 . If you need to access the v1 version of the APIs, you can
import the v1 version into the Swagger editor.
v1
v2
Authentication
In order to use the APIs to access your blockchain network that you create with IBM Blockchain Platform, your application needs
to be able to authenticate with IBM Cloud and connect to your service instance.
1. In your IBM Cloud resource list, under Services, open the blockchain service instance that you created.
2. Click Service credentials from the left navigator.
3. Click the New Credential button on the Service credentials page to create a new credential.
1. Give the credential a name, for example, UseAPIs.
2. You can leave the Add inline configuration parameter field blank.
3. Click the Add button.
4. After the new credential is created, click View credentials under the ACTIONS header of this credential. The contents of
the credential looks similar to the following example:
{
"api_endpoint": "https://1088ac8563e44f5a92539d946733ad7e-
optools.so01.blockchain.test.cloud.ibm.com"
"apikey": "nvASKts6B6lMZGZUNTGVP7MLK2BujMnxz0plSPYaqc3R",
"configtxlator": "https://1088ac8563e44f5a92539d946733ad7e-
configtxlator.so01.blockchain.test.cloud.ibm.com",
"iam_apikey_description": "Auto generated apikey during resource-key operation for Instance
- crn:v1:staging:public:blockchain:us-south:a/9d46037caee397faa45c55e087d26baa:1088ac85-63e4-
4f5a-9253-9d946733ad7e::",
"iam_apikey_name": "auto-generated-apikey-c1981f5c-cff0-464f-9a78-ed2f52e24d1a",
"iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"iam_serviceid_crn": "crn:v1:staging:public:iam-
identity::a/9d46037caee397faa45c55e087d26baa::serviceid:ServiceId-774190c5-9c37-4f68-8572-
8d6e2aabbc7e",
}
Call the Cloud Identity and Access Management API to retrieve your access token.
curl -X POST \
"https://iam.cloud.ibm.com/identity/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept: application/json" \
-d "grant_type=urn%3Aibm%3Aparams%3Aoauth%3Agrant-type%3Aapikey&apikey=<API_KEY>" \
In the request, replace <API_KEY> with the apikey value from your service credentials. The following truncated example
shows the token output:
{
"access_token": "eyJraWQiOiIyM...",
"refresh_token": "...",
"expires_in":3600,
"expiration":1555558683,
"scope":"ibm openid"}
Use the full access_token value, prefixed by the Bearer token type, to programmatically work with your blockchain network
by using the APIs.
Tip: Access tokens are valid for one hour, but you can regenerate them as needed. To maintain access to the service,
refresh the access token for your API key on a regular basis by calling the Cloud Identity and Access Management API.
To build your request, pair an API endpoint with the appropriate authentication credentials in the following format:
Example cURL commands are provided for each API in the IBM Blockchain Platform API reference doc.
Limitations
You can only import CA, peer, and ordering nodes that are exported from other IBM Blockchain Platform consoles running on
IBM Cloud, OpenShift Container Platform, Red Hat Open Kubernetes Distribution, or any Kubernetes v1.23 - v1.24 container
platform on x86_64. The platform is also supported on LinuxONE (s390x) using OpenShift Container Platform.
Tip: Remember your input and the response, you will need them later.
You need to wait for the CA to start. It might take several minutes depending on environment. You can call GET
<ca_url>/cainfo API to check your CA status. You will get repeated errors, then a 200 status code, which means you
can proceed to the next step. Note that this API call times out after one minute.
2. Use your CA to register your component and administrator identities, and generate the necessary certificates. You can use
the Fabric CA client to complete the following steps:
You can also complete these steps by using your IBM Blockchain Platform console. For more information, see
Creating and managing identities.
4. Build the configuration file that is required to create an ordering service or peer. You must build a unique configuration file
for each ordering service or peer that you want to create. If you are deploying multiple ordering nodes, you need to provide
a configuration file for each node that you want to create.
7. If you want to use the console to operate your blockchain components, you must import your administrator identity into
your console wallet. Use the wallet tab to import the certificate and private key of your node admin into the console and
create an identity. You then need to use the console to associate this identity with the components you created. For more
information, see Importing an admin identity into the IBM Blockchain Platform console.
8. After you deploy your network, you can use the Fabric SDKs, the Peer CLI, or the console UI to create channels and deploy
smart contracts. If you need to programmatically create a channel, you must provide the consortium name. For IBM®
Blockchain Platform, the consortium name must be set to SampleConsortium .
Note: The service credential that is used for API authentication must have the Manager role in IAM to be able to create
components. See the table on user roles for more information.
You can also find the zones of your worker nodes by using the kubectl CLI. Navigate to the Access panel and follow the
instructions under Gain access to your cluster to connect to your cluster by using the IBM Cloud and kubectl CLI tools.
When you are connected, use the command kubectl get nodes --show-labels to get the full list of nodes and zones
of your cluster. You will be to find the zone that each worker node is located after zone field under the LABELS column.
1. To create a node within a specific zone, provide the zone name to the Create an ordering service or Create a peer API
calls by using the zone field of the request body. The anti-affinity policy of the IBM Blockchain Platform console will
automatically deploy your component to different worker nodes within each zone based on the resources available.
curl -X POST \
https://<API endpoint>/ak/api/v2/kubernetes/components/fabric-ca \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <IAM_token>' \
-d "{
"display_name": "Sample CA",
"configoverride": {
"ca": {
"registry": {
"maxenrollments": -1,
"identities": [
{
"name": "admin",
"pass": "adminpw",
"type": "admin",
"affiliation": "",
"attrs": {
"hf.Registrar.Roles": "*",
"hf.Registrar.DelegateRoles": "*",
"hf.Revoker": true,
"hf.IntermediateCA": true,
"hf.GenCRL": true,
"hf.Registrar.Attributes": "*",
"hf.AffiliationMgr": true
}
}
}
},
"csr": {
"names": [
{
"C": "US",
"ST": "New York",
"L": null,
"O": "Big business",
"OU": "Big department"
}
],
}
}
}"
For more information about deploying a customized CA, and which fields you can customize after a CA is created, see
Customizing a CA configuration.
To use the APIs to deploy an HA CA, you need to provide the database connection file to the "db" section of the config override
JSON string. For example, the API request below will deploy a CA with two replicas that connect to a database located on IBM
Cloud.
curl -X POST \
If you are using the APIs to deploy a node, you need to provide the HSM endpoint to the HSM field of the API call. You also need
to use the config override to provide the label and pin of the HSM slot that you will use and select "PKCS11" as the default
\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkFkbWluIGNlcnQgZGF0YSB3b3VsZCBiZSBoZXJlIGlmIHRoaXMgd2FzIHJlYWw
KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\"
]
},
\"tls\": {
\"cahost\": \"n3a3ec3-myca.ibp.us-south.containers.appdomain.cloud\",
\"caport\": \"7054\",
\"caname\": \"tlsca\",
\"catls\": {
\"cacert\":
\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNlcnQgZGF0YSB3b3VsZCBiZSBoZXJlIGlmIHRoaXMgd2FzIHJlYWwKLS0tLS1
FTkQgQ0VSVElGSUNBVEUtLS0tLQo\"
},
\"enrollid\": \"admin\",
\"enrollsecret\": \"password\",
\"admincerts\": [
\"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkFkbWluIGNlcnQgZGF0YSB3b3VsZCBiZSBoZXJlIGlmIHRoaXMgd2FzIHJlYWw
KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\"
]
}
}
},
\"hsm\": {
\"pkcs11endpoint\": \"tcp://example.com:666\",
},
\"config_override\": {
\"bccsp\": {
\"default\": \"PKCS11\",
\"pkcs11\": {
\"label\": \"blockchain\",
"pin": \"91927001\"
}
}
}
}"
You need to wait for the CA to start. It might take several minutes depending on environment. You can call GET
/components to check the CA status. You will get repeated errors before you get a 200 status code to go to next step.
Note that this API call times out in one minute.
5. If you plan to use the IBM Blockchain Platform console to operate your blockchain components, you must import your
component administrator identities into your console wallet. For more information, see Importing an admin identity into
the IBM Blockchain Platform console.
6. After you deploy your network, you can use the Fabric SDKs, the Peer CLI, or the console UI to create channels and deploy
smart contracts. If you need to programmatically create a channel, you must provide the consortium name. For IBM®
Blockchain Platform, the consortium name must be set to SampleConsortium .
Note: The service credential that is used for API authentication must have the Manager role in IAM to be able to create
components. See the table on user roles for more information.
The easiest way to get the Fabric CA client is to download all of the Fabric tool binaries directly. Navigate to a directory
where you would like to download the binaries with your command line, and fetch them by running the following cURL
command.
2. Set the PATH path to the directory where you downloaded the Fabric tool binaries:
export PATH=$PATH:<full/path/to/fabric-ca-client/bin>
For example, if you installed the binaries in your home directory you would set your PATH as:
export PATH=$PATH:$HOME/bin
3. Create the folder where you will store the certificates of your CA admin.
mkdir -p $HOME/fabric-ca-client/ca-admin
4. Set the value of the $FABRIC_CA_CLIENT_HOME environment variable to be the path where the CA client will store the
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca-client/ca-admin
rm -rf $FABRIC_CA_CLIENT_HOME/fabric-ca-client-config.yaml
rm -rf $FABRIC_CA_CLIENT_HOME/msp
5. Retrieve the TLS certificate of your CA to be used by the Fabric CA client. If you are using the IBM Blockchain Platform
console, open the CA and click Settings, and look for the certificate in base64 format in the TLS Certificate field. If your
are using the APIs, you can call GET /ak/api/v2/components and find the CA TLS certificate in the "PEM" field. If you
created the CA by using the Create a Fabric CA API, you can also find the TLS certificate in the response body.
You need to convert the certificate from base64 into PEM format to use it to communicate with your CA. Insert the base64
encoded string of the TLS certificate into command below. Ensure that you are in your $HOME/fabric-ca-client
directory.
cd $HOME/fabric-ca-client
mkdir catls
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
echo <base64_string> | base64 --decode $FLAG > tls.pem
1. Ensure that you complete the steps to set up the Fabric CA client and that $FABRIC_CA_CLIENT_HOME is set to the
directory where you want to store your CA admin certs.
echo $FABRIC_CA_CLIENT_HOME
$HOME/fabric-ca-client/ca-admin
The <enroll_id> and <enroll_password> in the command are the enroll_id and enroll_secret you specified when
you created the CA. Use the Certificate Authority Endpoint URL from your IBM Blockchain Platform console or the
"ca_url" returned by your API call as the value for <ca_url_with_port> . Leave off the http:// at the beginning. The
<ca_name> is the CA Name from your console, or the "ca_name" returned by the APIs.
Tip: If the value of the enrollment URL, which is the -u parameter value, contains a special character, you need to either
encode the special character or surround the URL with the single quotation marks. For example, ! becomes %21 , or the
command looks like:
$ ```
./fabric-ca-client enroll -u 'https://admin:C25A06287!0@ash-zbc07c.4.secure.blockchain.ibm.com:21241'
The `enroll` command generates a complete set of certificates, which is known as a Membership Service
Provider (MSP) folder, that is located inside the directory where you set to `$HOME` path for your
Fabric CA client. For example, `$HOME/fabric-ca-client/ca-admin`. For more information about MSPs and
what the MSP folder contains, see the [Membership Service Providers](https://hyperledger-
fabric.readthedocs.io/en/release-2.2/msp.html){: external} concept topic in the Fabric documentation.
You can run a tree command to verify that you have completed all of the prerequisite steps. Navigate
to the directory where you stored your certificates. A tree command should generate a result similar
to the following structure:
```
cd $HOME/fabric-ca-client
tree
.
├── ca-admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 9-30-250-70-30395-SampleOrgCA.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 2a97952445b38a6e0a14db134645981b74a3f93992d9ddac54cb4b4e19cdf525_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── catls
└── tls.pem
```
1. Generate certificates with your CA admin by using the Fabric CA client. Use these admin certificates to issue the following
commands. Ensure that $FABRIC_CA_CLIENT_HOME is set to $HOME/fabric-ca-client/ca-admin .
echo $FABRIC_CA_CLIENT_HOME
$HOME/fabric-ca-client/ca-admin
2. Issue the following command to find your affiliation and your organization name.
affiliation: org1
affiliation: org1.department1
Make a note of the second affiliation value, for example, org1.department1 . You need to use this value in the command
If you created the CA with the IBM Blockchain APIs instead of the console, your CA is deployed without affiliations, unless
you created affiliations by using the Fabric CA Client. If your CA does not have affiliations, you can skip this step and leave
the --id.affiliation off future commands.
Create a name and password for the component and then use them to replace name and secret . Make a note of this
information. Set the --id.type to orderer if you are deploying an ordering node, or set it to peer if you are deploying a
peer. The command might look similar to the following example:
Important: You need to save the "enrollid" and "enrollsecret" from the command above for when you create
your configuration file.
You can register an identity only once. If you experience a problem, try a command with a new username and password. As
a security measure, use each identity, and the accompanying enrollID and secret, to deploy only one peer. While you can
use one admin identity for several components (this is the recommended deployment strategy), do not reuse peer IDs and
passwords.
When the command completes successfully, you should see information that is similar to the following example:
You need to register this new identity with your CA, and use it to generate an MSP folder. You can make this identity an
organization administrator by adding its signCert to your organization MSP. You also need to add the signCert to your
configuration file so that it can be made the admin cert of the ordering node or peer during deployment. You need to create only
one admin identity for your organization. As a result, you need to complete these steps only once. You can use the signCert that
you generated to deploy many peers or ordering nodes.
Ensure that your $FABRIC_CA_CLIENT_HOME is set to the path to the MSP of your CA Admin.
echo $FABRIC_CA_CLIENT_HOME
$HOME/fabric-ca-client/ca-admin
Register the component admin identity with the CA by running the following command:
Important: Make a note of this information. You will use this name and secret to generate the MSP folder by using the
enroll command.
For example:
After this command completes successfully, it generates a new MSP folder in the directory that you specified by using the -M
flag. This directory contains the certificates that you need to use to operate your components. You can verify that the enroll
command worked by using a tree command. Navigate to the directory where you stored your certificates. A tree command
should generate a result similar to the following structure:
cd $HOME/fabric-ca-client
tree
.
├── ca-admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── cacerts
│ │ └── 9-30-250-70-30395-SampleOrgCA.pem
│ ├── keystore
│ │ └── 425947b767936a8f31780390cbc399cae48663b643e906ceb6944500d57b322c_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
├── catls
│ └── tls.pem
├── orderer-admin
│ └── msp
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── cacerts
│ │ └── 9-30-250-70-30395-SampleOrgCA.pem
│ ├── keystore
│ │ └── 30a12af2359cd96ec02ff5f47ad7793d2fefe3cde2be574bace18b24d36ba015_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── peer-admin
└── msp
├── IssuerPublicKey
├── IssuerRevocationPublicKey
Important: You will need to return to this folder when you create your organization MSP definition and configuration files.
cd $HOME/fabric-ca-client
mkdir tlsca-admin
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca-client/tlsca-admin
Run the command below to enroll as your admin against the TLS CA. The enroll ID and password of your TLS CA admin are the
same as your default CA. As a result, the command below is the same as you used to enroll as your CA admin only with the
name of your TLS CA. Your TLS CA name is the TLS CA Name value from the CA settings panel in your console, or the value of
the "tlsca_name" returned by the Create a CA API.
After you enroll, you have the necessary certificates to register your component with the TLS CA. Run the following command to
register the ordering node or peer:
This command is similar to the one that you used to register the component identity with the CA, except that you need to use the
TLS CA name. If you are deploying an ordering node instead of a peer, set --id.type to orderer instead of peer . You must
provide this identity a different username and password than the one that you used against your default CA. A real register might
look similar to the command below:
Important: You need to save the "enrollid" and "enrollsecret" from the command above for when you create
your configuration file.
Troubleshooting
Solution:
This error can occur when your Fabric CA client tries to enroll but cannot connect to your CA. This can happen if:
Review the parameters that you specified on your enroll command and ensure that none of these conditions exist.
Solution:
You need to either encode the special character or surround the URL with the single quotation marks. For example, ! becomes
%21 , or the command looks like:
1. Select an MSP ID for your organization. The MSP ID is the formal name of your organization within the consortium. The
MSP ID used to create the organization MSP needs to be the same that you use to deploy your peers.
3. You need to provide the signCert, in base64 format, of your organization administrator that you registered and enrolled by
using the Fabric CA client.
Navigate to the MSP directory that was created when you generated certificates by using your organization administrator.
cd $HOME/fabric-ca-client/peer-admin/msp
In this MSP directory, open the signCert file of the new user and convert it to base64 format by using the following
commands:
Note: It is important that the string generated by using the command above is formatted as a single line. It should look
similar to:
$
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFbERDQ0EzeWdBd0lCQWdJUUFmMmo2MjdLZGNpSVE0dHlTOCs4a1RBTkJna3Foa2lHOXc
C
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFbERDQ0EzeWdBd0lCQWdJUUFmMmo2MjdL
ZGNpSVE0dHlTOCs4a1RBTkJna3Foa2lHOXcwQkFRc0ZBREJoDQpNUXN3Q1FZRFZRUUdFd0pWVXpF
Vk1CTUdBMVVFQ2hNTVJHbG5hVU5sY25RZ1NXNWpNUmt3RndZRFZRUUxFeEIzDQpkM2N1WkdsbmFX
VEFlRncweE16QXpNRGd4TWpBd01EQmFGdzB5TXpBek1EZ3hNakF3TURCYU1FMHhDekFKQmdOVkJB
WVRBbFZUDQpNUlV3RXdZRFZRUUtFd3hFYVdkcFEyVnlkQ0JKYm1NeEp6QWxCZ05WQkFNVEhrUnBa
For example:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/fabric-ca-client/peer-admin/msp/signcerts/cert.pem | base64 $FLAG
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNuRENDQWtPZ0F3SUJBZ0lVTXF5VDhUdnlwY3lYR2sxNXRRY3hxa1RpT
G9Nd0NnWUlLb1pJemowRUF3SXcKYURFTTlEKaFhTTzRTWjJ2ZHBPL1NQZWtSRUNJQ3hjUmZVSWlkWHFYWGswUGN1OHF2aCtW
SkhGeHBLUnQ3dStHZDMzalNSLwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
4. You also need to provide the root certificate of your CA. This certificate was created when you generated certificates by
using your CA admin.
cd $HOME/fabric-ca-client/ca-admin/msp
In this directory, open the cacerts folder and convert the certificate inside into base64 format by using the following
commands:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/<path-to-ca-admin>/msp/cacerts/<ca_root_cert>.pem | base64 $FLAG
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGekNDQWIyZ0F3SUJBZ0lVQmZnZzcvVnIrL25OVEFNQlQ4UUtHL00wQ
U8wd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1a
E1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXS
nlhV010ClkyRXRjMlZ5ZG1WeU1CNFhEVEU1TURVd016RXpNamt3TUZvWERUTTBNRFF5T1RFek1qa3dNRm93YURFTE1Ba0cKQ
TFVRUJoTUNWVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkb
GNqRVBNQTBHQTFVRUN4TUdSbUZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvW
kl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVXMUtvN2lWeVE2VWkwdDVqbU5KaWVuSUwKR3pNM1BDWHlhL2VSQ0NWMmFQb0dTZ
1lrVUg2UWN5RjAzbFlMZFU4Y0drNTQ0alViVC9KT1lYeVgzTWc4bHFORgpNRU13RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQ
TFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSME9CQllFCkZDK2lJR0NSb2Zvb3FsVkZoU3dOMmk2MXNJaVBNQW9HQ0NxR
1NNNDlCQU1DQTBnQU1FVUNJUURTYW9RL1E0QzkKbFl1VGNhVXVHb3d6YmhUZHBuN2F3S2lHN1Nvd2lSQXVld0lnUWlyM3RNR
3IvYWo2aU5lRXJFN2NyOVowQ0gvTwp3QnNQcWd4RVR3MjVqZUU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
Navigate to the MSP directory that was generated when you enrolled your TLS CA admin.
cd $HOME/fabric-ca-client/tlsca-admin/msp
In this directory, open the cacerts folder and convert the certificate inside into base64 format by using the following
commands:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/<path-to-tlsca-admin>/msp/cacerts/<tls_root_cert>.pem | base64 $FLAG
The command prints the TLS CA root cert as a base64 encoded sting.
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNHRENDQWI2Z0F3SUJBZ0lVWUVQWnprNXV2b3dobEtacG5JMXplODdIQ
Ulnd0NnWUlLb1pJemowRUF3SXcKWFRFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1a
E1SUXdFZ1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVE0d0RBWURWUVFERXdWMGJIT
mpZVEFlCkZ3MHhPVEExTURNeE16STVNREJhRncwek5EQTBNamt4TXpJNU1EQmFNRjB4Q3pBSkJnTlZCQVlUQWxWVE1SY3cKR
lFZRFZRUUlFdzVPYjNKMGFDQkRZWEp2YkdsdVlURVVNQklHQTFVRUNoTUxTSGx3WlhKc1pXUm5aWEl4RHpBTgpCZ05WQkFzV
EJrWmhZbkpwWXpFT01Bd0dBMVVFQXhNRmRHeHpZMkV3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPClBRTUJCd05DQUFRdSs2U
nZWd2w5T2dDVlAraEVxbjVxdExRVG9LWkw4a1lic0pOeU1JbERoc3hlNWx6cW1zQkoKbTk2eUR2TVV6OSsxL2pzb1M4M1JqM
VAwc3M2TnJNb3FvMXd3V2pBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRApWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFUQWRCZ05WS
FE0RUZnUVVnUEc4anJEK1BxVjdoelc3WDlsbTFrMS91WjR3CkZRWURWUjBSQkE0d0RJY0VxVGJESW9jRUNwbnBkVEFLQmdnc
Whrak9QUVFEQWdOSUFEQkZBaUVBenk3cHJZaVMKQmlDVWdYeWRkY09WMm9mZmtqaEI0N091QXFjQWNqZS9SWkVDSUdKZFgzZ
1ErTDRIN3duY1RoZkwrenU1ejV1UApGUWhXTmlNS3hQWEYrZnYwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
{
"enrollment": {
"component": {
"cahost": "",
"caport": "",
"caname": "",
"catls": {
"cacert": ""
},
"enrollid": "",
"enrollsecret": "",
"admincerts": [""]
},
"tls": {
"cahost": "",
"caport": "",
"caname": "",
"catls": {
"cacert": ""
},
"enrollid": "",
Copy this entire file into a text editor where you can edit it and save it to your local file system as a JSON file. Use the steps
below to complete this configuration file and use it to deploy an ordering service or peer.
If you are using the IBM Blockchain Platform console: Open the CA in your console and click Settings, then the Export button
to export the CA information to a JSON file. You can use the values from this file to complete your configuration file.
If your are using the APIs: You can call GET /ak/api/v2/components to get the connection information of your CA. If you
created the CA with the Create a Fabric CA API, you can also find the necessary information in the response body.
The "cahost" and "caport" values are visible in the ca_url field in the response body or CA JSON file that you exported.
For example, if your ca_url is https://9.30.94.174:30167, the value of the "cahost" would be 9.30.94.174 and the
"caport" would be 30167.
The "caname" is the name of the CA that was specified when you deployed the CA. This is the value of theca_name field in
the response body or the exported JSON file.
The "cacert" is the base64-encoded TLS certificate of your CA. This is the value of the pem field in the response body or
the exported JSON file.
The fields in the "tls" section below require the same information as you passed to the component sections above,
except you need to use the value of the CA TLS instance name that is specified during CA deployment. Replace caname
with the value of tlsca_name in the response body or the exported JSON file. Use the same TLS cert for the "cacert"
value.
"tls": {
"cahost": "",
"caport": "",
"caname": "",
"catls": {
"cacert": ""
"component": {...
},
"enrollid": "peer1",
"enrollsecret": "peer1pw",
2. Paste the name and secret you used to register your component with your tls CA as the "enrollid" and
"enrollsecret" in the configuration file, under the "tls" section:
"tls": {...
},
cd $HOME/fabric-ca-client/peer-admin/msp
In this MSP directory, open the signCert file of the new user and convert it to base64 format by using the following commands:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/<path-to-peer-admin>/msp/signcerts/cert.pem | base64 $FLAG
Note: It is important that the string generated by using the command above is formatted as a single line. It should look similar
to:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFbERDQ0EzeWdBd0lCQWdJUUFmMmo2MjdLZGNpSVE0dHlTOCs4a1RBTkJna
3Foa2lHOXcwQkFRc0ZBREJoDQpNUXN3Q1FZRFZRUUdFd0pWVXpFVk1CTUdBMVVFQ2hNTVJHbG5hVU5sY25RZ1NXNWpNUmt3RndZRF
ZRUUxFeEIzDQpkM2N1WkdsbmFXTmxjblF1WTI5dE1TQXdIZ1lEVlFRREV4ZEVhV2RwUTJWeWRDQkhiRzlpWVd3Z1VtOXZkQ0JEDQp
RVEFlRncweE16QXpNRGd4TWpBd01EQmFGdzB5TXpBek1EZ3hNakF3TURCYU1FMHhDekFKQmdOVkJBWVRBbFZUDQpNUlV3RXdZRFZR
UUtFd3hFYVdkcFEyVnlkQ0JKYm1NeEp6QWxCZ05WQkFNVEhrUnBaMmxEWlhKMElGTklRVElnDQpVMlZqZFhKbElGTmxjblpsY2lC
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFbERDQ0EzeWdBd0lCQWdJUUFmMmo2MjdL
ZGNpSVE0dHlTOCs4a1RBTkJna3Foa2lHOXcwQkFRc0ZBREJoDQpNUXN3Q1FZRFZRUUdFd0pWVXpF
Vk1CTUdBMVVFQ2hNTVJHbG5hVU5sY25RZ1NXNWpNUmt3RndZRFZRUUxFeEIzDQpkM2N1WkdsbmFX
VEFlRncweE16QXpNRGd4TWpBd01EQmFGdzB5TXpBek1EZ3hNakF3TURCYU1FMHhDekFKQmdOVkJB
WVRBbFZUDQpNUlV3RXdZRFZRUUtFd3hFYVdkcFEyVnlkQ0JKYm1NeEp6QWxCZ05WQkFNVEhrUnBa
For example:
export FLAG=$(if [ "$(uname -s)" == "Linux" ]; then echo "-w 0"; else echo "-b 0"; fi)
cat $HOME/fabric-ca-client/peer-admin/msp/signcerts/cert.pem | base64 $FLAG
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNuRENDQWtPZ0F3SUJBZ0lVTXF5VDhUdnlwY3lYR2sxNXRRY3hxa1RpTG9Nd
0NnWUlLb1pJemowRUF3SXcKYURFTTlEKaFhTTzRTWjJ2ZHBPL1NQZWtSRUNJQ3hjUmZVSWlkWHFYWGswUGN1OHF2aCtWSkhGeHBLU
nQ3dStHZDMzalNSLwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
Copy this string to the "admincerts" field under the component section in the configuration file.
"csr": {
"hosts": [""]
}
This section is provided for advanced users to specify a custom hostname that can be used to communicate with the peer. Most
users can leave this section blank.
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMzRENDQW9PZ0F3SUJBZ0lVS2Vib0drZEJqenM5bllRbkVQTWp0VG56YTVr
d0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRX
RjMlZ5ZG1WeU1CNFhEVEU0TVRFeE9URTNNRE13TUZvWERURTVNVEV4T1RFM01EZ3dNRm93ZmpFTE1BaKQTFVRUJoTUNWVk14RnpBV
kJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApjbXhsWkdkbGNqRXVNQXNHQTFVRUN4TUVkWE
5sY2pBTEJnTlZCQXNUQkc5eVp6RXdFZ1lEVlFRTEV3dGtaWEJoCmNuUnRaVzUwTVRFUU1BNEdBMVVFQXhNSFlXUnRhVzR4Y0RCWk1
CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUgKQTBJQUJLbjUwdEU5TmpZb0RFNDBqalh6RUJ2T2c3Y3RtOElRd0laMnRkS29iNEww
VVhKdSs1Tkt5S2dyUk9vbApWcjBmQmg5cWZWMjl4Nms0T2dmMFNiVklBZWlqZ2ZRd2dmRXdEZ1lEVlIwUEFRSC9CQVFEQWdlQU1Bd
0dBMVVkCkV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZOYWFkV0VzcGp2Smk1akpiVktiS2M3ZU1wUmhNQjhHQTFVZEl3UVkKTUJhQU
ZMd2d1N0J3Uk9lQ2hzV2hWQWptMTdmalh1eVBNQ2NHQTFVZEVRUWdNQjZDSEdOb1lXNWtjbUZ6TFcxaQpjQzV5WVd4bGFXZG9MbWx
pYlM1amIyMHdhQVlJS2dNRUJRWUhDQUVFWEhzaVlYUjBjbk1pT25zaWFHWXVRV1ptCmFXeHBZWFJwYjI0aU9pSnZjbWN4TG1SbGNH
RnlkRzFsYm5ReElpd2lhR1l1Ulc1eWIyeHNiV1Z1ZEVsRUlqb2kKWVdSdGFXNHhjQ0lzSW1obUxsUjVjR1VpT2lKMWMyVnlJbjE5T
UFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSURGeApDYzE1bDZUZ1dqYnhSZzlmNjczOGV0K0NZZ1I3VVpGR200VHdoQk5jQWlBNmtUMF
FwbDV6WnBUN3BzM0dySXlVCmEydDRHSTQ5ZTdjUm5PMmdrSzl6Z3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
]
},
"tls": {
"cahost": "9.30.20.70",
"caport": "32129",
"caname": "tlsca",
"catls": {
"cacert":
"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGakNDQWIyZ0F3SUJBZ0lVTmlUbkdTandSdU1JVXhpWGcwMGZZWXhPSndJ
d0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGekFWQmdOVkJBZ1REazV2Y25Sb0lFTmhjbTlzYVc1aE1SUXdFZ
1lEVlFRSwpFd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJrd0Z3WURWUVFERXhCbVlXSnlhV010ClkyRX
RjMlZ5ZG1WeU1CNFhEVEU0TVRFeE5qRTJNVEF3TUZvWERUTXpNVEV4TWpFMk1UQXdNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14Rnp
BVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbApXhsWkdkbGNqRVBNQTBHQTFVRUN4TUdSbU
ZpY21sak1Sa3dGd1lEVlFRREV4Qm1ZV0p5YVdNdFkyRXRjMlZ5CmRtVnlNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFF
nQUU1dlBucDJUNTdkY2hTOGRLNExsMFJRZEEKd284RmJsMzBPcnBGdWFHUld5TFl4eGcxcVFTemhUY3hTcGtHZjh3a1FzVDVFb01l
SWcrRytldjBOU01FUTZORgpNRU13RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3SFFZRFZSM
E9CQllFCkZMd2d1N0J3Uk9lQ2hzV2hWQWptMTdmalh1eVBNQW9HQ0NxR1NNNDlCQU1DQTBjQU1FUUNJR0FCRmNSdXhtSkIKY3c4OT
JJOXhPS3YxVmYyT0JHZUh5N2pFQzRBRm5najFBaUJqdHFvdjBXMXdxZjhwcGttYkxIQkJoWW1vS3ZqRwo4bDQyeVQ5bWYxWVQrZz0
9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
},
"enrollid": "peertls",
"enrollsecret": "peertlspw",
"csr": {
"hosts": [
]
}
}
}
}
Name: Enter a display name for the identity that is used for your reference only.
Certificate: Upload your admin's signing certificate. If you followed the instructions above, you can find this key in the
$HOME/fabric-ca-client/peer-admin/msp/signcerts/ folder.
Private Key: Upload your admins private key. If you followed the instructions above, you can find this key in the
$HOME/fabric-ca-client/peer-admin/msp/keystore/ folder.
After you import your admin identity, you can associate this identity with the components that you create. You can then use the
console to operate your network.
Hyperledger Fabric offers a modular architecture to extend the scalability and performance. This topic introduces some key
components in Hyperledger Fabric. For a complete introduction on Hyperledger Fabric, see Hyperledger Fabric documentation.
Peers
At a physical level, a blockchain network is comprised primarily of peer nodes (or, simply, peers). Peers are the fundamental
elements of the network because they host ledgers and smart contracts (which are contained in "chaincode". More accurately,
the peer hosts instances of the ledger, and instances of smart contracts. Because smart contracts and ledgers are used to
encapsulate the shared processes and shared information in a network, respectively, these aspects of a peer make them a good
starting point to understand what a Fabric network actually does.
To learn more about peers specifically, check out this document focusing just on peers from the Fabric community
documentation.
Certificate Authority
As a platform for permissioned blockchain networks, Hyperledger Fabric includes a modular Certificate Authority (CA)
component for managing the network identities of all member organizations and their users. The requirement for a permissioned
identity for every user enables ACL-based control over network activity, and guarantees that every transaction is ultimately
traceable to a registered user.
The CA issues a root certificate (rootCert) to each member (organization or individual) that is authorized to join the
network.
The CA also issues an enrollment certificate (eCert) to each member component, server-side applications and
occasionally users.
Each enrolled user is also granted an allocation of transaction certificates (tCerts). Each tCert authorizes one network
transaction.
This certificate-based control over network membership and actions enables members to restrict access to private and
confidential channels, applications, and data, by specific user identities.
For more information about the Hyperledger Fabric Certificate Authority component, see Fabric CA User’s Guide.
For more information about the Hyperledger Fabric Membership Services Provider component, see Membership in the
Hyperledger Fabric documentation.
Ordering service
Orderers are key components in a network because they perform a few essential functions:
It literally orders the blocks of transactions that are sent to the peers to be written to their ledgers, and this process is
called "ordering". If these transactions were instead bundled and ordered at the peers themselves, it would increase the
possibility of one peer writing a transaction to its ledger where another peer did not, creating a state fork.
It maintains the orderer system channel, the place where the consortium, the list of peer organizations permitted to
create channels, resides.
It performs important identity validation checks. For example, if an organization tries to create a channel when it is not a
member of the orderer's consortium, the request will be denied. Orderers also validate against behaviors in transaction
channels, such as the permissions for changing a channel configuration.
Hyperledger Fabric currently uses an implementation of the Raft protocol for its ordering service. For more information about the
ordering service, see The Ordering Service.
Hyperledger Fabric delivers both a Node.js SDK and Java SDK, and provides the following functions to interact with the
blockchain network:
For more information about Fabric SDKs, see Hyperledger Fabric SDKs in Hyperledger Fabric documentation.
Transaction flow
To ensure data consistency and integrity, Hyperledger Fabric implements multiple checkpoints throughout the transaction flow,
including client authentication, endorsement, ordering, and commitment to the ledger.
On a Hyperledger Fabric network, the flow of data for queries and transactions is initiated by a client-side application by
submitting a transaction request to a peer on a channel. The initial flow of data across the network is common to both queries
and transactions:
1. Using APIs available in the SDK, a client application signs and submits a transaction proposal to the appropriate endorsing
peers on the specified channel. This initial transaction proposal is a request for endorsement.
At this point in the transaction flow, the process diverges for queries and transactions. If the proposal called a query function
in the chaincode, the application returns the data to the client. If the proposal called a function in the chaincode to update
the ledger, the application continues with the following steps:
3. The application forwards the transaction, which includes the read/write set and endorsements, to theordering service.
4. The transaction is then relayed to the ordering service. All channel peers validate each transaction in the block by applying
the chaincode-specific Validation Policy and running a Concurrency Control Version Check.
Any transaction that fail the validation process is marked as invalid in the block, and the block is appended to the
channel's ledger.
All valid transactions update the state database accordingly with the modified key/value pairs.
The gossip data dissemination protocol continually broadcasts ledger data across the channel to ensure synchronized ledgers
among peers. For more information, see Gossip data dissemination protocol in Hyperledger Fabric documentation.
For a step-by-step introduction on transaction flow, see Transaction Flow in Hyperledger Fabric documentation.
Kubernetes provides a container-centric management environment. It orchestrates computing, networking, and storage
infrastructure on behalf of user workloads. This provides much of the simplicity of Platform as a Service (PaaS) with the flexibility
of Infrastructure as a Service (IaaS), and enables portability across infrastructure providers.
The following diagram explains the architecture of Kubernetes. For more explanation about nodes, containers, and pod, see the
Key Kubernetes objects section below.
A set of machines, called nodes, that run containerized applications managed by Kubernetes. A cluster has several worker
nodes and at least one master node.
Node
A node is a worker machine in Kubernetes. A node may be a VM or physical machine, depending on the cluster. Each node
contains the services necessary to run pods and is managed by the master components. The services on a node include
the container runtime, kubelet and kube-proxy . For more information, see the Kubernetes Node section in the
Kubernetes documentation.
Container
A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple
applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for
easier scaling.
Pod
The smallest and simplest Kubernetes object. A Pod represents a set of running containers on your cluster. A Pod is typically
set up to run a single primary container. It can also run optional sidecar containers that add supplementary features like
logging. Pods are commonly managed by a Deployment. For more information, see the Kubernetes Pod section in the
Kubernetes documentation.
For more information about IBM Cloud Kubernetes Service, see the following topics in IBM Cloud Kubernetes Service
documentation:
1. You need to deploy a Kubernetes cluster on IBM Cloud. You can deploy the cluster to any geography supported by the
IBM Kubernetes service or Red Hat OpenShift on IBM Cloud. For more information, see the list of locations for the IBM
Kubernetes service or locations for OpenShift on IBM Cloud.
2. After you deploy a cluster on IBM Cloud, you need to deploy an instance of the IBM Blockchain Platform. The IBM
Blockchain Platform operational tooling can be deployed in each of the regions in the table below:
You can link an instance of the IBM Blockchain Platform operational tooling to a cluster that is deployed at any location.
However, all nodes provisioned by the console will be deployed in the location of the cluster. For example, if the Kubernetes
cluster is located in Toronto and the linked console is in Washington, D.C., when you use the console to deploy a peer, the peer
will reside in Toronto. For more information about the relationship between the operational tools and your cluster, see the IBM
Blockchain Platform for IBM Cloud architecture reference.
Approve
Referring to a step in the Hyperledger Fabric v2.x smart contract lifecycle, a smart contract definition is approved by
organizations on the channel. After the number of approvals that are specified in the channel lifecycle endorsement policy are
satisfied, the smart contract definition can be committed to a channel, and the peers where it is installed can begin to process
requests.
Asset
Tangible or intangible goods, services, or property that are represented as an item that is traded on the blockchain network.
Block
An ordered set of transactions, which is cryptographically linked to the preceding block on a channel.
CA
An abbreviation of "Certificate Authority", this is the component that issues certificates to all the participating members. These
certificates represent a member’s identity. All entities in the network (peers, ordering nodes, clients, and so on) must have an
identity to communicate, authenticate, and ultimately transact. These identities are required for any direct participation in the
blockchain network.
Chain
The ledger’s chain is a transaction log structured as hash-linked blocks of transactions. Peers receive blocks of transactions from
the ordering service, mark the block’s transactions as valid or invalid based on endorsement policies and concurrency violations,
and append the block to the hash chain on the peer’s file system.
Chaincode
Where smart contracts contain the business logic that governs the interactions for a set of assets, "chaincode" describes the
larger set of packages and infrastructure that encompass the smart contract.
Channel
Consisting of a subset of network members who want to transact privately. Channels provide data isolation and confidentiality by
allowing the members of a channel to establish specific rules and a separate ledger that only channel members can access.
Peers, which are the nodes that function as transaction endpoints for organizations, are joined to channels.
Client
The client represents the entity that acts on behalf of a user. It must connect to a peer for communicating with the blockchain.
The client might connect to any peer of its choice. Clients create and thus invoke transactions. The client submits an actual
transaction invocation to the endorsers, and broadcasts transaction proposals to the ordering service.
Commit
Connection profile
A connection profile is used by the Fabric Client SDKs to connect to the network. A connection profile can be downloaded from
the Organizations tile.
Consensus
A collaborative process to keep the ledger transactions synchronized across the network. Consensus ensures that ledgers are
updated only when the appropriate participants approve transactions, and that ledgers are updated with the same transactions
in the same order. There are many different algorithmic ways of achieving consensus.
Consenter set
The ordering service nodes actively participating in the ordering process on a channel. These nodes are also known as
"consenters."
Console
The name of the user interface in the IBM Blockchain Platform. The console allows users to view, create, and manage their
deployments. Because the public and private keys are only stored locally in the browser the console runs on, users maintain
total control over their keys.
Consortium
The group of non-orderer organizations listed on the orderer system channel.The following lines do not apply to orderers that do
not use a system channel: These are the only organizations that can create channels. At channel creation time, all organizations
added to the channel must be part of a consortium. However, an organization that is not defined in a consortium may be added
to an existing channel. While a blockchain network can have multiple consortia, most blockchain networks have a single
consortium.
CouchDB
A document store that can be used as the state database of your peers. Using CouchDB allows you to use rich queries and
deploy indexes with your smart contract.
Current state
The current state of the ledger represents the latest values for all keys that are ever included in its chain transaction log. Because
current state represents all latest key values known to the channel, it is sometimes referred to as the world state. Smart
contracts execute transaction proposals against current state data. The current state changes every time when the value of a key
changes or a new key is added and is critical to a transaction flow because the latest key-value pair must be known before it can
be changed. Peers commit the latest values to the current state of the ledger for each valid transaction in a block. The current
state is stored the state database associated with a peer.
Dynamic membership
A member can be dynamically added to the network by a user withregistrar privilege. Members are also assigned roles and
attributes, which control their access and authority on the network. Neither roles nor attributes can be assigned dynamically
Endorsement
The process by which transactions are validated. Endorsement rules are implemented by specifying endorsement policies,
which define the organizations that must approve of a transaction.
Endorsement policy
Defines the peer nodes on a channel that must execute transactions that are attached to a specific application, and the required
combination of responses (endorsements). A policy could require that a transaction be endorsed by a minimum number of
endorsing peers, a minimum percentage of endorsing peers, or by all endorsing peers that are assigned to a specific application.
Policies can be curated based on the application and the desired level of resilience against misbehavior, whether deliberate or
not, by the endorsing peers. A submitted transaction must satisfy the endorsement policy before it is marked as valid by
committing peers. A distinct endorsement policy to deploy transactions is also required.
Genesis block
The configuration block that initializes a blockchain network or channel, and also serves as the first block on a chain.
Gossip
Hyperledger Fabric allows peers to gather important network information from each other without having to rely on the ordering
service. The gossip data dissemination protocol provides a secure, reliable, and scalable way for peers to exchange messages
between each other. For example, if peers miss some blocks because of delays, network outages, or other reasons, they can
sync up to the current ledger state by using gossip messaging to contact other peers in possession of these missing blocks.
HSM
Hardware Security Module. Provides on-demand encryption, key management, and key storage as a managed service. HSM is a
physical appliance that handles the resource-intensive tasks of cryptography processing and reduce latency to applications. For
more information, see Hardware Security Module.
Hyperledger Fabric
Hyperledger Fabric is a business blockchain framework that the Linux Foundation hosts to serve as a foundation for developing
blockchain applications or solutions with a modular architecture. Hyperledger Fabric components such as consensus and
membership services are plug-and-play.
Install
The process of placing a smart contract on a peer’s file system. You must install the smart contract on every peer that wants to
access or change the data governed under the smart contract.
Instantiate
The process of starting and initializing a smart contract container on a channel with peers running Fabric v1.4.x and v1.4
capabilities. After a smart contract is installed on the peers and every peer has joined the channel, the smart contract must be
instantiated on the channel. Instantiation performs any necessary initialization of the smart contract, which includes setting the
key value pairs that comprise a smart contract's initial world state. After instantiation, peers that have the smart contract
Kafka
A consensus plug-in implementation for Hyperledger Fabric that results in a cluster of ordering service nodes in the blockchain
network. Kafka implementations and Raft implementations are intended for production networks. However, only Raft ordering
service clusters are natively supported and can be created using the IBM Blockchain Platform.
Ledger
Comprised of a literal "chain of blocks" that store the immutable, sequenced record of transactions, as well as a state database
to maintain current state. There is one ledger per channel, and updates to it are managed by the consensus process according to
the policies of a particular channel.
LevelDB
A key-value store that can be used as an option for the state database for your peers. LevelDB stores the current state as key-
value pairs, and does not support the use of indexes or rich queries.
Member
Also known as "organizations", members in a blockchain network, similar to the members of any group, form the structure of the
network. A member can be as large as a multi-national corporation or as small as an individual. Members are enrolled into the
network with a certificate that grants them permissions to use the network as either a service provider (for example, issuing
certificates, validating/ordering transactions) or as a consumer. The former provides foundational blockchain services that
include transaction validation, transaction ordering, and certificate management services. Consumer members use the network
to invoke transactions against the distributed ledger. Members can have multiple Peers.
MSP
An abbreviation of Membership Service Provider, which provides the definition of an organization, including the root certificate
of the CA issuing certificates for the entities associated with that organization, as well as the sign cert of the admin of that
organization. MSPs also exist at the local level of a peer or ordering node, and are the authentication mechanism that verifies the
admin users of the node. In the IBM Blockchain Platform, MSPs can be exported from one console into another, allowing users
to create an organization in one console, import it to another console, and operate it (for example, to create a channel). MSPs
can also be imported into an ordering service, forming a "consortium", the list of organizations allowed to create and join
channels.
Network
An instance of an IBM Blockchain Platform service on IBM Cloud.
Node
The communication entity of the blockchain. There are three types of nodes: CA, peer, and ordering node.
Organization
See Member.
Out of band
An expression used to refer to sharing network artifacts outside of the console UI, for example by email or some other file
transfer mechanism. After submitting a smart contract proposal, the originator can share the smart contract package and
package id with other channel members in an out of band operation by emailing this information to them.
Peer
A blockchain network resource that provides the services to execute and validate transactions, and maintain ledgers. The peer
runs smart contract and is the holder of transaction history and the current state of assets on ledgers. They are owned and
managed by organizations and are joined to channels.
Propose
Referring to a step in the Hyperledger Fabric v2.x smart contract lifecycle, a smart contract definition is proposed to a channel
for approval by the organizations that are specified in the channel lifecycle endorsement policy. A smart contract proposal
contains a smart contract definition name, version, package, endorsement policy, and optionally a private data collection.
Quorum
In a Raft ordering service, a quorum represents the number of nodes that must be available for transactions to be processed.
This number is a majority of the total number of nodes in the consenter set of the channel. In other words, if you have one node,
you need that node available to have a quorum, because the majority of one is one. Similarly, if you have two nodes, you will
need both available, since the majority of two is two (for this reason, a configuration of two nodes is discouraged; there is no
advantage to a two node configuration). In a similar vein, the majority of three is two, the majority of four is three, the majority of
five is three, and so on.
Raft
Raft is a crash fault tolerant (CFT) ordering service based on an implementation of Raft protocol in etcd . Raft follows a “leader
and follower” model, where a leader node is elected (per channel) and its decisions are replicated by the followers. Raft ordering
services should be easier to set up and manage than Kafka-based ordering services and a cluster of these nodes can be created
using the IBM Blockchain Platform.
SDK
Hyperledger Fabric Client Software Development Kits (SDKs) enable interaction between your client application and your
blockchain network. Fabric supports three SDKs: Go, Node, and Java) that include documentation for the available APIs.
Service credentials
Service discovery
Fabric service discovery allows your client applications to dynamically find the peer and ordering endpoints of your network. If
you do not configure service discovery in your application, the endpoint information of peer and ordering nodes on your channel
needs to be added manually to your connection profile or your application.
Shim
When referring to smart contracts or chaincode, the shim represents a set of Hyperledger Fabric chaincode APIs that a smart
contract can use to access state variables, transaction context, and call other smart contracts.
SignCert
The certificate that any entities, whether organizations or admins, attach to their proposals or proposal responses. These
signCerts are unique to an entity and are checked by the ordering service to make sure they match the signCert on file for that
entity.
Smart contracts
See Chaincode.
State database
Current state data is stored in a database on the peers for efficient reads and queries from smart contracts. You can select to
use either LevelDB or CouchDB as the state database of your peers.
Transaction
Changes to the ledger are achieved by invoking "transactions", which either involve assets or changes to the configuration of a
channel. "Asset" transactions usually involve a smart contract governing the rules of a transaction between counter-parties,
while the rules governing configuration transactions are established in the configuration of the channel itself.
World state
See Current state.
Installing patches provides instructions on how to apply patches to your existing blockchain nodes. Patches are cumulative, so
select the latest available patch to include all earlier patches.
28 Feb 2023
Certificate Authority (CA) patch 1.5.5-9, Peer and ordering node patch 1.4.12-23, 2.2.10-1, 2.4.8-1.
Severity: medium
31 Jan 2023
Certificate Authority (CA) patch 1.5.5-8, Peer and ordering node patch 1.4.12-22, 2.2.9-4, 2.4.7-4.
Severity: medium
04 Jan 2023
Certificate Authority (CA) patch 1.5.5-7, Peer and ordering node patch 1.4.12-21, 2.2.9-3, 2.4.7-3.
Known issue: If the Launch the IBM Blockchain Platform console button is not enabled, refresh the page to enable it.
Severity: medium
07 Dec 2022
Certificate Authority (CA) patch 1.5.5-6, Peer and ordering node patch 1.4.12-20, 2.2.9-2, 2.4.7-2.
Severity: medium
08 Nov 2022
Certificate Authority (CA) patch 1.5.5-5, Peer and ordering node patch 1.4.12-19, 2.2.9-1, 2.4.7-1.
Severity: medium
11 Oct 2022
Certificate Authority (CA) patch 1.5.5-4, Peer and ordering node patch 1.4.12-18, 2.2.8-3, 2.4.6-3.
Severity: medium
13 Sept 2022
Certificate Authority (CA) patch 1.5.5-3, Peer and ordering node patch 1.4.12-17, 2.2.8-2, 2.4.6-2.
Severity: medium
16 Aug 2022
Certificate Authority (CA) patch 1.5.5-2, Peer and ordering node patch 1.4.12-16, 2.2.8-1, 2.4.6-1.
Added ability to remove the system channel and ability to create orderers without a system channel.
Added support to use the channel participation APIs offered by Fabric peers/orderers to manage channels.
Severity: medium
19 July 2022
Certificate Authority (CA) patch 1.5.5-1, Peer and ordering node patch 1.4.12-15, 2.2.7-1, 2.4.5-1.
Severity: medium
22 June 2022
Certificate Authority (CA) patch 1.5.3-3, Peer and ordering node patch 1.4.12-14, 2.2.5-6, 2.4.3-3.
Severity: medium
01 June 2022
Certificate Authority (CA) patch 1.5.3-2, Peer and ordering node patch 1.4.12-13, 2.2.5-5, 2.4.3-2.
Severity: medium
03 May 2022
Certificate Authority (CA) patch 1.5.3-1, Peer and ordering node patch 1.4.12-12, 2.2.5-4, 2.4.3-1.
v2.5.3 release updates listed in What's new for May 03, 2022.
Severity: medium
Severity: medium
08 Mar 2022
Certificate Authority (CA) patch 1.5.2-7, Peer and ordering node patch 1.4.12-10, 2.2.5-2.
Severity: medium
08 Feb 2022
Certificate Authority (CA) patch 1.5.2-6, Peer and ordering node patch 1.4.12-9, 2.2.5-1.
Severity: medium
11 Jan 2022
Certificate Authority (CA) patch 1.5.2-5, Peer and ordering node patch 1.4.12-8, 2.2.4-5.
14 Dec 2021
Certificate Authority (CA) patch 1.5.2-4, Peer and ordering node patch 1.4.12-7, 2.2.4-4.
16 Nov 2021
Certificate Authority (CA) patch 1.5.2-3, Peer and ordering node patch 1.4.12-6, 2.2.4-3.
Deprecation notice for IBM Blockchain Platform for IBM Cloud: Because Kubernetes v1.22 deprecates a number of APIs,
nodes running Kubernetes v1.13, v1.14, or v1.15 will no longer be updated to the latest IBM Blockchain Platform for IBM Cloud
patches. In addition, no Kubernetes cluster nodes will be updated if the master node is not reachable. Impacted clusters are
identified via Kubernetes calls to the master node and calls to health check endpoints for blockchain components. Migration
instructions for impacted clusters will be posted here soon.
26 Oct 2021
Certificate Authority (CA) patch 1.5.2-2, Peer and ordering node patch 1.4.12-5, 2.2.4-2.
05 Oct 2021
10 Aug 2021
Miscellaneous bug fixes and security patches.
13 Jul 2021
Certificate Authority (CA) patch 1.5.0-1, Peer and ordering node patch 1.4.12-2, 2.2.3-2
16 Jun 2021
Certificate Authority (CA) patch 1.4.9-8, Peer and ordering node patch 1.4.12-1, 2.2.3-1
The platform has been updated to include support for Hyperledger Fabric v1.4.12 and v2.2.3.
05 May 2021
Certificate Authority (CA) patch 1.4.9-7, Peer and ordering node patch 1.4.11-2, 2.2.2-2
13 Apr 2021
Certificate Authority (CA) patch 1.4.9-6, Peer and ordering node patch 1.4.11-2, 2.2.2-1
22 Feb 2021
Certificate Authority (CA) patch 1.4.9-5, Peer and ordering node patch 1.4.9-5 and 2.2.1-5
12 Jan 2021
Certificate Authority (CA) patch 1.4.9-4, Peer and ordering node patch 1.4.9-4, 2.2.1-4
08 Dec 2020
Certificate Authority (CA) patch 1.4.9-3, Peer and ordering node patch 1.4.9-3, 2.2.1-3
19 Nov 2020
Certificate Authority (CA) patch 1.4.9-2, Peer and ordering node patch 1.4.9-2, 2.2.1-2
When you link a new IBM Blockchain Platform service instance to a Kubernetes cluster that uses community Kubernetes
Ingress, the cluster Automatic Load Balancer (ALB) pods need to be restarted which can take five to ten minutes. If the restarts
have not completed before you create your first blockchain Certificate Authority (CA), peer, or ordering node, the initial green
status indicator on the new node can take slightly longer than you are accustomed to while the pods restart. Existing blockchain
service instances are not impacted.
02 Nov 2020
Certificate Authority (CA) patch 1.4.9-1, Peer and ordering node patch 1.4.9-1, 2.2.1-1
Important: If you are running OpenShift Container Platform 3.11 in IBM Cloud, it is recommended that you upgrade
your cluster to 4.4 now in order to fully take advantage of the new features. After you upgrade your cluster, follow
instructions to refresh your blockchain console to experience the latest functionality in this release.
For information about upgrading nodes, check out Upgrading to a new version of Fabric. For information about updating the
capabilities of your channels, check out Capabilities.
1 Oct 2020
CA, Peer, and ordering node patch 1.4.7-3, 2.1.1-3
25 Aug 2020
CA, Peer, and ordering node patch 1.4.7-2, 2.1.1-2
Certificate expiration dates have been added throughout the component details, making it easier to monitor and track certificate
expiration dates. See Certificate Management to learn more about your responsibilities. In addition, it is now possible to enable
Node OU support for your MSPs and channels through the console. Read more about Node OU support, why this is important,
and how to simplify certificate renewal for the MSPs on your network.
14 July 2020
CA, Peer, and ordering node patch 1.4.7-1, 2.1.1-1
18 June 2020
Peer and ordering node patch 1.4.7-0
IBM considers this a critical patch that you should apply at your nearest opportunity.Not applying this patch risks being
susceptible to a data integrity issue if you experience a CouchDB or underlying storage crash on your peer. This patch updates
the CouchDB delayed_commits configuration property to false. The prior setting could cause the peer's CouchDB database to
be in an inconsistent state in the event of a CouchDB or underlying storage system crash. The new setting ensures that a peer
will recover from crashes in a consistent state. As always, it is recommended to utilize an endorsement policy that requires
multiple peers to endorse a transaction, to avoid an inconsistency from a single peer from impacting the overall blockchain
network state.
To be certain that your peers have no database corruption, you should reprovision your peers.
Important: Miscellaneous bug fixes and security patches. If you are running OpenShift Container Platform 3.11 in IBM
Cloud, it is recommended that you upgrade your cluster to 4.3 now in order to fully take advantage of the new features.
After you upgrade your cluster, follow instructions to refresh your blockchain console to experience the latest
functionality in this release.
Multizone-capable storage
If your Kubernetes cluster is configured to use multizone-capable storage, new peer and ordering nodes can be deployed that
leverage multizone storage, effectively extending their high availability across cluster zones. See Multizone-capable Storage for
more information.
20 May 2020
CA, peer, and ordering node patch 1.4.6-2
16 April 2020
CA, peer, and ordering node patch 1.4.6-1
24 March 2020
Note: IBM is in the process of migrating existing IBM Blockchain Platform consoles to v2.1.3, therefore, the new features
described in this list may not yet be available in your console. Unsure what version you are currently using? Click the
question mark icon in the upper right corner of the console. The IBM Blockchain Platform version is visible under the page
heading. Existing customers will receive a Cloud notification with more details about when their console will be migrated.
All new nodes are deployed using Hyperledger Fabric v1.4.6. If you have an existing blockchain network, you should review the
topic on Capabilities to understand how this new Fabric version can impact your network.
Full cryptographic HSM support is now available for HSMs that implement the PKCS #11 standard. Using an HSM provides on-
demand encryption, key management, and key storage. When you deploy a CA, peer, or ordering node, you now have the option
to store the private key for the node identity in an HSM. See Configuring a node to use a HSM for more details.
Support for adding and removing ordering nodes from an existing ordering service
Previously, an ordering service could only contain one or five ordering nodes and they all were contributed from the same
organization. Now, the ordering service can be deployed across multiple organizations in a blockchain network, enabling
individual organizations to add and remove individual ordering nodes as required. Multi-organizational transaction ordering
improves the decentralized nature of a blockchain network. Learn more about the process in the new Adding and removing Raft
Hyperledger Fabric includes many configuration options for a CA, peer, or ordering node. A subset of those options for the CA,
peer and ordering node can now be overridden by using the console or the APIs.
In addition to smart contracts written in JavaScript, TypeScript, and Go programming languages, it is now possible to deploy
Java smart contracts from the console. Moreover, Java can be freely mixed and matched with other application and smart
contract programming languages, including JavaScript, TypeScript, and Go. This heterogeneous programming language support
enables an organization to capitalize on the full range of its development skills.
v2 APIs available
New IBM Blockchain Platform console APIs using the route /v2/ are now available. Use of the earlier /v1/ APIs continues to
be supported. See IBM Blockchain Platform APIs for more information.
When a CA is deployed, replica sets can be configured to ensure High Availability of the node. Note that CA replica sets require a
PostgreSQL database. Learn more in the Building a high availability Certificate Authority (CA) tutorial.
6 February 2020
Update default resource allocation
The default memory allocation for the peer container has been increased from 0.4GB to 1GB. When deploying a new peer, the
peer container will now default to 1GB memory, but you can adjust this value according to your use case. Increasing the memory
alleviates some resource contention that could occur during smart contract instantiation.
The Ingress timeout for the gRPC web proxy has been increased to avoid an error during smart contract instantiation. It is
recommended that you apply this patch to your existing peer and ordering nodes.
11 December 2019
Miscellaneous bug fixes
15 November 2019
Service availability in two new regions
06 November 2019
Simplified component creation flows
Peer, CA and ordering service creation has been streamlined. Now, when you create a node, you have to select a checkbox to
configure advanced deployment options.
02 October 2019
Peer, CA, and ordering node patch 1.4.3-0
When multiple zones are configured in your Kubernetes cluster, you can now choose which zone to deploy your ordering node
to. Spreading nodes across zones is useful for ensuring high availability of your blockchain network.
Ability to set peer to be an anchor peer when the peer joins the channel
Users can now choose to designate a peer to be an anchor peer when the peer is being joined to the channel, rather than after
the peer has joined the channel. An anchor peer must exist for each organization in order for cross organizational gossip to work.
Anchor peers are also required for private data and service discovery to work. Learn how.
A peer can now be joined to a channel directly from the Channels tab. See Join a peer to a channel for more details.
Export/Import all
Allows for the bulk export and import of your blockchain network, including nodes, MSPs and identities, rather than having to
export and import these components one at a time. See the topic on Exporting and importing in bulk for more details.
All new nodes are deployed using Hyperledger Fabric v1.4.3. If you have an existing blockchain network, you should review the
topic on Capabilities to understand how this new Fabric version can impact your network.
21 August 2019
Peer node patch 1.4.1-3
With this patch, you now have the ability to upload additional admin identities for a peer. See Adding new peer admin
certificates for more information.
Select peer zone (IBM Blockchain Platform for IBM Cloud only)
If multiple zones are configured in your Kubernetes cluster on IBM Cloud, you can now use the console UI to select the zone
where the peer is deployed. This capability is important if you are configuring multizone HA for peers.
You now have the option to choose between CouchDB and LevelDB for your Peer database. For more information, see LevelDB
vs CouchDB.
12 August 2019
Beta trial of the IBM Blockchain Platform ends
The Beta trial of the IBM Blockchain Platform, which began on February 12, 2019, has officially ended. All of the beta instances
of your console and the components that you deployed into your Kubernetes cluster using the beta console will be deleted.
This patch contains a security fix for the peer couchDB container.
10 July 2019
Ordering node patch 1.4.1-2
This patch fixes a problem that occurs when ordering nodes restart. The genesis block is updated which prevents the ordering
node from communicating with the other nodes in the ordering service. You can apply this patch to all existing ordering nodes in
your ordering services by following these instructions to update each ordering node. All new ordering nodes that you create will
automatically include this fix.
You now have the ability to remove anchor peers from a channel.
24 May 2019
Raft consensus protocol
The five node Raft ordering service, recommended for production networks, is now available. In addition, for development and
testing purposes, you can deploy a single node Raft ordering service.
9 May 2019
Introducing IBM Blockchain Platform Console APIs
APIs are now available to provision, edit, and delete peer, orderer, and CA nodes, making it possible to script the building of your
blockchain network. Use the documentation in the IBM Cloud API documentation repository to learn more about the APIs and
try them out. In addition, see the topic on Building a network with APIs for instructions on how to use the APIs to build out your
network.
Channel governance
Channel governance updates allow policies to be reconfigured. You can also control which channel members need to sign a
channel update and you can orchestrate signature collection.
17 April 2019
When you deploy a node you now have the ability to specify the amount of CPU, memory, and storage to your containers, where
applicable. You can later scale their resources up or down at a later time according to usage patterns. For more information, see
Allocating resources.
IAM is used to control user access to the console UI as well as restricting the actions they can perform in the UI. See this topic
for information on how to add and remove users from the console.
3 April 2019
Support for external CA
When you add a peer or orderer node, you have the option to use certificates from an external CA, one that is not hosted by IBM.
See this topic on Using certificates from an external CA with your peer or ordering nodefor more information.
New orderer tuning parameters are available in the console to give you more control over your orderer throughput and
performance. See this topic on Tuning your orderer for instructions on how to configure the parameters.
This topic describes common issues that can occur when you use the IBM Blockchain Platform console.
Why is my IBM Blockchain Platform user interface unable to connect to cluster after deployment? (Ingress issue)
Why are my console actions failing in my Chrome browser Version 77.0.3865.90 (Official Build) (64-bit)?
When I hover over my node, the status is Status unavailable , what does this mean?
When I hover over my node, the status is Status undetectable , what does this mean?
Why am I getting the error Unable to get system channel when I open my ordering service?
Why did my smart contract installation, instantiation or upgrade fail?
Why is my smart contract fail to install with an error on my peer?
Why is my Node.js smart contract fail to endorse?
Why is the smart contract that I installed on the peer not listed in the UI?
My channel, smart contracts, and identities have disappeared from the console. How can I get them back?
Why am I getting the error Unable to authenticate with the enroll ID and secret you provided when I create
a new organization MSP definition?
Why am I getting the error An error occurred when updating channel when I try to add an organization to my
channel?
When I log in to my console, why am I getting a 401 unauthorized error?
Why am I getting a Cluster linking is taking too long error when I try to link my Kubernetes cluster in IBM Cloud
to my IBM Blockchain Platform service instance?
Why am I getting an error “all SubConns are in TransientFailure” on the console?
Why is my first start of a smart contract returns the following error: no suitable peers available to initialize from?
Why are my node operations fail to operate after I create my peer or ordering service?
Why does my peer or ordering node fail to start?
Why does my blockchain node fail to restart?
What is the proper way to clean up a failed node deployment?
How can I view my smart contract container logs?
Why is my CA, peer, or ordering node that is configured to use HSM not working?
Why are my transactions returning an endorsement policy error: signature set did not satisfy policy?
Why are the transactions I submit from VS Code failing with a No endorsement plan available error?
Why are the transactions I submit from VS Code failing with an endorsement failure?
Why is my peer unable to communicate with my ordering node?
When I hover over my node, the status is red, what does this mean?
How do I disable the network policies in my namespace?
How do I delete a peer pod?
How can I recover a contract after a failed upgrade of the smart contract container?
What’s happening
When deploying a new IBM Cloud Kubernetes Service cluster and a new IBM Blockchain Platform environment, the IBM
Blockchain Platform user interface is unable to connect to the provision components. The component status does not turn green
even when the pod shows it is running fine from the IBM Cloud Kubernetes Service user interface or the command line interface
(CLI).
You may also see errors connecting to the proxy URL such as the following reported by the IBM Blockchain Platform console:
"stitch_msg": "unable to get block: grpc web proxy's message: "Response closed without headers". This
can happen when encountering CORS or untrusted TLS issues with the grpc web proxy.",
Before resolving this problem, you can check the application load balancer (ALB) replica set by running kubectl get
replicasets -n kube-system and look for result similar to public-crbpt86avw0kfob73dpb3g-alb1-875bc4d57 2 2 2
24h .
For clusters created after 01 December 2020 with version 1.18 or higher, you can check that the ingress configuration as
follows:
1. Run kubectl get ingress --all-namespaces to find out which are the ingress matching nodes that are having issues.
2. Run kubectl get ingress <componentname> -n <namespace> -o yaml to clear the current ingress configuration.
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
How to fix it
To resolve this problem, you can execute the following steps:
Get the list of ALB replica set. If your cluster has only one ALB, you can get the replica set as follows:
If you have multiple ALBs, execute the following steps for each ALB as follows:
For example, you will see multiple replica sets listed as follows:
2. Delete all the replica sets except for the latest one.
Based on the example shown, you need to delete the extra replica sets as follows:
3. Get the list of replica set again to ensure that there is only one remaining.
public-x-alb1-6486c45c96 2 2 2 3d17h
What’s happening
The console has been working successfully, but requests have started to fail. For example, after I create an ordering service and
open it I see the error: Unable to get system channel. If you associated an identity without administrative
privilege on the ordering service node, you will not be able to view or manage ordering service
details.
How to fix it
To resolve this problem, open the console in a new browser tab in Chrome. Any identities that you saved in your console wallet
will persist in the new browser tab. To avoid this problem you can upgrade your Chrome browser version. Ensure you have
downloaded all of your wallet identities to your local machine before closing your browser.
When I hover over my node, the status is Status unavailable or Status unknown , what does
this mean?
What’s happening
A CA, peer, or ordering node has a gray status box, meaning the status of the node is not available. Ideally, when you hover over
any node, the node status should be Running .
How to fix it
If this is a new node, wait a few more minutes for the deployment to complete. You can try reloading the page in your browser to
refresh the status. If the node is not new, examine the associated node logs for errors to determine the cause.
When I hover over my node, the status is Status undetectable , what does this mean?
What’s happening
The node status in the tile for the peer or ordering node is yellow, meaning the status of the node cannot be detected. Ideally,
when you hover over any node, the node status should be Running .
How to fix it
If you imported the node:
You can resolve this problem by performing the following steps:
If you migrated your cluster Ingress: You need to refresh your blockchain console.
Why am I getting the error Unable to get system channel when I open my ordering service?
What’s happening
After you create an ordering service, the status is Running . But when you open the ordering service you see the error:
How to fix it
You can renew the communication between your console and the IBM Kubernetes service cluster on IBM Cloud by clicking on
the service instance of your console in your Resource list and clicking the Refresh cluster button. When the link between your
cluster and your console has been refreshed, click the Launch the IBM Blockchain Platform button.
What’s happening
It is possible you may experience an error when installing, instantiating or upgrading a smart contract. For example, when you
try to install a smart contract on a peer, it fails with the error An error occurred when installing smart contract on
peer.
Open your Kubernetes dashboard and ensure the peer status is Running.
Open the peer node and ensure the smart contract version does not already exist on the peer and try again with the
proper version.
If you are still experiencing problems after the node is up, check your node logs for errors.
What’s happening
Installing a smart contract on a peer fails with an error similar to the following:
How to fix it
In some cases, if you simply wait several minutes and then refresh theSmart contracts tab in the console, you can see that the
smart contract was successfully installed. You can customize how long the console waits for the installation to complete by
changing the console settings with the APIs. See the fabric_lc_install_cc_timeout_ms setting. In some cases, it is the
1. From the console, open the peer tile and click theSettings icon.
2. Click Edit configuration JSON (Advanced).
3. In the Configuration updates box paste the following text and clickUpdate peer.
{
"chaincode":{
"startuptimeout":"300s",
"installTimeout":"600s",
"executetimeout":"30s"
}
}
The peer restarts and then you can retry the smart contract installation. Because the original installation failed you need to
specify a new smart contract name and version.
What’s happening
My Node.js smart contract endorsement fails with the error:
Error: endorsement failure during query. response: status:500 message:"error in simulation: failed to
execute transaction 6cbcf9f94bdef3fc68abba5604e46293ae: could not launch chaincode nodecc:1.1: error
building chaincode: error building image: external builder failed: external builder failed to build:
external builder 'ibp-builder' failed: exit status 3"
How to fix it
If you are using a smart contract that was originally written to work with Fabric 1.4, update the Node modules by running the
following command before deploying the smart contract on a Fabric v2.x peer. See Support and compatibility for fabric-
chaincode-node for more information.
Why is the smart contract that I installed on the peer not listed in the UI?
What’s happening
A smart contract was installed on a peer but when you click on theSmart contracts tab, it is not listed.
How to fix it
My nodes, channels, smart contracts, and identities have disappeared from the
console. How can I get them back?
What’s happening
Nodes, identities, channels, or smart contracts (or some combination of these) that I successfully deployed into the console are
no longer available.
Whenever you create a new organization MSP definition, you generate keys for an identity that is allowed to administer the
organization. Therefore, during that process you must click the Generate and then Export buttons to store the generated
identity in your wallet and then save it to your file system as a JSON file.
To resolve this problem in your browser, you need to import those identities and associate them with the corresponding
node:
In the browser where you are experiencing the problem, click the Wallet tab followed by Add identity to import the
JSON file into your wallet.
Click Upload JSON and browse to the JSON file you exported using the Add files button.
Click Submit.
Now open the peer or ordering service node that this identity was originally associated to, and click on theSettings
icon.
Click the Associate identity button.
Select the identity you just imported to your console wallet from the drop-down list.
Click Associate.
Repeat this process for each identity that was in the wallet of the original browser.
How to fix it
You can renew the communication between your console and the IBM Kubernetes service cluster on IBM Cloud by clicking on
the service instance of your console in your Resource list and clicking the Refresh cluster button. When the link between your
cluster and your console has been refreshed, click the Launch the IBM Blockchain Platform button.
Why am I getting the error Unable to authenticate with the enroll ID and secret you provided
when I create a new organization MSP definition?
What’s happening
How to fix it
Verify that you have selected the correct organization admin enroll ID from enroll ID drop down list and enter the correct value
for the enroll secret.
Why am I getting the error An error occurred when updating channel when I try to add an
organization to my channel?
What’s happening
When you attempt to add another organization to a channel, the update fails with the message An error occurred when
updating channel .
How to fix it
On the Update channel panel, scroll down to the Channel Updater MSP ID and select the MSP ID that was specified when the
channel was created or specify the MSP ID that is the admin of the channel.
What’s happening
When I try to log in to my console, I am unable to access the console from my browser. If I check the browser logs, I can find the
error 401 unauthorized.
If your session has become inactive, you can try simply refreshing your browser. If that does not work, close the browser
including all tabs and windows. Open the URL again. You will be required to log in.
Note: As a best practice, you should have already stored your certificates and identities on your file system. If you happen
to be using an incognito window, all the certificates are deleted from the browser local storage when you close the
browser. After you log in again you will need to re-import your identities and certificates.
Why am I getting a Cluster linking is taking too long error when I try to link my
Kubernetes cluster in IBM Cloud to my IBM Blockchain Platform service instance?
How to fix it
To resolve this problem you can run the helm reset command to delete the tiller and then try to link your cluster again. The
tiller is the helm mechanism that the blockchain deployer uses to set up components on your cluster. Run the following
command from your IBM Cloud CLI terminal:
bx api cloud.ibm.com
bx login
bx cs clusters
$(bx cs cluster-config <cluster_name> --export)
kubectl get deployments #test that the connection is working
helm reset
Attempt to link your cluster again. If it continues to fail, you should Contact Support.
What’s happening
The following error is shown on the console: "All SubConns are in TransientFailutre."
How to fix it
To resolve this problem, you need to resize the peers and CouchDB containers to add more memory, such as 2000 MB memory
each. After resizing the memory, delete the peer pods so they will be re-created. Then try the scenario again. See
Considerations when reallocating resources for more information.
Why is my first invoke of a smart contract returns the following error: no suitable
peers available to initialize from?
What’s happening
When I try to invoke a smart contract from the Fabric SDK, the transaction fails and returns the following error:
How to fix it
Use the following steps to configure anchor peers on your channel. Also, you should verify that you are submitting the
transactions against the correct channel and organization MSP id.
Why are my node operations fail to operate after I create my peer or ordering
service?
It is possible you may experience an error when managing an existing node. When that occurs, it is often useful to consult the
node logs.
What’s happening
For example, when you try to operate the node, the action might fail.
How to fix it
Check your Kubernetes dashboard and ensure the peer or node status is Running . Then try your action again. If you are still
experiencing problems after the node is up, check your node logs for errors.
What’s happening
The peer log includes:
[main] InitCmd -> ERRO 001 Cannot run peer because cannot init crypto, folder “/certs/msp” does not
exist`
Failed to initialize local MSP: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP:
[orderermsp],The identity does not contain OU [ADMIN], MSP: [orderermsp]]
When you created the peer or ordering service organization MSP definition, you specified an enroll ID and secret
that corresponds to an identity of type peer and not client or admin. It must be of type client or admin.
When you created the peer or ordering service organization MSP definition, you specified an enroll ID and secret
that does not match the enroll ID or secret of the corresponding organization admin identity.
When you created the peer or ordering service, you specified the enroll ID and secret of an identity that is not type
'peer' or 'orderer'.
When you created the peer or ordering service, you associated an identity that does not have theadmin role.
Open your peer or ordering service CA node and view the registered identities listed in theRegistered Users table.
What’s happening
When you change the resources allocated to a CA, peer, or ordering node, or if you update the admin certificates for a node, the
pod has to restart in order for the changes to take effect. Or when a worker node is updated for maintenance and needs to
restart, the associated blockchain pods also need to be restarted. Sometimes, due to conditions on your Kubernetes cluster, the
pod restart can fail.
If another application in a cluster with constrained resources is in a pending state, and is prioritized higher than the
blockchain component, the blockchain pod cannot restart because the resources are consumed by the pending
application.
If the blockchain component needs to restart, but is on a worker node that has been "cordoned", meaning no new
components can be brought to that node, it cannot restart. A blockchain pod becomes unschedulable when the
Kubernetes scheduler is unable to find a node that can accommodate the resource requirements of the pod.
If there is a timeout between the kubelet, the node agent that runs on each node, and the Kubernetes master node, a pod
restart can fail.
The pod restart itself can time out when its worker node restarts and takes too long to mount the persistent volume claim
(PVC).
How to fix it
To enable the blockchain pod to restart successfully, you need to address the underlying cluster issues:
Ensure there are adequate resources available on worker nodes in the cluster. If not, deploy a new worker node with
increased resources.
After you resolve the cluster issues, delete the failing blockchain pod. When Kubernetes restarts the pod, it will attempt to
move the pod workload to another node with sufficient resources.
If the timeout between a kubelet and the master node cannot be resolved, open a support ticket with your cluster
provider.
What’s happening
Sometimes a node can fail to deploy, for example, due to lack of resources in your Kubernetes cluster. After you understand the
cause of the node deployment failure, you need to clean up the failed node in your cluster.
How to fix it
Do not attempt to use Kubernetes commands to remove the node. Instead, it is extremely important that you use the IBM
Blockchain Platform console or the APIs to remove the failed node to ensure that the associated metadata and storage are also
cleaned up.
How to fix it
Follow these instructions to view your smart contract container logs on IBM Cloud.
Why is my CA, peer, or ordering node that is configured to use HSM not working?
What’s happening
This problem can happen when you try to deploy a CA, peer, or ordering node that is configured with HSM and the deployment
fails. Or it can surface when a node that is configured for HSM stops working. The node, client, or SDK logs contain the following
error:
or
How to fix it
To re-establish communications between the node and the proxy, restart the failing node by deleting the pod associated with
the node. A new pod will be created and the connection with the PKCS #11 proxy is restored. Use the following steps to restart
the failing node:
Replace:
<NAMESPACE> with the namespace where the associated pods are deployed. To find the namespace, open any CA node in
your console and click the Settings icon. View the value of the Certificate Authority endpoint URL. For example:
https://n2734d0-paorg10524.ibpv2-cluster.us-south.containers.appdomain.cloud:7054 . The namespace is
the first part of the URL beginning with the letter n and followed by a random string of six alphanumeric characters. So in
this example, the value of the namespace is n2734d0.
<PODNAME> with the Name of the failing pod that is visible in the list of pods returned by the previous command.
Why are my transactions returning an endorsement policy error: signature set did
not satisfy policy?
What’s happening
When I invoke a smart contract to submit a transaction, the transaction returns the following endorsement policy failure:
returned error: VSCC error: endorsement policy failure, err: signature set did not satisfy policy
Why are the transactions I submit from VS Code failing with a No endorsement plan
available error?
What’s happening
Transactions submitted from VS Code fail with an error similar to:
How to fix it
Follow step three of the private data topic in the Deploy a smart contract tutorial to configure your anchor peers.
Why are the transactions I submit from VS Code failing with an endorsement
failure?
What’s happening
My smart contract endorsement proposals from my peer are failing from my client application with the endorsement error
error: [Channel.js]: Channel:<channel_name> received discovery error:failed constructing descriptor for
chaincodes:<name:"chaincode-name"> or [ERROR] Error submitting transaction: No endorsement plan
available for {"chaincodes":[{"name":"MyAssetContract"}]}
UTC [discovery] chaincodeQuery -> ERRO 23c Failed constructing descriptor for chaincode chaincodes:
<name:"chaincode-name">,: cannot satisfy any principal combination
How to fix it
The only way to resolve this error is to delete the peer and create a new one with an enroll id that has the correct typepeer . You
can use the enroll id and secret from an existing user of type peer from the peer's CA or register a new user with type peer .
Follow the instructions in the Build a network tutorial to create a new peer identity with the correct type and peer.
How to fix it
Disable the network policies in your namespace. This should resolve connectivity issues with your nodes.
When I hover over my node, the status is red, what does this mean?
What’s happening
A CA, peer, or ordering node has a red status box, meaning there may be connectivity issues with the node. Ideally, when you
hover over any node, the node status should be Running .
How to fix it
Disable the network policies in your namespace. This should resolve connectivity issues with your nodes.
What’s happening
You may need to disable the network policies in your namespace to address connectivity issues in your network.
How to fix it
Check if network policies have been applied in your namespace by running the following CLI command:
If the command returns a list of one or more network policies that you did not apply and/or you want to disable, first disable the
operator creation of network policies. Get the operator deployment spec in your namespace and check for environment variable
IBPOPERATOR_CONSOLE_APPLYNETWORKPOLICY :
Once the operator creation of the network policy has been disabled, delete the network policies from the namespace:
What’s happening
You are looking for the commands to delete a peer.
How to fix it
Use the following CLI command to identify and then delete and restart the failing peer:
Replace <NAMESPACE> with the name of your Kubernetes namespace or your OpenShift project.
How can I recover a contract after a failed upgrade of the smart contract container?
What’s happening
All contracts were lost after the procedure to upgrade the smart contract container crashed.
How to fix it
Delete all the peer pods. This deletion triggers the peer to be created again and restarts the proxy.
What’s happening
I received an e-mail that my IBM Kubernetes service cluster is about to expire or its status is Expired . Or, you are not able to
access the console after 30 days.
How to fix it
It is not possible to migrate from a free cluster to a paid cluster. After 30 days you cannot access the console and all of your
nodes and certificates are deleted. See this topic on Kubernetes cluster expiration for information on what is happening and
what you can do.
After I deploy a node in the console, I'm seeing a message in my Kubernetes cluster
on IBM Cloud reporting that the pod has unbound immediate persistent volume
claims. Is this an error?
What’s happening
I see what looks like an error in my Kubernetes cluster on IBM Cloud reporting that a pod has unbound immediate persistent
volume claims and am worried that my node has failed to deploy.
How to fix it
Unbound immediate persistent volume claims are a normal part of the deployment process for any node, reflecting that the
persistent volume claim has been made but that the node itself has not yet deployed. Wait a few minutes for the node to deploy.
If it is still not resolved, run the following kubectl command to describe the persistent volume claim for your namespace:
If you see the following error, it is likely that you have reached your limit of storage volumes:
Backend Error:Your order will exceed the maximum number of storage volumes allowed. Please contact
Sales. Type:StorageOrderFailed, RC:500, Recommended Action(s):Wait a few minutes, then try re-creating
your PVC. If the problem persists, open an IBM Cloud support case.
See the troubleshooting topic on File storage and block storage: PVC remains in a pending state for more details.
After I deploy a node, I'm seeing a message in my Kubernetes cluster on IBM Cloud
reporting that the pod has hit a crash loop backoff. Is this an error?
I see an error in my Kubernetes cluster on IBM Cloud reporting that the pod has hit a crash loop backoff and am worried that my
node has failed to deploy.
How to fix it
The node has failed to deploy. There can be several reasons for this, but you must go to your console, delete the node, and
attempt to redeploy it. Make sure you are using the correct MSP, enroll ID, and secret.
Security incidents
IBM® Blockchain Platform provides the following methods for investigating and reporting security incidents:
Search known IBM security issues on the IBM Product Security Incident Response blog. You can filter the issues by
severity.
Report your security issue to the IBM Product Security Incident Response Team (PSIRT). Reporting methods for third-
parties and anonymous sources are also provided.
IBM support subscribers can log in and open a case with the appropriate severity. Refer to details, including IBM response
times, below in Submitting support cases.
General support
For all IBM Blockchain Platform offerings, it is recommended to first use free digital support resources to troubleshoot problems
and get help from IBM and the Hyperledger Fabric Community.
If your problem cannot be solved by any of the free digital support resources, consider the following approaches to get support
for the offerings that you use.
Submit a support case through IBM Cloud. For more information, see Submitting support cases.
Submit any issues in the IBM Blockchain Platform Visual Studio Code extension.
IBM Blockchain Service docs, provides guidance on how to start with IBM Blockchain Platform. You can find corresponding
topics from the table of contents or search any term from the search bar.
Hyperledger Fabric documentation, the Fabric community wiki, and the Fabric Jira dashboard provide more details about the
Fabric stack.
You can also post questions or check if your question was answered in Stack Overflow.
Developer resources
IBM Developer provides tutorials, code patterns, and videos for blockchain developers. Application developers can use the
Blockchain Design patterns to learn about common patterns and best practices for building applications that communicate with
blockchain networks.
Because IBM does not support using Hyperledger Composer for production implementation, you are encouraged to engage with
Hyperledger Composer community and Stack Overflow when you work on demos and proofs of concept.
Note: If you need help with Hyperledger Fabric or your applications, you can make use of the community resources or
engage IBM Blockchain Services. It is recommended to use Hyperledger Composer solely for demos and proofs of
concept. IBM does not support networks that use Hyperledger Composer in production, including the Composer CLI,
JavaScript APIs, REST server, and Web Playground.
The response to your support case depends on your IBM Cloud support plan.
If you purchased Premium Support or Advanced Support, you can specify a severity level on your ticket from Sev-1 to
Sev-4. Sev-1 is the highest level of severity. Support cases with higher severity levels indicate more urgency and are
responded to more quickly by the support team. Ensure that the ticket severity is assigned based on the published criteria
that is defined in Case severity and response times. For more information, see IBM Cloud support plan offerings.
If you do not purchase support, your IBM Cloud Pay-As-You-Go or Subscription account comes with a freeBasic Support
plan. In this case, your support case is automatically registered as Sev-4.
Important: Before you open a support ticket, you need to gather your logs.
You can find your previously submitted cases by clicking My Cases in the IBM Cloud Service Portal. Click and open a case to
check its status or provide additional information.
Next steps
Getting support
Considerations
Video tutorial
Browsers
Resources required
Multizone-capable storage
Deployment options
Deploy from IBM Cloud
Step two: Link the instance to your Kubernetes cluster on IBM Cloud
Post-install instructions
Limitations
Next steps
Support
Considerations
Getting started
Architecture reference
Compliance
Getting support
What is blockchain?
What is blockchain?
What's new
What's new
Peers
Ordering services
Channels
Smart contracts
Applications
An example network
Pricing
Pricing for IBM Blockchain Platform for IBM Cloud
Pricing model
Pricing examples
Billing
Storage usage
Scenario comparisons
Security
Security
Ports
Key management
API authentication
Network security
Internet Ports
Storage
Data privacy
GDPR
High availability
High availability (HA)
Peer considerations
Single region HA
Multizone HA
Multi-region HA
Overview
Configuration steps
Step one: Create the peer organization's CA and metadata in cluster one
Step two: Export the metadata and identities from cluster one
Step three: Import the metadata and identities in to cluster two and three
Step four: Create new peers in cluster two and three and join a channel
Setting up multiregion High Availability (HA) deployments for the ordering service
Export components
Import components
Import components
Next steps
Considerations
Creating an HA CA
Data residency
Data residency
Option four: A separate channel with only ordering nodes from one country
Reference material
FAQs
FAQs
What is the value of using IBM Blockchain Platform over native Hyperledger Fabric?
What version of Hyperledger Fabric is being used with IBM Blockchain Platform?
Can IBM Blockchain Platform components interoperate with Hyperledger Fabric components on the same network? And
vice versa? And what is the support policy for networks that include both IBM Blockchain Platform components and open
source components?
How can I estimate the IBM Blockchain Platform sizing requirements for my development, test, and production
environments?
How does pricing work on the IBM Blockchain Platform for IBM Cloud?
What are the limitations of the free IBM Blockchain Platform using the IBM Cloud Kubernetes Service free cluster?
What regions or locations are available for the IBM Blockchain Platform for IBM Cloud?
What persistent file storage does IBM Blockchain Platform for IBM Cloud use by default?
Is there a trial option available for using a Red Hat OpenShift cluster on IBM Cloud?
Is it possible to deploy blockchain nodes to multiple clouds from a single blockchain console?
How can I find what version of the IBM Blockchain Platform that I am running?
How do I get the latest Fabric version and Fabric functionalities on my IBM Blockchain Platform network?
I am currently using Hyperledger Fabric v1.4.x and want to move to IBM Blockchain Platform for IBM Cloud . Can I
continue to use Raft?
Can I migrate the blockchain components on my IBM Kubernetes service cluster to a Red Hat OpenShift cluster in IBM
Cloud?
What types of off-chain databases are supported with the IBM Blockchain Platform?
If service discovery is on, will an endorsement request be routed to any peer on the network?
Do ordering service Raft nodes use Transport Layer Security (TLS) for communication?
What benefits are available with the new smart contract lifecycle available on nodes and channels running on Fabric v2.x?
How can I check and interpret the status of my components through the Kubernetes command line?
Can I integrate my corporate LDAP server with the Certificate Authority (CA) in the IBM Blockchain Platform?
What version of the IBM Blockchain Platform works with the Ansible collection?
How do I get support for running the IBM Blockchain Platform Ansible playbook?
Can the IBM Blockchain Platform monitor the health of a client application?
Where does IBM store the customer's logs and how long does IBM keep the audit logs for the blockchain platform
service?
Do we have access to logging services and what logs are available to me?
Where can I see the price breakdown for IBM Cloud Kubernetes Service, Storage, and Blockchain in my monthly invoice?
Disclaimer
Disclaimer
Open-source statement
Getting started
Build a network
Creating a peer
Using your CA to register ordering service node and ordering service admin identities
Next steps
Join a network
Creating a peer
Next steps
Limitations
How do I?
What does the user type have to do with the smart contract endorsement policy?
Private data
What does the user type have to do with the smart contract endorsement policy?
Private data
Developing applications
Developing applications
Network considerations
Application compatibility
SDKs
Smart contracts
Service discovery
Prerequisites
Clock synchronization
Additional Resources
Why would I want to use an intermediate CA with my IBM Blockchain Platform network?
Limitations
Process overview
Next steps
Objectives
Gather certificates
Deploy peer
Next steps
Why would I want to use an HSM with my IBM Blockchain Platform network?
Process overview
Part Two: Configure communications between the HSM server and client
What's next
Ansible Playbooks
Getting started with Ansible playbooks on the IBM Blockchain Platform
What is Ansible
Getting started
Next steps
Prerequisites
Next steps
Generated identities
Summary
What is happening?
Why is it happening?
Next steps
Customize logging
Allocating resources
CA deployment
Customizing a CA configuration
Peer deployment
State database
Option 1: Create a new peer or single-node ordering service using certificates from an external CA
Option 2: Create a five node ordering service using certificates from an external CA
General options
Advanced options
Batch timeout
Overview
Update channel1 to add the Ordering Service2 MSP and the Ordering Service_2 node
Limitations
Importing a peer
Importing a CA
How to import a CA
Registering identities
Enrolling an identity
Adding identities
Downloading certificates
Associating identities
Managing organizations
Understanding MSPs
Importing an MSP
Removing an organization
Managing certificates
Overview
Node OU support
Step six: Update ordering service admin on ordering service system channel
Expired certificates
Export an MSP
Import an MSP
Adding storage
Deleting components
Benefits
Prerequisites
Invoke a smart contract that has been instantiated or committed on your channels
Taking advantage of the ability for each organization to use a separate package
Advanced tutorials
Creating an intermediate Certificate Authority (CA)
Why would I want to use an intermediate CA with my IBM Blockchain Platform network?
Limitations
Process overview
Next steps
Why would I want to use an HSM with my IBM Blockchain Platform network?
Process overview
Part Two: Configure communications between the HSM server and client
What's next
Objectives
Deploy peer
Next steps
What is Ansible
Getting started
Next steps
Prerequisites
Next steps
Generated identities
Summary
Step two: View the logs for your IBM Blockchain Platform nodes
Summary
Step two: Configure the Open Dashboard for monitoring your IBM Blockchain Platform nodes
Summary
Prometheus metrics
Overview
Scheduling snapshots
Taking snapshots
Restoring nodes
Sequencing restorations
Restoring a peer
Swagger
Authentication
Limitations
Troubleshooting
API reference
API reference
Hyperledger Fabric
Hyperledger Fabric
Peers
Certificate Authority
Ordering service
Transaction flow
Kubernetes
Kubernetes
IBM Developer
IBM Developer
Glossary
Approve
Asset
Block
CA
Chain
Chaincode
Channel
Client
Commit
Connection profile
Consensus
Consenter set
Console
Consortium
CouchDB
Current state
Dynamic membership
Endorsement
Endorsement policy
Genesis block
Gossip
HSM
Hyperledger Fabric
Install
Instantiate
Kafka
Ledger
LevelDB
MSP
Network
Node
Ordering node
Organization
Out of band
Peer
Propose
Quorum
Raft
SDK
Service credentials
Service discovery
Shim
SignCert
Smart contracts
State database
Transaction
User
World state
Release notes
Release notes
28 Feb 2023
31 Jan 2023
04 Jan 2023
07 Dec 2022
11 Oct 2022
13 Sept 2022
16 Aug 2022
19 July 2022
22 June 2022
01 June 2022
03 May 2022
05 Apr 2022
08 Mar 2022
08 Feb 2022
11 Jan 2022
14 Dec 2021
16 Nov 2021
26 Oct 2021
05 Oct 2021
10 Aug 2021
13 Jul 2021
16 Jun 2021
05 May 2021
13 Apr 2021
22 Feb 2021
12 Jan 2021
08 Dec 2020
19 Nov 2020
02 Nov 2020
1 Oct 2020
25 Aug 2020
14 July 2020
18 June 2020
Multizone-capable storage
20 May 2020
16 April 2020
24 March 2020
6 February 2020
11 December 2019
15 November 2019
06 November 2019
02 October 2019
21 August 2019
12 August 2019
10 July 2019
24 May 2019
9 May 2019
17 April 2019
3 April 2019
Known issues
Known issues
Why is my IBM Blockchain Platform user interface unable to connect to cluster after deployment (Ingress issue)?
Why are my console actions failing in my Chrome browser Version 77.0.3865.90 (Official Build) (64-bit)?
When I hover over my node, the status is Status unavailable or Status unknown , what does this mean?
When I hover over my node, the status is Status undetectable , what does this mean?
Why am I getting the error Unable to get system channel when I open my ordering service?
Why is the smart contract that I installed on the peer not listed in the UI?
My nodes, channels, smart contracts, and identities have disappeared from the console. How can I get them back?
Why am I getting the error Unable to authenticate with the enroll ID and secret you provided when I create
a new organization MSP definition?
Why am I getting the error An error occurred when updating channel when I try to add an organization to my
channel?
Why am I getting a Cluster linking is taking too long error when I try to link my Kubernetes cluster in IBM Cloud
to my IBM Blockchain Platform service instance?
Why is my first invoke of a smart contract returns the following error: no suitable peers available to initialize from?
Why are my node operations fail to operate after I create my peer or ordering service?
Why is my CA, peer, or ordering node that is configured to use HSM not working?
Why are my transactions returning an endorsement policy error: signature set did not satisfy policy?
Why are the transactions I submit from VS Code failing with a No endorsement plan available error?
Why are the transactions I submit from VS Code failing with an endorsement failure?
How can I recover a contract after a failed upgrade of the smart contract container?
After I deploy a node in the console, I'm seeing a message in my Kubernetes cluster on IBM Cloud reporting that the pod
has unbound immediate persistent volume claims. Is this an error?
After I deploy a node, I'm seeing a message in my Kubernetes cluster on IBM Cloud reporting that the pod has hit a crash
loop backoff. Is this an error?
Getting support
Getting support
Security incidents
General support