Wholesale CBDC Sample Application Prerequisites

Before importing the Oracle Visual Builder sample application package, it is essential to complete several prerequisites, including the creation of all required Oracle Cloud Infrastructure (OCI) resources and Oracle Identity Cloud Service (IDCS) groups as outlined below.

Visual Builder Cloud Service

The Wholesale CBDC application sample is built using Oracle Visual Builder Cloud Service. The package needs to be imported into Visual Builder to use it.

For more information on Visual Builder, see Visual Builder.

  1. Sign in to your Oracle Cloud Infrastructure account.
    Ensure you're in the correct compartment where you'll deploy the sample application.
  2. In the Console, click the Navigation menu in the top-left corner.
  3. Under Developer Services, select Visual Builder.
  4. In the Visual Builder interface, click Create Instance.
    1. Enter an instance name and choose the default network access or another option as needed.
    2. Click Create Visual Builder Instance.
Once Visual Builder is provisioned, you can explore Visual Builder Designer, which is the interface you'll use to interact with the wholesale CBDC sample app. See Tour the Designer.

Provision Autonomous Database

All account transaction data is stored in and fetched from the rich history database. To use the rich history database, you must create an Oracle Autonomous Database.

For additional information on the rich history database in Oracle Blockchain Platform, see Create the Rich History Database.

In generic mode, create one database instance that is linked to the system owner (central bank) instance of Oracle Blockchain Platform.

In confidential mode, which supports the confidential payments feature, each participating organization including the system owner must have a dedicated instance of Oracle Autonomous Database.

Additionally for confidential mode, the system owner database must have access to all participant transaction history. When the database view definitions script runs, it connects participant databases to the system owner database. Oracle Autonomous Database has a built-in restriction: by default, each database can connect to only three other databases. This affects the system owner in this scenario, because the system owner must be associated with all participant databases. The default configuration works if you have up to three participants. If you plan to add more than three participants (the application supports up to six), the setup script will fail unless this limit is increased.

Because of this limitation, when you provision the Oracle Autonomous Database for the system owner, if you want to use more than three participant organizations, raise a Service Request (SR) with Oracle Cloud Infrastructure (OCI) Support. Request an increase in the connection limit (OPEN_LINKS) for the system owner's Autonomous Database. After Oracle Support updates the limit, continue with the setup script.

  1. Sign in to your Oracle Cloud Infrastructure account.
    Ensure you're in the correct compartment where you'll deploy the sample application.
  2. In the Console, click the Navigation menu in the top-left corner. Select Oracle Database.
  3. Select Autonomous Data Warehouse, Autonomous JSON Database, or Autonomous Transaction Processing based on your workload.
  4. Click Create Autonomous Database.
    • Display Name: A user-friendly description (not unique).
    • Database Name: Must consist of letters and numbers only (maximum 30 characters).
    • Workload Type: Select Transaction Processing.
    • Deployment Type: Select the default Serverless.
    • Configure the database: Adjust the CPU and storage settings according to your requirements. The CBDC application works with the default values, so you do not need to change them.
    • Backup retention: Keep the default settings.
    • Network:
      • Access Type: Select Secure access from allowed IPs and VCNs only.
      • Access control list: Select CIDR block from the IP notation type, and enter the value 0.0.0.0/0.
      • Mutual TLS (mTLS) authentication: mTLS is not required.
  5. After you select the settings, click Create Autonomous Database.
    When the provisioning is complete, the Lifecycle State will be Available.
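
An added example, not part of the original page: a Python check of the access control list entered above. It flags entries such as 0.0.0.0/0 that admit every address and confirms that a narrower list would still admit the clients that need the database. The narrowed ranges and the client names and addresses are hypothetical, taken from documentation address ranges.

```python
import ipaddress

# The ACL value given on this page, plus constructed sample values (RFC 5737 ranges).
PAGE_ACL = ["0.0.0.0/0"]
NARROWED_ACL = ["192.0.2.0/28", "198.51.100.17"]   # hypothetical egress ranges
REQUIRED_CLIENTS = {                                # hypothetical client addresses
    "visual-builder": "192.0.2.5",
    "obp-system-owner": "198.51.100.17",
    "obp-bank1": "203.0.113.40",
}

def audit_acl(entries, max_addresses=65536):
    """Return (entry, severity, reason) for each entry that admits too much."""
    findings = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append((entry, "high", "admits every address"))
        elif net.num_addresses > max_addresses:
            findings.append((entry, "medium", f"admits {net.num_addresses} addresses"))
    return findings

def uncovered_clients(entries, clients):
    """Return the names of required clients that the ACL would block."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    blocked = []
    for name, addr in clients.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in nets if n.version == ip.version):
            blocked.append(name)
    return sorted(blocked)

if __name__ == "__main__":
    for label, acl in (("page ACL", PAGE_ACL), ("narrowed ACL", NARROWED_ACL)):
        print(label, "findings:", audit_acl(acl))
        print(label, "blocked clients:", uncovered_clients(acl, REQUIRED_CLIENTS))
```

Running it before changing an access control list shows which clients would lose access, here the one whose address is missing from the narrowed list.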

Provision Oracle Blockchain Platform Digital Assets Edition

You must have an Oracle Blockchain Platform Digital Assets Edition instance provisioned for the sample application to use.

You can create Oracle Blockchain Platform Digital Assets Edition instances with any name; however, the application supports one system owner (central bank) as the founder of the Oracle Blockchain Platform Digital Assets Edition network and six participant organizations (Bank1, Bank2, Bank3, Bank4, Bank5, and Bank6) as participant banks in the network.

To ensure proper configuration, you must update the details of the founder organization in the central bank section and the participant organizations in the banks section. It is essential to maintain a fixed order for the participant organizations: Bank1 corresponds to Participant 1, Bank2 to Participant 2, and so on. The same details must be used to update the respective bank details accordingly.

  1. Sign in to your Oracle Cloud Infrastructure account.
    Ensure that you're in the correct compartment where you'll deploy the sample application.
  2. In the Console, click the Navigation menu in the top-left corner.
  3. Under Developer Services, select Oracle Blockchain Platform.
  4. Click Create Oracle Blockchain Platform.
    1. Instance/Display Name: Must contain 1-15 characters, starting with an ASCII letter.
    2. Description: Enter an optional description for your instance.
    3. Platform Role: Choose Create a new network to create a founder organization. For a participant instance, choose Join an existing network.
    4. Platform Version: Choose Hyperledger Fabric v2.5.x.
    5. Edition: Select Digital Assets.
  5. Review your settings and click Create.
    The instance can take approximately 15 minutes to create. You'll receive notification when it's complete.

Create Users and User Groups with Oracle Identity Cloud Service

The CBDC application supports 11 personas, and the corresponding 11 application roles have already been created in the Visual Builder package. These roles are necessary to define the permissions and access levels for each persona in the application.

For a complete list of the roles and their operations, see Wholesale CBDC Application Workflow.

Application roles in Visual Builder are created to:

  • Define Access Levels: Each persona (for example, Central Bank Admin, Participant User) has specific permissions and access requirements in the application. Application roles ensure that users only see and interact with the features relevant to their role.
  • Enable Role-Based Access Control (RBAC): By mapping IDCS groups to these roles, you can control who has access to specific functionality in the application.
  • Simplify User Management: Instead of assigning permissions to individual users, you assign them to roles, and users inherit these permissions through their IDCS group membership.

Overview

The IDCS groups for one system owner and six participant organizations have already been mapped to these application roles in Visual Builder, so no further mapping setup is required. You only need to create the IDCS groups with the exact names listed in the table below and add users to them. When users are added to the groups, they automatically get the correct access to the application.

For additional information on creating IDCS groups and managing users, see: Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups.

Table 3-1 Application Roles and their IDCS Groups and Bank Names

| S No | Application Role | IDCS User Groups | Bank Name |
|------|------------------|------------------|-----------|
| 1 | SYSTEM_ADMINS | System_Admins | CentralBank |
| 2 | SYSTEM_AUDITORS | System_Auditors | CentralBank |
| 3 | SYSTEM_CREATORS | System_Creators | CentralBank |
| 4 | SYSTEM_MANAGERS | System_Managers | CentralBank |
| 5 | SYSTEM_ISSUERS | System_Issuers | CentralBank |
| 6 | SYSTEM_RETIRERS | System_Retirers | CentralBank |
| 7 | ORG_ADMINS | Org1_Admins (repeat this pattern for remaining participant orgs: <org>_Admins) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
| 8 | ORG_USERS | Org1_Users (repeat this pattern for remaining participant orgs: <org>_Users) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
| 9 | ORG_OFFICERS | Org1_Officers (repeat this pattern for remaining participant orgs: <org>_Officers) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
| 10 | ORG_MANAGERS | Org1_Managers (repeat this pattern for remaining participant orgs: <org>_Managers) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
| 11 | ORG_AUDITORS | Org1_Auditors (repeat this pattern for remaining participant orgs: <org>_Auditors) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |

When you map IDCS groups to an Oracle Blockchain Platform instance, use one combined IDCS group for all users of that instance instead of mapping multiple persona-specific groups individually. Using one combined group reduces the number of IDCS group membership checks run by the Oracle Blockchain Platform REST proxy, which can improve performance. If your deployment includes one system owner and six participant banks, create one combined SystemOwner group that contains all of the system owner personas, and create six combined participant groups (one per bank) that each contain all participant personas for that bank.

For best results, use the following IDCS group structure on each participant organization and the system owner.
  • Persona-specific IDCS groups: These groups align directly with the application roles in the Visual Builder package. These groups define role-based access for individual personas such as administrators, auditors, and managers.
  • One combined IDCS group: This group consolidates all personas for the organization, and is mapped to the corresponding Oracle Blockchain Platform instance.

All persona-specific IDCS group names must exactly match the application role names in the Visual Builder package. To use different names for IDCS groups, update the corresponding IDCS group mappings for the application roles in Visual Builder. For more information, see Manage User Roles and Access.

Create Groups

  1. Sign in to your Oracle Cloud Infrastructure account. Ensure you're in the correct compartment where you'll deploy the sample application.
  2. In the Console, click the Navigation menu in the top-left corner. Click Identity & Security. Under Identity select Domains.
  3. On the Domains page, click Oracle Identity Cloud Service to open the Domains Overview page.
  4. Click Groups. Click Create Group.
    • Name: Enter a unique name for the group (for example, System_Admins).
    • Description: Provide a brief description of the group's purpose.
    • To allow users to request access to this group, select the option User can request access.
    Click Finish.

Create Users and Assign Them to Groups

  1. On the Domains Overview page, click Users.
  2. Click Create User.
    • First Name: Enter the user's first name.
    • Last Name: Enter the user's last name.
    • User Name / Email: Enter a valid email address or user name for login.
    • Email: Enter the email address for communication and account activation.
  3. On the Assign Group page, you will see a list of existing groups.
  4. Select the checkbox next to each group that you want to assign this user to. Ensure you select the appropriate group that aligns with their role (for example, System_Admins).
  5. After selecting the desired groups, click Finish to complete user creation.

Verifying Users and Groups

  1. After creating groups and adding users, return to the Groups section in the IDCS Console.
  2. Verify that all created groups and added users are listed correctly.
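
Because access depends on the group names in Table 3-1 being created exactly, the verification step can be scripted. The following Python is an added example, not part of the original page or the Visual Builder package. It builds the expected persona-specific group names and compares them with a list of group names from the identity domain. The Org1..OrgN naming of the remaining participant orgs and the sample list are assumptions.

```python
# Persona-specific group names from Table 3-1.
SYSTEM_GROUPS = ["System_Admins", "System_Auditors", "System_Creators",
                 "System_Managers", "System_Issuers", "System_Retirers"]
ORG_SUFFIXES = ["Admins", "Users", "Officers", "Managers", "Auditors"]

# Constructed sample of group names as they might be listed in the identity domain.
SAMPLE_ACTUAL = [
    "System_Admins", "System_Auditors", "System_Creators", "System_Managers",
    "System_Issuers", "system_retirers",               # wrong case
    "Org1_Admins", "Org1_Users", "Org1_Officers",
    "Org1_Managers ",                                  # trailing space
    "Org1_Auditors", "Org2_Admins", "Org2-Users",      # hyphen instead of underscore
    "Org2_Officers", "Org2_Auditors",                  # Org2_Managers never created
    "SystemOwner",                                     # combined group, not in the table
]

def expected_groups(participants=6, org_prefix="Org"):
    """Assumption: participant orgs are named Org1..OrgN, extending the Org1_* pattern."""
    if not 1 <= participants <= 6:
        raise ValueError("the application supports up to six participant organizations")
    names = list(SYSTEM_GROUPS)
    for n in range(1, participants + 1):
        names += [f"{org_prefix}{n}_{suffix}" for suffix in ORG_SUFFIXES]
    return names

def _fold(name):
    # Collapse the differences that are easy to miss by eye in the console.
    return name.strip().casefold().replace("-", "_").replace(" ", "_")

def compare_groups(actual, participants=6):
    """Report expected names that are missing or only inexactly matched."""
    by_fold = {}
    for name in actual:
        by_fold.setdefault(_fold(name), []).append(name)
    report = {"missing": [], "near_miss": {}, "other": []}
    expected = expected_groups(participants)
    for name in expected:
        if name in actual:
            continue
        lookalikes = by_fold.get(_fold(name), [])
        if lookalikes:
            report["near_miss"][name] = lookalikes
        else:
            report["missing"].append(name)
    folded_expected = {_fold(e) for e in expected}
    report["other"] = [a for a in actual if _fold(a) not in folded_expected]
    return report

if __name__ == "__main__":
    print(compare_groups(SAMPLE_ACTUAL, participants=2))
```

A near-miss entry is a group that exists but would not match its role mapping. Groups listed under "other", such as a combined group mapped to an Oracle Blockchain Platform instance, are outside the table and are reported only for review.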