4 User Management
Configure an Authentication Server
An LDAP server is included with Oracle Blockchain Platform Enterprise Edition, or you can integrate your own authentication server. The following authentication servers are supported:
- OpenLDAP 2.4.44 or later
- Oracle Internet Directory 12.2.1.4.0 or later
- Oracle Unified Directory 12.2.1.4.0 or later
- Microsoft Active Directory Windows Server 2016 or later with a single domain
Each instance within a Blockchain Platform Manager uses the same authentication server. You can create multiple Blockchain Platform Manager instances, and each one can use a different authentication server or share an authentication server.
Lifecycle of Identity Resources within Oracle Blockchain Platform
When you provision an instance through Blockchain Platform Manager, it deploys the embedded LDAP server (if you're not providing your own), and creates the LDAP groups OBP_<platform-name>_<instance-name>_xxxx.
When you delete an instance, Blockchain Platform Manager removes all the LDAP assets such as the LDAP groups from an LDAP server you have provided.
Configure the Built-In LDAP Server
The built-in LDAP server has a default configuration already set up when you log in. You can use it for testing, or modify the configuration to meet your needs.
- Open the Configuration tab.
- Click Add New.
- Enter the configuration information for the LDAP server:
- Click Test Configuration to ensure your settings work. The test results show if the configuration was successful.
- Click Save. Your configuration is now available to be used by any instances you provision.
Once you've selected your LDAP configuration in the Active LDAP Configuration field, log out of Blockchain Platform Manager with your administrative ID and log back in with a user ID that exists in the LDAP server, as described in Add Users to Your LDAP Server Using a Script or Add Users to Your LDAP Server Using Blockchain Platform Manager.
Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.
Add Users to Your LDAP Server Using a Script
Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server to create an instance.
- Log into the VM instance as a Unix user. The initial user name and password are oracle and Welcome1. You'll be prompted to change the password immediately.
- Change directories to /u01/blockchain/ldap/environment and run the adduser.sh script:
Ensure that you've logged out of Blockchain Platform Manager, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.
Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.
Add Users to Your LDAP Server Using Blockchain Platform Manager
Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server, and then log back into Blockchain Platform Manager with one of these users to create an instance.
Once you've created your LDAP configuration, you need to add your initial user to the LDAP server. On the Authentication Server Configuration page of Blockchain Platform Manager, click Add User. Once you've entered the user name and password, this user is added to the LDAP server as an administrative user.
Ensure that you've logged out of Blockchain Platform Manager with your administrative ID, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.
Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.
Configure an External OpenLDAP, Oracle Unified Directory, or Oracle Internet Directory LDAP Server
If you don't want to use the LDAP server provided with the product, you must have installed your own OpenLDAP (2.4.44 or later), Oracle Unified Directory, or Oracle Internet Directory (12.2.1.4.0 or later) server before completing this configuration step.
- An external LDAP server should be installed for any production environment. It should be protected by TLS; self-signed certificates should be used for internal testing only. If you are using self-signed certificates, complete these steps before configuring the LDAP server through Blockchain Platform Manager:
  - Generate a root CA key/certificate pair.
  - Generate a server key/certificate pair signed using the root CA pair.
  - When configuring the server in Blockchain Platform Manager you will need to upload the root CA certificate.
- Open the Configuration tab.
- Click Add New.
- Enter the configuration information for the LDAP server:
- Click Test Configuration to ensure your settings work. The test results show if the configuration was successful.
- Click Save. Your configuration is now available to be used by any instances you provision.
After you've selected your LDAP configuration in the Authentication Servers field, log out of Blockchain Platform Manager with your administrative ID and log in with a user ID that exists in the LDAP server, as described in Add Users to an External LDAP Server.
Add Users to an External LDAP Server
Once you've configured your LDAP server in Blockchain Platform Manager, you need to add users to the LDAP server to create an instance.
- Create your administrative user if one doesn't already exist.
- Create the OBP_<platform name>_CP_ADMIN group if it doesn't exist.
- Add the user as a member of the OBP_<platform name>_CP_ADMIN group.
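The three steps above, as an added example that is not part of the Oracle documentation: a script that produces the LDIF for the administrative user and the OBP_<platform name>_CP_ADMIN group, loads it over TLS, and queries the result. The object classes (inetOrgPerson, groupOfNames), the ou=people/ou=groups layout, the hostnames, DNs and the platform name are assumptions chosen for the example; the page does not specify them, so match them to your own directory's schema.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: produce and load the
# LDIF that creates the initial administrator and the OBP_<platform name>_CP_ADMIN
# group on an external OpenLDAP-style directory.
#
# Assumptions (the page does not specify them): users are inetOrgPerson entries
# under ou=people, groups are groupOfNames entries under ou=groups, and the
# directory accepts a pre-hashed userPassword (e.g. from `slappasswd`).
# Hostnames, DNs and the platform name are placeholders.

# obp_cp_admin_ldif PLATFORM BASE_DN UID GIVEN_NAME SURNAME PASSWORD_HASH
# Prints an LDIF that adds the user and the control-plane admin group with the
# user as its only member. The group is keyed by platform name alone; it is
# not instance-scoped like OBP_<platform>_<instance>_ADMIN.
obp_cp_admin_ldif() {
    platform=$1; base=$2; uid=$3; given=$4; sn=$5; pwhash=$6
    user_dn="uid=${uid},ou=people,${base}"
    group_cn="OBP_${platform}_CP_ADMIN"
    cat <<EOF
dn: ${user_dn}
objectClass: inetOrgPerson
uid: ${uid}
cn: ${given} ${sn}
sn: ${sn}
givenName: ${given}
userPassword: ${pwhash}

dn: cn=${group_cn},ou=groups,${base}
objectClass: groupOfNames
cn: ${group_cn}
member: ${user_dn}
EOF
}

# obp_cp_admin_member_ldif PLATFORM BASE_DN UID
# Variant for when OBP_<platform>_CP_ADMIN already exists: a second "add" of
# the group entry would be rejected, so only append the user to its members.
obp_cp_admin_member_ldif() {
    cat <<EOF
dn: cn=OBP_${1}_CP_ADMIN,ou=groups,${2}
changetype: modify
add: member
member: uid=${3},ou=people,${2}
EOF
}

# obp_apply_ldif LDAP_URL BIND_DN LDIF_FILE
# ldapmodify -a behaves like ldapadd but honours explicit changetype lines,
# so the same function loads either LDIF above. Use an ldaps:// URL (or -ZZ
# with ldap://) so the bind password and the new userPassword never cross the
# wire in clear; the server certificate's CA must be trusted via TLS_CACERT
# in ldap.conf.
obp_apply_ldif() {
    ldapmodify -a -H "$1" -D "$2" -W -f "$3"
}

# obp_show_cp_admins LDAP_URL BIND_DN BASE_DN PLATFORM
# Verification query: list the members of OBP_<platform>_CP_ADMIN after loading.
obp_show_cp_admins() {
    ldapsearch -LLL -H "$1" -D "$2" -W -b "ou=groups,${3}" "(cn=OBP_${4}_CP_ADMIN)" member
}

# Usage (review the LDIF before loading it):
#   obp_cp_admin_ldif demo "dc=example,dc=com" alice Alice Smith "$(slappasswd)" > cp_admin.ldif
#   obp_apply_ldif ldaps://ldap.example.internal "cn=admin,dc=example,dc=com" cp_admin.ldif
#   obp_show_cp_admins ldaps://ldap.example.internal "cn=admin,dc=example,dc=com" "dc=example,dc=com" demo
```

Review the generated LDIF before loading it: the only entry that should grant control-plane rights is the OBP_<platform name>_CP_ADMIN group, and its member list is what Blockchain Platform Manager consults at login.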
Ensure that you've logged out of Blockchain Platform Manager, and then log in using this user ID and password. You can now provision an Oracle Blockchain Platform instance.
Once you've successfully logged into Blockchain Platform Manager with this user ID and provisioned an instance, you may want to disable the default user ID (obpadmin) for security reasons. This can be done from the Configuration page Platform Settings tab.
Configure an External Microsoft Active Directory Authentication Server
If you don't want to use the LDAP server provided with the product, you must have installed your own Microsoft Active Directory Windows Server 2016 or later with a single domain before completing this configuration step.
- An external authentication server should be installed for any production environment. It should be protected by TLS with CA-issued certificates; self-signed certificates should be used for internal testing only. If you are using self-signed certificates, complete these steps before configuring the authentication server through Blockchain Platform Manager:
  - Generate a root CA key/certificate pair.
  - Generate a server key/certificate pair signed using the root CA pair.
- All necessary user groups should be created in Microsoft Active Directory before configuring it as the authentication server for Blockchain Platform. During the configuration process you will map these groups to pre-existing Blockchain Platform groups in order to control user access and capabilities. For a complete list of Blockchain Platform groups and their roles see: User Groups and Roles.
After you've selected your authentication server configuration in the Authentication Servers field, log out of Blockchain Platform Manager with your administrative ID and log in with a user ID that exists in Active Directory and is a member of the Blockchain Platform Manager Users group.
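The self-signed certificate steps are the same for the external OpenLDAP/Oracle Unified Directory/Oracle Internet Directory server above and for Active Directory here, so one added example covers both. The script below is not part of the Oracle documentation: it generates a test-only root CA, signs a server certificate for the directory host with it, and verifies the result the way a TLS client would. The output directory, hostname, validity periods and extension choices are assumptions made for the example; ca.crt is the file you upload to Blockchain Platform Manager.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: create a test-only root
# CA and a server certificate signed by it, as the self-signed-certificate
# steps require before an external LDAP or Active Directory server is
# configured. ca.crt is the file uploaded to Blockchain Platform Manager.
# The output directory, hostname and validity periods are placeholders.
# Production directories should use certificates from your organisation's CA.

# make_test_pki OUT_DIR LDAP_HOST
# Writes ca.key, ca.crt, server.key, server.crt into OUT_DIR.
make_test_pki() (
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    umask 077   # private keys are never group/world readable

    # 1. Root CA key and self-signed certificate. Extensions come from an
    #    explicit file rather than the system openssl.cnf, so the CA is
    #    marked CA:TRUE and its key is restricted to signing certs and CRLs.
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -subj "/CN=OBP test root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" || return 1
    cat >"$dir/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" || return 1

    # 2. Server key and CSR for the directory host.
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" || return 1

    # 3. Leaf extensions: the SAN must be the name clients connect to (modern
    #    TLS clients ignore the CN), and the leaf must not itself be a CA.
    cat >"$dir/server.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF

    # 4. Sign the server CSR with the root CA.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" || return 1
    chmod 644 "$dir/ca.crt" "$dir/server.crt"
)

# verify_test_pki OUT_DIR LDAP_HOST
# Succeeds only if server.crt chains to ca.crt, names LDAP_HOST in its SAN,
# and is not itself a CA: the checks an LDAP client makes before binding.
verify_test_pki() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    ! openssl x509 -in "$dir/server.crt" -noout -text | grep -q "CA:TRUE"
}

# Stand-alone usage: sh this_script.sh ./obp-test-pki ldap.example.internal
if [ "$#" -eq 2 ]; then
    make_test_pki "$1" "$2" && verify_test_pki "$1" "$2" &&
        echo "ok: upload $1/ca.crt to Blockchain Platform Manager"
fi
```

Install server.key and server.crt on the directory server, keep ca.key offline, and upload only ca.crt. The hostname passed in must be exactly the name Blockchain Platform Manager will use to reach the directory, or the SAN check fails at connection time.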
User Groups and Roles
This overview describes the groups and roles that are relevant to Oracle Blockchain Platform. Anyone who uses or administers Oracle Blockchain Platform must be added to the authentication server and granted the correct group.
Groups
Below are the group roles that are available for Oracle Blockchain Platform.
User Role | LDAP Group Name in OpenLDAP/Oracle Internet Directory/Oracle Unified Directory | Microsoft Active Directory Group Name | Description |
---|---|---|---|
Application | OBP_<platform-name>_<instance-name> | Not applicable | Security identifier for an individual instance. |
Control Plane management | OBP_<platform-name>_CP_ADMIN | Blockchain Platform Manager Users | Users can provision a new Oracle Blockchain Platform instance, configure existing instances, set the LDAP configuration, and perform life cycle operations on Oracle Blockchain Platform instances. A user must be a member of this group to be able to log in to the Blockchain Platform Manager or create an instance. |
CA Administrator | OBP_<platform-name>_<instance-name>_CA_ADMIN | CA Administrators | The CA Admin group is the bootstrap and overall administrator for the Oracle Blockchain Platform application. Users must be part of this group to create an instance. |
Instance Administrator | OBP_<platform-name>_<instance-name>_ADMIN | Blockchain Instance Admins | Users in this group can manage instances via the console UI or REST. Users must be part of this group to create an instance. See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
Instance User | OBP_<platform-name>_<instance-name>_USER | Blockchain Instance Users | Users in this group can view the instance via the console UI or REST. See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
REST Proxy Client | OBP_<platform-name>_<instance-name>_REST | Rest Proxy Client Users | Users in this group can call the REST proxy to execute transactions using the default enrollment. |
Custom REST Client | OBP_<platform-name>_<instance-name>_REST_<custom-enrollment> | <Rest Proxy Client Users group name>_<custom enrollment name> | Users in this group can call the REST proxy to execute transactions using a custom enrollment. |
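The group naming convention in the table is what an auditor works from when reviewing who holds which Oracle Blockchain Platform role. The following added example, not part of the Oracle documentation, classifies group names into those roles and then lists the privileged holders from ldapsearch output. The sample directory output is constructed for the example; the memberOf attribute, the sample DNs and the assumption that platform and instance names contain no underscores are the example's own, and the Active Directory names are only the defaults from the table (deployments map their own AD groups during configuration).

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: classify directory
# group names into the Oracle Blockchain Platform roles from the table above,
# then audit which accounts hold privileged roles from ldapsearch output.
# The sample directory output below is constructed for this example.
# Assumption: memberOf is available (native in Active Directory; on OpenLDAP it
# needs the memberof overlay). The Active Directory names are the defaults from
# the table; real deployments map their own AD groups during configuration.

# obp_role_for_group GROUP_NAME -> prints the role name, or "unknown".
# Order matters: *_CA_ADMIN and *_CP_ADMIN must be tested before *_ADMIN, or
# they would be misclassified as Instance Administrator; *_REST must be
# tested before *_REST_* so a custom enrollment is not mistaken for default.
# Caveat: the scheme delimits with "_", so a platform or instance name that
# contains "_" can collide with a role suffix (an instance called "x_CA"
# yields OBP_<platform>_x_CA_ADMIN). Avoid underscores in those names.
obp_role_for_group() {
    case $1 in
        OBP_*_*_CA_ADMIN) echo "CA Administrator" ;;
        OBP_*_CP_ADMIN)   echo "Control Plane management" ;;
        OBP_*_*_ADMIN)    echo "Instance Administrator" ;;
        OBP_*_*_USER)     echo "Instance User" ;;
        OBP_*_*_REST)     echo "REST Proxy Client" ;;
        OBP_*_*_REST_*)   echo "Custom REST Client" ;;
        OBP_*_*)          echo "Application" ;;
        "Blockchain Platform Manager Users") echo "Control Plane management" ;;
        "CA Administrators")                 echo "CA Administrator" ;;
        "Blockchain Instance Admins")        echo "Instance Administrator" ;;
        "Blockchain Instance Users")         echo "Instance User" ;;
        "Rest Proxy Client Users")           echo "REST Proxy Client" ;;
        "Rest Proxy Client Users_"*)         echo "Custom REST Client" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Constructed sample of: ldapsearch -LLL -b ou=people,dc=example,dc=com memberOf
SAMPLE_MEMBEROF='dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=OBP_demo_CP_ADMIN,ou=groups,dc=example,dc=com
memberOf: cn=OBP_demo_prod_CA_ADMIN,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
memberOf: cn=OBP_demo_prod_USER,ou=groups,dc=example,dc=com
memberOf: cn=OBP_demo_prod_REST_auditor,ou=groups,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
memberOf: cn=OBP_demo_prod_ADMIN,ou=groups,dc=example,dc=com
memberOf: cn=developers,ou=groups,dc=example,dc=com'

# obp_audit_memberof < ldapsearch-output
# Prints one "uid<TAB>role<TAB>group" line per membership.
obp_audit_memberof() {
    awk '
        /^dn: uid=/      { uid = $2; sub(/^uid=/, "", uid); sub(/,.*/, "", uid) }
        /^memberOf: cn=/ { g = $2; sub(/^cn=/, "", g); sub(/,.*/, "", g); print uid "\t" g }
    ' | while IFS="$(printf '\t')" read -r uid group; do
        printf '%s\t%s\t%s\n' "$uid" "$(obp_role_for_group "$group")" "$group"
    done
}

# obp_privileged_holders < ldapsearch-output
# Accounts that can administer the control plane or act as CA administrator:
# the list to review in any access recertification.
obp_privileged_holders() {
    obp_audit_memberof | awk -F'\t' '$2 == "Control Plane management" || $2 == "CA Administrator" { print $1 }' | sort -u
}

# Usage: printf '%s\n' "$SAMPLE_MEMBEROF" | obp_privileged_holders
```

Run the audit against a fresh ldapsearch of ou=people (or the equivalent Active Directory query) rather than a cached export, since Blockchain Platform Manager evaluates group membership at login time.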
Access Control List for Console Function by User Roles
The following table lists which console features are available to the Instance Administrator and Instance User roles.
Feature | Instance Administrator | Instance User |
---|---|---|
Dashboard | Yes | Yes |
Network: list orgs | Yes | Yes |
Network: add orgs | Yes | No |
Network: Ordering service setting | Yes | No |
Network: Export certificates | Yes | No |
Network: Export orderer settings | Yes | Yes |
Node: list | Yes | Yes |
Node: start/stop/restart | Yes | No |
Node: view attributes | Yes | Yes |
Node: edit attributes | Yes | No |
Node: view metrics | Yes | Yes |
Node: Export/Import Peers | Yes | No |
Peer Node: list channels | Yes | Yes |
Peer Node: join channel | Yes | No |
Peer Node: list chaincode | Yes | Yes |
Channel: list | Yes | Yes |
Channel: create | Yes | No |
Channel: add org to channel | Yes | No |
Channel: Update ordering service settings | Yes | No |
Channel: view/query ledger | Yes | Yes |
Channel: list instantiated chaincode | Yes | Yes |
Channel: list joined peers | Yes | Yes |
Channel: set anchor peer | Yes | No |
Channel: upgrade chaincode | Yes | No |
Chaincode: list | Yes | Yes |
Chaincode: install | Yes | No |
Chaincode: instantiate | Yes | No |
Sample chaincode: install | Yes | No |
Sample chaincode: instantiate | Yes | No |
Sample chaincode: invoke | Yes | Yes |
CRL | Yes | No |