Add Organizations with Third-Party Certificates to the Network

This topic contains information about joining organizations using third-party certificates to an Oracle Blockchain Platform network.

Typical Workflow to Join an Organization with Third-Party Certificates to an Oracle Blockchain Platform Network

Here are the tasks that an organization with third-party certificates and the Oracle Blockchain Platform founder need to perform to join the organization to an Oracle Blockchain Platform network.

Organizations with certificates issued by a third-party certificate authority (CA) can join the Oracle Blockchain Platform network as participants. These participants are client-only organizations and have no peers or orderers. After joining the network, these participants can use an SDK or a Hyperledger Fabric command line interface (CLI) to start blockchain transactions on the network.

Task: Get the third-party certificates
Who does this: Third-party certificates (participant) organization
Description: Go to the third-party CA server and generate the required certificates files. Format the files as needed for import into the network.
More information: Third-Party Certificate Requirements

Task: Create the certificates file for import
Who does this: Third-party certificates (participant) organization
Description: Find the participant’s Admin and CA certificate information and use it to compose a JSON certificates file.
More information: Create an Organization's Third-Party Certificates File

Task: Upload a certificate file for the third-party (participant) organization
Who does this: Founder organization
Description: Use the console to upload and import the participant’s certificate file to add the participant to the network.
More information: Import Certificates to Add Organizations to the Network

Task: Export the ordering service settings from network founder and provide them to the third-party (participant) organization
Who does this: Founder organization
Description: Output the founder’s ordering services settings to a JSON file and send the file to the participant.

Open the ordering service settings file and find the ordering service’s address and port and give them to the participant. For example:

"orderingServiceNodes": [
{
  "address": "grpcs://example_address:7777"
  ...
}]

More information: Export Ordering Service Settings

Task: Create the channel
Who does this: Founder
Description: Create a new channel and add the participant to it.
More information: Create a Channel

Task: Install and instantiate the chaincode
Who does this: Founder
Description: In the founder’s instance, upload, install, and instantiate the chaincode. Choose the network peers to install the chaincode on.
More information: Use Quick Deployment

Task: Set up the third-party (participant) organization's environment
Who does this: Third-party certificates (participant) organization
Description: To query or invoke chaincodes, the participant must:
  • Add the founder's ordering service's address and port to the participant's environment.
  • Configure the environment to use Hyperledger Fabric CLI or SDKs.
  • Install the chaincode on peers.
More information: Prepare the Third-Party Environment to Use the Oracle Blockchain Platform Network

Third-Party Certificate Requirements

To successfully join the network, an organization must generate the required third-party certificates. The information in these certificates is used to create the organization's certificates file, which is then imported into the founder's instance.

Which Certificates Do Organizations Need to Provide?

You must generate the following certificates from your CA server:

  • Client Public Certificate
  • CA Root Certificate

What Are the Requirements for These Certificates?

The certificates must meet the following requirements:

  • When generating the private key, you must use the Elliptic Curve Digital Signature Algorithm (ECDSA). This algorithm is the only accepted algorithm for Fabric MSP keys.
  • The Subject Key Identifier (SKI) is mandatory and you must indicate it as x509 extensions in the extension file.
  • You must convert the key files from the .key to the .pem format.
  • You must convert the certificates from the .crt to the .pem format.

After confirming that you’ve outputted and updated the proper files, you can then create the certificates file for import into the Oracle Blockchain Platform network. See Create an Organization's Third-Party Certificates File.

Create an Organization's Third-Party Certificates File

To join an Oracle Blockchain Platform network, the organization must write a certificates file containing its admincert and cacert information. The network founder imports this file to add the organization to the network.

These organizations are client-only and have no peers or orderers. After joining the network, these organizations can use an SDK or a Hyperledger Fabric CLI to start blockchain transactions on the network.

Go to the certificates files that you generated from the CA Server to find the information that you need to create the certificates file. See Third-Party Certificate Requirements.

The certificates file must be written in JSON and contain the following fields:

  • mspID — Specifies the name of the organization.
  • type — Indicates that the organization is a network participant. This value must be Participant.
  • admincert — Contains the contents of the organization’s Admin certificates file. When you copy the certificates information into the JSON file, you must replace each new line with \n.
  • cacert — Contains the contents of the organization’s CA certificates file. When you copy the certificates information into the JSON file, you must replace each new line with \n.

This is how the file needs to be structured:

{
  "mspID": "examplemspID",
  "type": "Participant",
  "certs": {
    "admincert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n",
    "cacert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n"
  }
}
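
The following is an added example, not Oracle's tooling: it builds the certificates file from the two PEM files instead of hand-replacing newlines, and refuses input that contains a private key or lacks the EC key and Subject Key Identifier markers. The function names are hypothetical, the field names are taken from the structure shown above, the OID check is a byte-search heuristic rather than full X.509 validation, and the sample input is constructed bytes, not a real certificate.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
# DER encodings of the OIDs behind the stated requirements (heuristic byte search).
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # id-ecPublicKey
OID_SUBJECT_KEY_ID = bytes.fromhex("0603551d0e")         # subjectKeyIdentifier

def check_cert_pem(text, name):
    """Return normalized PEM text, or raise ValueError naming the problem."""
    text = text.replace("\r\n", "\n").strip() + "\n"
    blocks = PEM_RE.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError(f"{name}: contains a private key; keep it out of this file")
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError(f"{name}: expected exactly one CERTIFICATE block")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    if OID_EC_PUBLIC_KEY not in der:
        raise ValueError(f"{name}: public key is not an EC key")
    if OID_SUBJECT_KEY_ID not in der:
        raise ValueError(f"{name}: no Subject Key Identifier extension")
    return text

def build_certs_file(msp_id, admin_pem, ca_pem):
    """Build the import JSON; json.dumps writes each newline as \\n."""
    doc = {
        "mspID": msp_id,
        "type": "Participant",
        "certs": {
            "admincert": check_cert_pem(admin_pem, "admincert"),
            "cacert": check_cert_pem(ca_pem, "cacert"),
        },
    }
    return json.dumps(doc, indent=2)

def fake_pem(label, body):
    """Constructed test input: PEM framing around arbitrary bytes, CRLF line ends."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\r\n" + "\r\n".join(lines) + f"\r\n-----END {label}-----\r\n"

if __name__ == "__main__":
    body = b"\x30\x20" + OID_EC_PUBLIC_KEY + OID_SUBJECT_KEY_ID + b"\x00" * 40
    pem = fake_pem("CERTIFICATE", body)
    print(build_certs_file("examplemspID", pem, pem))
```

With real files, pass the contents of the admin and CA `.pem` files to `build_certs_file` and write the returned string to the file you send to the founder.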
    

Prepare the Third-Party Environment to Use the Oracle Blockchain Platform Network

You must set up the third-party organization's environment before it can use the Oracle Blockchain Platform network.

Confirm that the following prerequisite tasks were completed. For information, see Typical Workflow to Join an Organization with Third-Party Certificates to an Oracle Blockchain Platform Network.

  • The third-party organization’s certificate file was created and sent to the Oracle Blockchain Platform network founder.
  • The network founder uploaded the certificates file to add the third-party organization to the network.
  • The network founder exported the orderer service's settings and gave the service's address and port to the third-party organization and the organization added them to the environment.
  • The network founder created a new channel and added the third-party organization to it.
  • The network founder installed and instantiated the chaincode.

Set Up the Organization's Environment

Before the third-party organization can successfully use the Oracle Blockchain Platform network, it must set up its environment to use Hyperledger Fabric CLI or SDKs. See Welcome to Hyperledger Fabric.

Install the Chaincode

The third-party organization must install the chaincode on the peers. These peers must then be joined to the channel so that the chaincode can be invoked.

Instantiate the Chaincode

If needed, the third-party organizations can instantiate the chaincode on the channel. For example:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/Admin@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"

### gets channel name from input ###
CHANNEL_NAME=$1

# peer_host and port are expected to be set in the calling environment
echo "######### going to instantiate chaincode on channel ${CHANNEL_NAME} ##########"
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode instantiate \
  -o ${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile ./tls-ca.pem \
  -C ${CHANNEL_NAME} -n obcs-example02 -v v0 -c '{"Args":["init","a","100","b","200"]}'

Invoke the Chaincode

Third-party organizations use the Hyperledger Fabric CLI or SDKs to invoke the chaincode. For example:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/User1@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"

### gets channel name from input; the second argument is the chaincode name ###
CHANNEL_NAME=$1

#### do query or invoke on chaincode ####
# peer_host and port are expected to be set in the calling environment

CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode query \
  -C ${CHANNEL_NAME} -n $2 -c '{"Args":["query","a"]}'

CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode invoke \
  -o ${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile ./tls-ca.pem \
  -C ${CHANNEL_NAME} -n $2 -c '{"Args":["invoke","a","b","10"]}'