Add Organizations with Third-Party Certificates to the Network
This topic contains information about joining organizations using third-party certificates to an Oracle Blockchain Platform network.
Typical Workflow to Join an Organization with Third-Party Certificates to an Oracle Blockchain Platform Network
Here are the tasks that an organization with third-party certificates and the Oracle Blockchain Platform founder need to perform to join the organization to an Oracle Blockchain Platform network.
Organizations with certificates issued by a third-party certificate authority (CA) can join the Oracle Blockchain Platform network as participants. These participants are client-only organizations and have no peers or orderers. After joining the network, these participants can use an SDK or a Hyperledger Fabric command line interface (CLI) to start blockchain transactions on the network.
Task | Who Does This? | Description | More Information |
---|---|---|---|
Get the third-party certificates | Third-party certificates (participant) organization | Go to the third-party CA server and generate the required certificates files. Format the files as needed for import into the network. | Third-Party Certificate Requirements |
Create the certificates file for import | Third-party certificates (participant) organization | Find the participant’s Admin and CA certificate information and use it to compose a JSON certificates file. | Create an Organization's Third-Party Certificates File |
Upload a certificate file for the third-party (participant) organization | Founder organization | Use the console to upload and import the participant’s certificate file to add the participant to the network. | Import Certificates to Add Organizations to the Network |
Export the ordering service settings from network founder and provide them to the third-party (participant) organization | Founder organization | Output the founder’s ordering services settings to a JSON file and send the file to the participant. Open the ordering service settings file and find the ordering service’s address and port and give them to the participant. For example: | Export Ordering Service Settings |
Create the channel | Founder | Create a new channel and add the participant to it. | Create a Channel |
Install and instantiate the chaincode | Founder | In the founder’s instance, upload, install, and instantiate the chaincode. Choose the network peers to install the chaincode on. | Use Quick Deployment |
Set up the third-party (participant) organization's environment | Third-party certificates (participant) organization | To query or invoke chaincodes, the participant must: | Prepare the Third-Party Environment to Use the Oracle Blockchain Platform Network |
Third-Party Certificate Requirements
To successfully join the network, an organization must generate the required third-party certificates. The information in these certificates is used to create the organization's certificates file, which is then imported into the founder's instance.
Which Certificates Do Organizations Need to Provide?
You must generate the following certificates from your CA server:
- Client Public Certificate
- CA Root Certificate
What Are the Requirements for These Certificates?
The certificates must meet the following requirements:
- When generating the private key, you must use the Elliptic Curve Digital Signature Algorithm (ECDSA). This algorithm is the only accepted algorithm for Fabric MSP keys.
- The Subject Key Identifier (SKI) is mandatory, and you must specify it as an X.509 extension in the extension file.
- You must convert the key files from the .key to the .pem format.
- You must convert the certificates from the .crt to the .pem format.
After confirming that you’ve outputted and updated the proper files, you can then create the certificates file for import into the Oracle Blockchain Platform network. See Create an Organization's Third-Party Certificates File.
Create an Organization's Third-Party Certificates File
To join an Oracle Blockchain Platform network, the organization must write a certificates file containing its admincert and cacert information. The network founder imports this file to add the organization to the network.
These organizations are client-only and have no peers or orderers. After joining the network, these organizations can use an SDK or a Hyperledger Fabric CLI to start blockchain transactions on the network.
Go to the certificates files that you generated from the CA Server to find the information that you need to create the certificates file. See Third-Party Certificate Requirements.
The certificates file must be written in JSON and contain the following fields:
- mspid — Specifies the name of the organization.
- type — Indicates that the organization is a network participant. This value must be Participant.
- admincert — Contains the contents of the organization’s Admin certificates file. When you copy the certificates information into the JSON file, you must replace each new line with \n.
- cacert — Contains the contents of the organization’s CA certificates file. When you copy the certificates information into the JSON file, you must replace each new line with \n.
```json
{
  "mspID": "examplemspID",
  "type": "Participant",
  "certs": {
    "admincert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n",
    "cacert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n"
  }
}
```
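Replacing line breaks by hand is error-prone, so the following added example (not Oracle's code) assembles the certificates file in the layout of the sample above from two PEM files. The file names, the MSP ID character check, and the refusal of files that contain private-key material are assumptions of this example; the sample certificates are constructed placeholders.

```sh
#!/bin/sh
# Added example: build the certificates file in the layout of the sample above.
# File names and the MSP ID character check are assumptions of this example.

# Print one PEM certificate as a JSON string body: CRs stripped, line ends -> \n.
pem_to_json_string() {
  # Exactly one certificate block, so chains or empty files are caught early.
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ] || return 1
  [ "$(grep -c -e '-----END CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ] || return 1
  # This file leaves the organization: refuse anything carrying a private key.
  if grep -q 'PRIVATE KEY-----' "$1"; then return 1; fi
  # Keep only the lines between the markers; text outside them (for example
  # "subject=" headers) could contain quotes that would break the JSON.
  tr -d '\r' < "$1" | awk '
    /-----BEGIN CERTIFICATE-----/ { p = 1 }
    p && NF { printf "%s\\n", $0 }
    /-----END CERTIFICATE-----/ { p = 0 }'
}

# usage: make_certs_json MSPID ADMINCERT.pem CACERT.pem
make_certs_json() {
  # Assumed conservative MSP ID charset, so the value needs no JSON escaping.
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  admin=$(pem_to_json_string "$2") || return 1
  ca=$(pem_to_json_string "$3") || return 1
  printf '{\n  "mspID": "%s",\n  "type": "Participant",\n  "certs": {\n' "$1"
  printf '    "admincert": "%s",\n    "cacert": "%s"\n  }\n}\n' "$admin" "$ca"
}

# Constructed sample input: placeholder base64, CRLF line endings in the first
# file and a text header before the certificate in the second.
demo=$(mktemp -d)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'ZXhhbXBsZQ==' \
  '-----END CERTIFICATE-----' > "$demo/admin.pem"
printf '%s\n' 'subject=CN = "example"' '-----BEGIN CERTIFICATE-----' \
  'ZXhhbXBsZQ==' '-----END CERTIFICATE-----' > "$demo/ca.pem"
make_certs_json examplemspID "$demo/admin.pem" "$demo/ca.pem"
rm -rf "$demo"
```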
Prepare the Third-Party Environment to Use the Oracle Blockchain Platform Network
You must set up the third-party organization's environment before it can use the Oracle Blockchain Platform network.
Confirm that the following prerequisite tasks were completed. For information, see Typical Workflow to Join an Organization with Third-Party Certificates to an Oracle Blockchain Platform Network.
- The third-party organization’s certificate file was created and sent to the Oracle Blockchain Platform network founder.
- The network founder uploaded the certificates file to add the third-party organization to the network.
- The network founder exported the orderer service's settings and gave the service's address and port to the third-party organization, and the organization added them to the environment.
- The network founder created a new channel and added the third-party organization to it.
- The network founder installed and instantiated the chaincode.
Set Up the Organization's Environment
Before the third-party organization can successfully use the Oracle Blockchain Platform network, it must set up its environment to use Hyperledger Fabric CLI or SDKs. See Welcome to Hyperledger Fabric.
Install the Chaincode
The third-party organization must install the chaincode on the peers. These peers must then be joined to the channel so that the chaincode can be invoked.
Instantiate the Chaincode
If needed, the third-party organizations can instantiate the chaincode on the channel. For example:
```sh
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/Admin@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"
### gets channel name from input ###
CHANNEL_NAME=$1
echo "######### going to instantiate chaincode on channel ${CHANNEL_NAME} ##########"
# peer_host and port are placeholders; set them before running.
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode instantiate \
  -o ${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile ./tls-ca.pem \
  -C ${CHANNEL_NAME} -n obcs-example02 -v v0 -c '{"Args":["init","a","100","b","200"]}'
```
Invoke the Chaincode
Third-party organizations use the Hyperledger Fabric CLI or SDKs to invoke the chaincode. For example:
```sh
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/User1@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"
### gets channel name from input ###
CHANNEL_NAME=$1
#### do query or invoke on chaincode ####
# $2 is the chaincode name; peer_host and port are placeholders to set before running.
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode query \
  -C ${CHANNEL_NAME} -n $2 -c '{"Args":["query","a"]}'
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode invoke \
  -o ${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile ./tls-ca.pem \
  -C ${CHANNEL_NAME} -n $2 -c '{"Args":["invoke","a","b","10"]}'
```