3 Install Your Oracle Blockchain Platform Instance
Deploy Your Virtual Machine
Load Oracle Blockchain Platform Enterprise Edition on your Virtual Machine Hosting Software
- On the Oracle Blockchain Platform Enterprise Edition page, click Download and follow the steps to download the Oracle Blockchain Platform Enterprise Edition package. Extract the OVA image, obpee_21_1_2.ova, from the downloaded archive file.
- Import the VM into your virtual machine hosting software. For example, on Oracle VirtualBox, complete the following steps. For information about using VMWare ESXi, see Load Oracle Blockchain Platform Enterprise Edition on VMWare ESXi.
- Select File then Import Appliance, and browse to the directory where the OVA has been extracted.
- On the Appliance settings page, you may check Reinitialize the MAC address of all network cards if you plan on running more than 1 VM in your setup. You can create multiple VMs by either importing the appliance multiple times, or cloning the VM immediately after it's imported. Click Import.
- After a few minutes, the VM will be displayed in the list of machines in VirtualBox Manager. Right-click on the VM and select Settings:
- Under System on the Motherboard tab, select Hardware Clock in UTC Time to ensure the guest VM and the host's clocks are consistent in terms of timezones.
- Under Network on the Adapter tab connected to the network you want the VM to be on, ensure Enable Network Adapter is selected, and select Bridged Adapter.
The VM is now ready to be used.
Load Oracle Blockchain Platform Enterprise Edition on VMWare ESXi
- In the VMWare ESXi navigator, select the Virtual Machines page, and then click Create / Register VM.
- Under Select creation type, select Deploy a virtual machine from an OVF or OVA file and then click Next.
- Enter a name for the virtual machine and select the blockchain package (OVA file) that you downloaded and then click Next.
- Accept the default values and click Next for the remaining pages.
- Click Finish, and then wait for the VM to be provisioned.
- Once the VM is running, open a console to the VM and log in using the default user name oracle and the default password Welcome1. You'll be prompted to change the password. After you change the password, log in again using the new password.
- To enable DHCP to obtain an IP address, use the sudo command to change to the root account and then complete the following steps:
  - Copy the file /etc/sysconfig/network-scripts/ifcfg-enp0s3 to a new file in the same directory called ifcfg-ens160.
  - Edit the ifcfg-ens160 file to change the adapter name from enp0s3 to ens160.
- Power off the VM.
- Change the network adapter type from E1000 to VMXNET 3.
- Power on the VM.
The VM is now ready to be used.
Expand the Available Space for the Ledger
Because the ledger and logs for Oracle Blockchain Platform are persistent, you need to expand the root volume to ensure you don't run out of space.
- Add a hard disk for the SCSI controller. In VirtualBox click Settings then select Storage. Add a new hard disk. The recommended file type is VHD (Virtual Hard Disk); select either fixed or extensible mode.
- Create the logical volume partition:
sudo fdisk -c -u /dev/sdb
Enter the following subcommands sequentially:
n     Create new partition
p     Choose primary partition (press p)
1     Choose 1 for the primary partition; after this, press the return key twice for max allocation
t     Change the type
8e    Change the partition type to Linux LVM
p     Print the partition
w     Write the changes
- Create the new physical volume:
sudo pvcreate /dev/sdb1
- Restart the system.
- Verify the physical volume:
sudo pvs
PV         VG   Fmt  Attr PSize    PFree
/dev/sda2  vg00 lvm2 a--  96.66g   <25.41g
/dev/sdb1  vg00 lvm2 a--  <200.00g <200.00g
- Add /dev/sdb1 to vg00 to extend the size to get more space for expanding the logical volume:
sudo vgextend vg00 /dev/sdb1
- Check the size of the volume group:
sudo vgs
VG   #PV #LV #SN Attr VSize    VFree
vg00   2   5   0 wz-n <296.66g 225.40g
In this example, 225.4 GB are free.
- Extend the size of the logical volume:
lvextend /dev/vg00/root -L+24G
where 24G is the size by which you're extending the logical volume, which can be modified as needed. To determine the maximum space it can be extended to, use the vgdisplay command to check the value for the Free PE / Size.
- After extending, resize the file system:
sudo resize2fs /dev/vg00/root
- Check the logical volume:
df -h /dev/vg00/root
/dev/mapper/vg00-root 194G 18G 169G 10% /
Start Oracle Blockchain Platform
Once your network and system settings are configured, start the VM by selecting it and clicking Start. It should start within a minute.
Once the VM has started, hit the Enter key to get a login prompt.
Update Your Docker Root CA Certificate
The Docker root CA certificates included with Oracle Blockchain Platform Enterprise Edition must be updated on each of the Oracle Blockchain Platform Enterprise Edition virtual machines.
Update Your OpenLDAP and Blockchain Platform Manager Certificates
The OpenLDAP and Blockchain Platform Manager certificates that are included with Oracle Blockchain Platform Enterprise Edition must be updated on each of the Oracle Blockchain Platform Enterprise Edition virtual machines.
Before you update the OpenLDAP and Blockchain Platform Manager certificates, update the Docker root CA certificate. The following script relies on artifacts that are created when you update the Docker root CA certificate.
To update the OpenLDAP and Blockchain Platform Manager certificates, run the following script from a command prompt:
#!/bin/bash
echo "OBPEE 21.1.2 Cert provisioning script"
newRootCACertPath='/u01/renewCerts/docker-certs/rootCA.crt'
newRootCAKeyPath='/u01/renewCerts/docker-certs/rootCA.key'
cpRootCACert='/u01/blockchain/cp/certs/rootCA.crt'
cpRootCAKey='/u01/blockchain/cp/certs/rootCA.key'
registryRootCACert='/u01/blockchain/registry/certs/rootCA.crt'
registryRootCAKey='/u01/blockchain/registry/certs/rootCA.key'
cpid=$(docker ps | grep 'controlplane' | awk '{ print $1 }')
echo "CP container ID -> $cpid"
ldapid=$(docker ps | grep 'openldap' | awk '{ print $1 }')
echo "OpenLDAP container ID -> $ldapid"
#Stop with a non-zero status if either container is not running
if [ -z "$ldapid" ] || [ -z "$cpid" ]; then
    echo 'ERROR: Failed to detect running containers. Abort.'
    exit 1
else
    echo "Openldap and CP containers are running."
fi
#Stop with a non-zero status if the new root CA cert or key is missing
if [ ! -f "$newRootCACertPath" ] || [ ! -f "$newRootCAKeyPath" ]; then
    echo "Error: New RootCA cert and/or key not found. Abort."
    exit 1
else
    echo "New RootCA cert and key detected."
fi
#### CP changes ####
#Backup existing image
docker tag bcs/control-plane:latest bcs/control-plane:latest_bk
#Modify existing image
docker cp $newRootCACertPath ${cpid}:/tmp/rootCA.crt
docker exec -it ${cpid} bash -c "keytool -import -trustcacerts -keystore /usr/lib/jvm/jre/lib/security/cacerts -storepass changeit -alias defaultOpenLdapCACert2022 -import -file /tmp/rootCA.crt -noprompt"
#Commit image
docker commit ${cpid} bcs/control-plane:latest
#Backup existing cert and key
cp -f $cpRootCACert ${cpRootCACert}.old
cp -f $cpRootCAKey ${cpRootCAKey}.old
#Replace new cert and key
cp -f $newRootCACertPath ${cpRootCACert}
cp -f $newRootCAKeyPath ${cpRootCAKey}
#Restart
echo "Restarting controlplane service"
systemctl restart controlplane
#### OpenLDAP changes ####
#Backup existing image
docker tag obp/ol-openldap:latest obp/ol-openldap:latest_bk
docker cp $newRootCACertPath ${ldapid}:/tmp/rootCA.crt
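#Note: this script does not remove /tmp/rootCA.key before the commit below, so the
#private key stays in the committed image unless /tmp is a volume in the container
docker cp $newRootCAKeyPath ${ldapid}:/tmp/rootCA.key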
docker exec -it ${ldapid} bash -c "cp -f /tmp/rootCA.crt /etc/ssl/certs/ca_server.pem"
#Commit image
docker commit $ldapid obp/ol-openldap:latest
#Restart
echo "Restarting OpenLDAP service"
systemctl restart openldap
#### Registry changes ####
#Backup existing cert and key
cp -f $registryRootCACert ${registryRootCACert}.old
cp -f $registryRootCAKey ${registryRootCAKey}.old
#Replace new cert and key
cp -f $newRootCACertPath $registryRootCACert
cp -f $newRootCAKeyPath $registryRootCAKey
#Restart
echo "Restarting registry service"
systemctl restart dregistry
echo "Successfully completed cert renewals"
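The script above only checks that the new root CA certificate and key files exist before it replaces trust material and restarts services. As an added example (not part of Oracle's script), the following function also verifies that the key belongs to the certificate, that the certificate is a CA certificate with enough validity left, and that the key file is not readable by group or others. The function name, the return codes and the 30-day default margin are assumptions of this example.

```shell
#!/bin/bash
# Added example, not Oracle's code: pre-flight check for the replacement
# root CA pair. Return codes are this example's own convention:
#   0 ok, 2 unreadable, 3 key/cert mismatch, 4 not a CA,
#   5 expires too soon, 6 key file permissions too open
preflight_root_ca() {
    local cert="$1" key="$2" min_days="${3:-30}"
    local cert_pub key_pub mode

    # 2: both files must parse; "-passin pass:" keeps openssl from prompting
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2

    # 3: the public key derived from the private key must equal the one
    #    carried in the certificate
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # 4: the certificate must be marked as a CA (basicConstraints CA:TRUE)
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 4

    # 5: reject a certificate that expires within min_days
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 5

    # 6: the private key must not be accessible to group or others
    mode=$(stat -c '%a' "$key") || return 2
    case "$mode" in
        *00) ;;
        *) return 6 ;;
    esac
    return 0
}

# Usage: preflight.sh <cert> <key> [min_days]
# On this page the pair is /u01/renewCerts/docker-certs/rootCA.crt and
# /u01/renewCerts/docker-certs/rootCA.key.
if [ "$#" -ge 2 ]; then
    rc=0
    preflight_root_ca "$@" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "Root CA pair passed pre-flight checks."
    else
        echo "Root CA pre-flight failed (check $rc). Do not run the update."
    fi
    exit "$rc"
fi
```

Run it against the new pair before the update script, and proceed only when it exits with status 0.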
Log on to Oracle Blockchain Platform for the First Time
After you've deployed and started Oracle Blockchain Platform Enterprise Edition on your VM hosting software, you can log on to Blockchain Platform Manager to create an instance.
https://<hostname of your VM>:7443/console/index.html
The initial user name is obpadmin and the password is welcome1. This user is only meant for performing initial configuration and does not have instance creation privileges.
In order to use the internal LDAP server, the admin password must first be changed. Blockchain Platform Manager will not allow you to use an internal LDAP configuration with the default password.
Set the Blockchain Platform Manager Name
On the Configuration page Platform Settings tab of Blockchain Platform Manager, you can set a name for the Platform Manager.
Note:
Once the name for the Platform Manager has been set, any users added to the LDAP server will be associated with this name. If you change the name after adding users, those users will lose access to Blockchain Platform Manager and any Oracle Blockchain Platform instances.
Set the Notification and Console Idle Timeouts
- Console Idle Timeout: in minutes, how long the console can be idle before it logs out the current user.
- Notification Timeout: in seconds, how long notifications will remain visible on the browser. Select -1 if you want notifications to remain visible until you close them.
Configure a Hardware Security Module Client
Oracle Blockchain Platform Enterprise Edition supports using a hardware security module (HSM) to manage keys. You can use an HSM server on your network or a data protection on-demand (DPoD) service.
To use an HSM, you must install client software on each virtual machine (VM). Currently SafeNet Luna HSMs are supported.
You can configure an instance to use an HSM only when the instance is created. You cannot add HSM capabilities to an existing instance.
Install the Client for SafeNet Luna Network HSM Devices
A script is provided in the virtual machine (VM) to assist with installing and configuring the SafeNet Luna Client for use with a hardware security module (HSM).
- The script supports version 10.2 and later of the SafeNet Luna Client.
- The script is for use with SafeNet Luna Network HSM devices, not the SafeNet Luna HSM on Demand service.
- The script is written to use the standard naming and folder structure for the client installer. If you change the location or file name of the client installer, the script might fail.
- The script must be run using root privileges.
- The script must be run after the host name and IP address for the VM are configured. If you change the host name or IP address after installing the client, you might need to reconfigure the client.
Manually Install the Client for SafeNet Luna Network HSM Devices
If you need more control over installation of the SafeNet Luna client than the provided script affords, you can install the client manually.
- The SafeNet Luna Network HSM is set up and the client archive is downloaded to the host computer.
- You must have sudo privileges on the host computer.
partition init -label fabric
role login -name Partition SO
role init -name Crypto Officer
role logout
role login -name Crypto Officer
role changepw -name Crypto Officer
role init -name Crypto User
role logout
role login -name Crypto User
role changepw -name Crypto User
Install the Client for SafeNet Luna HSM on Demand
To use the SafeNet Luna HSM on Demand service to manage keys, you download a pre-configured SafeNet Luna client archive and extract it on each virtual machine (VM) in the instance.
- The SafeNet Luna HSM on Demand service is set up and the client archive is downloaded to the host computer.
- The client installation directory must be under the /etc/hyperledger/fabric path.
- You must have sudo privileges on the host computer.
partition init -label fabric
role login -name Partition SO
role init -name Crypto Officer
role logout
role login -name Crypto Officer
role changepw -name Crypto Officer
role init -name Crypto User
role logout
role login -name Crypto User
role changepw -name Crypto User