Deploying Business Networks

Before a business network definition can be deployed it must be packaged into a Business Network Archive (.bna) file. The composer archive create command is used to create a business network archive file from a business network definition folder on disk.

Once the business network archive file has been created it can be deployed to a runtime using the composer runtime install command followed by a composer network start command.

For example:

composer runtime install -n tutorial-network -c PeerAdmin@fabric-network

To update the business network definition for an already deployed business network use the composer network update CLI command.

Deploying business networks to Hyperledger Fabric v1.0

In Hyperledger Fabric v1.0, peers enforce the concepts of administrators and members (or users). Administrators have permission to install Hyperledger Fabric chaincode for a new business network onto peers. Members do not have permission to install chaincode. In order to deploy a business network to a set of peers, you must provide an identity that has administrative rights to all of those peers.

To make that identity and its certificates available, you must create a Peer Admin business network card using the certificate and private key associated with the peer admin identity. Hyperledger Composer provides a sample Hyperledger Fabric v1.0 network. The peer administrator for this network is called PeerAdmin, and the identity is automatically imported for you when you use the sample scripts for starting the network. Please note that the peer administrator may be given a different name for other Hyperledger Fabric v1.0 networks.

Important: When deploying a business network to Hyperledger Fabric v1.0 a bootstrap registrar is defined in the Hyperledger Fabric Certificate Authority (CA) configuration. The Hyperledger Composer development environment contains a preconfigured instance of Hyperledger Fabric with a specific enrollment ID and enrollment secret for the bootstrap registrar.

Business network administrators

When you deploy a business network, access controls are enforced as per the access control rules specified in the business network definition. Each business network must have at least one participant, and that participant must have a valid identity for accessing the business network. Otherwise, client applications cannot interact with the business network.

A business network administrator is a participant who is responsible for configuring the business network for their organisation after the business network is deployed, and is responsible for on-boarding other participants from their organisation. Because business networks include multiple organisations, there should be multiple business network administrators for any given business network.

Hyperledger Composer provides a built-in participant type, org.hyperledger.composer.system.NetworkAdmin, that represents a business network administrator. This built-in participant type does not have any special permissions; participants of this type are still subject to the access control rules specified in the business network definition. For this reason, it is recommended that you start with the following sample access control rules that grant business network administrators full access to a business network:

rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
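
Because these two rules grant access to everything, it is worth checking before deployment that no other participant type has an equally broad grant. The following is an added example, not part of the Hyperledger Composer documentation: a small parser for simple (unconditional) rules in this format that lists wildcard ALLOW rules granted to anyone other than NetworkAdmin. The EveryoneAll rule and the function names are hypothetical and exist only for this illustration.

```python
import re

NETWORK_ADMIN = "org.hyperledger.composer.system.NetworkAdmin"

# Constructed input: the page's two sample rules plus one hypothetical
# over-broad rule (EveryoneAll) added only to give the check something to flag.
SAMPLE_ACL = '''
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
rule EveryoneAll {
    description: "Constructed example of an over-broad grant"
    participant: "ANY"
    operation: ALL
    resource: "**"
    action: ALLOW
}
'''

# Simple rules only: a '}' inside a description or condition would end the
# rule match early, so review conditional rules by hand.
RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\}', re.S)
# key: value lines; tolerates a variable binding such as participant(p):
FIELD_RE = re.compile(r'^\s*(\w+)(?:\(\w+\))?\s*:\s*"?(.*?)"?\s*$', re.M)

def parse_rules(acl_text):
    """Return one dict per rule: its fields plus the rule name."""
    return [dict(FIELD_RE.findall(body), name=name)
            for name, body in RULE_RE.findall(acl_text)]

def unexpected_broad_grants(rules, allowed=(NETWORK_ADMIN,)):
    """Names of ALLOW rules on a recursive wildcard ('**') resource whose
    participant is not in the allowed set."""
    return [r["name"] for r in rules
            if r.get("action") == "ALLOW"
            and r.get("resource", "").endswith("**")
            and r.get("participant") not in allowed]
```
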

By default, Hyperledger Composer will automatically create a single business network administrator participant during deployment. The identity that is used for deploying the business network will also be bound to that business network administrator participant, so that identity can be used to interact with the business network after deployment.

Hyperledger Fabric peer administrators may not have permission to issue new identities using the Hyperledger Fabric Certificate Authority (CA). This may restrict the ability of the business network administrator to on-board other participants from their organisation. For this reason, it may be preferable to create a business network administrator that does have permission to issue new identities using the Hyperledger Fabric Certificate Authority (CA).

You can use additional options to the composer network start command to specify the business network administrators that should be created during the deployment of the business network.

If the business network administrator has an enrollment ID and enrollment secret, you can use the -A (business network administrator) and -S (business network administrator uses enrollment secret) flags. For example, the following command will create a business network administrator for the existing admin enrollment ID:

composer network start -c PeerAdmin@fabric-network -A admin -S

Deploying business networks using Playground locally

Please note: When using a local Playground instance to deploy a business network to Hyperledger Fabric v1.0, as part of the deployment process you must choose how to provide credentials for the initial business network participant. The initial participant will be a NetworkAdmin.

When deploying a business network using Playground, you will be prompted to enter the credentials for the initial participant. Credentials can be provided either as a certificate or as a pre-defined enrollment ID and enrollment secret. If you are using the instance of Hyperledger Fabric set up in the Hyperledger Composer development environment, the bootstrap registrar enrollment ID is admin and the bootstrap registrar enrollment secret is adminpw. This initial participant uses the credentials set for the bootstrap registrar in the Hyperledger Fabric Certificate Authority (CA), and will be a NetworkAdmin.

When deploying a business network using Playground locally, you must have at least one business network card with the PeerAdmin role and at least one business network card with the ChannelAdmin role. Each of these business network cards must contain the correct admin certificates.

Errors deploying a business network to a local fabric using the Hyperledger Composer Playground

When deploying a business network to an instance of Hyperledger Fabric by using a locally installed Hyperledger Composer Playground, you may encounter the following error:

Error: error trying to list instantiated chaincodes. Error: chaincode error (status 500, message: Authorization for GETCHAINCODES on channel getchaincodes has been denied with error Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]:[This identity is not an admin])

Once this error has occurred, you must delete your local browser storage to restore normal function. Please note: Deleting local browser storage will delete your connection profile and identities in your wallet. For more information on this error, see the specific error page.