Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations)
This tutorial will demonstrate the steps that administrators in multiple organization scenarios must take to deploy a blockchain business network to an instance of Hyperledger Fabric, including how to generate the Hyperledger Composer configuration.
It is recommended that you first follow the previous tutorial that demonstrates how to deploy a blockchain business network to an instance of Hyperledger Fabric for a single organization, as it will explain some of the concepts in more detail.
This tutorial will cover how to deploy a blockchain business network to a Hyperledger Fabric network that spans two organizations, Org1 and Org2. The tutorial is presented with different types of steps depending on which organization should follow the step.
The first kind of step is for both organizations to follow:
Example Step: A step for Org1 and Org2 to follow
The organization Org1 is represented by Alice, the Green Conga Block:
Example Step: A step for Org1 to follow
The organization Org2 is represented by Bob, the Violet Conga Block:
Example Step: A step for Org2 to follow
You can follow these steps by yourself, or pair with a friend or colleague and follow the steps together.
Let's get started!
Prerequisites
If you have installed the development environment, you will need to first stop the Hyperledger Fabric provided by the development environment:
cd ~/fabric-tools
./stopFabric.sh
./teardownFabric.sh
Clone the following GitHub repository:
git clone -b issue-6978 https://github.com/sstone1/fabric-samples.git
Follow the Building Your First Network tutorial, ensuring that you use the GitHub repository cloned in the previous step. You must not clone and use the Hyperledger Fabric version of the GitHub repository as it is currently missing changes that are required for this tutorial.
Step One: Starting a Hyperledger Fabric network
In order to follow this tutorial, you must start a Hyperledger Fabric network.
This tutorial will assume that you use the Hyperledger Fabric network provided in the Hyperledger Fabric Building Your First Network tutorial. We will refer to this Hyperledger Fabric network as the BYFN (Building Your First Network) network.
You can now start the BYFN network. You must specify additional flags that are not specified in the Building Your First Network tutorial. This is because we want to use CouchDB as the world state database, and we want to start a Certificate Authority (CA) for each organization.
./byfn.sh -m generate
./byfn.sh -m up -s couchdb -a
If the command works successfully, the BYFN network is started, and you will see the following output:
========= All GOOD, BYFN execution completed ===========
 _____   _   _   ____
| ____| | \ | | |  _ \
|  _|   |  \| | | | | |
| |___  | |\  | | |_| |
|_____| |_| \_| |____/
Next, delete any business network cards that may exist in your wallet. It is safe to ignore any errors that state that the business network cards cannot be found:
composer card delete -n PeerAdmin@byfn-network-org1-only
composer card delete -n PeerAdmin@byfn-network-org1
composer card delete -n PeerAdmin@byfn-network-org2-only
composer card delete -n PeerAdmin@byfn-network-org2
composer card delete -n alice@tutorial-network
composer card delete -n bob@tutorial-network
composer card delete -n admin@tutorial-network
composer card delete -n PeerAdmin@fabric-network
Step Two: Exploring the Hyperledger Fabric network
This step will explore the BYFN network configuration and components. The configuration details are required to complete the subsequent steps.
Organizations
The BYFN network is made up of two organizations: Org1 and Org2. The organization Org1 uses the domain name org1.example.com. The Membership Services Provider (MSP) for Org1 is called Org1MSP. The organization Org2 uses the domain name org2.example.com. The MSP for Org2 is called Org2MSP. In this tutorial, you will deploy a blockchain business network that both of the organizations Org1 and Org2 can interact with.
Network components
The Hyperledger Fabric network is made up of several components:
- Two peer nodes for Org1, named peer0.org1.example.com and peer1.org1.example.com.
  - The request port for peer0 is 7051.
  - The event hub port for peer0 is 7053.
  - The request port for peer1 is 8051.
  - The event hub port for peer1 is 8053.
- A single CA (Certificate Authority) for Org1, named ca.org1.example.com.
  - The CA port is 7054.
- Two peer nodes for Org2, named peer0.org2.example.com and peer1.org2.example.com.
  - The request port for peer0 is 9051.
  - The event hub port for peer0 is 9053.
  - The request port for peer1 is 10051.
  - The event hub port for peer1 is 10053.
- A single CA (Certificate Authority) for Org2, named ca.org2.example.com.
  - The CA port is 8054.
- A single orderer node, named orderer.example.com.
  - The orderer port is 7050.
These components are running inside Docker containers. When running Hyperledger Composer within a Docker container, the names above (for example, peer0.org1.example.com) can be used to interact with the Hyperledger Fabric network.
This tutorial will run Hyperledger Composer commands on the Docker host machine, rather than from inside the Docker network. This means that the Hyperledger Composer commands must interact with the Hyperledger Fabric network using localhost as the host name and the exposed container ports.
All of the network components are secured using TLS to encrypt communications. You will need the Certificate Authority (CA) certificates for all of the network components in order to connect to those network components. The CA certificates can be found in the directory containing the byfn.sh script.
CA certificate for the orderer node:
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
CA certificate for Org1:
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CA certificate for Org2:
crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
You will use these files later on to interact with the Hyperledger Fabric network.
Users
The organization Org1 is configured with a user named Admin@org1.example.com. This user is an administrator.
The user Admin@org1.example.com has a set of certificates and private key files stored in the directory:
crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
The organization Org2 is configured with a user named Admin@org2.example.com. This user is an administrator.
The user Admin@org2.example.com has a set of certificates and private key files stored in the directory:
crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
You will use some of these files later on to interact with the Hyperledger Fabric network.
In addition to the administrator, the CAs (Certificate Authorities) for Org1 and Org2 have been configured with a default user. This default user has an enrolment ID of admin and an enrolment secret of adminpw. However, this user does not have permission to deploy a blockchain business network.
Channel
A channel named mychannel has been created. All four peer nodes - peer0.org1.example.com, peer1.org1.example.com, peer0.org2.example.com, and peer1.org2.example.com - have been joined to this channel.
Step Three: Building connection profiles for Org1
Org1 requires two connection profiles. One connection profile will contain just the peer nodes that belong to Org1, and the other connection profile will contain the peer nodes that belong to Org1 and Org2.
Create a connection profile file called connection-org1-only.json with the following contents and save it to disk. This connection profile will contain just the peer nodes that belong to Org1. You will use this file in later steps, so remember where you place it!
{
    "name": "byfn-network-org1-only",
    "type": "hlfv1",
    "mspID": "Org1MSP",
    "peers": [
        {
            "requestURL": "grpcs://localhost:7051",
            "eventURL": "grpcs://localhost:7053",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org1.example.com"
        },
        {
            "requestURL": "grpcs://localhost:8051",
            "eventURL": "grpcs://localhost:8053",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org1.example.com"
        }
    ],
    "ca": {
        "url": "https://localhost:7054",
        "name": "ca-org1",
        "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
        "hostnameOverride": "ca.org1.example.com"
    },
    "orderers": [
        {
            "url": "grpcs://localhost:7050",
            "cert": "INSERT_ORDERER_CA_CERT_FILE_PATH",
            "hostnameOverride": "orderer.example.com"
        }
    ],
    "channel": "mychannel",
    "timeout": 300
}
Replace all instances of the text INSERT_ORG1_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org1:
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORDERER_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the orderer node:
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
Create another connection profile file called connection-org1.json with the following contents and save it to disk. This connection profile will contain the peer nodes that belong to Org1 and Org2. You will use this file in later steps, so remember where you place it!
{
    "name": "byfn-network-org1",
    "type": "hlfv1",
    "mspID": "Org1MSP",
    "peers": [
        {
            "requestURL": "grpcs://localhost:7051",
            "eventURL": "grpcs://localhost:7053",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org1.example.com"
        },
        {
            "requestURL": "grpcs://localhost:8051",
            "eventURL": "grpcs://localhost:8053",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org1.example.com"
        },
        {
            "requestURL": "grpcs://localhost:9051",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org2.example.com"
        },
        {
            "requestURL": "grpcs://localhost:10051",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org2.example.com"
        }
    ],
    "ca": {
        "url": "https://localhost:7054",
        "name": "ca-org1",
        "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
        "hostnameOverride": "ca.org1.example.com"
    },
    "orderers": [
        {
            "url": "grpcs://localhost:7050",
            "cert": "INSERT_ORDERER_CA_CERT_FILE_PATH",
            "hostnameOverride": "orderer.example.com"
        }
    ],
    "channel": "mychannel",
    "timeout": 300
}
Replace all instances of the text INSERT_ORG1_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org1:
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORG2_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org2:
crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORDERER_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the orderer node:
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
Note that where this connection profile contains details of the peer nodes for Org2, it only includes the request port and does not contain the event hub port. This is because one organization cannot access another organization's event hub port.
Step Four: Building connection profiles for Org2
Org2 requires two connection profiles. One connection profile will contain just the peer nodes that belong to Org2, and the other connection profile will contain the peer nodes that belong to Org2 and Org1.
Create a connection profile file called connection-org2-only.json with the following contents and save it to disk. This connection profile will contain just the peer nodes that belong to Org2. You will use this file in later steps, so remember where you place it!
{
    "name": "byfn-network-org2-only",
    "type": "hlfv1",
    "mspID": "Org2MSP",
    "peers": [
        {
            "requestURL": "grpcs://localhost:9051",
            "eventURL": "grpcs://localhost:9053",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org2.example.com"
        },
        {
            "requestURL": "grpcs://localhost:10051",
            "eventURL": "grpcs://localhost:10053",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org2.example.com"
        }
    ],
    "ca": {
        "url": "https://localhost:8054",
        "name": "ca-org2",
        "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
        "hostnameOverride": "ca.org2.example.com"
    },
    "orderers": [
        {
            "url": "grpcs://localhost:7050",
            "cert": "INSERT_ORDERER_CA_CERT_FILE_PATH",
            "hostnameOverride": "orderer.example.com"
        }
    ],
    "channel": "mychannel",
    "timeout": 300
}
Replace all instances of the text INSERT_ORG2_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org2:
crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORDERER_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the orderer node:
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
Create another connection profile file called connection-org2.json with the following contents and save it to disk. This connection profile will contain the peer nodes that belong to Org2 and Org1. You will use this file in later steps, so remember where you place it!
{
    "name": "byfn-network-org2",
    "type": "hlfv1",
    "mspID": "Org2MSP",
    "peers": [
        {
            "requestURL": "grpcs://localhost:9051",
            "eventURL": "grpcs://localhost:9053",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org2.example.com"
        },
        {
            "requestURL": "grpcs://localhost:10051",
            "eventURL": "grpcs://localhost:10053",
            "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org2.example.com"
        },
        {
            "requestURL": "grpcs://localhost:7051",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer0.org1.example.com"
        },
        {
            "requestURL": "grpcs://localhost:8051",
            "cert": "INSERT_ORG1_CA_CERT_FILE_PATH",
            "hostnameOverride": "peer1.org1.example.com"
        }
    ],
    "ca": {
        "url": "https://localhost:8054",
        "name": "ca-org2",
        "cert": "INSERT_ORG2_CA_CERT_FILE_PATH",
        "hostnameOverride": "ca.org2.example.com"
    },
    "orderers": [
        {
            "url": "grpcs://localhost:7050",
            "cert": "INSERT_ORDERER_CA_CERT_FILE_PATH",
            "hostnameOverride": "orderer.example.com"
        }
    ],
    "channel": "mychannel",
    "timeout": 300
}
Replace all instances of the text INSERT_ORG2_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org2:
crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORG1_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the peer nodes for Org1:
crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
Replace all instances of the text INSERT_ORDERER_CA_CERT_FILE_PATH with the fully qualified path to the file containing the CA certificate for the orderer node:
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
Note that where this connection profile contains details of the peer nodes for Org1, it only includes the request port and does not contain the event hub port. This is because one organization cannot access another organization's event hub port.
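The rules that the four connection profiles in steps three and four follow can be checked mechanically before any business network cards are created. The following Python linter is an added example, not part of the original tutorial or of Hyperledger Composer; the function names, the checkout path /home/alice/first-network and the deliberately broken profile are assumptions constructed for illustration.

```python
import copy
from urllib.parse import urlparse


def org_domain(hostname):
    """peer0.org1.example.com -> org1.example.com (BYFN naming used on this page)."""
    return hostname.split(".", 1)[1]


def lint_profile(profile):
    """Return findings for one 'hlfv1' connection profile (hypothetical helper).

    Assumes every entry carries hostnameOverride, as all profiles on this page do.
    """
    findings = []

    def check(entry, url_keys, scheme, cert_dir):
        label = entry["hostnameOverride"]
        for key in url_keys:
            if key in entry and urlparse(entry[key]).scheme != scheme:
                findings.append(f"{label}: {key} must use {scheme}://")
        cert = entry.get("cert", "")
        if "INSERT_" in cert:
            findings.append(f"{label}: placeholder {cert} was not replaced")
        elif not cert.startswith("/"):  # POSIX paths assumed
            findings.append(f"{label}: cert must be a fully qualified path")
        elif cert_dir not in cert:
            findings.append(f"{label}: cert is not under {cert_dir}")

    # The profile's own organization is taken from its CA entry.
    own = org_domain(profile["ca"]["hostnameOverride"])
    check(profile["ca"], ("url",), "https", f"/peerOrganizations/{own}/")
    for orderer in profile["orderers"]:
        check(orderer, ("url",), "grpcs", "/ordererOrganizations/")
    for peer in profile["peers"]:
        name = peer["hostnameOverride"]
        domain = org_domain(name)
        check(peer, ("requestURL", "eventURL"), "grpcs", f"/peerOrganizations/{domain}/")
        if domain == own and "eventURL" not in peer:
            findings.append(f"{name}: own peer has no eventURL")
        if domain != own and "eventURL" in peer:
            findings.append(f"{name}: eventURL set for a peer of another organization")
    return findings


# Constructed sample: connection-org1.json from Step Three with the placeholders
# replaced, assuming the repository was cloned to /home/alice/first-network.
BASE = "/home/alice/first-network/crypto-config"
ORG1_CA = BASE + "/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt"
ORG2_CA = BASE + "/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt"
ORDERER_CA = BASE + "/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt"
GOOD = {
    "name": "byfn-network-org1", "type": "hlfv1", "mspID": "Org1MSP",
    "peers": [
        {"requestURL": "grpcs://localhost:7051", "eventURL": "grpcs://localhost:7053",
         "cert": ORG1_CA, "hostnameOverride": "peer0.org1.example.com"},
        {"requestURL": "grpcs://localhost:8051", "eventURL": "grpcs://localhost:8053",
         "cert": ORG1_CA, "hostnameOverride": "peer1.org1.example.com"},
        {"requestURL": "grpcs://localhost:9051",
         "cert": ORG2_CA, "hostnameOverride": "peer0.org2.example.com"},
        {"requestURL": "grpcs://localhost:10051",
         "cert": ORG2_CA, "hostnameOverride": "peer1.org2.example.com"},
    ],
    "ca": {"url": "https://localhost:7054", "name": "ca-org1",
           "cert": ORG1_CA, "hostnameOverride": "ca.org1.example.com"},
    "orderers": [{"url": "grpcs://localhost:7050", "cert": ORDERER_CA,
                  "hostnameOverride": "orderer.example.com"}],
    "channel": "mychannel", "timeout": 300,
}

# Constructed counter-example with four typical editing mistakes.
BAD = copy.deepcopy(GOOD)
BAD["peers"][2]["eventURL"] = "grpcs://localhost:9053"  # Org2 event hub in Org1's profile
BAD["peers"][3]["cert"] = ORG1_CA                       # wrong organization's CA cert
BAD["orderers"][0]["cert"] = "INSERT_ORDERER_CA_CERT_FILE_PATH"
BAD["ca"]["url"] = "http://localhost:7054"              # TLS dropped for the CA

if __name__ == "__main__":
    print("good profile:", lint_profile(GOOD))
    for finding in lint_profile(BAD):
        print("bad profile:", finding)
```

To check a real file, load it with json.load and pass the resulting dictionary to lint_profile.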
Step Five: Locating the certificate and private key for the Hyperledger Fabric administrator for Org1
The administrator for our Hyperledger Fabric network is a user called Admin@org1.example.com. The certificates and private key files for this user are stored in the directory:
crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
You must first locate the certificate file for this user. The certificate is the public part of the identity. The certificate file can be found in the signcerts subdirectory and is named Admin@org1.example.com-cert.pem.
Next, you must locate the private key file for this user. The private key is used to sign transactions as this identity. The private key file can be found in the keystore subdirectory. The name of the private key file is a long hexadecimal string, with a suffix of _sk, for example 78f2139bfcfc0edc7ada0801650ed785a11cfcdef3f9c36f3c8ca2ebfa00a59c_sk. The name will change every time the configuration is generated.
Remember the path to both of these files, or copy them into the same directory as the connection profile file connection-org1.json that you created in step three. You will need these files in the next steps.
Step Six: Locating the certificate and private key for the Hyperledger Fabric administrator for Org2
The administrator for our Hyperledger Fabric network is a user called Admin@org2.example.com. The certificates and private key files for this user are stored in the directory:
crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
You must first locate the certificate file for this user. The certificate is the public part of the identity. The certificate file can be found in the signcerts subdirectory and is named Admin@org2.example.com-cert.pem.
Next, you must locate the private key file for this user. The private key is used to sign transactions as this identity. The private key file can be found in the keystore subdirectory. The name of the private key file is a long hexadecimal string, with a suffix of _sk, for example d4889cb2a32e167bf7aeced872a214673ee5976b63a94a6a4e61c135ca2f2dbb_sk. The name will change every time the configuration is generated.
Remember the path to both of these files, or copy them into the same directory as the connection profile file connection-org2.json that you created in step four. You will need these files in the next steps.
Step Seven: Creating business network cards for the Hyperledger Fabric administrator for Org1
In this step you will create business network cards for the administrator to use to deploy the blockchain business network to the Hyperledger Fabric network.
Run the composer card create command to create a business network card using the connection profile that just contains the peers for Org1. You must specify the path to all three files that you either created or located in the previous steps (note that the name of your _sk file will differ):
composer card create -p connection-org1-only.json -u PeerAdmin -c Admin@org1.example.com-cert.pem -k 78f2139bfcfc0edc7ada0801650ed785a11cfcdef3f9c36f3c8ca2ebfa00a59c_sk -r PeerAdmin -r ChannelAdmin
If the command works successfully, a business network card file called PeerAdmin@byfn-network-org1-only.card will have been written to the current directory.
Run the composer card create command to create a business network card using the connection profile that contains the peers for Org1 and Org2. You must specify the path to all three files that you either created or located in the previous steps:
composer card create -p connection-org1.json -u PeerAdmin -c Admin@org1.example.com-cert.pem -k 78f2139bfcfc0edc7ada0801650ed785a11cfcdef3f9c36f3c8ca2ebfa00a59c_sk -r PeerAdmin -r ChannelAdmin
If the command works successfully, a business network card file called PeerAdmin@byfn-network-org1.card will have been written to the current directory.
Step Eight: Creating business network cards for the Hyperledger Fabric administrator for Org2
In this step you will create business network cards for the administrator to use to deploy the blockchain business network to the Hyperledger Fabric network.
Run the composer card create command to create a business network card using the connection profile that just contains the peers for Org2. You must specify the path to all three files that you either created or located in the previous steps:
composer card create -p connection-org2-only.json -u PeerAdmin -c Admin@org2.example.com-cert.pem -k d4889cb2a32e167bf7aeced872a214673ee5976b63a94a6a4e61c135ca2f2dbb_sk -r PeerAdmin -r ChannelAdmin
If the command works successfully, a business network card file called PeerAdmin@byfn-network-org2-only.card will have been written to the current directory.
Run the composer card create command to create a business network card using the connection profile that contains the peers for Org2 and Org1. You must specify the path to all three files that you either created or located in the previous steps:
composer card create -p connection-org2.json -u PeerAdmin -c Admin@org2.example.com-cert.pem -k d4889cb2a32e167bf7aeced872a214673ee5976b63a94a6a4e61c135ca2f2dbb_sk -r PeerAdmin -r ChannelAdmin
If the command works successfully, a business network card file called PeerAdmin@byfn-network-org2.card will have been written to the current directory.
Step Nine: Importing the business network cards for the Hyperledger Fabric administrator for Org1
Run the composer card import command to import the business network card that just contains the peers for Org1 into the wallet:
composer card import -f PeerAdmin@byfn-network-org1-only.card
If the command works successfully, a business network card called PeerAdmin@byfn-network-org1-only will have been imported into the wallet.
Run the composer card import command to import the business network card that contains the peers for Org1 and Org2 into the wallet:
composer card import -f PeerAdmin@byfn-network-org1.card
If the command works successfully, a business network card called PeerAdmin@byfn-network-org1 will have been imported into the wallet.
Step Ten: Importing the business network cards for the Hyperledger Fabric administrator for Org2
Run the composer card import command to import the business network card that just contains the peers for Org2 into the wallet:
composer card import -f PeerAdmin@byfn-network-org2-only.card
If the command works successfully, a business network card called PeerAdmin@byfn-network-org2-only will have been imported into the wallet.
Run the composer card import command to import the business network card that contains the peers for Org2 and Org1 into the wallet:
composer card import -f PeerAdmin@byfn-network-org2.card
If the command works successfully, a business network card called PeerAdmin@byfn-network-org2 will have been imported into the wallet.
Step Eleven: Installing the Hyperledger Composer runtime onto the Hyperledger Fabric peer nodes for Org1
Run the composer runtime install command to install the Hyperledger Composer runtime onto all of the Hyperledger Fabric peer nodes for Org1 that you specified in the connection profile file you created in step three:
composer runtime install -c PeerAdmin@byfn-network-org1-only -n tutorial-network
Step Twelve: Installing the Hyperledger Composer runtime onto the Hyperledger Fabric peer nodes for Org2
Run the composer runtime install command to install the Hyperledger Composer runtime onto all of the Hyperledger Fabric peer nodes for Org2 that you specified in the connection profile file you created in step four:
composer runtime install -c PeerAdmin@byfn-network-org2-only -n tutorial-network
Step Thirteen: Defining the endorsement policy for the business network
A running business network has an endorsement policy, which defines the rules around which organizations must endorse transactions before they can be committed to the blockchain. By default, a business network is deployed with an endorsement policy that states that only one organization has to endorse a transaction before it can be committed to the blockchain.
In real world blockchain business networks, multiple organizations will want to ensure that they endorse transactions before they can be committed to the blockchain, and so the default endorsement policy is not suitable. Instead, you can specify a custom endorsement policy when you start a business network.
You can find more information on endorsement policies in the Hyperledger Fabric documentation, in Endorsement policies.
Please note that the endorsement policies used for a business network must be in the JSON format used by the Hyperledger Fabric Node.js SDK. This is a different format to the simple endorsement policy format used by the Hyperledger Fabric CLI, which you will see in the Hyperledger Fabric documentation.
Create an endorsement policy file called endorsement-policy.json with the following contents and save it to disk. You will use this file in later steps, so remember where you place it!
{
    "identities": [
        {
            "role": {
                "name": "member",
                "mspId": "Org1MSP"
            }
        },
        {
            "role": {
                "name": "member",
                "mspId": "Org2MSP"
            }
        }
    ],
    "policy": {
        "2-of": [
            {
                "signed-by": 0
            },
            {
                "signed-by": 1
            }
        ]
    }
}
The endorsement policy you have just created states that both Org1 and Org2 must endorse transactions in the business network before they can be committed to the blockchain. If Org1 or Org2 do not endorse transactions, or disagree on the result of a transaction, then the transaction will be rejected by the business network.
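To see what the 2-of policy above accepts and rejects, the following added example (not part of the original tutorial, and not Hyperledger Fabric's own policy engine) evaluates a policy in this JSON format against a list of endorsers. It is a simplified model that matches endorsers by MSP ID and role rather than verifying signatures, and it goes beyond the tutorial's policy by also handling nested n-of rules; the names satisfied, TUTORIAL_POLICY and ONE_OF_POLICY are hypothetical.

```python
import json
import re

# The endorsement policy from Step Thirteen, as written on this page.
TUTORIAL_POLICY = json.loads("""
{
  "identities": [
    {"role": {"name": "member", "mspId": "Org1MSP"}},
    {"role": {"name": "member", "mspId": "Org2MSP"}}
  ],
  "policy": {"2-of": [{"signed-by": 0}, {"signed-by": 1}]}
}
""")

# Constructed for comparison: same identities, but one endorsement is enough,
# modelling the "only one organization" behaviour described for the default.
ONE_OF_POLICY = {
    "identities": TUTORIAL_POLICY["identities"],
    "policy": {"1-of": [{"signed-by": 0}, {"signed-by": 1}]},
}


def satisfied(policy, endorsers):
    """Return True if `endorsers` satisfy `policy` (simplified model).

    `endorsers` is a list of {"mspId": ..., "role": ...} dicts, one per peer
    that endorsed; signatures are not verified here.
    """
    identities = policy["identities"]

    def evaluate(node):
        if len(node) != 1:
            raise ValueError(f"expected exactly one key in {node}")
        (key, value), = node.items()
        if key == "signed-by":
            if not 0 <= value < len(identities):
                raise ValueError(f"signed-by {value} has no matching identity")
            role = identities[value]["role"]
            # "member" is met by any identity of the MSP; other role names
            # (for example "admin") must match the endorser's role exactly.
            return any(e["mspId"] == role["mspId"]
                       and role["name"] in ("member", e["role"])
                       for e in endorsers)
        match = re.fullmatch(r"(\d+)-of", key)
        if not match:
            raise ValueError(f"unknown policy key {key!r}")
        needed = int(match.group(1))
        if needed > len(value):
            raise ValueError(f"{key} lists only {len(value)} rules; it can never pass")
        # Evaluate every child so malformed branches are reported too.
        return sum([evaluate(child) for child in value]) >= needed

    return evaluate(policy["policy"])


if __name__ == "__main__":
    org1 = {"mspId": "Org1MSP", "role": "member"}
    org2 = {"mspId": "Org2MSP", "role": "member"}
    print("Org1 + Org2, 2-of:", satisfied(TUTORIAL_POLICY, [org1, org2]))
    print("Org1 only,   2-of:", satisfied(TUTORIAL_POLICY, [org1]))
    print("two Org1 peers, 2-of:", satisfied(TUTORIAL_POLICY, [org1, org1]))
    print("Org1 only,   1-of:", satisfied(ONE_OF_POLICY, [org1]))
```

Two endorsements from peers of the same organization do not satisfy the tutorial's policy, because each signed-by entry refers to a different MSP.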
Step Fourteen: Understanding and selecting the business network administrators
When a business network is started, the business network must be configured with a set of initial participants. These participants will be responsible for bootstrapping the business network and onboarding other participants into the business network. In Hyperledger Composer, we call these initial participants the business network administrators.
In our business network, the organizations Org1 and Org2 have equal rights. Each organization will provide a business network administrator for the business network, and those business network administrators will onboard the other participants in their organizations. The business network administrator for Org1 will be Alice, and the business network administrator for Org2 will be Bob.
When the business network is started, the certificates (the public part of the identity) for all of the business network administrators must be passed to the organization performing the commands to start the business network. After the business network has been started, all of the business network administrators can use their identities to interact with the business network.
You can find more information on business network administrators in Deploying Business Networks.
Step Fifteen: Retrieving business network administrator certificates for Org1
Run the composer identity request command to retrieve certificates for Alice to use as the business network administrator for Org1:
composer identity request -c PeerAdmin@byfn-network-org1-only -u admin -s adminpw -d alice
The -u admin and the -s adminpw options to this command correspond to the default user registered with the Hyperledger Fabric CA (Certificate Authority).
The certificates will be placed into a directory called alice in the current working directory. There are three certificate files created, but only two are important. These are admin-pub.pem, the certificate (including the public key), and admin-priv.pem, the private key. Only the admin-pub.pem file is suitable for sharing with other organizations. The admin-priv.pem file must be kept secret as it can be used to sign transactions on behalf of the issuing organization.
Step Sixteen: Retrieving business network administrator certificates for Org2
Run the composer identity request command to retrieve certificates for Bob to use as the business network administrator for Org2:
composer identity request -c PeerAdmin@byfn-network-org2-only -u admin -s adminpw -d bob
The -u admin and the -s adminpw options to this command correspond to the default user registered with the Hyperledger Fabric CA (Certificate Authority).
The certificates will be placed into a directory called bob in the current working directory. There are three certificate files created, but only two are important. These are admin-pub.pem, the certificate (including the public key), and admin-priv.pem, the private key. Only the admin-pub.pem file is suitable for sharing with other organizations. The admin-priv.pem file must be kept secret as it can be used to sign transactions on behalf of the issuing organization.
Step Seventeen: Starting the business network
Run the composer network start command to start the business network. Only Org1 needs to perform this operation. This command uses the endorsement-policy.json file created in step thirteen, and the admin-pub.pem files created by both Alice and Bob in step fifteen and step sixteen, so you must ensure that all of these files are accessible to this command:
composer network start -c PeerAdmin@byfn-network-org1 -a tutorial-network@0.0.1.bna -o endorsementPolicyFile=endorsement-policy.json -A alice -C alice/admin-pub.pem -A bob -C bob/admin-pub.pem
Once this command completes, the business network will have been started. Both Alice and Bob will be able to access the business network, start to set up the business network, and onboard other participants from their respective organizations. However, both Alice and Bob must create new business network cards with the certificates that they created in the previous steps so that they can access the business network.
Step Eighteen: Creating a business network card to access the business network as Org1
Run the composer card create command to create a business network card that Alice, the business network administrator for Org1, can use to access the business network:
composer card create -p connection-org1.json -u alice -n tutorial-network -c alice/admin-pub.pem -k alice/admin-priv.pem
Run the composer card import command to import the business network card that you just created:
composer card import -f alice@tutorial-network.card
Run the composer network ping command to test the connection to the blockchain business network:
composer network ping -c alice@tutorial-network
If the command completes successfully, then you should see the fully qualified participant identifier org.hyperledger.composer.system.NetworkAdmin#alice in the output from the command. You can now use this business network card to interact with the blockchain business network and onboard other participants in your organization.
Step Nineteen: Creating a business network card to access the business network as Org2
Run the composer card create command to create a business network card that Bob, the business network administrator for Org2, can use to access the business network:
composer card create -p connection-org2.json -u bob -n tutorial-network -c bob/admin-pub.pem -k bob/admin-priv.pem
Run the composer card import command to import the business network card that you just created:
composer card import -f bob@tutorial-network.card
Run the composer network ping command to test the connection to the blockchain business network:
composer network ping -c bob@tutorial-network
If the command completes successfully, then you should see the fully qualified participant identifier org.hyperledger.composer.system.NetworkAdmin#bob in the output from the command. You can now use this business network card to interact with the blockchain business network and onboard other participants in your organization.
Conclusion
In this tutorial you have seen how to configure Hyperledger Composer with all of the information required to connect to a Hyperledger Fabric network that spans multiple organizations, and how to deploy a blockchain business network that spans all of the organizations in that Hyperledger Fabric network.