best practices - huawei cloud · bcs service deployment is completed.----end 1.3 installing and...

25
BCS Best Practices Issue 01 Date 2020-10-19 HUAWEI TECHNOLOGIES CO., LTD.

Upload: others

Post on 21-Oct-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

  • BCS

    Best Practices

    Issue 01

    Date 2020-10-19

    HUAWEI TECHNOLOGIES CO., LTD.

  • Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. i

  • Contents

    1 About the Demo...................................................................................................................... 1

    2 Buying a BCS Service...............................................................................................................2

    3 Inviting Tenants to Join a Consortium............................................................................... 5

    4 Joining a Consortium.............................................................................................................. 7

    5 Installing and Instantiating a Chaincode........................................................................ 11

    6 Configuring the Application............................................................................................... 14

    7 Deploying the Application.................................................................................................. 19

    8 Debugging the Application.................................................................................................21

    BCSBest Practices Contents

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. ii

  • 1 About the DemoThis best practice uses a bank consortium blockchain as an example to explain thebasics of consortium blockchains and how to form a consortium blockchain. Ithelps you quickly get started with HUAWEI CLOUD Blockchain Service (BCS).

    A bank can invite other banks to form a consortium blockchain of banks. Theblockchain nodes run in independent VPCs and are managed by the respectivebanks to ensure security.

    NO TE

    This is a demo only and is not for actual use.

    ● Scenario– Democratic Bank invites Civilization Bank and Harmonious Bank to join a

    consortium blockchain.– A customer registers accounts with Civilization Bank and Harmonious

    Bank without Know Your Customer (KYC) checks based on an existingaccount and KYC check results of Democratic Bank.

    ● RequirementsData such as user identities must be encrypted to protect the informationagainst brute force attack. Quick information queries based on identities mustbe supported.

    ● Key challenges:– Security and privacy: Banks require no disclosure of customer privacy

    information to other banks.– High-performance retrieval: Retrieval performance (millisecond-level

    response) similar to that of legacy databases must be delivered to ensureuser experience.

    – Easy-to-use interfaces: Simple and convenient interfaces must beprovided to facilitate application development.

    BCSBest Practices 1 About the Demo

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 1

  • 2 Buying a BCS ServiceBuy a BCS service and configure the basic parameters and network nodes.

    Procedure

    Step 1 Log in to the BCS console.

    Step 2 Click Buy BCS Service in the upper right corner of the page and set theparameters.

    NO TICE

    To ensure that the demo runs properly, set the parameters as described in thefollowing table.

    Table 2-1 Parameters

    Parameter Setting

    Billing Mode Select pay-per-use.

    Region Retain the default value.

    Enterprise Project Select an existing enterprise project, forexample, default.If you have not enabled the enterprisemanagement service, this parameter is notdisplayed.

    Service Name Enter bank-union-demo.

    Edition Select Enterprise.

    Blockchain Type Select Consortium.To ensure network connectivity, use aconsortium blockchain.

    Consensus Mechanism Retain the default setting.

    BCSBest Practices 2 Buying a BCS Service

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 2

  • Parameter Setting

    Resource Access InitialPassword

    Enter a password.

    Confirm Password Enter the password again.

    Advanced Settings Select Configure.

    Cluster Select Create a new CCE cluster.

    AZ Select an AZ.

    ECS Specifications Select the flavor for 4 vCPUs | 8 GB.

    ECS Quantity Enter 1.

    High Availability Select No.

    VPC Select Automatically create VPC.

    ECS Login Method Select Password.

    Password of Root User If you do not enter a password here, thepreviously specified resource access initialpassword will be used.

    Confirm password. -

    Blockchain Mgmt. InitialPassword

    If you do not enter a password here, thepreviously specified resource access initialpassword will be used.

    Confirm Password -

    Version Select a version.

    Volume Type Select SFS Turbo.

    Peer Organization Create one peer organization with the exactname and peer quantity as the following:Name: democraticBank; quantity: 2

    Orderer Quantity Enter 3.

    Enable Data Aging onOrderers

    Select No.

    Security Mechanism Select ECDSA.

    Storage Capacity of PeerOrganization

    Retain the default value.

    Ledger Storage Select File database (goleveldb).

    BCSBest Practices 2 Buying a BCS Service

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 3

  • Parameter Setting

    Channel Configuration Change the channel name to testchannel andadd the created democraticBank organizationto the channel.NOTE

    The channel must be named testchannel.

    Enable support for RESTfulAPIs

    Select No.

    Use EIP of a CCE Node Select Yes.

    EIP Billed By Select Bandwidth.

    EIP Bandwidth Set it to 5 Mbit/s.

    Configure Block Generation Select No.

    Enabling Trusted Computing Select No.

    Step 3 Click Next, confirm the configuration, and click Submit.

    Wait for several minutes. After a message is displayed indicating successfulcreation, check the status of the service and organizations. If they are Normal, theBCS service deployment is completed.

    NO TE

    If the creation fails, locate the failure cause by referring to the purchase and deploymentFAQs.

    ----End

    BCSBest Practices 2 Buying a BCS Service

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 4

    https://support.huaweicloud.com/intl/en-us/bcs_faq/bcs_faq_0319.htmlhttps://support.huaweicloud.com/intl/en-us/bcs_faq/bcs_faq_0319.html

  • 3 Inviting Tenants to Join a ConsortiumProcedure

    Step 1 Log in to the BCS console.

    Step 2 Choose Member Management in the navigation pane on the left. Click InviteTenant in the upper right corner of the page.

    Step 3 Select the BCS service and channel you just created, and enter the invited tenant'sname.

    Figure 3-1 Inviting a tenant

    Step 4 (Optional) Click Add Tenant to invite multiple tenants.

    In this demo, civilizationBank ("invitee A") and harmoniousBank ("invitee B")are invited.

    NO TE

    A maximum of 5 tenants can be invited. Only the platinum edition supports changes in themember quantity quota initiated by submitting service tickets.

    BCSBest Practices 3 Inviting Tenants to Join a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 5

  • Step 5 Click OK. An invitation notification is sent to the invited tenants.

    ----End

    BCSBest Practices 3 Inviting Tenants to Join a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 6

  • 4 Joining a ConsortiumWhen you are invited to join a consortium blockchain, you will receive anotification. You can accept the invitation to join the consortium.

    Procedure

    Step 1 Log in to the BCS console.

    Step 2 Choose Notification Management in the navigation pane on the left. Locate thenotification and click View Details in the Operation column.

    Step 3 Create a BCS service.

    1. If you have not created a BCS service, click Create Service to create a servicebefore selecting an organization. Otherwise, you cannot join the consortium.

    BCSBest Practices 4 Joining a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 7

  • Figure 4-1 Creating a BCS service

    2. Specify the BCS service parameters as prompted.

    Table 4-1 BCS service parameters

    Parameter Setting

    Billing Mode Select pay-per-use.

    Region Select the same region as the inviter.

    Service Name Enter the same name as the BCS service of theinviter, for example, bank-union-demo.

    Edition Select Enterprise.

    Blockchain Type Select Consortium.

    Cluster Type Select CCE cluster.

    Container Cluster Select an existing container cluster.

    Volume Type Select SFS.

    Network Storage Select an existing SFS file system.

    Ledger Storage Select File database (goleveldb).

    BCSBest Practices 4 Joining a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 8

  • Parameter Setting

    Peer Organization Create one peer organization namedcivilizationBank.

    ConsensusMechanism

    Retain the default value.

    Enable Data Agingon Orderers

    Select No.

    Cross-AZScheduling

    Select No.

    Security Mechanism Retain the default value.

    Version Select the latest version.

    Blockchain Mgmt.Initial Password

    Enter a password.

    Enable support forRESTful APIs

    Select No.

    Use EIP of a CCENode

    Select Yes.

    Enabling TrustedComputing

    Select No.

    3. Click Next, confirm the configuration, and click Submit.

    Wait for several minutes. After a message is displayed indicating successfulcreation, check the status of the service and organizations. If they areNormal, the BCS service deployment is completed.

    Step 4 After creating the BCS service, select an organization in the Notice Detailswindow and click Accept to join the consortium blockchain.

    BCSBest Practices 4 Joining a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 9

  • Step 5 Other invited tenants can repeat Step 1 to Step 4 to join the consortium.

    The operations and parameter settings for other invited tenants are the same asdescribed in the previous steps, except the peer organization names. In this demo,invitee B should set the name of the peer organization to harmoniousBank.

    ----End

    BCSBest Practices 4 Joining a Consortium

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 10

  • 5 Installing and Instantiating a ChaincodeA chaincode must be installed on all peers in a channel and instantiated on anyone peer. To use the same chaincode, channel members must specify the samename and version for the chaincode during chaincode installation.

    NO TICE

    ● The chaincode must be installed by the inviter and all invited tenants (in thisdemo, invitees A and B).

    ● The chaincode name and version specified by all parties must be consistent.● The chaincode can be instantiated by any member in the consortium.

    Installing a Chaincode

    Step 1 Log in to the BCS console.

    Step 2 In the navigation pane on the left, choose Service Management.

    Step 3 In the card of the service, click Manage Blockchain.

    Step 4 On the login page, enter the username, password, and verification code, and clickLog In.

    NO TE

    ● The username is admin, and the password is the Blockchain Mgmt. Initial Passwordset when you created the BCS service. If you have not set this password, use theresource access initial password.

    ● If you use the Internet Explorer, you may fail to open the Blockchain Managementlogin page and see a message indicating that the certificate is untrusted. In this case,you can click here to resolve the problem.

    Step 5 Click in the upper left corner of the page.

    Step 6 Enter the chaincode name and version number, select the peers where thechaincode is to be installed, specify the programming language of the chaincode,and add the chaincode file, as described in Table 5-1.

    BCSBest Practices 5 Installing and Instantiating a Chaincode

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 11

    https://support.microsoft.com/en-us/help/3071338/internet-explorer-11-adds-support-for-http-strict-transport-security-s

  • Table 5-1 Chaincode installation parameters

    Parameter Setting

    Chaincode Name Enter fabbank.

    Chaincode Version Enter 1.0.

    Ledger Storage File database (goleveldb)

    Select All Peers Select the checkbox.

    Organization & Peer All peers have been selected automatically.

    Language Select Golang.

    Chaincode File Add the sample chaincode file packagefabbank.zip.

    Chaincode Description Enter a description of the chaincode.

    Step 7 Click Install to install the chaincode.

    ----End

    Instantiating a Chaincode

    Step 1 After installing the chaincode, click Instantiate in the Operation column of thechaincode list.

    Step 2 Specify the channel, chaincode version, endorsement policy, endorsingorganizations, initialization function, and chaincode parameters, as described inTable 5-2.

    Table 5-2 Chaincode instantiation parameters

    Parameter Setting

    Chaincode Name fabbank

    Channel Select testchannel.

    Chaincode Version Select 1.0.

    Initialization Function Enter init.

    Endorsement Policy Select Endorsement from any of the followingorganizations.

    Endorsing Organizations Select all the three organizations.

    Privacy Protection Select No.

    Step 3 Click Instantiate.

    BCSBest Practices 5 Installing and Instantiating a Chaincode

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 12

    https://bcs.obs.cn-north-1.myhuaweicloud.com/bankdemo/fabbank.zip

  • Wait for 2 to 3 minutes and refresh the page. Click View more to check theinstantiation status.

    ----End

    BCSBest Practices 5 Installing and Instantiating a Chaincode

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 13

  • 6 Configuring the ApplicationBefore initiating transactions, the inviter must download the administratorcertificates of the orderer and organization democraticBank, and the certificatesin which the private keys are hidden by invitees A and B.

    Keep the private keys in the downloaded certificates secure. You are advised toencrypt the private keys for storage.

    Downloading Certificates

    Step 1 On the Service Management page, click the service to view its details.

    Step 2 In the Blockchain Organizations area on the Basic Information tab page, click in the blockchain organization cards to download certificates.

    Download the administrator certificates of bank-union-demo-orderer andorganization democraticBank.

    Figure 6-1 Downloading the administrator certificate of bank-union-demo-orderer

    BCSBest Practices 6 Configuring the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 14

  • Figure 6-2 Downloading the administrator certificate of organizationdemocraticBank

    Step 3 Invitee A downloads the administrator certificate of organization civilizationBank.

    Figure 6-3 Downloading the administrator certificate of organizationcivilizationBank

    Step 4 Invitee A deletes the private key files from the administrator certificate oforganization civilizationBank, as shown in the following figures.

    BCSBest Practices 6 Configuring the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 15

  • Figure 6-4 Deleting the server.key file from the tls directory

    Figure 6-5 Deleting the keystore file from the msp directory

    Step 5 Invitee B repeates Step 3 to Step 4 to download the administrator certificate oforganization harmoniousBank and delete the private key files.

    Step 6 The inviter stores the downloaded bank-union-demo-orderer administratorcertificate, the administrator certificate of organization democraticBank, andcertificates of organizations civilizationBank and harmoniousBank (in which theprivate key files have been deleted by the invitees) to the /root/bankuniondemodirectory of the prepared ECS.

    ----End

    Downloading SDK Configurations

    Step 1 On the Service Management page, choose More > Download SDKConfiguration.

    BCSBest Practices 6 Configuring the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 16

  • Step 2 Set the SDK file parameters as described in Table 6-1.

    NO TICE

    To ensure that the demo runs properly, set the parameters as described in thefollowing table.

    Table 6-1 SDK file parameters

    Parameter Setting

    Chaincode Name Enter fabbank.

    Certificate RootPath

    Enter /opt/bank/src/bank/conf/crypto.

    Channel Retain the automatically selected testchannel.

    Peer Retain all the automatically selected peers.

    Step 3 Decompress the downloaded file to retrieve a .yaml file. Duplicate the .yaml filewith another two copies, and name the three files democraticBank.yaml,civilizationBank.yaml, and harmoniousBank.yaml. Then, save the files to the /root/bankuniondemo directory on the ECS.

    The following figure shows the structure of the bankuniondemo directory.

    BCSBest Practices 6 Configuring the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 17

  • Figure 6-6 bankuniondemo directory structure

    ----End

    BCSBest Practices 6 Configuring the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 18

  • 7 Deploying the ApplicationThis section describes how to deploy the application.

    Deploying the Application

    Step 1 Log in to the ECS and run the following commands:

    cd /root/bankuniondemo

    wget https://bcs.obs.cn-north-1.myhuaweicloud.com/bankdemo/fabric2.0/startserver.sh

    bash startserver.sh

    NO TE

    The demo image is downloaded during the execution of startserver.sh. The execution maybe slow because the image is large. You can also download the image in advance andupload it to the directory.

    Step 2 After you see "Is this the first time you deploy the application?", enter y for yes, orenter n if you want to change the password. Then, insert your password (123456is used as an example in the following figure).

    The command output is similar to the following:

    Step 3 Run the following command to check whether the container has started:

    docker ps

    If the following information is displayed, the container has started. Otherwise,check the configuration.

    BCSBest Practices 7 Deploying the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 19

    https://bcs.obs.cn-north-1.myhuaweicloud.com/bankdemo/bankv2.tar.gz

  • ----End

    (Optional) Adding a Security Group● If you deploy the bankuniondemo application on your own server, skip this

    procedure.● The EIP must be the IP address of the server where the bankuniondemo

    application is deployed or the floating IP address of the ECS.● If you deploy the bankuniondemo application on an ECS, you need to create a

    security group and then add security group rules to enable access to port8080 of the server. Table 7-1 describes the security group rule.

    Table 7-1 Parameters of a security group rule

    Parameter Setting Description

    Protocol Select TCP. Specifies the network protocol.

    Direction Set the inboundrules.

    Specifies the direction in which thesecurity group rule takes effect.Inbound rules control externalaccess to the ECS.

    Port numberrange

    Create a rule, and setthe port to 8080.

    Specifies the port range for whicha rule takes effect.

    Source Select IP Address,and enter 0.0.0.0/0.

    This parameter is required forinbound rules.

    BCSBest Practices 7 Deploying the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 20

  • 8 Debugging the ApplicationAfter deploying the application, the administrator can enter customer informationand the customer can apply to open an account.

    Entering Customer Information (by the Bank Administrator)

    Step 1 After the demo application is successfully deployed, visit http://EIP:8080/adminLogin to access the administrator-facing page of the application.

    NO TE

    ● The EIP must be the IP address of the server where the demo application is deployed orthe floating IP address of the ECS.

    ● Default username: admin; password: the password inserted during applicationdeployment. (This information is for the demo only.)

    Step 2 Create an account and enter the customer information. For example, theinformation to be entered for the Democratic Bank includes the name, ResidentIdentity Card number, bank card number, and mobile number.

    Step 3 After the account is created, the administrator can view the account creationrecord in the Block Browser.

    ----End

    Applying for an Account (by a Customer)

    Step 1 Visit http://EIP:8080/userLogin to open the customer-facing page of theapplication.

    NO TE

    ● The EIP must be the IP address of the server where the demo application is deployed orthe floating IP address of the ECS.

    ● Default username: customer; password: the password inserted during applicationdeployment. (This information is for the demo only.)

    Step 2 Select Civilization Bank and log in.

    BCSBest Practices 8 Debugging the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 21

  • The account application page of the Civilization Bank is displayed. The customercan open an account with Civilization Bank based on the Democratic Bankaccount.

    In this process, the customer's identity is shared across the blockchain. Once thecustomer opens a bank account, the reviewed trusted identity information isrecorded to the blockchain and is encrypted and shared to other banks. Then, thecustomer can apply for accounts with other banks without repeating the approvalprocess.

    If the account is opened successfully, the system displays a message indicatingthat the bank account has been opened successfully based on the accountinformation of other banks. If the account opening failed, the system displays amessage reminding the customer to check the account information.

    Step 3 After the account is opened, the customer can view the account opening record inthe Block Browser.

    ----End

    BCSBest Practices 8 Debugging the Application

    Issue 01 (2020-10-19) Copyright © Huawei Technologies Co., Ltd. 22

    Contents1 About the Demo2 Buying a BCS Service3 Inviting Tenants to Join a Consortium4 Joining a Consortium5 Installing and Instantiating a Chaincode6 Configuring the Application7 Deploying the Application8 Debugging the Application