
Blockchain Service

User Guide

Issue 01

Date 2020-11-09

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.


Contents

1 Outline of the BCS Usage Process

2 Service Deployment
2.1 Using a CCE Cluster

3 Inviting Tenants to a Consortium Blockchain

4 Blockchain Management
4.1 Chaincode Management
4.2 Block Browser

5 Trusted Computing Platform (OBT)
5.1 Overview
5.2 Data Set Management
5.3 Analysis Algorithm Management
5.3.1 Writing an Analysis Algorithm
5.4 Order Management
5.5 Deployment Management
5.6 Identity Management

6 BCS Access

7 Service Management

8 Channel Management

9 Member Management

10 Notification Management

11 Add-on Management

12 Contract Management

13 O&M Center
13.1 Viewing Monitoring Data and Logs
13.2 Setting Web Disk Space Alarms
13.3 Disk Metrics
13.4 View O&M Logs

14 Permissions Management


1 Outline of the BCS Usage Process

The HUAWEI CLOUD Blockchain Service (BCS) provides functions such as service deployment, blockchain management, channel management, member management, and notification management. The following figure outlines the BCS usage process.


Figure 1-1 Outline of the BCS usage process


2 Service Deployment

2.1 Using a CCE Cluster

A BCS service can be deployed on a CCE cluster or an edge cluster. This section describes how to deploy a BCS service using a CCE cluster.

● Using a CCE cluster: Both the service instance and blockchain data are stored on HUAWEI CLOUD. If you do not have available hardware, you can purchase HUAWEI CLOUD resources and use a CCE cluster to deploy a BCS service.

● Using an edge cluster: The blockchain data is stored on your own node, that is, on edge nodes. BCS provides only the blockchain management capabilities. If the required hardware is available, you can use this method to avoid unnecessary resources and investments.

Prerequisites

If you need to perform operations on and subscribe to BCS services as an IAM user created by a HUAWEI CLOUD account, ensure that the IAM user has been granted the permissions of the following policies:

BCS Administrator, CCE Administrator, SWR Admin, VPC Administrator, SFS Administrator, BSS Administrator, ECS Admin, AOM Admin, APM Administrator, and DMS Administrator

SWR Admin, ECS Admin, and AOM Admin are fine-grained policies. To obtain the permissions of these policies, apply for the fine-grained access control function of IAM.

For details, see Permissions Management.

Deploying a BCS Service

After the environment is ready, perform the following steps to purchase and deploy a BCS service:


CAUTION

If your account is in arrears, the service web disk will be released and the purchased services will be unavailable.

Step 1 Buy a BCS service.

● Log in to the BCS console, and click Buy BCS Service in the upper right corner.

● To enable trusted computing for an existing BCS service, perform the following steps:

a. Log in to the BCS console.

b. In the navigation pane on the left, choose Add-on Management.

c. On the Add-on Repository tab page, click Install in the tc3-taskserver card.

NOTE

– To enable trusted computing for a deployed BCS service, ensure that the service has been upgraded to the latest version.

– Click Task Details on the Service Management page to view service deployment records, and click View Details or Delete on the right of the records.

Step 2 Set the BCS service parameters on the purchase page.

Table 2-1 Parameter description

| Parameter | Description | Example Setting |
|---|---|---|
| Billing Mode | BCS services are billed in pay-per-use mode. | - |
| Region | Select the region where the blockchain infrastructure is located. You are advised to select the same region as the service application system. | Retain the default value. |
| Enterprise Project | Select an existing enterprise project, to which the BCS service will be added. NOTE: ● If you have not enabled the enterprise management service, this parameter is unavailable. ● To use an existing CCE cluster to deploy a BCS service, you are advised to add the BCS service to the enterprise project of the CCE cluster. If the BCS service and the CCE cluster where the BCS service is deployed belong to different enterprise projects, the BCS service may fail to be used. | Select default. |
| Service Name | A service name can contain 4 to 24 characters, including letters, digits, and hyphens (-). It cannot start with a hyphen (-). | Enter bcs-wh. |
| Edition | BCS provides basic, professional, and enterprise editions. | Select Enterprise. |
| Blockchain Service Type | A private blockchain is used only by the tenant that deploys the BCS service. A consortium blockchain can be used by the blockchain initiator and the tenants that the initiator invites to join the consortium. | Select Consortium. |
| Consensus Mechanism | The supported mechanisms for blockchain nodes reaching consensus include: Solo (for testing), fast Byzantine fault tolerance (FBFT), Kafka (crash fault tolerant), and Raft (crash fault tolerant). NOTE: If Raft is selected, a basic-edition service has one orderer by default and a professional- or enterprise-edition service has three orderers by default. | Select FBFT. |
| Resource Access Initial Password | Password of blockchain administration user admin, ECS user root, or CouchDB database user. It will be used as such a password if Blockchain Mgmt. Initial Password, Initial Password displayed when NoSQL (CouchDB) is selected for Ledger Storage, or Password of Root User is not set in the advanced settings. | - |
| Confirm Password | Confirm the resource access initial password. | - |
| Advanced Settings | You can select Skip or Configure. If you select Skip, the system will configure the service based on Table 2-2. | Select Configure. |
| Cluster | Cluster where the BCS service will be deployed. You can use an existing CCE cluster or create a new one. NOTE: CCE clusters of v1.15 or earlier are supported. | Select Create a new CCE cluster. |
| AZ | Select the AZ where the ECS is located. | Select AZ1. |
| Specifications | Specifications of the ECSs in the CCE cluster. | Select the flavor for 4 vCPUs \| 8 GB. |
| Quantity | Quantity of ECSs | Enter 2. |
| High Availability | If you have high requirements on system reliability, purchase high-availability ECSs. | Select No. |
| VPC | You can create a new virtual private cloud (VPC), select an existing VPC, or let the system automatically create a VPC. | Select Automatically create VPC. |
| ECS Login Method | Either a password or key pair can be used to log in to ECSs. | Select Password. |
| Password of Root User | Password of the root user for logging in to ECSs. If you do not enter a password here, the previously specified resource access initial password will be used. | - |
| Confirm Password | Confirm the ECS login password of the root user. | - |
| Blockchain Mgmt. Initial Password | Password of the admin user for logging in to the BCS console. If you do not enter a password here, the previously specified resource access initial password will be used. | - |
| Confirm Password | Enter the blockchain management initial password again for confirmation. | - |
| Version | BCS service version. ● 4.0.2 corresponds to Hyperledger Fabric v2.0. ● 3.0.12 corresponds to Hyperledger Fabric v1.4.0. | Select 4.0.2. |
| Volume Type | ● SFS provides high-bandwidth and large-capacity file storage. ● SFS Turbo provides low-latency and high-IOPS file storage. ● EVS provides high I/O, low-latency disks. SFS is recommended. NOTE: – Only SFS is available in the AP-Hong Kong region. – Only SFS Turbo is available in the AP-Singapore and LA-Santiago regions. | Select SFS. |
| Peer Organization | Peer organizations to be added to the BCS service. | Add a peer organization named organization with 2 peers. |
| Orderer Quantity | Number of nodes that order transactions into blocks in the blockchain network. It is fixed to 4 if the FBFT ordering service is used. | 4 |
| Enable Data Aging on Orderers | When the amount of data on an orderer reaches a specified threshold, the system automatically deletes the earliest data to prevent exceptions caused by insufficient storage space. This function can be enabled if Consensus Mechanism is set to Kafka (CFT). | Select No. |
| Security Mechanism | Encryption algorithm used to ensure data security. ECDSA and Chinese cryptographic algorithm are supported. | Select ECDSA. |
| Storage Capacity of Peer Organization | Stores shared ledger, consensus data, and other intermediate data of the blockchain system. | Set it to 100 GB. |
| Ledger Storage | Multiple types of databases can be used for ledger storage. For details about their differences, see the corresponding tips on the GUI. | Select File database (goleveldb). |
| Channel Configuration | Channels isolate business in a consortium blockchain. Business participants (some or all of the organizations in a consortium) are channel members. Each channel can be regarded as a sub-chain and corresponds to one ledger. | By default, a channel named channel has been created, and the peer organization you just specified has been added to the channel. |
| Enable Support for RESTful APIs | If you need to use RESTful APIs to invoke chaincodes, select Yes. | Select No. |
| Use EIP | To use an elastic IP address (EIP) bound to the cluster as the blockchain network access address, select Yes. | Select Yes. |
| EIP Billed By | If you select Pay-per-use for Billing Mode, EIPs can be charged by bandwidth or traffic. | Select Bandwidth. |
| EIP Bandwidth | - | Set it to 5 Mbit/s. |
| Configure Block Generation | The configuration of block generation includes the block generation interval, maximum number of transactions in a block, and maximum size of a block. A new block is generated at the specified interval or when the transaction quantity or size of a block reaches the threshold. Configure these parameters based on the transaction frequency and service volume. | Select No. |
| Enable Trusted Computing | Trusted computing enhances full-lifecycle data security and privacy by using trusted execution environments (TEEs). It helps achieve trusted sharing of data assets, secure multi-party computation, and confidential computing. Trusted computing is not supported by basic-edition BCS services, BCS services deployed in edge clusters, and BCS services that use Chinese cryptographic algorithms. Select Yes or No as required. ● Yes: Enable trusted computing for the service. For details about Trusted Computing Platform, see Trusted Computing Platform (OBT). ● No: Do not enable trusted computing. After the BCS service is created, you can still enable Trusted Computing Platform by installing an add-on. For details, see Add-on Management. | Select No. |

Table 2-2 Default specifications

| Item | Basic | Professional | Enterprise | Platinum |
|---|---|---|---|---|
| Number of CCE cluster nodes | 1 | 1 | 2 | 4 |
| CCE node specifications | 4 vCPUs and 8 GB | 4 vCPUs and 8 GB | 4 vCPUs and 8 GB | 16 vCPUs and 32 GB |
| Note: If the default specifications are sold out, other higher specifications will be purchased by default. |
| High availability of the CCE cluster | No | No | No | No |
| Storage of the SFS file system | 40 GB | 100 GB | 100 GB | 500 GB |
| Kafka (DMS) | ● Assured bandwidth: 100 MB/s ● Storage class: Common I/O ● Storage space: 600 GB Note: If the default specifications are sold out, other higher specifications will be purchased by default. |
| EIP | ● Type: Dynamic BGP ● Bandwidth: 5 Mbit/s |

Step 3 Click Next, confirm the configuration, and click Submit.

Wait for several minutes. After a message is displayed indicating successful installation, check the status of the service. If it is Normal, the BCS service deployment is completed.

----End

Subsequent Operations (Optional)

You can configure an anti-affinity label for the cluster node where the BCS service is deployed. This label can be used to isolate the service from other applications in the same cluster to ensure normal running of the system.

Step 1 Log in to the CCE console. In the navigation pane, choose Resource Management > Nodes. The node list is displayed. Choose Operation > Manage Label in the Operation column.

Step 2 Click Add Label. Set Key to nodeScope and Value to userApplication for the label to be added.

Step 3 Click OK. After "Label updated successfully." is displayed, click Manage Labels again. Then you can see the label that you have added.

----End


3 Inviting Tenants to a Consortium Blockchain

After creating a consortium blockchain, you can invite tenants to join it.

NOTE

● Existing BCS services corresponding to Fabric v1.1.0 can be upgraded to the version corresponding to Fabric v1.4.0. For new BCS services, Fabric v1.1.0 will not be supported and only Fabric v1.4.0 and v2.0 are supported.

● BCS services corresponding to Fabric v1.4.0 can be upgraded to the version corresponding to Fabric v2.0. If one member in a consortium blockchain has upgraded to Fabric v2.0, all consortium members must also upgrade to v2.0. Otherwise, transactions will fail. For details about upgrading the version, see Step 3.
  ● BCS v3.0.12 corresponds to Hyperledger Fabric v1.4.0.
  ● BCS v4.0.2 corresponds to Hyperledger Fabric v2.0.

● For existing consortium blockchains of v1.1.0, an invitee can still create a blockchain of v1.1.0 and join the consortium.

● If one party in a consortium blockchain has upgraded to v1.4.0, all consortium members must also upgrade to v1.4.0. Otherwise, transactions will fail.

Note

BCS services deployed in CCE clusters or edge clusters can form a consortium blockchain. When using edge clusters, ensure the network connectivity between the VPCs where the edge clusters of different tenants reside.

1. Use the EIP when creating a BCS service.
To ensure network connectivity, enter the EIP of the edge cluster where a BCS service is deployed.


2. View EIPs.
Go to the ECS console to view the EIPs in the ECS list.

3. For an existing BCS service deployed using an edge cluster, you can switch its access address to an EIP.
Choose More > Change Access Address in the service card and then enter an EIP.

You can also connect VPCs of different tenants by establishing VPC peering connections or using Direct Connect connections.

CAUTION

When changing the access address for an existing BCS service deployed using an edge cluster, note the following:

● If the consortium has not been formed, enter an EIP as the new address.

● If the consortium has already been formed, do not change the access address.

Inviting a Tenant

Step 1 Log in to the BCS console.

Step 2 Choose Member Management in the navigation pane on the left. Click Invite Tenant in the upper right corner of the page.

Step 3 In the Invite Tenant window, select your BCS service and channel, and enter the invited tenant's name.


Figure 3-1 Inviting a tenant

Step 4 (Optional) Click Add Tenant to invite multiple tenants.

NOTE

A maximum of 5 tenants can be invited. Only the platinum edition supports changes in the member quantity quota initiated by submitting service tickets.

Step 5 Click OK. An invitation notification is sent to the invited tenant.

----End

Accepting/Declining an Invitation

When you are invited to join a consortium blockchain, you will receive a notification. You can either accept or decline it.

Step 1 Log in to the BCS console.

Step 2 Choose Notification Management in the navigation pane on the left. On the Notification Management page, locate the notification and click View Details in the Operation column.

● To accept the invitation, select the organization that you want to add to the consortium, and then click Accept.

● To decline the invitation, click Decline.


NOTE

– If you have not created a BCS service, click Create Service to create a service before selecting an organization. Otherwise, you cannot join the consortium.

Figure 3-2 Creating a BCS service after receiving an invitation

– For details about how to create a BCS service, see Service Deployment Using a CCE Cluster. To successfully join a consortium blockchain, certain parameters of your service must have the same settings as the inviter's BCS service, such as the blockchain type, consensus mechanism, and security mechanism. Therefore, these parameters are dimmed on the service configuration page and cannot be modified.

----End


4 Blockchain Management

4.1 Chaincode Management

You can manage chaincodes on the web, including chaincode installation, instantiation, and update, and develop chaincodes using an online editor.

Note

If the Network Status displayed in the upper right corner of the Blockchain Management page is abnormal, do not perform any operations. Wait for a few minutes until the network is recovered.

Installing a Chaincode

Step 1 Log in to the Blockchain Management console.

● If the BCS service is deployed in a CCE cluster, perform the following steps to go to the Blockchain Management console:

a. Log in to the BCS console.

b. Click Manage Blockchain in a service card.

c. Enter the username, password, and verification code, and click Log In.

● If the BCS service is deployed in an edge cluster, perform the following steps to go to the Blockchain Management console:

a. Log in to the IEF console.

b. In the navigation pane, choose Edge Applications > Containerized Applications.

c. Click the container whose name ends with "baas-agent", and view its edge node in the instance list.


Figure 4-1 Querying the edge node

d. Click the node name to view the node details and record the host name.

e. Go to the ECS console. Enter the host name to search for the ECS managing the edge node. Record the Elastic IP address (EIP) of the ECS.

Figure 4-2 Querying the EIP of the ECS

f. Access the Blockchain Management console at https://IP:30603.

g. Enter the username, password, and verification code, and click Log In.

NOTE

▪ The username is admin, and the initial login password is the password set when you buy the BCS service. To ensure the system security, change the password periodically.

▪ If you use the Internet Explorer, you may fail to open the Blockchain Management login page and see a message indicating that the certificate is untrusted. In this case, you can click here to resolve the problem.

Step 2 On the Chaincode Management page, click Install Chaincode.

Step 3 On the Install Chaincode dialog box, enter the chaincode name and version number, select the peers where the chaincode is to be installed, select the chaincode programming language, and add the chaincode file, as shown in the following figure.


Step 4 Click Install.

----End

Instantiating a Chaincode

After a chaincode is installed, it must be instantiated on the channel so that the peers can interact with each other using the distributed ledger and the chaincode container.

Before instantiating a chaincode, you need to add the peers to the channel. Otherwise, the chaincode cannot be instantiated.

Step 1 Click Instantiate in the Operation column of the chaincode list.

Step 2 Specify the channel for instantiation, chaincode version, endorsement policy, endorsing organizations, initialization function and chaincode parameters.


Figure 4-3 Instantiating a chaincode

Step 3 Enter the private data (JSON format) to be protected in the text box below Privacy Protection.

If you want to restrict data in a shared channel to certain specified members, use the privacy protection function. Skip this step if privacy protection is not required for your chaincode.

Configure privacy protection by referring to the example and the following parameter description:

● name: Name of the collection of private data, for example, collectionPrivateDetails.

● policy: Peers allowed to access the data in the collection. In the example, only peers of organizations Org1 and Org2 are allowed to obtain the data in the collection.

● requiredPeerCount: Number of endorsing peers to which the private data can be disseminated. In the example, value 0 indicates that there is no endorsing peer.


● maxPeerCount: Maximum number of orderers, which is 3 in the example. Multiple orderers can be used for data redundancy. If one orderer is unavailable, other orderers can respond to requests for obtaining the private data.

● blockToLive: Maximum number of blocks that the private data can live for. If the number of blocks exceeds the threshold, the private data will be cleared. To keep private data indefinitely, set this parameter to 0.

● memberOnlyRead: The default value is true. The access policy set in policy takes effect only when memberOnlyRead is set to true.

Example of privacy protection configuration (JSON):

[
    {
        "name": "collectionPrivateDetails",
        "policy": "OR('Org1MSP.member','Org2MSP.member')",
        "requiredPeerCount": 0,
        "maxPeerCount": 3,
        "blockToLive": 0,
        "memberOnlyRead": true
    }
]

This configuration indicates that the chaincode uses a private data collection called collectionPrivateDetails. Only the peers of organizations Org1 and Org2 have access to the data in this collection.

NOTE

The values of name and blockToLive cannot be modified during subsequent chaincode upgrade. For more information, see Using Private Data in Fabric.

Step 4 Click Instantiate.

If privacy protection is configured, you can click View More after the chaincode is successfully instantiated to download the private data and check whether the privacy protection settings are correct.

Figure 4-4 Downloading private data

If chaincode instantiation fails, refer to Chaincode Instantiation Error Codes to determine the cause.

----End
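The parameter rules from Step 3 can be checked before the JSON is pasted into the Privacy Protection text box. The Python linter below is an added example, not part of the BCS guide or of Huawei or Fabric tooling; the function names, the reviewer-supplied list of allowed MSP IDs, and the second sample configuration are assumptions constructed for illustration.

```python
import json
import re

# Constructed input: the collection definition from the guide's example.
GUIDE_EXAMPLE = """[{"name": "collectionPrivateDetails",
  "policy": "OR('Org1MSP.member','Org2MSP.member')",
  "requiredPeerCount": 0, "maxPeerCount": 3,
  "blockToLive": 0, "memberOnlyRead": true}]"""

# Constructed input: a later revision containing several mistakes.
BAD_REVISION = """[{"name": "collectionPrivateDetails",
  "policy": "OR('Org1MSP.member','Org2MSP.member','Org3MSP.member')",
  "requiredPeerCount": 4, "maxPeerCount": 3,
  "blockToLive": 100, "memberOnlyRead": false}]"""

FIELD_TYPES = {"name": str, "policy": str, "requiredPeerCount": int,
               "maxPeerCount": int, "blockToLive": int}

# Matches principals such as 'Org1MSP.member' and captures the MSP ID.
PRINCIPAL_RE = re.compile(r"'([A-Za-z0-9.-]+)\.(?:member|admin|client|peer)'")


def policy_msps(policy):
    """Return the set of MSP IDs named in a collection policy string."""
    return set(PRINCIPAL_RE.findall(policy))


def _load(text):
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(c, dict) for c in data):
        raise ValueError("configuration must be a JSON array of objects")
    return data


def lint_collections(config_text, allowed_msps, previous_text=None):
    """Return a list of findings; an empty list means no issue was found.

    allowed_msps:  MSP IDs that are meant to read the private data.
    previous_text: configuration of the currently instantiated version,
                   given only when the chaincode is being upgraded.
    """
    findings = []
    collections = _load(config_text)
    names = set()
    for index, col in enumerate(collections):
        label = str(col.get("name", f"collection #{index}"))
        # bool is a subclass of int in Python, so reject it explicitly.
        wrong = sorted(k for k, t in FIELD_TYPES.items()
                       if not isinstance(col.get(k), t)
                       or isinstance(col.get(k), bool))
        if wrong:
            findings.append(f"{label}: missing or mistyped fields {wrong}")
            continue
        if label in names:
            findings.append(f"{label}: duplicate collection name")
        names.add(label)
        if not 0 <= col["requiredPeerCount"] <= col["maxPeerCount"]:
            findings.append(f"{label}: need 0 <= requiredPeerCount <= maxPeerCount")
        if col["blockToLive"] < 0:
            findings.append(f"{label}: blockToLive must be 0 or a positive number")
        # Per the guide, the policy only takes effect when memberOnlyRead is true
        # (true is also the default when the key is omitted).
        if col.get("memberOnlyRead", True) is not True:
            findings.append(f"{label}: memberOnlyRead is not true, policy not enforced")
        msps = policy_msps(col["policy"])
        if not msps:
            findings.append(f"{label}: no MSP principal found in policy")
        extra = sorted(msps - set(allowed_msps))
        if extra:
            findings.append(f"{label}: policy grants access to unexpected MSPs {extra}")

    # Per the guide's note, name and blockToLive cannot change on upgrade.
    if previous_text is not None:
        current = {c.get("name"): c for c in collections}
        for old in _load(previous_text):
            new = current.get(old.get("name"))
            if new is None:
                findings.append(f"{old.get('name')}: collection renamed or removed on upgrade")
            elif new.get("blockToLive") != old.get("blockToLive"):
                findings.append(f"{old.get('name')}: blockToLive changed on upgrade")
    return findings


if __name__ == "__main__":
    expected = {"Org1MSP", "Org2MSP"}
    print(lint_collections(GUIDE_EXAMPLE, expected))
    for finding in lint_collections(BAD_REVISION, expected, GUIDE_EXAMPLE):
        print(finding)
```

Run it against the file you intend to paste, and again against the file downloaded through View More, to confirm that the deployed settings match what was reviewed.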

Updating a Chaincode

If your chaincode is updated, you need to install and instantiate it again to meet new business requirements.


Step 1 Click Update in the Operation column of the chaincode list.

Step 2 Fill in the chaincode version, select peers, add a chaincode file, and click Update.

Step 3 Instantiate the updated chaincode. For details, see Instantiating a Chaincode.

Step 4 (Optional) Click in front of the chaincode name. You can see details about this chaincode, including the versions and installation and instantiation information.

----End

NOTE

BCS provides an online chaincode editor. Use Google Chrome to open the Blockchain Management console. Then, click Edit Chaincode on the Chaincode Management page to edit, debug, and run chaincodes.

Chaincode Instantiation Error Codes

Chaincode instantiation may fail due to various causes. When confronted with an instantiation failure, you can refer to the following table to determine the cause.

Table 4-1 Error codes

Error Code Message

6001 Instantiation timed out.
6999 Unknown error.
6701 Client failed to connect to a peer.
6703 Endorsement signature failed verification.
6704 Failed to pull the ccenv image during chaincode compilation.
6705 Chaincode compilation failed.
6707 Failed to build a chaincode image.
6708 Failed to create a chaincode container.
6709 Failed to register the chaincode container.
6710 Client failed to connect to an orderer.
6712 Transaction recording in ledgers failed.
6713 Request error determined by the orderer.
6714 The endorsement policy failed the verification.
6715 Instantiation failed because instantiation of another chaincode has already been started.
6716 Error detected in the init() function parameters.
6717 Error detected in the invoke() function parameters.
6720 Failed to create a chaincode certificate.
6721 Chaincode container startup timed out.
6722 Transaction timed out because init() execution abnormally terminates after startup of the chaincode container.
6723 A chaincode with the same schema has already been instantiated on this channel.
6725 The signature set does not satisfy the endorsement policy.
6726 The instantiation policy failed the verification. Select a peer of an organization that exists in the channel before chaincode instantiation to upgrade the chaincode.
6803 Duplicate import files in the chaincode package.
6901 Instantiation failed. The chaincode to be instantiated must contain all the tables in the previously instantiated chaincode.
6902 Instantiation failed. The chaincode to be instantiated must contain all the fields in the previously instantiated chaincode.
6903 Instantiation failed. The chaincode to be instantiated must not contain any changes to the field attributes included in the previously instantiated chaincode.
6904 The schema file of the instantiated chaincode does not exist.
6905 Failed to resolve the schema file.
6906 Insufficient disk space.

4.2 Block Browser

You can query blockchain information required for maintenance, including the block quantity, transaction quantity, block details, transaction details, performance, and peer statuses.

Procedure

Step 1 Open the block browser page.

1. Log in to the BCS console.
2. Click Manage Blockchain in a service card.
3. Enter the username, password, and verification code, and click Log In.
4. Choose Block Browser in the navigation tree on the left.

Step 2 Select a channel from the Channel drop-down list box. Real-time data is displayed in the lower part of the page.

Step 3 You can view the following data in the block browser.

Table 4-2 Data

Item Description

Peers: Number of peers in the selected channel

Chaincodes: Number of chaincodes in the selected channel, that is, the number of the chaincode versions

Blocks: Number of generated blocks

Transactions: Number of transactions that have been performed

Block details: Click the Block List tab to view the block hash, data hash, and creation time of recent blocks.

Transaction details:
● Click the Transaction List tab to view the information about recent transactions such as the transaction IDs, creators' MSPs, and creation time.
● Click View Details in the Operation column of the transaction list to view more details about the transaction.

Performance analysis: The line charts show the trends of performance data, helping you know the performance status.
● Block performance: Click Block to view changes in the block quantity. Move the pointer along the curve to view the number of blocks at different time points.
● Transaction performance: Click Transaction to view changes in the transaction quantity. Move the pointer along the curve to view the number of transactions at different time points.
NOTE: You can select a time granularity (hours or minutes) in the upper right corner of the chart.

Transaction quantity of organizations: The pie chart shows the percentage of each organization's transactions.
NOTE: Move the pointer on the pie chart to view the transaction quantity and percentage of each organization.

Peer status: You can view the running statuses of all peers in the selected channel to detect exceptions of peers in time.

----End


5 Trusted Computing Platform (OBT)

5.1 Overview

Trusted computing ensures the security of blockchains. BCS provides the Trusted Computing Platform to address security and privacy issues in enterprise data cooperation. Data silos can be eliminated through trusted data sharing. Computing is performed where the data resides, so that data can be kept secure while being computed. The Trusted Computing Platform provides the following capabilities:

● Privacy protection: Federated learning and trusted execution environment (TEE) ensure that raw data can be computed without being revealed, ensuring the data privacy of all parties. As a part of the Trusted Computing Platform, TEE enables trusted data exchange, computing, credential management, and token management.

● Full-lifecycle trustworthiness: Trustworthiness is ensured throughout the lifecycle spanning resource registration, identity authentication, data release, computing review, computing scheduling, and asset settlement. Evaluation, auditing, and tracing are driven and documented by blockchains and smart contracts.

The Trusted Computing Platform is suitable for big data bureaus, economy bureaus, large enterprises, research institutions, and medical institutions.

Enabling Trusted Computing

You can enable trusted computing for a BCS service in either of the following ways:

● When creating a BCS service, select Yes for Enable Trusted Computing. For details, see Using a CCE Cluster.

● If you did not enable trusted computing during the BCS service creation, you can still enable it by installing an add-on. For details, see Add-on Management.

NOTE

Trusted computing is not supported by the following BCS services:

● Basic-edition BCS services

● BCS services deployed in edge clusters

● BCS services that use Chinese cryptographic algorithms

Viewing the Dashboard of Trusted Computing Platform

The Dashboard page of the Trusted Computing Platform provides an overview of computing task statuses and resources, and the general procedure for using the trusted computing platform. On the Dashboard page, you can perform the following operations in sequence:

Deployment Management > Identity Management > Data Set Management > Analysis Algorithm Management > Order Management

Figure 5-1 Dashboard page

5.2 Data Set Management

You can upload data sets to the server. After being encrypted, the data sets will be released to the blockchain and can be used by others. You can also apply for data sets that have already been released.

On the Data Sets page of Trusted Computing Platform, you can create data sets and apply for public data sets.

Step 1 Log in to Trusted Computing Platform. In the navigation pane on the left, choose Data Sets.

Step 2 Click Create Data Set in the upper left corner of the Data Sets page.

Step 3 Specify the name and description of the data set, and upload a sample data set and the complete data set.


Figure 5-2 Creating a data set

Step 4 Click OK.

Step 5 On the Public Data Sets tab page, apply for public data sets.

● Click Apply in the row containing the data set you want to apply for, and then click Yes.

● Click Download Sample in the row containing the data set that you want to download to use as a sample data set.

Step 6 On the My Data Sets tab page, view your data sets.

● Click Released to view the data sets you have released. You can download samples of these data sets or delete these data sets.

● Click Applied to view the data sets you have applied for. You can also download samples of these data sets.

----End

5.3 Analysis Algorithm Management

You can use an analysis algorithm to compute data of a data set that has already been released to the blockchain. When you apply for an analysis algorithm, you are requesting the right to use the data set on which the algorithm is based. You can compute the data set by using the analysis algorithm.

On the Analysis Algorithm page of Trusted Computing Platform, you can create and apply for analysis algorithms.

Step 1 Log in to Trusted Computing Platform. In the navigation pane on the left, choose Analysis Algorithms.

Step 2 Click Create Analysis Algorithm on the Public Algorithms or My Algorithms tab page.

Step 3 Specify the analysis algorithm name, description, and initial parameter, select or upload a source file, and specify the compute type, compute node, and the data set.


Figure 5-3 Creating an analysis algorithm

Step 4 Click OK.

Step 5 On the Public Algorithms tab page, apply for public algorithms.

Step 6 On the My Algorithms page, view your algorithms.

● Click Released to view the algorithms you have released. You can delete these algorithms.

● Click Applied to view the algorithms you have applied for.

----End

5.3.1 Writing an Analysis Algorithm

You can write your own algorithm scripts in Python and upload them by using PySpark. The computing tasks on computing nodes are submitted through spark-submit. You can design your algorithms based on the downloaded data set samples to implement SQL queries, data analysis, machine learning, and more.

The algorithm script needs to accept the following parameters:

● Path of the data file, which cannot be empty. You can configure multiple paths.

● Path for storing computing results, which cannot be empty. If you want to save the model, save the result to this folder.

● Computing dependency parameters, which can be empty. You can configure multiple dependency parameters.

The following example shows a simple implementation of k-means clustering. In lines 48 to 50, the function acceptance parameters are set according to the preceding parameter requirements. In lines 79 and 80, the computing results are saved to the specified file. For more examples, download the demo package at https://bcs.obs.cn-north-1.myhuaweicloud.com/tc3/TC3-Worker-Demo-master.tar.


5.4 Order Management

There are two types of orders:

● Data set orders: After a data set application is approved, the applicant can obtain the plaintext of the data set.

● Algorithm orders: After an analysis algorithm application is approved, the applicant can obtain the computing result, but cannot obtain the plaintext of the algorithm.

On the Orders pages, you can apply for data sets and analysis algorithms, run algorithms, and obtain computing results.

Viewing My Applications

Step 1 Log in to Trusted Computing Platform. In the navigation pane, choose Orders > My Applications.

Step 2 Click the Data Sets tab.

● Click Approved to view the successful data set applications. You can click Download Result to download the data set.

● Click Pending to view the data set applications pending approval. You can click Withdraw Application to withdraw the application.

● Click Rejected to view the rejected data set applications. You can click Apply Again to apply for the data set again.

Step 3 Click the Analysis Algorithms tab.

● Click Approved to view the successful algorithm applications. You can click Run Algorithm to run the algorithm and click Download Result to download the computing result.

● Click Pending to view the algorithm applications pending approval. You can click Withdraw Application to withdraw the application.

● Click Rejected to view the rejected algorithm applications. You can click Apply Again to apply for the algorithm again.

----End

Viewing My Reviews

Step 1 Log in to Trusted Computing Platform. In the navigation pane, choose Orders > My Reviews.

Step 2 Click the Data Sets tab.

● Click Approved to view the data set applications you have approved.

● Click Pending to view the data set applications pending approval. You can click Approve or Reject to approve or reject the application.

● Click Rejected to view the data set applications you have rejected.

Step 3 Click the Analysis Algorithms tab.

● Click Approved to view the algorithm applications you have approved.

● Click Pending to view the algorithm applications pending approval. You can click Approve or Reject to approve or reject the application.

● Click Rejected to view the algorithm applications you have rejected.

----End

Managing Tasks

After your algorithm application is approved, you can run the algorithm on the My Applications > Analysis Algorithms page. Then, a computing task is generated.

On the Tasks page, you can manage the computing tasks running based on the analysis algorithms.

Step 1 Log in to Trusted Computing Platform. In the navigation pane on the left, choose Orders > Tasks.

Step 2 View the task information on the Tasks page.

Task statuses include:

● Completed: The task is completed. You can download the results or delete tasks in this state.

● Running: The task is running. You can stop or delete tasks in this state.

● Queued: The task is waiting to run. You can stop or delete tasks in this state.

● Abnormal: An error occurs on the task. You can restart or delete tasks in this state.

● Stopped: The task has been stopped. You can restart or delete tasks in this state.

----End

5.5 Deployment Management

On Trusted Computing Platform, you can install and instantiate chaincodes for trusted, collaborative computing.

This section describes how to deploy trusted chaincodes.

Step 1 Log in to Trusted Computing Platform.

Perform the following steps to access Trusted Computing Platform:

1. Log in to the BCS console.
2. In the navigation pane on the left, choose Add-on Management.
3. On the Add-on Instances tab page, click Access Trusted Computing Platform.
4. Enter the username, password, and verification code, and click Log In.

Figure 5-4 Accessing the Trusted Computing Platform

NOTE

● The default username is admin, and the initial login password is the password set when you buy the BCS service. For security purposes, change the password periodically.

● Use Firefox 38.0 or later or Google Chrome 43.0 or later for login. If you use Internet Explorer, the redirection may fail and a message will be displayed indicating that the certificate is untrusted. In this case, resolve the problem according to the instructions provided on the Microsoft official website.

Step 2 The default trusted chaincode has already been installed and instantiated on the default channel trustedchannel. If there are additional channels, proceed with the next step.

Step 3 On Trusted Computing Platform, choose Deployment Management in the navigation pane on the left.


Step 4 Click Configure Trusted Chaincode on the right of the page.

Step 5 Select a channel. Then, select all peers or specify the organization and peers.

Figure 5-5 Configuring a trusted chaincode

Step 6 Click Install.

----End

5.6 Identity Management

Trusted computing depends on decentralized identity (DID). All operations on the Trusted Computing Platform are performed by DID users. After enabling trusted computing, an enterprise or organization can create a DID user and perform trusted computing as the DID user.

This topic describes how to register and update a DID user.

Registering a User

NOTE

● System user: the admin user for logging in to Trusted Computing Platform. The system user can configure trusted chaincodes, but all other operations are performed by the DID user.

● DID user: You must create a valid DID user to manage data sets, analysis algorithms, tasks, and orders.

Step 1 Log in to Trusted Computing Platform. In the navigation pane on the left, choose Identity Management.

Step 2 Click Register User.

Step 3 Enter the name, phone number, access key ID (AK), and secret access key (SK).

NOTE

AK/SK constitute the access key of a public cloud account. For details about how to create an access key, see My Credentials.

Figure 5-6 Registering a user

Step 4 Click OK.

----End

Updating DID User Information

Step 1 Log in to Trusted Computing Platform. In the navigation pane on the left, choose Identity Management.

Step 2 Click Update in the Operation column of the row containing the user you want to update.

Figure 5-7 Updating DID user information


Step 3 Click OK.

----End


6 BCS Access

The BCS supports chaincode functions such as execution and query. Before developing an application, you need to download the certificates and SDK configuration. The SDKs can use the configuration file to easily access the blockchain network and complete transactions. You do not need to manually configure the SDKs.

Downloading Certificates

Two types of certificates are now supported: administrator certificate and user certificate. The administrator certificate is required to create, join, and upgrade a channel, and install, instantiate, update, and delete a chaincode. For transactions and query, you are advised to use the user certificate. Download the certificates of a service on the Service Management page.

NOTICE

● The administrator certificate differs between an orderer and a peer. For management within a channel, you need to use the administrator certificate for peers instead of that for orderers.

● Keep the private key in the downloaded certificate secure. You are advised to encrypt the private key for storage.

Step 1 Log in to the BCS console.

Step 2 In the navigation pane on the left, choose Service Management.

Step 3 Click the target service to view its details.

Step 4 In the Blockchain Organizations section of the service details page, click to download the required certificates.

Figure 6-1 Downloading certificates

Step 5 Decompress the downloaded certificate packages and store the files in an application directory for the application to access.

----End

Downloading the SDK Configuration

Step 1 On the Service Management page, choose More > Download SDK Configuration, as shown in the following figure.

Figure 6-2 Downloading the SDK configuration

Step 2 Configure the SDK file parameters, as shown in the following figure.


Figure 6-3 Configuring the SDK file

Table 6-1 Parameters

Parameter Setting

Chaincode Name: Set it as required.

Certificate Root Path: Enter the root path of the certificates specified during application compilation.

Channel: Select a channel.

Member: Select peer organizations in the channel.

Step 3 Click Download. The downloaded file package can be named test-sdk-config.zip.

Step 4 Decompress the file package and store the retrieved test-sdk-config.yaml file.

----End


7 Service Management

You can view the running status of your BCS services and perform operations on your BCS services.

Procedure

Step 1 Log in to the BCS console.

Step 2 In the navigation pane, choose Service Management. You can view the overall running status of your services. For details about the parameters, see Table 7-1.

Click a service to view its details.

● Viewing the basic information of a service
Click a service and view its basic information on the Basic Information tab page, including the service details, blockchain organization information, CPU usage, physical memory usage, and add-ons.

● Viewing the monitoring data of a service
Click a service and then click the Monitoring tab to view monitoring data about the service and the instances.

● Viewing the logs of a service
Click a service and then click the Logs tab to view the logs of the service.

For details about viewing monitoring data and logs, see Viewing Monitoring Data and Logs.

NOTE

In the Blockchain Organizations section of the service details page, click to download the required certificates.

Table 7-1 Parameter description

Parameter Description

Blockchain Type: Type of the blockchain, that is, Consortium or Private.

Consensus Mechanism: The name of the consensus mechanism, for example, Solo. Four consensus mechanisms are supported:
● Solo: Only one orderer is available, and therefore, fault tolerance is not supported. Solo is recommended for testing.
● FBFT: Requires 4 to 10 orderers for transaction ordering and tolerates faults at a maximum of (N - 1)/3 orderers, where N indicates the total number of orderers. For example, assume that there are 4 orderers. Transactions can be correctly ordered if no orderer or only 1 orderer experiences faults.
● Kafka (CFT): Orders transactions using Kafka clusters. Multiple orderers can function as Kafka cluster clients to share loads, ensuring service reliability. Kafka enables higher horizontal scalability.
● Raft (CFT): A CFT ordering service that tolerates faults at a maximum of (N - 1)/2 orderers, where N indicates the total number of orderers. For example, assume that there are 3 orderers, and then transactions can be correctly ordered if no orderer or only 1 orderer experiences faults.

Status: Status of the BCS service, which can be Unknown, Normal, Abnormal, Creating, Upgrading, Adding peers, EIP abnormal, Deleting, Frozen, Hibernating, or Cluster frozen.

Created: Time when the BCS service was created, for example, 2020/08/10 20:30:21 GMT+08:00.

Orderer: Number of normal and abnormal orderer organizations.

Peer: Numbers of normal and abnormal peer organizations and instances.

Agent: Numbers of normal and abnormal agent organizations.

Add-ons: Number of add-ons. For example, 1/2 indicates that the total number of instances is 2 and 1 instance is abnormal.

Step 3 You can perform the operations listed in Table 7-2 on the Service Management page.

Table 7-2 Operation list

Subject Operation Description

Subject: Organization
Operation: Adding an organization
Description:
1. In the service card, click . Specify the name for Peer Organization and a quantity for Peers, and select Network Storage.
2. Click Next.
NOTE
● This operation cannot be performed on services that use the basic edition.
● Do not perform any operations on the service when an organization is being added. Otherwise, the service running may be affected.
● The service price will change after an organization is added. The price shown at the bottom of this page is the amount to be paid for the new organization added to a yearly/monthly-billed service, or the hourly price for a pay-per-use service after the change.
● After you add an organization to an existing channel, update the endorsement policy of the channel before instantiating the chaincode. Otherwise, the instantiation may fail due to a certificate verification failure.
● After organization addition, the price will change. Pay attention to the notes on the upper part of the page and the price at the bottom.

Subject: Service
Operation: Managing the blockchain
Description: This operation is available only after an EIP is bound. In the service card, click . On the displayed Blockchain Management console, you can view, install, instantiate, update, and delete chaincodes.


Upgrading the version

A BCS service can be upgraded to the latest version if Upgradable is displayed in the upper left corner of the card containing the service. The operations are as follows:
1. Log in to the BCS console.
2. In the navigation pane, choose Service Management.
3. Choose More > Upgrade in the service card.
4. In the dialog box that is displayed, view the current service version or upgrade the BCS service to the latest version.

NOTE
● Services are unavailable during version upgrade. If you are a member of a consortium blockchain, your version upgrade will also affect other members in the same blockchain. Before upgrading the version, ensure that you have reached consensus with other members in the consortium and that their components will also be upgraded to the target version.

● Do not initiate version upgrade when the chaincode is being installed or instantiated.

● You can upgrade a BCS service from the version corresponding to Hyperledger Fabric v1.4 to the version corresponding to Hyperledger Fabric v2.0. If one member in a consortium blockchain has upgraded, all consortium members must also upgrade to the same version. Otherwise, transactions will fail.
– BCS v3.0.12 corresponds to Hyperledger Fabric v1.4.0.
– BCS v4.0.2 corresponds to Hyperledger Fabric v2.0.

Changing editions

BCS provides four editions with different specifications. If the edition you selected during deployment cannot meet your business requirements, click More > Change Edition in the card containing the service to change the edition, for example, from professional to platinum.

NOTE
Currently, you can only change the edition of enterprise-edition services billed in the yearly/monthly mode.

Downloading the SDK configuration

Choose More > Download SDK Configuration in the service card. In the Download SDK Configuration dialog box, set the parameters and click Download. The downloaded SDK configuration will be used for application development.


Resetting the management password

Choose More > Reset Management Password in the service card. By default, resetting this password will also reset the passwords for logging in to the Blockchain Management console and Trusted Computing Platform. If you do not want to reset these passwords together, change the passwords on the Blockchain Management console or Trusted Computing Platform separately.

Changing the blockchain network access address

Choose More > Change Access Address in the service card, select a new address, and click OK.

Hibernating a service

Choose More > Hibernate in the service card.

NOTE
● Pay-per-use services can be hibernated, while yearly/monthly services cannot.
● Only services in the Normal state can be hibernated.
● A service in hibernation does not incur management fees until it is woken.

Waking a service

Choose More > Wake.

NOTE
● Pay-per-use services in hibernation can be woken, while yearly/monthly services cannot be hibernated or woken.
● After a service is woken, management fees are charged.

Changing to the yearly/monthly billing mode

Choose More > Change Billing Mode in the service card. If you selected Pay-per-use when buying a BCS service, you can change it to the yearly/monthly billing mode after the service is created.

Deleting or unsubscribing from a service

Choose More > Delete or Unsubscribe in the service card.
● A pay-per-use service can be deleted.
● A service billed in yearly/monthly mode can be unsubscribed. After the unsubscription application is approved, the remaining fees paid for the service will be refunded.


Other Operations

Viewing failure records

In the upper left of the service cards on the Service Management page, the number of failure records is displayed. You can click the record quantity or to view the failure records. Click View Details to view details about a record.

NOTE
If a service fails to be created, the service fee will be returned to your account in 30 minutes to 1 hour.

----End


8 Channel Management

Nodes communicate through channels. The channel management function enables you to create a channel or add peers to an existing channel.

Creating a Channel

Step 1 Log in to the BCS console.

Step 2 Choose Channel Management in the navigation pane on the left. Click Create Channel in the upper right corner of the page.

NOTE

● The maximum number of channels for each service differs with the edition, which is 1 for the basic edition, 2 for professional, and 10 for platinum.

● Channels cannot be created for a service that is created by a tenant invited to a consortium blockchain.

Step 3 In the Create Channel dialog box, select a service, enter a channel name and description, and click OK.

----End

Adding a Peer

Step 1 After the channel is created, click Add Peer in the Operation column of the channel list.

Step 2 In the displayed Add Peer dialog box, select an organization, and specify the number of peers to be added to the channel.

Step 3 Click OK.

----End


Other Operations

Table 8-1 Other operations

Operation | Description
Querying channels | A channel list is displayed on the Channel Management page. You can view the information such as the channel name, name of the service for which the channel is used, and peers in the channel.
Viewing a peer | Click View Peer in the Operation column of the channel list to view peer information by organization, including the Membership Service Provider (MSP) ID, floating IP address (if bound), port number, peer name, domain of each peer, and whether the peer has been added to the channel.


9 Member Management

You can invite tenants to become blockchain consortium members, who can view invitations and topologies and delete invitations.

● To invite a tenant, see Inviting a Tenant.

● To view an invitation, click View Invitation in the Operation column on the Member Management page.

● To delete an invitation, click Delete Invitation in the Operation column on the Member Management page. After that, the invitation you have sent to a tenant is withdrawn. This operation can be done only if the invited tenant has not accepted the invitation.

● To view the topology between consortium blockchain members, click View Topology in the Operation column on the Member Management page.


10 Notification Management

When another tenant invites you to join a consortium blockchain, you will receive an invitation notification. Then, you can view the invitation on the Notification Management page.

● To accept the invitation, click View Details in the Operation column of the notification list, select a BCS service and organization, and click Accept.

● To decline the invitation, click View Details in the Operation column of the notification list, and click Decline.

● To delete a notification, click Delete Notification in the Operation column of the notification list.

● To postpone the processing of an invitation, click View Details in the Operation column of the notification list, and click Process Later.

NOTE

● If you have not created a BCS service, click Create BCS Service to create a service before selecting an organization. Otherwise, you cannot join the consortium.

● Notification statuses include:
– Unprocessed: You have not processed the invitation notification. You can click View Details to accept or decline the invitation.
– Finished: You have accepted the invitation to join the consortium blockchain.
– Canceled: The inviting party has deleted the service before you accept the invitation. You cannot join the consortium blockchain.
– Declined: You have declined the invitation to join the consortium blockchain.
– Quit: You have accepted the invitation and joined the consortium blockchain but later quit the consortium.
– Dismissed: The inviting party has deleted the service after you joined the consortium blockchain. As a result, the blockchain is dismissed.
– Frozen: The inviting party's account is frozen.
– Upgraded: A service in the consortium blockchain has been upgraded successfully after you join the blockchain.


11 Add-on Management

Add-ons allow you to extend the functionality of BCS services as required. On the Add-on Management page, you can install add-ons and upgrade, uninstall, and view details about the installed add-ons.

Table 11-1 lists the add-ons that are available for BCS services.

Table 11-1 Add-ons

Name | Description | Restrictions

tc3-taskserver

Description: Provides trusted data sharing, multi-party confidential computing, and distributed identity management.

Restrictions: This add-on can be installed only if the BCS service meets all of the following conditions:
● Deployed in a CCE cluster
● Professional or platinum edition
● Uses ECDSA for the security mechanism
● v3.0.12 (corresponding to Fabric v1.4.0) or v4.0.2 (corresponding to Fabric v2.0)

baas-restapi

Description: Supports access to the blockchain system by using RESTful APIs.

Restrictions: This add-on can be installed only if the BCS service meets both of the following conditions:
● Deployed in a CCE cluster
● v3.0.12 (corresponding to Fabric v1.4.0) or v4.0.2 (corresponding to Fabric v2.0)

Installing an Add-on

Step 1 Log in to the BCS console.

Step 2 Choose Add-on Management in the navigation pane on the left.


Step 3 On the Add-on Repository tab page, click Install in the card of the desired add-on.

NOTE

● Do not perform any operations on the service when an add-on is being installed. Otherwise, the service may become abnormal.

● If you selected No for Enable Support for RESTful APIs during BCS service creation, you can enable support for RESTful APIs by installing an add-on.

● If you did not enable trusted computing during BCS service creation, you can still enable it by installing an add-on.

----End

Viewing Add-ons

Step 1 Log in to the BCS console.

Step 2 Choose Add-on Management in the navigation pane on the left.

Step 3 View the add-ons on the Add-on Instances tab page.

You can perform the following operations on the add-ons as required:

● tc3-taskserver or baas-restapi

– Click the add-on to view its details. You can click Scale next to Normal/All Instances to scale the number of instances in the range from 1 to 5.

– Click Access Trusted Computing Platform in the card of the tc3-taskserver add-on to go to the trusted computing platform. For details, see Trusted Computing Platform (OBT).

– Click Upgrade to upgrade an add-on.

– Click Uninstall to uninstall an add-on.

----End


12 Contract Management

A contract template is a smart contract that can implement certain functions. You can directly use the code provided by the templates or use the templates as a foundation for developing your own smart contracts.

In the Contract Management module on the console, you can view contract templates for various industries, download the ones you need, and manage your contract templates.

Downloading a Contract Template

Step 1 Log in to the BCS console.

Step 2 Choose Contract Management in the navigation pane on the left.

Step 3 On the Contract Template Repository tab page, view contract templates for different industries, such as finance and healthcare.

Step 4 Click View Details to view details about a contract template, including the version, supported language, category, and interfaces.

Step 5 Click Download to download a contract template.

You can use the downloaded template files to install and instantiate chaincodes. For details, see Chaincode Management.

----End


13 O&M Center

13.1 Viewing Monitoring Data and Logs

BCS provides O&M monitoring capabilities. O&M personnel can view the monitoring data and logs on the BCS console.

Viewing Monitoring Data

1. Log in to the BCS console.

2. In the navigation pane, choose Service Management to view the basic information about a BCS service, including the blockchain type, consensus mechanism, status, and creation time.

3. In the service card, click a service.

4. Click the Monitoring tab to view the service monitoring and instance monitoring data.

– Service monitoring allows you to view the CPU usage and physical memory usage of the service.

– Instance monitoring allows you to view the organization instance information, including the CPU usage, disk read rate, disk write rate, uplink rate, and downlink rate.

You can click View Metric to view the data of the last 15 minutes. You can also click More to view more monitoring data.


Figure 13-1 Viewing the monitoring data of a service


Figure 13-2 Viewing more monitoring data

Viewing Logs

1. Log in to the BCS console.

2. In the navigation pane, choose Service Management to view the basic information about a BCS service, including the blockchain type, consensus mechanism, status, and creation time.

Figure 13-3 Viewing service information


3. In the service card, click a service.

4. Click the Logs tab.

Log data in the last 5 minutes is displayed, including the log file name, generation time, and log content.

Figure 13-4 Viewing logs

13.2 Setting Web Disk Space Alarms

Background

The O&M center of BCS is connected to the Application Operations Management (AOM). AOM is a one-stop platform for O&M personnel to monitor the application and resource operating state in real time. By analyzing metrics, alarms, and logs, you can quickly locate root causes to ensure smooth running of services.

The following describes how to use the AOM service to monitor the web disk status (file storage) of a BCS instance. After receiving an alarming notification indicating that the disk space is insufficient, O&M personnel need to expand the disk capacity to prevent services from becoming abnormal.

Setting Alarms

When O&M personnel need to check the web disk metrics, they can use the AOM service to set alarm generation thresholds for the disk metrics. If a metric exceeds the threshold, the system automatically sends an alarming SMS message or email.

Step 1 Create a topic in the Simple Message Notification (SMN) console and add a subscriber.

If you need to obtain resource change information in real time, create a topic and add subscribers to this topic. In this way, the email addresses or mobile numbers of recipients are noted by the system. When establishing threshold rules, you can select the relevant recipient.

1. Create a topic.


Figure 13-5 Creating a topic

2. Select APM for Services that can publish messages to this topic. Otherwise, notifications cannot be sent.

Figure 13-6 Configuring a topic policy

3. Add a subscription to the topic.

Figure 13-7 Adding a subscription task

Step 2 Click O&M Center in the navigation pane of the BCS console. On the displayed AOM console, establish a threshold rule.

1. In the navigation pane on the left, choose Alarm Center > Threshold Rules. Then, click Add Threshold, select the host in the cluster where BCS is deployed, specify the threshold name, and set the parameters such as Creation Mode and Resource Type. Then, click Next.


Figure 13-8 Adding a threshold

2. Configure the basic information about the threshold rule and enable notification. For example, if you want to receive a notification after the CPU usage (cpuUsage) reaches 50%, configure the threshold-based alarming criterion by referring to the following figure.

Figure 13-9 Setting the threshold rule

----End

Handling Alarms

After receiving an alarming notification indicating that the disk space is insufficient, O&M personnel need to expand the disk capacity to prevent services from becoming abnormal.

Step 1 Choose Service List > Storage > Scalable File Service on the console.

Step 2 In the SFS file system list, locate the file system used for the cluster where the BCS service is deployed.


Step 3 Click Resize in the Operation column.

Step 4 Set New Maximum Capacity, and click OK.

Figure 13-10 Resizing the file system

----End

13.3 Disk Metrics

After metric thresholds and alarming criteria related to disk usage are configured, alarming short messages or emails can be sent to O&M personnel. In this way, O&M personnel can detect and handle service exceptions in a timely manner to reduce the loss caused by exceptions. The following table lists the metrics related to disks used for BCS services.

Table 13-1 Node metrics

Metrics | Description | Meaning | Value Range | Unit
diskAvailableCapacity | Available disk space | Disk space that is not used | ≥ 0 | MB
diskCapacity | Disk capacity | Total disk capacity | ≥ 0 | MB
diskReadRate | Disk read rate | Data volume read from the disk per second | ≥ 0 | KB/s
diskRWStatus | Disk read/write status | Read/write status of the disk on a node | 0 (read and write) and 1 (read-only). | None
diskUsedRate | Disk usage | Percentage of the used disk space to the total disk space | ≥ 0 | Percentage
diskWriteRate | Disk write rate | Data volume written into the disk per second | ≥ 0 | KB/s

Disk metrics can be calculated on the following bases.

Table 13-2 Metric measurement bases

Basis | Description
clusterId | Cluster ID
clusterName | Cluster name
hostID | Node ID
namespace | Cluster namespace
nodeIP | IP addresses of a node
nodeName | Node name

13.4 View O&M Logs

Background

If an exception occurs when you use a BCS service, view the O&M logs to analyze and locate the fault for quick rectification. This section describes how to view the O&M logs of each BCS service node in the CCE cluster on the frontend GUI and backend virtual machines (VMs).

Viewing Logs on the Frontend GUI

Step 1 View the node name on the Workloads page of the CCE console, and record the node name.


1. Choose Workloads > Deployments, and click the cluster where the BCS service is located. View and record the names of the baas-agent and dev-peer nodes, for example, baas-restapi.

2. Choose Workloads > StatefulSets, and click the cluster where the BCS service is located. View and record the orderer and peer node names, for example, peer-a4d420a7d08419d1173b99912321a2bc87f87c67.

Step 2 Click O&M Center on the BCS console. View logs on the displayed AOM console.

1. In the navigation pane on the left of the AOM console, choose Log Management > Log Files, and select the cluster where the BCS service is located.

2. Select a recorded node name, and click View in the Operation column to view the node logs.

3. Click Enable Real-Time Viewing. Then, you can view O&M logs of the node in real time.


----End

Viewing O&M Logs on a Backend VM

Step 1 View the node name on the Workloads page of the CCE console. See 1.

Step 2 On the Service Management page of the BCS console, locate the service and choose More > Change Access Address to view the access address.

Step 3 Log in to the VM corresponding to the access address, and view the O&M logs.


1. Check the logs of the dev-peer node.

a. Run the following command to query the dev-peer node ID:
docker ps | grep dev-peer

b. Run the following command to query the dev-peer node logs:
docker logs -f ID

2. Check the logs of the baas-agent node.

a. Run the following command to query the baas-agent node ID:
docker ps | grep baas-agent

b. Run the following command to query the baas-agent node logs:
docker logs -f ID

3. Check the logs of a peer node.

a. Run the following command to query the peer node ID:
docker ps | grep peer


b. Run the following command to query the peer node logs:
docker logs -f ID

4. Check the logs of an orderer node.

a. Run the following command to query the orderer ID:
docker ps | grep orderer

b. Run the following command to query the orderer logs:
docker logs -f ID

----End


14 Permissions Management

If you perform operations as an IAM user created by using a HUAWEI CLOUD account, you (IAM user) must have sufficient permissions to perform operations on BCS. Otherwise, the system displays a message indicating that you do not have the required permissions, as shown in the following figures.

In this case, you need to request the administrator to assign the permissions required to use BCS. Before assigning permissions to IAM users, administrators need to understand basic operations of IAM, including creating users and user groups, and assigning permissions to user groups. This section provides only the operation guide for granting BCS rights to users.

Before assigning permissions, the administrator needs to check whether an IAM user requires all or only some of the BCS permissions.

● If the IAM user requires all the permissions, the administrator can assign the system-defined policy BCS Administrator to the user.

● If the IAM user requires only the permissions for some of the functions, for example, service, channel, and member management, the administrator needs to create a custom policy to grant the required permissions to the IAM user.

Table 14-1 Mapping between error messages and the actions corresponding to the required permissions

Error Message | Related Action | Action Description
Policy doesn't allow bcs:dashboard:get to be performed | bcs:dashboard:get | Operations on the Dashboard page
Policy doesn't allow bcs:blockchains:list to be performed | bcs:blockchains:list | Service management operations
Policy doesn't allow bcs:channels:list to be performed | bcs:channels:list | Channel management operations
Policy doesn't allow bcs:members:list to be performed | bcs:members:list | Member management operations
Policy doesn't allow bcs:notifications:list to be performed | bcs:notifications:list | Notification management operations
Policy doesn't allow bcs:experiences:list to be performed | bcs:experiences:list | Walkthrough operations
You do not have permissions to perform this operation. | bcs:blockchain:delete | BCS service deletion
You do not have permissions to perform this operation. | bcs:blockchainondemand:create | BCS service creation
You do not have permissions to perform this operation. | bcs:blockchainorder:create | Creation of a yearly/monthly BCS service
You do not have permissions to perform this operation. | bcs:cert:post | Certificate downloading
You do not have permissions to perform this operation. | bcs:sdkcfg:post | SDK configuration downloading


Granting BCS Permissions to an IAM User

Step 1 The administrator creates a custom policy. (This step is mandatory only when the administrator needs to grant only some permissions for a BCS service to the IAM user. If the administrator needs to grant all the permissions for a service to the user, skip this step.)

NOTE

To create a custom policy, the administrator must apply for fine-grained access control on the Policies page of the IAM console first.

1. On the management console homepage, choose Service List > Management & Deployment > Identity and Access Management.

2. In the navigation pane, choose Permissions. Then, click Create Custom Policy.

3. On the Create Custom Policy page, set the parameters such as the policy name, scope, view, and content, then click OK.
– Policy Name: Enter a custom policy name, for example, "partial BCS permissions".
– Scope: Select Project-level services.
– Policy View: Select JSON.
– Policy Content: Enter the policy content based on the template.

For example, copy the following content to specify service, channel, and member management actions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "bcs:blockchains:list",
                "bcs:channels:list",
                "bcs:members:list"
            ]
        }
    ]
}

Table 14-2 Parameters of the policy content

Parameters | Meaning | Value
Version | Policy version | Fixed to 1.1.
Statement: Effect | Whether the actions are allowed | Allow or Deny
Statement: Action | Operations to be performed on BCS | Each action name must be in the format of Service name:Resource type:Operation. The BCS service supports only the following actions: "bcs:dashboard:get", "bcs:blockchains:list", "bcs:channels:list", "bcs:members:list", "bcs:notifications:list", "bcs:experiences:list". After you fill any action in this parameter, the permissions for the action will be granted to the IAM user.

Step 2 The administrator creates a user group and grants permissions to it.

1. In the navigation pane of the IAM console, choose User Groups.

2. Click Create User Group in the upper right corner, enter the user group name, and click OK.

3. In the Operation column, choose More > Manage Permissions.

4. On the Permissions tab page, click Assign Permissions.

5. Select Region-specific projects.

Select projects in which the permissions take effect. By default, all projects are selected. If you select a single project, users in the user group can perform BCS operations only in this project.

6. Search for the required permission and select it.
– BCS Administrator: all permissions for BCS
– BCS FullAccess: full permissions for BCS
– BCS ReadOnlyAccess: read-only permissions for BCS

NOTE

If you select BCS Administrator, you also need to select the following dependent roles and policies in the same project: CCE Administrator, SWR Administrator, VPC Administrator, SFS Administrator, BSS Administrator, ECS FullAccess, AOM Administrator, APM Administrator, DMS Administrator, and IEF Administrator.

ECS FullAccess is a policy, and others are roles.

Step 3 Create a user.

1. In the navigation pane, click Users. Then click Create User.

2. Create a user as prompted.

Step 4 The IAM user logs in to the console again to verify the BCS permissions.

----End
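The custom policy format from Step 1 and the denial messages in Table 14-1 can be checked before a policy is attached to a user group. The Python code below is an added example, not code from the guide or from Huawei: the helper names lint_policy, allowed_actions and actions_to_request are hypothetical, the supported-action list is the one given in Table 14-2, and the rule that a Deny statement overrides an Allow is an assumption.

```python
import json
import re

# Actions that Table 14-2 lists as supported in a BCS custom policy.
SUPPORTED_ACTIONS = frozenset({
    "bcs:dashboard:get", "bcs:blockchains:list", "bcs:channels:list",
    "bcs:members:list", "bcs:notifications:list", "bcs:experiences:list",
})
# "Service name:Resource type:Operation", the format given in Table 14-2.
ACTION_SHAPE = re.compile(r"^[A-Za-z]+:[A-Za-z]+:[A-Za-z]+$")
# Wording of the denial messages in Table 14-1.
DENIAL = re.compile(r"Policy doesn't allow (\S+) to be performed")

# The example policy from Step 1 of the guide.
GUIDE_POLICY = """
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bcs:blockchains:list", "bcs:channels:list", "bcs:members:list"]
    }
  ]
}
"""


def _parse(policy_text):
    """Return (policy, statements); raise ValueError if the structure is unusable."""
    policy = json.loads(policy_text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(policy, dict):
        raise ValueError("policy must be a JSON object")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    return policy, statements


def lint_policy(policy_text):
    """Return a list of findings; an empty list means the policy passes."""
    try:
        policy, statements = _parse(policy_text)
    except ValueError as exc:
        return [f"unusable policy: {exc}"]
    findings = []
    if policy.get("Version") != "1.1":
        findings.append('Version must be "1.1"')
    for n, statement in enumerate(statements, start=1):
        if not isinstance(statement, dict):
            findings.append(f"statement {n}: must be a JSON object")
            continue
        if statement.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {n}: Effect must be Allow or Deny")
        actions = statement.get("Action")
        if not isinstance(actions, list) or not actions:
            findings.append(f"statement {n}: Action must be a non-empty list")
            continue
        for action in actions:
            if not isinstance(action, str):
                findings.append(f"statement {n}: {action!r} is not a string")
            elif "*" in action:
                findings.append(f"statement {n}: wildcard {action}, list each action explicitly")
            elif not ACTION_SHAPE.match(action):
                findings.append(f"statement {n}: {action} is not Service:Resource:Operation")
            elif action not in SUPPORTED_ACTIONS:
                findings.append(f"statement {n}: {action} is not in the supported list")
    return findings


def allowed_actions(policy_text):
    """Actions named in Allow statements minus those named in Deny statements.

    Assumption: a Deny statement overrides an Allow for the same action.
    """
    _, statements = _parse(policy_text)
    allow, deny = set(), set()
    for statement in statements:
        if not isinstance(statement, dict):
            continue
        actions = statement.get("Action")
        names = {a for a in actions if isinstance(a, str)} if isinstance(actions, list) else set()
        if statement.get("Effect") == "Allow":
            allow |= names
        elif statement.get("Effect") == "Deny":
            deny |= names
    return allow - deny


def actions_to_request(policy_text, console_messages):
    """Actions named in Table 14-1 style denial messages that the policy does not grant."""
    granted = allowed_actions(policy_text)
    wanted = {m.group(1) for m in map(DENIAL.search, console_messages) if m}
    return sorted(wanted - granted)


if __name__ == "__main__":
    print(lint_policy(GUIDE_POLICY))
    print(actions_to_request(GUIDE_POLICY, [
        "Policy doesn't allow bcs:dashboard:get to be performed",
        "Policy doesn't allow bcs:channels:list to be performed",
    ]))
```

Run it against the policy text before pasting it into the Policy Content field, and feed actions_to_request the denial messages an IAM user reports to see exactly which actions are still missing.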
