Spring Boot Fullstack Blockchain Application With Hyperledger Fabric running on Kubernetes (Part 4) — Generating Certificates and Artifacts

Şuayb Şimşek
Nov 27, 2021

Hello everyone. In this article series we look at integrating Hyperledger Fabric with Spring Boot. In this article we look into generating the certificates, the genesis block and the channel transaction, and we deploy a Kubernetes job that generates these certificates and artifacts.

Other articles on Hyperledger Fabric integration with Spring Boot can be accessed from the links below.

Part 1 — Introduction

Part 2 — Kubernetes Cluster Setup

Part 3 — Fabric CA Server

Part 4 — Generating Certificates and Artifacts

Part 5 — Kafka

Part 6 — Orderer

First, let’s explain some concepts that are often repeated in the article.

Anchor Peer

Used by gossip to make sure peers in different organizations know about each other.

When a configuration block that contains an update to the anchor peers is committed, peers reach out to the anchor peers and learn from them about all of the peers known to the anchor peer(s). Once at least one peer from each organization has contacted an anchor peer, the anchor peer learns about every peer in the channel.

ACL

An ACL, or Access Control List, associates access to specific peer resources (such as system chaincode APIs or event services) to a Policy (which specifies how many and what types of organizations or roles are required).

The ACL is part of a channel’s configuration.

A set of default ACLs is provided in the configtx.yaml file which is used by configtxgen to build channel configurations.

Block

A block contains an ordered set of transactions.

It is cryptographically linked to the preceding block, and in turn it is linked to by the subsequent block.

The first block in such a chain of blocks is called the genesis block.

Blocks are created by the ordering service, and then validated and committed by peers.

Channel

A channel is a private blockchain overlay which allows for data isolation and confidentiality.

A channel-specific ledger is shared across the peers in the channel, and transacting parties must be authenticated to a channel in order to interact with it.

Configuration Settings

Let’s open the project we downloaded from this link and go to the directory where the k8s folder is located.

$ cd deploy/k8s

We need the configtx.yaml file to generate the genesis block and the channel transaction. The YAML file is deploy/k8s/fabricfiles/configtx/configtx.yaml.

- &OrdererOrg
    # ID to load the MSP definition as
    ID: OrdererMSP

The ID field is required to load the orderer MSP definition. Likewise, this parameter is mandatory in Org1, Org2 and Org3.

MSPDir: ../organizations/ordererOrganizations/example.com/msp

MSPDir is the filesystem path that contains the MSP configuration. This parameter is mandatory in Org1, Org2 and Org3.

OrdererEndpoints:
- orderer:7050

For OrdererOrg, this is the Kubernetes service name and service port of the orderer.

AnchorPeers:
    # AnchorPeers defines the location of peers which can be used
    # for cross org gossip communication. Note, this value is only
    # encoded in the genesis block in the Application section context
    - Host: peer0-org1
      Port: 7051

AnchorPeers defines the location of the peers used for cross-organization gossip communication, and it must be defined for each organization. Here it is the Kubernetes service name and service port of the peer that acts as the anchor peer for Org1; anchor peers must likewise be defined in Org2 and Org3.

Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    OrdererType: kafka

With this configuration, the Hyperledger Fabric ordering service nodes (OSNs) use your Kafka cluster to provide an ordering service to your blockchain network. Note that the kafka orderer type has been deprecated since Fabric v2.0 in favour of Raft, so check that the Fabric release you deploy still supports it.

Addresses:
- orderer:7050
- orderer2:7050
- orderer3:7050
- orderer4:7050
- orderer5:7050

The Kubernetes service names and service ports of the orderers are defined here. Five orderers run on the blockchain network.

Kafka:
    # Brokers: A list of Kafka brokers to which the orderer connects
    # NOTE: Use IP:port notation
    Brokers:
        - broker-0.broker:9092
        - broker-1.broker:9092

The Kubernetes service names and service ports of the Kafka brokers to which the orderer connects are defined here. We will set up the Kafka cluster later in this project; Kafka will run with 2 instances.

TwoOrgsOrdererGenesis:
    ...
    Organizations:
        - *Org1
        - *Org2
        - *Org3

The TwoOrgsOrdererGenesis profile needs to be defined to create the genesis block. 3 organizations are defined in this configuration.

TwoOrgsChannel:
    ...
    Organizations:
        - *Org1
        - *Org2
        - *Org3

The TwoOrgsChannel profile needs to be defined to create the channel transaction. 3 organizations are defined in this configuration.

The certificate generation script defined in the project for the orderer is as follows (the script file is deploy/k8s/fabricfiles/scripts/orderer-certs.sh).

Certificate Authorities are used to generate the identities assigned to admins, nodes, and users (client applications). This script creates the TLS certificate and MSP for each of the orderers, and registers and enrolls the identities with the CA.

The certificate generation scripts defined in the project for Org1, Org2 and Org3 are as follows. The script files are in the deploy/k8s/fabricfiles/scripts folder.

These scripts create the TLS certificate and MSP for each of the organizations, and register and enroll the identities with the CA.

The artifact generation scripts defined in the project are as follows. The script files are in the deploy/k8s/fabricfiles/scripts folder.

configtxgen -profile TwoOrgsOrdererGenesis

The TwoOrgsOrdererGenesis profile must be defined in the configtx.yaml file. It is required to create a Genesis block.

-channelID system-channel

To create a Genesis block, the channel id must be system-channel.

configtxgen -profile TwoOrgsChannel

The TwoOrgsChannel profile must be defined in the configtx.yaml file. It is required to create the channel transaction.

CHANNEL_NAME="mychannel"

A channel is a private “subnet” of communication between two or more specific network members, for the purpose of conducting private and confidential transactions. The channel ID is required to create the channel transaction; here it is set to “mychannel”.

for orgmsp in Org1MSP Org2MSP Org3MSP; do
    set -x
    configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/${orgmsp}anchors.tx -channelID $CHANNEL_NAME -asOrg ${orgmsp}
done

This generates the anchor peer update transaction for each organization.
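As an added pre-flight check (not code from the project), the following Python validates a loaded configtx against the rules described in the configuration section and assumed by the anchor-peer loop above: every organization has ID and MSPDir, every peer organization declares an anchor peer with Host and Port, the kafka orderer has Addresses and Kafka.Brokers, both profiles exist, and every MSP the loop passes to -asOrg is an organization of TwoOrgsChannel. It works on the dict that yaml.safe_load() returns for configtx.yaml; the embedded sample is constructed to mirror the article’s file, and identifying the orderer org by its OrdererEndpoints key is an assumption.

```python
def _org_ids(node):
    """MSP IDs from every 'Organizations' list nested anywhere under node."""
    if isinstance(node, dict):
        return set().union(*({o["ID"] for o in v} if k == "Organizations" else _org_ids(v)
                             for k, v in node.items()))
    return set().union(*map(_org_ids, node)) if isinstance(node, list) else set()

def check_configtx(cfg, anchor_orgs=("Org1MSP", "Org2MSP", "Org3MSP")):
    """Return the problems found in a loaded configtx; an empty list means go."""
    problems = []
    for org in cfg.get("Organizations") or []:
        name = org.get("Name", "<unnamed>")
        for key in ("ID", "MSPDir"):  # mandatory for every organization
            if not org.get(key):
                problems.append(f"{name}: {key} missing")
        if "OrdererEndpoints" in org:  # assumption: this marks the orderer org
            continue
        anchors = org.get("AnchorPeers") or []  # peer orgs must name an anchor peer
        if not anchors:
            problems.append(f"{name}: AnchorPeers missing")
        elif any(not a.get("Host") or not isinstance(a.get("Port"), int) for a in anchors):
            problems.append(f"{name}: anchor peer needs Host and integer Port")
    orderer = cfg.get("Orderer") or {}
    if not orderer.get("Addresses"):
        problems.append("Orderer: Addresses empty")
    if orderer.get("OrdererType") == "kafka" and not (orderer.get("Kafka") or {}).get("Brokers"):
        problems.append("Orderer: OrdererType is kafka but Kafka.Brokers is empty")
    profiles = cfg.get("Profiles") or {}
    for prof in ("TwoOrgsOrdererGenesis", "TwoOrgsChannel"):
        if prof not in profiles:
            problems.append(f"Profiles: {prof} missing")
    # The anchor-peer loop runs configtxgen -asOrg <MSP> against TwoOrgsChannel,
    # so every MSP it names must be an organization of that profile.
    for msp in sorted(set(anchor_orgs) - _org_ids(profiles.get("TwoOrgsChannel", {}))):
        problems.append(f"TwoOrgsChannel: {msp} not in profile, -asOrg {msp} would fail")
    return problems

# Constructed sample mirroring the article's configtx.yaml, with the YAML
# anchors (*Org1 ...) already resolved the way yaml.safe_load() resolves them.
ORGS = [{"Name": f"Org{n}", "ID": f"Org{n}MSP", "AnchorPeers": [{"Host": f"peer0-org{n}", "Port": 7051}],
         "MSPDir": f"../organizations/peerOrganizations/org{n}.example.com/msp"} for n in (1, 2, 3)]
SAMPLE = {
    "Organizations": [{"Name": "OrdererOrg", "ID": "OrdererMSP", "OrdererEndpoints": ["orderer:7050"],
                       "MSPDir": "../organizations/ordererOrganizations/example.com/msp"}] + ORGS,
    "Orderer": {"OrdererType": "kafka", "Addresses": [f"orderer{s}:7050" for s in ("", 2, 3, 4, 5)],
                "Kafka": {"Brokers": ["broker-0.broker:9092", "broker-1.broker:9092"]}},
    "Profiles": {"TwoOrgsOrdererGenesis": {"Consortiums": {"SampleConsortium": {"Organizations": ORGS}}},
                 "TwoOrgsChannel": {"Application": {"Organizations": ORGS}}},
}
```

Running check_configtx(yaml.safe_load(open("configtx.yaml"))) before the artifact job saves a failed configtxgen run inside the cluster; a non-empty list names the profile or organization to fix.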

Let’s create the certificate creation job, create-certs.yaml. The YAML file is in the deploy/k8s/job folder.

- |
  ./scripts/orderer-certs.sh &&
  ./scripts/org1-certs.sh &&
  ./scripts/org2-certs.sh &&
  ./scripts/org3-certs.sh

The scripts the job runs to create the certificates are defined here.

volumeMounts:
  - name: fabricfiles
    mountPath: /organizations
    subPath: organizations
  - name: fabricfiles
    mountPath: /scripts
    subPath: scripts

These mounts are required to access the scripts and organizations folders on the NFS server. The certificates are created in the organizations folder.

volumes:
  - name: fabricfiles
    persistentVolumeClaim:
      claimName: fabricfiles-pvc

This allows us to mount the Fabric files on the NFS server into the container.

Let’s create the artifact creation job, create-artifacts.yaml. The YAML file is in the deploy/k8s/job folder.

- |
  ./scripts/createGenesis.sh &&
  ./scripts/createChannel.sh

The scripts the job runs to create the artifacts are defined here.

volumeMounts:
  - name: fabricfiles
    mountPath: /organizations
    subPath: organizations
  - name: fabricfiles
    mountPath: /configtx
    subPath: configtx
  - name: fabricfiles
    mountPath: /system-genesis-block
    subPath: system-genesis-block
  - name: fabricfiles
    mountPath: /channel-artifacts
    subPath: channel-artifacts
  - name: fabricfiles
    mountPath: /scripts
    subPath: scripts

These mounts are required to access the scripts, configtx and organizations folders on the NFS server. The system genesis block is created in the system-genesis-block folder, and the channel artifacts are created in the channel-artifacts folder.

Installation of Jobs on Kubernetes

Let’s connect to the Kubernetes master node virtual machine with the vagrant ssh command.

$ vagrant ssh k8smaster

Let’s go to the directory where the Kubernetes installation scripts are located. This directory is the same as the deploy/k8s folder in the project; with Vagrant, it is synchronized to the virtual machine.

$ cd /vagrant/k8s

Deploy the certificate creation job for the peers and orderers.

$ kubectl apply -f job/create-certs.yaml

Wait for the certificate creation job to complete.

$ kubectl wait --for=condition=complete --timeout=300s job create-certs

After the job has completed, the ordererOrganizations and peerOrganizations folders are created under the organizations folder on the NFS server. Let’s check that these folders exist.

Let’s open a new terminal and connect to the NFS server virtual machine.

$ vagrant ssh nfsserver

Let’s list the folders under the organizations folder.

$ ls /srv/kubedata/fabricfiles/organizations

As you can see, the ordererOrganizations and peerOrganizations folders have been created. Certificate creation completed successfully.

Let’s go back to the Kubernetes master node terminal.

Deploy the artifact creation job.

$ kubectl apply -f job/create-artifacts.yaml

Wait for the artifact creation job to complete.

$ kubectl wait --for=condition=complete --timeout=300s job create-artifacts

After the job has completed, the system-genesis-block and channel-artifacts folders are created under the fabricfiles folder on the NFS server. Let’s check that these folders exist.

Let’s go back to the NFS server virtual machine terminal.

Let’s list the folders under the fabricfiles folder.

$ ls /srv/kubedata/fabricfiles

As you can see, the system-genesis-block and channel-artifacts folders have been created. Artifact creation completed successfully.

Finally, let’s check the status of the jobs we ran from the Lens IDE.

The jobs we ran have completed.

My article ends here. In summary, I explained generating the certificates for the peers and orderers, and generating the genesis block and channel transactions on Kubernetes.

See you in the next articles.

Project Links

Spring Boot Hlf Starter Project details and installation can be accessed via this link.

Asset Transfer Project details and installation can be accessed via this link.

Şuayb Şimşek

Software Engineer at Community Gaming . #Java #Kotlin .#Devops . #Blockchain . #SpringBoot . #Echo .#Golang .#React