This is the third article in a series that explores the provisioning of blockchain and Web3 technologies in traditional banking. The first piece provided insights into a business use case of how a bank can leverage blockchain-based solutions and adopt a Web3 application for a construction company. The second article focused on the technical aspect, detailing a proof of concept (PoC) to implement the use case.
In this article, we outline how AWS Managed Blockchain can help in the smooth running of Hyperledger Fabric (an open-source platform to build and run smart contracts), highlighting all the necessary steps in between.
Overview
AWS Managed Blockchain offers a robust and scalable solution for deploying and managing blockchain networks in the rapidly evolving landscape of blockchain technology. This document provides a comprehensive guide to provisioning AWS Managed Blockchain specifically for Hyperledger Fabric (HLF). HLF is a popular framework for developing permissioned blockchain networks, and with AWS Managed Blockchain, deployment and management become more streamlined.
Prerequisites
Before diving into the process of provisioning AWS Managed Blockchain for HLF, it's essential to ensure specific prerequisites are met. This section outlines the requirements and initial steps to set the stage for a successful deployment.
- AWS Account Setup
- Identity and Access Management (IAM): set up IAM users and roles with the necessary permissions for creating and managing AWS Managed Blockchain resources
- Hyperledger Fabric knowledge
- Docker knowledge
- Linux or Ubuntu knowledge
Architecture Overview
The following diagram shows the essential components of a Hyperledger Fabric blockchain running on AMB.
Source: https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/network-components.html
Creating a Managed Blockchain Network
Creating an HLF network on AMB involves several vital steps: configuring the network, defining its members, and setting up the necessary infrastructure. This section provides a detailed walkthrough of the steps required to create and configure a managed blockchain network on AWS.
We will create an HLF network with two members, each with one peer node associated with it.
Choosing the HLF version
When creating a managed blockchain network on AWS, choosing the Hyperledger Fabric version appropriate to your use case is crucial. We have chosen HLF version 2.2 for provisioning on AMB.
Creating a Network
- Open the AMB Access Console at https://console.aws.amazon.com/managedblockchain/
- Click on “Create private network” to initiate the network creation process.
- Select Hyperledger Fabric Framework version 2.2 (latest).
- Choose the “Network edition” relevant to your use case.
- Provide a unique name and description for your network.
- Specify the “Voting policy,” determining conditions for accepting changes to the network.
- Create the network's first member, e.g., Org1Member, with a unique name and description.
- Specify a username and password for “Hyperledger Fabric certificate authority (CA) configuration” for administrator use. Remember the username and password for later use.
- Review “Network options” and “Member options,” and then click on “Create network and member.”
AMB Access needs a minimum of around 30 minutes to create your network. Once it is created, the Status changes to Available.
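The same network and first member can be created from the AWS CLI instead of the console. The script below is an added example, not code from the article or from AWS; the request body follows the CreateNetwork API as AWS documents it, the network and member names are placeholders, and the CA admin password is taken from an environment variable so it is never written into a script or an argument list.

```shell
#!/bin/sh
# Added example, not the article's or AWS's code: creates the same network and first
# member as the console walkthrough (HLF 2.2, Starter edition, 50% voting threshold,
# CA logs on) with the AWS CLI. Request shape follows the CreateNetwork API as
# documented by AWS; the CA admin password is read from the environment so it never
# lands in a script, an argument list or shell history.
set -eu
# Build the CreateNetwork request body: $1 network name, $2 first member name,
# $3 CA admin user name, $4 CA admin password.
build_network_request() {
  cat <<EOF
{
  "Name": "$1",
  "Description": "$1 (Hyperledger Fabric 2.2 on AMB)",
  "Framework": "HYPERLEDGER_FABRIC",
  "FrameworkVersion": "2.2",
  "FrameworkConfiguration": { "Fabric": { "Edition": "STARTER" } },
  "VotingPolicy": {
    "ApprovalThresholdPolicy": {
      "ThresholdPercentage": 50,
      "ProposalDurationInHours": 24,
      "ThresholdComparator": "GREATER_THAN"
    }
  },
  "MemberConfiguration": {
    "Name": "$2",
    "Description": "First member of $1",
    "FrameworkConfiguration": {
      "Fabric": { "AdminUsername": "$3", "AdminPassword": "$4" }
    },
    "LogPublishingConfiguration": {
      "Fabric": { "CaLogs": { "Cloudwatch": { "Enabled": true } } }
    }
  }
}
EOF
}
# Minimal sanity check: refuse an empty or very short CA admin password before
# anything is sent (the service applies its own, stricter rules).
check_admin_password() {
  [ "${#1}" -ge 8 ]
}
create_network() {
  : "${AMB_ADMIN_PASSWORD:?set AMB_ADMIN_PASSWORD in the environment}"
  check_admin_password "$AMB_ADMIN_PASSWORD" || { echo "admin password too short" >&2; return 1; }
  aws managedblockchain create-network \
    --cli-input-json "$(build_network_request "$1" "$2" "$3" "$AMB_ADMIN_PASSWORD")"
}
# Only runs the call when invoked with arguments: <network> <first member> <admin user>
if [ -n "${1:-}" ]; then create_network "$1" "$2" "$3"; fi
```

Run it as `AMB_ADMIN_PASSWORD='...' ./create-network.sh BankNet Org1Member AdminUser`; the response contains the NetworkId and MemberId you will need for the VPC endpoint and client configuration later.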
Creating a VPC Endpoint
This section guides you through setting up an interface VPC endpoint for your member, allowing the Amazon EC2 instance used as the HLF client to interact with AMB members and network resources.
- Click on the network you created above to go into details.
- Click on “Create VPC endpoint.”
- Choose a VPC from the list.
- Choose a Subnet from the list.
- Choose a Security group from the list, preferably the same as your client EC2 instance.
- Click on “Create.”
Inviting Another Member
Now that you have an HLF network with a first member (Org1Member) and a VPC endpoint, you can invite additional members.
- Click on the “Proposals” tab and click “Propose invitation.”
- Under “Submit proposal as,” choose the initial member you created in the steps above.
- Provide a “Description” for the member invitation.
- Specify the AWS account ID to invite to the network, which can be the same or another relevant AWS account.
- Click on “Create.”
After creating the invitation proposal, use the first member to vote on and approve it.
- Click on the “Proposals” tab.
- Under “Active,” choose the Proposal ID to vote on.
- Under “Vote on proposal,” select the member in your account to vote as.
- Choose Yes to approve the proposal.
- Click “Confirm” to confirm your vote.
Follow the steps below to accept an invitation to create another member and join the network.
- From the navigation pane, click on “Invitations.”
- Select the invitation you want to accept from the list and click “Accept invitation.”
- Under “Create member and join network,” configure your network member by providing a unique member name and description, e.g., Org2Member.
- Under “HLF certificate authority (CA) configuration,” specify a username and password for administrator use. Remember the username and password for later use.
- Click on “Create member and join network.”
As in the screenshot above, you will now see two members, Org1Member and Org2Member, under the “Members” tab.
Creating a Peer Node
To create a peer node for each member, follow the same procedure:
- Click on the “Members” tab.
- Select a Member from the list, then choose “Create peer node.”
- Under peer node configuration, choose a “Blockchain instance type” relevant to your use case.
- Choose CouchDB as the “State DB configuration.”
- Choose an “Availability Zone” within your region.
- Enable all the logging configurations.
- Click on “Create peer node.”
Creating an Amazon EC2 Instance
To complete this step, launch an Amazon EC2 instance using the Amazon Linux AMI, considering the following requirements and recommendations.
- We recommend launching the client Amazon EC2 instance in the same region as the AMB network you created above.
- We recommend launching the client Amazon EC2 instance in the same VPC and using the same security group as the VPC endpoint you created above.
- We recommend that the VPC endpoint and the client Amazon EC2 instance share the same security group, and that this group has rules allowing all inbound and outbound traffic between its members.
- Ensure that this security group associated with the client Amazon EC2 instance has a rule allowing inbound SSH connections from a source that includes your SSH client’s IP address.
- If your SSH client’s IP address is dynamic, you can specify the source as 0.0.0.0/0 to allow any SSH client’s IP address; note that this exposes SSH to the entire internet, so narrow the rule back to your current address whenever possible.
- Ensure that the client Amazon EC2 instance is configured with an automatically assigned public IP address and that you can connect to it using SSH.
- Ensure that the service role associated with the EC2 instance allows access to the Amazon S3 bucket where AMB Access certificates are stored.
Follow the detailed references below to launch an Amazon EC2 instance and add the necessary rules and permissions.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-linux-instance.html
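For the SSH rule discussed above, the following added example (not from the article) restricts inbound port 22 on the client instance's security group to your current public address as a /32 rather than 0.0.0.0/0, refusing to act on anything that is not a valid address; the security-group ID is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the article: opens SSH on the client instance's security
# group from your current public address only, instead of 0.0.0.0/0 (the article's
# fallback for dynamic addresses). The security-group ID is a placeholder you supply;
# checkip.amazonaws.com is the AWS address-echo service.
set -eu
# Validate a dotted-quad IPv4 address and print it as a /32 CIDR; returns 1 for
# anything else, including the wildcard 0.0.0.0, so a bad input can never widen the rule.
cidr_for_ip() {
  ip="$1"
  [ "$ip" != "0.0.0.0" ] || return 1
  oldifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}
# Authorise inbound TCP/22 from one /32 only; fails closed when the address is bad.
allow_ssh_from() {
  cidr=$(cidr_for_ip "$2") || { echo "refusing to open SSH: bad address '$2'" >&2; return 1; }
  aws ec2 authorize-security-group-ingress \
    --group-id "$1" --protocol tcp --port 22 --cidr "$cidr"
}
# Usage: ./allow-ssh.sh sg-PLACEHOLDER   (re-run when your address changes)
if [ -n "${1:-}" ]; then
  allow_ssh_from "$1" "$(curl -fsS https://checkip.amazonaws.com)"
fi
```

When your address changes, revoke the stale /32 with `aws ec2 revoke-security-group-ingress` and re-run the script rather than widening the rule.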
Set Up the Hyperledger Fabric Client
Once you’ve created an Amazon EC2 instance using the Amazon Linux AMI, install the following packages to support blockchain network connection.
- Docker version 20.10.23
- Docker compose version 1.20.0
- Go version 1.14.4
- Fabric samples version 2.2.3
- Fabric client version 1.4.7
- Git version 2.40.1
Follow the procedures in the reference document below for installing the packages and setting up the HLF client.
Go to this link and follow the steps from 4.1 to 4.4.
For step 4.4: the sample “docker-compose.yaml” file contains one member and one peer endpoint. For two members, add a second service modelled on the “cli” structure under “services,” give it a different name, and configure it with the other member ID and peer endpoint.
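The script below is an added example, not the article's or AWS's file: it writes the client's docker-compose.yaml with one “cli”-style Fabric tools container per member, generalising the step above to any number of members. The member IDs, peer endpoints and MSP folder names it takes are constructed placeholders, and the image tag is an assumption that should match your Fabric client version.

```shell
#!/bin/sh
# Added example, not the article's or AWS's file: writes the HLF client's
# docker-compose.yaml with one "cli"-style container per member (the "add one more
# like the cli structure" step above, generalised to N members). Member IDs, endpoints
# and MSP folders are constructed placeholders; the image tag is an assumption.
set -eu
FABRIC_TOOLS_IMAGE="${FABRIC_TOOLS_IMAGE:-hyperledger/fabric-tools:2.2}"
# Emit one service: $1 service/container name, $2 member ID (the local MSP ID),
# $3 peer endpoint host:port, $4 that member's admin MSP folder under /home/ec2-user.
emit_cli_service() {
  cat <<EOF
  $1:
    container_name: $1
    image: ${FABRIC_TOOLS_IMAGE}
    tty: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=info
      - CORE_PEER_ID=$1
      - CORE_PEER_LOCALMSPID=$2
      - CORE_PEER_MSPCONFIGPATH=/opt/home/$4
      - CORE_PEER_ADDRESS=$3
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/managedblockchain-tls-chain.pem
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - /home/ec2-user/fabric-samples/chaincode:/opt/gopath/src/github.com/
      - /home/ec2-user:/opt/home
EOF
}
# Write the compose file $1; every further argument is one member spec of the form
# "service|memberId|peerEndpoint|mspFolder" (| is used because endpoints contain ':').
write_compose() {
  out="$1"; shift
  {
    printf 'version: "2"\nservices:\n'
    for spec in "$@"; do
      IFS='|' read -r svc member peer msp_dir <<EOF
$spec
EOF
      emit_cli_service "$svc" "$member" "$peer" "$msp_dir"
    done
  } > "$out"
}
# Constructed two-member invocation (as in the article); take real IDs and endpoints from the console:
# write_compose docker-compose.yaml 'cli|m-ORG1ID|nd-peer1.example:30003|org1-admin-msp' \
#   'cli2|m-ORG2ID|nd-peer2.example:30003|org2-admin-msp'
```

Each container then points at its own member's MSP folder, so `docker exec cli2 peer ...` acts as Org2Member while `cli` acts as Org1Member.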
Enroll an Administrative User
Follow the steps in the reference document below to enroll administrative users in the HLF client.
Repeat the same steps for both members in the network, and copy each member’s MSP certificates into a separate folder.
Creating a Channel and Installing Chaincode
Follow the steps in the reference document below to create a multi-member channel and install chaincode. Install the chaincode on both the Org1 and Org2 member peers.
Before diving into the procedures, perform these steps from the reference document below.
- Set “Orderer” environment variables: https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/get-started-create-channel.html#get-started-create-channel-environment-variables
- Install Go vendor dependencies: https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/get-started-chaincode.html#get-started-chaincode-install-vendor-dependencies
- Create the Chaincode package: https://docs.aws.amazon.com/managed-blockchain/latest/hyperledger-fabric-dev/get-started-chaincode.html#get-started-chaincode-create-package
Security and Logging
For additional security, follow the reference document below to add further security features such as data protection, authentication, and access control.
Follow the reference document below for monitoring Certificate Authority (CA) and Chaincode logs.
That’s all; we are done with provisioning Amazon Managed Blockchain for HLF!
To conclude, the creation, implementation, and management of HLF blockchain networks is streamlined with AWS Managed Blockchain. This means banks and financial institutions can focus on building and deploying blockchain-based solutions while AMB takes care of administrative tasks, network setup, and managing decentralized applications.