
Amazon Managed Blockchain

Hyperledger Fabric Developer Guide


Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What Is Managed Blockchain ... 1

How to Get Started with Hyperledger Fabric on Managed Blockchain ... 1

Key Concepts ... 2

Networks and Editions ... 2

Networks, Proposals, and Members ... 3

Peer Nodes ... 4

Connecting to Resources ... 4

Getting Started ... 6

Prerequisites and Considerations ... 6

An AWS account ... 6

A Linux Client (EC2 Instance) ... 7

A VPC ... 7

Permissions to Create an Interface VPC Endpoint ... 7

EC2 Security Groups That Allow Communication on Required Ports ... 7

Additional Considerations ... 9

Step 1: Create the Network and First Member ... 9

Step 2: Create an Endpoint ... 11

Step 3: Create a Peer Node ... 11

Step 4: Set Up a Client ... 12

4.1: Install Packages ... 13

4.2: Set Up the Fabric CA Client ... 15

4.3: Clone Samples ... 16

4.4: Start the Hyperledger Fabric CLI ... 16

Step 5: Enroll the Member Admin ... 17

5.1: Create the Certificate File ... 18

5.2 Enroll the Admin ... 18

5.3: Copy Certificates ... 19

Step 6: Create a Channel ... 19

6.1: Create configtx ... 20

6.2: Set an Environment Variable for the Orderer ... 23

6.3: Create the Channel ... 24

6.4: Join Peer to Channel ... 24

Step 7: Run Chaincode ... 24

7.1: Install Vendor Dependencies ... 24

7.2: Create Chaincode Package ... 25

7.3: Install Package ... 25

7.4: Verify Package ... 25

7.5: Approve Chaincode ... 25

7.6: Check Commit Readiness ... 25

7.7: Commit Chaincode ... 26

7.8: Verify Chaincode ... 26

7.9: Initialize Chaincode ... 26

7.10: Query Chaincode ... 26

7.11: Invoke Chaincode ... 26

Step 8: Invite a Member and Create a Multi-Member Channel ... 27

8.1: Create an Invitation Proposal ... 27

8.2: Vote Yes on the Proposal ... 28

8.3: Create the New Member ... 28

8.4: Share Artifacts ... 30

8.5: Create Artifacts for the MSP ... 30

8.6: Create configtx ... 31

8.7 Create the Channel ... 35

8.8: Get the Genesis Block ... 35

8.9: Join Peer Nodes to the Channel ... 35


8.10: Install Chaincode ... 36

8.11: Query Chaincode ... 36

8.12: Invoke Chaincode ... 37

Create a Network ... 38

Create a Hyperledger Fabric Network ... 38

Delete a Network ... 40

Invite or Remove Members ... 41

Create an Invitation Proposal ... 41

Create a Removal Proposal ... 42

Delete a Member in Your AWS Account ... 43

Accept an Invitation and Create a Member ... 44

Work with Invitations ... 44

Create a Member ... 46

Create an Interface VPC Endpoint ... 48

Work with Peer Nodes ... 50

Create a Peer Node ... 50

View Peer Node Properties ... 51

Use Peer Node Metrics ... 53

Viewing Peer Node Metrics ... 54

Work with Proposals ... 56

... 56

View Proposals ... 59

Vote on a Proposal ... 61

Create an Invitation Proposal ... 61

Create a Removal Proposal ... 62

Automating with CloudWatch Events ... 63

Example Managed Blockchain Events ... 63

Work with Hyperledger Fabric ... 65

Create an Admin ... 65

Registering an Admin ... 66

Enrolling an Admin ... 66

Copying the Admin Certificate ... 67

Work with Channels ... 67

Create a Channel ... 67

Add an Anchor Peer to a Channel ... 75

Prerequisites and Assumptions ... 76

Adding a Peer as an Anchor Peer ... 76

Develop Chaincode ... 78

Considerations and Limitations When Developing Chaincode for Managed Blockchain ... 78

Private Data Collections ... 79

Develop Java Chaincode ... 80

Query Chaincode Data in the State Database ... 90

Specifying and Viewing the State Database Type ... 90

Rich Queries With CouchDB ... 91

Security ... 93

Data Protection ... 93

Data Encryption ... 94

Encryption at Rest ... 94

Encryption in Transit ... 99

Authentication and Access Control ... 100

AWS Identity and Access Management ... 100

Configuring Security Groups ... 121

Tagging resources ... 123

Create and add tags for Hyperledger Fabric on Managed Blockchain resources ... 123

Tag naming and usage conventions ... 124

Working with tags ... 124

Add or remove tags ... 124


Monitoring ... 127

Considerations and Limitations ... 127

Enabling and Disabling Logs ... 128

Enabling and Disabling Peer Node and Chaincode Logs ... 128

Working with Logged Events in the Managed Blockchain Console ... 128

Searching (Filtering) Logged Events ... 128

Downloading Logged Events ... 129

Viewing Different Chaincode Logs ... 129

Identifying Logs in CloudWatch Logs ... 130

CloudTrail logs ... 131

Managed Blockchain information in CloudTrail ... 131

Understanding Managed Blockchain log file entries ... 132

Document History ... 133

AWS glossary ... 135


What Is Amazon Managed Blockchain?

Amazon Managed Blockchain is a fully managed service for creating and managing blockchain networks and network resources using open-source frameworks. Blockchain allows you to build applications where multiple parties can securely and transparently run transactions and share data without the need for a trusted, central authority.

You can use Managed Blockchain to create scalable blockchain resources and networks quickly and efficiently using the AWS Management Console, the AWS CLI, or the Managed Blockchain SDK.

Managed Blockchain scales to meet the demands of thousands of applications running millions of transactions. Managed Blockchain also simplifies the management of blockchain networks and resources after they are up and running. Managed Blockchain manages your certificates, lets you easily create proposals for a vote among network members where applicable, and helps you track operational metrics related to requests, computational load, memory usage, and data storage.

This guide covers the fundamentals of creating and working with a Hyperledger Fabric blockchain network using Managed Blockchain. For information about working with Ethereum on Managed Blockchain, see Ethereum on Amazon Managed Blockchain Developer Guide.

How to Get Started with Hyperledger Fabric on Managed Blockchain

We recommend the following resources to get started with Hyperledger Fabric networks and chaincode on Managed Blockchain:

• Key Concepts: Amazon Managed Blockchain Networks, Members, and Peer Nodes (p. 2)

This overview helps you understand the fundamental building blocks of a Hyperledger Fabric network on Managed Blockchain. It also tells you how to identify and communicate with network resources.

• Get Started Creating a Hyperledger Fabric Blockchain Network Using Amazon Managed Blockchain (p. 6)

Use this tutorial to create your first Hyperledger Fabric network, set up a Hyperledger Fabric client on EC2, and use the open-source Hyperledger Fabric peer CLI to query and update the ledger. You then invite another member to the network. The member can be from a different AWS account, or you can invite a new member in your own account to simulate a multi-account network. The new member then queries and updates the ledger.

• Hyperledger Fabric Documentation (v2.2)

The open-source documentation for Hyperledger Fabric is a starting point for key concepts and the architecture of the Hyperledger Fabric blockchain network that you build using Managed Blockchain.

As you develop your blockchain application, you can reference this document for key tasks and code samples. Use the documentation version that corresponds to the version of Hyperledger Fabric that you use.

Key Concepts: Amazon Managed Blockchain Networks, Members, and Peer Nodes

A blockchain network is a peer-to-peer network running a decentralized blockchain framework. A Hyperledger Fabric network on Amazon Managed Blockchain includes one or more members. Members are unique identities in the network. For example, a member might be an organization in a consortium of banks. A single AWS account might have multiple members. Each member runs one or more Hyperledger Fabric peer nodes. The peer nodes run chaincode, endorse transactions, and store a local copy of the ledger.

Amazon Managed Blockchain creates and manages these components for each member in a network.

Managed Blockchain also creates components that all network members share, such as the Hyperledger Fabric ordering service and the general networking configuration.

Note: What we call members in a Hyperledger Fabric network on Managed Blockchain is very similar to what Hyperledger Fabric calls organizations.

Hyperledger Fabric on Managed Blockchain Networks and Editions

When creating a Hyperledger Fabric network, the creator chooses the framework version and the edition of Amazon Managed Blockchain to use. The edition determines the capacity and capabilities of the network as a whole.

The creator also must create the first network member. Additional members are added through a proposal and voting process. There is no charge for the network itself, but each member pays an hourly rate (billed per second) for their network membership. Charges vary depending on the edition of the network. Each member also pays for peer nodes, peer node storage, and the amount of data that the member writes to the network. For more information about available editions and their attributes, see Managed Blockchain Pricing. For more information about the number of networks that each AWS account can create and join, see Managed Blockchain Limits in the AWS General Reference.

A Hyperledger Fabric network on Managed Blockchain remains active as long as there are members.

The network is deleted only when the last member deletes itself from the network. No member or AWS account, even the creator's AWS account, can delete the network until they are the last member and delete themselves.

The following diagram shows the basic components of a Hyperledger Fabric blockchain running on Managed Blockchain.


Inviting and Removing Members

An AWS account initially creates a Hyperledger Fabric network on Managed Blockchain, but the network is not owned by that AWS account or any other AWS account. The network is decentralized, so changes to the network are made by consensus.

To make changes to the network, members make proposals that all other members in the network vote on. For another AWS account to join the network, for example, an existing member creates a proposal to invite the account. Other members then vote Yes or No on the proposal. If the proposal is approved, an invitation is sent to the AWS account. The account then accepts the invitation and creates a member to join the network. A similar proposal process is required to remove a member in a different AWS account.

A principal in an AWS account with sufficient permissions can remove a member that the account owns at any time by deleting that member directly, without submitting a proposal.

The network creator also defines a voting policy for the network during creation. The voting policy determines the basic rules for all proposal voting on the network. The voting policy includes the percentage of votes required to pass the proposal, and the duration before the vote expires.

Peer Nodes

When a member joins the network, one of the first things they must do is create at least one peer node in the membership.

Blockchain networks contain a distributed, cryptographically secure ledger that maintains the history of transactions in the network and is immutable: it can't be changed after the fact. Each peer node also holds the global state of the network for the channels in which it participates. The global state is updated with each new transaction. When a new peer node in a channel comes online, it fetches the global state and ledger from other peers. Even if there are no other peer nodes on a network, as long as a member exists, ledger data can be restored to a new peer node.

Peer nodes also interact to create and endorse the transactions that are proposed on the network to update the ledger. Members define the rules in the endorsement process based on their business logic.

In this way, every member can conduct transactions as allowed by the business logic and independently verify the transaction history without a centralized authority.

Note: Limit transactions to less than 4 MB. Transactions greater than 4 MB result in an error.

To configure Hyperledger Fabric applications on peer nodes and to interact with other network resources, members use a client configured with open-source Hyperledger Fabric tools such as a CLI or SDK. The applications and tools that you choose and your client setup depend on your preferred development environment. For example, in the Getting Started (p. 6) tutorial, you configure an Amazon EC2 instance in a VPC with open-source Hyperledger Fabric CLI tools.

Identifying Managed Blockchain Resources and Connecting from a Client

Because a Hyperledger Fabric blockchain network is decentralized, members must interact with each other's peer nodes and network-wide resources to make transactions, endorse transactions, verify members, and so on. When a network is created, Managed Blockchain gives the network a unique ID.

Similarly, when an AWS account creates a member on the network and peer nodes, Managed Blockchain gives unique IDs to those resources.

Each network resource has a unique, addressable endpoint that Managed Blockchain creates from these IDs. Other members of the network, Hyperledger Fabric chaincode, and other tools use these endpoints to identify and interact with resources on the network.

Resource endpoints for a Hyperledger Fabric network on Managed Blockchain are in the following format:

ResourceID.MemberID.NetworkID.managedblockchain.AWSRegion.amazonaws.com:PortNumber


For example, to refer to a peer node with ID nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y, owned by a member with ID m-K46ICRRXJRCGRNNS4ES4XUUS5A, in a Hyperledger Fabric network with ID n-MWY63ZJZU5HGNCMBQER7IN6OIU, you use the following peer node endpoint:

nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30003

The port that you use with an endpoint depends on the Hyperledger Fabric service that you are calling and your unique network setup. AWSRegion is the Region you are using. For a list of supported Regions, see Amazon Managed Blockchain Endpoints and Quotas in the Amazon Web Services General Reference.
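The endpoint format above is the only thing a client has to go on when it decides where to connect, so a client that reads peer addresses from a configuration file should check that each address really has the documented shape and really belongs to its own network before dialing it. The following Python is an added example written for this guide, not code from AWS or from the Hyperledger Fabric project. It parses the guide's own example endpoint into its components, rebuilds an endpoint from IDs, and checks that an endpoint's NetworkID matches the network the client expects. The regular expression for the ID shapes (a short lowercase prefix, a dash, then uppercase letters and digits) is an assumption inferred from the examples on this page, not an official specification.

```python
import re

# The guide's example peer node endpoint, used here as sample input.
PEER_ENDPOINT = (
    "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A."
    "n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30003"
)

# Assumed ID shapes, inferred from the examples in this guide (a short lowercase
# prefix, a dash, then uppercase letters and digits). Not an official specification.
_ENDPOINT_RE = re.compile(
    r"^(?P<resource_id>[a-z]{1,2}-[A-Z0-9]+)"
    r"\.(?P<member_id>m-[A-Z0-9]+)"
    r"\.(?P<network_id>n-[A-Z0-9]+)"
    r"\.managedblockchain\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com"
    r":(?P<port>\d{1,5})$"
)


def parse_endpoint(endpoint):
    """Split an endpoint into resource_id, member_id, network_id, region and port.

    Raises ValueError for anything that does not have exactly the documented shape
    ResourceID.MemberID.NetworkID.managedblockchain.AWSRegion.amazonaws.com:PortNumber,
    so a client configured from a file or an environment variable never dials a host
    that merely resembles a Managed Blockchain endpoint.
    """
    match = _ENDPOINT_RE.match(endpoint.strip())
    if match is None:
        raise ValueError("not a Managed Blockchain endpoint: %r" % endpoint)
    parts = match.groupdict()
    parts["port"] = int(parts["port"])
    if not 1 <= parts["port"] <= 65535:
        raise ValueError("port out of range: %d" % parts["port"])
    return parts


def build_endpoint(resource_id, member_id, network_id, region, port):
    """Assemble an endpoint from its IDs and validate the result before returning it."""
    endpoint = "%s.%s.%s.managedblockchain.%s.amazonaws.com:%d" % (
        resource_id, member_id, network_id, region, port)
    parse_endpoint(endpoint)  # fail fast if any component is malformed
    return endpoint


def endpoint_in_network(endpoint, expected_network_id):
    """True only when the endpoint's NetworkID is the network this client was set up for.

    Checking this before connecting stops a client from being pointed, by a mistaken
    or tampered configuration, at a peer in some other network.
    """
    return parse_endpoint(endpoint)["network_id"] == expected_network_id


if __name__ == "__main__":
    print(parse_endpoint(PEER_ENDPOINT))
```

The parser rejects a hostname whose suffix is anything other than managedblockchain.<region>.amazonaws.com, and endpoint_in_network rejects a syntactically valid endpoint that belongs to a different network; both checks are cheap to run on every address a client loads at startup.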

Within the Hyperledger Fabric network, access and authorization for each resource is governed by processes defined in the chaincode and network configurations such as Hyperledger Fabric channels.

Outside the confines of the network—that is, from members' client applications and tools—Managed Blockchain uses AWS PrivateLink to ensure that only network members can access required resources.

In this way, each member has a private connection from a client in their VPC to the Hyperledger Fabric network on Managed Blockchain. The interface VPC endpoint uses private DNS, so you must have a VPC in your account that is enabled for Private DNS. For more information, see Create an Interface VPC Endpoint for Hyperledger Fabric on Amazon Managed Blockchain (p. 48).

Get Started Creating a Hyperledger Fabric Blockchain Network Using Amazon Managed Blockchain

This tutorial guides you through creating your first Hyperledger Fabric network using Amazon Managed Blockchain. It shows you how to set up the network and create a member in your AWS account, set up chaincode and a channel, and then invite members from other AWS accounts to join a channel.

Instructions for invitees are also provided.

Steps

• Prerequisites and Considerations (p. 6)

• Step 1: Create the Network and First Member (p. 9)

• Step 2: Create and Configure the Interface VPC Endpoint (p. 11)

• Step 3: Create a Peer Node in Your Membership (p. 11)

• Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 12)

• Step 5: Enroll an Administrative User (p. 17)

• Step 6: Create a Hyperledger Fabric Channel (p. 19)

• Step 7: Install and Run Chaincode (p. 24)

• Step 8: Invite Another AWS Account to be a Member and Create a Multi-Member Channel (p. 27)

Prerequisites and Considerations

To complete this tutorial, you must have the resources listed in this section. Unless specifically stated otherwise, the requirements apply to both network creators and invited members.

Topics

• An AWS account (p. 6)

• A Linux Client (EC2 Instance) (p. 7)

• A VPC (p. 7)

• Permissions to Create an Interface VPC Endpoint (p. 7)

• EC2 Security Groups That Allow Communication on Required Ports (p. 7)

• Additional Considerations (p. 9)

An AWS account

Before you use Managed Blockchain for the first time, you must sign up for an Amazon Web Services (AWS) account.

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

A Linux Client (EC2 Instance)

You must have a Linux computer with access to resources in the VPC to serve as your Hyperledger Fabric client. This computer must have version 1.16.149 or later of the AWS CLI installed. Earlier versions of the AWS CLI do not have the managedblockchain command. We recommend that you use the latest version of the AWS CLI available. For information about updating the AWS CLI, see Update the AWS CLI version 2 on Linux in the AWS Command Line Interface User Guide.

We recommend creating an Amazon Elastic Compute Cloud (Amazon EC2) instance in the same VPC and AWS Region as the VPC endpoint for the Hyperledger Fabric network on Managed Blockchain.

This is the setup that the tutorial uses. For instructions to set up a Hyperledger Fabric client using this configuration, see Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 12).

An AWS CloudFormation template to create a Hyperledger Fabric client is available in the amazon-managed-blockchain-client-templates repository on GitHub. For more information, see the readme.md in that repository. For more information about using AWS CloudFormation, see Getting Started in the AWS CloudFormation User Guide.

A VPC

You must have a VPC with an IPv4 CIDR block, and the enableDnsHostnames and enableDnsSupport options must be set to true. If you will connect to the Hyperledger Fabric client using SSH, the VPC must have an internet gateway, and the security group configuration associated with the Hyperledger Fabric client must allow inbound SSH access from your SSH client.

• For more information about creating a suitable network, see Getting Started with IPv4 for Amazon VPC tutorial in the Amazon VPC User Guide.

• For information about using SSH to connect to an Amazon EC2 Instance, see Connecting to Your Linux Instance Using SSH in the Amazon EC2 User Guide for Linux Instances.

• For instructions about how to verify if DNS options are enabled, see Using DNS with Your VPC in the Amazon VPC User Guide.

Permissions to Create an Interface VPC Endpoint

The IAM principal (user) identity that you are using must have sufficient IAM permissions to create an interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and Managing VPC Endpoints in the Amazon VPC User Guide.

EC2 Security Groups That Allow Communication on Required Ports

The EC2 security groups associated with the Hyperledger Fabric client Amazon EC2 instance and the Interface VPC Endpoint that you create during this tutorial must have rules that allow traffic between them for required Hyperledger Fabric services. EC2 security groups are restrictive by default, so you need to create security group rules that allow required access. In addition, a security group associated with the Hyperledger Fabric client Amazon EC2 instance must have an inbound rule that allows SSH traffic (Port 22) from trusted SSH clients.

For the purposes of simplicity in this tutorial, we recommend that you create an EC2 security group that you associate only with the Hyperledger Fabric client Amazon EC2 instance and the Interface VPC Endpoint. Then create an inbound rule that allows all traffic from within the security group. In addition, create another security group to associate with the Hyperledger Fabric client Amazon EC2 instance that allows inbound SSH traffic from trusted clients.

Important

This security group configuration is recommended for this tutorial only. Carefully consider security group settings for your desired security posture. For information about the minimum required rules, see Configuring Security Groups for Hyperledger Fabric on Amazon Managed Blockchain (p. 121).

To create a security group that allows traffic between the Hyperledger Fabric client and the interface VPC endpoint for use in this tutorial

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Choose Security groups in the navigation pane, and then choose Create security group.

3. Enter a Security group name and Description for the security group that helps you find it. For example, HFClientAndEndpoint.

4. Make sure that the VPC you select is the default VPC for your account. This is the VPC in which Hyperledger Fabric network resources and the interface VPC endpoint are created.

5. Choose Create.

6. Select the security group that you just created from the list, choose Inbound, and then choose Edit.

7. Under Type, select All traffic from the list.

8. Under Source, leave Custom selected, and then begin typing the name or ID of this same security group—for example, HFClientAndEndpoint—and then select the security group so that its ID appears under Source.

9. Choose Save.

You reference this security group later in this tutorial in Step 2: Create and Configure the Interface VPC Endpoint (p. 11) and Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 12).

To create a security group for the Hyperledger Fabric client that allows inbound SSH connections from the computer that you are working with

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. Choose Security groups in the navigation pane, and then choose Create security group.

3. Enter a Security group name and Description for the security group that helps you find it. For example, HFClientSSH.

4. Make sure that the VPC you select is the same VPC that you will select for the interface VPC endpoint.

5. Choose Inbound, and then choose Add rule.

6. Under Type, select SSH from the list.

7. Under Source, select My IP. This adds the detected IP address of your current computer. Optionally, you can create additional rules for SSH connections from additional IP addresses or sources if required.

8. Choose Create.


You will reference this security group later in this tutorial in Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 12).

Additional Considerations

• All commands in the tutorial assume that you are using an Amazon EC2 instance with an Amazon Linux AMI. Unless noted otherwise, instructions also assume that you are running commands in the default home directory (/home/ec2-user). If you have a different configuration, modify instructions to fit your home directory as necessary.

• Hyperledger Fabric 2.2 requires that a channel ID contain only lowercase ASCII alphanumeric characters, dots (.), and dashes (-). It must start with a letter, and must be fewer than 250 characters.

Step 1: Create the Network and First Member

When you create the network, you specify the following parameters along with basic information such as names and descriptions:

• The open-source framework and version. This tutorial uses Hyperledger Fabric version 2.2.

• The voting policy for proposals on the network. For more information, see Work with Proposals for a Hyperledger Fabric Network on Amazon Managed Blockchain (p. 56).

• The first member of the network, including the administrative user and administrative password that are used to authenticate to the member's certificate authority (CA).

Important

Each member that is created accrues charges according to the membership rate for the network. For more information, see Amazon Managed Blockchain Pricing.

Create the network using the AWS CLI or Managed Blockchain console according to the following instructions. It takes around 30 minutes for Managed Blockchain to provision resources and bring the network online.

To create a Hyperledger Fabric network using the AWS Management Console

1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

2. Choose Create private network.

3. Under Blockchain frameworks:

a. Select the blockchain framework to use. This tutorial is based on Hyperledger Fabric version 2.2.

b. Select the Network edition to use. The network edition determines attributes of the network, such as the maximum number of members, nodes per member, and transaction throughput.

Different editions have different rates associated with the membership. For more information, see Amazon Managed Blockchain Pricing.

4. Enter a Network name and description.

5. Under Voting Policy, choose the following:

a. Enter the Approval threshold percentage along with the comparator, either Greater than or Greater than or equal to. For a proposal to pass, the Yes votes cast must meet this threshold before the vote duration expires.


b. Enter the Proposal duration in hours. If enough votes are not cast within this duration to either approve or reject a proposal, the proposal status is EXPIRED, no further votes on this proposal are allowed, and the proposal does not pass.

6. Choose Next, and then, under Create member, do the following to define the first member for the network, which you own:

a. Enter a Member name that will be visible to all members and an optional Description.

b. Under Hyperledger Fabric certificate authority (CA) configuration specify a username and password to be used as the administrator on the Hyperledger Fabric CA. Remember the user name and password. You need them later any time that you create users and resources that need to authenticate.

c. Choose Next.

7. Review Network options and Member options, and then choose Create network and member.

The Networks list shows the name and Network ID of the network you created, with a Status of Creating. It takes around 30 minutes for Managed Blockchain to create your network, after which the Status is Available.
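The approval threshold, its comparator, and the proposal duration described in the voting-policy paragraph of Key Concepts and in steps 5a and 5b above together decide whether a proposal is approved, expired, or still open. The Python below is an added example written for this guide, not AWS code or part of the service, that makes those rules concrete: it computes the smallest number of Yes votes that satisfies a threshold under each comparator, classifies a proposal from its vote counts and elapsed time, and emits the VotingPolicy object in the shape that create-network takes. It assumes that the percentage is measured against all members of the network, and the early REJECTED outcome (when enough No votes are in that the threshold can no longer be reached) is an assumption, since the text above only describes approval and expiry.

```python
from dataclasses import dataclass

COMPARATORS = ("GREATER_THAN", "GREATER_THAN_OR_EQUAL_TO")


@dataclass(frozen=True)
class VotingPolicy:
    threshold_percentage: int      # share of all members whose Yes vote is needed
    comparator: str                # one of COMPARATORS
    proposal_duration_hours: int   # the vote expires this long after creation

    def __post_init__(self):
        if self.comparator not in COMPARATORS:
            raise ValueError("unknown comparator: %s" % self.comparator)
        if not 0 < self.threshold_percentage <= 100:
            raise ValueError("threshold percentage must be between 1 and 100")
        if self.proposal_duration_hours <= 0:
            raise ValueError("proposal duration must be positive")

    def to_api_dict(self):
        """The VotingPolicy object in the shape the create-network input expects."""
        return {"ApprovalThresholdPolicy": {
            "ThresholdPercentage": self.threshold_percentage,
            "ProposalDurationInHours": self.proposal_duration_hours,
            "ThresholdComparator": self.comparator}}


def yes_votes_required(policy, total_members):
    """Smallest Yes count that satisfies the threshold, in exact integer arithmetic.

    Assumption: the percentage is taken over all members of the network. Comparing
    100*yes with percentage*total avoids floating-point rounding at the boundary.
    """
    scaled = policy.threshold_percentage * total_members
    if policy.comparator == "GREATER_THAN":
        return scaled // 100 + 1          # 100*yes > scaled
    return -(-scaled // 100)              # 100*yes >= scaled (ceiling division)


def proposal_status(policy, total_members, yes_votes, no_votes, hours_elapsed):
    """Classify a proposal as APPROVED, REJECTED, EXPIRED or IN_PROGRESS."""
    needed = yes_votes_required(policy, total_members)
    if yes_votes >= needed:
        return "APPROVED"
    # Assumption: once so many No votes are in that the threshold cannot be reached
    # even if every remaining member votes Yes, the proposal is rejected early.
    if total_members - no_votes < needed:
        return "REJECTED"
    if hours_elapsed >= policy.proposal_duration_hours:
        return "EXPIRED"
    return "IN_PROGRESS"


if __name__ == "__main__":
    policy = VotingPolicy(50, "GREATER_THAN", 24)
    print(yes_votes_required(policy, 10))            # 6 of 10 members must vote Yes
    print(proposal_status(policy, 10, 5, 0, 25))     # EXPIRED: 5 Yes votes never exceeded 50%
```

With ten members, a 50% threshold and Greater than requires six Yes votes, while Greater than or equal to requires five; the comparator is therefore not a cosmetic choice, and a network creator should pick it knowing how many members exist and how the count will change as members are invited.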

To create a Hyperledger Fabric network using the AWS CLI

Use the create-network command as shown in the following example. Consider the following:

• The example shows HYPERLEDGER_FABRIC as the Framework and 2.2 as the FrameworkVersion.

The FrameworkConfiguration properties for the --network-configuration and --member-configuration options may be different for other frameworks and versions.

• The AdminPassword must be at least 8 characters long and no more than 32 characters. It must contain at least one uppercase letter, one lowercase letter, and one digit. It cannot contain a single quote ('), double quote ("), forward slash (/), backslash (\), at sign (@), percent sign (%), or a space.

• The member name must not contain any special characters.

• Remember the user name and password. You need them later any time you create users and resources that need to authenticate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-network \
    --cli-input-json '{
        "Name": "OurBlockchainNet",
        "Description": "OurBlockchainNetDesc",
        "Framework": "HYPERLEDGER_FABRIC",
        "FrameworkVersion": "2.2",
        "FrameworkConfiguration": {"Fabric": {"Edition": "STARTER"}},
        "VotingPolicy": {"ApprovalThresholdPolicy": {"ThresholdPercentage": 50, "ProposalDurationInHours": 24, "ThresholdComparator": "GREATER_THAN"}},
        "MemberConfiguration": {
            "Name": "org1",
            "Description": "Org1 first member of network",
            "FrameworkConfiguration": {"Fabric": {"AdminUsername": "MyAdminUser", "AdminPassword": "Password123"}},
            "LogPublishingConfiguration": {"Fabric": {"CaLogs": {"Cloudwatch": {"Enabled": true}}}}
        }
    }'

The command returns the Network ID and the Member ID, as shown in the following example:

{
    "NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
    "MemberId": "m-K46ICRRXJRCGRNNS4ES4XUUS5A"
}
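The create-network input above has several constraints that the service only reports after the call is made: the AdminPassword rules listed in the considerations, the member name restriction, and, later in the tutorial, the channel ID rules for Hyperledger Fabric 2.2 from Additional Considerations. The following Python is an added example written for this guide, not AWS or Hyperledger Fabric code, that checks those rules locally and assembles the same --cli-input-json document as the command above, refusing to produce one from inputs that would be rejected. The member-name check (letters and digits only) is an assumed reading of "must not contain any special characters", and the HF_ADMIN_PASSWORD environment variable used when the script is run directly is a hypothetical name chosen here so that the CA admin password is not typed onto a command line.

```python
import json
import re

# Characters the AdminPassword may not contain, per the considerations in this guide.
FORBIDDEN_PASSWORD_CHARS = set("'\"/\\@% ")
# Channel ID rule for Hyperledger Fabric 2.2 from this guide: lowercase ASCII letters,
# digits, dots and dashes, starting with a letter, fewer than 250 characters.
_CHANNEL_ID_RE = re.compile(r"^[a-z][a-z0-9.-]*$")
# Assumed reading of "must not contain any special characters": letters and digits only.
_MEMBER_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")


def validate_admin_password(password):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs at least one lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    bad = sorted(FORBIDDEN_PASSWORD_CHARS & set(password))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    return problems


def validate_channel_id(channel_id):
    """Return the list of channel ID rules broken; an empty list means it is acceptable."""
    problems = []
    if len(channel_id) >= 250:
        problems.append("must be fewer than 250 characters")
    if not _CHANNEL_ID_RE.match(channel_id):
        problems.append("must start with a letter and use only lowercase letters, digits, dots and dashes")
    return problems


def create_network_input(name, description, member_name, member_description,
                         admin_username, admin_password, edition="STARTER",
                         threshold_percentage=50, comparator="GREATER_THAN",
                         duration_hours=24):
    """Build the create-network input document, refusing inputs the service would reject."""
    problems = validate_admin_password(admin_password)
    if not _MEMBER_NAME_RE.match(member_name):
        problems.append("member name must contain only letters and digits")
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Name": name,
        "Description": description,
        "Framework": "HYPERLEDGER_FABRIC",
        "FrameworkVersion": "2.2",
        "FrameworkConfiguration": {"Fabric": {"Edition": edition}},
        "VotingPolicy": {"ApprovalThresholdPolicy": {
            "ThresholdPercentage": threshold_percentage,
            "ProposalDurationInHours": duration_hours,
            "ThresholdComparator": comparator}},
        "MemberConfiguration": {
            "Name": member_name,
            "Description": member_description,
            "FrameworkConfiguration": {"Fabric": {
                "AdminUsername": admin_username,
                "AdminPassword": admin_password}},
            "LogPublishingConfiguration": {
                "Fabric": {"CaLogs": {"Cloudwatch": {"Enabled": True}}}},
        },
    }


def create_network_input_json(*args, **kwargs):
    """Serialised form, ready to be passed as the value of --cli-input-json."""
    return json.dumps(create_network_input(*args, **kwargs))


if __name__ == "__main__":
    import os
    # Hypothetical variable name; the fallback is the sample password used in this guide.
    password = os.environ.get("HF_ADMIN_PASSWORD", "Password123")
    print(create_network_input_json("OurBlockchainNet", "OurBlockchainNetDesc", "org1",
                                    "Org1 first member of network", "MyAdminUser", password))
```

Writing the document to a file and passing it as --cli-input-json file://create-network.json keeps the CA admin password out of the shell history that a plain command line leaves behind; the validators can be reused unchanged when the tutorial later asks for a channel ID.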

The Networks page on the console shows a Status of Available when the network is ready. Alternatively, you can use the list-networks command, as shown in the following example, to confirm the network status.


aws managedblockchain list-networks

The command returns information about the network, including an AVAILABLE status.

{
    "Networks": [
        {
            "Id": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
            "Name": "MyTestNetwork",
            "Description": "MyNetDescription",
            "Framework": "HYPERLEDGER_FABRIC",
            "FrameworkVersion": "2.2",
            "Status": "AVAILABLE",
            "CreationDate": 1541497086.888
        }
    ]
}

Step 2: Create and Configure the Interface VPC Endpoint

Now that the network is up and running in your VPC, you set up an interface VPC endpoint (AWS PrivateLink) for your member. This allows the Amazon EC2 instance that you use as a Hyperledger Fabric client to interact with the Hyperledger Fabric endpoints that Amazon Managed Blockchain exposes for your member and network resources. For more information, see Interface VPC Endpoints (AWS PrivateLink) in the Amazon VPC User Guide. Applicable charges for interface VPC endpoints apply. For more information, see AWS PrivateLink Pricing.

The AWS Identity and Access Management (IAM) principal (user) identity that you use must have sufficient IAM permissions to create an interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and Managing VPC Endpoints in the Amazon VPC User Guide.

You can create the interface VPC endpoint using a shortcut in the Managed Blockchain console.

To create an interface VPC endpoint using the Managed Blockchain console

1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

2. Choose Networks, select your network from the list, and then choose View details.

3. Choose Create VPC endpoint.

4. Choose a VPC.

5. For Subnets, choose a subnet from the list, and then choose additional subnets as necessary.

6. For Security groups, choose an EC2 security group from the list, and then choose additional security groups as necessary. We recommend that you select the same security group that your framework client EC2 instance is associated with.

7. Choose Create.

Step 3: Create a Peer Node in Your Membership

Now that your network and the first member are up and running, you can use the Managed Blockchain console or the AWS CLI to create a peer node. Your member's peer nodes interact with other members' peer nodes on the blockchain to query and update the ledger, and store a local copy of the ledger.

Use one of the following procedures to create a peer node.

To create a peer node using the AWS Management Console

1. Open the Managed Blockchain console at https://console.aws.amazon.com/managedblockchain/.

2. Choose Networks, select the network from the list, and then choose View details.

3. Select a Member from the list, and then choose Create peer node.

4. Choose configuration parameters for your peer node according to the guidelines in Work with Hyperledger Fabric Peer Nodes on Managed Blockchain (p. 50), and then choose Create peer node.

To create a peer node using the AWS CLI

• Use the create-node command, as shown in the following example. Replace the values of --network-id, --member-id, and AvailabilityZone as appropriate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-node \
    --node-configuration '{"InstanceType":"bc.t3.small","AvailabilityZone":"us-east-1a"}' \
    --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
    --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns output that includes the peer node's NodeID, as shown in the following example:

{
    "NodeId": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y"
}

Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client

To complete this step, you launch an Amazon EC2 instance using the Amazon Linux AMI. Consider the following requirements and recommendations when you create the Hyperledger Fabric client Amazon EC2 instance:

• We recommend that you launch the client Amazon EC2 instance in the same VPC and using the same security group as the VPC Endpoint that you created in Step 2: Create and Configure the Interface VPC Endpoint (p. 11). This simplifies connectivity between the Amazon EC2 instance and the Interface VPC Endpoint.

• We recommend that the EC2 security group shared by the VPC Endpoint and the client Amazon EC2 instance have rules that allow all inbound and outbound traffic between members of the security group. This also simplifies connectivity. In addition, ensure that this security group or another security group associated with the client Amazon EC2 instance has a rule that allows inbound SSH connections from a source that includes your SSH client's IP address. For more information about security groups and required rules, see Configuring Security Groups for Hyperledger Fabric on Amazon Managed Blockchain (p. 121).

• Make sure that the client Amazon EC2 instance is configured with an automatically assigned public IP address and that you can connect to it using SSH. For more information, see Getting Started with Amazon EC2 Linux Instances and Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances.


• Make sure that the service role associated with the EC2 instance allows access to the Amazon S3 bucket where Managed Blockchain certificates are stored and that it has required permissions for working with Managed Blockchain resources. For more information, see Example IAM Role Permissions Policy for Hyperledger Fabric Client EC2 Instance (p. 116).

Note: An AWS CloudFormation template to create a Hyperledger Fabric client is available in the amazon-managed-blockchain-client-templates repository on GitHub. For more information, see the readme.md in that repository. For more information about using AWS CloudFormation, see Getting Started in the AWS CloudFormation User Guide.

Step 4.1: Install Packages

Your Hyperledger Fabric client needs some packages and samples installed so that you can work with the Hyperledger Fabric resources. In this step, you install Go, Docker, Docker Compose, and some other utilities. You also create variables in the ~/.bash_profile for your development environment. These are prerequisites for installing and using Hyperledger tools.

While connected to the Hyperledger Fabric client using SSH, run the following commands to install utilities, install Docker, and add ec2-user to the docker group so that the default user of the Amazon EC2 instance can run Docker commands:

sudo yum update -y

sudo yum install jq telnet emacs docker libtool libtool-ltdl-devel git -y

sudo service docker start

sudo usermod -a -G docker ec2-user

Log out and log in again for the usermod command to take effect.

Run the following commands to install Docker Compose.

sudo curl -L \
    https://github.com/docker/compose/releases/download/1.20.0/docker-compose-`uname -s`-`uname -m` \
    -o /usr/local/bin/docker-compose

sudo chmod a+x /usr/local/bin/docker-compose

Run the following commands to install golang.

wget https://dl.google.com/go/go1.14.4.linux-amd64.tar.gz

tar -xzf go1.14.4.linux-amd64.tar.gz

sudo mv go /usr/local

sudo yum install git -y

Use a text editor to set up variables such as GOROOT and GOPATH in your ~/.bashrc or ~/.bash_profile and save the updates. The following example shows entries in .bash_profile.

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/.local/bin:$HOME/bin

# GOROOT is the location where Go package is installed on your system
export GOROOT=/usr/local/go

# GOPATH is the location of your work directory
export GOPATH=$HOME/go

# CASERVICEENDPOINT is the endpoint to reach your member's CA
# for example ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002
export CASERVICEENDPOINT=MyMemberCaEndpoint

# ORDERER is the endpoint to reach your network's orderer
# for example orderer.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.amazonaws.com:30001
export ORDERER=MyNetworkOrdererEndpoint

# Update PATH so that you can access the go binary system wide
export PATH=$GOROOT/bin:$PATH
export PATH=$PATH:/home/ec2-user/go/src/github.com/hyperledger/fabric-ca/bin

After you update .bash_profile, apply the changes:

source ~/.bash_profile

After the installation, verify that you have the correct versions installed:

• Docker 17.06.2-ce or later

• Docker Compose 1.14.0 or later

• Go 1.14.x

To check the Docker version, run the following command:

sudo docker version

The command returns output similar to the following:

Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.14.4
 Git commit:        CommitHash
 Built:             Tue Oct  2 18:06:45 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.14.4
  Git commit:       e68fc7a/18.06.1-ce
  Built:            Tue Oct  2 18:08:26 2018
  OS/Arch:          linux/amd64
  Experimental:     false

To check the version of Docker Compose, run the following command:

sudo /usr/local/bin/docker-compose version

The command returns output similar to the following:

docker-compose version 1.22.0, build f46880fe
docker-py version: 3.4.1
CPython version: 3.6.6
OpenSSL version: OpenSSL 1.1.0f  25 May 2017

To check the version of go, run the following command:

go version

The command returns output similar to the following:

go version go1.14.4 linux/amd64

Step 4.2: Set Up the Hyperledger Fabric CA Client

In this step, you verify that you can connect to the Hyperledger Fabric CA using the VPC endpoint you configured in Step 2: Create and Configure the Interface VPC Endpoint (p. 11). You then install the Hyperledger Fabric CA client. The Fabric CA issues certificates to administrators and network peers.

To verify connectivity to the Hyperledger Fabric CA, you need the CAEndpoint. Use the get-member command to get the CA endpoint for your member, as shown in the following example. Replace the values of --network-id and --member-id with the values returned in Step 1: Create the Network and First Member (p. 9).

aws managedblockchain get-member \
    --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
    --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

Use curl or telnet to verify that the endpoint resolves. In the following example, the value of the variable $CASERVICEENDPOINT is the CAEndpoint returned by the get-member command.

curl https://$CASERVICEENDPOINT/cainfo -k

The command should return output similar to the following:

{"result":{"CAName":"abcd1efghijkllmn5op3q52rst","CAChain":"LongStringOfCharacters","Version":"1.4.7-snapshot-"},"errors":[],"messages":[],"success":true}

Note that Hyperledger Fabric v2.2 networks should use version 1.4 of the CA client.

Alternatively, you can connect to the Fabric CA using Telnet as shown in the following example. Use the same endpoint in the curl example, but separate the endpoint and the port as shown in the following example.


telnet CaEndpoint-Without-Port CaPort

The command should return output similar to the following:

Trying 10.0.1.228...
Connected to ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com.
Escape character is '^]'.

If you are unable to connect to the Fabric CA, double-check your network settings to ensure that the client Amazon EC2 instance has connectivity with the VPC Endpoint. In particular, ensure that the security groups associated with both the VPC Endpoint and the client Amazon EC2 instance have inbound and outbound rules that allow traffic between them.

Now that you have verified that you can connect to the Hyperledger Fabric CA, run the following commands to configure the CA client.

Note: If you are working with Hyperledger Fabric v1.2 networks, you need to install and build the correct client version, which is available at https://github.com/hyperledger/fabric-ca/releases/download/v1.2.1/hyperledger-fabric-ca-linux-amd64-1.2.1.tar.gz.

mkdir -p /home/ec2-user/go/src/github.com/hyperledger/fabric-ca

cd /home/ec2-user/go/src/github.com/hyperledger/fabric-ca

wget https://github.com/hyperledger/fabric-ca/releases/download/v1.4.7/hyperledger-fabric-ca-linux-amd64-1.4.7.tar.gz

tar -xzf hyperledger-fabric-ca-linux-amd64-1.4.7.tar.gz

Step 4.3: Clone the Samples Repository

Note: If you are working with Hyperledger Fabric v1.2 or v1.4 networks, use --branch v1.2.0 or --branch v1.4.7 instead of --branch v2.2.3 in the following commands.

cd /home/ec2-user

git clone --branch v2.2.3 https://github.com/hyperledger/fabric-samples.git

Step 4.4: Configure and Run Docker Compose to Start the Hyperledger Fabric CLI

Use a text editor to create a configuration file for Docker Compose named docker-compose-cli.yaml in the /home/ec2-user directory, which you use to run the Hyperledger Fabric CLI. You use this CLI to interact with peer nodes that your member owns. Copy the following contents into the file and replace the placeholder values according to the following guidance:

MyMemberID is the MemberID returned by the aws managedblockchain list-members AWS CLI command and shown on the member details page of the Managed Blockchain console—for example, m-K46ICRRXJRCGRNNS4ES4XUUS5A.

MyPeerNodeEndpoint is the PeerEndpoint returned by the aws managedblockchain get-node command and listed on the node details page of the Managed Blockchain console—for example, nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30003.

When you subsequently use the cli container to run commands—for example, docker exec cli peer channel create—you can use the -e option to override an environment variable that you establish in the docker-compose-cli.yaml file.

Note

If you are working with Hyperledger Fabric v1.2 or v1.4 networks, use image: hyperledger/fabric-tools:1.2 or image: hyperledger/fabric-tools:1.4 in the following example instead of image: hyperledger/fabric-tools:2.2. In addition, for v1.2, use CORE_LOGGING_LEVEL=info instead of FABRIC_LOGGING_SPEC=info.

version: '2'
services:
  cli:
    container_name: cli
    image: hyperledger/fabric-tools:2.2
    tty: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=info # Set logging level to debug for more verbose logging
      - CORE_PEER_ID=cli
      - CORE_CHAINCODE_KEEPALIVE=10
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/managedblockchain-tls-chain.pem
      - CORE_PEER_LOCALMSPID=MyMemberID
      - CORE_PEER_MSPCONFIGPATH=/opt/home/admin-msp
      - CORE_PEER_ADDRESS=MyPeerNodeEndpoint
    working_dir: /opt/home
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - /home/ec2-user/fabric-samples/chaincode:/opt/gopath/src/github.com/
      - /home/ec2-user:/opt/home

Run the following command to start the Hyperledger Fabric peer CLI container:

docker-compose -f docker-compose-cli.yaml up -d

If you restarted or logged out and back in after the usermod command in Step 4.1: Install Packages (p. 13), you shouldn't need to run this command with sudo. If the command fails, you can log out and log back in. Alternatively, you can run the command using sudo, as shown in the following example:

sudo /usr/local/bin/docker-compose -f docker-compose-cli.yaml up -d

Step 5: Enroll an Administrative User

In this step, you use a pre-configured certificate to enroll a user with administrative permissions to your member's certificate authority (CA). To do this, you must create a certificate file. You also need the endpoint for the CA of your member, and the user name and password for the user that you created in Step 1: Create the Network and First Member (p. 9).

Step 5.1: Create the Certificate File

Run the following command to copy the managedblockchain-tls-chain.pem to the /home/ec2-user directory. Replace MyRegion with the AWS Region you are using—for example, us-east-1.

aws s3 cp s3://MyRegion.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem

If the command fails with a permissions error, ensure that the service role associated with the EC2 instance allows access to the Amazon S3 bucket location. For more information, see Example IAM Role Permissions Policy for Hyperledger Fabric Client EC2 Instance (p. 116).

Run the following command to test that you copied the contents to the file correctly:

openssl x509 -noout -text -in /home/ec2-user/managedblockchain-tls-chain.pem

The command should return the contents of the certificate in human-readable format.

Step 5.2: Enroll the Administrative User

Managed Blockchain registers the user identity that you specified when you created the member as an administrator. In Hyperledger Fabric, this user is known as the bootstrap identity because the identity is used to enroll itself. To enroll, you need the CA endpoint, as well as the user name and password for the administrator that you created in Step 1: Create the Network and First Member (p. 9). For information about registering other user identities as administrators before you enroll them, see Register and Enroll a Hyperledger Fabric Admin (p. 65).

Use the get-member command to get the CA endpoint for your membership, as shown in the following example. Replace the values of --network-id and --member-id with the values returned in Step 1: Create the Network and First Member (p. 9).

aws managedblockchain get-member \
    --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
    --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns information about the initial member that you created in the network, as shown in the following example. Make a note of the CaEndpoint. You also need the AdminUsername and the password that you created along with the network.

{
    "Member": {
        "NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
        "Status": "AVAILABLE",
        "Description": "MyNetDescription",
        "FrameworkAttributes": {
            "Fabric": {
                "CaEndpoint": "ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002",
                "AdminUsername": "AdminUser"
            }
        },
        "StatusReason": "Network member created successfully",
        "CreationDate": 1542255358.74,
        "Id": "m-K46ICRRXJRCGRNNS4ES4XUUS5A",
        "Name": "org1"
    }
}

Use the CA endpoint, administrator profile, and the certificate file to enroll the member administrator using the fabric-ca-client enroll command, as shown in the following example:

fabric-ca-client enroll \
    -u "https://AdminUsername:AdminPassword@$CASERVICEENDPOINT" \
    --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp

An example command with fictitious administrator name, password, and endpoint is shown in the following example:

fabric-ca-client enroll \
    -u https://AdminUser:AdminPassword@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \
    --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp

The command returns output similar to the following:

2018/11/16 02:21:40 [INFO] Created a default configuration file at /home/ec2-user/.fabric-ca-client/fabric-ca-client-config.yaml
2018/11/16 02:21:40 [INFO] TLS Enabled
2018/11/16 02:21:40 [INFO] generating key: &{A:ecdsa S:256}
2018/11/16 02:21:40 [INFO] encoded CSR
2018/11/16 02:21:40 [INFO] Stored client certificate at /home/ec2-user/admin-msp/signcerts/cert.pem
2018/11/16 02:21:40 [INFO] Stored root CA certificate at /home/ec2-user/admin-msp/cacerts/ca-abcd1efghijkllmn5op3q52rst-uqz2f2xakfd7vcfewqhckr7q5m-managedblockchain-us-east-1-amazonaws-com-30002.pem

Important

It may take a minute or two after you enroll for you to be able to use your administrator certificate to create a channel with the ordering service.
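The /cainfo check in Step 4.2 and the enroll URL above, worked as an added example that is not part of this guide: the script validates a constructed /cainfo response (the CA answered successfully, CAChain decodes to PEM, and the server's major.minor version matches the 1.4 CA client that Step 4.2 calls for) and builds the -u value with percent-encoded credentials, so that a password containing ':' or '@' is still parsed as userinfo rather than as part of the host. The ca.example:30002 endpoint and the sample password are assumptions.

```python
import base64
import json
from urllib.parse import quote

# Constructed /cainfo body in the shape shown in Step 4.2. The CAChain is the
# base64 of a placeholder PEM, not a real certificate.
_PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderNotARealCertificate\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_CAINFO = json.dumps({
    "result": {
        "CAName": "abcd1efghijkllmn5op3q52rst",
        "CAChain": base64.b64encode(_PLACEHOLDER_PEM.encode()).decode(),
        "Version": "1.4.7-snapshot-",
    },
    "errors": [],
    "messages": [],
    "success": True,
})


def check_cainfo(body, expected_client_version="1.4"):
    """Validate a Fabric CA /cainfo body and return (ca_name, version, pem).

    Raises ValueError when the CA reports errors, when CAChain does not
    decode to a PEM certificate, or when the server's major.minor version
    differs from the CA client version you plan to install.
    """
    doc = json.loads(body)
    if not doc.get("success") or doc.get("errors"):
        raise ValueError("CA reported failure: %r" % doc.get("errors"))
    result = doc["result"]
    pem = base64.b64decode(result["CAChain"]).decode("ascii")
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("CAChain did not decode to a PEM certificate")
    major_minor = ".".join(result["Version"].split(".")[:2])
    if major_minor != expected_client_version:
        raise ValueError("CA server is %s; install fabric-ca-client %s.x to match"
                         % (result["Version"], major_minor))
    return result["CAName"], result["Version"], pem


def enroll_url(username, password, ca_endpoint):
    """Build the -u value for fabric-ca-client enroll.

    The guide pastes the credentials into the URL verbatim; percent-encoding
    them keeps reserved characters such as ':', '@' and '/' inside the
    userinfo part instead of corrupting the host or path.
    """
    return "https://%s:%s@%s" % (quote(username, safe=""),
                                 quote(password, safe=""), ca_endpoint)


if __name__ == "__main__":
    name, version, pem = check_cainfo(SAMPLE_CAINFO)
    print("CA %s, server version %s, chain starts with %r" % (name, version, pem[:27]))
    # Assumed endpoint and password, for illustration only.
    print(enroll_url("AdminUser", "p@ss:w0rd/1", "ca.example:30002"))
```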

Step 5.3: Copy Certificates for the MSP

In Hyperledger Fabric, the Membership Service Provider (MSP) identifies which root CAs and intermediate CAs are trusted to define the members of a trust domain. Certificates for the administrator's MSP are in /home/ec2-user/admin-msp in this tutorial. Because this MSP is for the member administrator, copy the certificates from signcerts to admincerts as shown in the following example. The example assumes you are in the /home/ec2-user directory when running the command.

cp -r /home/ec2-user/admin-msp/signcerts admin-msp/admincerts

Step 6: Create a Hyperledger Fabric Channel

In Hyperledger Fabric, a ledger exists in the scope of a channel. The ledger can be shared across the entire network if every member is operating on a common channel. A channel also can be privatized to include only a specific set of participants. Members can be in your AWS account, or they can be members that you invite from other AWS accounts.

In this step, you set up a basic channel. Later on in the tutorial, in Step 8: Invite Another AWS Account to be a Member and Create a Multi-Member Channel (p. 27), you go through a similar process to set up a channel that includes another member.

Wait a minute or two for the administrative permissions from previous steps to propagate, and then perform these tasks to create a channel.

Note: All Hyperledger Fabric networks on Managed Blockchain support a maximum of 8 channels per network, regardless of network edition.

Step 6.1: Create configtx for Hyperledger Fabric Channel Creation

The configtx.yaml file contains details of the channel configuration. For more information, see Channel Configuration (configtx) in the Hyperledger Fabric documentation.

This configtx.yaml enables application features associated with Hyperledger Fabric 2.2. It is not compatible with Hyperledger Fabric 1.2 or 1.4. For a configtx.yaml compatible with Hyperledger Fabric 1.2 or 1.4, see Work with Channels (p. 67).

Use a text editor to create a file with the following contents and save it as configtx.yaml on your Hyperledger Fabric client. Note the following placeholders and values.

• Replace MemberID with the MemberID returned previously. For example, m-K46ICRRXJRCGRNNS4ES4XUUS5A.

• The MSPDir is set to the same directory location, /opt/home/admin-msp, that you established using the CORE_PEER_MSPCONFIGPATH environment variable in the Docker container for the Hyperledger Fabric CLI in step 4.4 (p. 16).

Important

This file is sensitive. Artifacts from pasting can cause the file to fail with marshalling errors.

We recommend using emacs to edit it. You can also use VI, but before using VI, enter :set paste, press i to enter insert mode, paste the contents, press escape, and then enter :set nopaste before saving.

################################################################################
#
#   ORGANIZATIONS
#
#   This section defines the organizational identities that can be referenced
#   in the configuration profiles.
#
################################################################################
Organizations:

    # Org1 defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions.
    - &Org1
        # Name is the key by which this org will be referenced in channel
        # configuration transactions.
        # Name can include alphanumeric characters as well as dots and dashes.
        Name: MemberID

        # ID is the key by which this org's MSP definition will be referenced.
        # ID can include alphanumeric characters as well as dots and dashes.
        ID: MemberID

        # SkipAsForeign can be set to true for org definitions which are to be
        # inherited from the orderer system channel during channel creation. This
        # is especially useful when an admin of a single org without access to the
        # MSP directories of the other orgs wishes to create a channel. Note
        # this property must always be set to false for orgs included in block
        # creation.
        SkipAsForeign: false

        Policies: &Org1Policies
            Readers:
                Type: Signature
                Rule: "OR('Org1.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('Org1.admin', 'Org1.peer', 'Org1.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('Org1.admin', 'Org1.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1.admin')"

        # MSPDir is the filesystem path which contains the MSP configuration.
        MSPDir: /opt/home/admin-msp

        # AnchorPeers defines the location of peers which can be used for
        # cross-org gossip communication. Note, this value is only encoded in
        # the genesis block in the Application section context.
        AnchorPeers:
            - Host: 127.0.0.1
              Port: 7051

################################################################################
#
#   CAPABILITIES
#
#   This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers. Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network. For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions. This could lead to different versions of the fabric binaries
#   having different world states. Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded. For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    # Note that setting a later Channel version capability to true will also
    # implicitly set prior Channel version capabilities to true. There is no need
    # to set each version capability to true (prior version capabilities remain
    # in this sample only to provide the list of valid values).
    Channel: &ChannelCapabilities
        # V2.0 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v2.0.0
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V1.1 for Orderer is a catchall flag for behavior which has been
        # determined to be desired for all orderers running at the v1.1.x
        # level, but which would be incompatible with orderers from prior releases.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on a channel are at v2.0.0 or later.
        V2_0: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    # Note that setting a later Application version capability to true will also
    # implicitly set prior Application version capabilities to true. There is no need
    # to set each version capability to true (prior version capabilities remain
    # in this sample only to provide the list of valid values).
    Application: &ApplicationCapabilities
        # V2.0 for Application enables the new non-backwards compatible
        # features and fixes of fabric v2.0.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on a channel are at v2.0.0 or later.
        V2_0: true

################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities

################################################################################
#
#   APPLICATION
#
#   This section defines the values to encode into a config transaction or
#   genesis block for application-related parameters.
#
################################################################################
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies: &ApplicationDefaultPolicies
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Endorsement:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    Capabilities:
        <<: *ApplicationCapabilities

################################################################################
#
#   PROFILES
#
#   Different configuration profiles may be encoded here to be specified as
#   parameters to the configtxgen tool. The profiles which specify consortiums
#   are to be used for generating the orderer genesis block. With the correct
#   consortium members defined in the orderer genesis block, channel creation
#   requests may be generated with only the org member names and a consortium
#   name.
#
################################################################################
Profiles:
    OneOrgChannel:
        <<: *ChannelDefaults
        Consortium: AWSSystemConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *Org1

Run the following command to generate the configtx peer block:

docker exec cli configtxgen \
    -outputCreateChannelTx /opt/home/mychannel.pb \
    -profile OneOrgChannel -channelID mychannel \
    --configPath /opt/home/

Important

Hyperledger Fabric 2.2 requires that a channel ID contain only lowercase ASCII alphanumeric characters, dots (.), and dashes (-). It must start with a letter, and must be fewer than 250 characters.

Step 6.2: Set Environment Variables for the Orderer

Set the $ORDERER environment variable for convenience. Replace orderer.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.amazonaws.com:30001 with the OrderingServiceEndpoint returned by the aws managedblockchain get-network command and listed on the network details page of the Managed Blockchain console.

export ORDERER=orderer.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.amazonaws.com:30001


This variable must be exported each time you log out of the client. To persist the variable across sessions, add the export statement to your ~/.bash_profile as shown in the following example.

# .bash_profile

...other configurations

export ORDERER=orderer.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.amazonaws.com:30001

After updating .bash_profile, apply the changes:

source ~/.bash_profile

Step 6.3: Create the Channel

Run the following command to create a channel using the variables that you established and the configtx peer block that you created:

docker exec cli peer channel create -c mychannel \
    -f /opt/home/mychannel.pb -o $ORDERER \
    --cafile /opt/home/managedblockchain-tls-chain.pem --tls

Important

It may take a minute or two after you enroll an administrative user for you to be able to use your administrator certificate to create a channel with the ordering service.

Step 6.4: Join Your Peer Node to the Channel

Run the following command to join the peer node that you created earlier to the channel:

docker exec cli peer channel join -b mychannel.block \
    -o $ORDERER --cafile /opt/home/managedblockchain-tls-chain.pem --tls

Step 7: Install and Run Chaincode

In this section, you create and install a package for golang sample chaincode on your peer node. You also approve, commit, and verify the chaincode.

You then use the chaincode's init command to initialize values attributed to entities a and b in the ledger, followed by the query command to confirm that initialization was successful. Next, you use the chaincode's invoke command to transfer 10 units from a to b in the ledger. Finally, you use the chaincode's query command again to confirm that the value attributed to a was decremented by 10 units in the ledger.

Step 7.1: Install Vendor Dependencies

Run the following commands to enable vendoring for the Go module dependencies of your example chaincode.

sudo chown -R ec2-user:ec2-user fabric-samples/
cd fabric-samples/chaincode/abstore/go/
GO111MODULE=on go mod vendor
cd -


Step 7.2: Create the Chaincode Package

Run the following command to create the example chaincode package.

docker exec cli peer lifecycle chaincode package ./abstore.tar.gz \
    --path fabric-samples/chaincode/abstore/go/ \
    --label abstore_1

Step 7.3: Install the Package

Run the following command to install the chaincode package on the peer node.

docker exec cli peer lifecycle chaincode install abstore.tar.gz

Step 7.4: Verify the Package

Run the following command to verify that the chaincode package is installed on the peer node.

docker exec cli peer lifecycle chaincode queryinstalled

The command returns the following if the package is installed successfully.

Installed chaincodes on peer:

Package ID: MyPackageID, Label: abstore_1

Step 7.5: Approve the Chaincode

Run the following commands to approve the chaincode definition for your organization. Replace MyPackageID with the Package ID value returned in the previous step, Step 7.4: Verify the Package (p. 25).

export CC_PACKAGE_ID=MyPackageID
docker exec cli peer lifecycle chaincode approveformyorg \
    --orderer $ORDERER --tls --cafile /opt/home/managedblockchain-tls-chain.pem \
    --channelID mychannel --name mycc --version v0 --sequence 1 --package-id $CC_PACKAGE_ID

Step 7.6: Check Commit Readiness

Run the following command to check whether the chaincode definition is ready to be committed on the channel.

docker exec cli peer lifecycle chaincode checkcommitreadiness \
    --orderer $ORDERER --tls --cafile /opt/home/managedblockchain-tls-chain.pem \
    --channelID mychannel --name mycc --version v0 --sequence 1

The command returns true if the chaincode is ready to be committed.

Chaincode definition for chaincode 'mycc', version 'v0', sequence '1' on channel 'mychannel' approval status by org:

m-LVQMIJ75CNCUZATGHLDP24HUHM: true
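As an added helper (not from the AWS guide or from fabric-samples), the following POSIX shell functions derive CC_PACKAGE_ID from the queryinstalled output of Step 7.4 instead of pasting it by hand, and confirm that the checkcommitreadiness output of Step 7.6 shows true for every listed organization before you run commit. The function names are my own, and the sample outputs and IDs embedded below are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not from the AWS guide or fabric-samples): derive CC_PACKAGE_ID
# from "peer lifecycle chaincode queryinstalled" output instead of pasting it by
# hand, and confirm "checkcommitreadiness" shows true for every listed org
# before running commit. Both functions take command output as a string, e.g.
#   package_id_for_label abstore_1 "$(docker exec cli peer lifecycle chaincode queryinstalled)"

# package_id_for_label LABEL OUTPUT
# Prints the Package ID whose Label equals LABEL exactly. Returns 1 when the
# label is absent or matches more than one package (e.g. a re-installed build),
# so a wrong ID is never approved silently.
package_id_for_label() {
    label=$1
    out=$2
    ids=$(printf '%s\n' "$out" |
        sed -n "s/^Package ID: \([^,]*\), Label: $label\$/\1/p")
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$ids"
}

# all_orgs_approved OUTPUT
# Returns 0 only if at least one "<org>: true|false" line is present and none
# of them is false.
all_orgs_approved() {
    out=$1
    total=$(printf '%s\n' "$out" | grep -Ec '^[^: ]+: (true|false)$' || true)
    approved=$(printf '%s\n' "$out" | grep -Ec '^[^: ]+: true$' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$approved" ]
}

# Constructed sample outputs in the format the guide shows; IDs are placeholders.
SAMPLE_INSTALLED='Installed chaincodes on peer:
Package ID: abstore_1:0123abcd, Label: abstore_1
Package ID: abstore_10:4567ef01, Label: abstore_10'

SAMPLE_READY_ALL="Chaincode definition for chaincode 'mycc', version 'v0', sequence '1' on channel 'mychannel' approval status by org:
m-LVQMIJ75CNCUZATGHLDP24HUHM: true"

SAMPLE_READY_PARTIAL="Chaincode definition for chaincode 'mycc', version 'v0', sequence '1' on channel 'mychannel' approval status by org:
m-LVQMIJ75CNCUZATGHLDP24HUHM: true
m-EXAMPLEPLACEHOLDERORG2AAAA: false"

# Stand-alone demonstration against the constructed samples.
if pkg=$(package_id_for_label abstore_1 "$SAMPLE_INSTALLED"); then
    echo "export CC_PACKAGE_ID=$pkg"
fi
all_orgs_approved "$SAMPLE_READY_ALL" && echo "all orgs approved: safe to commit"
all_orgs_approved "$SAMPLE_READY_PARTIAL" || echo "approval missing: do not commit yet"
```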

Step 7.7: Commit the Chaincode

Run the following command to commit the chaincode definition on the channel.

docker exec cli peer lifecycle chaincode commit \
    --orderer $ORDERER --tls --cafile /opt/home/managedblockchain-tls-chain.pem \
    --channelID mychannel --name mycc --version v0 --sequence 1

Step 7.8: Verify the Chaincode

You might have to wait a minute or two for the commit to propagate to the peer node. Run the following command to verify that the chaincode is committed.

docker exec cli peer lifecycle chaincode querycommitted \
    --channelID mychannel

The command returns the following if the chaincode is committed successfully.

Committed chaincode definitions on channel 'mychannel':

Name: mycc, Version: v0, Sequence: 1, Endorsement Plugin: escc, Validation Plugin: vscc

Step 7.9: Initialize the Chaincode

Run the following command to initialize the chaincode.

docker exec cli peer chaincode invoke \
    --tls --cafile /opt/home/managedblockchain-tls-chain.pem \
    --channelID mychannel \
    --name mycc -c '{"Args":["init", "a", "100", "b", "200"]}'

The command returns the following when the chaincode is initialized.

2021-12-20 19:23:05.434 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 0ad Chaincode invoke successful. result: status:200

Step 7.10: Query the Chaincode

You might need to wait a brief moment for the initialization from the previous command to complete before you run the following command to query a value.

docker exec cli peer chaincode query \
    --tls --cafile /opt/home/managedblockchain-tls-chain.pem \
    --channelID mychannel \
    --name mycc -c '{"Args":["query", "a"]}'

The command should return the value of a, which you initialized with a value of 100.

Step 7.11: Invoke the Chaincode

In the previous steps, you initialized the key a with a value of 100 and queried to verify. Using the invoke command in the following example, you subtract 10 from that initial value.
