Step 5: Enroll an Administrative User - Amazon Managed Blockchain (AMB)

Step 5: Enroll an Administrative User

In this step, you use the Amazon Managed Blockchain TLS certificate chain to connect over TLS to your member's certificate authority (CA) and enroll the user that has administrative permissions for the member. To do this, you must create a certificate file that holds the chain. You also need the endpoint of your member's CA, and the user name and password for the administrator that you created in Step 1: Create the Network and First Member.

Step 5.1: Create the Certificate File

Run the following command to copy the managedblockchain-tls-chain.pem file, the certificate chain that your client uses to verify the TLS connection to your member's CA, to the /home/ec2-user directory. Replace MyRegion with the AWS Region you are using, for example us-east-1.

aws s3 cp s3://MyRegion.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem

If the command fails with a permissions error, ensure that a service role associated with the EC2 instance allows access to the Amazon S3 bucket location. For more information see Example IAM Role Permissions Policy for Hyperledger Fabric Client EC2 Instance.

Run the following command to test that you copied the contents to the file correctly:

openssl x509 -noout -text -in /home/ec2-user/managedblockchain-tls-chain.pem

The command parses the first certificate in the file and prints it in human-readable format. If it reports an error instead, the copy did not succeed or the file is not valid PEM.

Step 5.2: Enroll the Administrative User

AMB Access registers the user identity that you specified when you created the member as an administrator. In Hyperledger Fabric, this user is known as the bootstrap identity because the identity is used to enroll itself. To enroll, you need the CA endpoint, as well as the user name and password for the administrator that you created in Step 1: Create the Network and First Member. For information about registering other user identities as administrators before you enroll them, see Register and Enroll a Hyperledger Fabric Admin.

Use the get-member command to get the CA endpoint for your membership as shown in the following example. Replace the values of --network-id and --member-id with the values returned in Step 1: Create the Network and First Member.

aws managedblockchain get-member \
    --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
    --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns information about the initial member that you created in the network, similar to the following. Make a note of the CaEndpoint. You also need the AdminUsername shown here and the password that you created along with the network.

{
    "Member": {
        "NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
        "Status": "AVAILABLE",
        "Description": "MyNetDescription",
        "FrameworkAttributes": {
            "Fabric": {
                "CaEndpoint": "ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002",
                "AdminUsername": "Example-AdminUser"
            }
        },
        "StatusReason": "Network member created successfully",
        "CreationDate": 1542255358.74,
        "Id": "m-K46ICRRXJRCGRNNS4ES4XUUS5A",
        "Name": "org1"
    }
}

Use the CA endpoint, the administrator user name and password, and the certificate file to enroll the member administrator with the fabric-ca-client enroll command, as shown in the following example. The variables must be in double quotes so that the shell expands them; in single quotes they would be sent to the CA literally.

fabric-ca-client enroll \
    -u "https://${AdminUsername}:${AdminPassword}@${CASERVICEENDPOINT}" \
    --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
    -M /home/ec2-user/admin-msp

To use this command, set the following environment variables first:

  • AdminUsername — The admin user name (the AdminUsername value returned by get-member).

  • AdminPassword — The admin password.

  • CASERVICEENDPOINT — The CaEndpoint value returned by get-member, including the port.

Warning

Always pass credentials through variables rather than typing them as literals into a command or script. A password written into a command line is saved in your shell history; populate the variable from a secret store instead. Note that the expanded URL still appears in the process list while fabric-ca-client runs, so run this step only on the client host. For more information, see Move hard-coded credentials to AWS Secrets Manager.

The following example uses a fictitious administrator name, password, and endpoint:

fabric-ca-client enroll \
    -u https://Example-AdminUser:Example-Password123@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \
    --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
    -M /home/ec2-user/admin-msp

The command returns output similar to the following:

2018/11/16 02:21:40 [INFO] Created a default configuration file at /home/ec2-user/.fabric-ca-client/fabric-ca-client-config.yaml
2018/11/16 02:21:40 [INFO] TLS Enabled
2018/11/16 02:21:40 [INFO] generating key: &{A:ecdsa S:256}
2018/11/16 02:21:40 [INFO] encoded CSR
2018/11/16 02:21:40 [INFO] Stored client certificate at /home/ec2-user/admin-msp/signcerts/cert.pem
2018/11/16 02:21:40 [INFO] Stored root CA certificate at /home/ec2-user/admin-msp/cacerts/ca-abcd1efghijkllmn5op3q52rst-uqz2f2xakfd7vcfewqhckr7q5m-managedblockchain-us-east-1-amazonaws-com-30002.pem

Important

It may take a minute or two after enrollment before you can use your administrator certificate to create a channel with the ordering service.

Step 5.3: Copy Certificates for the MSP

In Hyperledger Fabric, the Membership Service Provider (MSP) identifies which root CAs and intermediate CAs are trusted to define the members of a trust domain, and its admincerts folder holds the certificates of the identities that administer that MSP. The certificates for the administrator's MSP are in /home/ec2-user/admin-msp in this tutorial. Because this MSP belongs to the member administrator, copy the certificate from signcerts to admincerts as shown in the following example. The example assumes you are in the /home/ec2-user directory when running the command.

cp -r /home/ec2-user/admin-msp/signcerts admin-msp/admincerts
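The following script is an added example, not code from the AWS documentation, that runs Steps 5.1 through 5.3 end to end with the checks a practitioner would want: it reads CaEndpoint and AdminUsername from the get-member API instead of copying them by hand, takes the password from AWS Secrets Manager rather than a literal, percent-encodes the credentials so a password containing characters such as @, : or / does not break the enrollment URL, and after enrollment confirms that the stored admin certificate was really issued by the CA root stored next to it before populating admincerts. It assumes environment variables REGION, NETWORK_ID, MEMBER_ID and ADMIN_SECRET_ID that you set, a plain-string secret holding the admin password under the name in ADMIN_SECRET_ID, ASCII-only credentials, and GNU find for the key-permission check; the paths are the tutorial's.

```sh
#!/bin/sh
# Added example (not AWS documentation code): Steps 5.1 to 5.3 with checks.
# Assumed environment: REGION, NETWORK_ID, MEMBER_ID, ADMIN_SECRET_ID (a
# Secrets Manager secret whose SecretString is the admin password).
set -eu

# Percent-encode an ASCII string for the userinfo part of a URL. fabric-ca-client
# is written in Go and parses the -u value as a URL, so '@', ':', '/', '#', '?'
# or '%' in a password must be encoded or the URL is mis-parsed.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character of $s
    s=${s#?}             # the rest
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Assemble https://user:password@endpoint with both credential parts encoded.
build_enroll_url() {
  printf 'https://%s:%s@%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3"
}

# After enrollment: the MSP must contain the admin certificate and a CA root,
# the certificate must chain to that root, the private key should not be
# readable by other users, and (Step 5.3) the certificate goes into admincerts.
verify_admin_msp() {
  msp=$1
  cert="$msp/signcerts/cert.pem"
  [ -s "$cert" ] || { echo "no enrolled certificate at $cert" >&2; return 1; }
  ca=""
  for f in "$msp"/cacerts/*.pem; do
    [ -s "$f" ] && ca=$f && break
  done
  [ -n "$ca" ] || { echo "no CA certificate under $msp/cacerts" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert was not issued by the CA in $ca" >&2; return 1; }
  # GNU find syntax: any key file with group or other permission bits set.
  if [ -d "$msp/keystore" ] && [ -n "$(find "$msp/keystore" -type f -perm /077)" ]; then
    echo "warning: private key under $msp/keystore is readable by other users" >&2
  fi
  mkdir -p "$msp/admincerts"
  cp "$cert" "$msp/admincerts/cert.pem"
}

main() {
  : "${REGION:?}" "${NETWORK_ID:?}" "${MEMBER_ID:?}" "${ADMIN_SECRET_ID:?}"
  chain=/home/ec2-user/managedblockchain-tls-chain.pem
  msp=/home/ec2-user/admin-msp

  # Step 5.1: fetch the TLS chain and make sure it parses before trusting it.
  aws s3 cp "s3://${REGION}.managedblockchain/etc/managedblockchain-tls-chain.pem" "$chain"
  openssl x509 -noout -subject -in "$chain"

  # Step 5.2: CaEndpoint and AdminUsername come from the API (tab-separated
  # text output); the password comes from Secrets Manager, never a literal.
  read -r endpoint admin_user <<EOF
$(aws managedblockchain get-member --network-id "$NETWORK_ID" --member-id "$MEMBER_ID" \
    --query 'Member.FrameworkAttributes.Fabric.[CaEndpoint,AdminUsername]' --output text)
EOF
  admin_pass=$(aws secretsmanager get-secret-value --secret-id "$ADMIN_SECRET_ID" \
    --query SecretString --output text)

  # The expanded URL is in argv while enroll runs (visible in ps on this host)
  # but never reaches a shell history file.
  fabric-ca-client enroll \
    -u "$(build_enroll_url "$admin_user" "$admin_pass" "$endpoint")" \
    --tls.certfiles "$chain" -M "$msp"
  unset admin_pass

  # Step 5.3 plus the post-enrollment checks.
  verify_admin_msp "$msp"
}

# Only an explicit "enroll" argument triggers the AWS and CA calls; running the
# file without it just defines the functions above.
if [ "${1:-}" = enroll ]; then
  main
fi
```

Run it as `sh enroll-admin.sh enroll` on the Fabric client EC2 instance after exporting the four variables. The encoding step matters because fabric-ca-client takes the credentials from the URL; a password with an unencoded @ makes the client treat the text after it as the host and the enrollment fails with a connection error rather than an authentication error, which is easy to misread.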