Register and Enroll an Admin - Amazon Managed Blockchain

Register and Enroll an Admin

Only identities that are admins within a Hyperledger Fabric member on a Managed Blockchain network can install, instantiate, and query chaincode. Creating an admin in Hyperledger Fabric is a two-step process. You first register the identity with the Hyperledger Fabric CA. Registering stores the user name and password in the CA database, marked as an admin. After you register, you enroll the identity. Enrolling sends the CA a Certificate Signing Request (CSR). The CA validates that the identity is registered and otherwise valid, and returns a signed certificate that is stored in the Hyperledger Fabric client machine's local Membership Service Provider (MSP). You then copy the certificate to the admincerts subdirectory, where it establishes the role of the identity as an admin. Similarly, the CA updates the local MSP for the member's peer nodes and the ordering service so that the admin is recognized. For more information, see Fabric CA User's Guide and Membership in Hyperledger Fabric documentation.

When you first create a member in a Managed Blockchain network, you specify the first user. Managed Blockchain registers this user automatically with the Hyperledger Fabric CA as an admin using a bootstrap identity. This user must then enroll itself as an admin. After the user identity is enrolled as an admin, it can be used to register and enroll additional admins.

After you enroll a user as an admin, it may take a minute or two for the user to be able to use the admin certificate to perform tasks.

Important

Managed Blockchain does not support revoking user certificates. After an admin user is created, the user persists for the life of the member. Protect the admin's password and the private key stored in its MSP directory accordingly, because a compromised admin certificate cannot be revoked.

To register and enroll a user as an admin, you must have the following:

  • The member CA endpoint

  • The user name and password of either the bootstrap identity or an admin with permissions to register and enroll

  • A valid certificate file and the path to the MSP directory of the identity that will register the new administrator

Registering an Admin

The following example uses a Fabric-CA Client CLI register command to register an admin with these options:

  • --url specifies the endpoint of the CA along with the user name and password of an existing admin that has permission to register, such as the bootstrap identity. The example uses the user name AdminUser with password Password123.

  • --id.name and --id.secret parameters establish the user name and password for the new admin.

  • --id.type is set to user and --id.affiliation is set to the member name to which the admins belong. The example member name is org1.

  • --id.attrs is set to 'hf.Admin=true'. Managed Blockchain uses this attribute to mark the registered identity as an admin. Attribute names are case-sensitive, so use exactly hf.Admin=true as shown in the command.

  • --tls.certfiles specifies the location and file name of the Managed Blockchain TLS certificate chain that you copied from Amazon S3.

  • --mspdir specifies the MSP directory on the local machine where certificates are saved. The example uses /home/ec2-user/admin-msp.

fabric-ca-client register \
  --url https://AdminUser:Password123@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \
  --id.name AdminUser2 --id.secret Password456 \
  --id.type user --id.affiliation org1 \
  --id.attrs 'hf.Admin=true' --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
  --mspdir /home/ec2-user/admin-msp

Enrolling an Admin

After registering an identity as an admin or creating the first user with your member, you can use the Fabric-CA Client CLI enroll command to enroll that same user as an admin. This is shown in the following example using these options:

  • -u (an alternative for --url) specifies the endpoint of the CA along with the user name and password of the admin you are enrolling.

  • --tls.certfiles specifies the location and file name of the Managed Blockchain TLS certificate chain that you copied from Amazon S3.

  • -M (an alternative for --mspdir) specifies the MSP directory on the local machine where certificates are saved. The example uses /home/ec2-user/admin-msp.

fabric-ca-client enroll \
  -u https://AdminUser:Password123@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \
  --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
  -M /home/ec2-user/admin-msp

Copying the Admin Certificate

After you enroll the admin, copy the certificates from the signcerts directory to the admincerts directory as shown in the following example. The MSP directory /home/ec2-user/admin-msp is used in the example, and the example assumes you are running the command in the /home/ec2-user directory. The admincerts directory must not already exist when you run this command; if it does, cp -r places signcerts inside it as a subdirectory instead of copying the certificate files into it.

cp -r admin-msp/signcerts admin-msp/admincerts
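The following script ties the three steps on this page (enroll the bootstrap admin, register a second admin, enroll it and copy its certificate into admincerts) into one runnable procedure. It is an added example, not code from the AWS documentation or from Hyperledger Fabric. The CA endpoint, the user names and passwords, and the second admin's MSP directory (NEW_MSP_DIR, assumed to be /home/ec2-user/admin2-msp) are placeholders; the FABRIC_CA_CLIENT variable is an assumption that lets the script be pointed at a stub for dry runs. The fabric-ca-client flags and the hf.Admin=true attribute are the ones the page uses.

```shell
#!/bin/sh
# Added example for the register -> enroll -> copy procedure on this page.
# Not AWS or Hyperledger code. Endpoint, names, passwords and NEW_MSP_DIR are
# placeholders/assumptions; set them in the environment before running.
set -eu

CA_ENDPOINT="${CA_ENDPOINT:-ca.m-EXAMPLE.n-EXAMPLE.managedblockchain.us-east-1.amazonaws.com:30002}"
TLS_CHAIN="${TLS_CHAIN:-/home/ec2-user/managedblockchain-tls-chain.pem}"
MSP_DIR="${MSP_DIR:-/home/ec2-user/admin-msp}"            # bootstrap admin's MSP (from the page)
NEW_MSP_DIR="${NEW_MSP_DIR:-/home/ec2-user/admin2-msp}"   # assumed: the second admin's own MSP
AFFILIATION="${AFFILIATION:-org1}"
BOOTSTRAP_USER="${BOOTSTRAP_USER:-AdminUser}"
BOOTSTRAP_PASS="${BOOTSTRAP_PASS:-Password123}"
NEW_ADMIN="${NEW_ADMIN:-AdminUser2}"
NEW_ADMIN_PASS="${NEW_ADMIN_PASS:-Password456}"
FABRIC_CA_CLIENT="${FABRIC_CA_CLIENT:-fabric-ca-client}"  # assumption: overridable for dry runs

# The CLI takes credentials in the URL as https://user:secret@host:port.
# A secret containing URL-reserved characters (such as @, : or /) must be
# percent-encoded, otherwise the URL is parsed incorrectly.
ca_url() {
  printf 'https://%s:%s@%s' "$1" "$2" "$CA_ENDPOINT"
}

check_prereqs() {
  [ -r "$TLS_CHAIN" ] || { echo "TLS chain not readable: $TLS_CHAIN" >&2; return 1; }
}

# Registration is performed by an already enrolled admin (the registrar),
# whose MSP is passed with --mspdir. hf.Admin=true marks the new identity
# as an admin.
register_admin() { # registrar_user registrar_secret new_user new_secret
  "$FABRIC_CA_CLIENT" register \
    --url "$(ca_url "$1" "$2")" \
    --id.name "$3" --id.secret "$4" \
    --id.type user --id.affiliation "$AFFILIATION" \
    --id.attrs 'hf.Admin=true' \
    --tls.certfiles "$TLS_CHAIN" \
    --mspdir "$MSP_DIR"
}

# Enrollment sends a CSR for the user; the signed certificate lands in
# <msp>/signcerts and the private key in <msp>/keystore.
enroll_admin() { # user secret msp_dir
  "$FABRIC_CA_CLIENT" enroll \
    -u "$(ca_url "$1" "$2")" \
    --tls.certfiles "$TLS_CHAIN" \
    -M "$3"
}

# Copy the certificate(s) from signcerts into admincerts. Copying the files
# rather than running `cp -r signcerts admincerts` keeps the step idempotent:
# with an existing admincerts directory, cp -r would nest signcerts inside it.
# Prints the number of certificate files now present in admincerts.
copy_admin_cert() { # msp_dir
  msp="$1"
  [ -d "$msp/signcerts" ] || { echo "no signcerts in $msp; enroll first" >&2; return 1; }
  mkdir -p "$msp/admincerts"
  cp "$msp"/signcerts/*.pem "$msp/admincerts/"
  n=0
  for f in "$msp"/admincerts/*.pem; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

main() {
  check_prereqs
  # 1. The first user was registered by Managed Blockchain; enroll it as admin.
  enroll_admin "$BOOTSTRAP_USER" "$BOOTSTRAP_PASS" "$MSP_DIR"
  copy_admin_cert "$MSP_DIR" >/dev/null
  # 2. Use that enrolled admin as registrar for a second admin.
  register_admin "$BOOTSTRAP_USER" "$BOOTSTRAP_PASS" "$NEW_ADMIN" "$NEW_ADMIN_PASS"
  # 3. Enroll the second admin into its own MSP directory and mark it as admin.
  enroll_admin "$NEW_ADMIN" "$NEW_ADMIN_PASS" "$NEW_MSP_DIR"
  copy_admin_cert "$NEW_MSP_DIR"
}

# Only talk to a real CA when explicitly requested: RUN_ADMIN_SETUP=1 ./admin-setup.sh
if [ "${RUN_ADMIN_SETUP:-0}" = 1 ]; then
  main
fi
```

Because the CLI carries the password in the URL, it is visible in the shell history and in the process list (ps) of the client machine for as long as the command runs; run the script from a locked-down EC2 instance and rotate nothing less than the host's access afterwards, since the certificate itself cannot be revoked.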