Page Comparison

Step - by - step guide on how to Install Insights Advanced - Hyperledger Fabric Network.

• Docker version 18.03 or later, Docker Compose  1.14.0 or greater (If not, we recommend that you install a more recent version of Docker) , curl
• Python 3.x
• Node.js Runtime 8.x(8.12.0) and NPM 6.x(6.3.0) - For chaincode
• git (git bash to clone the repo)
• wget

Refer the link to know the Software component version for latest fabric network: https://hyperledger-fabric.readthedocs.io/en/latest/prereqs.html

Fabric Version Specific. Change the version in the URL for other versions: https://hyperledger-fabric.readthedocs.io/en/release-1.4/prereqs.html

Docker, Docker Compose and curl

On RHEL/CentOS7:

Docker - https://docs.docker.com/engine/install/centos/

• yum update

• yum install yum-utils

• yum-config-manager --enable rhel-7-server-rhui-extras-rpms 
• yum install docker
• Ensure that docker daemon is running with an option -H unix:///var/run/docker.sock  . If not, open the file(vi), add it as shown below and save(:wq). Ensure, only one ExecStart is available in the file. 

          vi /lib/systemd/system/docker.service

          ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H unix:///var/run/docker.sock

          :wq

• Provide permission "chmod 666 /var/run/docker.sock"
• systemctl start docker
• systemctl status docker
• systemctl enable docker (start docker at system boot)
• Add your user to the docker group.
• groupadd docker (Do this if not present)
  usermod -a -G docker <username>

                     Example: usermod -aG docker ec2-user

1. For RHUI 3 repo ID(rhel-7-server-rhui-extras-rpms ) to configure yum-config-manager, please visit - https://access.redhat.com/articles/4599971

2. For docker commands please visit -  https://docs.docker.com/edge/engine/reference/commandline/docker/

Docker Compose

1. Install docker compose specific version. Any existing installation of Docker is replaced.           
   1. Specific version of docker-compose installation. Refer current release of docker compose in https://docs.docker.com/compose/install/
   2. For example "docker-compose v1.26.2": 

      sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/bin/docker-compose

      sudo chmod +x /usr/bin/docker-compose

      docker-compose --version

      systemctl status docke

Reference: https://docs.docker.com/install/linux/docker-ce/ubuntu/

cURL

Download the latest version of cURL (curl) tool if it is not installed - https://curl.haxx.se/download.html

GO

1. Download the archive: wget https://dl.google.com/go/go1.11.10.linux-amd64.tar.gz
2. Extract it into /usr/local, creating a Go tree in /usr/local/go. 
3. tar -C /usr/local -xzf go1.11.10.linux-amd64.tar.gz
4. Add /usr/local/go/bin to the PATH environment variable. You can do this by adding this line to your /etc/profile (for a system-wide installation) or $HOME/.bashprofile:                  export PATH=$PATH:/usr/local/go/bin
   Reference - Section Linux :https://golang.org/doc/install#install

Python

As of Ubuntu 16.04 LTS (xenial),  both python 2 and python3 by default. Recommended to use python3. Check and then install if required.

1. apt-get install python3.5
2. apt-get install python3-pip

set alias to respectiive python version in ~/.bashrc to avoid error while installing the module.

alias pip=pip3

alias python=python3.5

(OR)

update-alternatives --install /usr/bin/python python /usr/bin/python3.5 10

Reference: https://wiki.ubuntu.com/Python

Node.js Runtime and NPM
The recommended versions for node and npm are Node 8.x.x and npm5.x.x. If you are getting lower versions using apt-get install, remove existing node setup from your machine and then run the following:

curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -

yum install nodejs

Git

As Of RHEL/CentOS7, git is available by default. Check and then install if required.

1. yum update
2. yum install git

wget

       yum install wget

Environment variable INSIGHTS_HOME and $INSIGHTS_HOME/.InSights/server-config.json

• Windows: Server 2 - SetEnvVariables.bat
• Linux: insights_first.sh

Refer here for installation steps if required.

Following port must be opened to access the fabric network from fabric sdk.

Source : fabric sdk instance where our Insights is running

Destination: fabric network installed instance - hyperledger network

Example Ports: You can change these ports based on availability and configuration in fabric network. Then, enable connectivity to those ports.

• orderer - 7050 
• peer0.org1 - 7051
• peer1.org1 - 8051
• peer0.org2 - 9051
• peer1.org2 - 10051
• ca.org1 - 7054
• ca.org2 - 8054

List active container: docker ps

List active/exited container: docker ps -a

List docker images: docker images

Check container logs: docker logs <container-id>

Connect to Container: docker exec -it <container-id> bash

Remove docker container: docker rmi -f <contianer-id>

Remove docker images: docker rmi -f <image-name/id>

Reference: https://docs.docker.com/engine/reference/commandline/docker/

Make sure you've done all the Prerequisites. Raft Ordering Service introduced in 1.4.1 (Reference: https://hyperledger-fabric.readthedocs.io/en/latest//whatsnew.html)

Ensure docker images are pulled as per raft supported version ( https://github.com/hyperledger/fabric/releases )

Network Architecture

• 5 Orderers
• 2 Organizations
• 4 peers, 2 for each organization
• 4 couchdb, one for each peer
• 2 certificate authority(CA), one for each organization

Setup the Network

1. Login as non-root user "ec2-user". Navigate to your home directory or any convenient directory and create directory hyperledger:

2. cd /home/ec2-user/

   mkdir hyperledger

   cd /home/ec2-user/hyperledger/

   
   

3. Refer for more detailed steps with samples: https://hyperledger-fabric.readthedocs.io/en/latest/install.html?highlight=https%3A%2F%2Fbit.ly%2F2ysbOFE#install-samples-binaries-and-docker-images Followed the steps and created tar ball (insights-fabric-network.tar.gz) with required binaries and docker images.

   wget https://infra.cogdevops.com:8443/repository/docroot/insights_install/installationScripts/latest/RHEL/hyperledger/insights-fabric-network.tar.gz

   
   

4. untar the file insights-fabric-network.tar.gz .   

   cd /home/ec2-user/hyperledger

   tar -zxvf insights-fabric-network.tar.gz

   cd /home/ec2-user/hyperledger/insights-fabric-network

      
5. Following directories (bin , config , insights-network) are available to start the network.

6. Give permissions to all the executable and shell files which will easily bring up/down the network:
   chmod 777 *.sh
   chmod -R 755 bin

7. Get into the directory insights-network : cd /home/ec2-user/hyperledger/insights-fabric-network/insights-network

8. Required configurations and scripts are already updated for the DOMAIN - cogdevops.com .   

   Info
   title References - Hyperledger Config Files
   configtx.yaml - https://hyperledger-fabric.readthedocs.io/en/latest/create_channel/create_channel_config.html#using-configtx-yaml-to-build-a-channel-configuration Architecture - https://hyperledger-fabric.readthedocs.io/en/latest/architecture.html

   /home/ec2-user/hyperledger/insights-fabric-network/insights-network/.env

   Code Block
   language bash theme Emacs title .env
   COMPOSE_PROJECT_NAME=hyperledger IMAGE_TAG=latest SYS_CHANNEL=system-channel DOMAIN=<yourdomain>

   
   

9. Start the network by  using the following command. Specify the fabric version, fabric-ca version and couch db as state database : 

   
   

   Code Block
   language bash theme Emacs title Start fabric network
   cd /home/ec2-user/hyperledger/insights-fabric-network/insights-network ./network.sh up -ca -s couchdb -i 2.2.0 -cai 1.4.8

   network.sh internally calls the required scripts to perform the following actions: TLS Enabled, required certs, register and enroll users (fabric-ca) - both admin and other users;- these details required to connect from Java sdk while connecting network , pull necessary docker images and start the containers. 

          Verify if all the docker containers are running:

          docker ps -a

1. 
   

2. Create channel. Following script will create channel , join and update for all peers.                                                                                                                                                            

   Code Block
   language bash theme Emacs title Create Channel
   cd /home/ec2-user/hyperledger/insights-fabric-network/insights-network ./network.sh createChannel -c insightschannel

   
   

   Info
   title Hint:
   Change permission/ownership to non-root user for the directory channel-artifacts if you face any issues in channel creation due to permissions restricted by root user.

   
   

3. Copy (Specify github location for chaincode) the chaincode/contract to the directory /home/ec2-user/hyperledger/insights-fabric-network/insights-network. Directory structure after chaincode copy is : /home/ec2-user/hyperledger/insights-fabric-network/insights-network/chaincode/src/nodejs

4. Deploy Smart Contract (Chaincode): Run the following command to deploy the smart contract/chaincode. 

   Code Block
   language bash theme Emacs title Deploy Smart Contract (Chaincode)
   cd /home/ec2-user/hyperledger/insights-fabric-network/insights-network ./network.sh deployCC -ccn insightsaudit -ccp ./chaincode/src/nodejs/ -ccv 1 -ccl javascript

   Note: ccl parameter can either javascript or typescript. Both will refer to CC_RUNTIME_LANGUAGE=node inside scripts/deployCC.sh file

   Info

   You will notice some extra containers running other than the ones mentioned in the network architecture with names like this: dev-peer0.org1.<yourdomain>-insightsaudit_1-xxxxxxxxxxxxxxxx , dev-peer1.org1.<yourdomain>-insightsaudit_1-xxxxxxxxxxxxxxxx, dev-peer0.org2.<yourdomain>-insightsaudit_1-xxxxxxxxxxxxxxxx , dev-peer1.org2.<yourdomain>-insightsaudit_1-xxxxxxxxxxxxxxxx . It is an expected behavior for the fabric-network. These containers will get spawned whenever chaincode is instantiated(deployed) in a peer.

   
   

5. Set the environments in host machine where you have deployed your network(Don't to get into any peer container). to operate via Org1 or Org2. 

   Info
   title Important Note
   Set either ORG1 or ORG2 in one terminal. Open 2 terminal window then set ORG1 in first terminal and Org2 in second terminal. If you attempt to set continuously then latest one will override all the previous ones.

   
   

   Code Block
   language bash theme Emacs title ORG1 admin
   export PATH=${PWD}/../bin:${PWD}:$PATH export FABRIC_CFG_PATH=$PWD/../config/ export CORE_PEER_TLS_ENABLED=true export CORE_PEER_LOCALMSPID="Org1MSP" export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.<yourdomain>/peers/peer0.org1.<yourdomain>/tls/ca.crt export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.<yourdomain>/users/Admin@org1.<yourdomain>/msp export CORE_PEER_ADDRESS=localhost:7051

   
   

   
   

   Code Block
   language bash theme Emacs title ORG2 admin
   export PATH=${PWD}/../bin:${PWD}:$PATH export FABRIC_CFG_PATH=$PWD/../config/ export CORE_PEER_LOCALMSPID="Org2MSP" export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org2.<yourdomain>/peers/peer0.org2.<yourdomain>/tls/ca.crt export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org2.<yourdomain>/users/Admin@org2.<yourdomain>/msp export CORE_PEER_ADDRESS=localhost:9051

   
   

   Info
   title Note
   Latest fabric version has feature to execute peer lifecycle commands in host machine itself by setting respective org env variables as specified above.

   
   

6. Sanity testing. Test the Chaincode. Either insert record manually or let the data gets inserted via PlatformEngine with digitalSignature validation. Use the following command to verify network and smart contract functionality are deployed successfully or not.

   Before executing the below command in host machine. You must have either ORG1 admin env variables or ORG2 admin env variables set in the terminal.

   Manual insertion and read:

   Code Block
   language bash title Instantiate(write) to Smart Contract insightsaudit
   peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer0.<yourdomain> -C insightschannel -n insightsaudit --tls --cafile ${PWD}/organizations/ordererOrganizations/<yourdomain>/orderers/orderer0.<yourdomain>/msp/tlscacerts/tlsca.<yourdomain>-cert.pem --peerAddresses localhost:7051 --tlsRootCertFiles ${PWD}/organizations/peerOrganizations/org1.<yourdomain>/peers/peer0.org1.<yourdomain>/tls/ca.crt --peerAddresses localhost:9051 --tlsRootCertFiles ${PWD}/organizations/peerOrganizations/org2.<yourdomain>/peers/peer0.org2.<yourdomain>/tls/ca.crt -c '{"Args":["Instantiate","{\"almAssetID\":\"IN-1\",\"property\":\"ALM\",\"phase\":\"Plan\",\"toolName\":\"JIRA\",\"toolstatus\":\"Done\",\"priority\":\"Medium\",\"sprintNames\":[\"IN Sprint 1\"],\"issueType\":\"Story\",\"attachments\":\"https://<jirahostnameurl>/secure/attachment/10017/test.txt\",\"projectName\":\"InsightsAuditing Testing\",\"createdTime\": 1557741850.0,\"issueAPI\": \"https://bcdevops.atlassian.net/rest/api/2/issue/10013\",\"timestamp\":1557751850.0,\"date\":\"2019-05-13\",\"uplink\":\"null\",\"downlink\":{\"jiraKeys\":\"IN-1\"}}"]}'

   
   

   Code Block
   language bash title Read from Smart Contract - insightsaudit
   peer chaincode query -n insightsaudit -c '{"Args":["GetAssetDetails","IN-1"]}' -C insightschannel

   
   

Prerequisites:

1. Fabric network must be running and with smart contract/chaincode deployed into it, to establish the fabric network connection from fabric Java sdk.
2. Required network ports must be opened (Refer: "Recommended Network Ports" section in this page)

Configuration Steps:

• Download connections-tls.json from Nexus3 docroot repo and keep it inside the instance where our Insights application is running. Path: $INSIGHTS_HOME/.InSights/connections-tls.json
• Keep the required certs inside the path $INSIGHTS_HOME/.InSights/BlockChainCerts/etcdraft-certs. Certs generated while creating fabric network.
• Update the path of the json and certs locations in connections-tls.json.  
• Replace <yourdomain> by your actual domain name. (For example: orderer0.example.com)
• Update enrollSecret value which is password for ca-org1 and ca-org2.
• Finally, keep this updated connections-tls.json inside the path  INSIGHTS_HOME. Parallel to server-config.json
• Download other config files datamodel.json and Process.json used for logic construction. Keep these files inside the path INSIGHTS_HOME. Parallel to server-config.json

• Set flag as true for AuditEngine in "server-config.json" as mentioned below:

• Set flag as true for "showAuditReporting" in uiConfig.json (Path: TOMCAT/webapps/app/config/uiConfig.json) as mentioned below to enable the "Audit Reporting" in UI.

• Restart Tomcat service for the changes to be refreshed in Insights application.
• Restart PlatformEngine for the engine to include audit/hyperledger functionalities.

Prerequisites:

1. Following value must be configured "enableAuditEngine":true in server-config.json

Configure digitalSignature:

• The hash value of each node is encrypted using the public key at agent(python) side and decrypted using private key at the platformengine(java) side.
• BaseAgent has digitalSignature encryption function invoked from publishToolsData and tool agents(Example: JenkinsAgent3.py) will invoke publishToolsData with third parameter auditing as True. Default publishToolsData without sending this parameter will perform the usual publish data to MQ without digitalSignature. 
• Public/Private keys are generated using the same RSA algorithm by executing a simple python script GenerateKeys.py where Insights is installed and INSIGHTS_HOME is set in environment. This is a one time execution.
• Public/Private keys are placed inside */$INSIGHTS_HOME/.InSights/BlockChainCerts/* folder by the python script mentioned in previous point.
• Each agent config.json contains an additional property called "publicKeyPath"  containing the path of the public key ($INSIGHTS_HOME/.InSights/BlockChainCerts/public_key.pem) used for encryption.
• The connections-tls.json contains an additional variable called "ENGINE_PRIVATE_KEY" containing the path of the private key ($INSIGHTS_HOME/.InSights/BlockChainCerts/private_key.pem) used for decryption.
• If a node doesn't contain digitalSignature, PlatformEngine will reject it and inform the corresponding uuid in console output.

The tool agents(written in python) will perform the following:

1. Calculates the hash from all the property values of each node
2. Encrypts the hash using *RSA* algorithm with MGF1 padding
3. Adds the encrypted hash as "digitalSignature" field to respective nodes and push to Neo4j.

PlatformEngine with Audit enabled does the following:

1. PlatformEngine will consume the nodes from Neo4j. Decrypt digitalSignature of each node and obtain the hash value of the corresponding node
2. Re-calculate the hash value from the corresponding node's properties
3. if hash obtained in step 1 is equal to calculated hash value in step 2 then respective node is inserted into ledger, else node is not inserted into ledger & the corresponding uuid is logged into console output.