Kubernetes with OpenShift World Tour: Get hands-on experience and build applications fast! Find a workshop!

Build a blockchain network on IBM Z or LinuxONE with the IBM Blockchain Platform

In this tutorial, we’ll show you a basic Hyperledger Fabric development configuration with two organizations — one for the ordering service and one for a peer. Following the recommendation in the IBM Blockchain Platform documentation, we’ll guide you to deploy separate certificate authorities (CAs) for each organization. Therefore, you will see how to deploy two CAs, one for a peer that is associated with one organization, and one for an ordering node that is associated with another organization.

Learning objectives

This tutorial guides you through the steps to build a blockchain network using IBM Blockchain Platform in the private cloud environment of IBM Cloud Private on IBM Z or LinuxONE with the Secure Service Container framework.

When you finish this tutorial, you will have:

  • A running blockchain network in IBM Cloud Private on IBM Z or LinuxONE
  • A peer that is in a consortium in the orderer’s system channel

Prerequisites

In this tutorial, you will use one logical partition (LPAR) in your IBM Z or LinuxONE environment to install and configure the Secure Service Container framework, and then set up the IBM Cloud Private cluster. Make sure you have an LPAR ready for use.

Before you start, you need to prepare the following versions of the products to complete this tutorial:

You need to follow the installation instructions to install the following command-line tools:

  • Kubernetes CLI (kubectl)
  • Helm CLI (helm)
  • IBM Cloud Private CLI (cloudctl)

Estimated time

The estimated time to complete this tutorial is provided under each step because the steps are completed by different roles on different platforms.

Steps

1

Set up the LPAR

Required user role: IBM Z or LinuxONE system administrator who has access to the Hardware Management Console (HMC)

Estimated time: 0.5 hours

IBM Z and LinuxONE servers support several types of partitions. When system administrators define a partition, they specify characteristics that include processor resources, memory resources, and security controls. System administrators use the HMC to define partition characteristics.

Prerequisites:

Instructions:

Follow the instructions in the IBM Z Systems Secure Service Container User’s Guide, SC28-6971-01 to create a Secure Service Container partition, allocate at least 450 GB of storage disk space for data pool resizing, and assign the IP address for the partition. The following are the relevant instruction chapters in the user’s guide.

  • To create a Secure Service Container partition on a host system that is running in standard mode (that is, with Processor Resource/System Manager or PR/SM), refer to the following chapters:

    • Chapter 3 – Configuring a Secure Service Container partition on a standard mode system
    • Chapter 4 – Starting a Secure Service Container partition on a standard mode system
    • Chapter 5 – Changing the logon settings for a Secure Service Container partition on a standard mode system
    • Chapter 6 – Changing the network settings for a Secure Service Container partition on a standard mode system
  • To create a Secure Service Container partition on a host system with IBM Dynamic Partition Manager (DPM) enabled, refer to the following chapters:

    • Chapter 8 – Creating a Secure Service Container partition on a DPM-enabled system
    • Chapter 9 – Starting a Secure Service Container partition on a DPM-enabled system
    • Chapter 10 – Changing the login settings for a Secure Service Container partition on a DPM-enabled system
    • Chapter 11 – Changing the network settings for a Secure Service Container partition on a DPM-enabled system

During the configuration, you need to enter the master ID and password for the partition, which you will use later when you set up the Secure Service Container for IBM Cloud Private.

2

Set up Secure Service Container for IBM Cloud Private

Required user role: Appliance administrator and IBM Cloud Private cluster administrator who have access to the Secure Service Container environment

Estimated time: 2 – 3 hours

IBM Secure Service Container for IBM Cloud Private is a software offering that’s built on the IBM Secure Service Container framework, and you can run IBM Cloud Private workloads on a secure platform on IBM Z and LinuxONE. For more information about how the offering works, See IBM Secure Service Container for IBM Cloud Private technology at a glance.

The master node is hosted on an x86 server, while the worker and proxy nodes are hosted on the Secure Service Container partition on an IBM Z or LinuxONE server. Figure 1 shows an example network topology.

Figure 1. Network topology example

Network topology example

Prerequisites:

Before you install the Secure Service Container for IBM Cloud Private, be sure to complete the following configurations:

Instructions:

The appliance administrator should complete the following tasks via the Secure Service Container user interface at https://<LPAR_IP>:

The cluster administrator should complete the following tasks on the x86 server:

Note: You need to perform additional tasks on the x86 server to ensure secure connectivity among the cluster nodes that are created using the Secure Service Container for IBM Cloud Private CLI tool. For more information, see Configuring the network on the master node.

3

Set up an IBM Cloud Private cluster

Required user role: IBM Cloud Private cluster administrator who has access to the Secure Service Container environment

Estimated time: 2 – 3 hours

Prerequisites:

Before you install IBM Cloud Private, be sure to complete the prerequisites to prepare your cluster, especially the following configurations:

  • Ensure that you have enough resource and storage for the blockchain nodes. The following list shows the minimum resource requirements for each CA, ordering node, peer, and peer’s CouchDB consumptions:
    • CA: 1 vCPU, 192 MB RAM, and 1 GB disk
    • Ordering node: 2 vCPU, 512 MB RAM, and 100 GB disk with the ability to expand
    • Peer: 2 vCPU, 2 GB RAM, and 50 GB disk with the ability to expand
    • CouchDB for Peer (applicable only if you use CouchDB): 2 vCPU, 2 GB RAM, and 50 GB disk with the ability to expand
  • If you use only AMD64 nodes in your IBM Cloud Private, you can use dynamic provisioning for your storage; otherwise, Persistent Volumes must be created with labels. You can use the default storage setting, which creates a separate Persistent Volume claim for your Helm chart deployment, or you need to create a storageClass for use. For more information, see Storage considerations.

Instructions:

Follow the installation instructions to install IBM Cloud Private on your IBM Z or LinuxONE environment.

After you successfully access your IBM Cloud Private cluster, you also need to create a new target namespace that is bound to a pod security policy before you can install the IBM Blockchain Platform Helm chart.

4

Install the IBM Blockchain Platform Helm chart

Required user role: Cluster administrator or team administrator to the IBM Cloud Private cluster

Estimated time: 1 hour

IBM Blockchain Platform for IBM Cloud Private is delivered as a Helm chart file that can be installed as a bundled service in your IBM Cloud Private cluster.

Instructions:

Follow the instructions for importing the IBM Blockchain Platform Helm chart into your IBM Cloud Private cluster. After you import the Helm chart, you will know it’s successful if you can see the ibm-blockchain-platform tile in your IBM Cloud Private Catalog dashboard.

Note: If you are installing IBM Blockchain Platform behind a firewall, you need to get the required images ready in your local system beforehand. For more information, see Installing IBM Blockchain Platform behind a firewall. You can find the specification file manifest.yaml under the ibm-blockchain-platform-dev/ibm_cloud_pak directory in the Helm chart.

5

Deploy blockchain components on an IBM Cloud Private cluster and build a blockchain network

Required user role: Cluster administrator or team administrator to the IBM Cloud Private cluster

Estimated time: 1.5 hours

For IBM Blockchain Platform for IBM Cloud Private v1.0.2, you need to deploy your blockchain components one at a time by creating Helm releases with the installed IBM Blockchain Platform Helm chart. Also, note that before you can deploy a peer or an ordering node, you first need to deploy a CA node to generate the required certificates.

For this tutorial, you deploy two CAs one at a time, and then use one CA to deploy an ordering node and use the other CA to deploy a peer.

Instructions:

At the end of this step, you will build a network with the following structure:

Figure 2. Blockchain network structure

Blockchain network structure

  1. Deploy the blockchain components

    Deploy the blockchain components in the following sequence:

    1. Deploy a CA to build order CA pod — that is, Ordering service CA.
    2. Deploy an ordering node — that is, Ordering service Org.
    3. Deploy another CA for peer organization — that is, Org1 CA.
    4. Deploy a peer — that is, Org 1.
  2. Configure the network

    1. Create the Org 1 MSP definition and the Ordering service Org MSP definition.
    2. Add the Org 1 MSP definition to the consortium hosted by Ordering service Org.
    3. Create a channel named Channel 1.
    4. Use the CLI to join Org 1 to Channel 1.
  3. Install and instantiate a smart contract

    Follow the instructions below, install and instantiate a smart contract on Channel 1.

    1. Install your chaincode.
    2. Instantiate the chaincode.

Summary

Congratulations! You should now have a blockchain network successfully running in your IBM Cloud Private cluster, which is built on the Secure Service Container framework on your IBM Z or LinuxONE environment. The network is flexible and you can scale it by deploying more blockchain components to the network.

Now you can create applications that submit transactions in your private cloud with pervasive encryption, which protects your data at rest and in flight. For more information about creating applications, see the Creating applications tutorial in the IBM Cloud docs, as well as the IBM Developer Blockchain code patterns.

Wei Jun Zheng
Run Hua Chi
Chun Ling Li
Yi Yuan