Onboarding the MGM

This section describes how to configure the MGM, through which a membership group is created for a dynamic network.

The PowerShell commands listed on this page are for use with PowerShell 7.0 and will not execute correctly with PowerShell 5.x.

Set Variables

Set the values of variables for use in later commands:

Set the P2P gateway host and port and the REST API host and port.
- Bash
- PowerShell
export REST_HOST=localhost export REST_PORT=8888 export P2P_GATEWAY_HOST=localhost export P2P_GATEWAY_PORT=8080
$REST_HOST = "localhost" $REST_PORT = 8888 $P2P_GATEWAY_HOST = "localhost" $P2P_GATEWAY_PORT = 8080 $AUTH_INFO = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("admin:admin" -f $username,$password)))
}
These values vary depending on where you have deployed your cluster(s) and how you have forwarded the ports. For example, if corda-p2p-gateway-worker is the name of the P2P gateway Kubernetes service and corda-cluster-a is the namespace that the Corda cluster is deployed within, set $P2P_GATEWAY_HOST to corda-p2p-gateway-worker.corda-cluster-a. Alternatively, you can specify the IP address of the gateway, instead of the hostname. For example, 192.168.0.1.
Set the REST API URL. This may vary depending on where you have deployed your cluster(s) and how you have forwarded the ports.
- Bash
- PowerShell
export API_URL="https://$REST_HOST:$REST_PORT/api/v1"
$API_URL="https://$REST_HOST:$REST_PORT/api/v1"
}

Set the working directory for storing temporary files:

Bash
PowerShell

export WORK_DIR=~/Desktop/register-mgm
mkdir -p "$WORK_DIR"

$WORK_DIR = "$HOME/register-mgm"
md $WORK_DIR -Force

}

Set the path to your local clone of corda-runtime-os:

Bash
PowerShell

export RUNTIME_OS=~/dev/corda-runtime-os

$RUNTIME_OS = "~/dev/corda-runtime-os"

}

Select a Certificate Authority

Corda uses an external Certificate Authority (CA) for the keys it generates. This is mandatory for P2P TLS certificates, and optionally, they may also be used for session certificates, depending on the network configuration defined by the MGM operator. This root CA certificate in PEM format must be included later when onboarding the MGM.

Create the CPB

The MGM only requires a GroupPolicy file and an empty CPB is sufficient for the CPI. You can run the following to use the MGM test CPB included in corda-runtime-os, or alternatively you can use any empty CPB:

cd "$RUNTIME_OS"
./gradlew testing:cpbs:mgm:build
cp testing/cpbs/mgm/build/libs/mgm-5.0.0.0-SNAPSHOT-package.cpb "$WORK_DIR"

Create the Group Policy File

Create the GroupPolicy.json file in the same directory as the CPB:

Bash
PowerShell

echo '{
  "fileFormatVersion" : 1,
  "groupId" : "CREATE_ID",
  "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
  "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
}' > "$WORK_DIR"/GroupPolicy.json

Add-Content $WORK_DIR/GroupPolicy.json @"
{
  "fileFormatVersion" : 1,
  "groupId" : "CREATE_ID",
  "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
  "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
}
"@

Build the CPI

Build a CPI using the Corda CLI packaging plugin, passing in your generated MGM GroupPolicy.json file. For more information about creating CPIs, see the CorDapp Packaging section.

Upload the CPI

To upload the CPI, run the following:

Bash
PowerShell

export CPI_PATH=<CPI-directory/CPI-filename.cpi>
curl --insecure -u admin:admin -F upload=@$CPI_PATH $API_URL/cpi/

$CPI_PATH = "$WORK_DIR\mgm-5.0.0.0-SNAPSHOT-package.cpi"
$CPI_UPLOAD_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/cpi/" -Method Post -Form @{
    upload = Get-Item -Path $CPI_PATH
}

The returned identifier (for example f0a0f381-e0d6-49d2-abba-6094992cef02) is the CPI ID. Use this identifier to get the checksum of the CPI:

Bash
PowerShell

export CPI_ID=<CPI ID>
curl --insecure -u admin:admin $API_URL/cpi/status/$CPI_ID

$CPI_ID = $CPI_UPLOAD_RESPONSE.id
$CPI_STATUS_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/cpi/status/$CPI_ID"

The result contains the cpiFileChecksum. Save this for the next step.

Create a Virtual Node

To create a virtual node for the MGM, run the following:

Bash
PowerShell

export CPI_CHECKSUM=<CPI checksum>
curl --insecure -u admin:admin -d '{ "request": {"cpiFileChecksum": "'$CPI_CHECKSUM'", "x500Name": "C=GB, L=London, O=MGM"}}' $API_URL/virtualnode

$VIRTUAL_NODE_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/virtualnode" -Method Post -Body (ConvertTo-Json @{
    request = @{
       cpiFileChecksum = $CPI_STATUS_RESPONSE.cpiFileChecksum
       x500Name = "C=GB, L=London, O=MGM"
    }
})

$MGM_HOLDING_ID = $VIRTUAL_NODE_RESPONSE.holdingIdentity.shortHash

If using Bash, run the following, replacing <holding-identity-ID> with the ID returned in holdingIdentity.shortHash (for example, 58B6030FABDD).

export MGM_HOLDING_ID=<holding-identity-ID>

Assign Soft HSM and Generate Session Initiation and ECDH Key Pair

To assign a soft high security module (HSM) and generate a session initiation key pair:

Bash
PowerShell

curl --insecure -u admin:admin -X POST $API_URL/hsm/soft/$MGM_HOLDING_ID/SESSION_INIT
curl --insecure -u admin:admin -X POST $API_URL/keys/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-session/category/SESSION_INIT/scheme/CORDA.ECDSA.SECP256R1

Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/hsm/soft/$MGM_HOLDING_ID/SESSION_INIT"
$SESSION_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/keys/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-session/category/SESSION_INIT/scheme/CORDA.ECDSA.SECP256R1"
$SESSION_KEY_ID = $SESSION_KEY_RESPONSE.id

If using Bash, the result contains session key ID (e.g. 3B9A266F96E2). Run the following command to save this ID for use in subsequent steps:

export SESSION_KEY_ID=<session key ID>

You can use a certificate in addition to the session initiation key pair. For more information, see Configuring Optional Session Certificates.

To generate an Elliptic-curve Diffie–Hellman (ECDH) key pair:

Bash
PowerShell

curl --insecure -u admin:admin -X POST $API_URL/hsm/soft/$MGM_HOLDING_ID/PRE_AUTH
curl --insecure -u admin:admin -X POST $API_URL/keys/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-auth/category/PRE_AUTH/scheme/CORDA.ECDSA.SECP256R1

Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/hsm/soft/$MGM_HOLDING_ID/PRE_AUTH"
$ECDH_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/keys/$MGM_HOLDING_ID/alias/$MGM_HOLDING_ID-auth/category/PRE_AUTH/scheme/CORDA.ECDSA.SECP256R1"
$ECDH_KEY_ID = $ECDH_KEY_RESPONSE.id

If using Bash, the result contains key ID (e.g. 3B9A266F96E2). Run the following command to save this ID for use in subsequent steps:

export ECDH_KEY_ID=<ecdh key ID>

You can use the following schemes for ECDH key derivation:

ECDSA_SECP256R1
ECDSA_SECP256K1
X25519
SM2

Configure the Cluster TLS Key Pair and Certificate

This step is only necessary if setting up a new cluster. When using cluster-level TLS, it is only necessary to do this once per cluster.

To set up the TLS key pair and certificate for the cluster:

Create a TLS key pair at the P2P cluster level by running this command:

Bash
PowerShell

curl -k -u admin:admin -X POST -H "Content-Type: application/json" $API_URL/keys/p2p/alias/p2p-TLS/category/TLS/scheme/CORDA.RSA

$TLS_KEY_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/keys/p2p/alias/p2p-TLS/category/TLS/scheme/CORDA.RSA"
$TLS_KEY_ID = $TLS_KEY_RESPONSE.id

If using Bash, the endpoint returns the TLS key ID:

export TLS_KEY_ID=<TLS-key-ID>

Create a certificate for the TLS key pair. In order to do so, you must create a certificate signing request (CSR). To generate a CSR, run this command:

Bash
PowerShell

curl -k -u admin:admin  -X POST -H "Content-Type: application/json" -d '{"x500Name": "CN=CordaOperator, C=GB, L=London, O=Org", "subjectAlternativeNames": ["'$P2P_GATEWAY_HOST'"]}' $API_URL"/certificates/p2p/"$TLS_KEY_ID > "$WORK_DIR"/request1.csr

Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/certificates/p2p/$TLS_KEY_ID" -Body (ConvertTo-Json @{
    x500Name = "CN=CordaOperator, C=GB, L=London, O=Org"
    subjectAlternativeNames = @($P2P_GATEWAY_HOST)
}) > $WORK_DIR/request1.csr

You can inspect the request1.csr file by running this command:

openssl req -text -noout -verify -in ./request1.csr

The contents should resemble the following:

Provide the chosen CA with this CSR and request for certificate issuance.
To upload the certificate chain to the Corda cluster, run this command, where certificate-folder is the path to the folder in which you saved the certificate received from the CA:
- Bash
- PowerShell
curl -k -u admin:admin -X PUT -F certificate=<certificate-folder>/certificate.pem -F alias=p2p-tls-cert $API_URL/certificates/cluster/p2p-tls
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$API_URL/certificates/cluster/p2p-tls" -Form @{ certificate = Get-Item -Path <certificate-folder>\certificate.pem alias = "p2p-tls-cert" }
You can optionally omit the root certificate.
If you upload a certificate chain consisting of more than one certificate, ensure that -----END CERTIFICATE----- and -----BEGIN CERTIFICATE----- from the next certificate are separated by a new line with no empty spaces in between.

Disable Revocation Checks

If the CA has not been configured with revocation (for example, via CRL or OCSP), you can disable revocation checks:

Disable Revocation Checks Using Bash
Disable Revocation Checks Using PowerShell By default, revocation checks are enabled. This only needs to be done once per cluster.

Disable Revocation Checks Using Bash

If using Bash, to disable revocation checks, do the following:

Retrieve the current gateway configuration version:

curl --insecure -u admin:admin -X GET $API_URL/config/corda.p2p.gateway

Save the displayed version number from the response as a variable:
```
export CONFIG_VERSION=<configuration-version>
```

Send the following request to disable revocation checks for the specified gateway worker:

curl -k -u admin:admin -X PUT -d '{"section":"corda.p2p.gateway", "version":"'$CONFIG_VERSION'", "config":"{ \"sslConfig\": { \"revocationCheck\": { \"mode\": \"OFF\" }  }  }", "schemaVersion": {"major": 1, "minor": 0}}' $API_URL"/config"

Disable Revocation Checks Using PowerShell

If using PowerShell, to disable revocation checks, run the following:

$CONFIG_VERSION = (Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/config/corda.p2p.gateway").version
Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$API_URL/config" -Body (ConvertTo-Json -Depth 4 @{
    section = "corda.p2p.gateway"
    version = $CONFIG_VERSION
    config = @{
        sslConfig = @{
            revocationCheck = @{
                mode = "OFF"
            }
        }
    }
    schemaVersion = @{
        major = 1
        minor = 0
    }
})

Build Registration Context

To register the MGM, you must first generate the registration context:

Build Registration Context Using Bash
Build Registration Context Using PowerShell

The examples in this section set corda.group.key.session.policy to Distinct, indicating that the ledger and session initiation key must not be the same key. Alternatively, setting corda.group.key.session.policy to Combined means that the ledger key used by a member must be the same as the session initiation key.

You can also optionally set the session certificate trustroot using the property corda.group.truststore.session.0, similar to corda.group.truststore.tls.0. However, when corda.group.pki.session is set to NoPKI, the session certificates are not validated against a session trustroot. For more information, see Configuring Optional Session Certificates.

If using session certificates for the P2P layer, see Configuring Optional Session Certificates for information about the additional JSON fields required.
If using mutual TLS, you must set the corda.group.tls.type field to Mutual. For more information, see Configuring Mutual TLS.

Build Registration Context Using Bash

To build the registration context using Bash, run the following command, replacing <TLS-CA-PEM-certificate> with the PEM format certificate of the CA. This is the trustroot used to validate member certificates. The certificate must all be on one line in the curl command. Replace new lines with \n.

export TLS_CA_CERT=$(cat /tmp/ca/ca/root-certificate.pem | awk '{printf "%s\\n", $0}')
export REGISTRATION_CONTEXT='{
  "corda.session.key.id": "'$SESSION_KEY_ID'",
  "corda.ecdh.key.id": "'$ECDH_KEY_ID'",
  "corda.group.protocol.registration": "net.corda.membership.impl.registration.dynamic.member.DynamicMemberRegistrationService",
  "corda.group.protocol.synchronisation": "net.corda.membership.impl.synchronisation.MemberSynchronisationServiceImpl",
  "corda.group.protocol.p2p.mode": "Authenticated_Encryption",
  "corda.group.key.session.policy": "Distinct",
  "corda.group.pki.session": "NoPKI",
  "corda.group.pki.tls": "Standard",
  "corda.group.tls.type": "OneWay",
  "corda.group.tls.version": "1.3",
  "corda.endpoints.0.connectionURL": "https://'$P2P_GATEWAY_HOST':'$P2P_GATEWAY_PORT'",
  "corda.endpoints.0.protocolVersion": "1",
  "corda.group.truststore.tls.0" : "'$TLS_CA_CERT'"
}'

Build Registration Context Using PowerShell

To build the registration context using PowerShell, run the following command, setting TLS_CA_CERT_PATH to the certificate path:

$TLS_CA_CERT_PATH = "$env:TEMP\tmp\ca\ca\root-certificate.pem"
$REGISTRATION_CONTEXT = @{
  'corda.session.key.id' =  $SESSION_KEY_ID
  'corda.ecdh.key.id' = $ECDH_KEY_ID
  'corda.group.protocol.registration' = "net.corda.membership.impl.registration.dynamic.member.DynamicMemberRegistrationService"
  'corda.group.protocol.synchronisation' = "net.corda.membership.impl.synchronisation.MemberSynchronisationServiceImpl"
  'corda.group.protocol.p2p.mode' = "Authenticated_Encryption"
  'corda.group.key.session.policy' = "Distinct"
  'corda.group.pki.session' = "NoPKI"
  'corda.group.pki.tls' = "Standard"
  'corda.group.tls.version' = "1.3"
  'corda.endpoints.0.connectionURL' = "https://$P2P_GATEWAY_HOST:$P2P_GATEWAY_PORT"
  'corda.endpoints.0.protocolVersion' = "1"
  'corda.group.truststore.tls.0'  =  [IO.File]::ReadAllText($TLS_CA_CERT_PATH)
}

Register the MGM

You can now use the registration context to register the MGM on the network:

Register the MGM using Bash

To register the MGM using Bash, run this command:

REGISTRATION_REQUEST='{"memberRegistrationRequest":{"action": "requestJoin", "context": '$REGISTRATION_CONTEXT'}}'
curl --insecure -u admin:admin -d "$REGISTRATION_REQUEST" $API_URL/membership/$MGM_HOLDING_ID

For example:

curl --insecure -u admin:admin -d '{ "memberRegistrationRequest": { "action": "requestJoin", "context": {
  "corda.session.key.id": "D2FAF709052F",
  "corda.ecdh.key.id": "E2FCF719062B",
  "corda.group.protocol.registration": "net.corda.membership.impl.registration.dynamic.member.DynamicMemberRegistrationService",
  "corda.group.protocol.synchronisation": "net.corda.membership.impl.synchronisation.MemberSynchronisationServiceImpl",
  "corda.group.protocol.p2p.mode": "Authenticated_Encryption",
  "corda.group.key.session.policy": "Distinct",
  "corda.group.pki.session": "NoPKI",
  "corda.group.pki.tls": "Standard",
  "corda.group.tls.type": "OneWay",
  "corda.group.tls.version": "1.3",
  "corda.endpoints.0.connectionURL": "https://localhost:8080",
  "corda.endpoints.0.protocolVersion": "1",
  "corda.group.truststore.tls.0" : "-----BEGIN CERTIFICATE-----\nMIIBLjCB1aADAgECAgECMAoGCCqGSM49BAMCMBAxDjAMBgNVBAYTBVVLIENOMB4X\nDTIyMDgyMzA4MDUzN1oXDTIyMDkyMjA4MDUzN1owEDEOMAwGA1UEBhMFVUsgQ04w\nWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASG6ijAvbmaIaIwKpZZqTeKmMKfoOPb\ncCK/BqdtKXVTt5AjJtiP/Uoq+481UEQyaUZYXGf5rC1owjT40U2B71qdoyAwHjAP\nBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBrjAKBggqhkjOPQQDAgNIADBFAiEA\n1h6WEfdWUXSjBcenf5ycXPkYQQzI92I54q2WaVVjQHwCIEBk1ov/hYp9RCCDPnJx\nk8WgCZIyhFe0pEmow7MuI/Zk\n-----END CERTIFICATE-----"
} } }' https://localhost:8888/api/v1/membership/EF19BF67E77C

Alternatively, using jq:

curl --insecure -u admin:admin -d $(
jq -n '.memberRegistrationRequest.action="requestJoin"' | \
  jq --arg session_key_id $SESSION_KEY_ID '.memberRegistrationRequest.context."corda.session.key.id"=$session_key_id' | \
  jq --arg ecdh_key_id $ECDH_KEY_ID '.memberRegistrationRequest.context."corda.ecdh.key.id"=$ecdh_key_id' | \
  jq '.memberRegistrationRequest.context."corda.group.protocol.registration"="net.corda.membership.impl.registration.dynamic.member.DynamicMemberRegistrationService"' | \
  jq '.memberRegistrationRequest.context."corda.group.protocol.synchronisation"="net.corda.membership.impl.synchronisation.MemberSynchronisationServiceImpl"' | \
  jq '.memberRegistrationRequest.context."corda.group.protocol.p2p.mode"="Authenticated_Encryption"' | \
  jq '.memberRegistrationRequest.context."corda.group.key.session.policy"="Distinct"' | \
  jq '.memberRegistrationRequest.context."corda.group.pki.session"="NoPKI"' | \
  jq '.memberRegistrationRequest.context."corda.group.pki.tls"="Standard"' | \
  jq '.memberRegistrationRequest.context."corda.group.tls.version"="1.3"' | \
  jq '.memberRegistrationRequest.context."corda.group.key.session.policy"="Distinct"' | \
  jq --arg p2p_url "https://$P2P_GATEWAY_HOST:$P2P_GATEWAY_PORT" '.memberRegistrationRequest.context."corda.endpoints.0.connectionURL"=$p2p_url' | \
  jq '.memberRegistrationRequest.context."corda.endpoints.0.protocolVersion"="1"' | \
  jq --rawfile root_certicicate /tmp/ca/ca/root-certificate.pem '.memberRegistrationRequest.context."corda.group.truststore.tls.0"=$root_certicicate' \
) $API_URL/membership/$MGM_HOLDING_ID

Register the MGM using PowerShell

To register the MGM using PowerShell, run this command:

$REGISTER_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Post -Uri "$API_URL/membership/$MGM_HOLDING_ID" -Body (ConvertTo-Json -Depth 4 @{
    memberRegistrationRequest = @{
        action = "requestJoin"
        context = $REGISTRATION_CONTEXT
    }
})
$REGISTER_RESPONSE.registrationStatus

Confirm Registration

Registration should return a successful response with the status SUBMITTED. You can confirm if the MGM was onboarded successfully by checking the status of the registration request:

Bash
PowerShell

export REGISTRATION_ID=<registration ID>
curl --insecure -u admin:admin -X GET $API_URL/membership/$MGM_HOLDING_ID/$REGISTRATION_ID

Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/membership/$MGM_HOLDING_ID/${RESGISTER_RESPONSE.registrationId}"

If successful, you should see the APPROVED registration status.

Configure the Virtual Node as a Network Participant

To configure the MGM virtual node with properties required for P2P messaging, run this command:

Bash
PowerShell

curl -k -u admin:admin -X PUT -d '{"p2pTlsCertificateChainAlias": "p2p-tls-cert", "useClusterLevelTlsCertificateAndKey": true, "sessionKeyId": "'$SESSION_KEY_ID'"}' $API_URL/network/setup/$MGM_HOLDING_ID

Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/network/setup/$MGM_HOLDING_ID" -Method Put -Body (ConvertTo-Json @{
    p2pTlsCertificateChainAlias = "p2p-tls-cert"
    useClusterLevelTlsCertificateAndKey = $true
    sessionKeyId = $SESSION_KEY_ID
})

p2pTlsCertificateChainAlias — the alias used when importing the TLS certificate.
p2pTlsTenantId — the tenant ID under which the TLS cert was stored (“p2p” for cluster level).
sessionKeyId — the session key ID previously generated.
useClusterLevelTlsCertificateAndKey - true if the TLS certificate and key are cluster-level certificates and keys.

Export the Group Policy

Now that the MGM is onboarded, the MGM can export a group policy file with the connection details of the MGM. To output the full contents of the GroupPolicy.json file that should be packaged within the CPI for members, run this command:

Bash
PowerShell

mkdir -p "~/Desktop/register-member"
curl --insecure -u admin:admin -X GET $API_URL/mgm/$MGM_HOLDING_ID/info > "~/Desktop/register-member/GroupPolicy.json"

md ~/register-member -Force
Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$API_URL/mgm/$MGM_HOLDING_ID/info" | ConvertTo-Json -Depth 4 > ~/register-member/GroupPolicy.json

You can now use the MGM to set up members in your network.