Build the MGM CPI

This section describes how to build an MGM Membership Group Manager. May also be referred to as the Network Manager. It is a virtual node and Corda identity that acts as a central registrar for group membership. CPI Corda Package Installer. A signed ZIP/JAR combination of a CPB and a Group Policy File that defines not only the application code that a virtual node will run, but also the details of the MGM with which to register, and the details of network PKI requirements. and upload it to the network. It contains the following:

1. Set Variables
2. Select a Certificate Authority
3. Create the Group Policy File
4. Create the CPI File
5. Import Code Signing Certificates
6. Upload the CPI

Set Variables

Set the values of variables for use in later commands:

1. Set the P2P gateway host and port and the REST API host and port. For example:

   • Bash
   • PowerShell

   export REST_API_HOST=localhost
   export REST_API_PORT=8888
   export P2P_GATEWAY_HOST=localhost
   export P2P_GATEWAY_PORT=8080
   

   $REST_API_HOST = "localhost"
   $REST_API_PORT = 8888
   $P2P_GATEWAY_HOST = "localhost"
   $P2P_GATEWAY_PORT = 8080
   

   These values vary depending on where you have deployed your cluster A complete set of worker processes. Clusters require a fully functioning virtual node infrastructure. and how you have forwarded the ports. For example, if corda-p2p-gateway-worker is the name of the P2P gateway Kubernetes A powerful tool for managing containerized applications at scale, making it easier for teams to deploy and manage their applications with high reliability and efficiency. service and corda-cluster-a is the namespace that the Corda cluster is deployed within, set $P2P_GATEWAY_HOST to corda-p2p-gateway-worker.corda-cluster-a. Alternatively, you can specify the IP address of the gateway, instead of the hostname. For example, 192.168.0.1. If you are using an Ingress service in front of the P2P gateway, the hostname should be one of the values under hosts and the port set to 443 (the default port for HTTPS).

2. Set the REST API URL. This may vary depending on where you have deployed your cluster(s) and how you have forwarded the ports.

   • Bash
   • PowerShell

   export REST_API_URL="https://$REST_API_HOST:$REST_API_PORT/api/v5_1"
   

   $REST_API_URL="https://${REST_API_HOST}:${REST_API_PORT}/api/v5_1"
   

3. Set the authentication information for the REST API:

   • Bash
   • PowerShell

   export REST_API_USER="<username>"
   export REST_API_PASSWORD="<password>"
   

    $REST_API_USER = "<username>"
    $REST_API_PASSWORD = "<password>"
    $AUTH_INFO = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("${REST_API_USER}:${REST_API_PASSWORD}" -f $username,$password)))
   

4. Set the working directory for storing temporary files:

   • Bash
   • PowerShell

   export WORK_DIR=creating-mgm-cpi
   mkdir -p "$WORK_DIR"
   

   $WORK_DIR = "creating-mgm-cpi"
   md $WORK_DIR
   

Select a Certificate Authority

Corda uses an external CA Certificate Authority. The holders of a PKI trust root that can issue certificates to customers. for the keys it generates. This is mandatory for P2P TLS Transport Layer Security. A protocol that establishes an encrypted session between two computers on the Internet. certificates, and optionally, they may also be used for session certificates, depending on the network configuration defined by the MGM Membership Group Manager. May also be referred to as the Network Manager. It is a virtual node and Corda identity that acts as a central registrar for group membership. operator. This root CA certificate in PEM A container format for the CA certificate. This is the format of the TLS certificate specified when onboarding members and is used to validate member certificates. format must be included later when onboarding the MGM.

Create the Group Policy File

As most of the information in a group policy A JSON file containing network information that is bundled with a CPB to create a CPI. file is exported by the MGM, the initial MGM group policy is a much smaller file than that needed to create a member.

The MGM group policy file only requires a flag to indicate that a group ID must be generated during virtual node The combination of the context of a user and the ephemeral compute instances created to progress a transaction on that identity's behalf. onboarding and information about how to register itself as part of the group. Registration for an MGM is essentially finalizing setup of the group, but currently the registration terminology is kept in-line with the member setup.

This is a simple file that you can construct manually. For example, to manually create the GroupPolicy.json file in your working directory:

echo '{
  "fileFormatVersion" : 1,
  "groupId" : "CREATE_ID",
  "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
  "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
}' > "$WORK_DIR"/GroupPolicy.json

Add-Content $WORK_DIR/GroupPolicy.json @"
{
  "fileFormatVersion" : 1,
  "groupId" : "CREATE_ID",
  "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
  "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
}
"@

Create the CPI File

Build a CPI using the Corda CLI A command line tool that supports various Corda-related tasks, including Corda Package Installer (CPI) creation and Corda cluster management. , passing in your generated GroupPolicy.json file:

./corda-cli.sh package create-cpi \
 --group-policy "$WORK_DIR/GroupPolicy.json" \
 --cpi-name "MGM" \
 --cpi-version "1.0.0.0-SNAPSHOT" \
 --file "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi"\
 --keystore <SIGNING_KEY> \
 --storepass "<SIGNING_KEY_PASSWORD>" \
 --key "<SIGNING_KEY_NAME>"

corda-cli.cmd package create-cpi `
 --group-policy "$WORK_DIR/GroupPolicy.json" `
 --cpi-name "MGM" `
 --cpi-version "1.0.0.0-SNAPSHOT" `
 --file "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi" `
 --keystore <SIGNING_KEY> `
 --storepass "<SIGNING_KEY_PASSWORD>" `
 --key "<SIGNING_KEY_NAME>"

Import Code Signing Certificates

Corda validates that uploaded CPIs are signed with a trusted key. To trust your signing keys:

1. Export the signing key certificate from the keystore:

   keytool -exportcert -rfc -alias "<key-alias>" -keystore <signingkeys.pfx> -storepass "<keystore-password>" -file <signingkey1.pem>
   

2. Import the signing key into Corda:

   • Bash
   • PowerShell

   curl -k -u $REST_API_USER:$REST_API_PASSWORD -X PUT -F alias="<unique-key-alias>" -F certificate=@<signingkey1.pem> $REST_API_URL/certificates/cluster/code-signer
   

   Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$REST_API_URL/certificates/cluster/code-signer"  -Form @{
   certificate=@<signingkey1.pem>
   alias="<unique-key-alias>"
   }
   

Upload the CPI

To upload the CPI to your network, run the following:

export CPI_PATH="$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi"
curl -k -u $REST_API_USER:$REST_API_PASSWORD -F upload=@$CPI_PATH $REST_API_URL/cpi/

$CPI_PATH = "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi"
$CPI_UPLOAD_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/" -Method Post -Form @{
    upload = Get-Item -Path $CPI_PATH
}

The returned identifier (for example f0a0f381-e0d6-49d2-abba-6094992cef02) is the CPI ID. Use this identifier to get the checksum of the CPI:

export CPI_ID=<CPI-ID>
curl -k -u $REST_API_USER:$REST_API_PASSWORD $REST_API_URL/cpi/status/$CPI_ID

$CPI_ID = $CPI_UPLOAD_RESPONSE.id
$CPI_STATUS_RESPONSE = Invoke-RestMethod -SkipCertificateCheck  -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/status/$CPI_ID"

The result contains the cpiFileChecksum. You need this to create the virtual node for the MGM.