Build the MGM CPI

This section describes how to build an MGM (Membership Group Manager) CPI (Corda Package Installer) and upload it to the network. It contains the following:

  1. Set Variables
  2. Select a Certificate Authority
  3. Create the Group Policy File
  4. Create the CPI File
  5. Import Code Signing Certificates
  6. Upload the CPI

Set the values of variables for use in later commands:

  1. Set the P2P gateway host and port and the REST API host and port. For example:

    # Bash
    export REST_API_HOST=localhost
    export REST_API_PORT=8888
    export P2P_GATEWAY_HOST=localhost
    export P2P_GATEWAY_PORT=8080

    # PowerShell
    $REST_API_HOST = "localhost"
    $REST_API_PORT = 8888
    $P2P_GATEWAY_HOST = "localhost"
    $P2P_GATEWAY_PORT = 8080

    These values vary depending on where you have deployed your cluster and how you have forwarded the ports. For example, if corda-p2p-gateway-worker is the name of the P2P gateway Kubernetes service and corda-cluster-a is the namespace that the Corda cluster is deployed within, set $P2P_GATEWAY_HOST to corda-p2p-gateway-worker.corda-cluster-a. Alternatively, you can specify the IP address of the gateway instead of the hostname, for example, 192.168.0.1. If you are using an Ingress service in front of the P2P gateway, the hostname should be one of the values under hosts and the port set to 443 (the default port for HTTPS).

  2. Set the REST API URL. This may vary depending on where you have deployed your cluster(s) and how you have forwarded the ports.

    # Bash
    export REST_API_URL="https://$REST_API_HOST:$REST_API_PORT/api/v5_1"

    # PowerShell
    $REST_API_URL = "https://${REST_API_HOST}:${REST_API_PORT}/api/v5_1"

  3. Set the authentication information for the REST API:

    # Bash
    export REST_API_USER="<username>"
    export REST_API_PASSWORD="<password>"

    # PowerShell
    $REST_API_USER = "<username>"
    $REST_API_PASSWORD = "<password>"
    # Base64-encode "user:password" for the HTTP Basic Authorization header
    $AUTH_INFO = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${REST_API_USER}:${REST_API_PASSWORD}"))

  4. Set the working directory for storing temporary files:

    # Bash
    export WORK_DIR=creating-mgm-cpi
    mkdir -p "$WORK_DIR"

    # PowerShell
    $WORK_DIR = "creating-mgm-cpi"
    md $WORK_DIR

Corda uses an external CA (Certificate Authority) for the keys it generates. This is mandatory for P2P TLS certificates, and optionally, they may also be used for session certificates, depending on the network configuration defined by the MGM operator. The root CA certificate in PEM format must be included later when onboarding the MGM.

As most of the information in a group policy file is exported by the MGM, the initial MGM group policy is a much smaller file than that needed to create a member.

The MGM group policy file only requires a flag to indicate that a group ID must be generated during virtual node onboarding and information about how to register itself as part of the group. Registration for an MGM is essentially finalizing setup of the group, but currently the registration terminology is kept in line with the member setup.

This is a simple file that you can construct manually. For example, to manually create the GroupPolicy.json file in your working directory:

    # Bash
    echo '{
      "fileFormatVersion" : 1,
      "groupId" : "CREATE_ID",
      "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
      "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
    }' > "$WORK_DIR"/GroupPolicy.json

    # PowerShell
    Add-Content $WORK_DIR/GroupPolicy.json @"
    {
      "fileFormatVersion" : 1,
      "groupId" : "CREATE_ID",
      "registrationProtocol" :"net.corda.membership.impl.registration.dynamic.mgm.MGMRegistrationService",
      "synchronisationProtocol": "net.corda.membership.impl.synchronisation.MgmSynchronisationServiceImpl"
    }
    "@

Build a CPI using the Corda CLI, passing in your generated GroupPolicy.json file:

    # Bash
    ./corda-cli.sh package create-cpi \
     --group-policy "$WORK_DIR/GroupPolicy.json" \
     --cpi-name "MGM" \
     --cpi-version "1.0.0.0-SNAPSHOT" \
     --file "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi" \
     --keystore <SIGNING_KEY> \
     --storepass "<SIGNING_KEY_PASSWORD>" \
     --key "<SIGNING_KEY_NAME>"

    # PowerShell
    corda-cli.cmd package create-cpi `
     --group-policy "$WORK_DIR/GroupPolicy.json" `
     --cpi-name "MGM" `
     --cpi-version "1.0.0.0-SNAPSHOT" `
     --file "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi" `
     --keystore <SIGNING_KEY> `
     --storepass "<SIGNING_KEY_PASSWORD>" `
     --key "<SIGNING_KEY_NAME>"

Corda validates that uploaded CPIs are signed with a trusted key. To trust your signing keys:

  1. Export the signing key certificate from the keystore:

    keytool -exportcert -rfc -alias "<key-alias>" -keystore <signingkeys.pfx> -storepass "<keystore-password>" -file <signingkey1.pem>
    
  2. Import the signing key into Corda:

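    # Bash
    curl -k -u "$REST_API_USER:$REST_API_PASSWORD" -X PUT -F alias="<unique-key-alias>" -F certificate=@<signingkey1.pem> "$REST_API_URL/certificates/cluster/code-signer"

    # PowerShell
    Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$REST_API_URL/certificates/cluster/code-signer" -Form @{
        certificate = Get-Item -Path "<signingkey1.pem>"
        alias = "<unique-key-alias>"
    }

    The -k (curl) and -SkipCertificateCheck (PowerShell) options used in these commands turn off TLS certificate validation for the REST API connection; drop them if the API presents a certificate that your client already trusts.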

To upload the CPI to your network, run the following:

    # Bash
    export CPI_PATH="$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi"
    curl -k -u "$REST_API_USER:$REST_API_PASSWORD" -F upload=@"$CPI_PATH" "$REST_API_URL/cpi/"

    # PowerShell
    $CPI_PATH = "$WORK_DIR/MGM-1.0.0.0-SNAPSHOT.cpi"
    $CPI_UPLOAD_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/" -Method Post -Form @{
        upload = Get-Item -Path $CPI_PATH
    }

The returned identifier (for example f0a0f381-e0d6-49d2-abba-6094992cef02) is the CPI ID. Use this identifier to get the checksum of the CPI:

    # Bash
    export CPI_ID="<CPI-ID>"
    curl -k -u "$REST_API_USER:$REST_API_PASSWORD" "$REST_API_URL/cpi/status/$CPI_ID"

    # PowerShell
    $CPI_ID = $CPI_UPLOAD_RESPONSE.id
    $CPI_STATUS_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/status/$CPI_ID"

The result contains the cpiFileChecksum. You need this to create the virtual node for the MGM.
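
The Bash commands above leave copying the CPI ID to the reader, whereas the PowerShell ones read it from the response. The following POSIX shell helpers are an added example, not part of the original page or R3's own code: they extract id and cpiFileChecksum from the responses and reject anything that is not a UUID or a hex string before it is reused in a later URL or request. The helper names and sample JSON are constructed; the status field and the hex form of the checksum are assumptions.

```sh
#!/bin/sh
# Added example, not from the Corda documentation. The helper names and the
# sample responses are constructed for illustration.

# Constructed responses: "id" and "cpiFileChecksum" are the fields this page
# names; the "status" field and the checksum value are assumptions.
SAMPLE_UPLOAD='{"id":"f0a0f381-e0d6-49d2-abba-6094992cef02"}'
SAMPLE_STATUS='{"status":"OK","cpiFileChecksum":"0123456789AB"}'

# json_field KEY: print the string value of KEY from a flat JSON object on
# stdin. No escape handling; enough for these two short responses.
json_field() {
  tr -d '\n' | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the CPI ID from an upload response, but only if it is a UUID, so that
# nothing else can end up in the /cpi/status/<id> URL.
cpi_id_from_upload() (
  id=$(json_field id)
  printf '%s\n' "$id" |
    grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' || exit 1
  printf '%s\n' "$id"
)

# Print cpiFileChecksum from a status response, but only if it is hex
# (assumed format; adjust the pattern if your cluster returns another form).
cpi_checksum_from_status() (
  sum=$(json_field cpiFileChecksum)
  printf '%s\n' "$sum" | grep -Eqx '[0-9a-fA-F]+' || exit 1
  printf '%s\n' "$sum"
)

# Offline run on the constructed samples.
CPI_ID=$(printf '%s' "$SAMPLE_UPLOAD" | cpi_id_from_upload)
CPI_CHECKSUM=$(printf '%s' "$SAMPLE_STATUS" | cpi_checksum_from_status)
echo "CPI_ID=$CPI_ID CPI_CHECKSUM=$CPI_CHECKSUM"

# Against a cluster, pipe the page's curl commands (with -s added) instead:
#   CPI_ID=$(curl -k -s -u "$REST_API_USER:$REST_API_PASSWORD" \
#     -F upload=@"$CPI_PATH" "$REST_API_URL/cpi/" | cpi_id_from_upload)
```

Both helpers return a non-zero status and print nothing when the field is missing or malformed, so an error response from the API stops a script instead of feeding an empty value into the next call.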
