Build and Upload the Member CPI
This section describes how to build a member CPI and upload it to the network. A member is a Corda identity that has been granted admission to a membership group; it is a synonym for a virtual node or group member. A CPI (Corda Package Installer) is a signed ZIP/JAR combination of a CPB and a Group Policy File that defines not only the application code that a virtual node will run, but also the details of the MGM with which to register, and the details of network PKI requirements. This section contains the following:
- Set Variables
- Generate the Group Policy File
- Import the Notary Certificate
- Create the CPI File
- Import Code Signing Certificates
- Upload the CPI
Set Variables
Set the values of variables for use in later commands:
Set the P2P gateway host and port and the REST API host and port. For example:
Bash:
export REST_API_HOST=localhost
export REST_API_PORT=8888
export P2P_GATEWAY_HOST=localhost
export P2P_GATEWAY_PORT=8080
PowerShell:
$REST_API_HOST = "localhost"
$REST_API_PORT = 8888
$P2P_GATEWAY_HOST = "localhost"
$P2P_GATEWAY_PORT = 8080
These values vary depending on where you have deployed your clusters and how you have forwarded the ports. (A cluster is a complete set of worker processes. Clusters require a fully functioning virtual node infrastructure.) For example, if corda-p2p-gateway-worker is the name of the P2P gateway Kubernetes service and corda-cluster-a is the namespace that the Corda cluster is deployed within, set $P2P_GATEWAY_HOST to corda-p2p-gateway-worker.corda-cluster-a. (Kubernetes is a powerful tool for managing containerized applications at scale, making it easier for teams to deploy and manage their applications with high reliability and efficiency.) Alternatively, you can specify the IP address of the gateway instead of the hostname; for example, 192.168.0.1.
If you are using an Ingress service in front of the P2P gateway, the hostname should be one of the values under hosts and the port set to 443 (the default port for HTTPS).
Set the REST API URL. This may vary depending on where you have deployed your cluster(s) and how you have forwarded the ports.
Bash:
export REST_API_URL="https://$REST_API_HOST:$REST_API_PORT/api/v5_2"
PowerShell:
$REST_API_URL = "https://${REST_API_HOST}:${REST_API_PORT}/api/v5_2"
Set the authentication information for the REST API:
Bash:
export REST_API_USER="<username>"
export REST_API_PASSWORD="<password>"
PowerShell:
$REST_API_USER = "<username>"
$REST_API_PASSWORD = "<password>"
$AUTH_INFO = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${REST_API_USER}:${REST_API_PASSWORD}"))
Set the working directory for storing temporary files.
Bash:
export WORK_DIR=creating-members-cpi
mkdir -p "$WORK_DIR"
PowerShell:
$WORK_DIR = "creating-members-cpi"
md $WORK_DIR
Generate the Group Policy File
To join a group, members must use a group policy file exported from the MGM of that group. A group policy file is a JSON file containing network information that is bundled with a CPB to create a CPI. The MGM (Membership Group Manager) may also be referred to as the Network Manager; it is a virtual node and Corda identity that acts as a central registrar for group membership. To retrieve the GroupPolicy.json file from the MGM:
Bash:
export MGM_REST_HOST=localhost
export MGM_REST_PORT=8888
export MGM_REST_URL="https://$MGM_REST_HOST:$MGM_REST_PORT/api/v5_2"
export MGM_HOLDING_ID="<MGM-holding-ID>"
PowerShell:
$MGM_REST_HOST = "localhost"
$MGM_REST_PORT = "8888"
$MGM_REST_URL = "https://${MGM_REST_HOST}:${MGM_REST_PORT}/api/v5_2"
$MGM_HOLDING_ID = "<MGM-holding-ID>"
Create the GroupPolicy.json file by exporting it using the MGM, by running this curl command:
Bash:
curl -k -u "$REST_API_USER:$REST_API_PASSWORD" -X GET "$MGM_REST_URL/mgm/$MGM_HOLDING_ID/info" > "$WORK_DIR/GroupPolicy.json"
PowerShell:
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$MGM_REST_URL/mgm/$MGM_HOLDING_ID/info" | ConvertTo-Json -Depth 4 > $WORK_DIR/GroupPolicy.json
Import the Notary Certificate
If you are using a network with a notary and your CPB will have the contract validating notary plugin, you must add a certificate from that notary to the CPI keystore.
Save the following text into a file named notary-ca-root.pem:
Import the notary-ca-root.pem file into the CPI keystore:
keytool -importcert -keystore signingkeys.pfx -storepass "<keystore-password>" -noprompt -alias notary-ca-root -file notary-ca-root.pem
Create the CPI File
Build a CPI using the Corda CLI, passing in the member CPB, the GroupPolicy.json file exported from the MGM, and the details of the keystore certificate used to sign the CPB. The Corda CLI is a command line tool that supports various Corda-related tasks, including Corda Package Installer (CPI) creation and Corda cluster management.
Bash:
./corda-cli.sh package create-cpi \
--cpb "<CPB_FILE>" \
--group-policy "<GROUP_POLICY_FILE>" \
--cpi-name "<CPI_Name>" \
--cpi-version "1.0.0.0-SNAPSHOT" \
--file "<CPI_FILE_NAME>" \
--keystore "<SIGNING_KEY>" \
--storepass "<SIGNING_KEY_PASSWORD>" \
--key "<SIGNING_KEY_NAME>"
PowerShell:
corda-cli.cmd package create-cpi `
--cpb "<CPB_FILE>" `
--group-policy "<GROUP_POLICY_FILE>" `
--cpi-name "<CPI_Name>" `
--cpi-version "1.0.0.0-SNAPSHOT" `
--file "<CPI_FILE_NAME>" `
--keystore "<SIGNING_KEY>" `
--storepass "<SIGNING_KEY_PASSWORD>" `
--key "<SIGNING_KEY_NAME>"
Import Code Signing Certificates
Corda validates that uploaded CPIs are signed with a trusted key. To trust your signing keys:
Export the signing key certificate from the keystore:
keytool -exportcert -rfc -alias "<key-alias>" -keystore "<signingkeys.pfx>" -storepass "<keystore-password>" -file "<signingkey1.pem>"
Import the signing key into Corda:
Bash:
curl -k -u "$REST_API_USER:$REST_API_PASSWORD" -X PUT -F alias="<unique-key-alias>" -F "certificate=@<signingkey1.pem>" "$REST_API_URL/certificates/cluster/code-signer"
PowerShell:
Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Method Put -Uri "$REST_API_URL/certificates/cluster/code-signer" -Form @{
    certificate = Get-Item -Path "<signingkey1.pem>"
    alias = "<unique-key-alias>"
}
Upload the CPI
To upload the CPI to the network, run the following:
Bash:
export CPI_PATH="$WORK_DIR/mgm-5.2.0.0-SNAPSHOT-package.cpi"
curl -k -u "$REST_API_USER:$REST_API_PASSWORD" -F "upload=@$CPI_PATH" "$REST_API_URL/cpi/"
PowerShell:
$CPI_PATH = "$WORK_DIR\mgm-5.2.0.0-SNAPSHOT-package.cpi"
$CPI_UPLOAD_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/" -Method Post -Form @{
    upload = Get-Item -Path $CPI_PATH
}
The returned identifier (for example f0a0f381-e0d6-49d2-abba-6094992cef02) is the CPI ID.
Use this identifier to get the checksum of the CPI:
Bash:
export CPI_ID="<CPI-ID>"
curl -k -u "$REST_API_USER:$REST_API_PASSWORD" "$REST_API_URL/cpi/status/$CPI_ID"
PowerShell:
$CPI_ID = $CPI_UPLOAD_RESPONSE.id
$CPI_STATUS_RESPONSE = Invoke-RestMethod -SkipCertificateCheck -Headers @{Authorization=("Basic {0}" -f $AUTH_INFO)} -Uri "$REST_API_URL/cpi/status/$CPI_ID"
The result contains the cpiFileChecksum. You need this to create the member virtual node.
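The Bash steps above leave CPI_ID to be pasted in by hand, while the PowerShell steps read it from the upload response. The following added example (not part of the original Corda documentation) does the same for Bash and stops when a response lacks the expected field. The sample response bodies, the hex-and-dash check on the ID, and the sed-based parsing are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Corda docs): capture the CPI ID and checksum from
# the REST responses instead of copying them by hand.

# Constructed sample bodies. Only the "id" and "cpiFileChecksum" fields are named
# on the page; the checksum value and the error body are made up for illustration.
SAMPLE_UPLOAD='{"id":"f0a0f381-e0d6-49d2-abba-6094992cef02"}'
SAMPLE_STATUS='{"cpiFileChecksum":"0123456789AB"}'
SAMPLE_ERROR='{"error":"constructed failure body"}'

# json_field KEY: print the string value of "KEY":"value" read from stdin
# (prints nothing when the key is absent).
json_field() {
  tr -d '\n' | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Read an upload response on stdin; print the CPI ID or fail.
# Assumption: IDs are UUID-like, so only hex digits and dashes are accepted.
cpi_id_from_upload() {
  _id=$(json_field id)
  case "$_id" in
    ''|*[!0-9a-fA-F-]*) echo "upload response has no usable id" >&2; return 1 ;;
  esac
  printf '%s\n' "$_id"
}

# Read a status response on stdin; print cpiFileChecksum or fail.
cpi_checksum_from_status() {
  _sum=$(json_field cpiFileChecksum)
  [ -n "$_sum" ] || { echo "no cpiFileChecksum in status response" >&2; return 1; }
  printf '%s\n' "$_sum"
}

# Offline demonstration on the constructed samples:
CPI_ID=$(printf '%s' "$SAMPLE_UPLOAD" | cpi_id_from_upload) && echo "CPI_ID=$CPI_ID"
printf '%s' "$SAMPLE_ERROR" | cpi_id_from_upload || echo "upload rejected, stopping"

# Against a live cluster (same endpoints and variables as the commands above):
#   CPI_ID=$(curl -k -u "$REST_API_USER:$REST_API_PASSWORD" \
#              -F "upload=@$CPI_PATH" "$REST_API_URL/cpi/" | cpi_id_from_upload) || exit 1
#   CPI_CHECKSUM=$(curl -k -u "$REST_API_USER:$REST_API_PASSWORD" \
#              "$REST_API_URL/cpi/status/$CPI_ID" | cpi_checksum_from_status) || exit 1
```

curl's -k (like PowerShell's -SkipCertificateCheck) turns off TLS certificate verification while Basic credentials are being sent; where the cluster's CA certificate is available, curl's --cacert option keeps verification on.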