---
title: Create a multi-tenant network
sidebar_position: 2
description: Configure multi-tenancy
tags: []
---
:::caution
Tessera-based privacy is deprecated in Besu version 24.12.0 and later. Read the deprecation blog post for the rationale behind this decision and for alternative options.
:::
You can configure a Besu node and its associated Tessera node in a privacy-enabled network to host multiple tenants. Each tenant is identified by its own Tessera key pair and authenticates to Besu with a JWT that names that key.
In this tutorial we add tenants to the `Node-1` Besu and Tessera nodes of a privacy-enabled network laid out as follows:
```bash
IBFT-Network/
├── Node-1
│   ├── data
│   ├── Tessera
├── Node-2
│   ├── data
│   ├── Tessera
├── Node-3
│   ├── data
│   ├── Tessera
└── Node-4
    ├── data
    ├── Tessera
```
:::info
This tutorial uses JWT public key authentication to create the tenant's JWT, but you can also use username and password authentication.
:::
In the `Node-1` directory, generate the operator's private and public key pair. The key pair must be in `.pem` format. The operator signs each tenant's JWT with the private key, and Besu verifies those tokens with the matching public key, so the private key must stay with the operator and never be given to a tenant.
:::info
This step is not required when using username and password authentication to create the required JWTs.
:::
In the `Node-1/Tessera` directory, generate a Tessera public/private key pair for each tenant. Name the key pairs `nodeKey2` and `nodeKey3`.
:::note
These instructions create an unlocked private key, meaning you do not need a password to decrypt the private key file. That is convenient for a local tutorial network; for a production deployment, protect each tenant key with a password so that a copied key file alone is not enough to read the tenant's private transactions.
:::
In the `Node-1/Tessera` directory, update the `tessera.conf` file by adding the new key pairs under `keyData`. Note that this configuration keeps `useWhiteList` set to `false` and P2P TLS set to `OFF`, which is acceptable only for a local test network:
```json
{
  "mode": "orion",
  "useWhiteList": false,
  "jdbc": {
    "username": "sa",
    "password": "",
    "url": "jdbc:h2:./target/h2/tessera1",
    "autoCreateTables": true
  },
  "serverConfigs": [
    {
      "app": "ThirdParty",
      "serverAddress": "http://localhost:9101",
      "communicationType": "REST"
    },
    {
      "app": "Q2T",
      "serverAddress": "http://localhost:9102",
      "communicationType": "REST"
    },
    {
      "app": "P2P",
      "serverAddress": "http://localhost:9103",
      "sslConfig": {
        "tls": "OFF"
      },
      "communicationType": "REST"
    }
  ],
  "peer": [
    {
      "url": "http://localhost:9203"
    },
    {
      "url": "http://localhost:9303"
    },
    {
      "url": "http://localhost:9403"
    }
  ],
  "keys": {
    "passwords": [],
    "keyData": [
      {
        "privateKeyPath": "nodeKey.key",
        "publicKeyPath": "nodeKey.pub"
      },
      {
        "privateKeyPath": "nodeKey2.key",
        "publicKeyPath": "nodeKey2.pub"
      },
      {
        "privateKeyPath": "nodeKey3.key",
        "publicKeyPath": "nodeKey3.pub"
      }
    ]
  },
  "alwaysSendTo": []
}
```
:::info
Besu requires `orion` mode. Add the line `"mode": "orion",` to the Tessera configuration file.
:::
Start each Tessera node, specifying its configuration file.
In the `Node-1` directory, start Besu Node-1:
```bash
besu --data-path=data --genesis-file=../genesis.json \
  --rpc-http-authentication-enabled \
  --rpc-http-authentication-jwt-public-key-file=publicKey.pem \
  --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV \
  --host-allowlist="*" --rpc-http-cors-origins="all" \
  --privacy-enabled --privacy-url=http://127.0.0.1:9102 \
  --privacy-multi-tenancy-enabled --profile=ENTERPRISE
```
The command line specifies the authentication and privacy options:
- `--rpc-http-authentication-enabled` enables authentication for the JSON-RPC APIs.
- `--rpc-http-authentication-jwt-public-key-file` specifies the operator's public key file, used to verify the signature on each tenant's JWT.
- `--privacy-enabled` enables privacy.
- `--privacy-url` specifies the Quorum to Tessera (Q2T) server address of the Tessera node (the `Q2T` entry in `tessera.conf`).
- `--privacy-multi-tenancy-enabled` enables multi-tenancy, so that Besu scopes each privacy request to the tenant named in the JWT.
:::note
`--rpc-http-authentication-jwt-public-key-file` is only required when using JWT public key authentication. If using username and password authentication, use `--rpc-http-authentication-credentials-file` instead.
:::
Start the remaining Besu nodes.
Generate the JWT for each tenant and specify the tenant's Tessera public key in the `privacyPublicKey` claim. Besu uses this claim to restrict the tenant to the privacy groups and private state that belong to that key, so the value must be one of the keys hosted by the `Node-1` Tessera node (here `nodeKey2.pub` or `nodeKey3.pub`), and each tenant must receive only a token carrying its own key.
Ensure you apply the appropriate JSON-RPC API permissions to the token in its `permissions` claim. For example, enable the `PRIV` and `EEA` APIs for privacy.
:::note
This step is not required when using username and password authentication to create the required JWTs.
:::
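The following script is an added example and is not part of the Besu or Tessera documentation. It covers two steps of the procedure above: generating the operator's `.pem` key pair, and minting and checking a tenant JWT with JWT public key authentication. It assumes `openssl` is installed, names the private key `privateKey.pem` (only `publicKey.pem` appears in the `besu` command above), uses 2048-bit RSA with the `RS256` algorithm, and uses a constructed placeholder value for the tenant's Tessera public key in place of the real contents of `nodeKey2.pub`.

```shell
#!/bin/sh
# Added example, not from the Besu docs: operator key pair + tenant JWT.
# Assumptions not on the page: privateKey.pem as the private key file name,
# 2048-bit RSA, RS256, and TENANT_PUB as a constructed placeholder key.

# Constructed placeholder (32 zero bytes, base64). In the real procedure
# paste the contents of Node-1/Tessera/nodeKey2.pub here instead.
TENANT_PUB="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

# base64url without padding, the encoding every JWT segment uses
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '=\n'
}

# Inverse of b64url: restore the standard alphabet and padding, then decode
b64url_decode() {
  local s
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Operator key pair: $1 private key path (signs tenant JWTs, stays with the
# operator), $2 public key path (passed to Besu with
# --rpc-http-authentication-jwt-public-key-file)
gen_operator_keys() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Mint a tenant JWT: $1 operator private key (PEM), $2 tenant Tessera public
# key (base64), $3 expiry as Unix time, $4 JSON array of RPC permissions
make_tenant_jwt() {
  local header payload sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"permissions":%s,"privacyPublicKey":"%s","exp":%s}' \
    "$4" "$2" "$3" | b64url)
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# Print the decoded claims of a token ($1) for inspection before handing it out
jwt_claims() {
  printf '%s' "$1" | cut -d. -f2 | b64url_decode
}

# Verify a token ($2) against the operator's public key ($1), which is the
# check Besu performs on every authenticated request; returns 0 if valid
verify_jwt() {
  local sigfile rc
  sigfile=$(mktemp)
  printf '%s' "${2##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "${2%.*}" \
      | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}

# Stand-alone run: keys and token go to a throwaway directory
demo=$(mktemp -d)
gen_operator_keys "$demo/privateKey.pem" "$demo/publicKey.pem"
token=$(make_tenant_jwt "$demo/privateKey.pem" "$TENANT_PUB" \
  "$(( $(date +%s) + 3600 ))" '["eth:*","priv:*","eea:*"]')
echo "$token"
jwt_claims "$token"; echo
verify_jwt "$demo/publicKey.pem" "$token" && echo "signature verifies against publicKey.pem"
```

Send the resulting token in the `Authorization: Bearer` header of each JSON-RPC request, for example `curl -X POST -H "Authorization: Bearer $token" --data '{"jsonrpc":"2.0","method":"priv_getPrivacyPrecompileAddress","params":[],"id":1}' http://127.0.0.1:8545`. Keep `privateKey.pem` off the tenants' machines: anyone holding it can mint a token for any `privacyPublicKey`, including another tenant's.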