| title | sidebar_position | description | tags | |
|---|---|---|---|---|
Create a multi-tenant network |
2 |
Configure multi-tenancy |
|
:::caution
Tessera-based privacy is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.
:::
You can configure Besu and associated Tessera node in a privacy-enabled network to host multiple tenants.
In this tutorial we'll add tenants to the Node-1 Besu and Tessera node in a privacy-enabled network.
IBFT-Network/
├── Node-1
│ ├── data
│ ├── Tessera
├── Node-2
│ ├── data
│ ├── Tessera
├── Node-3
│ ├── data
│ ├── Tessera
└── Node-4
├── data
├── Tessera:::info
This tutorial uses JWT public key authentication to create the tenant's JWT, but you can also use username and password authentication.
:::
In the Node-1 directory, generate the private and public key pair. The key pair, which must be in .pem format, belongs to the operator who uses the key pair to authenticate the tenant JWTs.
:::info
This step is not required when using username and password authentication to create the required JWTs.
:::
In the Node-1/Tessera directory, generate a public/private key pair for each tenant.
:::note
The instructions creates an unlocked private key, meaning you do not need a password to decrypt the private key file.
:::
Name the key pair nodeKey2 and nodeKey3.
In the Node-1/Tessera directory, update the tessera.conf file by adding the new key pairs:
{
"mode": "orion",
"useWhiteList": false,
"jdbc": {
"username": "sa",
"password": "",
"url": "jdbc:h2:./target/h2/tessera1",
"autoCreateTables": true
},
"serverConfigs": [
{
"app": "ThirdParty",
"serverAddress": "http://localhost:9101",
"communicationType": "REST"
},
{
"app": "Q2T",
"serverAddress": "http://localhost:9102",
"communicationType": "REST"
},
{
"app": "P2P",
"serverAddress": "http://localhost:9103",
"sslConfig": {
"tls": "OFF"
},
"communicationType": "REST"
}
],
"peer": [
{
"url": "http://localhost:9203"
},
{
"url": "http://localhost:9303"
},
{
"url": "http://localhost:9403"
}
],
"keys": {
"passwords": [],
"keyData": [
{
"privateKeyPath": "nodeKey.key",
"publicKeyPath": "nodeKey.pub"
},
{
"privateKeyPath": "nodeKey2.key",
"publicKeyPath": "nodeKey2.pub"
},
{
"privateKeyPath": "nodeKey3.key",
"publicKeyPath": "nodeKey3.pub"
}
]
},
"alwaysSendTo": []
}:::info
Besu requires orion mode. Add the line "mode": "orion", to the Tessera configuration file.
:::
Start the Tessera nodes and specify the configuration file.
In the Node-1 directory, start Besu Node-1:
besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:9102 --privacy-multi-tenancy-enabled --profile=ENTERPRISEThe command line specifies privacy options:
--rpc-http-authentication-enabledenables authentication for JSON-RPC APIs.--rpc-http-authentication-jwt-public-key-filespecifies the Operator's public key file. Used to authenticate the tenant JWTs.--privacy-enabledenables privacy.--privacy-urlspecifies the Quorum to Tessera (Q2T) server address of the Tessera node (Q2Tintessera.conf).--privacy-multi-tenancy-enabledenables multi-tenancy.
:::note
--rpc-http-authentication-jwt-public-key-file is only required when using JWT public key authentication. If using username and password authentication, use --rpc-http-authentication-credentials-file instead.
:::
Start the remaining Besu nodes.
Generate the JWT for each tenant and specify the tenant's Tessera public key in the privacyPublicKey field.
Ensure you apply the appropriate JSON-RPC API permissions to the token. For example, ensure you enable the PRIV and EEA APIs for privacy.
:::note
This step is not required when using username and password authentication to create the required JWTs.
:::