Skip to content
You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Updated on October 9, 2020

Configure a multi-tenant node

You can configure Besu and associated Orion node in a privacy-enabled network to host multiple tenants.

In this tutorial we’ll add tenants to the Node-1 Besu and Orion node in a privacy-enabled network.

├── Node-1
│   ├── data
│   ├── Orion
├── Node-2
│   ├── data
│   ├── Orion
└── Node-3
    ├── data
    ├── Orion


This tutorial uses JWT public key authentication to create the tenant’s JWT, but you can also use username and password authentication.


1. Generate a private and public key pair

In the Node-1 directory, generate the private and public key pair. The key pair, which must be in .pem format, belongs to the operator who uses the key pair to authenticate the tenant JWTs.


This step is not required when using username and password authentication to create the required JWTs.

2. Generate Orion keys

In the Node-1/Orion directory, generate a public/private key pair for each tenant.

Name the key pair nodeKey2 and nodeKey3.

3. Update the password file

Update passwordFile in the Node-1/Orion directory by adding each password used to generate the Orion keys on a new line.

You require separate passwords for each key pair, even if the passwords are identical.

4. Update the Orion configuration file

In the Node-1/Orion directory, update the orion.conf file by adding the new key pairs:

nodeurl = ""
nodeport = 8080
clienturl = ""
clientport = 8888
publickeys = ["", "", ""]
privatekeys = ["nodeKey.key", "nodeKey2.key", "nodeKey3.key"]
passwords = "passwordFile"
tls = "off"

5. Start Orion

In the Node-1/Orion directory, start Orion and specify the configuration file.

6. Start Besu Node-1

In the Node-1 directory, start Besu Node-1:

besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url= --privacy-multi-tenancy-enabled --min-gas-price=0

The command line specifies privacy options:

Start the remaining Besu nodes.

7. Generate the tenant JWTs

Generate the JWT for each tenant and specify the tenant’s Orion public key in the privacyPublicKey field.

Ensure you apply the appropriate JSON-RPC API permissions to the token. For example, ensure you enable the PRIV and EEA APIs for privacy.


This step is not required when using username and password authentication to create the required JWTs.

Use the authentication token to make requests.

Questions or feedback? You can discuss issues and obtain free support on Hyperledger Besu chat channel.
For Hyperledger Besu community support, contact the mailing list