Updated on April 20, 2020

Configure a multi-tenant node

You can configure Besu and associated Orion node in a privacy-enabled network to host multiple tenants.

In this tutorial we’ll add tenants to the Node-1 Besu and Orion node in a privacy-enabled network.

IBFT-Network/
├── Node-1
│   ├── data
│   ├── Orion
├── Node-2
│   ├── data
│   ├── Orion
└── Node-3
    ├── data
    ├── Orion

Note

This tutorial uses JSON Web Token (JWT) public key authentication to create the tenant’s JWT, but you can also use username and password authentication.

Prerequisites

A Privacy-enabled network.

1. Generate a private and public key pair

In the Node-1 directory, generate the private and public key pair. The key pair, which must be in .pem format, belongs to the operator who uses the key pair to authenticate the tenant JWTs.

Note

This step is not required when using username and password authentication to create the required JWTs.

2. Generate Orion keys

In the Node-1/Orion directory, generate a public/private key pair for each tenant.

Name the key pair nodeKey2 and nodeKey3.

3. Update the password file

Update passwordFile in the Node-1/Orion directory by adding each password used to generate the Orion keys on a new line.

You require separate passwords for each key pair, even if the passwords are identical.

4. Update the Orion configuration file

In the Node-1/Orion directory, update the orion.conf file by adding the new key pairs:

nodeurl = "http://127.0.0.1:8080/"
nodeport = 8080
clienturl = "http://127.0.0.1:8888/"
clientport = 8888
publickeys = ["nodeKey.pub", "nodeKey2.pub", "nodeKey3.pub"]
privatekeys = ["nodeKey.key", "nodeKey2.key", "nodeKey3.key"]
passwords = "passwordFile"
tls = "off"

5. Start the Orion nodes

In each Orion directory, start Orion and specify the configuration file.

6. Start Besu Node-1

In the Node-1 directory, start Besu Node-1:

MacOS

besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-multi-tenancy-enabled --min-gas-price=0

The command line specifies privacy options:

--rpc-http-authentication-enabled enables authentication for JSON-RPC APIs.
--rpc-http-authentication-jwt-public-key-file specifies the Operator’s public key file. Used to authenticate the tenant JWTs.
--privacy-enabled enables privacy.
--privacy-url specifies the Orion node URL (clienturl in orion.conf)
--privacy-multi-tenancy-enabled enables multi-tenancy.

Note

--rpc-http-authentication-jwt-public-key-file is only required when using [JWT public key authentication]. If using username and password authentication, use --rpc-http-authentication-credentials-file instead.

Start the remaining Besu nodes.

7. Generate the tenant JWTs

Generate the JWT for each tenant and specify the tenant’s Orion public key in the privacyPublicKey field.

Ensure you apply the appropriate JSON-RPC API permissions to the token. For example, ensure you enable the PRIV and EEA APIs for privacy.

Note

This step is not required when using username and password authentication to create the required JWTs.

Use the authentication token to make requests.