You are reading Hyperledger Besu development version documentation and some displayed features may not be available in the stable release.
Date of last update: September 14, 2022

Configure a multi-tenant node

Warning

Orion features have been merged into Tessera! Read our Orion to Tessera migration guide and learn about all the new Tessera features.

You can configure a Besu node and its associated Tessera node in a privacy-enabled network to host multiple tenants.

In this tutorial we’ll add tenants to the Node-1 Besu and Tessera node in a privacy-enabled network.

IBFT-Network/
├── Node-1
│   ├── data
│   ├── Tessera
├── Node-2
│   ├── data
│   ├── Tessera
├── Node-3
│   ├── data
│   ├── Tessera
└── Node-4
    ├── data
    ├── Tessera

Note

This tutorial uses JWT public key authentication to create the tenant’s JWT, but you can also use username and password authentication.

Prerequisites

1. Generate a private and public key pair

In the Node-1 directory, generate the private and public key pair. The key pair, which must be in .pem format, belongs to the operator who uses the key pair to authenticate the tenant JWTs.

Note

This step is not required when using username and password authentication to create the required JWTs.

2. Generate Tessera keys

In the Node-1/Tessera directory, generate a public/private key pair for each tenant.

Note

The instructions create an unlocked private key, meaning you do not need a password to decrypt the private key file.

Name the key pairs nodeKey2 and nodeKey3.

3. Update the Tessera configuration file

In the Node-1/Tessera directory, update the tessera.conf file by adding the new key pairs:

{
  "mode": "orion",
  "useWhiteList": false,
  "jdbc": {
    "username": "sa",
    "password": "",
    "url": "jdbc:h2:./target/h2/tessera1",
    "autoCreateTables": true
  },
  "serverConfigs":[
    {
      "app":"ThirdParty",
      "serverAddress": "http://localhost:9101",
      "communicationType" : "REST"
    },
    {
      "app":"Q2T",
      "serverAddress": "http://localhost:9102",
      "communicationType" : "REST"
    },
    {
      "app":"P2P",
      "serverAddress":"http://localhost:9103",
      "sslConfig": {
        "tls": "OFF"
      },
      "communicationType" : "REST"
    }
  ],
  "peer": [
    {
      "url": "http://localhost:9203"
    },
    {
      "url": "http://localhost:9303"
    },
    {
      "url": "http://localhost:9403"
    }
  ],
  "keys": {
    "passwords": [],
    "keyData": [
      {
        "privateKeyPath": "nodeKey.key",
        "publicKeyPath": "nodeKey.pub"
      },
      {
        "privateKeyPath": "nodeKey2.key",
        "publicKeyPath": "nodeKey2.pub"
      },
      {
        "privateKeyPath": "nodeKey3.key",
        "publicKeyPath": "nodeKey3.pub"
      }
    ]
  },
  "alwaysSendTo": []
}

Note

If you are running Besu in GoQuorum-compatible privacy mode, disable orion mode by removing the line "mode": "orion", from the Tessera configuration file.

4. Start Tessera

Start the Tessera nodes and specify the configuration file.

5. Start Besu Node-1

In the Node-1 directory, start Besu Node-1:

besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:9102 --privacy-multi-tenancy-enabled --min-gas-price=0

The command line specifies privacy options:

Start the remaining Besu nodes.

6. Generate the tenant JWTs

Generate the JWT for each tenant and specify the tenant’s Tessera public key in the privacyPublicKey field.

Ensure you apply the appropriate JSON-RPC API permissions to the token. For example, ensure you enable the PRIV and EEA APIs for privacy.

Note

This step is not required when using username and password authentication to create the required JWTs.

Use the authentication token to make requests.
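
Steps 1 and 6 can be carried out with openssl alone. The script below is an added example, not taken from the Besu documentation: it creates an operator key pair, signs a tenant JWT, and checks the signature against the public key. The file name privateKey.pem, the RS256 algorithm, the priv:* and eea:* permission strings, the 300-second expiry and the tenant key value are assumptions or constructed values.

```bash
#!/usr/bin/env bash
# Added example (not from the Besu docs): mint and check a tenant JWT with openssl.
set -eu

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }
b64url_dec() {  # restore the padding that base64url strips, then decode
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_tenant_jwt <operator-private-key.pem> <tenant-tessera-public-key> <ttl-seconds>
make_tenant_jwt() {
  local header payload sig
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  # Least privilege: PRIV and EEA only, bound to one tenant key, with an expiry.
  payload=$(printf '{"permissions":["priv:*","eea:*"],"privacyPublicKey":"%s","exp":%d}' \
    "$2" "$(( $(date +%s) + $3 ))" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  [ -n "$sig" ] || return 1   # signing failed (for example, unreadable key)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_tenant_jwt <operator-public-key.pem> <jwt>; status 0 only if the signature is valid
verify_tenant_jwt() {
  local tmp rc=0
  tmp=$(mktemp)
  b64url_dec "${2##*.}" > "$tmp"
  printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$1" -signature "$tmp" >/dev/null 2>&1 || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Demo with a throwaway operator key and a constructed (fake) tenant key.
demo() {
  local dir jwt
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/privateKey.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/privateKey.pem" -pubout -out "$dir/publicKey.pem" 2>/dev/null
  jwt=$(make_tenant_jwt "$dir/privateKey.pem" "CONSTRUCTED-TESSERA-PUBLIC-KEY=" 300)
  verify_tenant_jwt "$dir/publicKey.pem" "$jwt" && b64url_dec "$(printf '%s' "$jwt" | cut -d. -f2)"
  rm -rf "$dir"
}
demo
```

In a real deployment the second argument is the content of the tenant's Tessera public key file (for example nodeKey2.pub), and the private key stays with the operator; only publicKey.pem is given to Besu.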