
Configure a multi-tenant node (Deprecated)

caution

Tessera-based privacy is deprecated in Besu version 24.12.0 and later. Please read this blog post for more context on the rationale behind this decision as well as alternative options.

You can configure a Besu node and its associated Tessera node in a privacy-enabled network to host multiple tenants.

In this tutorial we'll add tenants to the Node-1 Besu and Tessera node in a privacy-enabled network.

IBFT-Network/
├── Node-1
│   ├── data
│   ├── Tessera
├── Node-2
│   ├── data
│   ├── Tessera
├── Node-3
│   ├── data
│   ├── Tessera
└── Node-4
    ├── data
    ├── Tessera

info

This tutorial uses JWT public key authentication to create the tenant's JWT, but you can also use username and password authentication.

Prerequisites

Steps

1. Generate a private and public key pair

In the Node-1 directory, generate the private and public key pair. The key pair, which must be in .pem format, belongs to the operator, who uses it to authenticate the tenant JWTs.

info

This step is not required when using username and password authentication to create the required JWTs.

2. Generate Tessera keys

In the Node-1/Tessera directory, generate a public/private key pair for each tenant.

note

These instructions create an unlocked private key, meaning you do not need a password to decrypt the private key file.

Name the key pairs nodeKey2 and nodeKey3.

3. Update the Tessera configuration file

In the Node-1/Tessera directory, update the tessera.conf file by adding the new key pairs:

{
  "mode": "orion",
  "useWhiteList": false,
  "jdbc": {
    "username": "sa",
    "password": "",
    "url": "jdbc:h2:./target/h2/tessera1",
    "autoCreateTables": true
  },
  "serverConfigs": [
    {
      "app": "ThirdParty",
      "serverAddress": "http://localhost:9101",
      "communicationType": "REST"
    },
    {
      "app": "Q2T",
      "serverAddress": "http://localhost:9102",
      "communicationType": "REST"
    },
    {
      "app": "P2P",
      "serverAddress": "http://localhost:9103",
      "sslConfig": {
        "tls": "OFF"
      },
      "communicationType": "REST"
    }
  ],
  "peer": [
    {
      "url": "http://localhost:9203"
    },
    {
      "url": "http://localhost:9303"
    },
    {
      "url": "http://localhost:9403"
    }
  ],
  "keys": {
    "passwords": [],
    "keyData": [
      {
        "privateKeyPath": "nodeKey.key",
        "publicKeyPath": "nodeKey.pub"
      },
      {
        "privateKeyPath": "nodeKey2.key",
        "publicKeyPath": "nodeKey2.pub"
      },
      {
        "privateKeyPath": "nodeKey3.key",
        "publicKeyPath": "nodeKey3.pub"
      }
    ]
  },
  "alwaysSendTo": []
}

info

Besu requires orion mode. Add the line "mode": "orion", to the Tessera configuration file.

4. Start Tessera

Start the Tessera nodes and specify the configuration file.

5. Start Besu Node-1

In the Node-1 directory, start Besu Node-1:

besu --data-path=data \
  --genesis-file=../genesis.json \
  --rpc-http-authentication-enabled \
  --rpc-http-authentication-jwt-public-key-file=publicKey.pem \
  --rpc-http-enabled \
  --rpc-http-api=ETH,NET,IBFT,EEA,PRIV \
  --host-allowlist="*" \
  --rpc-http-cors-origins="all" \
  --privacy-enabled \
  --privacy-url=http://127.0.0.1:9102 \
  --privacy-multi-tenancy-enabled \
  --profile=ENTERPRISE

The command line specifies the privacy options --privacy-enabled, --privacy-url (the Tessera Q2T address), and --privacy-multi-tenancy-enabled, together with the authentication options --rpc-http-authentication-enabled and --rpc-http-authentication-jwt-public-key-file, which points at the operator's public key from step 1.

Start the remaining Besu nodes.

6. Generate the tenant JWTs

Generate the JWT for each tenant and specify the tenant's Tessera public key in the privacyPublicKey field.

Ensure you apply the appropriate JSON-RPC API permissions to the token. For example, ensure you enable the PRIV and EEA APIs for privacy.

note

This step is not required when using username and password authentication to create the required JWTs.

Use the authentication token to make requests.