Part 4: Provide secure authentication and authorization using Hyperledger Fabric CA
Welcome to the last part of the “Integrating SAP Business Technology Platform with Blockchain Service” blog post series. In this blog post we will see how to implement role-based access to the Hyperledger Fabric blockchain network.
For a quick recap, kindly go through the previous blog posts listed below:
To summarize what we have done so far, the architecture below will help you understand it better.
- The UI application is deployed on SAP BTP.
- All communication from the Supplier and the Financier to the blockchain network goes through the Connectivity service offered by SAP BTP.
- The REST API is deployed on an Azure VM and connects the UI app to HLF on AKS.
- The REST API uses a connection profile and an admin credentials JSON file, which is static for a specific peer channel.
Currently, we are using a static admin credentials JSON file for a specific user with Admin access to the underlying Hyperledger Fabric network. For demo purposes, this approach definitely works.
But for a production environment, we need role-based access so that transactions are performed according to the user’s role.
This needs custom development to provide a secure authentication and authorization framework across the network.
There can be multiple ways to achieve this; we have followed the approach below:
- Any request through the UI app is authenticated with Azure AD.
- When the UI app invokes a transaction through the REST service, the user information is passed along to the REST service.
- The REST service reads the custom attributes that contain the user’s role information, to check whether the user is authorized to perform the transaction or not.
- For an authorized user, a certificate is generated using the Hyperledger Fabric CA SDK.
- Using this certificate, the user can perform a transaction on the blockchain ledger.
- For optimization and better performance, the certificate can be stored in Azure Key Vault to efficiently handle frequent queries from the same user.
Typically, the following steps are performed in the REST service:
- When a transaction is submitted, the user profile is parsed to capture the custom attributes configured in Azure AD according to the user’s access role.
- Based on the custom attribute, a certificate is generated from the Fabric CA using the HLF CA SDK, with the following details:
  - Organization name
  - Certificate details
  - Private key
- Using the above details, we first need to register the user and then enroll it for the underlying Fabric ledger peer node.
- Once the certificate is generated, it is cached in Azure Key Vault so that it is reused for already enrolled users.
- Using this certificate, the user can submit transactions on the blockchain network.
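The REST-service flow described in the two lists above (authenticate, read the role attribute, authorize, register and enroll with the Fabric CA, cache the identity), as an added example in Node.js. This is not code from the original post or from the azhlfTool project. It uses a constructed stand-in for the `fabric-ca-client` `FabricCAServices` class with the same `register`/`enroll` method names and request shapes, so it runs offline with no CA; the custom attribute name `extension_blockchainRole`, the role-to-transaction table, the affiliation `org1.department1` and the MSP id `Org1MSP` are all assumptions, and a `Map` stands in for Azure Key Vault.

```javascript
// Added example (not from the original post or azhlfTool). Runs offline.

// Hypothetical Azure AD custom (extension) attribute carrying the user's role.
const ROLE_ATTRIBUTE = 'extension_blockchainRole';

// Hypothetical role -> allowed chaincode transactions (an allowlist: anything
// not listed is denied, including unknown roles).
const ROLE_PERMISSIONS = {
  supplier: new Set(['createInvoice', 'queryInvoice']),
  financier: new Set(['approveInvoice', 'queryInvoice']),
};

// Step 1: parse the authenticated user's profile for the custom role attribute.
function parseUserRole(profile) {
  const role = profile && profile[ROLE_ATTRIBUTE];
  if (typeof role !== 'string' || !(role in ROLE_PERMISSIONS)) {
    return null; // missing or unknown role: treated as unauthorized
  }
  return role;
}

// Step 2: authorization check against the allowlist.
function isAuthorized(role, transactionName) {
  const allowed = ROLE_PERMISSIONS[role];
  return Boolean(allowed && allowed.has(transactionName));
}

// Constructed stand-in for fabric-ca-client's FabricCAServices. Real calls go
// to the CA over TLS; here register() just records a secret and enroll()
// returns fake PEM strings shaped like the SDK's { certificate, key } result.
class FakeFabricCAClient {
  constructor() { this.registered = new Map(); }
  async register(request, registrar) {
    if (!registrar || registrar.role !== 'admin') {
      throw new Error('registrar must be an admin identity');
    }
    const secret = `secret-${request.enrollmentID}`;
    this.registered.set(request.enrollmentID, { secret, attrs: request.attrs || [] });
    return secret;
  }
  async enroll({ enrollmentID, enrollmentSecret }) {
    const entry = this.registered.get(enrollmentID);
    if (!entry || entry.secret !== enrollmentSecret) throw new Error('enrollment failed');
    return {
      certificate: `-----BEGIN CERTIFICATE-----\nFAKE:${enrollmentID}\n-----END CERTIFICATE-----`,
      key: { toBytes: () => `-----BEGIN PRIVATE KEY-----\nFAKE:${enrollmentID}\n-----END PRIVATE KEY-----` },
    };
  }
}

// Steps 3-4: reuse a cached identity, otherwise register + enroll a new one.
// `cache` is a Map standing in for Azure Key Vault (constructed).
async function getOrEnrollIdentity({ userId, role, orgMspId, affiliation, caClient, registrar, cache }) {
  const cached = cache.get(userId);
  if (cached) return { identity: cached, fromCache: true };

  const secret = await caClient.register({
    enrollmentID: userId,
    affiliation,
    role: 'client',
    attrs: [{ name: 'role', value: role, ecert: true }], // role is embedded in the cert
  }, registrar);
  const enrollment = await caClient.enroll({ enrollmentID: userId, enrollmentSecret: secret });

  const identity = {
    credentials: { certificate: enrollment.certificate, privateKey: enrollment.key.toBytes() },
    mspId: orgMspId,
    type: 'X.509',
  };
  cache.set(userId, identity);
  return { identity, fromCache: false };
}

// One request as the REST service would handle it: deny before any CA work.
async function handleTransactionRequest(profile, transactionName, deps) {
  const role = parseUserRole(profile);
  if (!role || !isAuthorized(role, transactionName)) {
    return { status: 403, reason: 'user not authorized for this transaction' };
  }
  const { identity, fromCache } = await getOrEnrollIdentity({ userId: profile.oid, role, ...deps });
  return { status: 200, mspId: identity.mspId, role, fromCache };
}

// Constructed sample input: an Azure AD profile with the custom attribute set.
const sampleProfile = { oid: 'user-123', name: 'Supplier One', [ROLE_ATTRIBUTE]: 'supplier' };

// Fresh dependencies per run (constructed values; no real CA or Key Vault).
function makeSampleDeps() {
  return {
    orgMspId: 'Org1MSP',
    affiliation: 'org1.department1',
    caClient: new FakeFabricCAClient(),
    registrar: { role: 'admin', enrollmentID: 'admin' },
    cache: new Map(),
  };
}

handleTransactionRequest(sampleProfile, 'createInvoice', makeSampleDeps())
  .then((result) => console.log(JSON.stringify(result)));
```

The order matters: the role check runs before any CA call, so an unauthorized user never gets an identity registered on the CA. The cache is keyed by the Azure AD object id, and a second request from the same user returns `fromCache: true` without touching the CA. When swapping the stand-in for the real `FabricCAServices`, the registrar must itself be an enrolled identity with registrar rights on the CA, and the cached private key should be stored as a Key Vault secret rather than in memory.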
With this approach, we can integrate any underlying ERP or non-ERP system to be authenticated and authorized efficiently, providing secure, role-based access to the blockchain network.
The links below serve as important pointers to dive further:
- The Hyperledger Fabric CA documentation for registering and enrolling identities can be found here.
- The following module from the Fabric Node SDK can be used to register and enroll new identities with Fabric CA. Further, you can refer to our sample azhlfTool code to achieve the same, using the register and enroll functions respectively.
This brings us to the end of this blog series and concludes the “Integration of SAP Business Technology Platform with blockchain service (Hyperledger Fabric on Azure Kubernetes Service)”.
Keep an eye out for upcoming exciting multi-cloud initiatives.
Special thanks to the Microsoft team, Chintan Rajvir, Sunil Sanjeev, Holgar, Loganathan Ramalingam and Holger Bruchelt, for supporting this.
Reference Links: