Technology Blogs by SAP
SwapnilGalgali
Welcome to the last part of the “Integrating SAP Business Technology Platform with Blockchain Service” blog post series. In this blog post we will see how to implement role-based access to the Hyperledger Fabric blockchain network.

 

For a quick recap, please go through the previous posts in this series:

Integrating SAP Business Technology Platform with Blockchain Service

Part 1: Deploying a Hyperledger Fabric template on Azure Kubernetes Service (AKS)

Part 2: Building a Hyperledger Fabric consortium based on Azure Kubernetes Service (AKS) template

Part 3: Building User Interface on SAP Business Technology Platform to consume Blockchain

 

To summarize what we have done so far, the below architecture will help you understand it better.




  • UI Application is deployed on SAP BTP

  • All the communication of Supplier and Financier to Blockchain network is through Connectivity services offered by SAP BTP

  • REST API is deployed on Azure VM which connects UI app to HLF on AKS

  • The REST API uses a connection profile and an Admin credentials JSON file, both of which are static and tied to a specific peer and channel.


Currently, we are using a static admin credentials JSON file belonging to a specific user with Admin access to the underlying Hyperledger Fabric network. For demo purposes, this approach definitely works.

 

But for the production environment, we need to have role-based access to perform transactions as per the user’s role.

This needs custom development to have secure authentication and authorization framework across the network.

There are multiple ways to achieve this. We have followed the approach below:




  • Any request through UI app gets authenticated with Azure AD

  • When the UI app invokes a transaction through the REST service, user information is passed along to the REST service

  • REST service captures custom attributes that contain User Role information, to check whether the user is authorized to perform transaction or not

  • For an authorized user, using Hyperledger Fabric CA SDK, a certificate is generated.

  • Using this certificate user can perform a transaction on a blockchain ledger

  • For optimization and better performance, the certificate can be stored in Azure Key Vault to efficiently handle frequent queries from the same user.


 

Typically, the below steps are performed in REST service:

  • When a transaction is submitted, the user profile is parsed to capture custom attributes configured in Azure AD as per the User’s access role.

  • As per the custom attribute, a CA certificate is generated with the HLF CA SDK using the details below:

      • Username

      • Organization name

      • Certification details

      • Private key

      • Tls_private_key

      • Tls_private_certification

  • Using the above details, we first need to register the user and then enroll it for the underlying Fabric ledger peer node.

  • Once the certificate is generated, it is cached in Azure Key Vault so that it can be reused for already enrolled users.

  • Using this certificate, the user can submit transactions on a blockchain network.
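
The steps above can be sketched as a single function in the REST service. This is an added example, not code from the original post or from azhlfTool: the claim name `extension_role`, the role-to-transaction map, the transaction names, the `${org}MSP` naming, and the `vault` get/set interface (standing in for Azure Key Vault) are assumptions, and the CA and vault are constructed in-memory stand-ins so the flow runs offline. The `register` and `enroll` request shapes follow the Fabric CA Node SDK.

```javascript
// Added example. Role names, transaction names and the claim name
// "extension_role" are assumptions, not values from the original post.
const ROLE_PERMISSIONS = new Map([
  ["supplier", ["createInvoice", "queryInvoice"]],
  ["financier", ["approveInvoice", "queryInvoice"]],
]);

// Returns a Fabric identity for the caller, or throws if the role in the
// Azure AD claims does not permit the requested transaction.
async function identityFor(claims, txName, { ca, vault, registrar, org }) {
  const role = claims.extension_role;
  const allowed = ROLE_PERMISSIONS.get(role) || []; // unknown role: deny
  if (!allowed.includes(txName)) {
    throw new Error(`role ${role} may not invoke ${txName}`);
  }
  // A cached certificate is reused only for the same org, user and role.
  const cacheKey = `${org}-${claims.upn}-${role}`;
  const cached = await vault.get(cacheKey);
  if (cached) return cached;

  // Register first, then enroll. The role is written into the enrollment
  // certificate (ecert: true) so chaincode can check it as well.
  const secret = await ca.register({
    enrollmentID: claims.upn, affiliation: org, role: "client",
    attrs: [{ name: "role", value: role, ecert: true }],
  }, registrar);
  const enrollment = await ca.enroll({ enrollmentID: claims.upn, enrollmentSecret: secret });
  const identity = { mspId: `${org}MSP`, role, // MSP naming is an assumption
    certificate: enrollment.certificate, privateKey: enrollment.key.toBytes() };
  await vault.set(cacheKey, identity);
  return identity;
}

// Constructed in-memory stand-ins for the Fabric CA client and the key vault.
function fakeCa() {
  const calls = { register: 0, enroll: 0 };
  return { calls,
    register: async (req) => { calls.register++; return `secret-${req.enrollmentID}`; },
    enroll: async (req) => { calls.enroll++;
      return { certificate: `CERT(${req.enrollmentID})`, key: { toBytes: () => "KEY" } }; } };
}
function fakeVault() {
  const store = new Map();
  return { get: async (k) => store.get(k), set: async (k, v) => { store.set(k, v); } };
}
```

The authorization check runs before any CA or vault call, so a denied request never causes a registration. In a real deployment the cache key would need to be reduced to characters Azure Key Vault accepts in secret names (alphanumerics and hyphens).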


 

By this approach, we can integrate with any underlying ERP or Non-ERP system to be authenticated and authorized efficiently to provide secure and role-based access to the blockchain network.

 

The below links will serve as important pointers to dive further:

  1. The Hyperledger Fabric CA documentation for registering and enrolling identities can be found here.

  2. The following module can be used from Fabric Node SDK to register and enroll new identities with Fabric CA. Further, you can refer to our sample azhlfTool code to achieve the same, using the register and enroll functions respectively.


 

This brings us to the end of this blog series and concludes the "Integration of SAP Business Technology Platform with blockchain service (Hyperledger Fabric on Azure Kubernetes Service)".

Keep an eye out for upcoming new and exciting multi-cloud initiatives.

I would like to thank my team members  shalini.agrawalanton, mers_trade5 for their valuable contributions and perseverance shown to conclude this blog series.

Special Thanks to the Microsoft team Chintan Rajvir, Sunil Sanjeev,  Holgar, Loganathan Ramalingam, Holger Bruchelt for supporting this.

 

Reference Links :

Hyperledger Fabric CA Documentation

Reference Article -Attribute based access in HLF

Fabric CA Client SDK