Add and remove members from an Azure Managed CCF resource
Members can be added and removed from an Azure Managed CCF (Managed CCF) resource using governance operations. This tutorial builds on the Managed CCF resource created in the Quickstart: Create an Azure Managed CCF resource using the Azure portal tutorial.
Prerequisites
- Python 3+.
- Install the latest version of the CCF Python package.
Download the service identity
An Azure Managed CCF resource has a unique identity called the service identity. It is represented by a certificate and is created during the resource creation. Every individual node that is part of the Azure Managed CCF resource has its self-signed certificate, endorsed by the service identity, which establishes trust on it.
Customers are recommended to download the service identity certificate and use it to establish a TLS connection when interacting with the service. The following command downloads the certificate and saves it into service_cert.pem.
curl https://identity.confidential-ledger.core.azure.com/ledgerIdentity/confidentialbillingapp --silent | jq ' .ledgerTlsCertificate' | xargs echo -e > service_cert.pem
Note
When executing the commands on a Mac, replace date -Is
with date +%FT%T%z
.
Add a member
Generate a key pair for the member. After the following commands complete, the member's public key is saved in member0_cert.pem
and the private key is saved in member0_privk.pem
.
openssl ecparam -out "member0_privk.pem" -name "secp384r1" -genkey
openssl req -new -key "member0_privk.pem" -x509 -nodes -days 365 -out "member0_cert.pem" -"sha384" -subj=/CN="member0"
- Submit a proposal to add the member.
$cat set_member.json { "actions": [ { "name": "set_member", "args": { "cert": "-----BEGIN CERTIFICATE-----\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n-----END CERTIFICATE-----", "encryption_pub_key": "" } } ] } $ proposal_id=$( (ccf_cose_sign1 --content set_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )
- Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.
cat vote_accept.json { "ballot": "export function vote (proposal, proposerId) { return true }" } ccf_cose_sign1 --content vote_accept.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type ballot --ccf-gov-msg-created_at `date -Is` --ccf-gov-msg-proposal_id $proposal_id | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals/$proposal_id/ballots -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem
- When the command completes, the member is added in the Managed CCF resource. But, they cannot participate in the governance operations unless they are activated. Refer to the quickstart tutorial Activate a member to activate the member.
- View the members in the network using the following command.
curl --cacert service_cert.pem https://confidentialbillingapp.confidential-ledger.azure.com/gov/members | jq
{
"710c4d7ce6a70a89137b39170cd5c48f94b4756a66e66b2242370111c1c47564": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAX2gAwIBAgIQW20I1iR...l8Uv8rRce\n-----END CERTIFICATE-----",
"member_data": {
"is_operator": true,
"owner": "Microsoft Azure"
},
"public_encryption_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...n3QIDAQAB\n-----END PUBLIC KEY-----\n",
"status": "Active"
},
"f9ea379051e5292b538ff2a3dc97f1bb4d5046f12e2bdbf5b8e3acc4516f34e3": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAUKgAwIBAgIURuSESLma...yyK1EHhxx\n-----END CERTIFICATE-----",
"member_data": {
"group": "",
"identifier": "member0"
},
"public_encryption_key": null,
"status": "Active"
}
}
Remove a member
- Submit a proposal to remove the member. The member is identified by their public certificate.
$cat remove_member.json { "actions": [ { "name": "remove_member", "args": { "cert": "-----BEGIN CERTIFICATE-----\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n-----END CERTIFICATE-----", } } ] } $ proposal_id=$( (ccf_cose_sign1 --content remove_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )
- Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.
cat vote_accept.json { "ballot": "export function vote (proposal, proposerId) { return true }" } ccf_cose_sign1 --content vote_accept.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type ballot --ccf-gov-msg-created_at `date -Is` --ccf-gov-msg-proposal_id $proposal_id | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals/$proposal_id/ballots -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem
- When the command completes, the member is removed from the Managed CCF resource and they can no longer participate in the governance operations.
- View the members in the network using the following command.
curl --cacert service_cert.pem https://confidentialbillingapp.confidential-ledger.azure.com/gov/members | jq
{
"710c4d7ce6a70a89137b39170cd5c48f94b4756a66e66b2242370111c1c47564": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAX2gAwIBAgIQW20I1iR...l8Uv8rRce\n-----END CERTIFICATE-----",
"member_data": {
"is_operator": true,
"owner": "Microsoft Azure"
},
"public_encryption_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI...n3QIDAQAB\n-----END PUBLIC KEY-----\n",
"status": "Active"
},
"f9ea379051e5292b538ff2a3dc97f1bb4d5046f12e2bdbf5b8e3acc4516f34e3": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIBuzCCAUKgAwIBAgIURuSESLma...yyK1EHhxx\n-----END CERTIFICATE-----",
"member_data": {
"group": "",
"identifier": "member0"
},
"public_encryption_key": null,
"status": "Active"
}
}