Architecture Reference

Figure: Blockchain Automation Framework Physical Architecture

Figure: Blockchain Automation Framework Physical Architecture

Security Services

These are the services to enable the security of cryptographic keys, users, nodes and transactions along with the infrastructure supporting those services.

Policy Management

Policy management is the process of creating, communicating, and maintaining policies and procedures within an organization. Policy Management is a key feature used in development as well as operational phase of any product as it dictates who has what control in the dev/test/prod environment(s).

In the Blockchain Automation Framework (BAF), Policy Management is provided by the Git repository. BAF uses GitOps for deployment and operations, hence all policies are defined in the Git repository. Git branches with appropriate rights to users is maintained for releases in each environment. Read/write access, admin access to git repository, access to add access keys in repository, pull request based merge in main branch are some of the key features that is used in BAF.

Key Management

Key Management is the process of overseeing the generation, exchange, storage, use and destruction of cryptographic keys. Key Management is an important consideration for blockchain as all transactions in blockchain are signed using digital keys. Loss of keys can lead to financial loss as well as brand impact to the organization conducting the transaction.

The Blockchain Automation Framework uses Hashicorp Vault to hold secrets that are used by the DLT/Blockchain platform. A secret is anything that you want to tightly control access to (e.g. API keys, passwords, certificates). Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log. Hashicorp Vault provides an abstraction on top of a Cloud KMS and does not create Cloud Platform lock-in. See the Platform-Specific Reference Guides for specific details on the structure of the Vault. Vault is a pre-requisite for BAF and should be configured and available before the automation is triggered.

Identity and Access Management (IAM)

Identity and Access Management (IAM) is the process of defining and managing the access privileges of network users and determining how users are granted or denied those privileges. IAM is the front door for all blockchain applications and hence has to be designed upfront to reduce risk. Strong authentication techniques and user level permissioning will help shift left some of the security concerns.

The Blockchain Automation Framework does not provide IAM controls. This is to be developed and applied by the application/use-case.

Certificate Authority (CA)

A Certificate Authority dispenses certificates to different actors. These certificates are digitally signed by the CA and bind together the actor with the actor’s public key (and optionally with a comprehensive list of properties). As a result, if one trusts the CA (and knows its public key), it can trust that the specific actor is bound to the public key included in the certificate, and owns the included attributes, by validating the CA’s signature on the actor’s certificate.

For test and dev environments, the Blockchain Automation Framework generates certificates and keys (for all Platforms) and also provides CA servers (Fabric only).

For production use, generation of certificates, keys and CA servers via the Blockchain Automation Framework is not recommended. The existing certificates and keys can be placed in Vault in the paths described under subsections of Platform-Specific Reference Guides .

Policies/Operations

Policies/Operations refers to the actual security policies that an organization may/should have governing their business processes, operations and management.

This part of the reference architecture is out of scope for the Blockchain Automation Framework.

DevOps Services

These services enable the development of on-ledger (e.g. smart contracts) or off-ledger services based on SDK’s and IDE’s (e.g. Web APIs) including the maintenance, monitoring and administration of the distributed ledger and its on- and off-ledger services.

Version Management

Version Management capabilities enable change control of smart contract and decentralized applications. This enables developers and operators to track different version of the code as well as releases.

The Blockchain Automation Framework utilizes Git as the version management tool.

Configuration Management

Configuration management involves automation of scripts and ad-hoc practices in a consistent, reliable and secure way. Configuration Management enables operators to set-up DLT/Blockchain networks idempotently by using minimum configuration changes.

The Blockchain Automation Framework utilizes Ansible for configuration management. Ansible features a state driven, goal oriented resource model that describes the desired state of computer systems and services, not the paths to get them to this state. No matter what state a system is in, Ansible understands how to transform it to the desired state (and also supports a “dry run” mode to preview needed changes). This allows reliable and repeatable IT infrastructure configuration, avoiding the potential failures from scripting and script-based solutions that describe explicit and often irreversible actions rather than the end goal.

Kubernetes Deploy/Operate

Kubernetes Deploy/Operate consists of the services that are used to deploy desired state of various services on Kubernetes clusters. It is also used for maintenance and operations of these services.

The Blockchain Automation Framework uses Helm to achieve this. Helm uses a packaging format called charts. A chart is a collection of files that describe a related set of Kubernetes resources. A single chart might be used to deploy something simple, like a memcached pod, or something complex, like a full web app stack with HTTP servers, databases, caches, and so on, which in our case, is the desired blockchain platform. While using helm, we can deploy a set of services and deployments together as a release.

Infrastructure as Code

Infrastructure as Code (IaC) is the process of managing and provisioning cloud hardware through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. IaC can be versioned and hence, maintained easily and can be used to deploy cloud environments idempotently.

This part of the reference architecture is out of scope for the Blockchain Automation Framework.

Build, Test, and Artifact Management

Build, Test, and Artifact Management capabilities enable continuous delivery management by ensuring automation of the build and deployment of artefacts.

The Blockchain Automation Framework (BAF) uses TravisCI for running static tests, building and storing of Docker images. Jenkins Pipelines (as code) are also available for continuous deployment/reset of DLT network. Artefact management is not implemented yet, but GitHub Releases can be used for this.

Delivery Management

Delivery Management is the process where all software, artifacts and data from disparate tools used to move a product or feature from initial idea to max adoption are integrated into a unified common data layer, with the key information connected and easily accessible, giving each individual and team an unprecedented level of insight into bottlenecks and inefficiencies dramatically improving the speed at which better software gets to users safely.

As it is opensource and a hyperledger-labs project, the Blockchain Automation Framework integrates with GitHub for reporting and tracking new features, bugs/issues and releases. BAF uses ReadTheDocs for sharing documentation. In specific implementations, the Blockchain Automation Framework can be integrated with tools like Jira and Confluence.

Presentation Services

The presentation services specify how the application will be provided to the end-user. It also defines the on-ledger and off-ledger services and capabilities via different channels.

This part of the reference architecture is out of scope for Blockchain Automation Framework (BAF) and will be determined by the application using BAF.

Integration Services

These are combination of the services to interact with on- and off-ledger services via APIs or ledger protocols including runtime and operations services.

DLT Integration

DLT integration refers to how the presentation services will talk to the DLT Platform. This will depend on the presentation service as such.

The Blockchain Automation Framework provides a sample application Supplychain, which uses Express Nodejs API as the integration layer to talk to the underlying DLT platform. Each DLT/Blockchain platform also enables this by providing SDKs or APIs themselves.

Application Integration

Application Integration refers to how the application will talk to different components of the same application.

This part of the reference architecture is out of scope for the Blockchain Automation Framework (BAF) and will be determined by the application using BAF.

External Integration

External integration is required when the blockchain application interfaces with systems outside of the application or DLT platform.

This part of the reference architecture is out of scope for the Blockchain Automation Framework (BAF) and will be determined by the application using BAF.

Distributed Data Platforms

Distributed Data Platforms form the core of any distributed architecture solution. The Blockchain Automation Framework (BAF) aims to support both Distributed Ledgers and Distributed Databases. BAF currently supports DLT/Blockchain Platforms: Corda, Hyperledger Fabric, Hyperledger Indy, Hyperledger Besu, and Quorum.

Infrastructure Services

Infrastructure services refer to the various services needed to run or deploy the different services of a distributed ledger architecture.

Cloud Providers

A Cloud Provider is a company that delivers cloud computing based services with features like scalibility and easy maintainance.

The Blockchain Automation Framework is built on Kubernetes, so will run on any Cloud provider providing Kubernetes as a service; this includes private and hybrid clouds.

Container Services

Container services allows users to deploy and manage containers using container based virtualization. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package.

The Blockchain Automation Framework (BAF) uses 2 containerization technologies: Docker and Kubernetes. Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. Docker is a tool designed to make it easier to create, deploy, and run applications by using containers.

Backup/Restore

Disaster recovery involves a set of policies, tools and procedures to enable the recovery of vital technology infrastructure and systems following a natural or human-induced disaster. Even though blockchain applications are self replicating, complete auto recovery is not always possible. Therefore it is important to have guidelines around backing up the data in a distributed store and restoring it using a conventional restoring mechanism. Backup is the process of copying and archiving data. Restore is the process of returning data that has been lost, stolen or damaged from secondary storage.

This part of the reference architecture is out of scope for the Blockchain Automation Framework.

Other Data Services

Data services are related to on-ledger storage and data processing.

This part of the reference architecture is out of scope for the Blockchain Automation Framework.