
Oracle® Cloud

Administering Oracle Blockchain Cloud Service

E88957-06
December 2018

Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

Primary Author: Kate Price

This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify,
license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means.
Reverse engineering, disassembly, or decompilation of this software, unless required by law for
interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on
behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are
"commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-
specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the
programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications.
It is not developed or intended for use in any inherently dangerous applications, including applications that
may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you
shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron,
the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise
set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party content,
products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface
Audience
Documentation Accessibility
Related Documents
Conventions

1 Get Started with Oracle Blockchain Cloud Service
About Oracle Blockchain Cloud Service
About Application and Network Security in OBCS
Before You Begin with Oracle Blockchain Cloud Service
Workflow for Administering OBCS
How to Begin with OBCS
Accessing the My Services Console

2 Create an OBCS Instance
Typical Workflow to Create an OBCS Instance
Before You Create an OBCS Instance
Create a QuickStart Instance with a Single Click
Create an Oracle Blockchain Cloud Service Instance
Create an Instance Using the PaaS Service Manager
After You Create a Service Instance
Verify Your Instance and Access the OBCS Console

3 Manage the Lifecycle of an Instance
Explore the OBCS Console
Monitor Activity
Track the Number of OBCS Instances in an Account
Manage Tags
Create, Assign, and Unassign Tags
Find Tags and Instances Using Search Expressions
Delete an OBCS Instance

4 Set Up Users and Access Roles
Use Oracle Identity Cloud Service for Authentication
Connect to Oracle Identity Cloud Service from the Service Console
Add Oracle Identity Cloud Service Users
Add Hyperledger Fabric Enrollments to a REST Proxy
Use a Third Party Identity Provider
Assigning Roles in Oracle Identity Cloud Service

5 Top FAQs for Administration and Configuration

Preface
Administering Oracle Blockchain Cloud Service explains how to provision and maintain
Oracle Blockchain Cloud Service (OBCS) instances.

Topics:
• Audience
• Documentation Accessibility
• Related Documents
• Conventions

Audience
This guide is intended for service administrators responsible for provisioning and
maintaining Oracle Blockchain Cloud Service.

Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support
through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents
For more information, see these Oracle resources:
• Oracle Cloud:
http://cloud.oracle.com
• Getting Started with Oracle Cloud
• Managing and Monitoring Oracle Cloud
• Using Oracle Blockchain Cloud Service


Conventions
The following text conventions are used in this document:

| Convention | Meaning |
|---|---|
| boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
| italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
| monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |

1 Get Started with Oracle Blockchain Cloud Service
This section describes how to get started with Oracle Blockchain Cloud Service
(OBCS) for Oracle Cloud account and service administrators.

Topics:
• About Oracle Blockchain Cloud Service
• Before You Begin with Oracle Blockchain Cloud Service
• Workflow for Administering OBCS
• How to Begin with OBCS

About Oracle Blockchain Cloud Service


OBCS gives you a pre-assembled platform for building and running smart contracts
and maintaining a tamper-proof distributed ledger.
OBCS is a network consisting of validating nodes (peers) that update the ledger and
respond to queries by executing smart contract code—the business logic that runs on
the blockchain. External applications invoke transactions or run queries through client
SDKs or REST API calls, which prompts selected peers to run the smart contracts.
Multiple peers endorse (digitally sign) the results, which are then verified and sent to
the ordering service. After consensus is reached on the transaction order, transaction
results are grouped into cryptographically secured, tamper-proof data blocks and sent
to peer nodes to be validated and appended to the ledger. Service administrators can
use the OBCS web console to configure the blockchain and monitor its operation.
With OBCS, you complete some simple instance creation steps, and then Oracle takes
care of service management, patching, backup and restore, and other service lifecycle
tasks.
For information about available features, see Using Oracle Blockchain Cloud Service.

About Application and Network Security in OBCS


Your Oracle Cloud account includes Oracle Identity Cloud Service. You use Oracle
Identity Cloud Service to add users and manage access for OBCS. When users
access an OBCS console or a blockchain application developed for OBCS, they are
authenticated against Oracle Identity Cloud Service.
In addition, Oracle Cloud provides a reliable and flexible network security infrastructure
to further control how clients, administrators, and other cloud services access your
service instance and its applications. By default, your service instances can only be
accessed over secure protocols like HTTPS and SSH.

Before You Begin with Oracle Blockchain Cloud Service


OBCS is available on Oracle Cloud Infrastructure (OCI). When you order OBCS
through Oracle Universal Credits, you automatically get access to other required
services, including Oracle Cloud Infrastructure Compute, Oracle Cloud Infrastructure
Object Storage, and Oracle Identity Cloud Service.
When you activate your OBCS order, you get the Cloud Account Administrator role.
This role gives you full administration privileges on the cloud account, so you can
complete all aspects of OBCS setup and create other users.
Here’s some information about how OBCS uses other services that you might find
useful:
• Oracle Cloud Infrastructure Compute
OBCS uses an Oracle Cloud Infrastructure Compute VM to deploy and run the
OBCS instance and all other required applications such as Oracle Cloud
Infrastructure Object Storage, Oracle Identity Cloud Service and Oracle Cloud
Infrastructure Load Balancing.
• Oracle Cloud Infrastructure Object Storage
OBCS uses Oracle Cloud Infrastructure Object Storage to store product-related
binary files and logs.
• Oracle Identity Cloud Service
Oracle Identity Cloud Service Foundation is automatically provided when you
subscribe to OBCS through Oracle Universal Credits. Some additional features
are available with Basic and Standard Editions. See About Oracle Identity Cloud
Service Pricing Tiers and Features in Administering Oracle Identity Cloud Service.

Workflow for Administering OBCS


To start using OBCS, refer to the following tasks as a guide.

| Task | Description | More Information |
|---|---|---|
| Place an order for OBCS or sign up for a free Oracle Cloud promotion | Signing up for the free Oracle Cloud promotion is as easy as creating a new Oracle Cloud account. | Sign up for free credits; Sign up for your Oracle Cloud Account |
| Activate your Oracle Cloud account | You receive a welcome email when your account is ready. To activate your account, you must sign in with the credentials provided in the email. Click the Get Started with Oracle Cloud link in your welcome email and sign in. You’re prompted to change your password. | Signing In For the First Time |
| Access Oracle Cloud My Services | Access the My Services console. | Accessing the My Services Console |
| Add and manage Oracle Cloud users and roles | Optionally, create additional accounts for your cloud users and assign the necessary roles. | Adding Users and Assigning Roles in Getting Started with Oracle Cloud |
| Create a service instance | Use the Create Instance wizard in the Blockchain page to create a service instance. | Creating an OBCS instance |
| Create users and give them access to the service instance in Oracle Identity Cloud Service | Optionally, you can use Oracle Identity Cloud Service to create additional users. | Using Oracle Identity Cloud Service for Authentication |

After you’ve created your instance and any required users, you can begin to use
OBCS as described in Using Oracle Blockchain Cloud Service.

How to Begin with OBCS


Place an order for OBCS or sign up for a free Oracle Cloud promotion.
1. Sign up for a free credit promotion or purchase a subscription. Refer to these
topics in Getting Started with Oracle Cloud:
• Requesting and Managing Free Oracle Cloud Promotions
• Buying an Oracle Cloud Subscription
2. Access the Oracle Cloud My Services console.
See Accessing the My Services console.
3. Optional: Create additional Oracle Cloud users and grant them access to OBCS.
See Adding Users and Assigning Roles in Getting Started with Oracle Cloud.
Additional information on creating roles for OBCS can be found in Use Oracle Identity
Cloud Service for Authentication. For general information on Oracle Identity Cloud
Service, see Use Oracle Identity Cloud Service for Authentication.

Accessing the My Services Console


OBCS can be accessed through a web-based console.
To access the console:
1. Display the Sign In to Oracle Cloud page by clicking the My Services URL link in
your Welcome email or by following these instructions:
a. Open your web browser and go to the Oracle Cloud website:
http://cloud.oracle.com.
b. Click Sign In.
c. In the My Services box, select the data center where your services are
located: Public Cloud Services - NA or Public Cloud Services - EMEA.
d. Click My Services.
2. On the Sign In to Oracle Cloud page, enter your user name, your password, and
the name of your identity domain. Then, click Sign In.

The My Services dashboard opens.


3. To access the OBCS section of the console, click the navigation menu in the top
corner of the My Services dashboard and then click Blockchain.

2 Create an OBCS Instance
As Cloud Account Administrator, you can create and set up an Oracle Blockchain
Cloud Service (OBCS) instance for your organization.

Topics
• Typical Workflow for Creating an OBCS Instance
• Before you Create an OBCS Instance
• Create a QuickStart Instance with a Single Click
• Create an OBCS Instance
• Create an Instance Using the PaaS Service Manager
• After You Create an OBCS Instance

Typical Workflow to Create an OBCS Instance


If you’re about to create an OBCS instance for the first time, follow these tasks as a
guide.

| Task | Description | More Information |
|---|---|---|
| Before you start | | |
| Activate your order and sign in to My Services | As Cloud Account Administrator, you can complete all setup tasks for OBCS. | |
| Create the service instance | | |
| Create a service | Set up and configure your OBCS components. | Create an Oracle Blockchain Cloud Service Instance |
| Complete the setup | Verify that your service instance is up and running and that you can sign in. | Verify Your Instance and Access the OBCS Console |
| After creating your service instance | | |
| Manage users | Set up users for OBCS in Oracle Identity Cloud Service and assign roles to them. | Use Oracle Identity Cloud Service for Authentication |
| Manage your blockchain network | Add organizations to your blockchain network and manage a complex network. | See Using Oracle Blockchain Cloud Service |

Before You Create an OBCS Instance


Before you set up Oracle Blockchain Cloud Service, you can take some time to
set up your My Services dashboard and plan your service. However, there are no
formal prerequisites for creating your instance.

Create a QuickStart Instance with a Single Click


You can create a QuickStart instance of OBCS with a single click. This
installs OBCS and the services associated with it. Together, these instances are
known as the stack. Oracle manages the stack for you.
The QuickStart templates provision a complete blockchain founder network with two
peer nodes. The following templates are available:
• Developer: A 1 Kafka orderer and 3 OCPU total in 1 VM; 1 unit minimum charge
(500 transactions/hr)
• Enterprise-X1: A 3 node Kafka cluster and 3 x Standard 2.1 VM shapes; 2 unit
minimum charge (1000 transactions/hr)
• Enterprise-X4: A 3 node Kafka cluster and 3 x Standard 2.4 VM shapes; 8 unit
minimum charge (4000 transactions/hr)
To create a participant network, use the Custom provisioning option.
1. Sign in to your Oracle Cloud account.
2. From the My Services Console Dashboard, open the Oracle Blockchain Cloud
Service.
3. Click QuickStarts.
4. Enter your instance name or accept the default, and click Create.
It will take approximately 15 minutes for your service to be provisioned. Once it’s
complete, you’ll receive an email with the details of the instance.

Create an Oracle Blockchain Cloud Service Instance


To create a blockchain founder or participant instance from Oracle Cloud My Services,
use the Create New Instance wizard.
There are two types of OBCS instances you can provision:
• Founder organization: a complete blockchain environment, including a new
network to which participants can join later on.
• Participant instance: if there is already a founder organization you want to join,
you can create a participant instance if your credentials provide you with access to
the network.
1. In My Services, open the Dashboard.
2. Select Create Instance, navigate to Blockchain, and click Create. If the
QuickStart creation wizard opens, click Custom to access additional
customization options.
3. Complete the following fields:

Field and description:
• Instance Name: Enter a name for your OBCS instance. The service instance name:
– Must contain one or more characters.
– Must not exceed 15 characters.
– Must start with an ASCII letter: a to z.
– Must contain only ASCII lower-case letters or numbers.
– Must not contain a hyphen.
– Must not contain any other special characters.
– Must be unique within the identity domain.
• Description: (Optional) Enter a short description of the OBCS instance.
• Notification Email: Specify an email address where you would like to receive a
notification when the service instance provisioning has succeeded or failed.
• Region: Select the region where you want to host your service instance.
• Tags: (Optional) Select existing tags or add tags to associate with the service
instance.
To select existing tags, select one or more check boxes from the list of tags that
are displayed on the pull-down menu.
To create tags, click Click to create a tag to display the Create Tags dialog
box. In the New Tags field, enter one or more comma-separated tags that can
be a key or a key:value pair.
If you do not assign tags during provisioning, you can create and manage tags
after the service instance is created. See Creating, Assigning, and Unassigning
Tags.
• Create a New Network: Selecting this creates a complete blockchain environment.
This instance becomes the founder organization and you can onboard new
participants in the network later.
If this option is not selected, the instance will be created as a participant
organization and must join an existing blockchain network created elsewhere
before this instance can be used.
• Configuration: Select a provisioning shape which meets the needs of your deployment:
– Developer: A 1 Kafka orderer and 3 OCPU total in 1 VM; 1 unit minimum
charge (500 transactions/hr)
– Enterprise X1: A 3 node Kafka cluster and 3 x Standard 2.1 VM shapes; 2
unit minimum charge (1000 transactions/hr)
– Enterprise X4: A 3 node Kafka cluster and 3 x Standard 2.4 VM shapes; 8
unit minimum charge (4000 transactions/hr)
Note that the minimums are charged every hour even if no transactions are
used.
• Peers: Specify the number of peer nodes that will be initially created in this
service instance. You can create between 1 and 14 peer nodes for an Enterprise
configuration, and between 1 and 7 nodes for a Developer configuration.
Additional peer nodes can be added in the OBCS console at a later time.

4. Click Next.
5. Verify that the details are correct, and click Confirm.
It takes about 15 minutes to create the service instance. Oracle sends an email to the
designated email address when your service is ready. Display the Oracle Cloud
Activity tab to check the current status. Once the instance has been created it is
started, and can’t be stopped until it is deleted.

Create an Instance Using the PaaS Service Manager


The Oracle PaaS Service Manager provides a command line interface which contains
tools you can use to manage the lifecycle of your Oracle services. You can provision
an OBCS instance using a REST API.
The following example shows how to create an OBCS instance using the REST API:

# Omitting ":<password>" from -u makes curl prompt for the password instead,
# which keeps it out of shell history and the process list.
curl -X POST \
  -u "<username>:<password>" \
  "https://<PSM_endpoint>/paas/api/v1.1/instancemgmt/<IdentityDomain>/services/OABCSINST/instances" \
  -H "Content-Type: application/vnd.com.oracle.oracloud.provisioning.Service+json" \
  -H "X-ID-TENANT-NAME: <IdentityDomain>" \
  -d "@service_payload.json"

The service_payload.json file will be of the format:

{
  "serviceName": "your_service_name",
  "appSize": "Enterprise-X1",
  "serviceLevel": "PAAS",
  "region": "your_region",
  "organizationType": "true",
  "numberOfPeersDev": "8",
  "managedSystemType": "oracle",
  "enableNotification": "true",
  "notificationEmail": "your_email"
}

• serviceName
– Must contain one or more characters.
– Must not exceed 15 characters.
– Must start with an ASCII letter: a to z.
– Must contain only ASCII lower-case letters or numbers.
– Must not contain a hyphen.
– Must not contain any other special characters.
– Must be unique within the identity domain.
• appSize
– Developer: A 1 Kafka orderer and 3 OCPU total in 1 VM; 1 unit minimum
charge (500 transactions/hr)
– Enterprise-X1: A 3 node Kafka cluster and 3 X Standard 2.1 VM shapes; 2
unit minimum charge (1000 transactions/hr)
– Enterprise-X4: A 3 node Kafka cluster and 3 X Standard 2.4 VM shapes; 8
unit minimum charge (4000 transactions/hr)

• serviceLevel
– Must be set to PAAS
• region
– Optional. Select the region where you want to host your service instance.
• organizationType
– Must be set to true
• numberOfPeersDev
– Specify the number of peer nodes that will be initially created in this service
instance.
– 1 to 14 peer nodes for an Enterprise configuration.
– 1 to 7 nodes for a Developer configuration.
• managedSystemType
– Must be set to oracle
• enableNotification
– Must be set to true
• notificationEmail
– Enter the email where all notifications will be sent.
If you are using the instance creation wizard in Oracle My Services, once you have
entered your desired configuration information, on the information confirmation page
you can download a service_payload.json file with your selections by clicking the
download icon.
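
A pre-flight check of service_payload.json against the parameter rules listed above, added here as an example; it is not Oracle's code and not part of the PaaS Service Manager. The function name validate_payload and the sample payloads are constructed for illustration, and the check on region (non-empty when present) is an assumption.

```python
import json
import re

# Rules copied from the parameter list above. Uniqueness of serviceName within
# the identity domain cannot be checked offline and is not covered here.
NAME_RE = re.compile(r"[a-z][a-z0-9]{0,14}")
MAX_PEERS = {"Developer": 7, "Enterprise-X1": 14, "Enterprise-X4": 14}
FIXED_VALUES = {
    "serviceLevel": "PAAS",
    "organizationType": "true",
    "managedSystemType": "oracle",
    "enableNotification": "true",
}


def validate_payload(text):
    """Return a list of rule violations for a service_payload.json document."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object"]

    problems = []

    name = payload.get("serviceName")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        problems.append(
            "serviceName: 1 to 15 characters, lower-case ASCII letters or "
            "digits only, starting with a letter"
        )

    size = payload.get("appSize")
    size_ok = isinstance(size, str) and size in MAX_PEERS
    if not size_ok:
        problems.append("appSize: must be one of " + ", ".join(MAX_PEERS))

    for key, expected in FIXED_VALUES.items():
        if payload.get(key) != expected:
            problems.append(f'{key}: must be set to "{expected}"')

    # The page shows the peer count as a JSON string ("8"), so accept that form
    # as well as a plain integer.
    peers = payload.get("numberOfPeersDev")
    if isinstance(peers, str) and re.fullmatch(r"[0-9]+", peers):
        peers = int(peers)
    if isinstance(peers, bool) or not isinstance(peers, int):
        problems.append("numberOfPeersDev: must be a whole number")
    elif size_ok and not 1 <= peers <= MAX_PEERS[size]:
        problems.append(
            f"numberOfPeersDev: {size} allows 1 to {MAX_PEERS[size]} peers, got {peers}"
        )

    # region is optional; reject it only when present but empty (assumption).
    region = payload.get("region")
    if "region" in payload and (not isinstance(region, str) or not region.strip()):
        problems.append("region: if given, must be a non-empty string")

    email = payload.get("notificationEmail")
    if not isinstance(email, str) or not email.strip():
        problems.append("notificationEmail: required")

    return problems


# Constructed sample payloads (not taken from a real instance).
GOOD_PAYLOAD = """{
  "serviceName": "founderorg1",
  "appSize": "Enterprise-X1",
  "serviceLevel": "PAAS",
  "region": "your_region",
  "organizationType": "true",
  "numberOfPeersDev": "8",
  "managedSystemType": "oracle",
  "enableNotification": "true",
  "notificationEmail": "ops@example.com"
}"""

# Name breaks the naming rules; 8 peers exceeds the Developer limit of 7.
BAD_PAYLOAD = json.dumps(
    {**json.loads(GOOD_PAYLOAD), "serviceName": "Founder-Org-2018", "appSize": "Developer"}
)

# Same file with the comma after "region" dropped, a common hand-editing slip.
BROKEN_PAYLOAD = GOOD_PAYLOAD.replace('"your_region",', '"your_region"')

if __name__ == "__main__":
    for label, text in [("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD), ("broken", BROKEN_PAYLOAD)]:
        print(label, validate_payload(text) or "OK")
```

Running the check before the curl call catches rule violations locally, before the provisioning request is submitted.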

After You Create a Service Instance


When you receive the email to say your service is ready, verify that the service is up
and running, and then set up users for the service.
Verify that your instance has been created and access the OBCS console as
described in Verify Your Instance and Access the OBCS Console.
Add users and apply roles to them in IDCS as described in Connect to Oracle Identity
Cloud Service from the Service Console.
Explore, monitor, or delete your instance as described in Manage the Lifecycle of an
Instance.

Verify Your Instance and Access the OBCS Console


Oracle sends an email to the designated email address when your OBCS instance is
ready. Navigate to your service in My Services, obtain the service URL, and then sign
in to verify your OBCS instance is up and running.
1. In My Services, open the dashboard.
2. Navigate to Blockchain and click the Action menu beside your instance name.
3. Click Blockchain Console.

4. Sign in with your administrator credentials.

3 Manage the Lifecycle of an Instance
You can use the Instances page of the My Services Console to perform routine
maintenance or troubleshooting for your Oracle Blockchain Cloud Service instance.
You can also monitor these lifecycle operations and other management activities for all
OBCS instances.

Topics:
• Exploring the OBCS Console
• Monitoring Activity
• Tracking the Number of OBCS Instances in an Account
• Managing Tags
• Deleting an Instance

Explore the OBCS Console


You can use the OBCS console to view all OBCS instances.

What You See on the OBCS Console


When you access OBCS the first time for an account, you will see the Welcome page.
Click Instances to view the OBCS console home page.
There is one additional tab on the OBCS console: Activity. See:
• Monitor Activity
The following table describes the key information shown on the OBCS console. The
information displayed in the OBCS console will vary based on whether or not you have
created OBCS instances. When you access the OBCS console for your account for
the first time and there are no OBCS instances created, any service instance details
will not be displayed. In this case, you can create a service instance by clicking Create
Instance and access information about the prerequisites and steps for creating an
instance.

Element and description:
• identity domain: Click to change the resource identity domain.
• Click the user menu icon containing the initials of the user in order to access
a menu with the following options:
– Help: Provides links to documentation, videos, tutorials, and
troubleshooting information. You can also choose to download the
PaaS Service Manager (PSM) Command Line Interface (CLI) or
AppToCloud feature.
– Accessibility: Specify whether you use a screen reader, high contrast,
and/or large fonts.
– About: Provides a description of what you can do with OBCS, and the
version of the service and UI you are using.
– Sign Out: Logs you out of the service.
• Access help for this page, including documentation, tutorials, videos, and
FAQs.
• Click the Contact Us button to:
– Look up Oracle contact phone numbers
– Access My Oracle Support
– Access Oracle Cloud Discussion Forums
– Chat with Oracle Support online
• (In the branding bar): Click and select a choice from the menu to open the
service console for one of the Oracle Cloud Services to which you subscribe.
• Instances: Click to refresh this page.
• Activity: Click to view all operations performed on your service instances. See
Monitor Activity.
• Welcome!: Click to return to the Welcome page.
• (Adjacent to the Welcome! link in the banner): Click and select a choice from the
drop-down menu to open the service console for one of the Oracle Cloud Platform
Services to which you subscribe.
• Instances (Summary panel): Number of OBCS instances in the identity domain.
• OCPUs (Summary panel): Total number of Oracle Compute Units (OCPUs) allocated
across all OBCS instances.
• Memory (Summary panel): Total amount of memory in GBs allocated across all OBCS
instances.
• Storage (Summary panel): Total amount of block storage in GBs allocated across all
OBCS instances.
• Public IPs (Summary panel): Total number of public IP addresses allocated across
all OBCS instances.
• Instances (heading): All OBCS instances in the identity domain.
• Search field: Enter a full or partial service instance name to filter the list of
service instances to include only the instances that contain the string in their name.
• Click to refresh the page. The date and time the page was last refreshed is
displayed adjacent to this button.
• Create Instance: Create a new OBCS instance. See Creating an OBCS Instance.
• OBCS instance. Click this icon to view more details.
• Status icon indicating that the OBCS instance is being created.
• Status icon indicating the OBCS instance is undergoing maintenance or
terminating.
• Status icon indicating that the OBCS instance wasn’t created. This icon can
also mean that the service instance has stopped. See the Activity section of
this page.
• service-name: Name of the OBCS instance. Click the name to view more details.
• Status: Status of the service instance. Valid values include: In Progress,
Maintenance, Terminating, Stopped, and Failed.
Click the status label to view progress messages.
Note: Running service instances do not display this field.
• Version: Version of OBCS the instance was created with.
• Tags: Tags assigned to the service instance. The first tag is displayed. To see all
tags assigned to the service instance, hover over the tag name and click
More.
• Submitted On: When status is In Progress, date and time in UTC that the OBCS
instance creation request was submitted.
• Created On: When provisioning is complete, date and time in UTC that the OBCS
instance was created.
• OCPUs: Number of OCPUs allocated for the OBCS instance.
If your service instance has multiple clusters, the OCPUs value is the sum of
all OCPUs used in all the clusters.
• Memory: Amount of memory in GBs allocated for the OBCS instance.
• Storage: Amount of storage in GBs allocated for the OBCS instance.
• (Adjacent to the service instance name): Instance menu icon provides the following
options:
– Blockchain Console: Launches the OBCS console.
– Delete: Deletes the service instance.
• Instance Create and Delete History: Shows details about created or deleted service
instances.
– Show only failed attempts: Check this box if you want to see failed
attempts only.
– Details: Displays system messages logged during the creation or
deletion process. Messages include information about auto-retry
attempts.
– Complete Cleanup: This button appears only if there are failed
resources created during a successful auto-retry process. If you select
this button, the failed resources are deleted. You might have to press
the button again and wait, repeating this process until the button is no
longer displayed.
– Retry Delete: This button appears only if an attempt to delete a failed
service instance is unsuccessful. The software cleans up failed
resources and tries again to delete the service instance. You might
have to press the button again and wait, repeating this process until the
button is no longer displayed.

Monitor Activity
You can view all of the cloud operations that have been performed on your Oracle
Blockchain Cloud Service instances.
You can restrict the list of activities that are displayed by using search filters. For each
activity, you can view the operation, service name, service type, status, start time and
end time. You can also view the name of the cloud user that initiated the activity.
1. Access your service console.
2. Click the Activity tab.
3. To locate a specific activity, complete these fields in the Search Activity Log
area, and then click Search.
By default, this page displays all Oracle Blockchain Cloud Service activities that
occurred in the previous 24 hours.
4. Optional: Select a value for Results per page to limit the maximum number of
search results.

Track the Number of OBCS Instances in an Account


The account administrator can track the number of OBCS instances across all
accounts using the My Account Dashboard page.
1. Sign in to Oracle Cloud and navigate to the My Services Dashboard.
See Signing in to Your Cloud Account in Getting Started with Oracle Cloud.

2. On the Dashboard, select Open Service Console from the menu on the
Blockchain tile.
The tile displays the number of OBCS instances in the identity domain.

Manage Tags
A tag is an arbitrary key or a key-value pair that you can create and assign to your
Oracle Blockchain Cloud Service instances. You can use tags to organize and
categorize your instances, and to search for them.

Topics:
• Creating, Assigning, and Unassigning Tags
• Finding Tags and Instances Using Search Expressions

Create, Assign, and Unassign Tags


You can create and assign tags to Oracle Blockchain Cloud Service instances while
creating the instances or later. When you no longer need certain tags for an instance,
you can unassign them.
To assign tags to an instance or to unassign tags:

1. Navigate to the Overview page for the instance for which you want to assign or
unassign tags.
2. This step depends on whether any tags are already assigned to the instance:
If at least one tag is assigned to the instance, the Overview page shows a Tags
field.
a. Hover over any of the tags in the Tags field, until a More link is displayed.
b. Click the More link.
If you don’t see the Tags field, then no tags are currently assigned to the instance.

a. Click Manage this service in the instance name bar at the top.
b. Select Add Tags.
3. In the Manage Tags dialog box, assign or unassign tags, as required:
• In the Assign section, from the Tags field, select the tags that you want to
assign to the instance.
• If the tags that you want to assign don't exist, select Create and Assign in the
Tags field, and then enter the required tags in the Enter New Tags field.
• To unassign a tag, in the Unassign section, look for the tag that you want to
unassign, and click the X button next to the tag.

Note:
You might see one or more tags with the key starting with ora_.
Such tags are auto-assigned and used internally. You can’t assign or
unassign them.

• To exit without changing any tag assignments for the instance, click Cancel.
4. After assigning and unassigning tags, click OK for the tag assignments to take
effect.

Find Tags and Instances Using Search Expressions


A tag is an arbitrary key or a key-value pair that you can create and assign to your
Oracle Blockchain Cloud Service instances. You can use tags to organize and
categorize your instances, and to search for them. Over time, you might create dozens
of tags, and you might assign one or more tags to several of your instances. To search
for specific tags and to find instances that are assigned specific tags, you can use
filtering expressions.
For example, on the home page of the web console, you can search for the instances
that are assigned a tag with the key env and any value starting with dev (example:
env:dev1, env:dev2), by entering the search expression 'env':'dev%' in the Search
field.


Similarly, when you use the REST API to find tags or to find instances that are
assigned specific tags, you can filter the results by appending the optional
tagFilter=expression query parameter to the REST endpoint URL.
• To find specific tags:
GET paas/api/v1.1/tags/{identity_domain}/tags?tagFilter={expression}
• To get a list of instances that are assigned specific tags:
GET paas/api/v1.1/instancemgmt/{identity_domain}/instances?tagFilter={expression}

Syntax and Rules for Building Tag-Search Expressions


• When using cURL to send tag-search API requests, enclose the URL in double
quotation marks.
Example:

curl -s -u username:password -H "X-ID-TENANT-NAME:acme" \
  "restEndpointURL/paas/api/v1.1/instancemgmt/acme/instances?tagFilter='env'"

This request returns all the tags that have the key env.
• Enclose each key and each value in single quotation marks. And use a colon (:) to
indicate a key:value pair.
Examples:

'env'
'env':'dev'

• You can include keys or key:value pairs in a tag-filtering expression.

| Sample Expression | Description | Sample Search Result |
|---|---|---|
| 'env' | Finds the tags with the key env, or the instances that are assigned the tags with that key. | The following tags, or the instances that are assigned any of these tags: env:dev, env:qa |
| 'env':'dev' | Finds the tag with the key env and the value dev, or the instances that are assigned that tag. | The following tag, or the instances that are assigned this tag: env:dev |

• You can build a tag-search expression by using actual keys and key values, or by
using the following wildcard characters.
% (percent sign): Matches any number of characters.
_ (underscore): Matches one character.


| Sample Expression | Description | Sample Search Result |
|---|---|---|
| 'env':'dev%' | Finds the tags with the key env and a value starting with dev, or the instances that are assigned such tags. Note: When you use curl or any command-line tool to send tag-search REST API requests, encode the percent sign as %25. | The following tags, or the instances that are assigned any of these tags: env:dev, env:dev1 |
| 'env':'dev_' | Finds the tags with the key env and the value devX where X can be any one character, or finds the instances that are assigned such tags. | The following tags, or the instances that are assigned any of these tags: env:dev1, env:dev2 |

• To use a single quotation mark ('), the percent sign (%), or the underscore (_) as a
literal character in a search expression, escape the character by prefixing a
backslash (\).

| Sample Expression | Description | Sample Search Result |
|---|---|---|
| 'env':'dev\_%' | Finds the tags with the key env and a value starting with dev_, or the instances that are assigned such tags. | The following tags, or the instances that are assigned any of these tags: env:dev_1, env:dev_admin |

• You can use the Boolean operators AND, OR, and NOT in your search
expressions:

| Sample Expression | Description | Sample Search Result |
|---|---|---|
| 'env' OR 'owner' | Finds the tags with the key env or the key owner, or the instances that are assigned either of those keys. | The following tags, or the instances that are assigned any of these tags: env:dev, owner:admin |
| 'env' AND 'owner' | Finds the instances that are assigned the tags env and owner. Note: This expression won't return any results when used to search for tags, because a tag can have only one key. | The instances that are assigned all of the following tags: env:dev, owner:admin |
| NOT 'env' | Finds the tags that have a key other than env, or the instances that are assigned such tags. Note: Untagged instances also satisfy this search expression. | The following tags, or the instances that are assigned any of these tags or no tags: owner:admin, department |
| ('env' OR 'owner') AND NOT 'department' | Finds the tags that have the key env or the key owner but not the key department, or the instances that are assigned such tags. | The following tags, or the instances that are assigned any of these tags: env:dev, owner:admin |
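
The quoting, escaping and URL-encoding rules above, as an added Python example (not Oracle's code). The helper names are hypothetical, the sample tags are constructed, and pattern_to_regex is only a local model of the % and _ rules for previewing a pattern, not the service's own matcher.

```python
import re
from urllib.parse import quote


def escape_literal(text):
    """Backslash-escape ', % and _ so the service matches them literally."""
    return re.sub(r"(['%_])", r"\\\1", text)


def tag_term(key, value=None, value_is_pattern=False):
    """Build 'key' or 'key':'value'; a pattern keeps its % and _ wildcards."""
    term = "'" + escape_literal(key) + "'"
    if value is not None:
        body = value if value_is_pattern else escape_literal(value)
        term += ":'" + body + "'"
    return term


def tag_filter_query(expression):
    """Encode an expression for the URL: % becomes %25, spaces become %20."""
    return "tagFilter=" + quote(expression, safe="':()")


def pattern_to_regex(pattern):
    """Local model of the wildcard rules, used only to preview a pattern."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
        elif ch == "%":
            parts.append(".*")                        # any number of characters
            i += 1
        elif ch == "_":
            parts.append(".")                         # exactly one character
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matching_values(tags, key, value_pattern):
    """Values of the given key that the pattern would select."""
    rx = pattern_to_regex(value_pattern)
    return [v for k, v in tags if k == key and rx.fullmatch(v)]


# Constructed sample tags, modelled on the tables above.
SAMPLE_TAGS = [("env", "dev"), ("env", "dev1"), ("env", "dev2"),
               ("env", "dev_1"), ("env", "dev_admin"), ("env", "qa"),
               ("owner", "admin")]

if __name__ == "__main__":
    for pattern in ("dev%", "dev_", escape_literal("dev_") + "%"):
        expr = tag_term("env", pattern, value_is_pattern=True)
        print(expr, "->", tag_filter_query(expr),
              matching_values(SAMPLE_TAGS, "env", pattern))
```

Append the string returned by tag_filter_query to the endpoint URL after the question mark, and keep the whole URL in double quotation marks when passing it to cURL.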

Delete an OBCS Instance


When you no longer require an OBCS instance, you can delete it. Your account is no
longer charged for the instance.
Only a blockchain administrator can delete a service instance. See Assigning Roles in
Oracle Identity Cloud Service.
When you delete an OBCS instance:
• Resources such as IP addresses are removed.
• Storage volumes attached to the VMs hosting the OBCS instance are removed.
To delete an OBCS instance:
1. Navigate to My Services.

2. From the menu for the service instance, select Delete.


The Delete Service dialog is displayed.
3. In the Delete Service dialog box that opens, click Force service deletion and then
click Delete.
Once deleted, the OBCS instance is removed from the list of service instances
displayed on My Services.
If there is a problem deleting the service instance, the Retry Delete button is displayed.
Click the Retry Delete button to attempt to clean up any remaining resources and delete the
service instance completely. The Retry Delete button is displayed for as long as the
failed resources exist. Repeat this process, as necessary, until the Retry Delete
button is no longer displayed.
You won't be billed for the service if the deletion process times out before the entire
cleanup is complete. Oracle Cloud Services periodically retries the cleanup until the
service instance is successfully deleted. Alternatively, you can do this manually:
1. Click on Service create and delete history on My Services.


2. Select the service instance. The status of the service instance will be Deletion
Failed.
3. Click Retry Delete to initiate cleanup again.

4 Set Up Users and Access Roles
One of the first jobs you do after setting up a service with OBCS is to add user
accounts in Oracle Identity Cloud Service for everyone you expect to use the service
and assign them suitable permissions in the service.
Oracle Identity Cloud Service is available with your OBCS account. Use Oracle
Identity Cloud Service to add users and groups.

Topics:
• Use Oracle Identity Cloud Service for Authentication
• Connect to Oracle Identity Cloud Service from the Service Console
• Add Oracle Identity Cloud Service Users
• Assigning Roles in Oracle Identity Cloud Service

Use Oracle Identity Cloud Service for Authentication


Oracle Blockchain Cloud Service uses Oracle Identity Cloud Service for identity
management and authentication.
Oracle Identity Cloud Service provides Oracle Cloud administrators with a central
security platform to manage the relationships that your users have with your
applications, including with other Oracle Cloud services like OBCS. With Oracle
Identity Cloud Service you can create custom password policies and email
notifications, onboard new users, assign users and groups to applications, and run
security reports. See these topics in Administering Oracle Identity Cloud Service:
• About Oracle Identity Cloud Service Concepts
• How to Access Oracle Identity Cloud Service
Each Oracle Cloud service instance in your account is associated with an Oracle
Identity Cloud Service security application. Each security application defines one or
more application roles. Assign users and groups to these application roles in order to
grant them administrative access to a service. See these topics in Administering
Oracle Identity Cloud Service:
• Creating User Accounts
• Creating Groups
• Assigning Users to Oracle Applications
• Assigning Groups to Oracle Applications

Connect to Oracle Identity Cloud Service from the Service Console


When you create an OBCS instance, Oracle Cloud creates a security application for
the instance in Oracle Identity Cloud Service. You have direct access to this
application from the OBCS instance page in My Services so it's easy for you to add
users and grant roles for your instance.
1. Open the Cloud My Services console.
2. Click the name of the OBCS instance.
The Service Overview page displays showing the Web Tier Security Service and
the Blockchain Service Manager.
3. Click the manager for your instance.
An overview page with OBCS instance details is displayed.
4. Click the link next to IDCS Application and log in with your Oracle Identity Cloud
Service credentials if prompted.
An instance of Oracle Identity Cloud Service opens on the Details tab. Details
about the application associated with your OBCS instance are displayed in Oracle
Identity Cloud Service. From here, you can add users and groups, and assign
them various permissions (application roles) in the OBCS instance.
The IDCS console has the following tabs used by the OBCS instance:
• Details - Displays information about the OBCS instance, including the application
ID, name, display name, and description.
• Application Roles - Displays roles. Use this tab to assign users to roles in OBCS.
• Groups - Displays user groups. You use this tab to create groups and then add
one or more users or applications to the group.
• Users - Displays users. You use this tab to add users and assign them to one or
more groups or applications.

Add Oracle Identity Cloud Service Users


To access an OBCS instance that uses Oracle Identity Cloud Service for authentication,
OBCS users must first have valid Oracle Identity Cloud Service credentials.
Administrators manage the provisioning of users in Oracle Identity Cloud Service and
perform the task of adding users.
To add users and provide them access to OBCS:
1. Open the security application associated with the OBCS instance in Oracle Identity
Cloud Service as described in Connect to Oracle Identity Cloud Service from the
Service Console.
2. Click the Identity Cloud Service Users tab at the top of the page (not the Users tab
for the OBCS instance).
3. Click Add and provide user details, then click Finish.
The Details page is displayed for the user. An email will be sent to the user with
login information.


Add Hyperledger Fabric Enrollments to a REST Proxy


To use the REST proxy API you can use the default enrollments or create a new
enrollment by mapping an Oracle Identity Cloud Service user to a Hyperledger Fabric
enrollment.
Prerequisite: You must have added the enrollment to the REST node in the OBCS
console as described in Add Enrollments to a REST Proxy in Using Oracle Blockchain
Cloud Service.
1. Open the Oracle Identity Cloud Service console for your OBCS instance. The
application you’re looking for is named: OABCSINST_${stackname}manager
2. On the Application Roles tab, search for the REST proxy user you created the
enrollment for using the OBCS console. This role will be named:
RESTPROXY_USER_${enrollment_name}
3. Click the Action menu for this role, and select Assign Users.
4. Select a user registered with Oracle Identity Cloud Service, and click OK.
Some important things to note about how OBCS handles REST proxy user roles:
• The REST proxy will accept the request if the Oracle Identity Cloud Service user
has only one RESTPROXY_USER_${enrollment_name} role in the Oracle Identity
Cloud Service application.
• The REST proxy will reject the request if the Oracle Identity Cloud Service user
has multiple RESTPROXY_USER_${enrollment_name} roles in the Oracle Identity
Cloud Service application.
– If the Oracle Identity Cloud Service user doesn't have a
RESTPROXY_USER_${enrollment_name} role, but has one or more roles such as
RESTPROXY${1-4}_USER, the REST proxy will map this Oracle Identity Cloud
Service user to the default enrollment.
– The REST proxy will reject the request if the Oracle Identity Cloud Service
user doesn't have a RESTPROXY_USER_${enrollment_name} or
RESTPROXY${1-4}_USER role in the Oracle Identity Cloud Service application.
• The REST proxy caches the Oracle Identity Cloud Service application role
states every 120 seconds for better performance, so assigning users to or revoking
users from an Oracle Identity Cloud Service role may take 120 seconds to take effect.
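
The role rules above, written as an added Python check that can be run over an export of user-to-role assignments (example code, not part of OBCS or Oracle Identity Cloud Service). The function names and sample users are hypothetical, and RESTPROXY${1-4}_USER is assumed to mean RESTPROXY1_USER through RESTPROXY4_USER.

```python
import re
from datetime import datetime, timedelta, timezone

# Role-name shapes taken from the page; RESTPROXY${1-4}_USER is read here as
# RESTPROXY1_USER .. RESTPROXY4_USER (an assumption about the notation).
ENROLLMENT_ROLE = re.compile(r"RESTPROXY_USER_(.+)")
DEFAULT_ROLE = re.compile(r"RESTPROXY[1-4]_USER")
ROLE_CACHE_SECONDS = 120  # cache interval stated on the page


def resolve_enrollment(roles):
    """Return (decision, enrollment, reason) for one user's application roles."""
    custom = sorted({m.group(1) for r in roles
                     if (m := ENROLLMENT_ROLE.fullmatch(r))})
    has_default = any(DEFAULT_ROLE.fullmatch(r) for r in roles)
    if len(custom) == 1:
        return ("accept", custom[0], "exactly one enrollment role")
    if len(custom) > 1:
        return ("reject", None, "multiple enrollment roles: " + ", ".join(custom))
    if has_default:
        return ("accept", "default", "no enrollment role, default proxy user role")
    return ("reject", None, "no REST proxy user role")


def audit(assignments):
    """Resolve every user and list those rejected or on the default enrollment."""
    outcomes = {user: resolve_enrollment(roles)
                for user, roles in assignments.items()}
    review = sorted(user for user, (decision, enrollment, _) in outcomes.items()
                    if decision == "reject" or enrollment == "default")
    return outcomes, review


def revocation_effective_by(revoked_at):
    """Latest time a revoked role can still be served from the proxy cache."""
    return revoked_at + timedelta(seconds=ROLE_CACHE_SECONDS)


# Constructed sample data (not from a real identity domain).
SAMPLE_ASSIGNMENTS = {
    "alice": ["BCS User", "RESTPROXY_USER_supplier1"],
    "bob": ["RESTPROXY_USER_supplier1", "RESTPROXY_USER_auditor"],
    "carol": ["RESTPROXY2_USER"],
    "dave": ["BCS User"],
}

if __name__ == "__main__":
    outcomes, review = audit(SAMPLE_ASSIGNMENTS)
    for user, outcome in outcomes.items():
        print(user, outcome)
    print("review:", review)
    revoked = datetime(2018, 12, 1, 12, 0, tzinfo=timezone.utc)
    print("revocation effective by:", revocation_effective_by(revoked))
```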

Use a Third Party Identity Provider


By default, OBCS uses Oracle Identity Cloud Service as its identity provider. However,
it is possible to use another identity provider and map it to OBCS user roles.
Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service and
Microsoft Active Directory (via Active Directory Federation Services), and any identity
provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
For detailed information about how to configure this federation, refer to Identity
Providers and Federation.
To use a third party identity provider with OBCS:
1. Configure federation and single sign-on between Oracle Identity Cloud Service
and the third-party identity provider.


2. Grant OBCS roles to the identity provider user IDs.


3. Generate an access token for each identity provider user ID which uses REST to
interact with OBCS.

Configure the Single Sign-on


The instructions in this section provide a very brief overview of the general process
required to associate your third-party identity provider with Oracle Identity Cloud
Service and configure single sign-on. Refer to the documentation of both products for
more comprehensive information on how to complete this process.
In your third-party identity provider, create an integration between it and Oracle Identity
Cloud Service. Ensure that you configure it to use SAML-based sign-on using SAML
2.0. Export your identity provider's metadata for SAML federation (the SAML signing
certificate).
Create users in your identity provider and assign them access to Oracle Identity Cloud
Service. Create matching users in Oracle Identity Cloud Service. You can then add a
SAML identity provider in Oracle Identity Cloud Service and map it to your identity
provider by importing the identity provider metadata.

Grant User Roles


In order for the users registered in your identity provider to access OBCS, you will
need to grant them the appropriate user roles in Oracle Identity Cloud Service.
• In order to access the OBCS console, they need to be either BCS Administrator
or BCS User.
• In order to use the REST proxy they need to be either RESTPROXY#_ADMIN or
RESTPROXY#_USER.
• In order to run chaincode transactions or perform Fabric certificate authority
functions they need to be Administrator or Client.

For detailed information on user roles in OBCS, see Assigning Roles in Oracle Identity
Cloud Service.

Generate Access Tokens


Any user accessing OBCS through the REST APIs requires an access token.
1. Create a confidential application using a cURL command. Below is an example:

# ACCESS_TOKEN, IDCS_URL and appDisplay must already be set in the shell.
curl -X POST -H "Content-Type:application/scim+json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" "${IDCS_URL}/admin/v1/Apps" \
  -d '{
    "displayName": "'"${appDisplay}"'",
    "realmName": "'"${appDisplay}"'",
    "isKerberosRealm": false,
    "description": "App desc '"${appDisplay}"'",
    "basedOnTemplate": {
      "value": "CustomWebAppTemplateId"
    },
    "isOAuthClient": true,
    "clientType": "confidential",
    "allowedGrants": ["client_credentials",
      "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "urn:ietf:params:oauth:grant-type:saml2-bearer",
      "refresh_token"],
    "allowedScopes": [{
      "idOfDefiningApp": "d55b5f55b5ec55555ef55555b5cb55d5",
      "fqs": "https://URL.com:443/external"
    }, {
      "idOfDefiningApp": "d55b5f55b5ec55555ef55555b5cb55d5",
      "fqs": "https://URL.com:443/internal"
    }, {
      "idOfDefiningApp": "d55b5f55b5ec55555ef55555b5cb55d5",
      "fqs": "https://URL.com:443/restproxy"
    }],
    "schemas": [
      "urn:ietf:params:scim:schemas:oracle:idcs:App"
    ],
    "isUnmanagedApp": true,
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App": {
      "realmName": "'"${appDisplay}"'realmName",
      "masterKey": "hello_world",
      "defaultEncryptionSaltType": "defaultSalt",
      "supportedEncryptionSaltTypes": [
        "supportedTypes"
      ],
      "ticketFlags": 1,
      "maxTicketLife": 100,
      "maxRenewableAge": 100
    }
  }'

2. To make the confidential application visible to a user in the third-party identity
provider, create a role:

# NEW_APP_ROLE is the role name; APP_ID is the ID of the confidential application.
curl -X POST -H "Content-Type:application/scim+json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" "${IDCS_URL}/admin/v1/AppRoles" \
  -d '{"displayName": "'"${NEW_APP_ROLE}"'", "adminRole": true,
    "description": "test role for userX",
    "public": false, "availableToClients": true,
    "app": {"value": "'"${APP_ID}"'"},
    "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:AppRole"]}'

3. Grant the role to the third-party identity provider user:

# ROLE_ID is the ID of the role created in step 2; USER_ID is the ID of the user.
curl -X POST -H "Content-Type:application/scim+json" \
  -H "Authorization: Bearer $ACCESS_TOKEN" "${IDCS_URL}/admin/v1/Grants" \
  -d '{"app": {"value": "'"${APP_ID}"'"},
    "entitlement": {"attributeName": "appRoles", "attributeValue": "'"${ROLE_ID}"'"},
    "grantMechanism": "ADMINISTRATOR_TO_USER",
    "grantee": {"value": "'"${USER_ID}"'", "type": "User"},
    "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]}'

4. Sign on to Oracle Identity Cloud Service using the user ID from the third-party
identity provider. You should now see the OBCS application as well as the
confidential application you just created. Open the confidential application by
double-clicking it.
5. On the Details tab there is a Generate Access Token button. Click it to generate
the access token you need to access the REST proxy.
Once you have the access token it can be added to the OBCS REST API cURL
command headers as described in REST API for OBCS: Authentication.

Assigning Roles in Oracle Identity Cloud Service


This overview describes the roles that are relevant to OBCS. Anyone who uses or
administers OBCS must be added in Oracle Identity Cloud Service and granted the
correct user role.
Below are the roles that are available for OBCS.

| User Role | Granted Automatically to Instance Creator? | Description |
|---|---|---|
| Administrator | Yes | The CA Admin role is the overall administrator for the OBCS cloud application. |
| BCS Administrator | Yes | See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
| BCS User | | See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
| Client | Yes | This user role is assigned to OBCS participants to run transactions using the chaincode. |
| ORDERER | Yes | This role is assigned to the Fabric orderer node. |
| PEER | Yes | This role is assigned to a Fabric peer node. |
| RESTPROXY#_ADMIN | Yes | Grants user access to call administrative REST proxy endpoints. |
| RESTPROXY#_USER | Yes | Grants user access to call all REST proxy endpoints available on the REST proxy node with the same number. |

Access Control List for Console Function by User Roles


The following table lists which console features are available to the BCS Administrator
and BCS User roles.

| Feature | BCS Administrator | BCS User |
|---|---|---|
| Dashboard | Yes | Yes |
| Network: list orgs | Yes | Yes |
| Network: add orgs | Yes | No |
| Network: Ordering service setting | Yes | No |
| Network: Export certificates | Yes | Yes |
| Network: Export orderer settings | Yes | Yes |
| Node: list | Yes | Yes |
| Node: start/stop/restart | Yes | No |
| Node: add/remove | Yes | No |
| Node: view attributes | Yes | Yes |
| Node: edit attributes | Yes | No |
| Node: view metrics | Yes | Yes |
| Node: view logs | Yes | Yes |
| Node: Export/Import Peers | Yes | No |
| Peer Node: list channels | Yes | Yes |
| Peer Node: join channel | Yes | No |
| Peer Node: list chaincode | Yes | Yes |
| Channel: list | Yes | Yes |
| Channel: create | Yes | No |
| Channel: add org to channel | Yes | No |
| Channel: Update ordering service settings | Yes | No |
| Channel: view/query ledger | Yes | Yes |
| Channel: list instantiated chaincode | Yes | Yes |
| Channel: list joined peers | Yes | Yes |
| Channel: set anchor peer | Yes | No |
| Channel: upgrade chaincode | Yes | No |
| Chaincode: list | Yes | Yes |
| Chaincode: install | Yes | No |
| Chaincode: instantiate | Yes | No |
| Sample chaincode: install | Yes | No |
| Sample chaincode: instantiate | Yes | No |
| Sample chaincode: invoke | Yes | Yes |
| CRL | Yes | No |

5 Top FAQs for Administration and Configuration
The top FAQs for OBCS administration and configuration are identified in this topic.

How do I get support for OBCS?


You create a service request in the same way as for on-premises software.

How do I access my service once it’s created?


It’s accessible from My Services. Navigate to Oracle Blockchain Cloud Service,
select the Instances tab and look for the service you want to access. From the
Manage Instance menu associated with this instance, select Console URL.

How do I patch or upgrade my service?


You don’t need to patch or upgrade your service. Oracle takes care of patching for
you.

How do I back up or restore my service?


You can’t create a backup and restore an instance yourself.

How do I start and stop my instance?


You can’t start and stop your instance. Once it’s created it runs continuously until you
delete it.

Can I reuse instance names?


You won’t be able to create a new instance with a name used previously, even if the
instance has been deleted. Oracle is required to preserve data from the deleted
instance for 60 days which would cause conflicts if the name were reused.

Do I have direct access to the file system associated with my service?


No. You can’t access the file system for your service. Your service is managed by
Oracle.
