The VMware Blockchain Orchestrator infrastructure schema file includes the definitions of all the available properties to manually configure in your vSphere infrastructure environment and deploy VMware Blockchain nodes.

Organization Parameters

Specify the keyword organization in the infrastructure descriptor file.

Parameter

Description

damlSdk

Add the DAML (Digital Asset Modeling Language) SDK version.

This parameter is optional.

generatePassword

If the parameter is set to true, a root password is generated.

This parameter is optional.

generateDamlDbPassword

If the parameter is set to true, a DAML database password is generated.

For cloning your deployment environment, verify that the generateDamlDbPassword parameter is not set to true.

This parameter is optional.

secureStore

The agent residing in each Replica and Client node VM encrypts the files received from the configuration service. The agent generates a symmetric key and stores the key in the agent memory of each VM.

You can retrieve the symmetric key file from the blockchain node VM port 8546.

curl -X GET 127.0.0.1:8546/api/encryption/key

The additional_info contains any additional information or can remain null. When an error occurs, this option includes a probable reason.

Some of the files in the encrypted data include:

  • Private keys used for Replica node tls connections

  • Client node private keys for bft-client

  • Replica node private keys for trs

  • Client node private keys for trc

  • Replica node secrets.config

  • Transaction signing private keys on the Client node

If Secure Store is not provided, the default setting is INSECURE.

You can specify where the symmetric key file is written using the DISK option. If Secure Store is provided and the parameter option is left blank, the default setting is DISK. The default URL is file:///config/agent/secrets/secret_key.json.

You must provide the storeType value in the descriptor file for the deployment to start.

The following are the storeType values:

  • INSECURE - Feature is not enabled, and secrets are written in plain text on the blockchain node VMs.

    Note:

    This option is not recommended if you are storing sensitive information.

  • DISK - Specify a URL where the symmetric key file is written on the disk. The URL must start with file:///config/<URL>. If this option is left blank, then the default URL is file:///config/agent/secrets/secret_key.json.

  • NONE - Symmetric key is not written and stored in the memory only.

    You can retrieve the symmetric key file from the blockchain node VM port 8546.

    curl -X GET 127.0.0.1:8546/api/encryption/key

    Associate the symmetric key file to a user and restart the VM.

This parameter is optional.

advancedFeatures

CPU_PINNING

If this advanced parameter is set to true, your system gets tuned for higher performance. Before enabling the parameter, verify that the underlying infrastructure can accommodate 96 vCPUs for each Replica node VM for increased performance.

Setting the "CPU_PINNING": "True" enables high performance on all the Replica nodes after the deployment is complete.

The vCPU values after deployment are listed as follows in the agent configuration files:

  • Logging components: 0-5

  • DAMLe: 48-95

  • Concord container: 6-47

This parameter is optional.

vCenter Server Parameters

Specify the keyword vCenter in the infrastructure descriptor file.

Parameter

Description

url

Enter the vCenter Server URL endpoint you configured.

This parameter is mandatory.

tlsCertificateData

Enter the single line vCenter Server public key you extracted.

This parameter is optional.

userName

Enter your vCenter Server user name.

This parameter is mandatory.

password

Enter your vCenter Server password.

This parameter is mandatory.

resourcePool

Enter the vCenter Server resource pool you configured.

This parameter is mandatory.

storage

Enter the vCenter Server storage or datastore you assigned.

This parameter is mandatory.

folder

Enter the vCenter Server folder you designated.

This parameter is mandatory.

Replica and Client Node Network Parameters

Specify the keyword network in the infrastructure descriptor file.

If the NTP service is down or not synchronized, the time across Replica and Client nodes might become inaccurate, leading to data discrepancies or causing errors in the DAML Ledger API. To avoid DAML Ledger API errors and data discrepancies, keep the NTP service up and synchronized so that all the servers running VMware Blockchain reflect the accurate time.

Parameter

Description

name

Enter the network name.

This parameter is mandatory.

gateway

Enter the network gateway IP address.

This parameter is mandatory.

subnet

Set the subnet mask (prefix length) to a value between 0 and 32.

This parameter is mandatory.

nameServers

Enter single or multiple server IP addresses.

Separate the multiple server IP addresses with a comma without any space in between.

This parameter is mandatory.

Outbound Proxy Parameters

Specify the keyword outboundProxy in the infrastructure descriptor file.

The outbound proxy parameters are optional.

If you use the httpHost parameter, you must also set httpPort.

If you use the httpsHost parameter, you must also set httpsPort.

Parameter

Description

httpHost

Enter the outbound proxy HTTP host name or IP address.

httpPort

Enter the outbound proxy designated HTTP port.

httpsHost

Enter the outbound proxy HTTPS host name or IP address.

httpsPort

Enter the outbound proxy designated HTTPS port.

Docker Container Registry Parameters

Specify the keyword containerRegistry in the infrastructure descriptor file.

If you are using a private Docker container registry, you must download trusted VMware images. See Download Trusted VMware Images for Your Private Docker Container Registry.

Parameter

Description

url

Enter the Docker container registry URL so that VMware Blockchain can connect to the Docker repositories.

Note:

The Docker container registry can have a CA (Certificate Authority) or self-signed-based authentication.

For example, the Docker container registry URL can be https://vmwaresaas.jfrog.io/vmwblockchain.

This parameter is mandatory.

userName

Enter the Docker container registry user name.

For example, the Docker container registry username can be vmbc-jfrog-reader@vmware.

This parameter is mandatory.

password

Enter the Docker container registry password.

This parameter is mandatory.

tlsCertificateData

Enter the single-line TLS certificate output value for a Docker container registry if it is based on a self-signed authentication. The keys must be generated using the RSA algorithm.

This parameter is optional.

Notary Server Parameters

If you are using a private notary server with self-signed authentication, you must download trusted VMware images. See Download Trusted VMware Images for Your Private Docker Container Registry.

Parameter

Description

url

Enter a trusted notary server URL so that VMware Blockchain can connect to the notary server.

Note:

The notary server can have a CA (Certificate Authority) or self-signed-based authentication.

The notary server address where all the images are signed is https://notary.vdp.vmware.com.

This parameter is mandatory.

tlsCertificateData

Enter the single-line TLS certificate output value for the notary server based on a self-signed authentication. The keys must be generated using the RSA algorithm.

This parameter is optional.

Wavefront Metrics Parameters

Specify the keyword wavefront in the infrastructure descriptor file.

The Wavefront parameters are optional.

If you use this parameter, then both the url and token parameters are mandatory.

Parameter

Description

url

Enter the Wavefront endpoint URL.

token

Enter the token value you generated from Wavefront.

Elastic Search Metrics Parameters

Specify the keyword elasticSearch in the infrastructure descriptor file.

The Elasticsearch parameters are optional.

If you use elasticSearch, all of its parameters are mandatory.

Parameter

Description

url

Enter the ELK endpoint URL.

userName

Enter the Elasticsearch endpoint user name.

password

Enter the Elasticsearch endpoint password.

Logging Parameters

Depending on the type of logging endpoint you are using, specify the keyword LOG_INTELLIGENCE, LOG_INSIGHT, or HTTP in the infrastructure descriptor file.

Parameter

Description

type

Enter the logging parameter type, Log Intelligence, vRealize Log Insight, or HTTP.

This parameter is mandatory.

address

Enter the IP address or FQDN of the Log Intelligence, vRealize Log Insight, or HTTP endpoint.

This parameter is mandatory.

port

Enter the Log Intelligence, vRealize Log Insight, or HTTP endpoint port.

This parameter is optional.

If the port number is not specified in the URL and provided as the port attribute value, then the endpoint configuration in Fluentd has the hostname:port URL form.

username

Enter the vRealize Log Insight endpoint user name.

This parameter is mandatory.

For Log Intelligence, specify the authToken for user authentication instead.

For HTTP endpoints, the user name is optional.

password

Enter the vRealize Log Insight endpoint password.

This parameter is mandatory.

For Log Intelligence, specify the authToken for user authentication instead.

For HTTP endpoints, the password is optional.

logInsightAgentId

Enter the vRealize Log Insight agent ID.

This parameter is optional.

Zone Parameters

A zone is a set of standard infrastructure configurations applied to single or multiple blockchain deployments.

A zone can host multiple blockchain deployments that share the common infrastructure, such as network parameters, resource pool, storage, and compute resources. Multiple deployments in a single zone also share monitoring, logging, container registry, and proxy settings.

To establish a connection between your environment and the VMware Blockchain nodes, you must create a zone.

Parameter

Description

name

Assign a zone name.

This parameter is mandatory.

vCenter

Enter the vCenter Server URL endpoint you configured.

This parameter is mandatory.

network

Enter the zone network properties.

This parameter is mandatory.

outboundProxy

Enter the zone outbound proxy properties.

This parameter is optional.

containerRegistry

Enter the zone Docker registry properties.

This parameter is mandatory.

wavefront

Enter the zone Wavefront metrics properties.

This parameter is optional.

elasticSearch

Enter the zone Elastic Search metrics properties.

This parameter is optional.

logManagement

Enter the zone logging properties.

Zone logging supports HTTP endpoints with token-based authentication or basic authentication with a user name and password. Logging can be configured to send to multiple endpoints concurrently. Basic authentication is optional.

TLS for an HTTP logging destination is supported. If required, the logging destination server public key can be specified in the tlsCertificateData attribute. The keys must be generated using the RSA algorithm.

For example, you can specify HTTP and basic authentication with username and password for logstash-server-1.com and logstash-server-2.com.

Logging endpoint providers have their specifications for authentication tokens. You can also optionally provide basic authentication tokens, for example, endpoint-1.splunk.com.

Note:

You can specify only one basic authentication credential and one authentication token.

Some authentication tokens require "Bearer <token>". The token must be included in double-quotes syntax. For example, Splunk requires the authentication token "Splunk <token>". Check your logging endpoint server for the correct syntax.

Some logging endpoints require a port number to be specified in the URL. If the port number is specified in the URL, the port attribute value is ignored during the endpoint configuration.

If the port number is not specified in the URL and provided as the port attribute value, then the endpoint configuration in Fluentd has the hostname:port URL form.

This parameter is optional.

pullMetricsEndpoint

Activate the VMware Blockchain node VM metrics endpoints so that you can manually retrieve the monitoring metrics data and examine errors.

The metrics data is available in the Prometheus format. You can download and analyze this data within your preferred monitoring metrics framework.

This parameter is optional. If the parameter is not specified, the default configuration is enabled where the metrics can be retrieved from http://<Blockchain-VM-IP>:9273/metrics URL.

You can use domain-validated or self-signed certificates. As a best practice, use domain-validated certificates.

When the tlsCertificateData and tlsKeyData values are provided, the monitoring metrics data can be retrieved securely using an HTTPS protocol. The keys must be generated using the RSA algorithm. As a best practice, use these parameters to activate a secure endpoint connection.

The same certificate pair specified in the infrastructure descriptor file is applied to all deployed VMware Blockchain node VMs. Use only domain-validated certificates because IP address validated certificates are specific to an IP address and cannot be used.

If these parameters are not specified, the monitoring metrics data is retrieved over unsecured HTTP. Plain HTTP offers weak security and must be used for internal purposes only.

After deployment, you can validate whether the VMware Blockchain node VM endpoints are enabled, and the monitoring metrics data is retrieved.

pullMetricsEndpoint

userName

Enter the endpoint access user name. This user name is used for all the VMware Blockchain node VMs that belong to a zone.

This parameter is mandatory.

pullMetricsEndpoint

password

Enter the endpoint access password. This password is used for all the VMware Blockchain node VMs that belong to a zone.

This parameter is mandatory.

pullMetricsEndpoint

tlsCertificateData

Enter the single-line TLS certificate output value for self-signed authentication. The keys must be generated using the RSA algorithm.

You can convert the certificate file into a single-line string using the following command:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <cert_file_name>

This parameter is optional.

pullMetricsEndpoint

tlsKeyData

Enter the single-line TLS key data output value for self-signed authentication.

Note:

The private key must not contain a passphrase.

You can convert the key file into a single-line string using the following command:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <cert_file_name>

This parameter is optional.

Sample logManagement configuration:

"logManagement": [
  {
    "type": "LOG_INSIGHT",
    "address": "http://log-insight-server.com",
    "port": "9543",
    "userName": "loginsight-user",
    "password": "loginsight-password",
    "logInsightAgentId": "0"
  },
  {
    "type": "LOG_INTELLIGENCE",
    "address": "http://log-intelligence-server.com/v1/streams/ingestion-pipeline-stream",
    "port": "9543",
    "authToken": "\"Bearer <token>\""
  },
  {
    "type": "HTTP",
    "address": "http://logstash-server-1.com",
    "port": "19999",
    "userName": "logstash-user-1",
    "password": "logstash-password-1"
  },
  {
    "type": "HTTP",
    "address": "https://logstash-server-2.com:8938",
    "tlsCertificateData": "-----BEGIN CERTIFICATE-----\nTLS Certificate Data\n-----END CERTIFICATE-----"
  },
  {
    "type": "HTTP",
    "address": "https://endpoint-1.splunk.com:8088",
    "authToken": "\"Splunk <token>\""
  }
]
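The mandatory and optional rules on this page lend themselves to a pre-flight check of the descriptor before a deployment is started. The following script is an added example, not part of VMware Blockchain or of this document; it assumes the descriptor has been loaded from JSON into a dict with the top-level keys named in this page, treats a PEM header containing ENCRYPTED as the sign of a passphrase-protected key, and reads the note on authentication as one method per logging endpoint.

```python
from urllib.parse import urlsplit

# Constructed descriptor fragment (not from a real deployment); the logManagement
# entries mirror the sample above and deliberately break several of the rules.
SAMPLE = {
    "vCenter": {"url": "https://vcenter.example.test", "userName": "admin",
                "password": "secret", "resourcePool": "rp", "storage": "ds1"},
    "outboundProxy": {"httpHost": "proxy.example.test"},
    "pullMetricsEndpoint": {"userName": "metrics", "password": "metrics-pass",
                            "tlsKeyData": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n..."},
    "logManagement": [
        {"type": "HTTP", "address": "http://logstash-server-1.com", "port": "19999",
         "userName": "logstash-user-1", "password": "logstash-password-1"},
        {"type": "HTTP", "address": "https://endpoint-1.splunk.com:8088", "port": "19999",
         "authToken": "\"Splunk <token>\"", "userName": "dup", "password": "dup"},
    ],
}

def effective_log_endpoint(entry):
    """host:port that Fluentd targets: a port in the URL wins over the port attribute."""
    parts = urlsplit(entry["address"])
    port = parts.port if parts.port is not None else entry.get("port")
    return f"{parts.hostname}:{port}" if port else parts.hostname

def validate_descriptor(desc):
    """Return the list of rule violations; an empty list means the descriptor passes."""
    problems = []
    vc = desc.get("vCenter", {})
    for key in ("url", "userName", "password", "resourcePool", "storage", "folder"):
        if not vc.get(key):
            problems.append(f"vCenter.{key} is mandatory")
    proxy = desc.get("outboundProxy", {})
    for scheme in ("http", "https"):
        if proxy.get(f"{scheme}Host") and not proxy.get(f"{scheme}Port"):
            problems.append(f"outboundProxy.{scheme}Host requires {scheme}Port")
    pme = desc.get("pullMetricsEndpoint")
    if pme is not None:
        for key in ("userName", "password"):
            if not pme.get(key):
                problems.append(f"pullMetricsEndpoint.{key} is mandatory")
        # Assumption: a passphrase-protected PEM key carries ENCRYPTED in its header.
        if "ENCRYPTED" in pme.get("tlsKeyData", ""):
            problems.append("pullMetricsEndpoint.tlsKeyData must not be passphrase protected")
    for i, entry in enumerate(desc.get("logManagement", [])):
        if entry.get("type") not in ("LOG_INSIGHT", "LOG_INTELLIGENCE", "HTTP") or not entry.get("address"):
            problems.append(f"logManagement[{i}]: type and address are mandatory")
        if "authToken" in entry and ("userName" in entry or "password" in entry):
            problems.append(f"logManagement[{i}]: use either basic authentication or authToken")
    return problems
```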