IBM Cloud Docs
FAQs

FAQs

ATTENTION!! IBM Blockchain Platform SaaS Edition has been replaced by IBM Support for Hyperledger Fabric!! IBM Blockchain Platform SaaS Edition will no longer be supported after July 31, 2023. Customers have been directed to migrate their networks by July 31, 2023. After this date, IBM Blockchain Platform SaaS networks that are not migrated to IBM Support for Hyperledger Fabric will be at risk for potential security vulnerabilities. A migration tool is provided from your console, and the disruption to your network is minimal. See Migrating to IBM Support for Hyperledger Fabric for details.

Hyperledger Fabric

Planning for your network

Deploying the platform or upgrading

Blockchain components

Certificates

Developing applications and smart contracts

Monitoring your network

What is the value of using IBM Blockchain Platform over native Hyperledger Fabric?

Hyperledger Fabric is a powerful, versatile, pluggable, open source, distributed ledger technology capable of addressing a wide variety of use cases across many industries. IBM Blockchain Platform is IBM's commercial distribution of Hyperledger Fabric. A key benefit of the platform is that IBM tests the open source code for security vulnerabilities daily and provides 24x7x365 support with SLAs appropriate for production environments. The platform is the commercial distribution of Hyperledger Fabric and includes integrated tools that provide end to end features for developers and network operators to develop, test, operate, monitor, and govern Fabric components by using an intuitive console UI. Quickly deploy an instance and use the streamlined console UI to build a network, easily deploy smart contracts, govern your components, and govern your channel. Interested in APIs? See the IBM Blockchain Platform API reference. With the IBM Blockchain Platform, it is easy to extend a basic network, work with multicloud solutions, and receive IBM worldwide support when needed. Finally, the IBM Blockchain Platform provides additional security benefits that are essential for running an enterprise-grade production network.

What version of Hyperledger Fabric is being used with IBM Blockchain Platform?

IBM Blockchain Platform for IBM Cloud uses Hyperledger Fabric v2.2.10.

Can IBM Blockchain Platform components interoperate with Hyperledger Fabric components on the same network? And vice versa? And what is the support policy for networks that include both IBM Blockchain Platform components and open source components?

Yes. Hyperledger Fabric networks consist of many distributed members owning one or more nodes. There are multiple deployment options:

  • IBM Blockchain Platform for IBM Cloud with console
  • IBM Blockchain Platform v2.x (Full Platform)
  • IBM Blockchain Images
  • Open source Hyperledger Fabric images or a non-IBM product

Containers deployed from any of the above sources can be connected on a single channel and transact. You can join IBM Blockchain Platform peers to any network running Hyperledger Fabric components. Similarly, you can invite Fabric peers to join channels hosted on an ordering service deployed on the IBM Blockchain Platform. Note that you will need to use Hyperledger Fabric APIs or the CLI. For more information about what is supported, see Support for IBM Blockchain Platform. For instructions on how to configure interoperability see Connect the IBM Blockchain Platform to Hyperledger Fabric components.

Is IBM Blockchain Platform HIPAA ready?

Because HIPAA readiness is only relevant when platform components process Personal Health Information (PHI) or Personally Identifiable Information (PII), the IBM Blockchain Platform does not need to be HIPAA ready. Customers should not store PHI or PII on the ledger since it is immutable and therefore cannot be deleted. Instead, the recommendation is to store all PHI or PII off ledger in another database and simply reference it from the ledger.

The IBM Blockchain platform gives customers total control over their deployments, certificates, and private keys. The console simplifies and accelerates the process of deploying components into a Kubernetes cluster on IBM Cloud that is managed and controlled by the customer. As a reminder, because the customer owns the storage that is mounted to the containers, IBM does not have access to or control over any of the data that the customer chooses to store in their ledger.

What ports are used by the IBM Blockchain Platform?

See the port information in the Security topic that addresses this for the console and the customer Kubernetes cluster.

How can I estimate the IBM Blockchain Platform sizing requirements for my development, test, and production environments?

After you understand how many CAs, peers, and ordering nodes are required, you can examine the default resource allocations table for your nodes to get an approximate estimate of the CPUs (VPCs) required for your network. If you are purchasing IBM Blockchain Platform on IBM Cloud, you can estimate your cost through this method, but you also have the ability to scale dynamically if more sources are needed.

How does pricing work on the IBM Blockchain Platform for IBM Cloud?

IBM Blockchain Platform for IBM Cloud is priced based on the VPCs that you allocate to your blockchain nodes on the IBM Kubernetes Service. For more information, see Pricing for IBM Blockchain Platform for IBM Cloud.

What are the limitations of the free IBM Blockchain Platform using the IBM Cloud Kubernetes Service free cluster?

  • Preview the IBM Blockchain Platform at no charge for 30 days when you link your IBM Blockchain Platform service instance to an IBM Cloud Kubernetes free cluster.
  • Performance will be limited by throughput, storage, and functionality. Read more about the limitations of free clusters.
  • IBM Cloud will delete your Kubernetes cluster after 30 days.
  • Only one blockchain console can be connected to a free cluster at a time.
  • You cannot migrate any nodes or data from a free cluster to a paid cluster.

The following capabilities are only available on a paid cluster:

  • Customizing resource allocation for a node during or after deployment.
  • Using a Hardware Security Module (HSM) to secure the private key for a node.
  • Configuring a Certificate Authority (CA) for high availability by using a PostgreSQL database and replica sets.
  • Selecting a specific Kubernetes zone when deploying a node.
  • Overriding node configuration during or after deployment by using the console or APIs.
  • Adding or removing ordering nodes to an ordering service. The free offering only supports a single node Raft ordering service.

See Find out how to preview the platform free for 30 days for more information on how to get started.

What regions or locations are available for the IBM Blockchain Platform for IBM Cloud?

The available regions for IBM Blockchain Platform are listed in IBM Blockchain Platform locations. Note that you must create a Kubernetes cluster on IBM Cloud in the same region as the blockchain service to recognize the cluster. Additional regions will be available soon.

What persistent file storage does IBM Blockchain Platform for IBM Cloud use by default?

By default IBM Blockchain Platform for IBM Cloud uses Classic file storage. You can find more information on the IBM Cloud File storage page. For a complete list of storage options, see Persistent storage considerations

Do I need multizone region storage for IBM Blockchain Platform nodes?

No. When the IBM Blockchain Platform is configured with a multizone cluster in IBM Cloud Kubernetes service, you can choose which zone a particular component (peer or ordering node) is deployed to, or you can let the console decide. Then, when the node is subsequently deployed, Kubernetes "pins" the associated pod to the chosen zone. Pinning means that Kubernetes will not provision the pod in another zone in the event of a whole zone failure. And because the pods are pinned to specific zones, there is no need to access the same storage from another zone. Therefore, MZR storage is not required for IBM Blockchain Platform nodes.

What versions of Red Hat OpenShift are supported?

Currently, IBM Blockchain Platform for IBM Cloud supports linking to Red Hat OpenShift Container Platform 4.5, 4.6 and 4.7 clusters.

Is there a trial option available for using a Red Hat OpenShift cluster on IBM Cloud?

A free 30 day trial is available in the Red Hat Marketplace.. See Deploy from Red Hat Marketplace to learn more.

Is it possible to deploy blockchain nodes to multiple clouds from a single blockchain console?

You cannot currently deploy blockchain nodes to multiple hosted cloud providers. However, you can use your console to operate a distributed multicloud network by importing nodes deployed by using consoles on other clouds.

How can I find what version of the IBM Blockchain Platform that I am running?

View the Support page by clicking the question mark icon Support link icon in the upper right corner of the page. The IBM Blockchain Platform version is visible under the page heading.

How do I get the latest Fabric version and Fabric functionalities on my IBM Blockchain Platform network?

Depending on the contents of a Fabric release and IBM Blockchain Platform, it might only be necessary to upgrade nodes to get access to the latest features. However, often it is necessary to update channel configurations with the latest capabilities in order to get access to the latest Fabric features. In these cases, it is important to upgrade components and channels in a particular order:

  1. Upgrade nodes to the latest Fabric versions. Note that nodes are always backward compatible with earlier versions and earlier capabilities. For more information about upgrading nodes, see Upgrading to a new version of Fabric.
  2. Update channels with any new channel capabilities. If you update capabilities to a capability level (such as 2.0) before upgrading nodes to the Fabric version corresponding to a capability, the node may crash. For more information, see Capabilities.

If you are moving from v1.4.x to v2.x, you may have to update your smart contracts to conform to new smart contract lifecycle. For more information, see Upgrading to a new version of Fabric.

I am currently using Hyperledger Fabric v1.4.x and want to move to IBM Blockchain Platform for IBM Cloud . Can I continue to use Raft?

Yes. The IBM Blockchain Platform for IBM Cloud uses Raft consensus. All of the applications and smart contracts that you are using on Fabric v1.4.x are able to work on your IBM Blockchain Platform network. However, no mechanism exists to migrate your ledger data from one network to another. Instead, you can reinstall your smart contract packages on your IBM Blockchain Platform network. See also Can IBM Blockchain Platform components interoperate with Hyperledger Fabric components on the same network?.

Can I migrate the blockchain components on my IBM Kubernetes service cluster to a Red Hat OpenShift cluster in IBM Cloud?

No. There is currently no way to migrate existing components to a new Red Hat OpenShift cluster in IBM Cloud.

What happens when I delete my IBM Blockchain Platform service?

When you delete an IBM Blockchain Platform service instance, all of the blockchain CAs, peers, smart contract pods (if using peers deployed with a Fabric 2.x image; smart contracts deployed on peers using a Fabric 1.4.x image are located inside the peer container), and ordering nodes are deleted along with their associated storage. If you have exported any nodes to other consoles, make sure to reach out to the administrators of those consoles to let them know that those nodes are no longer functioning, because deleting them in your console does not automatically delete them in theirs.

Can I use my existing Kubernetes cluster on IBM Cloud?

Your existing Kubernetes cluster works with the IBM Blockchain Platform if it satisfies the following conditions:

  • It is running Kubernetes version v1.24 - v1.26.
  • There are enough available resources in the cluster.

What database do the peers use for their ledger?

You have the choice of either CouchDB or LevelDB when you configure your peer database. Because data is modeled differently in a Couch database than in a Level database, the peers in a channel must all use the same database type. See LevelDB versus CouchDB to decide what is best for your business needs.

What types of off-chain databases are supported with the IBM Blockchain Platform?

As a best practice it is recommended that you do not query the entire blockchain ledger for the purpose of aggregation or reporting. If you want to build a dashboard or collect large amounts of data as part of your application, you can query an off chain database that replicates the data from your blockchain network. This allows you to understand the data on the blockchain without degrading the performance of your network or disrupting transactions.

You can use block or smart contract events from your application to write transaction data to an off-chain database or analytics engine. For each block received, the block listener application would iterate through the block transactions and build a data store by using the key/value writes from each valid transaction's read-write set. The Peer channel-based event services provide replayable events to ensure the integrity of downstream data stores. For an example of how you can use an event listener to write data to an external database, see the Off chain data sample in the Fabric samples.

Blockchain solutions can use any RDBMS or NoSQL DB such as IBM Cloudant for offchain data storage. Hyperledger Fabric does not govern, interact with, or manage off-chain databases. In most cases, the off-chain database is used for reference data and non-transactional data. IBM has successfully built blockchain products and solution accelerators with Hyperledger Fabric and NoSQL databases such as OrientDB.

If service discovery is on, will an endorsement request be routed to any peer on the network?

It depends on whether your endorsement policy is set to "ANY", in which any peer can sign an endorsement request, or whether the policy is bound directly to an organization's peers. The service discovery information provided by the peer supplies two pieces of information, Layouts and EndorsersByGroup. With these two pieces of data, the SDK has the ability to send requests to peers in different organizations that meet the endorsement policy requirements. The Node.js SDK provides default code that uses the Layouts and EndorsersByGroup and sends the requests to the appropriate peers to meet the endorsement policy requirements. This existing logic can be customized to meet the business needs.

Do ordering service Raft nodes use Transport Layer Security (TLS) for communication?

Yes. The Raft ordering service nodes are configured to use TLS communication. TLS is embedded in the trust model of Hyperledger Fabric. By default, server-side TLS is enabled for all communications using TLS certificates. TLS is used to encrypt the communication between your nodes and as well as between your nodes and your applications. TLS prevents man-in-the-middle and session hijacking attacks. All IBM Blockchain Platform components use TLS to communicate with each other.

How can I back up and restore components and networks?

As with anything that is deployed to a Kubernetes-based cluster, backups of components and networks in the IBM® Blockchain Platform are a matter of backing up its persistent volumes. These volumes are where ledgers and other types of storage are mounted so they can be used by nodes.

As a result, "backing up" a component or a network is the process of saving a copy of the relevant persistent volumes, while "restoring" a component or network involves bringing up components and pointing them to these saved volumes. For more information, check out Backing up and restoring components and networks.

What benefits are available with the new smart contract lifecycle available on nodes and channels running on Fabric v2.x?

The new smart contract lifecycle allows channel members to collaborate in the decision making process about smart contracts like never before. Where previously smart contracts were instantiated on a channel by a single channel member and other organizations only had the ability to choose whether to install the smart contract, the new lifecycle allows organizations to propose, approve, and commit smart contracts at an organizational level.

This separation of concerns opens exciting new opportunities for collaborating organizations. For example, different organizations can install smart contracts on their peers that contain only the code relevant to their business role and make minor updates to these smart contracts where necessary, without needing to seek new approvals from other organizations.

For a tutorial on how this process is handled by the console, check out Deploy a smart contract using Fabric v2.x.

For information about to take advantage of the new lifecycle when writing a smart contract, check out Writing powerful smart contracts.

How can I check and interpret the status of my components through the Kubernetes command line?

To check the status of your component, run the following command:

kubectl get <CUSTOM_RESOURCE_TYPE> <CUSTOM_RESOURCE_NAME> -n <NAMESPACE> -o yaml
  • Replace <CUSTOM_RESOURCE_TYPE> with the custom resource type of your component (ibpca, ibppeer, ibporderer, or ibpconsole).
  • Replace <CUSTOM_RESOURCE_NAME> with the name of your component.
  • Replace <NAMESPACE> with the name of your IBM Support for Hyperledger Fabric deployment namespace or OpenShift project.

The spec.status field will contain details of your component's status:

  • errorCode
  • lastHeartbeatTime: when the controller last reconciled the component
  • message: long explanation of the status type
  • reason: short explanation of the status
  • status: "true" or "false" based on if status is valid
  • version: the product (IBP) version of the component
  • versions: the operand version of the component
  • type: describes the current status of the component
    • Deploying: component pod(s) spinning up but not yet running and ready
    • Deployed: component pod(s) are running
    • Precreated: (specific to the Orderer) Orderer is waiting for the genesis block to be created
    • Error: component hit an error during reconcile, or a certificate has expired
    • Warning: one or more of the component's certificate will be expiring within 30 days (by default)
    • Initializing: component is being reconciled again due to spec updates in the pre-reconcile checks

Do you support using certificates from non-IBM Certificate Authorities?

Yes, you can bring your own certificates if they are issued by a CA that is X.509 compliant. The CA should sign by using ECDSA and the defaults should be set to use P256 curve. See this topic about Using certificates from an external CA with your peer or ordering node.

What is the recommended way to manage private keys?

Because private keys are not stored by the platform, users are responsible for downloading and securing their private key. Therefore, when a higher level of security is required for private keys, an HSM is recommended. An HSM is a hardware appliance that performs cryptographic operations and provides the capability to ensure that the cryptographic keys never leave the HSM. Hyperledger Fabric supports HSM devices that implement the PKCS #11 standard. PKCS #11 is a cryptographic standard for secure operations, generation, and storage of keys. See Configuring a node to use a Hardware Security Module (HSM) to learn more.

Can I integrate my corporate LDAP server with the Certificate Authority (CA) in the IBM Blockchain Platform?

You cannot currently directly integrate your LDAP server with the CA. However, you can use an external mechanism to generate X.509 certificates for the LDAP users. To use those certificates with a peer or ordering service, see these topics on Using certs from an external CA for your peer or ordering service and Manually building an organization MSP.

Also, you cannot configure the blockchain console login authentication to use an LDAP user registry at this time.

What is the process for rotating certificates on a periodic basis?

Similar to how passwords need to be regularly updated, identity certificates need to be renewed, a process also referred to as "certificate rotation". The platform displays certificate expiration dates for components throughout the console. When a certificate expires, transactions on the network will fail because the identity can no longer be trusted. It is your responsibility to monitor those expiration dates and manage your certificate renewal accordingly. The process varies depending on the type of certificate, when it was generated, and for organization admin certificates, whether Node OU support was enabled on the MSP when the identity was enrolled. The platform attempts to renew the peer and ordering node enrollment certificates 30 days before they expire. See Managing certificates to learn more about the types of certificates that you need to monitor and how to renew them.

What languages are supported for smart contracts?

The IBM Blockchain Platform supports smart contracts that are written in Node.js, Golang (Go), JavaScript, and Java. The new Hyperledger Fabric programming model currently supports JavaScript, TypeScript, Java, and Go. If you are interested in preserving your existing application code, or by using Fabric SDKs for Go, you can still connect to your IBM Blockchain Platform network by using the lower-level Fabric SDK APIs.

What version of the IBM Blockchain Platform works with the Ansible collection?

Versions 2.1.3 and 2.5.x of the IBM Blockchain Platform can be used with the Ansible collection to deploy a Hyperledger Fabric network.

How do I get support for running the IBM Blockchain Platform Ansible playbook?

Ansible is an open source technology and this product is not officially supported by IBM. For support related to the usage of the IBM Blockchain Platform and Ansible playbooks use the GitHub repository.

Can the IBM Blockchain Platform monitor the health of a client application?

The IBM Blockchain Platform console does not monitor the health of blockchain client applications, but IBM Cloud does offer tooling such as IBM Log Analysis and IBM Cloud Monitoring that can be used for their health monitoring.

Where does IBM store the customer's logs and how long does IBM keep the audit logs for the blockchain platform service?

The logs are stored in the customer's Kubernetes cluster. IBM does not have access to the logs and it is up to the customer to manage all of their log data including retention management.

Do we have access to logging services and what logs are available to me?

With IBM Blockchain Platform, you can now directly access logs from your Kubernetes dashboard. It is recommend that you take advantage of the IBM Log Analysis service that allows you to easily parse the logs in real time.

Where can I see the price breakdown for IBM Cloud Kubernetes Service, Storage, and Blockchain in my monthly invoice?

Actual cost breakdowns are visible from your Invoices in the IBM Cloud Dashboard. For detailed steps, see the Billing section in the Pricing topic.

Is there a best practice for monitoring my blockchain resources?

You are responsible for the health monitoring and resource allocation of the blockchain nodes in your Kubernetes cluster. While requests against the nodes are being actively processed, you should be monitoring for spikes in resource consumption to avoid problems. IBM recommends that you configure IBM Cloud Monitoring and set up alerts to track when blockchain nodes are reaching their limits. See the tutorial on IBM Cloud Monitoring for more details.

You should be aware that JavaScript and TypeScript smart contracts require more resources than contracts written in Golang. Therefore, when you are allocating resources to your cluster, it is important to ensure adequate resources are available to your smart contract pods when they are deployed on a channel and during transaction processing. The pods containing the smart contracts will consume as much resources as they need to function.