AWS Partner Network (APN) Blog

Build and Integrate Production Blockchain at Consortia Scale with Kaleido Marketplace on AWS

By Lana Kalashnyk, Partner Solutions Architect at AWS
By Peter Broadhurst, Head of Engineering at Kaleido

Enterprise customers increasingly look to blockchain as a way to improve transparency, reduce cost and time of transactions, reduce fraud, and eliminate inefficient centralized middleware processes.

As opposed to public blockchains, their enterprise cousins have to tackle an additional set of requirements, such as privacy and security of customer data, consortia governance, shared IT, and integration with existing internal systems and cloud estate.

For example, back-office processes need to be interwoven, identity registries need proper management, sensitive key materials need to be securely encrypted, existing applications and trusted oracles need to communicate with the chain, and on and on and on. Now extend this with the need for ancillary features like identity masking and off-chain shared file systems, and you begin to see that a legitimate production solution is far broader than blockchain itself.

The reality is only about 10 percent of an enterprise blockchain solution is the blockchain network itself. There are many other application, data, and infrastructure components required to build a complete production-ready business solution.

Kaleido is a ConsenSys business that introduced the Kaleido Marketplace—a catalog of supplementary ledger services, third-party applications, and AWS integration services. This makes Kaleido a full-stack cloud-based platform for enterprise blockchains that can accelerate the entire journey from experimentation and proofs of concepts (POC) to pilots and production networks.

ConsenSys is an AWS Partner Network (APN) Advanced Technology Partner that is enabling consortiums—that is, associations of two or more organizations—to create and operate enterprise blockchain networks on Amazon Web Services (AWS) without spending months and millions of dollars writing custom code.

Kaleido Marketplace

You can view the Kaleido Marketplace either from the website, or from within your Kaleido console by accessing Add Services as shown in Figure 1.


Figure 1 – Kaleido Console with Add Services drop-down selection.

Available exclusively on AWS, Kaleido offers organizations of all sizes a simplified journey for building out consortia and deploying bespoke blockchain networks. Via the tried-and-true Ethereum protocol, end users can choose between varying node clients like geth and quorum, and consensus algorithms depending on their trust needs, to form customized networks that comply with privacy and performance mandates.

Now, with the presence of the Kaleido Marketplace, organizations can accelerate their journey to production-caliber solutions by wiring in pre-integrated components. Let’s walk through an end-to-end journey using Kaleido and the new marketplace.

Creating a Blockchain Network for a Consortium

As an example, let’s say a consortium of banks and energy suppliers wants to use Kaleido for a trade finance use case. The actual formation of the consortium is at heart a human problem, and Kaleido offers streamlined member on-boarding with fully transparent views of the current state of the consortia. This means that when an external organization is issued an email invitation to join, they’ll have full line-of-sight into the existing members and the consortia mission.

These features, along with the breadth and flexibility of Ethereum applications in tokenizing illiquid assets, are particularly applicable to commodities trading.

Leveraging Kaleido to bring their solutions to production, Komgo, a cutting-edge commodity trade and finance network comprised of global institutions like Citi, ABN AMRO Bank, ING, Koch Supply & Trading, MUFG Bank, Societe Generale, Credit Agricole Group, BNP Paribas, Shell, and others, has successfully developed a blockchain platform to facilitate transactions between extractors, traders, and financiers, thus reducing the mobilization of capital.

Learn more about Komgo and Kaleido >>


Figure 2 – Kaleido services integrations.

With the consortia fully built, the next step is to address know your customer (KYC) compliance. Consortia members have a right and need to know that their business counterparts in the network truly are whom they claim to be.

To accommodate this requirement, Kaleido takes advantage of the widely used public key infrastructure (PKI) scheme, and allows individual organizations to upload their own digital X.509 certificate chains. The rest of the network can then download a fellow organization’s certificate and ensure it has been signed by a trusted and reputable root authority.

On-Chain Identity

This transparent identity verification is incredibly powerful, but it’s only part of the solution. The end goal is to map identities to specific Ethereum addresses, so that when transactions come into the network they can be unequivocally bound to a parent organization in the consortium.

The Identity Registry is a smart contract that keeps track of organizations, digital certificates, Ethereum addresses, and end users. Now, when a transaction takes place publicly in the network, everyone will know that 0xce4602c27Adf0faD56EB0D5711BefF148D2d71ae is actually the address registered against Bank A.

But what’s to stop another organization from identity theft by downloading another’s certificate and uploading it into the ID Registry as their own? The Registry has cryptographic checks built in to ensure that only the possessor of a certificate’s private key has the ability to claim that identity. As a result, consortia members can trust that only the organizational admins are able to access the registry and inject identity assertions.


It may seem strange to broach the subject of anonymity immediately after KYC and enterprise identity, but there are a variety of circumstances where the true actors in a transaction need to be hidden. Say, for instance, that a consortium has full line-of-sight into frequent transactions taking place between Bank A and Energy Company B. The rest of the financial institutions in the network would have competitive market data and could sweeten their financing bids on future proposals.

Kaleido tackles this issue with the Identity Masking HD Wallet, which is simply a deterministic key tree offering access to an unlimited supply of private signing keys. Using the HD Wallet, transactions can be sent to the network with a random untraceable identity on a need-by-need basis.
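The deterministic key tree described above, as an added example that is not Kaleido's code: it assumes BIP32-style hardened derivation over secp256k1 (the post does not name the derivation scheme), and the function names, the account/index path layout and the sample seed are hypothetical.

```python
import hashlib
import hmac

# Order of the secp256k1 group, the curve Ethereum uses for signing keys.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # child indexes at or above this value are "hardened"


def master_node(seed: bytes) -> tuple:
    """Turn a seed into the root (private key, chain code) of the tree."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid master key; use another seed")
    return key, digest[32:]


def hardened_child(key: int, chain_code: bytes, index: int) -> tuple:
    """Derive hardened child `index` from a parent private key and chain code."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2**31)")
    data = b"\x00" + key.to_bytes(32, "big") + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child at this index; skip to the next one")
    return child, digest[32:]


def derive(seed: bytes, path: list) -> int:
    """Walk a path of hardened indexes from the seed and return the leaf key."""
    key, chain_code = master_node(seed)
    for index in path:
        key, chain_code = hardened_child(key, chain_code, index)
    return key


def one_time_keys(seed: bytes, account: int, count: int) -> list:
    """Return `count` per-transaction signing keys (hex) under one account branch."""
    return [f"{derive(seed, [account, i]):064x}" for i in range(count)]


# Constructed sample seed (the public BIP32 test-vector seed), for illustration only.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    for n, k in enumerate(one_time_keys(SAMPLE_SEED, account=0, count=3)):
        print(n, k[:8] + "...")  # show only a prefix of each private key
```

Every key is reproducible from the seed alone, so the seed is the single secret to protect and back up; the derived keys are unlinkable to an observer who does not hold it.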

Secure File Sharing

As mentioned at the onset of this post, the chain layer is only a fractional piece in an overall blockchain solution. Because blockchain ledgers are not designed to store and process large files, organizations need some type of shared infrastructure to upload files and quickly retrieve them.

Let’s say you have a lengthy contract outlining the mechanics of a syndicated loan. It may be nice to store a reference to this contract on the blockchain, rather than the entire file. Enter Kaleido service number three, InterPlanetary File System (IPFS) nodes. IPFS is a censorship-resistant peer-to-peer file sharing technique that allows anyone to seamlessly upload a file and then retrieve it by referencing a hash.

So, IPFS nodes become a powerful supplementary service to the actual chain layer, with smart contracts and transactions only needing to reference the hash of an uploaded file. This keeps transactions lightweight and performant.

Token Economy

At the heart of the Ethereum blockchain is an intrinsic token, specifically an ERC20 token, referred to as ether. Ether is used to pay for transactions on the public network, and serves as an incentive mechanism for nodes that successfully “mine” blocks.

In private permissioned Ethereum implementations, ether is not required to process transactions. However, the presence of a token could add extra versatility and flexibility for certain use cases. For example, ether could be mapped to fiat and fungible assets or used to impose costs on certain smart contract functions. Every environment in Kaleido comes provisioned with a one billion Ether Pool for the fellow members of the consortia to disseminate as they see fit.

Collusion Resistance

Private networks have a limited number of participants. What if a supermajority decided to collude in an attempt to rewrite the blockchain? While the technical complexities of such a hack make this incredibly unlikely, the hypothetical possibility still exists.

The MainNet Tether feature takes collectively-signed state snapshots of the private chain environment and appends them to the selected public Ethereum network. In the event of ledger manipulation and retroactive collusion, an indelible record of the true chain history will exist as a proof on the public network.
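Why an external anchor catches what the private network cannot, as an added example that is not Kaleido's implementation: the block layout, the checkpoint interval and all function names are assumptions, and the collective signatures on each snapshot are omitted so the example runs with the standard library only.

```python
import hashlib
import json


def block_hash(block: dict) -> str:
    """Hash a block's canonical JSON form; `parent` links it to its predecessor."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def build_chain(payloads: list) -> list:
    """Build a hash-linked chain: each block commits to the previous block's hash."""
    chain, parent = [], "0" * 64
    for height, payload in enumerate(payloads):
        block = {"height": height, "parent": parent, "payload": payload}
        chain.append(block)
        parent = block_hash(block)
    return chain


def snapshot(chain: list, every: int) -> dict:
    """Checkpoints {height: block hash} as they would be published to the public chain."""
    return {b["height"]: block_hash(b)
            for b in chain if b["height"] > 0 and b["height"] % every == 0}


def is_internally_consistent(chain: list) -> bool:
    """The only check members can run when no external anchor exists."""
    return all(chain[i]["parent"] == block_hash(chain[i - 1])
               for i in range(1, len(chain)))


def first_mismatch(chain: list, anchors: dict):
    """Earliest anchored height the presented chain no longer matches, else None."""
    for height in sorted(anchors):
        if height >= len(chain) or block_hash(chain[height]) != anchors[height]:
            return height
    return None


# Constructed sample ledger: ten transfers, checkpointed every third block.
HONEST = build_chain([f"transfer #{i}" for i in range(10)])
ANCHORS = snapshot(HONEST, every=3)

# A colluding supermajority alters block 4 and re-links every later block.
REWRITTEN = build_chain(
    ["transfer #4 (altered)" if b["height"] == 4 else b["payload"] for b in HONEST]
)
```

The rewritten chain still passes `is_internally_consistent`, but `first_mismatch` reports the first checkpoint after the altered block, which bounds where the history diverged.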

Chain Analytics

Organizations need to visualize transactions and quickly retrieve blocks, smart contracts, and other critical pieces of ledger data. The Block Explorer is exactly what you probably imagine it to be: an environment-specific dashboard exposing real-time and historical chain information.

The explorer is also backed by a logical set of APIs, allowing organizations to scope and refine certain subsets of data as they see fit.

Ethereum Made Easy

There are many nuances and complexities involved with the submission of Ethereum transactions. Typically, a heavy client library is leveraged and applications are coded against Ethereum-compatible APIs. This approach requires deep blockchain expertise and is prone to a wide variety of unforeseen errors.

The Eth-Connect bridge is a messaging layer that takes the headache out of transaction submission. Transactions can be submitted as basic JSON payloads, and existing legacy applications can be easily integrated with Kaleido without needing to inject these heavy libraries into already hardened processes. The bridge also handles periodic surges and bursts of transactions by injecting them to the network at an optimal rate.

Build with Seamless Integration to AWS Services

The Kaleido platform is available across AWS Regions in North America, Europe, and Asia Pacific. Besides managing your blockchain environment, it leverages private networking via AWS PrivateLink, federated login via Amazon Cognito, data backup with Amazon Simple Storage Service (Amazon S3), log streaming with AWS CloudWatch, and key protection with AWS Key Management Service (KMS).


Figure 3 – Integration with AWS services.

Private Networking to Your Node with AWS PrivateLink

Kaleido node API endpoints can be reached from within your own AWS account via AWS PrivateLink. This allows you to connect your infrastructure by running all traffic on the AWS backbone, leveraging TLS 1.2 encryption without ever sending transactions over the public internet.

PrivateLink is also compatible with AWS Direct Connect if you have it configured on your account, allowing you to create a private connection all the way into Kaleido from applications and infrastructure running in your own private/on-premises data center network.

Learn how to set up Kaleido with AWS PrivateLink >>

Key Protection with AWS Key Management Service (KMS)

Key material is generated inside of the container, stored on the dedicated file store allocated to your node, and encrypted at rest. You can now configure an extra layer of security on top of your keys, using a master key locked inside your own KMS. This allows you to never persist plain-text key materials such as node signing keys, account keys, and private transaction store communication keys.

Learn how to configure KMS key protection in Kaleido >>

Backup Node Data to a Secure Amazon S3 Bucket

Kaleido drastically simplifies running a blockchain network by offering a fully managed service for running and administering your nodes in private blockchains. Backing up a node's data allows you to have a complete copy of all the node's transactions and other data in an Amazon S3 bucket of your choosing.

Backups can be initiated on demand or scheduled via the Kaleido REST API, and include:

  • The ledger data maintained by that node
  • The key materials (encrypted if you use KMS)
  • The secure data enclave for private transactions
  • The genesis and other configuration needed to run the node

Stream Your Logs to AWS CloudWatch

Diagnosing problems in decentralized applications can be tricky. The new integration with AWS CloudWatch allows you to diagnose problems quickly, through your application stack, right down onto the chain. Kaleido seamlessly integrates with CloudWatch to securely stream logs to a Log Group that you specify in your AWS account.

By leveraging CloudWatch, you have the ability to forward logs on to an Amazon Elasticsearch Service cluster, so you can build powerful Kibana dashboards correlating events in your blockchain logs with your application logs.

Learn how to configure log streaming to AWS CloudWatch >>

Enterprise Login and Identity Federation via Amazon Cognito

Kaleido is built for enterprises, so we have provided the ability to delegate login to Kaleido to your own Amazon Cognito user pool. This puts access management, on-boarding, and off-boarding of users for your Kaleido organization fully in your own control.

Within Amazon Cognito, you can then configure identity federation to your own identity provider via SAML or OpenID Connect, as well as a rich set of built-in integrations such as Google Sign-in. So if you have an enterprise login infrastructure for software-as-a-service (SaaS) solutions, you can plug this into Kaleido and exploit your own enterprise controls such as:

  • Multi-factor authentication (2FA/MFA)
  • Integration into your own LDAP user registry
  • Custom password management controls

Learn how to configure a login and ID federation via Amazon Cognito >>

Third-Party Integrations

Ethereum's ecosystem of budding startups and thousands of developers is what draws like-minded individuals to rewrite some of the existing paradigms. Kaleido Marketplace offers the ability to plug third-party solutions into existing consortia blockchain networks. Two of these integrations are available now, with more to come.

The first is Chainlink, a decentralized oracle network that provides reliable, tamper-proof inputs and outputs for complex smart contracts. In the context of blockchain, oracles connect a contract to external data, giving it knowledge of real-world external events, APIs, and other blockchains.

The other is OpenLaw, which allows you to create, store, and execute legal agreements that interact with blockchain-based smart contracts. OpenLaw allows users to automate legal agreements, provide evidence of “state” of agreement, and electronic signatures. All of this can speed up tasks that used to take days to just a fraction of that time and cost.

Next Steps

If you’re looking for an easy, fast, and frictionless path to enterprise-grade production blockchains, you’ve come to the right place.

Kaleido, in collaboration with ConsenSys and AWS, offers simplified and accelerated access to blockchain. Its full-stack blockchain SaaS platform can eliminate up to 80 percent of the custom code needed to build a given blockchain solution by providing an array of trusted tools and services from Kaleido, AWS, and third-party providers that are “plug-and-play” and span needs from back-end development to front-end app user interfaces.

Start using Kaleido and the Kaleido Marketplace, and accelerate your blockchain journey for free with their complimentary Starter Plan.



ConsenSys – APN Partner Spotlight

ConsenSys is an APN Advanced Technology Partner. They are enabling consortiums to create and operate enterprise blockchain networks on AWS without spending months and millions of dollars writing custom code.
