Edits to use a CA
Doc previously, and in error, listed users folders
in the org MSP section where none is needed thanks
to Node OUs

Signed-off-by: joe-alewine <Joe.Alewine@ibm.com>
(cherry picked from commit a07c3fe)
joe-alewine authored and denyeart committed Aug 26, 2020
1 parent 7653f06 commit 4d53ed8
Showing 1 changed file with 10 additions and 7 deletions.
17 changes: 10 additions & 7 deletions docs/source/deployguide/use_CA.md
Expand Up @@ -68,11 +68,13 @@ Even if you don't plan to create an orderer organization, this kind of structure

It is the best practice to create these folders before enrolling identities and then referencing them when issuing the enroll command through the `--mspdir` flag. Note that while the --mspdir flag is used to specify where the MSP of the CA admin is during **registration**, it is used instead during **enrollment** to specify the location on the filesystem where the folders and certificates returned by the CA will be stored.

### Specifying NodeOUs
### NodeOUs

In previous versions of Fabric, identities only had two types: `client` and `peer`. The `peer` type was used for both peers and ordering nodes, while the `client` type was used for both clients (applications) and admins, with the placement of a `client` type in a special `admincerts` folder making the identity an admin within a particular context.

Now it is possible, and recommended, to encode not just `peer` or `client`, but also `orderer` or `admin` roles into the certificates generated by a CA using NodeOUs. Note that an identity can only have one of these roles, and that to enable these roles you must copy the relevant stanzas into a file called `config.yaml`. This `config.yaml` file is used by Fabric in different ways. In a channel MSP, it is used to verify that the `admin` of an organization has a role of `admin` (this replaces the use of an `admincerts` folder which was used in older versions of Fabric). In the local MSP of a node, it is used not just to verify the `admin` role of the node admin but that the identity of the node itself has a `peer` or `orderer` role.
Now it is possible, and recommended, to encode not just `peer` or `client`, but also `orderer` or `admin` roles into the certificates generated by a CA using NodeOUs. This embeds the role an identity has within the certificate.

Note that an identity can only have one of these roles, and that to enable these roles you must copy the relevant stanzas into a file called `config.yaml`. This `config.yaml` file is used by Fabric in different ways. In a channel MSP, it is used to verify that the `admin` of an organization has a role of `admin` (this replaces the use of an `admincerts` folder which was used in older versions of Fabric). In the local MSP of a node, it is used to verify the `admin` role of the node admin and the `peer` or `orderer` role of the node itself.

Note that you can name this `msp` folder anything you want --- `msp` is the default folder name used by the Fabric CA client. If you choose another name, for example, `org1msp`, then you will have to reference this folder using the `--mspdir` flag when enrolling the identity. Programmatically, you can use a command similar to this to copy `config.yaml` to the correct `msp` folder for the identity you've enrolled.
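Review bot: the rewritten paragraph still tells the reader to "copy the relevant stanzas into a file called `config.yaml`" without saying what those stanzas are or where they come from; since this file now decides which identities hold the `admin`, `peer` and `orderer` roles, state where the NodeOU stanzas are documented (or show them) at this point. Minor: the new sentence "This embeds the role an identity has within the certificate." repeats the sentence before it and could be folded into it, and `--mspdir` in the context paragraph above is backticked on first use and bare on the second.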

Expand Down Expand Up @@ -191,7 +193,7 @@ In certificate naming, it is helpful to use a convention that will help you keep

In this convention, the last word in the name before appending the `.pem` extension would be either `cert` or `key` to help you remember which is which.

## Creating an MSP from an enrolled identity
## Create an MSP from an enrolled identity

As we have noted, enrolling an identity with the Fabric CA generates output that includes not just public/private key pairs, but a number of related folders and certificates that Fabric networks need to consume.
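Review bot: renaming the heading from "Creating an MSP from an enrolled identity" to "Create an MSP from an enrolled identity" changes its generated anchor, so any link elsewhere in the docs (or externally) that targets the old `#creating-an-msp-from-an-enrolled-identity` fragment will silently stop resolving; grep the docs tree for the old anchor before merging. The same applies to the "Creating the local MSP of a node" heading renamed further down in this file.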

Expand All @@ -216,8 +218,6 @@ Here is a sample of the folder structure you will need if you want to add an org
│ └── tlsca.<org-domain>.pem
└── tlsintermediatecerts
└── tlsca.<org-domain>.pem
├── users
└── <admin public cert>.pem
```

Where the folders and certificates are:
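Review bot: dropping `users` also repairs the old tree, where `├── users` followed the `└── tlsintermediatecerts` last-child connector. Two things to check in what remains: the file under `tlsintermediatecerts` carries the same placeholder name `tlsca.<org-domain>.pem` as the root cert under `tlscacerts`, which invites copying the TLS root cert into both folders, so a distinct placeholder would help; and since the legend that follows now relies on `config.yaml` in place of `admincerts`, confirm that `config.yaml` appears in the part of this tree not shown in the hunk.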
Expand All @@ -226,11 +226,12 @@ Where the folders and certificates are:
* `intermediatecerts`: the root cert of an intermediate CA, if one was used.
* `tlscacerts`: the root cert of the TLS CA that has issued certificates to the nodes associated with this organization.
* `tlsintermediatecerts`: the root cert of the intermediate TLS CA, if one was used.
* `users`: this folder must contain the **public** certificate of at least one admin of this organization. Do not add a private key here. If you have registered and enrolled multiple admins, you will only need to include the public certificate from those enrollments here. You will still need to point to the relevant private key to sign requests, however.

Note that while the certificates themselves can be named anything you want, you should not change the name of the folders themselves, as Fabric expects to consume folders with certain names.

### Creating the local MSP of a node
In older versions of Fabric, the `config.yaml` file would not have been here and an additional folder, `admincerts`, would be needed, in which certificates identifying the admin of this organization would be placed. This is no longer necessary thanks to Node OUs. **Any identity given a Node OU of `admin` by the CA listed in `config.yaml` can administer the organization**.

### Create the local MSP of a node

While the MSP of an organization serves as the representation of the organization on a channel configuration, the local MSP of a node is a logical collection of parameters that is used, along with other parameters, as part of the creation of a node.
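Review bot: the deleted `users` bullet carried two cautions that the new paragraph drops: the organization MSP must never contain an admin's private key, and the admin still needs that private key elsewhere to sign requests. With NodeOUs, the CA issuing an `admin` OU is now the only thing that makes an identity an organization admin, so keeping the "public certificate only, private key stays with the admin" warning, and noting that registration of identities with the `admin` OU should be restricted at the CA, would preserve the security-relevant guidance. Also, "would not have been here" in the new paragraph is vague; say "in this folder structure", and name the Fabric version from which `admincerts` became unnecessary rather than "older versions".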

Expand Down Expand Up @@ -283,5 +284,7 @@ Where the folders and certificates are:

Note that while the certificates themselves can be named anything you want, you should not change the name of the folders themselves, as Fabric expects to consume folders with certain names.

Just as Node OUs make it no longer necessary to include a certificate of an admin in the organization MSP, it is not necessary to include the public certificate of a node admin to administer the node. **Any identity given a Node OU of `admin` by the CA listed in `config.yaml` can administer any of the nodes owned by that organization without needing to place the public certificate of that admin in the organization MSP or the local MSP**.

<!--- Licensed under Creative Commons Attribution 4.0 International License
https://creativecommons.org/licenses/by/4.0/ -->
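Review bot: the new bold sentence says "the CA listed in `config.yaml`", but this section describes the local MSP of a node, which has its own `config.yaml`; make clear whether the node's local MSP `config.yaml` or the organization's channel MSP `config.yaml` is meant, since the two can list different CAs and the node consults its local one when checking who may administer it. The sentence also largely repeats the bold rule added in the organization MSP section above; one statement of the rule plus a short cross-reference would be easier to keep consistent.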
