Merge pull request #589 from 125801169/release-2.0
Securing Communication With Transport Layer Security (TLS)
Showing 4 changed files with 148 additions and 278 deletions.
@@ -1,145 +1,101 @@ | ||
Securing Communication With Transport Layer Security (TLS) | ||
使用传输层安全性(TLS)保护通信 | ||
========================================================== | ||
|
||
Fabric supports for secure communication between nodes using TLS. TLS communication | ||
can use both one-way (server only) and two-way (server and client) authentication. | ||
Fabric支持使用TLS的节点之间的安全通信。 TLS通信可以使用单向(仅服务器)和双向(服务器和客户端)身份验证。 | ||
|
||
Configuring TLS for peers nodes | ||
为peer节点配置TLS | ||
------------------------------- | ||
|
||
A peer node is both a TLS server and a TLS client. It is the former when another peer | ||
node, application, or the CLI makes a connection to it and the latter when it makes | ||
a connection to another peer node or orderer. | ||
peer节点既是TLS服务器又是TLS客户端。当另一个peer节点、应用程序或客户端与其建立连接时,它是前者;而当它与另一个peer节点或orderer节点建立连接时,则是后者。 | ||
|
||
To enable TLS on a peer node set the following peer configuration properties: | ||
要在peer节点上启用TLS,需要设置以下配置属性: | ||
|
||
* ``peer.tls.enabled`` = ``true`` | ||
* ``peer.tls.cert.file`` = fully qualified path of the file that contains the TLS server | ||
certificate | ||
* ``peer.tls.key.file`` = fully qualified path of the file that contains the TLS server | ||
private key | ||
* ``peer.tls.rootcert.file`` = fully qualified path of the file that contains the | ||
certificate chain of the certificate authority(CA) that issued TLS server certificate | ||
|
||
By default, TLS client authentication is turned off when TLS is enabled on a peer node. | ||
This means that the peer node will not verify the certificate of a client (another peer | ||
node, application, or the CLI) during a TLS handshake. To enable TLS client authentication | ||
on a peer node, set the peer configuration property ``peer.tls.clientAuthRequired`` to | ||
``true`` and set the ``peer.tls.clientRootCAs.files`` property to the CA chain file(s) that | ||
contain(s) the CA certificate chain(s) that issued TLS certificates for your organization's | ||
clients. | ||
|
||
By default, a peer node will use the same certificate and private key pair when acting as a | ||
TLS server and client. To use a different certificate and private key pair for the client | ||
side, set the ``peer.tls.clientCert.file`` and ``peer.tls.clientKey.file`` configuration | ||
properties to the fully qualified path of the client certificate and key file, | ||
respectively. | ||
|
||
TLS with client authentication can also be enabled by setting the following environment | ||
variables: | ||
* ``peer.tls.cert.file`` = 包含TLS服务器证书的文件的标准路径 | ||
* ``peer.tls.key.file`` = 包含TLS服务器私钥的文件的标准路径 | ||
* ``peer.tls.rootcert.file`` = 包含颁发TLS服务器证书的证书颁发机构(CA)的链上证书文件的标准路径 | ||
|
||
默认情况下,在peer节点上启用TLS时,TLS客户端身份验证是关闭的。这意味着在TLS握手期间,peer节点将不会验证客户端(另一个peer节点,应用程序或CLI)的证书。要在对等节点上启用TLS客户端身份验证,需要将peer配置中的属性``peer.tls.clientAuthRequired`` 设置为``true`` ,并将该``peer.tls.clientRootCAs.files`` 属性设置为包含CA证书链的CA链文件,该CA证书链为组织(organization)的客户端发布TLS证书。 | ||
|
||
默认情况下,per节点在充当TLS服务器和客户端时将使用相同的证书和私钥对。要在客户端使用其他证书和私钥对,请将 ``peer.tls.clientCert.file``和 ``peer.tls.clientKey.file``配置属性分别设置为客户端证书和密钥文件的标准路径。 | ||
也可以通过设置以下环境变量来启用具有客户端身份验证的TLS: | ||
* ``CORE_PEER_TLS_ENABLED`` = ``true`` | ||
* ``CORE_PEER_TLS_CERT_FILE`` = fully qualified path of the server certificate | ||
* ``CORE_PEER_TLS_KEY_FILE`` = fully qualified path of the server private key | ||
* ``CORE_PEER_TLS_ROOTCERT_FILE`` = fully qualified path of the CA chain file | ||
* ``CORE_PEER_TLS_CERT_FILE`` = 服务器证书的标准路径 | ||
* ``CORE_PEER_TLS_KEY_FILE`` = 服务器私钥的标准路径 | ||
* ``CORE_PEER_TLS_ROOTCERT_FILE`` = CA链文件的标准路径 | ||
* ``CORE_PEER_TLS_CLIENTAUTHREQUIRED`` = ``true`` | ||
* ``CORE_PEER_TLS_CLIENTROOTCAS_FILES`` = fully qualified path of the CA chain file | ||
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = fully qualified path of the client certificate | ||
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = fully qualified path of the client key | ||
* ``CORE_PEER_TLS_CLIENTROOTCAS_FILES`` = CA链文件的标准路径 | ||
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = 客户证书的标准路径 | ||
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = 客户端密钥的标准路径 | ||
|
||
|
||
|
||
When client authentication is enabled on a peer node, a client is required to send its | ||
certificate during a TLS handshake. If the client does not send its certificate, the | ||
handshake will fail and the peer will close the connection. | ||
在peer节点上启用客户端身份验证后,要求客户端在TLS握手期间发送其证书。如果客户端未发送其证书,则握手将失败,并且peer节点将关闭连接。 | ||
|
||
When a peer joins a channel, root CA certificate chains of the channel members are | ||
read from the config block of the channel and are added to the TLS client and server | ||
root CAs data structure. So, peer to peer communication, peer to orderer communication | ||
should work seamlessly. | ||
当peer节点加入通道时,将从通道的配置区块中读取通道成员的CA根证书链,并将其添加到TLS客户端和服务器CA数据结构中。因此,peer节点间通信和peer节点与orderer节点间通信应该无缝地工作。 | ||
|
||
Configuring TLS for orderer nodes | ||
|
||
为orderer节点配置TLS | ||
--------------------------------- | ||
|
||
To enable TLS on an orderer node, set the following orderer configuration properties: | ||
要在orderer节点上启用TLS,需要设置orderer节点的配置属性: | ||
|
||
* ``General.TLS.Enabled`` = ``true`` | ||
* ``General.TLS.PrivateKey`` = fully qualified path of the file that contains the server | ||
private key | ||
* ``General.TLS.Certificate`` = fully qualified path of the file that contains the server | ||
certificate | ||
* ``General.TLS.RootCAs`` = fully qualified path of the file that contains the certificate | ||
chain of the CA that issued TLS server certificate | ||
* ``General.TLS.PrivateKey`` = 包含服务器私钥的文件的标准路径 | ||
* ``General.TLS.Certificate`` = 包含服务器证书的文件的标准路径 | ||
* ``General.TLS.RootCAs`` = 包含颁发TLS服务器证书的CA的证书链的文件的标准路径 | ||
|
||
By default, TLS client authentication is turned off on orderer, as is the case with peer. | ||
To enable TLS client authentication, set the following config properties: | ||
默认情况下,与peer节点一样,orderer节点上的TLS客户端身份验证处于关闭状态。要启用TLS客户端身份验证,需要设置以下配置属性: | ||
|
||
* ``General.TLS.ClientAuthRequired`` = ``true`` | ||
* ``General.TLS.ClientRootCAs`` = fully qualified path of the file that contains the | ||
certificate chain of the CA that issued the TLS server certificate | ||
* ``General.TLS.ClientRootCAs`` = 包含颁发TLS服务器证书的CA的证书链的文件的标准路径 | ||
|
||
TLS with client authentication can also be enabled by setting the following environment | ||
variables: | ||
也可以通过设置以下环境变量来启用具有客户端身份验证的TLS: | ||
|
||
* ``ORDERER_GENERAL_TLS_ENABLED`` = ``true`` | ||
* ``ORDERER_GENERAL_TLS_PRIVATEKEY`` = fully qualified path of the file that contains the | ||
server private key | ||
* ``ORDERER_GENERAL_TLS_CERTIFICATE`` = fully qualified path of the file that contains the | ||
server certificate | ||
* ``ORDERER_GENERAL_TLS_ROOTCAS`` = fully qualified path of the file that contains the | ||
certificate chain of the CA that issued TLS server certificate | ||
* ``ORDERER_GENERAL_TLS_PRIVATEKEY`` = 包含服务器私钥的文件的标准路径 | ||
* ``ORDERER_GENERAL_TLS_CERTIFICATE`` = 包含服务器证书的文件的标准路径 | ||
* ``ORDERER_GENERAL_TLS_ROOTCAS`` = 包含颁发TLS服务器证书的CA的证书链的文件的标准路径 | ||
* ``ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED`` = ``true`` | ||
* ``ORDERER_GENERAL_TLS_CLIENTROOTCAS`` = fully qualified path of the file that contains | ||
the certificate chain of the CA that issued TLS server certificate | ||
* ``ORDERER_GENERAL_TLS_CLIENTROOTCAS`` = 包含颁发TLS服务器证书的CA的证书链的文件的标准路径 | ||
|
||
Configuring TLS for the peer CLI | ||
为CLI节点配置TLS | ||
-------------------------------- | ||
|
||
The following environment variables must be set when running peer CLI commands against a | ||
TLS enabled peer node: | ||
针对启用了TLS的peer节点运行CLI命令时,必须设置以下环境变量: | ||
|
||
* ``CORE_PEER_TLS_ENABLED`` = ``true`` | ||
* ``CORE_PEER_TLS_ROOTCERT_FILE`` = fully qualified path of the file that contains cert chain | ||
of the CA that issued the TLS server cert | ||
* ``CORE_PEER_TLS_ROOTCERT_FILE`` = 包含颁发TLS服务器证书的CA的证书链的文件的标准路径 | ||
|
||
If TLS client authentication is also enabled on the remote server, the following variables | ||
must to be set in addition to those above: | ||
如果在远程服务器上也启用了TLS客户端身份验证,则除上述变量外,还必须设置以下变量: | ||
|
||
* ``CORE_PEER_TLS_CLIENTAUTHREQUIRED`` = ``true`` | ||
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = fully qualified path of the client certificate | ||
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = fully qualified path of the client private key | ||
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = 客户端证书的标准路径 | ||
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = 客户端私钥的标准路径 | ||
|
||
When running a command that connects to orderer service, like `peer channel <create|update|fetch>` | ||
or `peer chaincode <invoke>`, following command line arguments must also be specified | ||
if TLS is enabled on the orderer: | ||
当运行连接到orderer节点的命令时,例如`peer channel <create|update|fetch>`或 `peer chaincode <invoke>`,如果在orderer节点上启用了TLS,则还必须指定以下命令行参数: | ||
|
||
* --tls | ||
* --cafile <fully qualified path of the file that contains cert chain of the orderer CA> | ||
* --cafile <包含订购者CA的证书链的文件的标准路径> | ||
|
||
If TLS client authentication is enabled on the orderer, the following arguments must be specified | ||
as well: | ||
如果在orderer节点上启用了TLS客户端身份验证,则还必须指定以下参数: | ||
|
||
* --clientauth | ||
* --keyfile <fully qualified path of the file that contains the client private key> | ||
* --certfile <fully qualified path of the file that contains the client certificate> | ||
* --keyfile <包含客户端私钥的文件的标准路径> | ||
* --certfile <包含客户端证书的文件的标准路径> | ||
|
||
|
||
Debugging TLS issues | ||
调试TLS问题 | ||
-------------------- | ||
|
||
Before debugging TLS issues, it is advisable to enable ``GRPC debug`` on both the TLS client | ||
and the server side to get additional information. To enable ``GRPC debug``, set the | ||
environment variable ``FABRIC_LOGGING_SPEC`` to include ``grpc=debug``. For example, to | ||
set the default logging level to ``INFO`` and the GRPC logging level to ``DEBUG``, set | ||
the logging specification to ``grpc=debug:info``. | ||
|
||
If you see the error message ``remote error: tls: bad certificate`` on the client side, it | ||
usually means that the TLS server has enabled client authentication and the server either did | ||
not receive the correct client certificate or it received a client certificate that it does | ||
not trust. Make sure the client is sending its certificate and that it has been signed by one | ||
of the CA certificates trusted by the peer or orderer node. | ||
|
||
If you see the error message ``remote error: tls: bad certificate`` in your chaincode logs, | ||
ensure that your chaincode has been built using the chaincode shim provided with Fabric v1.1 | ||
or newer. | ||
在调试TLS问题之前,建议同时在TLS客户端和服务器端启用 ``GRPC debug`` 以获取附加信息。要启用 ``GRPC debug``,需要在环境变量``FABRIC_LOGGING_SPEC`` 中加入 ``grpc=debug`` 。例如,如要将默认日志记录级别设置为``INFO`` ,将GRPC日志记录级别设置为 ``DEBUG``,则需先将日志记录规范设置为 ``grpc=debug:info``。 | ||
|
||
如果您在客户端看到错误消息``remote error: tls: bad certificate`` ,则通常表示TLS服务器已启用客户端身份验证,并且该服务器未收到正确的客户端证书,或者收到了不信任的客户端证书。确保客户端正在发送其证书,并且该证书已被peer节点或orderer节点信任的CA证书所签名。 | ||
|
||
如果在链码日志中看到错误消息``remote error: tls: bad certificate`` ,请确保链码是使用Fabric v1.1或更高版本的程序构建的。 | ||
|
||
|
||
.. Licensed under Creative Commons Attribution 4.0 International License | ||
https://creativecommons.org/licenses/by/4.0/ |
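Review bot: the descriptions of ``General.TLS.ClientRootCAs`` and ``ORDERER_GENERAL_TLS_CLIENTROOTCAS`` point at the wrong CA. Both the English ("certificate chain of the CA that issued the TLS server certificate") and the translated line ("包含颁发TLS服务器证书的CA的证书链的文件的标准路径") describe the server CA, but by analogy with ``peer.tls.clientRootCAs.files`` earlier in this file ("CA certificate chain(s) that issued TLS certificates for your organization's clients") this setting must hold the chain(s) of the CA(s) that issued the client certificates the orderer should accept; please fix both wordings in the orderer section. Translation consistency in the same hunk: "per节点" should be "peer节点"; "订购者CA" in the ``--cafile`` line should use "orderer" as the rest of the page does; "为CLI节点配置TLS" turns the peer CLI into a "node", so "为peer CLI配置TLS" is closer to the heading "Configuring TLS for the peer CLI"; and the last paragraph drops "chaincode shim" ("使用Fabric v1.1或更高版本的程序构建"), which is the actual requirement, so restore it, e.g. "使用Fabric v1.1或更高版本提供的链码shim构建". Layout: the line "也可以通过设置以下环境变量来启用具有客户端身份验证的TLS:" follows the preceding paragraph and is followed by the ``CORE_PEER_TLS_ENABLED`` bullet list with no blank lines on either side; reStructuredText needs a blank line before a bullet list, so the list will be absorbed into the paragraph. Insert a blank line before and after that sentence.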