[FAB-11864] Add orderer client TLS cert

Change-Id: Ibed9be1aa0bdf7b5a6606691a841a87f505ab48c
Signed-off-by: yacovm <yacovm@il.ibm.com>

Author: yacovm

orderer/common/localconfig/config.go

@@ -42,6 +42,7 @@ type General struct {
 	ListenAddress  string
 	ListenPort     uint16
 	TLS            TLS
+	Cluster        Cluster
 	Keepalive      Keepalive
 	GenesisMethod  string
 	GenesisProfile string
@@ -56,6 +57,13 @@ type General struct {
 	Authentication Authentication
 }
 
+type Cluster struct {
+	RootCAs           []string
+	ClientCertificate string
+	ClientPrivateKey  string
+	DialTimeout       time.Duration
+}
+
 // Keepalive contains configuration for gRPC servers.
 type Keepalive struct {
 	ServerMinInterval time.Duration
@@ -260,7 +268,11 @@ func Load() (*TopLevel, error) {
 
 func (c *TopLevel) completeInitialization(configDir string) {
 	defer func() {
-		// Translate any paths
+		// Translate any paths for cluster TLS configuration if applicable
+		coreconfig.TranslatePathInPlace(configDir, &c.General.Cluster.ClientPrivateKey)
+		coreconfig.TranslatePathInPlace(configDir, &c.General.Cluster.ClientCertificate)
+		c.General.Cluster.RootCAs = translateCAs(configDir, c.General.Cluster.RootCAs)
+		// Translate any paths for general TLS configuration
 		c.General.TLS.RootCAs = translateCAs(configDir, c.General.TLS.RootCAs)
 		c.General.TLS.ClientRootCAs = translateCAs(configDir, c.General.TLS.ClientRootCAs)
 		coreconfig.TranslatePathInPlace(configDir, &c.General.TLS.PrivateKey)

orderer/common/server/main.go

@@ -132,6 +132,49 @@ func initializeProfilingService(conf *localconfig.TopLevel) {
 	}
 }
 
+func initializeClusterConfig(conf *localconfig.TopLevel) comm.ClientConfig {
+	cc := comm.ClientConfig{
+		KaOpts:  comm.DefaultKeepaliveOptions,
+		Timeout: conf.General.Cluster.DialTimeout,
+	}
+
+	if (!conf.General.TLS.Enabled) || conf.General.Cluster.ClientCertificate == "" {
+		return cc
+	}
+
+	certFile := conf.General.Cluster.ClientCertificate
+	certBytes, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		logger.Fatalf("Failed to load client TLS certificate file '%s' (%s)", certFile, err)
+	}
+
+	keyFile := conf.General.Cluster.ClientPrivateKey
+	keyBytes, err := ioutil.ReadFile(keyFile)
+	if err != nil {
+		logger.Fatalf("Failed to load client TLS key file '%s' (%s)", keyFile, err)
+	}
+
+	var serverRootCAs [][]byte
+	for _, serverRoot := range conf.General.Cluster.RootCAs {
+		rootCACert, err := ioutil.ReadFile(serverRoot)
+		if err != nil {
+			logger.Fatalf("Failed to load ServerRootCAs file '%s' (%s)",
+				err, serverRoot)
+		}
+		serverRootCAs = append(serverRootCAs, rootCACert)
+	}
+
+	cc.SecOpts = &comm.SecureOptions{
+		CipherSuites:  comm.DefaultTLSCipherSuites,
+		ServerRootCAs: serverRootCAs,
+		Certificate:   certBytes,
+		Key:           keyBytes,
+		UseTLS:        true,
+	}
+
+	return cc
+}
+
 func initializeServerConfig(conf *localconfig.TopLevel) comm.ServerConfig {
 	// secure server config
 	secureOpts := &comm.SecureOptions{
@@ -174,7 +217,6 @@ func initializeServerConfig(conf *localconfig.TopLevel) comm.ServerConfig {
 		}
 		secureOpts.Key = serverKey
 		secureOpts.Certificate = serverCertificate
-		secureOpts.ServerRootCAs = serverRootCAs
 		secureOpts.ClientRootCAs = clientRootCAs
 		logger.Infof("Starting orderer with %s enabled", msg)
 	}

orderer/common/server/main_test.go

@@ -103,34 +103,48 @@ func TestInitializeServerConfig(t *testing.T) {
 	logger, _ = floggingtest.NewTestLogger(t)
 
 	testCases := []struct {
-		name              string
-		certificate       string
-		privateKey        string
-		rootCA            string
-		clientCertificate string
+		name           string
+		certificate    string
+		privateKey     string
+		rootCA         string
+		clientRootCert string
+		clusterCert    string
+		clusterKey     string
+		clusterCA      string
 	}{
-		{"BadCertificate", badFile, goodFile, goodFile, goodFile},
-		{"BadPrivateKey", goodFile, badFile, goodFile, goodFile},
-		{"BadRootCA", goodFile, goodFile, badFile, goodFile},
-		{"BadClientCertificate", goodFile, goodFile, goodFile, badFile},
+		{"BadCertificate", badFile, goodFile, goodFile, goodFile, "", "", ""},
+		{"BadPrivateKey", goodFile, badFile, goodFile, goodFile, "", "", ""},
+		{"BadRootCA", goodFile, goodFile, badFile, goodFile, "", "", ""},
+		{"BadClientRootCertificate", goodFile, goodFile, goodFile, badFile, "", "", ""},
+		{"ClusterBadCertificate", goodFile, goodFile, goodFile, goodFile, badFile, goodFile, goodFile},
+		{"ClusterBadPrivateKey", goodFile, goodFile, goodFile, goodFile, goodFile, badFile, goodFile},
+		{"ClusterBadRootCA", goodFile, goodFile, goodFile, goodFile, goodFile, goodFile, badFile},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			assert.Panics(t, func() {
-				initializeServerConfig(
-					&localconfig.TopLevel{
-						General: localconfig.General{
-							TLS: localconfig.TLS{
-								Enabled:            true,
-								ClientAuthRequired: true,
-								Certificate:        tc.certificate,
-								PrivateKey:         tc.privateKey,
-								RootCAs:            []string{tc.rootCA},
-								ClientRootCAs:      []string{tc.clientCertificate},
-							},
-						},
+			conf := &localconfig.TopLevel{
+				General: localconfig.General{
+					TLS: localconfig.TLS{
+						Enabled:            true,
+						ClientAuthRequired: true,
+						Certificate:        tc.certificate,
+						PrivateKey:         tc.privateKey,
+						RootCAs:            []string{tc.rootCA},
+						ClientRootCAs:      []string{tc.clientRootCert},
 					},
-				)
+					Cluster: localconfig.Cluster{
+						ClientCertificate: tc.clusterCert,
+						ClientPrivateKey:  tc.clusterKey,
+						RootCAs:           []string{tc.clusterCA},
+					},
+				},
+			}
+			assert.Panics(t, func() {
+				if tc.clusterCert == "" {
+					initializeServerConfig(conf)
+				} else {
+					initializeClusterConfig(conf)
+				}
 			},
 			)
 		})

sampleconfig/orderer.yaml

@@ -30,13 +30,14 @@ General:
     # TLS: TLS settings for the GRPC server.
     TLS:
         Enabled: false
+        # PrivateKey governs the file location of the private key of the TLS certificate.
         PrivateKey: tls/server.key
+        # Certificate governs the file location of the server TLS certificate.
         Certificate: tls/server.crt
         RootCAs:
           - tls/ca.crt
         ClientAuthRequired: false
         ClientRootCAs:
-
     # Keepalive settings for the GRPC server.
     Keepalive:
         # ServerMinInterval is the minimum permitted time between client pings.
@@ -48,7 +49,21 @@ General:
         # ServerTimeout is the duration the server waits for a response from
         # a client before closing the connection.
         ServerTimeout: 20s
-
+    # Cluster settings for ordering service nodes that communicate with other ordering service nodes
+    # such as Raft based ordering service.
+    Cluster:
+        # ClientCertificate governs the file location of the client TLS certificate
+        # used to establish mutual TLS connections with other ordering service nodes.
+        ClientCertificate:
+        # ClientPrivateKey governs the file location of the private key of the client TLS certificate.
+        ClientPrivateKey:
+        # DialTimeout governs the maximum duration of time after which connection
+        # attempts are considered as failed.
+        DialTimeout: 5s
+        # RootCAs governs the file locations of certificates of the Certificate Authorities
+        # which authorize connections to remote ordering service nodes.
+        RootCAs:
+          - tls/ca.crt
     # Log Level: The level at which to log. This accepts logging specifications
     # per: fabric/docs/Setup/logging-control.md
     LogLevel: info