

[FAB-3710] /examples/cluster: configure CA
We need to ensure we configure the CA with the MSP artifacts
or it will be unable to generate usable ECerts.

Change-Id: Iec5f1bf033d92a9d11ab7feca2aaf3e78eac8d78
Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
ghaskins committed May 8, 2017
1 parent c346b06 commit 7a42145
Showing 3 changed files with 244 additions and 7 deletions.
8 changes: 4 additions & 4 deletions examples/cluster/Makefile
Expand Up @@ -95,10 +95,10 @@ build/nodes/orderer: build/nodes/orderer/orderer.yaml
build/nodes/orderer: build/nodes/orderer/genesis.block
build/nodes/cli: $(CHANNEL_TXNS)

build/nodes/ca:
@mkdir -p $@/tls
cp $(CA_PATH)/*_sk $@/tls/ca.key
cp $(CA_PATH)/*.pem $@/tls/ca.crt
build/nodes/ca: build/nodes/ca/fabric-ca-server-config.yaml
@mkdir -p $@
cp $(CA_PATH)/*_sk $@/ca.key
cp $(CA_PATH)/*.pem $@/ca.crt

build/nodes/%: build/nodes/%/msp build/nodes/%/configtx.yaml build/nodes/%/core.yaml
@echo "Built $@"
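Review bot: The new recipe copies the CA private key with a plain `cp $(CA_PATH)/*_sk $@/ca.key`, so `ca.key` lands in `build/nodes/ca` with whatever mode the source file and the umask give it, and that directory is now the one the compose file bind-mounts as the server's whole home. Using `install -m 0600 $(CA_PATH)/*_sk $@/ca.key` (and `install -m 0644 $(CA_PATH)/*.pem $@/ca.crt`) pins the key to owner-only access in the build tree regardless of the source; whether the `*_sk` file under `$(CA_PATH)` already carries a restrictive mode is not visible here. The glob-to-single-file copy also fails with a "not a directory" error if more than one `*_sk` file ever matches, which the replaced lines shared, so a `$(firstword $(wildcard $(CA_PATH)/*_sk))` or an explicit error would make the failure mode clearer.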
4 changes: 1 addition & 3 deletions examples/cluster/compose/docker-compose.yaml
Expand Up @@ -8,15 +8,13 @@ services:
dns_search: .
environment:
- FABRIC_CA_SERVER_TLS_ENABLED=${TLS_ENABLED}
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server/tls/ca.crt
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server/tls/ca.key
logging: &logging
driver: json-file
options:
max-size: "25m"
max-file: "2"
volumes:
- ../build/nodes/ca/tls:/etc/hyperledger/fabric-ca-server/tls
- ../build/nodes/ca:/etc/hyperledger/fabric-ca-server

orderer:
container_name: orderer
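Review bot: The new volume line mounts all of `../build/nodes/ca` as the server home, and the dropped `FABRIC_CA_SERVER_TLS_CERTFILE`/`FABRIC_CA_SERVER_TLS_KEYFILE` values are replaced only implicitly by the new config's relative `tls.certfile: ca.crt` / `keyfile: ca.key`, which per that file's own header resolve against the config file's location, so config, cert and key now have to sit together in that one directory. A comment on the line would make the coupling visible: `# CA home: fabric-ca-server-config.yaml plus ca.crt/ca.key; relative paths in the config resolve against this directory`. The mount is read-write, so anything the server writes to a relative path from the new config (the bccsp `keystore`, for instance) will appear in the host build tree — presumably intended, but worth confirming and keeping within the scope of `make clean`.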
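--- a/examples/cluster/config/fabric-ca-server-config.yaml
+++ b/examples/cluster/config/fabric-ca-server-config.yaml
@@ -0,0 +1,239 @@
+#############################################################################
+# This is a configuration file for the fabric-ca-server command.
+#
+# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
+# ------------------------------------------------
+# Each configuration element can be overridden via command line
+# arguments or environment variables. The precedence for determining
+# the value of each element is as follows:
+# 1) command line argument
+# Examples:
+# a) --port 443
+# To set the listening port
+# b) --ca-keyfile ../mykey.pem
+# To set the "keyfile" element in the "ca" section below;
+# note the '-' separator character.
+# 2) environment variable
+# Examples:
+# a) FABRIC_CA_SERVER_PORT=443
+# To set the listening port
+# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
+# To set the "keyfile" element in the "ca" section below;
+# note the '_' separator character.
+# 3) configuration file
+# 4) default value (if there is one)
+# All default values are shown beside each element below.
+#
+# FILE NAME ELEMENTS
+# ------------------
+# All filename elements below end with the word "file".
+# For example, see "certfile" and "keyfile" in the "ca" section.
+# The value of each filename element can be a simple filename, a
+# relative path, or an absolute path. If the value is not an
+# absolute path, it is interpretted as being relative to the location
+# of this configuration file.
+#
+#############################################################################
+
+# Server's listening port (default: 7054)
+port: 7054
+
+# Enables debug logging (default: false)
+debug: false
+
+#############################################################################
+# TLS section for the server's listening port
+#
+# The following types are supported for client authentication: NoClientCert,
+# RequestClientCert, RequireAnyClientCert, VerfiyClientCertIfGiven,
+# and RequireAndVerifyClientCert.
+#
+# Certfiles is a list of root certificate authorities that the server uses
+# when verifying client certificates.
+#############################################################################
+tls:
+# Enable TLS (default: false)
+enabled: false
+# TLS for the server's listening port
+certfile: ca.crt
+keyfile: ca.key
+clientauth:
+type: noclientcert
+certfiles:
+
+#############################################################################
+# The CA section contains information related to the Certificate Authority
+# including the name of the CA, which should be unique for all members
+# of a blockchain network. It also includes the key and certificate files
+# used when issuing enrollment certificates (ECerts) and transaction
+# certificates (TCerts).
+# The chainfile (if it exists) contains the certificate chain which
+# should be trusted for this CA, where the 1st in the chain is always the
+# root CA certificate.
+#############################################################################
+ca:
+# Name of this CA
+name:
+certfile: ca.crt
+keyfile: ca.key
+# Chain file (default: chain-cert.pem)
+chainfile: ca-chain.pem
+
+#############################################################################
+# The registry section controls how the fabric-ca-server does two things:
+# 1) authenticates enrollment requests which contain a username and password
+# (also known as an enrollment ID and secret).
+# 2) once authenticated, retrieves the identity's attribute names and
+# values which the fabric-ca-server optionally puts into TCerts
+# which it issues for transacting on the Hyperledger Fabric blockchain.
+# These attributes are useful for making access control decisions in
+# chaincode.
+# There are two main configuration options:
+# 1) The fabric-ca-server is the registry
+# 2) An LDAP server is the registry, in which case the fabric-ca-server
+# calls the LDAP server to perform these tasks.
+#############################################################################
+registry:
+# Maximum number of times a password/secret can be reused for enrollment
+# (default: 0, which means there is no limit)
+maxEnrollments: 0
+
+# Contains identity information which is used when LDAP is disabled
+identities:
+- name: admin
+pass: adminpw
+type: client
+affiliation: ""
+attrs:
+hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
+hf.Registrar.DelegateRoles: "client,user,validator,auditor"
+hf.Revoker: true
+hf.IntermediateCA: true
+
+#############################################################################
+# Database section
+# Supported types are: "sqlite3", "postgres", and "mysql".
+# The datasource value depends on the type.
+# If the type is "sqlite3", the datasource value is a file name to use
+# as the database store. Since "sqlite3" is an embedded database, it
+# may not be used if you want to run the fabric-ca-server in a cluster.
+# To run the fabric-ca-server in a cluster, you must choose "postgres"
+# or "mysql".
+#############################################################################
+db:
+type: sqlite3
+datasource: /var/hyperledger/fabric-ca-server.db
+tls:
+enabled: false
+certfiles:
+- db-server-cert.pem
+client:
+certfile: db-client-cert.pem
+keyfile: db-client-key.pem
+
+#############################################################################
+# LDAP section
+# If LDAP is enabled, the fabric-ca-server calls LDAP to:
+# 1) authenticate enrollment ID and secret (i.e. username and password)
+# for enrollment requests;
+# 2) To retrieve identity attributes
+#############################################################################
+ldap:
+# Enables or disables the LDAP client (default: false)
+enabled: false
+# The URL of the LDAP server
+url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
+tls:
+certfiles:
+- ldap-server-cert.pem
+client:
+certfile: ldap-client-cert.pem
+keyfile: ldap-client-key.pem
+
+#############################################################################
+# Affiliation section
+#############################################################################
+affiliations:
+org1:
+- department1
+- department2
+org2:
+- department1
+
+#############################################################################
+# Signing section
+#############################################################################
+signing:
+profiles:
+ca:
+usage:
+- cert sign
+expiry: 8000h
+caconstraint:
+isca: true
+default:
+usage:
+- cert sign
+expiry: 8000h
+
+###########################################################################
+# Certificate Signing Request section for generating the CA certificate
+###########################################################################
+csr:
+cn: fabric-ca-server
+names:
+- C: US
+ST: "North Carolina"
+L:
+O: Hyperledger
+OU: Fabric
+hosts:
+- 2008f00aff38
+ca:
+pathlen:
+pathlenzero:
+expiry:
+
+#############################################################################
+# BCCSP (BlockChain Crypto Service Provider) section is used to select which
+# crypto library implementation to use
+#############################################################################
+
+bccsp:
+default: SW
+sw:
+hash: SHA2
+security: 256
+filekeystore:
+# The directory used for the software file-based keystore
+keystore: keystore
+
+#############################################################################
+# The fabric-ca-server init and start commands support the following two
+# additional mutually exclusive options:
+#
+# 1) --cacount <number-of-CAs>
+# Automatically generate multiple default CA instances.
+# This is particularly useful in a development environment to quickly set up
+# multiple CAs.
+# For example,
+# fabric-ca-server start -b admin:adminpw --cacount 2
+# starts a server with a default CA and two non-default CA's with names
+# 'ca1' and 'ca2'.
+#
+# 2) --cafiles <CA-config-files>
+# For each CA config file in the list, generate a separate signing CA. Each CA
+# config file in this list MAY contain all of the same elements as are found in
+# the server config file except port, debug, and tls sections.
+# For example,
+# fabric-ca-server start -b admin:adminpw \
+# --cafiles ca/ca1/fabric-ca-server-config.yaml \
+# --cafiles ca/ca2/fabric-ca-server-config.yaml
+# is equivalent to the previous example, except the files CA config files
+# must already exist and can be customized.
+#
+#############################################################################
+
+cacount:
+
+cafiles: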
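Review bot: The bootstrap registrar in `registry.identities` (`admin` / `adminpw`) is committed in clear text with `maxEnrollments: 0` (unlimited reuse) and `hf.Revoker` / `hf.IntermediateCA` enabled, so any deployment that keeps this file as-is accepts a publicly known secret for the identity that can register, revoke and mint intermediate CAs. The file's own header documents the precedence that makes this avoidable — the `-b admin:adminpw` form in the `--cacount` example and the env-override rules — so the secret is better injected at start time, and the committed entry at least annotated: `# EXAMPLE ONLY: bootstrap registrar secret; supply the real one with -b <id>:<secret> at start`. Separately, `csr.hosts` carries `2008f00aff38`, which looks like a container id captured when this template was generated; with `ca.certfile`/`ca.keyfile` supplied it presumably only matters if the CA certificate is ever regenerated from this section, but a stable hostname or a comment stating it is unused here would avoid surprises. The hunk adds the whole file, so there is no enclosing structure outside it.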
