Merge changes Ifa05144a,Ife1d352c,Ibda7c0e0,Iec5f1bf0

* changes:
  [FAB-3725] /examples/cluster: Update lccc -> lscc
  [FAB-3724] /examples/cluster: Ensure CA starts first
  [FAB-3722] /examples/cluster: Use /var
  [FAB-3710] /examples/cluster: configure CA

examples/cluster/Makefile

@@ -4,6 +4,8 @@ NODES += orderer
 NODES += cli
 NODES += ca
 
+DAEMONS = $(filter-out cli,$(NODES))
+
 CHANNEL_NAME ?= mychannel
 
 CRYPTOOUTPUT = build/cryptogen
@@ -42,9 +44,9 @@ help:
 
 compose-up: nodes
 	@echo "Booting docker-compose environment"
-	$(COMPOSE) up -d ca $(PEERS)
+	$(COMPOSE) up -d $(DAEMONS)
 	$(DRUN) ./configure.sh $(CHANNEL_NAME) "$(CHANNEL_TXNS)" "$(PEERS)" $(TLS)
-	@./compose/report-env.sh "$(filter-out cli,$(NODES)")
+	@./compose/report-env.sh "$(DAEMONS)"
 
 compose-down:
 	$(COMPOSE) down
@@ -95,10 +97,10 @@ build/nodes/orderer: build/nodes/orderer/orderer.yaml
 build/nodes/orderer: build/nodes/orderer/genesis.block
 build/nodes/cli: $(CHANNEL_TXNS)
 
-build/nodes/ca:
-	@mkdir -p $@/tls
-	cp $(CA_PATH)/*_sk $@/tls/ca.key
-	cp $(CA_PATH)/*.pem $@/tls/ca.crt
+build/nodes/ca: build/nodes/ca/fabric-ca-server-config.yaml
+	@mkdir -p $@
+	cp $(CA_PATH)/*_sk $@/ca.key
+	cp $(CA_PATH)/*.pem $@/ca.crt
 
 build/nodes/%: build/nodes/%/msp build/nodes/%/configtx.yaml build/nodes/%/core.yaml
 	@echo "Built $@"

examples/cluster/compose/docker-compose.yaml

@@ -8,15 +8,13 @@ services:
     dns_search: .
     environment:
       - FABRIC_CA_SERVER_TLS_ENABLED=${TLS_ENABLED}
-      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server/tls/ca.crt
-      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server/tls/ca.key
     logging: &logging
       driver: json-file
       options:
         max-size: "25m"
         max-file: "2"
     volumes:
-      - ../build/nodes/ca/tls:/etc/hyperledger/fabric-ca-server/tls
+      - ../build/nodes/ca:/etc/hyperledger/fabric-ca-server
 
   orderer:
     container_name: orderer
@@ -28,6 +26,8 @@ services:
       <<: *logging
     volumes:
       - ../build/nodes/orderer:/etc/hyperledger/fabric
+    depends_on:
+      - ca
 
   peer1:
     container_name: peer1

examples/cluster/config/core.yaml

@@ -358,7 +358,7 @@ chaincode:
     # chaincode/importsysccs.go
     system:
         cscc: enable
-        lccc: enable
+        lscc: enable
         escc: enable
         vscc: enable
         qscc: enable

examples/cluster/config/fabric-ca-server-config.yaml

@@ -0,0 +1,239 @@
+#############################################################################
+#   This is a configuration file for the fabric-ca-server command.
+#
+#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
+#   ------------------------------------------------
+#   Each configuration element can be overridden via command line
+#   arguments or environment variables.  The precedence for determining
+#   the value of each element is as follows:
+#   1) command line argument
+#      Examples:
+#      a) --port 443
+#         To set the listening port
+#      b) --ca-keyfile ../mykey.pem
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '-' separator character.
+#   2) environment variable
+#      Examples:
+#      a) FABRIC_CA_SERVER_PORT=443
+#         To set the listening port
+#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '_' separator character.
+#   3) configuration file
+#   4) default value (if there is one)
+#      All default values are shown beside each element below.
+#
+#   FILE NAME ELEMENTS
+#   ------------------
+#   All filename elements below end with the word "file".
+#   For example, see "certfile" and "keyfile" in the "ca" section.
+#   The value of each filename element can be a simple filename, a
+#   relative path, or an absolute path.  If the value is not an
+#   absolute path, it is interpretted as being relative to the location
+#   of this configuration file.
+#
+#############################################################################
+
+# Server's listening port (default: 7054)
+port: 7054
+
+# Enables debug logging (default: false)
+debug: false
+
+#############################################################################
+#  TLS section for the server's listening port
+#
+#  The following types are supported for client authentication: NoClientCert,
+#  RequestClientCert, RequireAnyClientCert, VerfiyClientCertIfGiven,
+#  and RequireAndVerifyClientCert.
+#
+#  Certfiles is a list of root certificate authorities that the server uses
+#  when verifying client certificates.
+#############################################################################
+tls:
+  # Enable TLS (default: false)
+  enabled: false
+  # TLS for the server's listening port
+  certfile: ca.crt
+  keyfile: ca.key
+  clientauth:
+    type: noclientcert
+    certfiles:
+
+#############################################################################
+#  The CA section contains information related to the Certificate Authority
+#  including the name of the CA, which should be unique for all members
+#  of a blockchain network.  It also includes the key and certificate files
+#  used when issuing enrollment certificates (ECerts) and transaction
+#  certificates (TCerts).
+#  The chainfile (if it exists) contains the certificate chain which
+#  should be trusted for this CA, where the 1st in the chain is always the
+#  root CA certificate.
+#############################################################################
+ca:
+  # Name of this CA
+  name:
+  certfile: ca.crt
+  keyfile: ca.key
+  # Chain file (default: chain-cert.pem)
+  chainfile: ca-chain.pem
+
+#############################################################################
+#  The registry section controls how the fabric-ca-server does two things:
+#  1) authenticates enrollment requests which contain a username and password
+#     (also known as an enrollment ID and secret).
+#  2) once authenticated, retrieves the identity's attribute names and
+#     values which the fabric-ca-server optionally puts into TCerts
+#     which it issues for transacting on the Hyperledger Fabric blockchain.
+#     These attributes are useful for making access control decisions in
+#     chaincode.
+#  There are two main configuration options:
+#  1) The fabric-ca-server is the registry
+#  2) An LDAP server is the registry, in which case the fabric-ca-server
+#     calls the LDAP server to perform these tasks.
+#############################################################################
+registry:
+  # Maximum number of times a password/secret can be reused for enrollment
+  # (default: 0, which means there is no limit)
+  maxEnrollments: 0
+
+  # Contains identity information which is used when LDAP is disabled
+  identities:
+     - name: admin
+       pass: adminpw
+       type: client
+       affiliation: ""
+       attrs:
+          hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
+          hf.Registrar.DelegateRoles: "client,user,validator,auditor"
+          hf.Revoker: true
+          hf.IntermediateCA: true
+
+#############################################################################
+#  Database section
+#  Supported types are: "sqlite3", "postgres", and "mysql".
+#  The datasource value depends on the type.
+#  If the type is "sqlite3", the datasource value is a file name to use
+#  as the database store.  Since "sqlite3" is an embedded database, it
+#  may not be used if you want to run the fabric-ca-server in a cluster.
+#  To run the fabric-ca-server in a cluster, you must choose "postgres"
+#  or "mysql".
+#############################################################################
+db:
+  type: sqlite3
+  datasource: /var/hyperledger/fabric-ca-server/state.db
+  tls:
+      enabled: false
+      certfiles:
+        - db-server-cert.pem
+      client:
+        certfile: db-client-cert.pem
+        keyfile: db-client-key.pem
+
+#############################################################################
+#  LDAP section
+#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
+#  1) authenticate enrollment ID and secret (i.e. username and password)
+#     for enrollment requests;
+#  2) To retrieve identity attributes
+#############################################################################
+ldap:
+   # Enables or disables the LDAP client (default: false)
+   enabled: false
+   # The URL of the LDAP server
+   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
+   tls:
+      certfiles:
+        - ldap-server-cert.pem
+      client:
+         certfile: ldap-client-cert.pem
+         keyfile: ldap-client-key.pem
+
+#############################################################################
+#  Affiliation section
+#############################################################################
+affiliations:
+   org1:
+      - department1
+      - department2
+   org2:
+      - department1
+
+#############################################################################
+#  Signing section
+#############################################################################
+signing:
+    profiles:
+      ca:
+         usage:
+           - cert sign
+         expiry: 8000h
+         caconstraint:
+           isca: true
+    default:
+      usage:
+        - cert sign
+      expiry: 8000h
+
+###########################################################################
+#  Certificate Signing Request section for generating the CA certificate
+###########################################################################
+csr:
+   cn: fabric-ca-server
+   names:
+      - C: US
+        ST: "North Carolina"
+        L:
+        O: Hyperledger
+        OU: Fabric
+   hosts:
+     - 2008f00aff38
+   ca:
+      pathlen:
+      pathlenzero:
+      expiry:
+
+#############################################################################
+# BCCSP (BlockChain Crypto Service Provider) section is used to select which
+# crypto library implementation to use
+#############################################################################
+
+bccsp:
+    default: SW
+    sw:
+        hash: SHA2
+        security: 256
+        filekeystore:
+            # The directory used for the software file-based keystore
+            keystore: /var/hyperledger/fabric-ca-server/keystore
+
+#############################################################################
+# The fabric-ca-server init and start commands support the following two
+# additional mutually exclusive options:
+#
+# 1) --cacount <number-of-CAs>
+# Automatically generate multiple default CA instances.
+# This is particularly useful in a development environment to quickly set up
+# multiple CAs.
+# For example,
+#     fabric-ca-server start -b admin:adminpw --cacount 2
+# starts a server with a default CA and two non-default CA's with names
+# 'ca1' and 'ca2'.
+#
+# 2) --cafiles <CA-config-files>
+# For each CA config file in the list, generate a separate signing CA.  Each CA
+# config file in this list MAY contain all of the same elements as are found in
+# the server config file except port, debug, and tls sections.
+# For example,
+#    fabric-ca-server start -b admin:adminpw                \
+#          --cafiles ca/ca1/fabric-ca-server-config.yaml    \
+#          --cafiles ca/ca2/fabric-ca-server-config.yaml
+# is equivalent to the previous example, except the files CA config files
+# must already exist and can be customized.
+#
+#############################################################################
+
+cacount:
+
+cafiles: