Fabric CA Enroll failed using Go SDK - hyperledger-fabric

I was trying to enroll a user with the Fabric Go client.
I have recently changed my Go version to 1.17 and after that I am receiving this error: x509: certificate relies on legacy Common Name field, use SANs instead
Although I have passed the extra hosts using a custom CSR (which results in the SANs being set in the CSR request) while enrolling the user.
If there is anything extra which needs to be done let me know.
As per the docs, I have to pass the CSR hosts which I am passing already.
Thanks,
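The error in the question comes from Go's hostname verification, which since Go 1.15 no longer falls back to the Common Name: a certificate whose SAN extension is absent fails verification even when the CN matches. The following is an added example, not code from the question or from the Fabric Go SDK. It builds a CSR with hosts in the SAN extension (the shape fabric-ca-client produces from --csr.hosts), then issues two certificates for it with a throwaway CA, one that keeps only the CN and one that copies the SANs, and runs Go's own VerifyHostname on both. The function names (newCSRWithHosts, issueCert, sanNames, demoCerts) and the host list are assumptions made for this example; the practical check it demonstrates is to inspect the SANs of the certificate the CA actually returned, since a CSR that requests SANs does not guarantee the issued cert carries them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed sample hosts, standing in for the values given to --csr.hosts.
var sampleHosts = []string{"peer0.example.com", "127.0.0.1"}

// newCSRWithHosts builds a PKCS#10 request that carries the hosts in the SAN
// extension (DNS names and IP addresses), which is what --csr.hosts asks for.
func newCSRWithHosts(key *ecdsa.PrivateKey, hosts []string) (*x509.CertificateRequest, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hosts[0]}}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			req.IPAddresses = append(req.IPAddresses, ip)
		} else {
			req.DNSNames = append(req.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// issueCert signs the CSR with a throwaway CA key. With copySANs=false the
// issued certificate keeps only the Common Name, which is exactly the shape
// Go 1.15 and later refuse during hostname verification.
func issueCert(csr *x509.CertificateRequest, copySANs bool) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "sample-ca"}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if copySANs {
		tmpl.DNSNames = csr.DNSNames
		tmpl.IPAddresses = csr.IPAddresses
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanNames lists what a certificate really carries in its SAN extension; this
// is the first thing to inspect on the cert returned by an enrollment.
func sanNames(cert *x509.Certificate) []string {
	names := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		names = append(names, ip.String())
	}
	return names
}

// demoCerts returns two certificates for the same CSR: one with the CN only
// and one with the CSR's SANs copied over.
func demoCerts() (cnOnly, withSANs *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := newCSRWithHosts(key, sampleHosts)
	if err != nil {
		return nil, nil, err
	}
	if cnOnly, err = issueCert(csr, false); err != nil {
		return nil, nil, err
	}
	if withSANs, err = issueCert(csr, true); err != nil {
		return nil, nil, err
	}
	return cnOnly, withSANs, nil
}

func main() {
	cnOnly, withSANs, err := demoCerts()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{cnOnly, withSANs} {
		fmt.Printf("SANs=%v  VerifyHostname: %v\n", sanNames(c), c.VerifyHostname("peer0.example.com"))
	}
}
```

Running it prints the legacy-Common-Name error for the CN-only certificate and a nil error for the one with SANs. Applied to the enrollment in the question, the same sanNames check on the certificate returned by the CA tells you whether the hosts from the CSR survived issuance; if the list is empty, the CA profile or the enrollment request dropped them, regardless of what the CSR contained.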

Related

How to get secret of a Fabric identity

I'm running a Fabric 1.4.0 network and I'm the admin of it. I've lost the password/secret of one of the identities (not admin).
How do I get the secret of this registered & enrolled Fabric identity? I went through the Fabric CA Guide to look for any method/command to make this work, but couldn't find any.
I know we get the secret (if not already supplied) whenever we register a new identity and can use this secret for enrolling and other purposes. But I've lost this secret.
I'm also aware that I can issue a new secret to the identity by using the command fabric-ca-client identity modify user1 --secret newsecret. But that's not an option for me. I want to get the existing one.
I ran fabric-ca-client identity list --id user1 to see the identity's info but didn't see the password/secret there.
So, how do I get the password then? Please keep in mind that this network was created only for the purpose of learning and since I'm the admin, I have the privilege of going an extra step.
It'd be better if anyone could show me the ways, if there are any, to retrieve it using both fabric-node-sdk and fabric-ca-client.
After spending hours trying to look for a way to achieve this, the closest thing I found was the getEnrollmentSecret method in the User class. However, when I tried to use it, I got the error getEnrollmentSecret is not a function. From what I understood, the method was available in SDKs prior to version 1.4, as the method is not available in fabric-sdk-node version 1.4.
The only solution/alternative to this which I found is to update the identity's info using the update method on the Identity Service and issue a new secret, which I know conflicts with one of the statements in the question:
I'm also aware that I can issue a new secret to the identity by using the command fabric-ca-client identity modify user1 --secret newsecret. But that's not an option for me. I want to get the existing one.
but what else can you do, right?
You can find the detailed discussion about this on the fabric-sdk-node channel of Hyperledger Fabric's official communication medium, RocketChat.
Please feel free to comment on how this answer can be made any better, or if I missed something, or there's something erroneous in my findings. Thank you.

How to create the orderer and peer key and certificates using Hyperledger fabric

I need to know about Hyperledger Fabric and Fabric CA:
1. How do I create the orderer and peer certificate and key pair using fabric-ca?
2. How do I query the affiliation and CA name using Fabric? Do I need to write chaincode and query them, or can I query them without chaincode through the Fabric Node.js SDK?
3. I see Domain in the crypto-config file. Do I need to run any domain service or buy a domain name? If I am using Fabric CA, is there anything equivalent to the crypto-config domain?
4. Is it possible to update the member details once they are created? If so, if I change the password or affiliation of the member, will that be reflected in the certificate?
By registering entities, enrolling both MSP and TLS profiles, and copying missing stuff between folders. Make your own scripts if you wish. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html
https://fabric-sdk-node.github.io/release-1.4/FabricCAServices.html https://godoc.org/github.com/hyperledger/fabric-sdk-go/pkg/client/msp
That domain in crypto-config is used to compound peer and orderer domain/names, as you should have observed. As always, you can buy a domain, use docker internal name services or work directly with IP addresses if you wish. Everything works if you configure it correctly. Be careful that TLS certificates include the domain name or IP used in CN or SAN fields (--csr.hosts parameter in fabric-ca-client).
You can edit an identity, enroll the new certificates that reflect those changes and update your nodes with them whenever you want. Be careful that certificates inside admin folder define which certificates are recognised as admin (the admin role is per certificate, not per identity), so re-enrolling an admin certificate can be tiresome.

Questions about the channel creation process

I have an API with an endpoint that creates a channel, joins a peer to it and instantiates chaincodes on it. While coding the process I ran into some questions about how things are done.
An organization admin certificate is tested byte by byte while other roles use OUs. Is there an explanation for why the admin verification behaves this way?
I could never manage to enroll and submit the exact same certificate for an organization admin. Due to the above problem, the only solution I found to be able to perform admin operations was to copy the admin cert/key to the SDK crypto-{msp,store}. Is there a way to avoid copying the admin certificate and private key when using fabric-ca?
I could not manage to instantiate a chaincode on a newly created channel without having an entry for it in the SDK config file, because the SDK does not find any channelPeer for it. Is there a way to avoid the config file update if we can programmatically know which peer has the channel?
If anyone has a hint on how to solve any of the above questions I would appreciate it.
Thanks!

Access Control List in Hyperledger Fabric

I want to use access control functionality in Fabric (like permissions.acl in Hyperledger Composer). How do I achieve this in Fabric, and how do I specify the user when accessing chaincode from the Node SDK in order to test the access controls provided for that user?
e.g. (like the Tuna-network example in Composer) I want to give different CRUD access to chaincode functions to different participants/users.
There is no direct equivalent in Hyperledger Fabric for the Composer ACL functionality.
First you should look at access control lists in Fabric to ensure that your Fabric network has the correct level of security:
https://hyperledger-fabric.readthedocs.io/en/release-1.3/access_control.html
(You would have had to do this anyway: even if you used Composer ACLs to ensure a participant could not read something, if that participant had the ability to query the ledger or to listen for block events they could still infer the data, unless it was encrypted, regardless of the Composer ACL denying read access.)
The other Fabric capability you could look at is what's termed "Attribute Based Access Control". This is where attributes with values are associated with a certificate and the Fabric shims for each language provide a utility library to allow chaincode to extract those attribute values; the chaincode implementation can then decide whether the identity making the request has the appropriate authority to perform whatever it has requested.
More details can be found here:
https://hyperledger-fabric.readthedocs.io/en/release-1.3/chaincode4ade.html?highlight=client%20identity#chaincode-api

How to enable fabric-ca server to add attributes in certificates

In the fabric-ca-server-config.yaml, I see the following comment in the registry section:
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
My question is how to make it compulsory for the CA server to add these attributes to TCerts?
With the default settings, roles and attributes are not included in the generated certificates.
Although the fabric-ca-server supports putting attributes in tcerts (transaction certificates), the clients including SDKs do not yet support using tcerts. They currently always use ecerts (enrollment certificates). There is a jira item which would allow putting attributes into ecerts also. See https://jira.hyperledger.org/browse/FAB-3752. You can track the progress and make any additional requests via jira.
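Both the "Attribute Based Access Control" answer above and this question about attributes in certificates turn on the same mechanism: the CA places a JSON document of attribute names and values in an X.509 extension of the enrollment certificate, and the chaincode reads it back and decides. The following is an added example, not code from either answer, from Fabric CA or from the chaincode shim. It issues a self-signed stand-in for an ecert with the attribute extension, extracts the attributes the way the shim's client-identity helper does, and applies a small authorization policy; a certificate issued without the extension (the default behaviour the question describes) is denied. The extension OID and the {"attrs":{...}} layout are the ones Fabric CA and the fabric-chaincode-go cid package use; the policy, the "role" attribute and the names issueSampleEcert, attributesFromCert and authorize are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the extension in which Fabric CA stores enrollment attributes; it is
// the one the fabric-chaincode-go cid package reads back.
var fabricAttrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// attrExt is the JSON document stored in that extension: {"attrs":{...}}.
type attrExt struct {
	Attrs map[string]string `json:"attrs"`
}

// opPolicy is a constructed sample policy: which "role" attribute values may
// perform which chaincode operation.
var opPolicy = map[string][]string{
	"read":   {"member", "admin"},
	"create": {"admin"},
	"delete": {"admin"},
}

// issueSampleEcert builds a self-signed stand-in for an enrollment certificate.
// attrs == nil produces a cert without the extension, i.e. the default
// fabric-ca-server behaviour when no attributes are requested at enrollment.
func issueSampleEcert(enrollmentID string, attrs map[string]string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: enrollmentID, OrganizationalUnit: []string{"client"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if attrs != nil {
		raw, err := json.Marshal(attrExt{Attrs: attrs})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: fabricAttrOID, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// attributesFromCert does what the shim's client-identity helper does: locate
// the extension and decode its JSON. A missing extension yields an empty map
// rather than an error, so callers must treat "no attribute" as "deny".
func attributesFromCert(cert *x509.Certificate) (map[string]string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(fabricAttrOID) {
			var a attrExt
			if err := json.Unmarshal(ext.Value, &a); err != nil {
				return nil, fmt.Errorf("malformed attribute extension: %w", err)
			}
			return a.Attrs, nil
		}
	}
	return map[string]string{}, nil
}

// authorize is the decision a chaincode would make. In a real peer the MSP has
// already validated the certificate chain, so the attribute values can be
// trusted as asserted by the issuing CA; here the cert is self-signed only to
// keep the example offline.
func authorize(cert *x509.Certificate, op string) error {
	allowed, ok := opPolicy[op]
	if !ok {
		return fmt.Errorf("unknown operation %q", op)
	}
	attrs, err := attributesFromCert(cert)
	if err != nil {
		return err
	}
	role, ok := attrs["role"]
	if !ok {
		return errors.New("certificate carries no role attribute: denied")
	}
	for _, r := range allowed {
		if r == role {
			return nil
		}
	}
	return fmt.Errorf("role %q may not %s", role, op)
}

func main() {
	admin, _ := issueSampleEcert("admin1", map[string]string{"hf.EnrollmentID": "admin1", "role": "admin"})
	member, _ := issueSampleEcert("user1", map[string]string{"hf.EnrollmentID": "user1", "role": "member"})
	plain, _ := issueSampleEcert("user2", nil)
	for _, c := range []*x509.Certificate{admin, member, plain} {
		attrs, _ := attributesFromCert(c)
		fmt.Printf("%s attrs=%v create=%v read=%v\n", c.Subject.CommonName, attrs, authorize(c, "create"), authorize(c, "read"))
	}
}
```

The point to take from the third certificate is the one the question is about: when the CA does not write the extension, chaincode sees no attributes at all, so a policy that defaults to deny (as authorize does) is what keeps an enrollment without attributes from silently gaining access.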