I am trying to integrate softHSM with Hyperledger Fabric. I have followed the below steps:
I have cloned the repo from this link
https://github.com/hyperledger/fabric-ca (main-branch)
Executed the below 3 commands from the above directory. After execution, I got the new binary and the new Fabric-CA image.
make fabric-ca-server GO_TAGS=pkcs11
make fabric-ca-client GO_TAGS=pkcs11
make docker GO_TAGS=pkcs11
I have replaced the old binary(fabric-ca-client and fabric-ca-server)
I am trying to spin up the Fabric-CA in the docker container and passing the environment variables as per the official documentation.
ORG1_RCA:
image: hyperledger/fabric-ca:1.5.1
container_name: ORG1_RCA
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ORG1_RCA
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_PORT=7054
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=
ports:
- 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
environment:
- SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
volumes:
- ./fabric-ca/verizon:/etc/hyperledger/fabric-ca-server
- /home/softhsm/config.file:/etc/hyperledger/fabric/config.file
- /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
networks:
- contract
I am not providing the PIN and label for security purposes.When I am running this container, the private keys are still getting saved into the msp/keystore folder instead of HSM.
Related
I am working with Hyperledger Fabric 1.3.0. I get the following error when I execute the "byfn.sh -m up" in the fabric-samples/first-network.
Starting for channel 'mychannel' with CLI timeout of '10' seconds and CLI delay of '3' seconds
Continue? [Y/n] Y
proceeding ...
LOCAL_VERSION=1.3.0
DOCKER_IMAGE_VERSION=1.3.0
Error: No such container: cli
ERROR !!!! Test failed
Please help
I don't have docker-compose.yaml but what I do have is docker-compose-cli.yaml. The contents are below:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
volumes:
orderer.example.com:
peer0.org1.example.com:
peer1.org1.example.com:
peer0.org2.example.com:
peer1.org2.example.com:
networks:
byfn:
services:
orderer.example.com:
extends:
file: base/docker-compose-base.yaml
service: orderer.example.com
container_name: orderer.example.com
networks:
- byfn
peer0.org1.example.com:
container_name: peer0.org1.example.com
extends:
file: base/docker-compose-base.yaml
service: peer0.org1.example.com
networks:
- byfn
peer1.org1.example.com:
container_name: peer1.org1.example.com
extends:
file: base/docker-compose-base.yaml
service: peer1.org1.example.com
networks:
- byfn
peer0.org2.example.com:
container_name: peer0.org2.example.com
extends:
file: base/docker-compose-base.yaml
service: peer0.org2.example.com
networks:
- byfn
peer1.org2.example.com:
container_name: peer1.org2.example.com
extends:
file: base/docker-compose-base.yaml
service: peer1.org2.example.com
networks:
- byfn
cli:
container_name: cli
image: hyperledger/fabric-tools:$IMAGE_TAG
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
#- CORE_LOGGING_LEVEL=DEBUG
- CORE_LOGGING_LEVEL=INFO
- CORE_PEER_ID=cli
- CORE_PEER_ADDRESS=peer0.org1.example.com:7051
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: /bin/bash
volumes:
- /var/run/:/host/var/run/
- ./../chaincode/:/opt/gopath/src/github.com/chaincode
- ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
- ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
- ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
depends_on:`enter code here`
- orderer.example.com
- peer0.org1.example.com
- peer1.org1.example.com
- peer0.org2.example.com
- peer1.org2.example.com
networks:
- byfn
Well, it seems you are having some issues with your versions, what I recommend is to clean all the containers and images of docker running:
docker rmi $(docker images -a -q) //for images
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q) //for containers
After that, re-download the fabric samples, I think that they updated the 1.3.0 stable version yesterday, setup again your crytogen path (this is very important if you are pointing to an old version of the cryptogen tool it won't work!
And give a try again, if that don't work, I recommend you to give us more information like.
Where are you running your First-Network? Windows? Mac? Linux?
Version of Linux? Version of docker?
If you are still having troubles you can check out my guide of how yo setup an hyperledger fabric from scratch using the Basic-Network example, it's kinda easy and explain all the concepts that you need.
Setup Hyperledger Fabric in multiple physical machines
Update
Since you are in Windows, don't use your users Folder, create a simple folder structure like C:/HLF for example.
After that in your .env file add this line COMPOSE_CONVERT_WINDOWS_PATHS=1.
This helps docker to understand the windows paths, cause they are different in linux.
Update #2
Let's try another solution then, go to your script.sh inside your script folder, look for the command peer channel create... and add this line just before the IF statement where are them MSYS_NO_PATHCONV=1
Review the Windows Extras section in the fabric solution, check that you have all installed.
Hyperledger Fabric - Windows Extras
After that re generate everything. Run the docker commands in my first answer and add this.
docker network prune
After that.
./byfn.sh down
./byfn.sh generate
./byfn.sh -m up
Update #3
I tested the fisrt-network using Windows 10 and Docker for windows (Using linux containers) with the configurations I mentioned before and it's working fine.
My docker version is: 18.06.1-ce
And I followed the Fabric Hyperledger official tutorial: Build Network
The only difference that I saw it's that I ran ./byfn.sh up instead of ./byfn.sh -m up
I recommend you to reinstall your docker for windows, maybe its something corrupted, that doesn't allow you to start a your network.
Hope that it helps!
I am following the official tutorial about Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations). I was able to up the network using the provider Org1 and Org2 example. Now I want to customize the organization as my own. But upon execution of ./byfn.sh -m up -s couchdb -a command. I am getting the below error; I inspect all the yaml files but I was not able to find the possible root cause of the error. I just really need a help on this. Thank you.
Starting for channel 'mychannel' with CLI timeout of '10' seconds and CLI delay of '3' seconds and using database 'couchdb', and using Fabric CAs
Continue? [Y/n] Y
proceeding ...
LOCAL_VERSION=1.2.0
DOCKER_IMAGE_VERSION=1.2.0
WARNING: The COMPOSE_PROJECT_NAME variable is not set. Defaulting to a blank string.
ERROR: The Compose file is invalid because:
Service peer0.org2.example.com has neither an image nor a build context specified. At least one must be provided.
ERROR !!!! Unable to start network
It looks like your peer-base.yaml file is not correct. One Problem is the COMPOSE_PROJECT_NAME variable. If it is not set, fabric uses the folder as the network-name. But if it is not right there will be some error while bootstrapping the network. We are building a bidding network and it is called trade-network. So the example of the entry in the peer-base.yaml file is:
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
Before the boostrapping we define the COMPOSE_PROJECT_NAME with trade-network so the network is called trade-network_basic. I'm not 100% sure but I think after (or while) bootstrapping there is a point where fabric uses the folder name anyway. So we decicded to use the folder name by default and nothing happened wrong.
The other problem could be the image entry for the peer. In our file it is:
image: hyperledger/fabric-peer:x86_64-1.1.0
You can docker images list and will know which images you have, you have to use one for the peers. After the colon you can be more specific and I would suggest it.
Here is an example of our full peer-base.yaml file:
version: '2'
services:
peer-base:
image: hyperledger/fabric-peer:x86_64-1.1.0
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
#- CORE_LOGGING_LEVEL=INFO
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
While doing Hyperledger fabric setup, we create crypto material and mention users for organizations and and correspondingly user crypto material gets generated which is used to invoke chaincode while logging through CLI. Also, when we try to connect network through SDK we also need to enroll and register user to connect to network. So, what is the difference between these two users?
Cryptogen utility used for generating Hyperledger Fabric key material is mainly meant to be used for testing environment only.
It generates the CA certificate before the Fabric CA Server is up. {This won't be the case in production env.}
This certificate is mounted to fabric-ca in docker-compose.yaml file. This is done via volumes keyword as in the below snippet:
ca.example.com:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca.example.com
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca.example.com
networks:
- basic
The command 'fabric-ca-server start -b admin:adminpw -d' in above script registers a bootstrap identity. This bootstrap identity is used by the application to enroll the 'admin' user. During this enrollment, fabric-ca-server gives the app a ecert, users private key and cacert chain PEM files.
From the above reference, the users certs generated by cryptogen and via application will be issued using the same root CA Cert.
When using CLI to execute commands such install chaincode, instantiate chaincode etc. you will be using the user certs generated by the cryptogen as these are mounted into the corresponding peer. Again refer to the volumes section of peer in docker-compose.yaml for this:
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
- ./config:/etc/hyperledger/configtx
I am following-
http://hyperledger-fabric.readthedocs.io/en/release/build_network.html
with manual configuration I installed the chain-code in the 4 peers
1. peer0.org1.example.com(anchor peer)
2. peer1.org1.example.com
3. peer0.org2.example.com(anchor peer)
4. peer1.org2.example.com
In a channel with id "first".
Now when I try to instantiate the chain-code I am getting the error:
So, this is a problem of the environment variable COMPOSE_PROJECT_NAME. I solved this by adding a .env file in my project folder with the environment variable COMPOSE_PROJECT_NAME set to net.
If that does not help, you can also check your peer-base.yaml file for the variable CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE and see if it has been set correctly or not. Your peer-base.yaml file should have environment block looking something like this:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
#- CORE_LOGGING_LEVEL=ERROR
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
Your COMPOSER_PROJECT_NAME is not set.
When starting the docker containers,
update this command
CHANNEL_NAME=$CHANNEL_NAME docker-compose -f docker-compose-cli.yaml up -d
with below command:
CHANNEL_NAME=$CHANNEL_NAME IMAGE_TAG=latest COMPOSER_PROJECT_NAME=byfn docker-compose -f docker-compose-cli.yaml up -d
I have question regarding environment variables which are passed through docker-compose file.
I have chaincode which does security checks when security is enabled. It checks if security is enabled through core.SecurityEnabled() api. I enable / disable security using docker-compose env. variable CORE_SECURITY_ENABLED.
This works fine in dev mode. However when I deploy chaincode in non-dev mode, I get core.SecurityEnabled() as false although my env variable is passed as true. I examined the docker containers. Docker container running peer, returns env variable CORE_SECURITY_ENABLED=true on env command. However docker container running chaincode does not have env variable CORE_SECURITY_ENABLED. It would be picking up value from core.yaml which is set as false.
Is this as per design? In production mode should we be making changes in core.yaml file rather than to depend on env variable passed through docker-compose?
I am using the docker-compose as given below to get the CORE_SECURITY_ENABLED=true/false. Have you tried specifying the environment variables in this manner ?
membersrvc:
image: hyperledger/fabric-membersrvc
ports:
- "7054:7054"
command: membersrvc
vp0:
image: hyperledger/fabric-peer
ports:
- "8085:7050"
- "8080:7053"
- "30303:30303"
- "30304:30304"
environment:
- CORE_PEER_ADDRESSAUTODETECT=true
- CORE_SECURITY_ENABLED=true
- CORE_SECURITY_PRIVACY=true
- CORE_VM_ENDPOINT=http://172.17.0.1:2375
- CORE_PEER_PKI_ECA_PADDR=membersrvc:7054
- CORE_PEER_PKI_TCA_PADDR=membersrvc:7054
- CORE_PEER_PKI_TLSCA_PADDR=membersrvc:7054
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_ID=vp0
- CORE_SECURITY_ENROLLID=test_vp0
- CORE_SECURITY_ENROLLSECRET=MwYpmSRjupbT
links:
- membersrvc
command: sh -c "sleep 35; peer node start --logging-level=DEBUG"
If you got your query answered from the FAB jira, kindly ignore this post.