I have noticed that when I run Fabric CA, it starts registering the affiliations of the organization, but it converts the organization affiliations to lower case.
In the fabric-ca-server-config.yaml file, below are the affiliations with the name airlineOrg.
In the debug logs of Fabric CA, before the REST API server starts, I see the affiliation name being converted to lower case, as seen below.
The question is: why is Fabric CA changing the name of the configured affiliation to lower case? Because of this, I am unable to create a user.
So what I did, in the REST API server code in the getAffiliation method, was change the organization name (e.g. airlineOrg) to the lower-case form of the organization name just to test, and after that it was successfully created in the wallet.
When you specify affiliations in the fabric-ca-server-config.yaml file, any non-leaf entry in the config file will be converted to lowercase. This is actually due to a poor design which directly leverages a config library to parse/load the config file. So if your config looks like:
affiliations:
  airlineOrg:
  someOtherOrg:
then the stored affiliations will be airlineorg and someotherorg and that is what you'll need to specify in your API calls or on the command-line.
If your config looks something like:
affiliations:
  airlineOrg:
    - Pilots
    - Mechanics
  someOtherOrg:
then only the non-leaf nodes are converted to lowercase and you access Pilots and Mechanics as airlineorg.Pilots and airlineorg.Mechanics.
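As an added example (not from the answer and not fabric-ca code), the following Go snippet models the rule just described: the affiliation tree as written in the YAML is constructed inline, and ResolveAffiliation turns what an operator types into the name the server actually stored, matching non-leaf segments case-insensitively and the leaf segment exactly.

```go
package main

import "strings"

// Node models one entry of the affiliations tree in fabric-ca-server-config.yaml:
// a key with further keys under it is a non-leaf, a bare list item is a leaf.
type Node struct {
	Children map[string]*Node
	Leaves   []string
}

// SampleConfig mirrors the second YAML snippet in the answer (constructed input).
var SampleConfig = &Node{Children: map[string]*Node{
	"airlineOrg":   {Leaves: []string{"Pilots", "Mechanics"}},
	"someOtherOrg": {},
}}

// ResolveAffiliation maps what an operator types (e.g. "airlineOrg.Pilots") to the
// stored name ("airlineorg.Pilots"): non-leaf segments were lowercased by the config
// loader and match case-insensitively; a leaf segment kept its case and must match exactly.
func ResolveAffiliation(root *Node, requested string) (string, bool) {
	parts := strings.Split(requested, ".")
	n := root
	stored := make([]string, 0, len(parts))
	for i, part := range parts {
		if child := findChild(n, part); child != nil {
			stored = append(stored, strings.ToLower(part))
			n = child
			continue
		}
		if i == len(parts)-1 {
			for _, leaf := range n.Leaves {
				if leaf == part {
					return strings.Join(append(stored, part), "."), true
				}
			}
		}
		return "", false
	}
	return strings.Join(stored, "."), true
}

func findChild(n *Node, name string) *Node {
	for key, child := range n.Children {
		if strings.EqualFold(key, name) {
			return child
		}
	}
	return nil
}
```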
What is the procedure for replacing a root CA cert with another one of a different key pair?
Q-1: Is it required to follow the config update steps as we do when adding/removing an org, since the RCA needs to change?
(Understood that changing the RCA requires recreating all peers, nodes and identities as well.)
When we use the default setup of Fabric CA, it bootstraps the Fabric CA server with a bootstrap administrator: 'fabric-ca-server start -b admin:adminpw -d'
On enrolling the bootstrap administrator, it creates the following in the MSP: cacerts, keystore, signcerts (Set-A).
Now when we have to create identities, it uses Set-A, and all such material also gets bound to the genesis block, as the certificate gets configured via the configtx file and is stored in the config channel of Fabric.
Q-2: Now if we have to change the RCA's cacerts, keystore, signcerts (Set-B), what is the procedure to do that?
I have not found any guidelines or documents on this; it is just logically understood that if it is possible, then maybe one follows similar steps as we do in add/remove orgs.
Q-3: But even if we replace all identities with the new RCA along with the RCA's cert, key pair etc., I don't think the existing data may work?
What if the live network already has X data, but the RCA's cacerts, keystore, signcerts and all identities got changed, and the config was also updated via config-update as we do in add/remove orgs, so it has the new certificate info?
I noticed that HLF admincerts and TLS certs, by default, have an expiration date of 1 year. In my case they have expired and my orderer and peer nodes are giving me a bad certificate error.
Is there any way to do certificate rotation? I don't want to lose any data as the network is in a production environment. I am using Hyperledger Fabric version 1.4 with the Raft ordering service.
You can change the default expiry time of an X.509 certificate by changing its duration in the fabric-ca-server configuration file. You'll find this file inside the CA's Docker container.
The reference for the fabric-ca-server configuration file can be found here.
Change the value of expiry from 8760h to xxxx in the signing section of the file. The signing section looks like this:
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
After changing the value of expiry, you'll have to restart your CA container for the changes to take effect.
Once your container is restarted, re-enroll your admin to create a new X.509 certificate with the updated expiry duration. You can read about re-enrolling an identity here.
If you want to avoid such scenarios in the future for any user, you can re-enroll it before doing a transaction. You can perform the re-enroll operation if the certificate has already expired or is going to expire in the next x amount of time.
I am on Fabric v2.3 and using Fabric CA.
When we re-enroll the peers, orderer or admin, it will generate a new pair of certificates.
Please correct me if I am wrong: these newly generated certificates need to be updated in the channel configuration as well? At least this is what the doc says here.
I tried to follow the doc and it does contain the root_certs and tls_certs which we need to replace. A usual sample config block, after decoding it into JSON files, looks something like this. The respective certs need to be replaced here, which seems quite error-prone since it's manual and a lot of certs need to be replaced (depending on the number of peers, orderers and organisations you've got). And also not to forget, these certs are referenced by ccp.yaml and ccp.json as well, which are used by the Fabric SDK.
I am not sure if my understanding of this is correct, as I am struggling with this as well. I haven't been able to successfully pull this off as of now. It's strange that Hyperledger Fabric/Fabric CA doesn't really have a straightforward way of doing this.
Our case: k8s, Fabric v2.2, mutual TLS required for all Hyperledger connections, certificates expired 3 days ago.
First of all we need to get past the expired TLS. Add to the orderer config:
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT: 120h
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS: "true"
The latter parameter will allow using expired MSP entities later.
To skip TLS checks on the peer side, use the --tlsHandshakeTimeShift 120h parameter.
After the connection is restored, we need to update the certificates in the blockchain. Unfortunately there is no analog of the _NOEXPIRATIONCHECKS option for the peer, so we need to use a time-shifted environment. I didn't manage to run one in Kubernetes, so I had to use a notebook with NTP disabled and a port-forwarded orderer endpoint. Be aware that if your Kubernetes authentication is token-based, it can stop working because of the incorrect time. In Azure this is fixed by getting the admin config.
That environment should be enough for step-by-step replaying of your standard certificate rotation scripts. If you don't have any, dive into this issue.
I am trying to make the following function with customized tokens. The goal is to mint tokens including metadata which is exposed only to the owner of the token. This means that no one other than the owner is permitted to read the metadata. Is it possible to create such tokens?
Thank you.
You can implement that with Attribute-Based Access Control with the help of Hyperledger Fabric CA, the chaincode's client identity library and some programming-related key management techniques.
On the chaincode side:
To store metadata, the chaincode will get the owner's/user's certificate with the help of the client identity library; by parsing that certificate, the chaincode will get the owner's public key, hold it in a variable named "variablePublicKey", and then store the metadata under the key "variablePublicKey.metadata".
To read the metadata, the chaincode will get the owner's/user's certificate with the help of the client identity library; by parsing that certificate, the chaincode will get the owner's public key, hold it in a variable named "variablePublicKey", and then get the metadata from the key "variablePublicKey.metadata".
To ensure security in this system, your chaincode must append a string to each user input key. For example, if a user wants to invoke or query a car-type asset, the chaincode will always append a string to that user input: if the user's input key is "xyz", the chaincode will append a string to make it "xyz.car" and store/update the value against the "xyz.car" key. To query a car, if the user gives the input "xyz", the chaincode will append the string to make it "xyz.car" and query the value against the "xyz.car" key.
I'm new to Hyperledger Fabric development and I'm trying to make a user-friendly registration.
For example:
+ Using OAuth from a Google account.
+ Or using traditional email/password registration.
I've read the Hyperledger Fabric documentation and tried some of its examples. All I know is that the new identity creation process is like this:
1. Get an admin identity from the fabric-ca server, by using the fabric-ca client or the SDK.
2. Register the new identity using that admin identity.
3. Then the fabric-ca server will send back the new identity's ID and secret code (so-called password).
4. The user will use that ID & secret code to enroll the new user, as well as to create transactions, etc.
So, my questions are:
What additional work should I do to make the registration/login process look like traditional OAuth or user/email registration?
Where should I store the additional information of the user, like email, password, birthday, etc.?
(I read this question before: User registration & login in Hyperledger fabric, so I think there's a way to do it, but I have not figured it out yet.)
You can use LDAP for identity authentication and use MySQL or Postgres (any of these databases) to connect with fabric-ca. Since you will use LDAP, you will be able to do signup using a normal email and password, and this is the recommended way to do it as per the Hyperledger Fabric docs.
The Fabric CA server can be configured to read from an LDAP server.
In particular, the Fabric CA server may connect to an LDAP server to do the following:
authenticate an identity prior to enrollment
retrieve an identity’s attribute values which are used for authorization.
Modify the LDAP section of the Fabric CA server’s configuration file to configure the server to connect to an LDAP server.
ldap:
  # Enables or disables the LDAP client (default: false)
  enabled: false
  # The URL of the LDAP server
  url: <scheme>://<adminDN>:<adminPassword>@<host>:<port>/<base>
  userfilter: <filter>
  attribute:
    # 'names' is an array of strings that identify the specific attributes
    # which are requested from the LDAP server.
    names: <LDAPAttrs>
    # The 'converters' section is used to convert LDAP attribute values
    # to fabric CA attribute values.
    #
    # For example, the following converts an LDAP 'uid' attribute
    # whose value begins with 'revoker' to a fabric CA attribute
    # named "hf.Revoker" with a value of "true" (because the expression
    # evaluates to true).
    # converters:
    #   - name: hf.Revoker
    #     value: attr("uid") =~ "revoker*"
    #
    # As another example, assume a user has an LDAP attribute named
    # 'member' which has multiple values of "dn1", "dn2", and "dn3".
    # Further assume the following configuration.
    # converters:
    #   - name: myAttr
    #     value: map(attr("member"),"groups")
    # maps:
    #   groups:
    #     - name: dn1
    #       value: client
    #     - name: dn2
    #       value: peer
    # The value of the user's 'myAttr' attribute is then computed to be
    # "client,peer,dn3". This is because the value of 'attr("member")' is
    # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
    # "group" replaces "dn1" with "client" and "dn2" with "peer".
    converters:
      - name: <fcaAttrName>
        value: <fcaExpr>
    maps:
      <mapName>:
        - name: <from>
          value: <to>
For more info, visit the Fabric-CA docs here.
I am generating the public key but am not able to generate the private key of the admin user while registering a new user through REST services in the blockchain network, and I am also getting the error mentioned below.
Error:Failed Error: Private key missing from key store. Can not establish the signing identity for user admin.
I followed the steps below:
Created a network in Hyperledger Fabric.
Created a new Node application to publish the REST services by referring to the existing "balance-transfer" application.
Then started the Node application.
Tested the REST service URL in the Postman tool.
I am getting the above-mentioned error while testing the URL http://localhost:4000/users in Postman.
Error at code level:
app.js ---> helper.js
let adminUserObj = await client.setUserContext({username: admins[0].username, password: admins[0].secret});
Please suggest.
Remove the folders holding the key-value store for the organizations (fabric-client-kv-*) from the balance-transfer Fabric sample:
rm -rf fabric-client-kv-*
Then create the network again. This resolved the issue for me.
Have you tried restarting the network completely (by using the "runApp.sh" script for that)? Take a look inside this script at the restartNetwork() function, where the "fabric-client-kv-org" folders in your balance-transfer folder are removed.
Does it work?