I'm running a fabric 1.4.0 network and I'm the admin of it. I've lost the password/secret of one of the identities (not admin).
How do I get the secret of this registered & enrolled Fabric Identity? I went through the Fabric CA Guide to look for any method/command to make this work, but couldn't find any.
I know we get the secret (if not already supplied) whenever we register a new identity and can use this secret for enrolling and other purposes. But I've lost this secret.
I'm also aware that I can issue a new secret to the identity by using command fabric-ca-client identity modify user1 --secret newsecret. But, that's not an option for me. I want to get the existing one.
I ran fabric-ca-client identity list --id user1 to see the identity's info but didn't see password /secret there.
So, how do I get the password then? Please keep in mind that this network was created only for the purpose of learning and since I'm the admin, I have the privilege of going up an extra step.
It'd be better if anyone could show me the ways, if there's any, to retrieve it using both fabric-node-sdk and fabric-ca-client.
After spending hours trying to look for a way to achieve this, the closest thing I found was getEnrollmentSecret method in User class. However, when I tried to use it, I got the error getEnrollmentSecret is not a function. From what I understood, the method was available in SDKs prior to version 1.4 as the method is not available in Fabric sdk node ver 1.4.
The only solution/alternative to this which I found is to update the identity's info using the update method on the Identity Service, and issue a new secret, which I know conflicts with one of the statements in the question:
I'm also aware that I can issue a new secret to the identity by using command fabric-ca-client identity modify user1 --secret newsecret. But, that's not an option for me. I want to get the existing one.
But, what else can you do, right?
You can find the detailed discussion about this on the fabric-sdk-node channel of Hyperledger Fabric's official communication medium, RocketChat.
Please feel free to comment on how this answer can be made any better, or if I missed something, or there's something erroneous in my findings. Thank you.
I am struggling to create and configure an Azure Enterprise Application.
I have been trying to accomplish this task via PowerShell. I attempted to create an enterprise application by making use of the tags an application registration can have by following this github post, which essentially boils down to adding this tag to the service principal:
$tags = @("WindowsAzureActiveDirectoryIntegratedApp")
From there, I seem to be having problems with adding an identifier uri to the application. Here is the error:
Values of identifierUris property must use a verified domain of the organization or its subdomain
This error does occur to me whether I try this using PowerShell or Terraform.
I think it might be possible to resolve this error by adding the url as a custom domain, but the weird thing is that this url is used by the enterprise application that is setup manually, so I'm a little confused by this error and think the problem might be more than just adding the url as a custom domain.
I would like to note that at this point if I remove the identifierUris the application registration and service principal are both created, but if I were to go to the SAML section of the service principal, there does not seem to be a way to manually upload a SAML metadata file (via PowerShell only - it does work in Terraform, interestingly enough).
This brings me to the other issue that I face for configuration: SSO configuration, specifically via SAML. I would like to programmatically upload a SAML metadata file and then modify some of the fields in the SAML section of the service principal from the result of that upload. However, I have been unable to find a way to do this or find an equivalent workaround.
EDIT: Turns out you can upload a token certificate to the service principal via Terraform - for more info on the command see here. You will need to transform your data into an accepted value format (I would recommend .pem if you are coming from a .xml file). I am not 100% sure if this command works yet, as I am left with this message under the SAML Certificates section:
**Token signing certificate**
A certificate has been successfully created. Please reload the page to make it active.
And reload doesn't seem to be working yet...
Issues still left to address:
Identifier uri (previously mentioned)
How to edit the Attributes & Claims fields
EDIT 2:
So I was able to uncover this resource, which offers a step by step guide for automating away SAML-based single sign-on via MS Graph.
Still testing it - and there are some parts that can only be done on Windows (creating a custom certificate) - but this seems very helpful.
Based on my early testing, the only problem I have found with this method so far is that it might not edit the Attributes and Claims section of SAML SSO. However, I believe by creating your own application template this method solves the identifier issue I was running into.
So, the MsGraph tutorial largely covers most of what I needed for my use case. A few things of difference that I would note:
I used a template application that suited my needs better*.
Attributes and claims are fixed by following the tutorials points on creating and assigning a claims mapping policy. You will not be able to see this through the GUI. Additionally, getting the updated service principal also does not display this configuration**.
If you have difficulty updating your logoutUrl I would see this github post - you can configure it via az rest, PATCH, and this endpoint: "https://graph.microsoft.com/v1.0/applications/$($app_id)".
Tying it all together is a little annoying via PowerShell as it seems that some of the commands take longer to process than others. As a result, I would recommend implementing some sort of retry into your script and even calling Start-Sleep so that future cmdlets recognize resources created by the ones that have already been called.
*Note the process of finding a template that works best for you can be a bit tricky if you do not already have one in mind. I ended up selecting the template that matched the enterprise application I was using when doing this process manually. I am unsure if every enterprise application available has a template that matches it.
**The only way to get a confirmation that a new claims mapping policy worked is to see this message (under the Edit section of Attributes & Claims, which is in the SSO section of the service principal): "This configuration was overwritten by a claims mapping policy created via Graph/PowerShell. Learn More.".
I have recently started to learn the Hyperledger Besu, and what I am trying to do is actually compare Besu with Fabric and see if it is compatible with my already finished Fabric project.
I know from Fabric that using the CA from an organization we can create new users that are under that org. Also, there is the option to name this user with a username and add some custom attributes that can be used in the chaincode like attribute role for example.
Now, in Besu I have only discovered so far that only with some third party tools like MetaMask and the js library web3j we can create accounts. However, those accounts are in the form of Public Key/Address & Private Key.
Is there something that I have missed out?
Is it possible to have somehow similar user accounts in Besu like Fabric?
Thank you
After my own research I have concluded that these are the only ways to create accounts for Hyperledger Besu:
MetaMask Wallet
web3 js library through javascript
In order to have more specific accounts that may be connected with some user information or roles that could determine various things in the application, the most suitable option is the following:
Use a centralized database to store the user information and associate it with the user's address. This database could be used from a client application where the user can login with his/her credentials or using a third-party wallet like MetaMask.
Also, to distinguish the users inside the smart contracts the best option so far seems to be the OpenZeppelin Ownable library.
We used to be able to create GitHub personal access tokens via a request to api.github.com/authorizations with the username, password, and specifying the token’s scope. That functionality has been deprecated as of November 13, 2020.
It seems nothing took its place. They recommend the web application flow, which makes no sense if you’re building a CLI tool.
Rather than asking people to go to https://github.com/settings/tokens to manually create a new token, is there an alternative which works by not having to leave the CLI?
For that use case you should consider using "Device Flow". Documented here.
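A minimal client for the device flow that answer points to, as an added example that is not part of the answer or of any GitHub tool: it uses GitHub's public device-code and token endpoints, treats the client_id as a placeholder, and takes the HTTP transport, sleep and clock as parameters so the polling logic (authorization_pending, slow_down back-off, expiry, denial) can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

DEVICE_CODE_URL = "https://github.com/login/device/code"
TOKEN_URL = "https://github.com/login/oauth/access_token"
GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def github_post(url, data):
    """Default transport: form-encoded POST; the Accept header makes GitHub answer in JSON."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(url, data=body, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def request_device_code(client_id, scope, post=github_post):
    """Step 1: obtain device_code/user_code; the caller shows user_code and verification_uri to the user."""
    return post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})


def poll_for_token(client_id, device, post=github_post, sleep=time.sleep, clock=time.monotonic):
    """Step 2: poll the token endpoint at the server-given interval until the user approves.
    Returns the token dict on success, None when the code expired or the user denied access."""
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device["expires_in"])
    while clock() < deadline:
        sleep(interval)                      # never poll faster than the server allows
        reply = post(TOKEN_URL, {"client_id": client_id,
                                 "device_code": device["device_code"],
                                 "grant_type": GRANT})
        if "access_token" in reply:
            return reply
        err = reply.get("error")
        if err == "authorization_pending":   # user has not approved yet, keep waiting
            continue
        if err == "slow_down":               # RFC 8628: add 5 seconds to the polling interval
            interval += 5
            continue
        if err in ("expired_token", "access_denied"):
            return None
        raise RuntimeError(f"device flow error: {reply}")
    return None                              # expires_in elapsed without approval
```

Store the returned access_token in the OS credential store rather than a plain file; the constructed values in the transport stub are not real tokens.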
I have an API with an endpoint creating a channel, joining a peer to it and instantiating chaincodes on it. While coding the process I encountered some questions about how things are done.
An organization admin certificate is tested byte per byte while other roles use OUs. Do we have an explanation as to why the admin verification behaves this way?
I could never manage to enroll and submit the exact same certificate for an organization admin. Due to the above problem, it means that the only solution I found to be able to perform admin operations was to copy the admin cert/key to the sdk crypto-{msp,store}. Is there a way to avoid doing the copy of the admin certificate and private key using fabric-ca?
I could not manage to instantiate a chaincode on a newly created channel without having an entry for it in the sdk config file due to the fact that the sdk does not find any channelPeer for it. Is there a way to avoid the config file update if we can programmatically know which peer has the channel?
If anyone has a hint on how to solve any of the above questions I would appreciate it.
Thanks!
I am working on a project where I need the functionality of user registration and user login. I need some suggestions. What would be the better way of achieving this task?
A.) Old school email & password OR B.) By using public & private keys?
What I understand from option B is that we need to enroll a user from the CA via the Fabric SDK. Once enrolment of the user is done, we can generate a unique password-phrase, like the same is happening in MetaMask. We can store that user info along with its username (the default username in fabric is user1, user2) with the password-phrase. During user login, it will ask for the user's private key or the unique password-phrase generated for its account. The certificates will be stored in hfc-keystore (the default dir used in Hyperledger Fabric). Whenever a transaction is executed by that user, say user akshay.sood, we will set the context of that user to fabric-client (Please correct me if I am wrong in this case).
Here, My questions/queries are:
1.) What do you prefer (email/password or private/public keys and why?).
2.) If you prefer the 2nd mechanism then how will you protect user keys and certificates stored in the hfc-keystore dir. I mean it can be hacked or data can be stolen by a hacker.
3.) How to recover user private/public key and certificate if it is deleted mistakenly from hfc-dir.
4.) Would you prefer using a password-phrase? If not, what do you prefer?
Edits are welcome.
Please let me know if you have any suggestion/improvements
Your question is a choice of your preference, convenience & business needs. You can use either or both approaches in combination. Asking the user to keep or manage his private keys calls for a managed wallet. However, IMHO, if you are concerned about leakage or loss of private keys then you would need a Hardware Security Module that is specifically designed for this purpose.
P.S. Fabric & its examples store the keys in hfc folder for simplicity, although not recommended in real cases.