Running Fabric CA natively - Could not find default `PKCS11` BCCSP - hyperledger-fabric

Attempting to configure HSM according to:
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-an-hsm
but trying to do so running the Fabric CA Server as a systemd service according to:
https://upcloud.com/community/tutorials/hyperledger-fabric-systemd/
I followed a combo of the above link and this link:
https://gist.github.com/AkshayCHD/f7c96175dca1e5ab8d5785a3af0d5692
BUT I built it with "GO_TAGS=pkcs11 make fabric-ca-server" according to this:
https://jira.hyperledger.org/browse/FAB-13458
I installed SoftHSM according to the below link and can initialize the token:
https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2#SoftHSMDocumentationv2-Download
I initialize the server before starting so I can edit the fabric-ca-server-config.yaml with the appropriate PKCS11 data.
I can start the server/service fine without PKCS11 but when I edit the fabric-ca-server-config.yaml file to the below it never works.
INTERESTINGLY when I switch the default to "SW" I receive:
Error: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /home/ubuntu/softhsm/SoftHSMv2/src/lib/.libs/libsofthsm2.so ForFabric: Could not get Slot List [pkcs11: 0x190: CKR_CRYPTOKI_NOT_INITIALIZED]]
BUT when I have "default: PKCS11" I get this error:
Could not find default PKCS11 BCCSP
I have read this https://jira.hyperledger.org/browse/FAB-9595 but AGAIN I'm not using Docker.
Any help or pointers in the right direction would be appreciated.
Relevant output:
bccsp:
    default: PKCS11
    pkcs11:
        Library: /home/ubuntu/softhsm/SoftHSMv2/src/lib/.libs/libsofthsm2.so
        Pin: 98765432
        Label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
fabric-ca-server:
 Version: 2.0.0-snapshot-d780eb0
 Go version: go1.13.5
 OS/Arch: linux/amd64

After executing GO_TAGS=pkcs11 make fabric-ca-server, remember to remove the original fabric-ca-server binary and put the newly built binary in path/to/go/bin

The issue encountered was a combination of creating the tokens as one user and starting the service as another (sudo). Creating the token and starting the Fabric CA server as root (sudo -i) solved this issue.
root@ip-172-31-85-208:~/fab-ca/server# fabric-ca-server start -b admin:adminpw
2020/01/10 17:57:31 [INFO] Configuration file location: /root/fab-ca/server/fabric-ca-server-config.yaml
2020/01/10 17:57:31 [INFO] Starting server in home directory: /root/fab-ca/server
2020/01/10 17:57:31 [INFO] Server Version: 2.0.0-snapshot-d780eb0
2020/01/10 17:57:31 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2020/01/10 17:57:31 [INFO] The CA key and certificate already exist
2020/01/10 17:57:31 [INFO] The key is stored by BCCSP provider 'PKCS11'
2020/01/10 17:57:31 [INFO] The certificate is at: /root/fab-ca/server/ca-cert.pem
2020/01/10 17:57:31 [INFO] Initialized sqlite3 database at /root/fab-ca/server/fabric-ca-server.db
2020/01/10 17:57:31 [INFO] The Idemix issuer public and secret key files already exist
2020/01/10 17:57:31 [INFO] secret key file location: /root/fab-ca/server/msp/keystore/IssuerSecretKey
2020/01/10 17:57:31 [INFO] public key file location: /root/fab-ca/server/IssuerPublicKey
2020/01/10 17:57:31 [INFO] The Idemix issuer revocation public and secret key files already exist
2020/01/10 17:57:31 [INFO] private key file location: /root/fab-ca/server/msp/keystore/IssuerRevocationPrivateKey
2020/01/10 17:57:31 [INFO] public key file location: /root/fab-ca/server/IssuerRevocationPublicKey
2020/01/10 17:57:31 [INFO] Home directory for default CA: /root/fab-ca/server
2020/01/10 17:57:31 [INFO] Operation Server Listening on 127.0.0.1:9443
2020/01/10 17:57:31 [INFO] Listening on http://0.0.0.0:7054

Related

peer node start throwing Could not find default pkcs11 BCCSP error

I am trying to run Hyperledger fabric peer with SoftHSM enabled. Fabric-ca-server is already running with SoftHSM enabled and all the certificates are generated with HSM enabled.
Initially, when I was trying to run fabric-ca-server, it was throwing the same error: Could not find default PKCS11 BCCSP.
Then I found some people suggesting building from source code, and that fixed the error.
Now I am facing the same error when I run the peer node start command to bootstrap the peer.
The BCCSP content on core.yaml is below:
# BCCSP (Blockchain crypto provider): Select which crypto implementation or
# library to use
BCCSP:
    Default: PKCS11
    # Settings for the SW crypto provider (i.e. when DEFAULT: SW)
    SW:
        # TODO: The default Hash and Security level needs refactoring to be
        # fully configurable. Changing these defaults requires coordination
        # SHA2 is hardcoded in several places, not only BCCSP
        Hash: SHA2
        Security: 256
        # Location of Key Store
        FileKeyStore:
            # If "", defaults to 'mspConfigPath'/keystore
            KeyStore:
    # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
    PKCS11:
        # Location of the PKCS11 module library
        Library: /usr/local/lib/softhsm/libsofthsm2.so
        # Token Label
        Label: ForFabric
        # User PIN
        Pin: 98765432
        Hash: SHA2
        Security: 256
        FileKeyStore:
            KeyStore: /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp/keystore
The error when I run peer node start:
$ peer node start
2018-12-28 14:48:50.508 IST [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp: could not initialize BCCSP Factories: Failed initializing BCCSP.: Could not initialize BCCSP SW [Failed to initialize software key store: An invalid KeyStore path provided. Path cannot be an empty string.]
Could not find default `PKCS11` BCCSP
I am using the following peer version:
$ peer version
peer:
 Version: 1.4.0
 Commit SHA: 9cd9fce
 Go version: go1.11.2
 OS/Arch: linux/amd64
 Chaincode:
  Base Image Version: 0.4.14
  Base Docker Namespace: hyperledger
  Base Docker Label: org.hyperledger.fabric
  Docker Namespace: hyperledger
There were two issues:
1) Make sure to delete the SW: section under BCCSP in core.yaml
2) By default, the peer binary and Docker image are both built without support for PKCS11. You can build the peer binary yourself using GO_TAGS=pkcs11 make peer
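The two threads above end in the same "Could not find default PKCS11 BCCSP" error for different reasons: a binary built without the pkcs11 tag, an SW section left in core.yaml with an empty KeyStore, and, in the first thread, a library and token that the service account could not read. The Go program below is an added example, not code from Fabric or from either thread. It reads only the bccsp section of a fabric-ca-server-config.yaml or core.yaml with a small indentation-based parser (a YAML subset sufficient for these files, not a full YAML parser) and reports the conditions that produce the errors quoted above. Whether the binary was built with GO_TAGS=pkcs11 cannot be read from the file, so the caller states it as the second argument. Run it as the account the service runs under, because the library check uses that account's permissions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// node is one key in a minimal indentation-based YAML subset (nested maps of scalars),
// enough for the bccsp sections of fabric-ca-server-config.yaml and core.yaml.
type node struct {
	value    string
	children map[string]*node
}

// parseConfig parses "key: value" lines nested by indentation. Keys are lower-cased
// because Fabric's config lookup is case-insensitive (bccsp vs BCCSP both occur above).
func parseConfig(text string) *node {
	root := &node{children: map[string]*node{}}
	type frame struct {
		indent int
		n      *node
	}
	stack := []frame{{-1, root}}
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		if strings.TrimSpace(line) == "" || strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // blank line or comment-only line
		}
		if i := strings.Index(line, " #"); i >= 0 {
			line = strings.TrimRight(line[:i], " \t") // trailing comment
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		key, value, _ := strings.Cut(strings.TrimSpace(line), ":")
		for len(stack) > 1 && indent <= stack[len(stack)-1].indent {
			stack = stack[:len(stack)-1] // dedent: leave the current map
		}
		n := &node{value: strings.TrimSpace(value), children: map[string]*node{}}
		stack[len(stack)-1].n.children[strings.ToLower(strings.TrimSpace(key))] = n
		stack = append(stack, frame{indent, n})
	}
	return root
}

// get walks a key path and returns the node, or nil if any step is missing.
func (n *node) get(path ...string) *node {
	cur := n
	for _, k := range path {
		if cur == nil {
			return nil
		}
		cur = cur.children[strings.ToLower(k)]
	}
	return cur
}

func (n *node) str() string {
	if n == nil {
		return ""
	}
	return n.value
}

// checkBCCSP reports misconfigurations that produce the errors quoted in the threads.
// pkcs11Built says whether the binary was built with GO_TAGS=pkcs11 (caller's assumption).
func checkBCCSP(cfg *node, pkcs11Built bool) []string {
	var findings []string
	bccsp := cfg.get("bccsp")
	if bccsp == nil {
		return []string{"no bccsp section found"}
	}
	switch def := strings.ToUpper(bccsp.get("default").str()); def {
	case "PKCS11":
		if !pkcs11Built {
			findings = append(findings, "default is PKCS11 but the binary lacks pkcs11 support (expect 'Could not find default PKCS11 BCCSP'); rebuild with GO_TAGS=pkcs11")
		}
		p := bccsp.get("pkcs11")
		if p == nil {
			findings = append(findings, "default is PKCS11 but no pkcs11 section is present")
			break
		}
		if lib := p.get("library").str(); lib == "" {
			findings = append(findings, "pkcs11.library is not set")
		} else if _, err := os.Stat(lib); err != nil {
			findings = append(findings, fmt.Sprintf("pkcs11.library %q is not accessible to this user: %v", lib, err))
		}
		if p.get("label").str() == "" || p.get("pin").str() == "" {
			findings = append(findings, "pkcs11.label and pkcs11.pin must both be set")
		}
	case "SW":
		if bccsp.get("sw") == nil {
			findings = append(findings, "default is SW but no sw section is present")
		}
	case "":
		findings = append(findings, "bccsp.default is not set")
	default:
		findings = append(findings, "unknown bccsp.default "+def)
	}
	// Every configured provider is initialized, not only the default one, so an SW
	// section with an empty keystore breaks startup even when PKCS11 is the default.
	if sw := bccsp.get("sw"); sw != nil && sw.get("filekeystore", "keystore").str() == "" {
		findings = append(findings, "sw.filekeystore.keystore is empty (expect 'Path cannot be an empty string'); set it or remove the sw section")
	}
	return findings
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: bccspcheck <config.yaml> <built-with-pkcs11: true|false>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, f := range checkBCCSP(parseConfig(string(data)), os.Args[2] == "true") {
		fmt.Println("-", f)
	}
}
```

Against the core.yaml from the second thread and a stock peer build, the checker reports all three problems at once (no pkcs11 support, empty SW keystore, and the library path if it is not readable); against the first thread's config, with the library readable and the binary rebuilt, it reports nothing, which is the state the accepted answer reached by creating the token and starting the server as the same user.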

fabric CA client user enrolment authorisation failure

I am trying to enroll admin after initialising fabric CA server with:
fabric-ca-server init -b “admin:adminpw”
And starting CA server with:
fabric-ca-server start -b “admin:adminpw”
At client-side, enroll command:
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
Client-side error message:
[INFO] generating key: &{A:ecdsa S:256}
[INFO] encoded CSR
Error: Response from server: Error Code: 20 - Authorization failure
Server-side:
fabric-ca-server start -b “admin:adminpw”
2018/08/27 14:48:57 [INFO] Configuration file location: /home/nadeem/Documents/Fabric-CA/server/fabric-ca-server-config.yaml
2018/08/27 14:48:57 [INFO] Starting server in home directory: /home/nadeem/Documents/Fabric-CA/server
2018/08/27 14:48:57 [INFO] Server Version: 1.2.1-snapshot-3bcdbb2
2018/08/27 14:48:57 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/08/27 14:48:57 [INFO] The CA key and certificate already exist
2018/08/27 14:48:57 [INFO] The key is stored by BCCSP provider 'SW'
2018/08/27 14:48:57 [INFO] The certificate is at: /home/nadeem/Documents/Fabric-CA/server/ca-cert.pem
2018/08/27 14:48:57 [INFO] Initialized sqlite3 database at /home/nadeem/Documents/Fabric-CA/server/fabric-ca-server.db
2018/08/27 14:48:57 [INFO] Home directory for default CA: /home/nadeem/Documents/Fabric-CA/server
2018/08/27 14:48:57 [INFO] Listening on http://0.0.0.0:7054
***2018/08/27 14:49:34 [INFO] 127.0.0.1:46350 POST /enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"***
fabric-ca-client/server:
 Version: 1.2.1-snapshot-3bcdbb2
 Go version: go1.11
 OS/Arch: linux/amd64
Found similar post here:
https://jira.hyperledger.org/browse/FABC-302
It is marked resolved with v1.2 but there are no clear instructions on how to resolve it now.
Thanks :)
I've been trying to make Fabric-CA work for a while.
The best advice I can give you is to take off the "" around the admin credentials before you start. I do not put them and it works for me.
So the commands would be:
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -b admin:adminpw
This error message appears when the account and password used when the CA starts are not the same as the ones you use for enroll.
Error Code: 20 - Authorization failure
Error code 20 arises under the following condition.
Suppose you have registered the identity like this:
fabric-ca-client register --id.name org1 --id.type client --id.affiliation org1 --id.attrs '"hf.Registrar.Roles=user,client,peer","hf.AffiliationMgr=true","hf.Revoker=true"'
which gives you the output
2020/02/05 11:19:25 [INFO] Configuration file location: /home/username/myPros/caclient/admin/fabric-ca-client-config.yaml
Password: ZXCbhJajCObX
and you are trying to enroll the user/identity like this:
fabric-ca-client enroll -u http://org1-admin:ZXCbhJajCObX@localhost:7054
or
fabric-ca-client enroll -u http://org1-admin:adminpw@localhost:7054
Long story short, either your enrollment ID or your password is mismatched. Make sure that your username and password are not mismatched.
Possibly during init. Look in your fabric-ca-server-config.yaml file for these quotation marks and remove them. Do not use them during init or enroll.
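The answers above point at two mismatches: quotes that became part of the bootstrap identity, and an enrollment ID or secret that differs from what the server stored. The Go snippet below is an added example, not fabric-ca-client code: it applies those two checks to the -b and -u values, and it also encodes and decodes the Basic Authorization header the client sends (the header quoted in the TLS thread further down this page decodes to admin:adminpw), which is why enrolling over http:// rather than https:// matters beyond the question asked here. The finding texts are this example's own wording; the "Error Code: 20" reference is the server response quoted in the thread.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// quoteChars are the straight and curly quotes that end up inside a credential when a
// quoted value is pasted into -b or -u.
const quoteChars = "\"'\u201c\u201d"

// checkBootstrap inspects the `-b user:secret` value the server was started with.
func checkBootstrap(b string) []string {
	var f []string
	if strings.ContainsAny(b, quoteChars) {
		f = append(f, "bootstrap value contains quote characters; they become part of the identity name or secret")
	}
	user, secret, ok := strings.Cut(strings.Trim(b, quoteChars), ":")
	if !ok || user == "" || secret == "" {
		f = append(f, "bootstrap value must have the form user:secret")
	}
	return f
}

// checkEnrollURL inspects the `-u` URL the client enrolls with and compares its
// credentials with the bootstrap value the server actually stored (quotes included).
func checkEnrollURL(raw, bootstrap string) []string {
	var f []string
	if strings.ContainsAny(raw, quoteChars) {
		f = append(f, "enrollment URL contains quote characters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return append(f, "enrollment URL does not parse: "+err.Error())
	}
	if u.User == nil {
		return append(f, "enrollment URL carries no user:secret before the @")
	}
	secret, _ := u.User.Password()
	if u.User.Username()+":"+secret != bootstrap {
		f = append(f, "enrollment ID or secret differs from the bootstrap identity (server answers Error Code: 20 - Authorization failure)")
	}
	if u.Scheme != "https" {
		f = append(f, "scheme is "+u.Scheme+": the Basic Authorization header crosses the network in cleartext")
	}
	return f
}

// basicAuthHeader is what the client puts in the Authorization header for user:secret.
func basicAuthHeader(user, secret string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+secret))
}

// decodeBasic reverses it: Basic auth is encoding, not encryption, so anyone who can
// read the HTTP exchange (or a log that echoes it) recovers the secret.
func decodeBasic(header string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	return string(b), err
}

func main() {
	// Constructed inputs mirroring the thread: a quoted -b value and a mismatched -u.
	for _, f := range checkBootstrap("\u201cadmin:adminpw\u201d") {
		fmt.Println("-", f)
	}
	for _, f := range checkEnrollURL("http://org1-admin:ZXCbhJajCObX@localhost:7054", "admin:adminpw") {
		fmt.Println("-", f)
	}
	creds, _ := decodeBasic("Basic YWRtaW46YWRtaW5wdw==")
	fmt.Println("header decodes to:", creds)
}
```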

TLS error enrolling with Fabric CA Client

I prepared a multi-organization environment with Fabric CA by following this tutorial. The tutorial itself worked with no problem.
Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations)
https://hyperledger.github.io/composer/unstable/tutorials/deploy-to-fabric-multi-org.html
In this environment, I'm trying Fabric CA client commands on both ca_peerOrg1 and the host environment. I copied the TLS crt, public key and private key from crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/ and tried the following command, but I got the error "x509: certificate is valid for ca.org1.example.com, not localhost".
linux1@fabric:~$ fabric-ca-client enroll --caname ca-org1 --tls.certfiles ca.crt --tls.client.certfile Admin@org1.example.com-cert.pem --tls.client.keyfile 0dbfd9d156b90331e6bc4a0529e07cb123f7de586935019499623062f182a8fa_sk -u https://admin:adminpw@localhost:7054
2017/12/19 16:34:35 [INFO] User provided config file: /home/linux1/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/12/19 16:34:35 [INFO] generating key: &{A:ecdsa S:256}
2017/12/19 16:34:35 [INFO] encoded CSR
2017/12/19 16:34:35 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["fabric"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBOzCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI8Y4aR/YxeyMXIQ3\nHGydrTLaoI+6tZ57ho1uv6gNonbFfftE7lrdsIbL8d8QLimztDjtqkg6rk612nso\nD66M9aAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGZmFicmljMAoGCCqG\nSM49BAMCA0cAMEQCIH9u2w9xO43Ba5rJ1SCKgtEFfokj1DKhg2cHjnbu8ucEAiBn\nwZKjjSbQage+ElofYbgagWpuCFz0t57Zwycz22M00w==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":"ca-org1"}
linux1@fabric:~$
How can I avoid this error? Looking at the tutorial, I realized that the Composer connection profile has a configuration like "hostnameOverride": "ca.org1.example.com". I guess I need to do the same kind of thing for fabric-ca-client.
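The mechanism the asker guessed at is a server-name override: keep certificate verification on, but check the certificate against the name it was issued for while the socket goes to localhost. The Go program below is an added example, not code from the tutorial, from Fabric or from fabric-ca-client, and it does not show the fabric-ca-client flag for this (which is not on this page). It generates a throwaway certificate for ca.org1.example.com, serves it on a loopback HTTPS listener that answers every /enroll with 401 (a stand-in for a CA that would check the credentials), then connects twice: once verifying against "localhost", which reproduces the x509 error above, and once with ServerName set to the certificate's name, which succeeds. Turning verification off would also make the error disappear, but then the client would accept any certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newServerCert builds a self-signed TLS certificate whose only DNS SAN is dnsName.
// It stands in for the Fabric CA's TLS certificate (constructed here, not taken from
// any crypto-config directory). The returned pool plays the role of --tls.certfiles.
func newServerCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// postEnroll sends a POST to url over TLS. serverName is the name checked against the
// server certificate; the socket itself goes wherever url says. Verification stays on.
func postEnroll(url string, pool *x509.CertPool, serverName string) (int, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}}
	resp, err := (&http.Client{Transport: tr}).Post(url, "application/json", strings.NewReader("{}"))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// Outcome records both attempts against the same loopback server.
type Outcome struct {
	MismatchErr    error // verifying against "localhost", as the failing command did
	OverrideStatus int   // HTTP status when verifying against the certificate's name
	OverrideErr    error
}

// runScenario starts a loopback HTTPS server with a certificate for caHost and
// enrolls against it twice, once per verification name.
func runScenario(caHost string) (Outcome, error) {
	cert, pool, err := newServerCert(caHost)
	if err != nil {
		return Outcome{}, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized) // stand-in: a real CA would check credentials here
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/enroll" // https://127.0.0.1:<port>/enroll

	var out Outcome
	_, out.MismatchErr = postEnroll(url, pool, "localhost")
	out.OverrideStatus, out.OverrideErr = postEnroll(url, pool, caHost)
	return out, nil
}

func main() {
	out, err := runScenario("ca.org1.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("verified as localhost:", out.MismatchErr)
	fmt.Println("verified as ca.org1.example.com: status", out.OverrideStatus, "err", out.OverrideErr)
}
```

The first attempt fails inside the TLS handshake with the same "certificate is valid for ca.org1.example.com, not localhost" message the asker saw; the second completes the handshake and reaches the application-level 401, which is where the credential checks of the earlier threads take over.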

Hyperledger Fabric Client Registration failed

I am new to Hyperledger Fabric and I am trying to register the Fabric client with the server locally. Here is what I have done so far.
go get -u github.com/hyperledger/fabric-ca/cmd/...
fabric-ca-server start -b admin:adminpw
After that I got the logs:
2017/12/11 13:26:09 [INFO] Home directory for default CA: /home/akash/fabric-demo
2017/12/11 13:26:09 [INFO] Listening on http://0.0.0.0:7054
Then I tried to register the Fabric client with the server by using the following commands:
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
and I got the following logs:
2017/12/11 13:28:48 [INFO] Stored client certificate at /home/akash/fabric-ca/clients/admin/msp/signcerts/cert.pem
2017/12/11 13:28:48 [INFO] Stored CA root certificate at /home/akash/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
But when I tried to register the client, I got the following error:
fabric-ca-client register --id.name admin --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert'
2017/12/11 13:37:05 [INFO] Configuration file location:
/home/akash/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Error: Error response from server was: Authorization failure
On the fabric-ca-server side I got the following logs:
2017/12/11 13:37:05 [ERROR] No certificates found for provided serial and aki
Can anyone tell me what I am doing wrong here?
The sequence to obtain new user certificates is to 1) register and then 2) enroll.
For the bootstrap admin (enrollment id:admin) this is already registered when the CA server is started (thus providing the secret when starting the instance). As such, you are able to run the enroll command for admin.
Not too sure what you are trying to do here, but if you are:
1) trying to register a new user. You have to use a new unique enrollment id (not admin)
2) updating the affiliation of the admin enrollment id, refer to the fabric-ca-client command to update an identity (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html)

Fabric-Ca server setup issue

I am using the given link for exploring the fabric-ca
http://fabric-ca.readthedocs.io/en/latest/users-guide.html
Following the content in the link, I am trying to setup fabric-ca-server with mysql as DB and I am specifying the below config for the same in the fabric-ca-server-config.yaml
db:
    type: mysql
    datasource: root:**123#@tcp(localhost:3306)/fabric_ca?parseTime=true
    tls:
        enabled: false
        certfiles:
            - db-server-cert.pem
        client:
            certfile: db-client-cert.pem
            keyfile: db-client-key.pem
I do not pass the argument tls=custom in 'datasource' above, as I am not using TLS.
Upon server startup I get:
root@Openwhisk-Node2-172:~/fabric-ca/fabric-ca-server# fabric-ca-server start -b admin:adminpw
2017/09/05 15:25:17 [INFO] Configuration file location: /root/fabric-ca/fabric-ca-server/fabric-ca-server-config.yaml
2017/09/05 15:25:17 [INFO] Starting server in home directory: /root/fabric-ca/fabric-ca-server
2017/09/05 15:25:17 [INFO] The CA key and certificate already exist
2017/09/05 15:25:17 [INFO] The key is stored by BCCSP provider 'SW'
2017/09/05 15:25:17 [INFO] The certificate is at: /root/fabric-ca/fabric-ca-server/ca-cert.pem
2017/09/05 15:25:17 [INFO] Initialized mysql database at root:Nokia123#@tcp(localhost:3306)/fabric_ca?parseTime=true
2017/09/05 15:25:17 [INFO] Home directory for default CA: /root/fabric-ca/fabric-ca-server
2017/09/05 15:25:17 [INFO] Listening on %!s(int=7054)%!(EXTRA string=http://0.0.0.0:7054)
but when I try to use the client to enroll the bootstrap identity, I get:
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2017/09/05 15:27:40 [INFO] User provided config file: /root/fabric-ca/fabric-ca-client1/admin/fabric-ca-client-config.yaml
2017/09/05 15:27:40 [INFO] Created a default configuration file at /root/fabric-ca/fabric-ca-client1/admin/fabric-ca-client-config.yaml
2017/09/05 15:27:40 [INFO] generating key: &{A:ecdsa S:256}
2017/09/05 15:27:40 [INFO] encoded CSR
Error: Error response from server was: Authorization failure
The database is up.
I have also created a database with name fabric_ca
NO_ZERO_DATE related changes are also done
Kindly help. Let me know if I have missed some steps or done something wrong.
If you actually created the database prior to running the fabric-ca-server, that's likely the issue. The code currently just checks to see if the database exists. If it exists, then it does not run any of the SQL setup scripts. So the best bet is to just start with a clean MySQL which does not have any database instance created.
