Hyperledger Fabric private key using Fabric-CA server

I am new to Hyperledger Fabric. I am using the Hyperledger Fabric CA server to register the admin, user and peer. I have a few doubts:
1. When I create the admin using fabric-ca-client start --id admin:adminpw, it creates the config file and the msp folder in the home directory. Does msp contain the private key of admin?
2. If msp contains the private key, when we host the Fabric server live, do we still keep the msp folder in live/production? Will the private key be exposed? How does it work?
It would be helpful if someone could clarify my doubts.

1) When you use fabric-ca-client to enroll (fabric-ca-client enroll), it will create the private key in the msp/keystore directory.
2) If you do not want to expose the private key on the filesystem, you can store the private key in an HSM (Hardware Security Module) via PKCS11. See https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html?highlight=pkcs11#hsm for more details. If you don't have access to an HSM, then you should at a minimum encrypt the file system (if running in a cloud) and ensure that you set the file permissions to 0400 for the user you use to start your Fabric processes.
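An added example (not part of the answer above) that audits and then locks down the key file fabric-ca-client writes under <msp>/keystore, following the 0400 recommendation; the <msp> path and the *_sk key-file naming are assumptions matching fabric-ca-client's default layout.

```shell
# Return 0 if every file under <msp>/keystore is exactly 0400 and the directory
# itself is owner-only (0700); otherwise print the offenders and return 1.
check_msp_keystore() {
  ks="$1/keystore"
  [ -d "$ks" ] || { echo "missing keystore dir: $ks" >&2; return 1; }
  rc=0
  # the directory must be 0700 so other local users cannot even list the key name
  if [ -n "$(find "$ks" -maxdepth 0 -type d ! -perm 0700)" ]; then
    echo "keystore dir not 0700: $ks" >&2; rc=1
  fi
  # each private key file must be owner read-only (0400)
  bad=$(find "$ks" -type f ! -perm 0400)
  if [ -n "$bad" ]; then
    printf 'key file not 0400:\n%s\n' "$bad" >&2; rc=1
  fi
  # a *_sk file anywhere else in the MSP means a key was copied where it should not be
  stray=$(find "$1" -path "$ks" -prune -o -type f -name '*_sk' -print)
  if [ -n "$stray" ]; then
    printf 'private key outside keystore:\n%s\n' "$stray" >&2; rc=1
  fi
  return $rc
}

# Remediate: owner-only directory, read-only key files for the Fabric process user.
lock_msp_keystore() {
  ks="$1/keystore"
  [ -d "$ks" ] || return 1
  chmod 0700 "$ks" && find "$ks" -type f -exec chmod 0400 {} +
}
```

Run check_msp_keystore "$HOME/.fabric-ca-client/msp" (or whatever --mspdir you enrolled with) before starting the peer or orderer, and lock_msp_keystore on the same path if it reports findings.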

Related

Procedure of replacing a root CA cert with another one of a different key pair in a fabric network?

What is the procedure for replacing a root CA cert with another one of a different key pair?
Q-1: Is it required to follow the config update steps as we do in add/remove org, since the RCA needs to change?
(Understood that changing the RCA requires recreating all peers, nodes and identities as well.)
When we use the default setup of Fabric CA, it bootstraps the Fabric CA server with the bootstrap administrator: 'fabric-ca-server start -b admin:adminpw -d'
On enrolling the bootstrap administrator, it creates the following in msp: cacerts, keystore, signcerts (Set-A).
Now when we have to create identities it uses Set-A, and all such material is also bound to the genesis block, as the certificate is configured via the configtx file and stored in the channel config of Fabric.
Q-2: Now if we have to change the RCA's cacerts, keystore, signcerts (Set-B), what is the procedure to do that?
I have not found any guidelines or documents on this; it's just logically understood that if it is possible then maybe one follows similar steps as we do in add/remove orgs.
Q-3: But even if we replace all identities with the new RCA along with the RCA's cert, key pair etc., I don't think existing data may work?
If the live network already has X data, but the RCA's cacerts, keystore, signcerts and all identities got changed and the config was also updated the config-update way as we do in add/remove orgs so it has the new certificate info?

Hyperledger Fabric: Why doesn't cryptogen generate all the necessary crypto material to register new users?

I am using cryptogen to generate all of the crypto material for the Fabric network I am building. I can successfully bring the network up and deploy chaincode. However, I am running into problems when trying to register a new user. I am following along with the asset-transfer-private-data tutorial, and after deploying the chaincode, I run
fabric-ca-client register --caname ca.org1 --id.name org1-client --id.secret org1-password --id.type client --mspdir ./config/crypto-config/peerOrganizations/org1/msp
and get the error
2020/10/03 12:20:11 [INFO] Configuration file location: /home/user/network3.2/config/crypto-config/peerOrganizations/org1/fabric-ca-client-config.yaml
2020/10/03 12:20:11 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
There is no fabric-ca-client-config.yaml file. The mspdir I specify has the directories signcerts, keystore, and cacerts which, according to "Hyperledger Fabric: Enrollment check failed: Idemix enrollment information does not exist", are needed. However, both the signcerts and keystore directories are empty whereas they should include a public cert and a private key respectively.
How can I generate these files? Thanks.
For Idemix, you can use the idemixgen tool.
But both the cryptogen tool and the idemixgen tool are meant for testing purposes. For production use, you have to use Hyperledger Fabric CA.
cryptogen is a utility for generating Hyperledger Fabric key material. It is provided as a means of preconfiguring a network for testing purposes. It would normally not be used in the operation of a production network.
Link: https://hyperledger-fabric.readthedocs.io/en/release-2.2/commands/cryptogen.html?highlight=cryptogen#cryptogen
cryptogen is a utility to quickly allow you to generate crypto material to get things started. It does not have any direct ties to Fabric CA (intentionally).
The only thing you can do is to leverage the CA key pair generated for each organization (under the ca folder) as the root key pair used when starting up an instance of Fabric CA.

Hyperledger Fabric: same TLS certs used by both Peers and parent organization? (referencing the Test Network)

In the Hyperledger Fabric test network registration script*, the TLS certs and keys are copied from the Peer's MSP to the parent Organization's MSP (lines 63-71):
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt
mkdir -p ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca
cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
Does this mean that the Organization uses the same TLS certs and keys as the Peer?
If you add a second peer to the organization, would they (both peers and the parent organization) all use the same TLS key+cert?
*This script is used when Fabric CA is used instead of cryptogen to generate the necessary certificates.
Actually a peer organization MSP holds three elements:
Organization admin certificate under /admincerts
CA certificate, i.e. the certificate of the Certificate Authority that is in charge of issuing and signing all the certificates (peer, user ...) under this organization, under /cacerts
TLS CA certificate, which is like the CA certificate but is used to sign all the TLS certificates (peer, user ...) under this organization, under /tlscacerts
Whereas a peer MSP holds five elements:
The preceding three elements, which represent the authorities that signed its own certificates (/cacerts and /tlscacerts) and the authority with the right to perform operations (/admincerts)
Its own public key, which is under /signcerts
Its own private key that goes with its public key, which is under /keystore
So to answer your question: NO, organization and peer don't have the same MSP. Each peer has its own MSP (i.e. a public/private key pair which represents its unique identity, plus the CA certs that signed it).
And the organization has only the CA certs that signed every node identity in that organization.
So when you create another peer under this org (with the cryptogen tool for example), this peer will hold in its MSP its own unique identity but the same CA certs as the other peer.
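An added example (not part of the answer above) that checks a node MSP for the elements listed in the answer and confirms that the key under keystore/ is the private half of the certificate under signcerts/, the pairing the answer describes. It assumes openssl is installed and fabric-ca-client's layout of one key file in keystore and one PEM in signcerts; admincerts is only warned about, since NodeOUs can replace it.

```shell
# Return 0 when the node MSP is complete and its signing key matches its cert.
verify_node_msp() {
  msp="$1"; rc=0
  for d in cacerts tlscacerts signcerts keystore; do
    if [ ! -d "$msp/$d" ] || [ -z "$(find "$msp/$d" -type f)" ]; then
      echo "missing or empty: $msp/$d" >&2; rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1
  # fifth element in the answer; with NodeOUs enabled it may legitimately be absent
  [ -d "$msp/admincerts" ] || echo "note: no admincerts in $msp (fine with NodeOUs)" >&2
  key=$(find "$msp/keystore" -type f | head -n 1)
  cert=$(find "$msp/signcerts" -type f | head -n 1)
  # derive the public key (SubjectPublicKeyInfo PEM) from the private key and from the cert
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key" >&2; return 1; }
  cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
    || { echo "unreadable certificate: $cert" >&2; return 1; }
  # they must be byte-identical, otherwise this keystore does not belong to this identity
  [ "$kpub" = "$cpub" ] || { echo "keystore key does not match signcerts cert" >&2; return 1; }
}
```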

Hyperledger Fabric NodeOUs with CA Server Failed validating bootstrap block. MSP manager failed

setting up the MSP manager failed: administrators must be declared when no admin ou classification is set.
CA Server seems fine. I register and enroll caadmin, orgadmin, ordereradmin. I create the genesis.block with orgadmin. orgadmin has admin in OU. orderer has OU=orderer.
It seems to use the config.yaml, as it gives a WARN on Failed loading ClientOU certificate. (Just a warning and not required, per the docs).
But even though I set the AdminOUIdentifier:
# Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "admin"
and the OrgAdmin has OU=admin in the subject, it errors and says no admin ou is set.
What am I missing?
The OU definition needs to be set like you are doing, using the config.yaml file. You need to define the OUs for every MSP in your channel before creating the network. Then you start the network, such that the local MSPs (the MSP configurations of the nodes: peers and orderers) also get this config.yaml in their respective MSP directories.
This way, the NodeOUs will be enabled in the channel and the local MSPs of the nodes will also respect the same configuration.
If the NodeOUs are not set, then while creating the node containers, the MSP directory that you mount inside the respective nodes must have an admincerts sub-folder containing the certificate issued by the CA of that organization (or at least a valid certificate in the chain of trust for that organization's MSP).
NOTE: If admincerts has been configured, i.e. the NodeOUs are disabled, then the Hyperledger Fabric network will recognize only the identity of that organization holding the certificate present in the admincerts directory as the admin of that organization.
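An added example (not part of the answer above) with two helpers: one writes a complete NodeOUs config.yaml in the layout the Fabric MSP documentation uses, so the admin OU classification is actually enabled rather than only partially set as in the question's snippet; the other reports which admin source a given MSP directory offers, mirroring the rule behind the "administrators must be declared" error. The grep-based check is an approximation of Fabric's YAML parsing, and the cacerts file name is a parameter because fabric-ca-client names it after the CA host.

```shell
# Write config.yaml enabling NodeOUs for all four roles; $2 is the cacerts file name.
write_nodeous_config() {
  cat > "$1/config.yaml" <<EOF
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/$2
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/$2
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/$2
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/$2
    OrganizationalUnitIdentifier: orderer
EOF
}

# Print "nodeous" when config.yaml enables NodeOUs and declares AdminOUIdentifier,
# "admincerts" when an admincerts folder with at least one PEM exists instead,
# and return 1 (the MSP would fail to load) when neither is present.
msp_admin_source() {
  msp="$1"; cfg="$msp/config.yaml"
  if [ -f "$cfg" ] \
     && grep -Eq '^[[:space:]]*Enable:[[:space:]]*true' "$cfg" \
     && grep -Eq '^[[:space:]]*AdminOUIdentifier:' "$cfg"; then
    echo nodeous; return 0
  fi
  if [ -d "$msp/admincerts" ] && [ -n "$(find "$msp/admincerts" -type f -name '*.pem')" ]; then
    echo admincerts; return 0
  fi
  echo "no admin OU classification and no admincerts in $msp" >&2
  return 1
}
```

Place the generated config.yaml in the org MSP used for the genesis block and in every node's local MSP, as the answer says, then enroll the org admin with an OU=admin certificate.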

How to create a connection profile for Hyperledger Composer manually

I'm trying to deploy a developed network with Composer on the first-network sample. I have set the connection profile but it's not enough because I have to set the Composer credentials. I have tried to use the credentials of the development environment (I have added the roles of ChannelAdmin and PeerAdmin) but it fires the following error when I try to deploy the network:
Error: Error trying login and get user Context. Error: Private key missing from the key store. Can not establish the signing identity for user PeerAdmin
I have searched for information and there are two users on the peer node, Admin@org1.example.com and User1@org1.example.com, where there are 3 files: ca.crt, server.crt and server.key.
I have read the steps for creating a new ID card, but they use the Playground environment on the website and I need to do it manually for Composer. So, what steps should I follow to create/update a connection profile for the first-network sample?
Thank you
My file:
{
"name":"PeerAdmin",
"mspid":"Org1MSP",
"roles":["PeerAdmin", "ChannelAdmin"],
"affiliation":"",
"enrollmentSecret":"",
"enrollment":{
"signingIdentity":"114aab0e76bf0c78308f89efc4b8c9423e31568da0c340ca187a9b17aa9a4457",
"identity":{
"certificate":"-----BEGIN CERTIFICATE-----\n
MIICGjCCAcCgAwIBAgIRANuOnVN+yd/BGyoX7ioEklQwCgYIKoZIzj0EAwIwczEL\n
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG\n
cmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh\n
Lm9yZzEuZXhhbXBsZS5jb20wHhcNMTcwNjI2MTI0OTI2WhcNMjcwNjI0MTI0OTI2\n
WjBbMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN\n
U2FuIEZyYW5jaXNjbzEfMB0GA1UEAwwWQWRtaW5Ab3JnMS5leGFtcGxlLmNvbTBZ\n
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABGu8KxBQ1GkxSTMVoLv7NXiYKWj5t6Dh\n
WRTJBHnLkWV7lRUfYaKAKFadSii5M7Z7ZpwD8NS7IsMdPR6Z4EyGgwKjTTBLMA4G\n
A1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMCsGA1UdIwQkMCKAIBmrZau7BIB9\n
rRLkwKmqpmSecIaOOr0CF6Mi2J5H4aauMAoGCCqGSM49BAMCA0gAMEUCIQC4sKQ6\n
CEgqbTYe48az95W9/hnZ+7DI5eSnWUwV9vCd/gIgS5K6omNJydoFoEpaEIwM97uS\n
XVMHPa0iyC497vdNURA=\n
-----END CERTIFICATE-----\n"
}
}
}
To create a profile, you use the composer CLI tool. You have to execute the following command:
composer identity import -p hlfv1 -u Admin -c ../Downloads/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem -k ../Downloads/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/072d0b5a2dfc61beb8120736a9aa836f5046148dcba178ba52d57a4e26def8b6_sk
I see you're using the sample Developer environment. Why not just go into the fabric-tools directory (you downloaded) and run ./createComposerProfile.sh? It will import the required crypto material into the Composer credentials directory for the dev setup, and that represents a channel admin and admin for the peer of the development Fabric server.
Here's a workaround:
create a Blockchain Starter Plan on IBM Cloud
define the peers & channels as you wish from the UI
click download the connection profile
the downloaded file contains all the information about the Fabric, including the public/private keys and enrollmentSecret.