When we are deploying our Hyperledger network, where are the identities of the user and admin stored, and how is the user authenticated?
In Hyperledger Fabric there are three identities in total:
CA-Admin: certificate authority admin
command: sh -c 'fabric-ca-server start -b nbdadmin:nbdpw -d'
Org-Admin: we will register and enroll this admin and submit it to all MSPs
User: normal user
Storage:
User certs can be stored in a KVS (file store) or a data store (CouchDB)
Note: I've tried to keep things as simple as possible in this question, as that is as far as my knowledge goes. Any form of help is appreciated.
I'm new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as Certificate Authority.
I verify that I get a krbtgt with klist, using the credentials of the Certificate Admin.
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM@MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096 \
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
The only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for the web host.
Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
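As an added example (not part of the question or the answer above), here is a small POSIX shell helper that triages `getcert list` output: it prints the ID of every request the CA rejected together with its ca-error, and maps the "Insufficient 'write' privilege to the 'userCertificate'" case onto the managed-by fix the answer gives. The sample output is constructed from the output shown in the question; the second, healthy request and the wording of explain_rejection are my own.

```shell
#!/bin/sh
# Added example (not from the answer above): triage `getcert list` output and
# surface requests that the IPA CA rejected, so a "stuck: yes / CA_REJECTED"
# request like the one in the question is caught with its ca-error intact.

# Constructed sample modelled on the output in the question; the second request
# is made up to show that healthy requests are filtered out.
sample_getcert_output() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
    stuck: yes
    key pair storage: type=FILE,location='/tmp/test.key'
    certificate: type=FILE,location='/tmp/test.cert.pem'
    CA: IPA
    track: yes
    auto-renew: yes
Request ID '20220105120000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/www.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/www.pem'
    CA: IPA
    track: yes
    auto-renew: yes
EOF
}

# Read `getcert list` output on stdin; print "<request id><TAB><ca-error>" for
# every request whose status is CA_REJECTED. Each "Request ID" line starts a
# new record, so the previous record is flushed when the next begins and at EOF.
rejected_requests() {
  awk '
    function flush() {
      if (id != "" && status == "CA_REJECTED") printf "%s\t%s\n", id, err
    }
    /^Request ID /     { flush(); id = $3; gsub(/[^0-9A-Za-z_-]/, "", id); status = ""; err = "" }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
    END                { flush() }
  '
}

# Map the rejection seen in the question onto the fix from the answer: an
# "Insufficient 'write' privilege to the 'userCertificate' attribute" error
# means the requesting host is not allowed to manage the service, i.e. it is
# missing from the service's managed-by hosts (ipa service-add-host ...).
explain_rejection() {
  case $1 in
    *"Insufficient 'write' privilege to the 'userCertificate'"*)
      echo "requesting host may not manage this service; add it with ipa service-add-host" ;;
    *) echo "see ca-error above" ;;
  esac
}

# Demo run on the constructed sample.
sample_getcert_output | rejected_requests | while IFS="$(printf '\t')" read -r id err; do
  echo "request $id rejected: $(explain_rejection "$err")"
done
```

Pipe real output in with `getcert list | rejected_requests`; the tab-separated output is easy to feed into a monitoring check that alerts on any stuck request rather than waiting for the certificate to go missing.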
I know the problem "This identity is not an admin" is widely reported, but this is a specific case. I have read a lot of issues here and at Jira and I see no problem close to mine.
What I am trying to do is to join a channel from a peer in a full custom Hyperledger 1.4 network where I have not used cryptogen. The problem I am getting is exactly this one:
2019-09-25 14:02:43.340 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][global]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
I know that I have to use an admin identity to make the channel connection proposal, which I am doing by enrolling as the org admin. Once that is done, I just join the peer (code below). Of course, the CORE_PEER_ variables are correctly set and ADMIN_NAME and ADMIN_PASSWORD exist.
# Get admin identity
ORG_ADMIN_HOME=/data/orgs/${ORG}/admin
ORG_ADMIN_CERT=/data/orgs/${ORG}/msp/admincerts/cert.pem
if [[ ! -d ${ORG_ADMIN_HOME} ]]; then
echo "[INFO] Enrolling admin '${ADMIN_NAME}' with ${CA_NAME} ..."
export FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_HOME}
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
mkdir -p $(dirname "${ORG_ADMIN_CERT}")
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_CERT}
mkdir ${ORG_ADMIN_HOME}/msp/admincerts
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
fi
export CORE_PEER_MSPCONFIGPATH=${ORG_ADMIN_HOME}/msp
# Join channel
peer channel join -b ${GENESIS_FILE}
I got the admin identity by registering it beforehand with another script that does the following:
# Enroll CA Admin
export FABRIC_CA_CLIENT_HOME=$HOME/cas/${CA_NAME}
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Register ORG Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
My question is: if I registered the Org Admin and I am able to enroll as it, why do I get the "This identity is not an admin" error? Does that make any sense?
Thank you
EDIT: What I am doing right now (it is reduced, not a direct copy of the code, so there are some changes, mainly related to paths and folders).
I run a container called register-org that does the following:
# Enroll as CA Admin
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Get CA Certs
fabric-ca-client getcacert -d -u https://${CA_URL} -M ${ORG_MSP_DIR}
# Register Org Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
# I download then ${ORG_ADMIN_HOME}/msp/admincerts/cert.pem and save it
The next container is the peer itself, where I do:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Generate Server TLS Key and Certs
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Generate Client TLS Key and Certificate
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Enroll peer
fabric-ca-client enroll -d -u ${ENROLLMENT_URL} -M ${CORE_PEER_MSPCONFIGPATH}
# Start peer
peer node start
Finally, I run the join-peer-channel container, where I do:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASS}@${CA_URL}
# Join the channel
peer channel join -b ${GENESIS_FILE}
# AND IT FAILS AGAIN.
Are you sure that the admin's certificate is really in the peer's admin folder?
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
Are you doing this inside the peer container/VM?
We get this error whenever we try to run fabric-ca-client. Example below:
# fabric-ca-client register --url https://ica-org:7054 --id.name user-org --id.affiliation=org
2019/03/19 20:18:07 [INFO] Configuration file location: /home/fabric-ca-client-config.yaml
2019/03/19 20:18:07 [INFO] TLS Enabled
2019/03/19 20:18:07 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
How can we fix this?
This happens when fabric-ca-client cannot find any X509 or Idemix identity. fabric-ca-client needs to be initialized with an identity (except when it's being used to enroll a user). It first tries to load an X509 identity from the mspdir location specified in the fabric-ca-client-config.yaml file or by the -M command line argument, which takes precedence over mspdir in the config file. If it's not able to find an X509 identity it will look for an Idemix identity. If this fails as well, it displays the error in question.
For an X509 identity:
Its public cert needs to be in signcerts,
its private key needs to be in keystore,
and the public cert of the authority that issued the public/private keypair needs to be in the cacerts folder (if an intermediate CA was used, then its cert needs to be in intermediatecerts).
All the folders above are under the mspdir.
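As an added example (my own code, not the project's and not from the answer above), the following POSIX shell script turns the lookup order just described into a pre-flight check: it resolves the MSP directory the same way (an explicit -M value, else the mspdir: key in fabric-ca-client-config.yaml, else a default), verifies that signcerts/, keystore/ and cacerts/ are present and non-empty, and, for the "This identity is not an admin" channel-join failure earlier on this page, checks that the org admin's enrolment certificate actually sits in the peer MSP's admincerts/. Assumptions not stated on the page: the client's default home is $HOME/.fabric-ca-client and the default mspdir is "msp".

```shell
#!/bin/sh
# Added example (not the project's code): check the pieces fabric-ca-client
# needs before it can load an X.509 identity, following the lookup order in
# the answer above, plus the admincerts check relevant to the
# "This identity is not an admin" question earlier on this page.
# Assumptions (not stated on the page): the client's default home is
# $HOME/.fabric-ca-client and the default mspdir is "msp".

# Resolve the MSP directory the way the answer describes it: an explicit -M
# value wins, otherwise the mspdir: key from fabric-ca-client-config.yaml in
# FABRIC_CA_CLIENT_HOME, otherwise the default "msp". Relative paths are
# taken relative to FABRIC_CA_CLIENT_HOME.
resolve_mspdir() {
  home=${FABRIC_CA_CLIENT_HOME:-$HOME/.fabric-ca-client}
  mspdir=$1
  if [ -z "$mspdir" ] && [ -f "$home/fabric-ca-client-config.yaml" ]; then
    mspdir=$(sed -n 's/^mspdir:[[:space:]]*//p' "$home/fabric-ca-client-config.yaml" | head -n 1)
  fi
  mspdir=${mspdir:-msp}
  case $mspdir in
    /*) printf '%s\n' "$mspdir" ;;
    *)  printf '%s\n' "$home/$mspdir" ;;
  esac
}

# Report what is missing for an X.509 identity under $1: signcerts/ (public
# cert), keystore/ (private key) and cacerts/ (issuing CA) must each exist and
# be non-empty. intermediatecerts/ is only reported, since it is required only
# when an intermediate CA issued the certificate. Returns 0 when complete.
check_msp_dir() {
  dir=$1
  missing=0
  for sub in signcerts keystore cacerts; do
    if [ ! -d "$dir/$sub" ]; then
      echo "MISSING directory: $dir/$sub"
      missing=$((missing + 1))
    elif [ -z "$(ls -A "$dir/$sub")" ]; then
      echo "EMPTY directory: $dir/$sub"
      missing=$((missing + 1))
    fi
  done
  if [ -d "$dir/intermediatecerts" ] && [ -n "$(ls -A "$dir/intermediatecerts")" ]; then
    echo "NOTE: intermediatecerts/ present, cert was issued by an intermediate CA"
  fi
  if [ "$missing" -eq 0 ]; then
    echo "OK: X.509 identity layout complete in $dir"
    return 0
  fi
  echo "fabric-ca-client would fall back to an Idemix identity, then fail with 'Enrollment information does not exist'"
  return 1
}

# For the channel-join failure earlier on the page: the org admin's enrolment
# cert ($1/signcerts/*) must be present byte-for-byte in the peer MSP's
# admincerts/ ($2), which is where a Fabric 1.4 local MSP without NodeOUs
# learns which identities are admins.
admin_cert_installed() {
  admin_msp=$1
  peer_msp=$2
  for cert in "$admin_msp"/signcerts/*; do
    [ -f "$cert" ] || continue
    for installed in "$peer_msp"/admincerts/*; do
      [ -f "$installed" ] || continue
      if cmp -s "$cert" "$installed"; then
        echo "OK: $(basename "$cert") is installed in $peer_msp/admincerts"
        return 0
      fi
    done
  done
  echo "MISSING: nothing in $peer_msp/admincerts matches $admin_msp/signcerts"
  return 1
}

# Demo on a constructed layout: an admin MSP with no keystore/, and a peer MSP
# whose admincerts/ does not contain the admin cert.
demo=$(mktemp -d)
mkdir -p "$demo/admin/signcerts" "$demo/admin/cacerts" "$demo/peer/admincerts"
echo "constructed placeholder admin cert" > "$demo/admin/signcerts/cert.pem"
echo "constructed placeholder CA cert"    > "$demo/admin/cacerts/ca.pem"
echo "constructed placeholder other cert" > "$demo/peer/admincerts/cert.pem"
check_msp_dir "$demo/admin" || true
admin_cert_installed "$demo/admin" "$demo/peer" || true
rm -rf "$demo"
```

In practice you would run `check_msp_dir "$(resolve_mspdir "$MSP_OVERRIDE")"` right before any fabric-ca-client command other than enroll, and `admin_cert_installed "$ORG_ADMIN_HOME/msp" "$CORE_PEER_MSPCONFIGPATH"` before `peer channel join`, so a missing or stale admincerts copy is reported by name instead of as an opaque policy failure from the peer.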
Solution 1
A potential cause: if the folder indicated by FABRIC_CA_CLIENT_HOME has not been created, you'll get that error. You have to check that FABRIC_CA_CLIENT_HOME points to an existing folder. This happens too when indicating a wrong MSP path.
Example:
fabric-ca-client gencrl -M ~/wrong_path
Solution 2:
The resolution for issuing the fabric-ca-client identity list command is as follows:
Start the network with the CA option:
./network.sh up -ca
After the network is up, navigate to (assumes you are already in the test-network directory):
cd organizations/peerOrganizations/org1.example.com
Export the cert path using this command:
export FABRIC_CA_CLIENT_TLS_CERTFILES=$PWD/ca/ca.org1.example.com-cert.pem
Export the fabric-ca-client home using this command:
export FABRIC_CA_CLIENT_HOME=$PWD
Issue the following command:
fabric-ca-client identity list
Since you use TLS, you should be using the --tls.certfiles flag or set the FABRIC_CA_CLIENT_TLS_CERTFILES environment variable when using the fabric-ca-client command. This should hold the full path to your organisation's TLS certificate.
I have deployed a two-org Hyperledger network. Now I want to create a new business card for a new user for the connection byfn-network-org1.
I executed
composer identity request -c PeerAdmin@byfn-network-org1-only -u admin -s adminpw -d rock
and then
composer card create -p connection-org1.json -u rock -n supply-chain -c rock/admin-pub.pem -k rock/admin-priv.pem
and then imported the card.
Now when I am trying to ping the network with it, it's giving an error:
Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: admin).
What shall I do now to make this card access the network?
The correct way to create a new card for new users is to Create a Participant in the Business Network, and then Issue an Identity to that Participant.
You can create the Participant via the Playground, the REST server or via the CLI - here is an example from the CLI:
composer participant add -c admin@tutorial-network -d '{"$class":"org.acme.biznet.Trader","tradeId":"t12","firstName":"Charles","lastName":"Thomas"}'
You can Issue the Identity to that Participant again via the Playground, REST server or CLI - here is an example for the CLI:
composer identity issue -c admin@tutorial-network -f ct02.card -u charlie -a "resource:org.acme.biznet.Trader#t12"
On the machine where you want to use the card - Import the card. CLI example here:
composer card import -f ct02.card
Test the card:
composer network ping -c charlie@tutorial-network
I have an issue with the deployment of a business network (composer version 0.14.2):
I request an identity from the fabric-ca (enrolling as admin with password adminpw, the same as the bootstrap identity of the fabric-ca-server)
I receive a certificate and a private key back, I import that identity into the userID adminCC (matching the previous certificate and key to this userID) and I try to deploy a network with enrollmentID adminCC and businessnetworkadmin adminCC
I get an error saying that Error: Error trying deploy. Error: Error trying install composer runtime. Error: chaincode error (status: 500, message: Authorization for INSTALL has been denied (error-Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]))
Any help with this issue? Shouldn't the certificate requested from the fabric-ca be one with admin rights?
The error you have received is from the peer saying the identity you have used does not have admin rights so is not permitted to install the chaincode onto it.
The admin identity in your fabric-ca-server setup is just a bootstrap identity for the fabric-ca-server and as such has only issuer rights on the fabric-ca-server from which you obtained it and has no admin rights on any part of the fabric network.
If you were running on v0.13.2 or lower before, there was a breaking change when they upgraded to v0.14.0 or v0.14.2. You can read more about it here. But the gist of it was that in all previous releases of Composer, all digital certificates with admin in the name (case insensitive) had "privileged access" to the business network - essentially it acted as if the access control rules were disabled. They replaced this with a more secure model. So you can change your permissions.acl file and add:
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
Then after you archive your BNA, in order to deploy properly use:
composer network deploy -p hlfv1 -a {ban_location/ban_name.bna} -i PeerAdmin -s randomString -A admin -S adminpw
After this you can use the old commands with admin and adminpw as before, like:
composer-rest-server -p hlfv1 -n my-network -i admin -s adminpw -N never