While reading the documentation on Hyperledger Fabric I couldn't understand what an MSP is. It is really unclear to me what an MSP exactly is and how it differs from a CA.
What I understand is that the CA issues certificates and the MSP says which of these are valid and belong to a certain organization. But what exactly is it?
Is the MSP some kind of server that has some kind of interface that other peers and orderers use, or is it a bunch of directories that contain configuration, or what exactly is it? How can I view it?
The documentation describes what its role is and how it fits into the blockchain network, but not what exactly it is.
When I run a simple dev Fabric network, Docker contains a process for a peer, an orderer, and a CA. Where is the MSP?
I've checked these questions, but none of them explains what the MSP actually is.
Hyperledger Fabric docs on Membership Service Provider - Questions
Hyperledger fabric understanding MSP
What is the difference between MSP and Fabric CA?
OK, so I was, hopefully, able to answer my own question. I will answer it in the form of points.
The name "MSP" is, in my opinion, a poorly chosen name. The word "Service" implies having a working process/program/server in place, like a Web Service, REST Service etc. The word "Provider" also implies that it provides the membership service, and finally I imagined that this is some kind of OAuth or LDAP server or something alike. It is not. It is a bunch of directories with digital certificates. Probably a better name would be Members Certificates Directory (MCD) or Members Certificates Registry (MCR).
After realizing that these are directories, from the documentation:
To set up a local MSP (for either a peer or an orderer), the administrator should create a folder (e.g. $MY_PATH/mspconfig) that contains six subfolders and a file
Also, "set up" implies starting and configuring a process/server or something alike.
So I entered the peer container of the Dev Servers created for Hyperledger Composer development and searched for $FABRIC_CFG_PATH.
The /msp DIRECTORY is the MSP directory, and it contains the directories explained in the docs.
And it is configured as required by the documents:
The path to the mspconfig folder is expected to be relative to FABRIC_CFG_PATH and is provided as the value of parameter mspConfigPath for the peer, and LocalMSPDir for the orderer
I hope this clears up the uncertainty for others as it did for me, and that the Fabric docs get updated for more clarity.
Hyperledger Fabric 2.2 documentation explains it as per the accepted answer.
https://hyperledger-fabric.readthedocs.io/en/release-2.2/membership/membership.html
What is MSP
Despite its name, the Membership Service Provider does not actually provide anything. Rather, the implementation of the MSP requirement is a set of folders that are added to the configuration of the network... Whereas Certificate Authorities generate the certificates that represent identities, the MSP contains a list of permissioned identities.
Two types of MSP:
Local MSPs are represented as a folder structure on the file system.
Channel MSPs are described in a channel configuration.
The confusion may come from the fact that HLF both defines the MSP as an abstraction layer and provides a simplistic implementation of it (using directories).
The MSP documentation (link above) clearly states: "In the rest of this document we elaborate on the setup of the MSP **implementation** supported by Hyperledger Fabric".
Related
I want to have an orderer beside each organization and NOT create a separate organization for orderers. Is it possible? If yes, how can I do it?
Yes, the application organizations can provide ordering nodes. For example, the sample configuration shows a single organization providing both peers and ordering nodes. Simply configure OrdererEndpoints under the organization configuration.
That being said, for each organization that provides an ordering node, you may want to consider creating a separate logical organization in the channel configuration, so that the peer credentials and orderer credentials can be managed separately using different root certificate authorities.
I am planning to implement a decentralized orderer or, say, a peer-org-owned orderer in Hyperledger Fabric.
Can someone please explain whether it is valid to implement an orderer from a peer-org-owned organization?
If it's valid, then what will the configuration look like?
It is not only valid, but actually encouraged. A decentralized ordering service is the best scenario in HLF, as no single organization has total control over the ordering process. From Fabric v2.3, you can have any organization contribute to the ordering service. They also made it very easy to do so: create an ordering node, and join that ordering node to a channel much like you currently do with your peer nodes. A full tutorial from the Fabric Docs can be found here. Take your time when reading through the tutorial as it is quite long and may seem complicated at first.
I am reading the docs and other information regarding using Hyperledger Fabric, and everywhere I see the Fabric CA.
I understand the concept of how it works and I also understand PKI pretty well.
Is it mandatory to use Fabric CA in order to provide identities in Hyperledger? I do not see any reason not to use any other deployed PKI in order to issue certificates and CRLs to Hyperledger peers, orderers, etc.
I tried it in a development environment, and the private keys and certificates have a standard format which can be produced by any PKI solution.
No. It's not mandatory to use Fabric CA. My network runs well with keys and certificates generated by another CA. For instance, you can generate all the materials by openssl. By the way, it's worth noting that currently the Java/Node SDK only supports ECDSA algorithms (per my knowledge), so you want to pay attention to the algorithms when generating keys and certificates from your CA.
I am trying to create my own Fabric network by taking reference from the "basic network" and "First Network" provided in "fabric-samples".
I have come across a section called "Capabilities" in the "configtx" YAML file.
Kindly help me understand the significance of this section.
This is a new feature added in Hyperledger Fabric 1.1 to enable us to manage system upgrades across a decentralized deployment spanning multiple organizations.
It is likely that in a large network, there may be nodes running different versions of the software. As new features are introduced, we need a means of ensuring deterministic execution, and hence we use this feature to ensure consistency of execution within a channel.
Capability requirements are defined per channel in the channel configuration (found in the channel’s most recent configuration block). The channel configuration contains three locations, each of which defines a capability of a different type.
Channel: these capabilities apply to both peers and orderers and are located in the root Channel group.
Orderer: these apply to orderers only and are located in the Orderer group.
Application: these apply to peers only and are located in the Application group.
Only binaries that support a given capability specified in a channel's configuration block will be able to participate in that channel.
Please see the docs for additional insight.
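As an added example (a fragment constructed for this page, not copied from fabric-samples), this configtx.yaml excerpt shows both points made in the answers above: an application organization that also contributes an ordering node through OrdererEndpoints, and the three capability locations (root Channel group, Orderer group, Application group) that decide which binaries may take part in the channel. Org names, MSP paths and endpoints are sample values; channel-level policies and Raft consenter details are left out to keep the fragment short.

```yaml
# configtx.yaml fragment (constructed sample). Org1 both runs peers and
# provides an ordering node; capabilities are declared once and referenced
# from the three groups of the channel configuration.
Organizations:
  - &Org1
    Name: Org1MSP
    ID: Org1MSP
    # Local MSP folder of the organization (sample path)
    MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('Org1MSP.peer')"
    # Listing orderer endpoints under the org is what lets an application
    # organization contribute ordering nodes (no separate orderer org needed)
    OrdererEndpoints:
      - orderer0.org1.example.com:7050

Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true          # peers and orderers must both support this
  Orderer: &OrdererCapabilities
    V2_0: true          # orderers only
  Application: &ApplicationCapabilities
    V2_0: true          # peers only

Profiles:
  SampleChannel:
    Capabilities:
      <<: *ChannelCapabilities        # root Channel group
    Orderer:
      OrdererType: etcdraft
      Addresses:
        - orderer0.org1.example.com:7050
      Organizations:
        - *Org1
      Capabilities:
        <<: *OrdererCapabilities      # Orderer group
    Application:
      Organizations:
        - *Org1
      Capabilities:
        <<: *ApplicationCapabilities  # Application group
```

A peer or orderer binary that does not implement every capability declared for its group will refuse to process that channel's blocks, which is how the network enforces consistent execution across mixed versions.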
I was wondering what the "best" practice is in ordering the steps of the HF development cycle. Here are some questions organized by topic.
1. Specification of network infrastructure:
What are the mandatory members in one business network definition (organizations, peers, CA)?
How many peers do we need in our business network (bn)?
I am aware of the semantics of the relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization. Also, what if just one organization (org1.example.com) will use the developed network? How do we specify the endorsement policy in that use case (since we need at least two organizations in the chaincode instantiate command specification)?
2. SDK development lifecycle
When we develop with the SDK (Node.js), what CA certificates are required for our SDK app to be able to connect to our BN and issue chaincode functions?
How do we issue the CA certificates needed for the SDK app?
3. Chaincode development lifecycle
1. If I am using the CLI Docker container for management of my BN, is it good practice to git clone my chaincode to the CLI and then install it and instantiate it on a certain peer node?
2. After I change my Go chaincode, do I need to install it again with a different id on the same peer, or can I just update the existing instance of my chaincode?
My idea is to make this question a sort of place where we can add all the relevant questions about these three topics, so please edit and add additional questions! Thank you for your answers.
Let me try to answer your questions:
What are the mandatory members in one business network definition (organizations, peers, ca)?
The only mandatory network entities are peers and the ordering service. Of course, to be able to define anything you should have a notion of organizations, the parties which are going to transact. Each such party is expected to have a number of peers running chaincodes (smart contracts) on the organization's behalf. A CA is required to issue certificates and bind peer and client identities to a certain organization.
How many peers do we need in our business network (bn)?
The desired number of peers is completely up to your business logic and requirements; it needs to accommodate your expectations for availability, scalability and your trust model (endorsement policies).
I am aware of the semantics of the relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization?
A peer is the network entity which executes chaincodes on behalf of a given organization, increasing the organization's confidence in the correctness of execution results.
Also, what if just one organization (org1.example.com) will use the developed network, how to specify the endorsement policy in that use case (since we need at least two organizations in the chaincode instantiate command specification)?
You do not have to have at least two organizations to define an endorsement policy, though with one org it is a bit redundant, since the default endorsement policy is to have some peer from the channel sign the endorsement request.
When we develop with the SDK (Node.js), in order to interact with our BN, what CA certificates are required for our SDK app to be able to connect and issue chaincode functions?
You do not need the CA certificate, but you need a client certificate signed by the root CA to prove the client's identity and enable the peer to validate whether the client has the correct access rights.
How to issue the CA certificates needed for the SDK app?
You can use fabric-ca to enroll users and get a client certificate, or you can simply leverage cryptogen to produce client certs for you.
If I am using the CLI Docker container for management of my BN, is it good practice to git clone my chaincode to the CLI and then install it and instantiate it on a certain peer node?
Here is the thing: the peer CLI is a bit abused, since its primary usage is rapid testing in development and for demoing. The proper way to communicate with Hyperledger Fabric is by using the SDKs, i.e. you basically need to implement a client which will be capable of installing and instantiating chaincodes based on your own logic and parameters relevant for your application.
After I change my Go chaincode, do I need to install it again with a different id on the same peer, or can I just update the existing instance of my chaincode?
There is an upgrade procedure which is pretty well covered in the Hyperledger Fabric documentation. Or you can see a short demo on video.
My idea is to make this question a sort of place where we can add all the relevant questions about these three topics, so please edit and add additional questions!
Please consider logging in to Rocket.Chat and using the #fabric channel to ask your questions.
Additionally, please take a look at the documentation, since most of the information and details about your questions can be found there and it is constantly being updated.