Questions about the channel creation process - hyperledger-fabric

I have an API with an endpoint creating a channel, joining a peer to it and instantiating chaincodes on it. While coding the process I encountered some questions about how things are done.
An organization admin certificate is tested byte by byte while other roles use OUs. Do we have an explanation of why the admin verification behaves this way?
I could never manage to enroll and submit the exact same certificate for an organization admin. Because of the above problem, the only solution I found to be able to perform admin operations was to copy the admin cert/key to the sdk crypto-{msp,store}. Is there a way to avoid copying the admin certificate and private key when using fabric-ca?
I could not manage to instantiate a chaincode on a newly created channel without having an entry for it in the sdk config file, because the sdk does not find any channelPeer for it. Is there a way to avoid the config file update if we can programmatically know which peer has the channel?
If anyone has a hint on how to solve any of the above questions I would appreciate it.
Thanks!

Related

Hyperledger Besu - User Account Management

I have recently started to learn Hyperledger Besu, and what I am trying to do is actually compare Besu with Fabric and see if it is compatible with my already finished Fabric project.
I know from Fabric that using the CA of an organization we can create new users that are under that org. Also, there is the option to name this user with a username and add some custom attributes that can be used in the chaincode, like a role attribute for example.
Now, in Besu I have only discovered so far that accounts can be created only with some third-party tools like MetaMask and the js library web3j. However, those accounts are in the form of a public key/address and a private key.
Is there something that I have missed out?
Is it possible to have somehow similar user accounts in Besu like Fabric?
Thank you
After my own research I have concluded that these are the only ways to create accounts for Hyperledger Besu:
MetaMask Wallet
web3 js library through javascript
In order to have more specific accounts that may be connected with some user information or roles that could determine various things in the application, the most suitable option is the following:
Use a centralized database to store the user information and associate it with the user's address. This database could be used from a client application where the user can log in with his/her credentials or using a third-party wallet like MetaMask.
Also, to distinguish the users inside the smart contracts, the best option so far seems to be the OpenZeppelin Ownable library.

How to get secret of a Fabric identity

I'm running a fabric 1.4.0 network and I'm the admin of it. I've lost the password/secret of one of the identities (not admin).
How do I get the secret of this registered & enrolled Fabric identity? I went through the Fabric CA Guide to look for any method/command to make this work, but couldn't find any.
I know we get the secret (if not already supplied) whenever we register a new identity and can use this secret for enrolling and other purposes. But I've lost this secret.
I'm also aware that I can issue a new secret to the identity by using the command fabric-ca-client identity modify user1 --secret newsecret. But that's not an option for me. I want to get the existing one.
I ran fabric-ca-client identity list --id user1 to see the identity's info but didn't see the password/secret there.
So, how do I get the password then? Please keep in mind that this network was created only for the purpose of learning and since I'm the admin, I have the privilege of going up an extra step.
It'd be better if anyone could show me the ways, if there are any, to retrieve it using both fabric-node-sdk and fabric-ca-client.
After spending hours trying to look for a way to achieve this, the closest thing I found was the getEnrollmentSecret method in the User class. However, when I tried to use it, I got the error getEnrollmentSecret is not a function. From what I understood, the method was available in SDKs prior to version 1.4, as the method is not available in Fabric sdk node ver 1.4.
The only solution/alternative to this which I found is to update the identity's info using the update method on the Identity Service and issue a new secret, which I know conflicts with one of the statements in the question:
I'm also aware that I can issue a new secret to the identity by using the command fabric-ca-client identity modify user1 --secret newsecret. But that's not an option for me. I want to get the existing one.
but, what else can you do, right?
You can find the detailed discussion about this on the fabric-sdk-node channel of Hyperledger Fabric's official communication medium, RocketChat.
Please feel free to comment on how this answer can be made any better, or if I missed something, or there's something erroneous in my findings. Thank you.

Need of admin for the first time in Blockchain?

Whenever I look at a new blockchain project, I am asked to create an admin first before adding any other members. And also whenever I instantiate a new build I have to create an admin. Why is it required? Why can't I directly create members and start my nodes?
HF is a permissioned network; only the admin has permission to install, query and upgrade the chaincode. Similarly, every member has to register with the admin as a known user inside Fabric before doing any transaction. It is predefined in the architecture.

how to make a user upload private key file before any transaction in hyperledger fabric?

I understand that Hyperledger stores users' private keys in a directory called keystore. I don't want my network to store them; rather, the user should upload this file before any transaction.
How can I do it?
I don't have a full code to provide to you and I don't have time to write it. However, here is a flow you can follow:
FRONT END: Allow user to upload files (Example (assuming you are building a web application): http://reusableforms.com/d/o3/html5-contact-form-with-file-upload)
BACK END: Retrieve the file from the request.
BACK END: Create the user context from these files.
BACK END: Build/send transaction
FABRIC: Process transaction
BACK END: If transaction is VALID, delete all the information about the user (private key in particular)
BACK END: Send response back to FRONT END
I do not know what is your scenario, but:
I think having the user manage their own keys is a risk, as they can lose them or someone may "hack" the user's device to get them.
Having private keys moving on the network may be a security issue, as someone may be able to intercept them.
But as I said, I don't know your scenario. If you are in a closed network then transferring the PK might not be a problem. If your client application manages the keys for the user, it may be OK too, but what if the user deletes it by mistake? Or what if the device is broken?
I think there's a misunderstanding of what the keystore folder accomplishes and what you want to accomplish here.
In the context of an MSP, the keystore folder does store private keys. It stores the private keys of the identities represented by the MSP. However, this is highly unique to the node that the MSP is running on.
On a peer, the keystore would store the certificate for the peer and the key for the peer identity. It would not store the keys for any other identity, as that node is not meant to act as that identity (remember that ownership of the private key = ability to act as that identity). It would also store the certificates (not private keys) of the identities meant to act as administrators of that peer.
What exactly are you trying to do by allowing users to upload the private key? If you are trying to allow users to identify themselves to the network, providing their key is not the solution. If it's something else, try and edit your post to explain your use case more clearly so we can help.

Questions on hyperledger fabric MSP setting

Background
I am studying the hyperledger fabric tutorial: Building Your First Network (BYFN), and studying the details of the scripts. The source code can be found here.
Question
The command byfn.sh generate runs cryptogen generate --config=./crypto-config.yaml and then generates certificates. A directory crypto-config/ is produced with sub-directories ordererOrganizations/ and peerOrganizations/.
The path crypto-config/peerOrganizations/org1.example.com/ consists of:
ca/
msp/
peers/
tlsca/
users/
I have difficulties in understanding the structure of this directory.
Q1: There are certs and private keys in ca/, msp/ and tlsca/. But what are they representing, and why do we need them? It confuses me because inside each peer's directory under peers/, there are also msp/ and tls/.
Q2: What is the purpose of the users/ directory? (I only know the network has peers and orderers.) Do user and admin represent the end-users of this organization? And what is the difference between user and admin? Take this network picture for example: where are user and admin?
Many Thanks
So, the public channel configuration is loaded only with what is found under msp/.
This is used to verify certificates of clients and network nodes (peers, orderers).
The ca/ folder just represents what a CA would have had, had it existed.
The tlsca/ folder is basically used to define the same thing as the ca/ folder, only for TLS certificates. In fabric, there is a different certificate chain for TLS and for enrollment certificates.
Now, the peers/, orderers/ and users/ directories contain the material for the local MSP of the node, as well as its signing identity (certificate and private key).
A user is basically anyone that can authenticate to fabric as a client, and an admin is a special type of user who is authorized to sign transactions that make administrative changes to the organization it belongs to, like adding anchor peers when sending a configuration transaction to the orderer, or instantiating chaincode.