In a two-Org setup in which each Org has its own CA for issuing certs, how do ordering nodes identify that a particular request is coming from a known Org identity?
It attempts to match the identity against each of the available MSPs, and whichever one passes verifies the identity as belonging to that MSP.
This can be verified by looking at the docker logs of the orderer.
I am reading the Hyperledger Fabric Read the Docs and I am confused about how the local MSPs of the users allow the user side to authenticate itself in its transactions.
Explain the meaning of this paragraph:
Node local MSPs define the permissions for that node (who the peer admins are, for example). The local MSPs of the users allow the user side to authenticate itself in its transactions as a member of a channel (e.g. in chaincode transactions), or as the owner of a specific role into the system (an org admin, for example, in configuration transactions).
But we use X.509 certificates to authenticate the users, right?
You bring up a very good point in terms of the overloaded use / meaning of the term MSP as well as the "file / folder" structure used to hold cryptographic material for the various entities in Fabric.
Fabric currently supports two types of MSP: X509 and Identity Mixer. The default is to use X509 which means that you validate that users are part of an organization by ensuring that their X509 certificates were issued by the root/intermediate CAs defined in the organization's MSP (which typically ends up stored as part of each channel's config).
So broadly speaking, an organization's MSP defines the mechanism for validating identities (based on the issuer present in the MSP definition) and defining how to determine the "role" of those identities (for example admins are explicitly defined by having their certs in the admins folder and in 1.4.3 and later optionally by a specific OU in the cert).
A "local" MSP holds the actual crypto material issued by an organization's MSP. In the case of a peer, this includes the key pair (found under keystore and signcerts) used to sign endorsements as well as the information needed to determine administrators for the peer itself. In the case of ordering nodes, the key pair is used for signing blocks. For clients / users, the key pair is used to sign transactions.
To your point, a client really does not need the MSP structure ... you really just need the signing / enrollment key pair and the MSPID ... but unfortunately the MSP concept is also carried over to clients even though most of the material in an MSP structure is not required for signing transactions.
I have set up multiple organizations on different machines.
Machine 1
-> peer0.org1.example.com
-> ca.org1.example.com
-> orderer.example.com
Machine 2
-> peer0.org2.example.com
-> peer0.org3.example.com
I have created a channel which is shared by all three organizations.
Now the issue is: when I try to access the data from Org 2 and Org 3, it gives me the below error message:
UNKNOWN: access denied: channel [mychannel] creator org [Org2MSP]
On the other hand, if I try to execute the same query through the CLI, the transaction gets executed successfully without any error.
My question is: can we set up one CA for multiple organizations? If yes, how do we resolve the access denied issue?
To answer your primary question: is it possible for 1 CA server to contain more than 1 root identity? The answer is yes: Multiple CAs. This solution uses 1 fabric-ca-server to serve more than 1 root identity. In Hyperledger Fabric the root identity is used as the root identity of 1 organization.
But should you use this kind of architecture? To answer this question we have to know the role of the fabric-ca-server and how identity is handled within the blockchain network (Hyperledger specific).
To validate identity within the blockchain network and between the different components (peers, orderers, clients), HLF (Hyperledger Fabric) uses the abstract concept of an MSP (Membership Service Provider). In the current implementation of HLF it uses X509 certificates to construct this identity. It is important to know that the only requirement is that of X509 certificates. You do not need a fabric-ca-server. To construct the MSP, Fabric needs a specific structure of MSP certificates on disk to construct the identity. All components need (some part of) this structure.
The fabric-ca-server is used to create the X509 certificates needed for the MSP structure. For instance, this is used when you want to enroll an extra peer, orderer, client etc. To get all this material, in general you can use fabric-ca-client or the SDK. The client is able to export this material in the correct folder structure used by the default MSP.
So should you use 1 fabric-ca-server for multiple organizations? My answer would be no. What you want is that all the organizations are independent of each other and that 1 ORG cannot construct an identity for another ORG. If you use 1 server to contain multiple identities, this also means that the private-key material is stored on 1 server, and thus you can create identities for all organizations.
So the next question, how to resolve access denied, is actually a different question. This is most likely due to incorrect configuration of the environment variables that HLF uses to point to specific parts inside of an MSP folder structure. So you need to see what kind of environment variables are used inside the CLI and use the same inside your other container (if you want to have the same identity).
TL;DR: fabric-ca-server is used to create X509 certificates that can be used to construct an MSP. The MSP is the actual identity inside of HLF; best practice is to use 1 root CA for every organization.
In all of the Fabric examples and documentation, there is usually a unique private certificate authority issuing certificates for each organization.
However, playing around with the code base, I do not see a limitation that different orgs need to each have different Root CAs.
Is there an issue with having the same Root CA for multiple organizations? Can the subject fields in the certificates be sufficient to use for identity verification in different fabric workflows?
If you want to ensure that one organization does not masquerade as another, there must be something unique about the certificates that are issued by or for an organization. Of course the easiest way to handle this is to have a separate root CA per organization. It's also possible to have a common root but have different intermediate CAs for each organization.
But given your question is about basically using a single fabric-ca to issue certificates for multiple organizations, this is possible using the Organization Unit (OU) identifier feature introduced in v1.1 and later. Basically, you can differentiate organizations using an OU in the issued certificates. With Fabric CA v1.1 and later, you can create different affiliations for each organization and when certificates are issued, the OU will be set to the affiliation associated with the identity during the registration process. You can either trust a single admin to properly register identities for multiple organizations, or you can create a hierarchical set of admins (meaning create multiple CA admins but assign each a different affiliation as admins can only register users under their own affiliation).
Then within your MSP definitions, you can use the config.yaml file to specify the OU with which to associate the MSP. For example, if you look at https://github.com/hyperledger/fabric/blob/release-1.1/sampleconfig/msp/config.yaml, then
OrganizationalUnitIdentifiers:
  - Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "COP"
means that this org is identified by the root CA PLUS having OU=COP in the certificates. This would also mean that the affiliation within fabric-ca would be "COP" as well.
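To illustrate the two checks that answer combines (a chain to the org's trusted root CA plus a required OU in the subject), here is a small Go model added for this page, not code from Fabric or fabric-ca: the MSP, Classify, newCert and Run names are assumptions, the certificates are generated in-process as constructed test data, and the second OU "SALES" is made up to give the shared CA a second org next to "COP".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MSP models what validation needs from a channel MSP: trusted root CA plus the required OU (config.yaml's OrganizationalUnitIdentifiers). Names are assumed.
type MSP struct{ ID string; Roots *x509.CertPool; OU string }
// Classify tries each MSP in turn, as the orderer does: the first whose root CA issued the cert AND whose OU is in the cert's subject claims the identity.
func Classify(msps []MSP, cert *x509.Certificate) string {
	for _, m := range msps {
		_, err := cert.Verify(x509.VerifyOptions{Roots: m.Roots}) // nil only if the chain ends at this MSP's root
		for _, ou := range cert.Subject.OrganizationalUnit {
			if err == nil && ou == m.OU { // root CA PLUS matching OU, as the config.yaml above requires
				return m.ID
			}
		}
	}
	return "access denied"
}
// newCert is a constructed test-only issuer: a self-signed root CA when parent is nil, otherwise a leaf signed by parent carrying ous (fabric-ca sets the OU from the affiliation).
func newCert(cn string, ous []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ous}}
	if parent == nil { // self-signed root: mark it as a CA and sign it with its own key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent, pkey = true, true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func Run() map[string]string { // one shared root CA; Org1MSP requires OU=COP, Org2MSP requires OU=SALES
	root, rootKey := newCert("shared-root", nil, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	msps := []MSP{{"Org1MSP", pool, "COP"}, {"Org2MSP", pool, "SALES"}}
	out := map[string]string{}
	for name, ou := range map[string]string{"alice": "COP", "bob": "SALES", "mallory": "OTHER"} {
		leaf, _ := newCert(name, []string{ou}, root, rootKey) // all three are issued by the same CA
		out[name] = Classify(msps, leaf)
	}
	return out
}
```

Mallory's certificate chains to the trusted root just as the others do, so with a shared CA the OU rule is the only thing keeping that identity out of both orgs.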
What exactly is the difference between enrolling and registering a certificate in Hyperledger Fabric CA? I am new to cryptography and I am really confused about the working of Fabric CA. Also, how are certificates generated via cryptogen different from certificates generated via Fabric CA?
So from what I understand, when you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.
The certificates that the cryptogen tool generates are not any different to the ones generated by the Fabric CA; the cryptogen tool is there for convenience in development. It should not be used in a live / production environment. Under the hood the cryptogen tool actually spins up a Fabric CA server locally.
Here is a link to the latest documentation for Fabric CA:
https://hyperledger-fabric-ca.readthedocs.io/en/latest/
"Registration" is done by the CA admin. A username and password is assigned to an identity, along with attributes (will the identity be an admin or a node, for example?). This registration places the username and password, along with the relevant other information about the identity, in the database of the CA. No certificates have been generated at this point. The identity has simply been registered.
"Enrollment" is the process where certificates are created and given to the user of the identity. The username and password is given to this user out of band, and they use the name and password as part of a fabric-ca-client call to the CA. The public and private keys --- encoded with the relevant attributes registered with the CA --- are then generated.
The reason for the separation between registration and enrollment is to ensure that only the user of an identity receives their private key.
The certificates created by a CA are identical to those created by cryptogen --- an x.509 certificate is an x.509 certificate --- but cryptogen is a tool for quickly creating certs in a test environment, not a true method for creating certificates for anything resembling production.
Registering an identity means adding its details in Fabric CA.
Enrolling means the process where a registered identity connects to the CA and sends a Certificate Signing Request (CSR) to it. The CA checks if the identity is registered and performs some other validations; if the checks are successful, then it returns a signed certificate to the identity. Since the certificate is signed by a CA trusted by the blockchain network, the identity now has the means to interact with the network using this certificate.
So, to make the identity able to interact with the network, it must pass two steps in this particular sequence:
1. Be registered on the CA
2. Be enrolled
The admin is preregistered in the CA when it is started using:
fabric-ca-server start -b admin:adminpw
The details are here:
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html
You can also refer to the source.
The concept of first register (saving username, password and other attributes in the CA's DB), then the registered identity can enroll to get certificates, is the same in the latest version of Fabric CA as it was previously.
Refer to the latest link:
https://hyperledger-fabric.readthedocs.io/en/latest/deployment_guide_overview.html#step-four-use-the-ca-to-create-identities-and-msps
"Register and enroll an admin identity and create an MSP. After the CA that will be associated with an organization has been created, it can be used to first register a user and then enroll an identity (producing the certificate pair used by all entities on the network). In the first step, a username and password for the identity is assigned by the admin of the CA."
I am new to Hyperledger and I want to understand more about channels. I am working on a POC where I need to have private transactions between 2 parties, so I want to understand how I should configure my network.
Should I have different chaincode for each channel, or can one chaincode be used across 2 channels?
It is a multi-user application and users come across and can do transactions on any channel; how should the identity be configured? Should we have an intermediate user or identity to communicate, or is it good to use the application user identity?
If you are creating a network comprised of many organizations, but want to design a means of preserving confidentiality of a transaction between two organizations A and B, then you would create a channel that has org A and B as participants, and deploy the chaincode(s) to the endorsing peer nodes for each org.
As for end-user identity, that would typically be designed such that the end-users were members of one or the other org, and their authentication and authorization would be somehow managed by each org. For instance, let's say that the end users are employees of org A and org B, then you could use your corporate LDAP as a means of authenticating and authorizing them to perform certain transactions.
Alternately, if they are customers of A and B, then whatever user authentication and authorization you have for managing end users could be used. Whatever authentication is used, the MSP (membership services provider) for each org would need to be adapted to support the means used when issuing identity certificates.
The Hyperledger Fabric CA Users Guide has specifics.