I am able to interact with CA via fabric ca client of node SDK, But I can't access REST server, Can anybody provide me a getting started guide with CA API? This is my docker compose file
ca:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/peers.test.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca
networks:
- test
Have you looked at the swagger doc on the Fabric CA Github Repo (https://github.com/hyperledger/fabric-ca/blob/release-1.3/swagger/swagger-fabric-ca.json)? This defines all the APIs that are available on the CA.
There is no documentation for direct access to the REST API (except for the swagger docs mentioned by Saad - which only documents the individual API calls, not how to use them). The API can be accessed either via the Node SDK, or the fabric-ca-server CLI.
Please see my answer to this question for more details.
You can trigger normal REST call by browser or postman or curl etc.. based on swagger doc here
Port is 7054 and make sure you ignore the certificate error if you are using localhost as host name - like this:
https://localhost:7054/api/v1/cainfo
Related
How to I configure my MongoDB's ssl certificates?
I want to host my MongoDB myself. I currently have a Linode container running, on it I've installed certbot and had it acquire certificates for the domain I want to use for my database.
I'm using this docker-compose.yml file to deploy the MongoDB container:
version: '2'
services:
mongo:
image: mongo:latest
volumes:
- ./db-data:/data/db
- ./mongo-config:/data/config
- ./certs:/data/certs
ports:
- "0.0.0.0:27017:27017"
restart: always
environment:
- MONGO_INITDB_ROOT_USERNAME=exampleuser
- MONGO_INITDB_ROOT_PASSWORD=examplepassword
command: --config=/data/config/mongo.conf
and before someone mentions using nginx streams, certbot doesn't support them (see issue)
An my mongo config found at ./mongo-config/mongo.conf:
net:
port: 27017
bindIp: 0.0.0.0
ssl:
mode: requireSSL
PEMKeyFile: # This is where I need help, it would be in /data/certs from the container's perspective
Every guide mentions copying Certbot's files into a docker volume, so I setup ./certs to mount into /data/certs and copied them their. I've tried ever combination of every permutation of the files Certbot creates in the PEMKeyFile and the CAFile fields and nothing works. I'd get this error every time I tried:
error:0909006C:PEM routines:get_name:no start line
Guides I've already tried:
How to: Configure SSL For MongoDB
Configure mongod and mongos for TLS/SSL
Certbot User Guide
Setup Mongo 3.6 TSL/SSL with Letsencrypt | this one mentioned that I have to download a certificate that expires TODAY (sept 30, 2021)
Securing MongoDB with TLS, Authentication and LetsEncrypt
Related: LetsEncrypt SSL Certificate Validation Failed with MongoDB
This is working for me:
docker run -it --name data.domain.com --network docker_network -v /path/to/ssl/certs:/ssl:ro -e MONGO_INITDB_ROOT_USERNAME=admin -e MONGO_INITDB_ROOT_PASSWORD=pass mongo --tlsMode requireTLS --tlsCertificateKeyFile /ssl/fullchain-key.pem --tlsCAFile /etc/ssl/certs/ISRG_Root_X1.pem
Important things:
name of docker container has to match certificate
do 'cat fullchain.pem privkey.pem > fullchain-key.pem'
You have to adapt this to docker-compose. Try this out and if you need more help, let me know
I am trying to integrate softHSM with Hyperledger Fabric. I have followed the below steps:
I have cloned the repo from this link
https://github.com/hyperledger/fabric-ca (main-branch)
Executed the below 3 commands from the above directory. After execution, I got the new binary and the new Fabric-CA image.
make fabric-ca-server GO_TAGS=pkcs11
make fabric-ca-client GO_TAGS=pkcs11
make docker GO_TAGS=pkcs11
I have replaced the old binary(fabric-ca-client and fabric-ca-server)
I am trying to spin up the Fabric-CA in the docker container and passing the environment variables as per the official documentation.
ORG1_RCA:
image: hyperledger/fabric-ca:1.5.1
container_name: ORG1_RCA
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ORG1_RCA
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_PORT=7054
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=
ports:
- 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
environment:
- SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
volumes:
- ./fabric-ca/verizon:/etc/hyperledger/fabric-ca-server
- /home/softhsm/config.file:/etc/hyperledger/fabric/config.file
- /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
networks:
- contract
I am not providing the PIN and label for security purposes.When I am running this container, the private keys are still getting saved into the msp/keystore folder instead of HSM.
I am trying to deploy a Hyperledger BNA using docker-compose. How can I do it in the cleanest way?
version: '2'
networks:
basic:
services:
playground:
container_name: composer-playground
image: hyperledger/composer-playground
ports:
- 8080:8080
networks:
- basic
command: composer-playground
ca.example.com:
image: hyperledger/fabric-ca
...
orderer.example.com:
container_name: orderer.example.com
image: hyperledger/fabric-orderer
...
peer0.org1.example.com:
container_name: peer0.org1.example.com
image: hyperledger/fabric-peer
...
cli:
container_name: cli
image: hyperledger/fabric-tools
...
This is a docker-compose.yml from This github repisitory
I know that I can deploy a network using this tutorial, but as I sad. I want to deploy it using docker-compose.Thanks in advance!
If you want to use Composer, be aware that 'today' Composer supports Fabric 1.1 and you are looking at Fabric 1.2 docs, and Will likely download the 'latest' Fabric 1.2 unless you specifically do something different. (Composer support for Fabric 1.2 is coming shortly. Keep an out out for the Release notes for the latest information.)
There is a Docker container for the Composer CLI which will enable you to deploy your BNA.
There are Composer tutorials on creating and deploying BNAs, but they start with the assumption that the Composer CLI is installed locally, not in a Container so you will need to adapt the approach. The key to connecting Composer to the Fabric is the connection profile, so you will need to understand the addressing and networking aspects of your Docker environment to build the right connection profile.
While doing Hyperledger fabric setup, we create crypto material and mention users for organizations and and correspondingly user crypto material gets generated which is used to invoke chaincode while logging through CLI. Also, when we try to connect network through SDK we also need to enroll and register user to connect to network. So, what is the difference between these two users?
Cryptogen utility used for generating Hyperledger Fabric key material is mainly meant to be used for testing environment only.
It generates the CA certificate before the Fabric CA Server is up. {This won't be the case in production env.}
This certificate is mounted to fabric-ca in docker-compose.yaml file. This is done via volumes keyword as in the below snippet:
ca.example.com:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca.example.com
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca.example.com
networks:
- basic
The command 'fabric-ca-server start -b admin:adminpw -d' in above script registers a bootstrap identity. This bootstrap identity is used by the application to enroll the 'admin' user. During this enrollment, fabric-ca-server gives the app a ecert, users private key and cacert chain PEM files.
From the above reference, the users certs generated by cryptogen and via application will be issued using the same root CA Cert.
When using CLI to execute commands such install chaincode, instantiate chaincode etc. you will be using the user certs generated by the cryptogen as these are mounted into the corresponding peer. Again refer to the volumes section of peer in docker-compose.yaml for this:
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
- ./config:/etc/hyperledger/configtx
I have question regarding environment variables which are passed through docker-compose file.
I have chaincode which does security checks when security is enabled. It checks if security is enabled through core.SecurityEnabled() api. I enable / disable security using docker-compose env. variable CORE_SECURITY_ENABLED.
This works fine in dev mode. However when I deploy chaincode in non-dev mode, I get core.SecurityEnabled() as false although my env variable is passed as true. I examined the docker containers. Docker container running peer, returns env variable CORE_SECURITY_ENABLED=true on env command. However docker container running chaincode does not have env variable CORE_SECURITY_ENABLED. It would be picking up value from core.yaml which is set as false.
Is this as per design? In production mode should we be making changes in core.yaml file rather than to depend on env variable passed through docker-compose?
I am using the docker-compose as given below to get the CORE_SECURITY_ENABLED=true/false. Have you tried specifying the environment variables in this manner ?
membersrvc:
image: hyperledger/fabric-membersrvc
ports:
- "7054:7054"
command: membersrvc
vp0:
image: hyperledger/fabric-peer
ports:
- "8085:7050"
- "8080:7053"
- "30303:30303"
- "30304:30304"
environment:
- CORE_PEER_ADDRESSAUTODETECT=true
- CORE_SECURITY_ENABLED=true
- CORE_SECURITY_PRIVACY=true
- CORE_VM_ENDPOINT=http://172.17.0.1:2375
- CORE_PEER_PKI_ECA_PADDR=membersrvc:7054
- CORE_PEER_PKI_TCA_PADDR=membersrvc:7054
- CORE_PEER_PKI_TLSCA_PADDR=membersrvc:7054
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_ID=vp0
- CORE_SECURITY_ENROLLID=test_vp0
- CORE_SECURITY_ENROLLSECRET=MwYpmSRjupbT
links:
- membersrvc
command: sh -c "sleep 35; peer node start --logging-level=DEBUG"
If you got your query answered from the FAB jira, kindly ignore this post.