Trying to add a new organisation from a separate host.(Modifying steps from ./eyfn.sh when necessary).
Managed to create and import network admin card using Hyperledger Composer. (https://medium.com/#mahoney_33893/hyperledger-composer-adding-another-organization-to-an-existing-running-multi-organization-fff5c8104a82).
However when pinging the network I got:
Error: Error trying to ping. Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org [Org3MSP]
Upon getting the logs from peer I got
-Principal deserialization failure (MSP Org3MSP is unknown) for identity
-[channel: composerchannel] Client authorization revoked for deliver request from 10.0.1.6:48262: Failed evaluating policy on signed data during check policy on channel [composerchannel] with policy [/Channel/Application/Readers]: [Failed to reach implicit threshold of 1 sub-policies, required 1 remaining]
My problem is actually similar to that of Hyperledger-Composer: Getting "access denied" when pinging network admin card.
The solution did mention to include msp files of my new org into volumes of the orderer which I did as
docker cp msp <containername>:/etc/hyperledger/msp/peerOrganizations/org3.example.com
My first organisation was set up using the default ./startFabric.sh
Take note that im not using TLS for the time being.
The error still persist though and Im wondering why. I do however suspect that the way im giving msp to the orderer is somehow wrong. or Im putting it in a wrong file.
Maybe you will need to migrate from Composer to other framework.
Hundreds of devs are taking is using Convector. Convector is a Hyperledger Labs project that was created before Hyperledger Composer was deprecated but that looks similar to developers. It follows a model controller pattern (similar to Composer assets and transactions) however it compiles natively to Fabric code and does not create a runtime.
Related
New Peer is unable to join the channel.
I have created a new peer in an existing organization and when I am running
docker network inspect bridge I can see that new peer is part of the organization.
When I am trying this peer to join the channel (mychannel) it is throwing below error.
Error: 2 UNKNOWN: access denied: channel [] creator org [Org1MSP]
In the above error, channel is an empty string while I am sending the mychannel as an argument.
I am using the join-channel script of balance transfer. It is working perfectly fine for the peers which created during the network creation.
Any idea why it is taking an empty string?
thanks
I figured out the reason.
Actually, the new peer is generated using different CA.
Previously I moved my organization's crypto-config directory to a different folder and then when I created new Peer it created new certificates for complete organization.
But I don't know the significance of the error as it must be different in this scenario.
I have set up a fabric network of three organizations. 1 endorser peer each. 1 orderer across all three. I packaged the contract code(node) and installed on all three. Instantiated it via CLI of one of the peer.
Points to consider:
My chaincode tries to create a key value or I should say update the
World State.On invoking the function that does so, I always end up
getting [ENDORSEMENT_POLICY_FAILURE].
I have specified AND policy. OR policy seems to work fine. But I
have a scenario where AND is the necessity.
I invoke the chaincode via CLI of one peer. All other peers start
showing activity but ends up saying [ENDORSEMENT_POLICY_FAILURE].
Exact Error : "VSCCValidateTx for transaction txId =
3c0f7b5c5f81b5c261d1a981720273cdc617424ea264b157898dd17ad2de07ce
returned error: VSCC error: endorsement policy failure, err:
signature set did not satisfy policy".
I have monitored the chaincode containers of all three orgs. Only
the the container of the chaincode corresponding to the calling peer
shows activity.
As I perceive from my reading of the book Hands-On Blockchain with
Hyperledger, all the peers execute the chaincode. But in my case,
nothing is happening on other two peers' chaincode container.
I would be grateful to obtain help on this issue.
I am able to invoke my chaincode from docker cli successfully (fabric-shim).
i ran enrollAdmin.js and registerUser.js sucessfully,
but when i try to run invoke.js or query.js, i get Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP].
Though there are limited information shows above, the peer log give the essential hint about the problem:
WARN 044 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com"
Here is the suggestions that may help your to solve this problem:
Change your peer's logging level to DEBUG on docker-compose file, you will be more easily to find the solution followed by the debug information.
Make sure your CA container is running and its logs not throws out error, like some certifications verify error, which commonly causes by wrong configuration.
Now that the logs shows up some information about x509 ECDSA, which related to the signature and and the peers endorsement keycert. Also, this keycerts may storage on /tmp/hfc-key-store or any other place that you defined on you code. Try to clean up this temporary file and restart network again.
Noticed that your are using the fabric-sample repo, I think this problem may not caused by some code issues since you just modified a few parameters. So I recommend you to follow this tutorial to get the right step.
I came across similar issue.
I found out then channel name in network config and the channel I created was different. So I changed the channel name in the network config and it got fixed.
I have setup a dev hyperledger fabric blockchain successfully and added an user/participant to the network. Execute the operations again and the blockchain all worked fine with using the card that was generated initially. But now, I have lost this card, can I export/download it again? I tried using identity "revoke" api, but it is failing with this error -
Error: Error trying invoke business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: 2 UNKNOWN: error executing chaincode: transaction returned with failure: Error: attempt to get property state on an InvalidRelationship is not allowed. InvalidRelationship created due to Object with ID 'partcipant_1' in collection with ID 'Asset:org.hyperledger.composer.system.Identity' does not exist
I am not exactly sure what you mean when you say you "lost" the card.
The process goes like this:
you have an admin user with full rights to the network and an admin card to connect with, using this admin
you request a new identity, this gives you the required certificates, both public and private
you create a network card for this new identity using the certificates. This results in a physical .card file on disk
you import the physical file and you have a properly registered card and can now interact with the ledger, using this new identity.
if anything happens to the card itself, ie you deleted the registered card and got rid of the file as well, then you need to go through the process and recreate the card from scratch.
your commands could look like this:
composer identity request -c PeerAdmin#hlfv1 -u admin -s adminpw -d alice
this requests everything for a new user called alice, using the peer admin card which is created against the original network admin
composer card create -p your_connection.json -u alice -n your-network -c alice/admin-pub.pem -k alice/admin-priv.pem
this creates the card file
composer card import -f alice#your-network.card
this imports the card
composer network ping -c alice#your-network
check everything works
so, if you no longer have a registered card, you should still have the .card file and if you have that you can simply import it again.
if you don't have the .card file either, you should still have the certificates for "alice" and should be able to create the .card file
if you don't have the certs either then request them again ( I've never tried this particular scenario so we need to see what happens in that case )
According to hyperledger-fabric node-sdk documentation both functions
'queryChannels' and 'queryInstalledChaincodes' must be called by admin. I am
able to access 'queryChannels'(both from the Client class) but on accessing
queryInstalledChaincodes, an error occurs saying :
(status: 500, message: Authorization for GETINSTALLEDCHAINCODES on channel getinstalledchaincodes has been denied with error Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin])
Can somebody propose a solution? Thanks in advance.
Well this is sample, you should find out which identity you are using for the client.
The problem is your fabric ACL policy(which is in the configtx.yaml) has set the chaincode area to a Admin access.
Which means you should use the admin identity to call the queryInstalledChaincodes function.
Further infos please check this page:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/access_control.html#what-is-an-access-control-list
Also this question has been asked 1 year, 6 months ago, so I bet you have worked it out on your own, congrats!