fabric-ca-server is not able to start with softhsm configuration - hyperledger-fabric

I have enabled the PKCS11 in fabric ca , but when starting the fabric-ca-server natively then throwing below error. Please note it works fine with default SW option.
Checkout the fabric-ca v1.3.0
Update BCCSP property as below
bccsp:
default: PKCS11
pkcs11:
library: /usr/local/lib/softhsm/libsofthsm2.so
pin: daily123
label: org1label
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
Run server with command
./fabric-ca-server start -b admin:adminpw -d
Error2018/10/12 07:27:01 [INFO] Configuration file location: /opt/gopath/bin/fabric-ca-server-config.yaml
2018/10/12 07:27:01 [INFO] Starting server in home directory: /opt/gopath/bin
2018/10/12 07:27:01 [INFO] Server Version: 1.3.0
2018/10/12 07:27:01 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/12 07:27:01 [DEBUG] Making server filenames absolute
2018/10/12 07:27:01 [DEBUG] Initializing default CA in directory /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Init CA with home /opt/gopath/bin and config {Version:1.3.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4204ce7d0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[safenet localhost] KeyRequest:0xc4204b1ac0 CA:0xc4204b1b40 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4204de060 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/10/12 07:27:01 [DEBUG] CA Home Directory: /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Checking configuration file version '1.3.0' against server version: '1.3.0'
2018/10/12 07:27:01 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2018/10/12 07:27:01 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find defaultPKCS11BCCSP

It works fine with latest fabric-ca images (as of now latest 1.4.0-snapshot-cb7353f).

If you use fabric-ca 1.3 code base, follow below steps to make it work
GO_TAGS=pkcs11 make fabric-ca-server
update fabric-ca-server-config.yaml with the softHSM data like token, label, pin, library (follow here https://hyperledger-fabric-ca.readthedocs.io/en/release-1.3/users-guide.html#configuring-fabric-ca-server-to-use-softhsm2)
restart fabric-ca server with fabric-ca-server start -b admin:adminpw
fabric-ca server is restarted as expected.

Related

Hyperledger Go SDK Client error connection is in TRANSIENT_FAILURE remote error: tls: bad certificate

I know there are several errors like this one, but I see most of them are with the test-network, using a local environment and my case is different.
I have a blockchain running using k8s it used to be running in V1.4 and we migrated it to V2.3 so the certificates were generated without a SAN but to make them work with the new version we are using the env variable GODEBUG="x509ignoreCN=0" I can connect to it using a console client to do changes in the channel and configuration, and I can connect with a node js client and execute contracts, I want to connect using a Go client for a different app but I'm having trouble with the config.
I'm getting a TRANSIENT_FAILURE error in the Go Client and a tls: bad certificate in the peer but the certificates are the same that work for the other environments, the config.yaml I'm using is based on my configuration from the test-network that's also working.
Something weird though, is that the configPath doesn't seem to work and I need to add the users individualy to make it run.
So this is my config.yaml
---
name: network-company
version: 1.0.0
client:
organization: company
logging:
level: debug
connection:
timeout:
peer:
endorser: "300"
cryptoconfig:
path: /home/company
credentialStore:
path: /home/company/users
cryptoStore:
path: /home/company/users/admin#mycompany.com/msp
BCCSP:
security:
enabled: true
default:
provider: "SW"
hashAlgorithm: "SHA2"
softVerify: true
level: 256
tlsCerts:
systemCertPool: false
client:
cert:
path: /home/company/users/admin#mycompany.com/tls/cert.pem
key:
path: /home/company/users/admin#mycompany.com/tls/key.pem
organizations:
company:
mspid: company
cryptoPath: /home/company/users/admin#mycompany.com/msp
users:
admin:
cert:
path: /home/company/users/admin#mycompany.com/msp/signcerts/cert.pem
key:
path: /home/company/users/admin#mycompany.com/msp/keystore/key.pem
peers:
- peer1.mycompany.com
- peer2.mycompany.com
peers:
peer1.mycompany.com:
url: grpcs://peer1.mycompany.com:443
tlsCACerts:
path: /home/company/users/admin#mycompany.com/tls/ca.pem
grpcOptions:
ssl-target-name-override: peer1.mycompany.com
hostnameOverride: peer1.mycompany.com
keep-alive-time: 10s
keep-alive-timeout: 20s
keep-alive-permit: false
fail-fast: false
httpOptions:
verify: false
peer2.mycompany.com:
url: grpcs://peer2.mycompany.com:443
tlsCACerts:
path: /home/company/users/admin#mycompany.com/tls/ca.pem
grpcOptions:
ssl-target-name-override: peer2.mycompany.com
hostnameOverride: peer2.mycompany.com
keep-alive-time: 10s
keep-alive-timeout: 20s
keep-alive-permit: false
fail-fast: false
allow-insecure: true
httpOptions:
verify: false
channels:
mychannel:
peers:
peer1.mycompany.com:
endorsingPeer: true
chaincodeQuery: true
ledgerQuery: true
eventSource: true
peer2.mycompany.com:
endorsingPeer: true
chaincodeQuery: true
ledgerQuery: true
eventSource: true
policies:
queryChannelConfig:
minResponses: 1
maxTargets: 1
retryOpts:
attempts: 5
initialBackoff: 500ms
maxBackoff: 5s
backoffFactor: 2.0
entityMatchers:
peer:
- pattern: peer1.mycompany.com
urlSubstitutionExp: peer1.mycompany.com:443
sslTargetOverrideUrlSubstitutionExp: peer1.mycompany.com
mappedHost: peer1.mycompany.com
- pattern: peer2.mycompany.com
urlSubstitutionExp: peer2.mycompany.com:443
sslTargetOverrideUrlSubstitutionExp: peer2.mycompany.com
mappedHost: peer2.mycompany.com
These are my certificates paths:
/home/company/users/admin#mycompany.com
+ msp
+ admincerts/<empty>
+ signcerts/cert.pem
+ cacerts/ca.pem
+ intermediatecerts/ca.pem
+ tlscacerts/ca.pem
+ tlsintermediatecerts/ca.pem
+ keystore/key.pem
+ tls
+ ca.pem
+ cert.pem
+ key.pem
These are the logs from the client:
[fabsdk/core] 2022/01/04 14:34:09 UTC - sw.getOptsByConfig -> DEBU Initialized SW cryptosuite
[fabsdk/fab] 2022/01/04 14:34:09 UTC - n/a -> DEBU KeyStore opened at [/home/company/users/admin#mycompany.com/msp/keystore]...done
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadEndpointConfiguration -> DEBU Client is: {Organization:company TLSCerts:{Client:{Key:{Path:/home/company/users/admin-tls#mycompany.com/tls/key.pem Pem: bytes:[]} Cert:{Path:/home/company/users/admin-tls#mycompany.com/tls/cert.pem Pem: bytes:[]}}}}
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadEndpointConfiguration -> DEBU channels are: map[mychannel:{Orderers:[] Peers:map[peer1.mycompany.com:{EndorsingPeer:true ChaincodeQuery:true LedgerQuery:true EventSource:true} peer2.mycompany.com:{EndorsingPeer:true ChaincodeQuery:true LedgerQuery:true EventSource:true}] Policies:{QueryChannelConfig:{MinResponses:1 MaxTargets:1 RetryOpts:{Attempts:5 InitialBackoff:500ms MaxBackoff:5s BackoffFactor:2 RetryableCodes:map[]}} Discovery:{MinResponses:0 MaxTargets:0 RetryOpts:{Attempts:0 InitialBackoff:0s MaxBackoff:0s BackoffFactor:0 RetryableCodes:map[]}} Selection:{SortingStrategy: Balancer: BlockHeightLagThreshold:0} EventService:{ResolverStrategy: MinBlockHeightResolverMode: Balancer: BlockHeightLagThreshold:0 PeerMonitor: ReconnectBlockHeightLagThreshold:0 PeerMonitorPeriod:0s}}}]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadEndpointConfiguration -> DEBU organizations are: map[company:{MSPID:company CryptoPath:/home/company/users/admin#mycompany.com/msp Users:map[admin:{Key:{Path:/home/company/users/admin#mycompany.com/msp/keystore/key.pem Pem: bytes:[]} Cert:{Path:/home/company/users/admin#mycompany.com/msp/signcerts/cert.pem Pem: bytes:[]}}] Peers:[peer1.mycompany.com peer2.mycompany.com] CertificateAuthorities:[]}]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadEndpointConfiguration -> DEBU orderers are: map[]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadEndpointConfiguration -> DEBU peers are: map[peer1.mycompany.com:{URL:grpcs://peer1.mycompany.com:443 GRPCOptions:map[allow-insecure:true fail-fast:false hostnameoverride:peer1.mycompany.com keep-alive-permit:false keep-alive-time:10s keep-alive-timeout:20s ssl-target-name-override:peer1.mycompany.com] TLSCACerts:{Path:/home/company/users/admin#mycompany.com/tls/ca.pem Pem: bytes:[]}} peer2.mycompany.com:{URL:grpcs://peer2.mycompany.com:443 GRPCOptions:map[allow-insecure:true fail-fast:false hostnameoverride:peer2.mycompany.com keep-alive-permit:false keep-alive-time:10s keep-alive-timeout:20s ssl-target-name-override:peer2.mycompany.com] TLSCACerts:{Path:/home/company/users/admin#mycompany.com/tls/ca.pem Pem: bytes:[]}}]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).compileMatchers -> DEBU Matchers are: {matchers:map[]}
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).compileMatchers -> DEBU Entity matchers are not configured
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadTLSClientCerts -> DEBU Reading pk from config, unable to retrieve from cert: Could not find matching key for SKI: Failed getting key for SKI [[91 7 147 74 144 157 11 46 234 18 159 199 54 134 208 140 16 147 185 225 158 7 112 91 182 170 49 46 139 190 194 99]]: key with SKI 5b07934a909d0b2eea129fc73686d08c1093b9e19e07705bb6aa312e8bbec263 not found in /home/company/users/admin#mycompany.com/msp/keystore
[fabsdk/fab] 2022/01/04 14:34:09 UTC - fab.(*EndpointConfig).loadPrivateKeyFromConfig -> DEBU pk read from config successfully
[fabsdk/msp] 2022/01/04 14:34:09 UTC - msp.(*IdentityConfig).loadIdentityConfigEntities -> DEBU Client is: {Organization:company Logging:{Level:debug} CryptoConfig:{Path:/home/company} TLSCerts:{Client:{Key:{Path:/home/company/users/admin-tls#mycompany.com/tls/key.pem Pem: bytes:[]} Cert:{Path:/home/company/users/admin-tls#mycompany.com/tls/cert.pem Pem: bytes:[]}} SystemCertPool:false} CredentialStore:{Path:/home/company/users CryptoStore:{Path:/home/company/users/admin#mycompany.com/msp}}}
[fabsdk/msp] 2022/01/04 14:34:09 UTC - msp.(*IdentityConfig).loadIdentityConfigEntities -> DEBU organizations are: map[company:{MSPID:company CryptoPath:/home/company/users/admin#mycompany.com/msp Users:map[admin:{Key:{Path:/home/company/users/admin#mycompany.com/msp/keystore/key.pem Pem: bytes:[]} Cert:{Path:/home/company/users/admin#mycompany.com/msp/signcerts/cert.pem Pem: bytes:[]}}] Peers:[peer1.mycompany.com peer2.mycompany.com] CertificateAuthorities:[]}]
[fabsdk/msp] 2022/01/04 14:34:09 UTC - msp.(*IdentityConfig).loadIdentityConfigEntities -> DEBU certificateAuthorities are: map[]
[fabsdk/msp] 2022/01/04 14:34:09 UTC - msp.(*IdentityConfig).compileMatchers -> DEBU Matchers are: {matchers:map[]}
[fabsdk] 2022/01/04 14:34:09 UTC - fabsdk.initSDK -> DEBU SDK initialized successfully
SDK created
resourceManagerClient created
[fabsdk/fab] 2022/01/04 14:34:09 UTC - chconfig.(*params).SetChConfigRefreshInterval -> DEBU RefreshInterval: 1m30s
[fabsdk/util] 2022/01/04 14:34:09 UTC - lazyref.WithRefreshInterval.func1 -> DEBU Checking refreshIntervalSetter
[fabsdk/fab] 2022/01/04 14:34:09 UTC - peer.(*peerEndorser).ProcessTransactionProposal -> DEBU Processing proposal using endorser: peer2.mycompany.com:443
[fabsdk/fab] 2022/01/04 14:34:09 UTC - comm.(*CachingConnector).DialContext -> DEBU DialContext: peer2.mycompany.com:443
[fabsdk/fab] 2022/01/04 14:34:09 UTC - comm.(*CachingConnector).createConn -> DEBU creating connection [peer2.mycompany.com:443]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - comm.(*CachingConnector).createConn -> DEBU storing connection [peer2.mycompany.com:443]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - comm.(*CachingConnector).removeConn -> DEBU removing connection [peer2.mycompany.com:443]
[fabsdk/fab] 2022/01/04 14:34:09 UTC - txn.SendProposal.func1 -> DEBU Received error response from txn proposal processing: Transaction processing for endorser [peer2.mycompany.com:443]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer2.mycompany.com:443]: connection is in TRANSIENT_FAILURE
[fabsdk/common] 2022/01/04 14:34:09 UTC - retry.(*RetryableInvoker).Invoke -> DEBU Failed with err [queryChaincode failed: Transaction processing for endorser [peer2.mycompany.com:443]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer2.mycompany.com:443]: connection is in TRANSIENT_FAILURE] on attempt #1. Checking if retry is warranted...
[fabsdk/common] 2022/01/04 14:34:09 UTC - retry.(*RetryableInvoker).Invoke -> DEBU ... retry for err [queryChaincode failed: Transaction processing for endorser [peer2.mycompany.com:443]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer2.mycompany.com:443]: connection is in TRANSIENT_FAILURE] is NOT warranted after 1 attempt(s).
2022/01/04 14:34:09 error inicializando el SDK: error creando el cliente del canal: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [peer2.mycompany.com:443]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [peer2.mycompany.com:443]: connection is in TRANSIENT_FAILURE
These are the logs from the peer:
2022-01-04 15:23:56.740 UTC [core.comm] ServerHandshake -> ERRO 335 Server TLS handshake failed in 7.869808ms with error remote error: tls: bad certificate server=PeerServer remoteaddress=10.250.37.211:33666
2022-01-04 15:23:56.740 UTC [grpc] WarningDepth -> DEBU 336 [core]grpc: Server.Serve failed to complete security handshake from "10.250.37.211:33666": remote error: tls: bad certificate
A couple of weird things: I need to add the users to the organization, some how it's not able to extract the users from the configPath and I get an error user not found.
It's looking for the tls private key in the msp/keystore folder and of course that isn't there
I tried adding the GODEBUG="x509ignoreCN=0" but it doesn't change the result
I generated an extra TLS certificates just for the client adding the SAN to them as "email:admin-tls#mycompany.com" and mapped it to the configuration with the same result.
I have tried adding and removing the entityMatchers with the same result.
I also did a tcp dump on it server answers to the Client hello with Server hello and then fails with a 400 bad request error.
I have used the configurations referenced from here and here but everything looks good to me.
I'm running out of ideas, is my configuration right? why do I need to force the clients and configPath doesn't work? why is it looking for the tls key in the msp keystore? but mostly why do I get a tls bad certificate if the certificates are good and pass an openssl verify against the ca.pem?
Thanks
UPDATE
This is my certificate info using openssl x509 -in certificate.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
56:00:01:ba:18:d9:cf:ed:a7:00:b9:af:b3:00:01:00:01:ba:18
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CO, L = Medellin, O = mycompany, CN = CA My Company, emailAddress = admin#mycompany.com
Validity
Not Before: Jan 5 12:36:08 2022 GMT
Not After : Jan 5 12:36:08 2023 GMT
Subject: C = CO, ST = ANTIOQUIA, L = MEDELLIN, O = mycompany, OU = admin, CN = admin-tls#mycompany.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d0:c8:3b:20:2f:8f:3b:91:72:f8:71:27:30:cf:
b5:6e:38:e3:5f:e6:1b:42:77:fd:00:f2:8c:1b:ae:
6c:2e:7d:50:03:75:d5:03:db:72:d5:33:27:f3:65:
c1:2a:09:72:6a:d5:cc:c5:45:ca:e5:e5:8c:65:4b:
f2:51:dc:dd:ac
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, Microsoft Encrypted File System, E-mail Protection, TLS Web Client Authentication, Any Extended Key Usage
X509v3 Subject Alternative Name:
DNS:mycompany.com
X509v3 Subject Key Identifier:
9E:C5:4B:E8:67:B1:84:BF:67:E9:BE:A3:DE:B5:EB:E3:3B:4E:D3:D0
X509v3 Authority Key Identifier:
keyid:40:54:B4:93:16:92:20:E3:DB:AA:7A:A3:13:06:EC:65:4F:83:B3:58
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.epm.com.co/CRL/CAEPMClaseI.crl
URI:http://crl2.epm.com.co/CRL/CAEPMClaseI.crl
Authority Information Access:
OCSP - URI:http://ocsp.epm.com.co/OCSP
CA Issuers - URI:http://crl.epm.com.co/CRL/CAEPMClaseI.crt
1.3.6.1.4.1.311.21.7:
0-.%+.....7.....-...K..=...>...k8...,...A..d..
S/MIME Capabilities:
......0...+....0050...*.H..
..*.H..
Signature Algorithm: sha256WithRSAEncryption
6f:d6:85:b1:08:cd:07:78:3d:92:50:85:14:3a:f0:2e:1f:84:
10:7c:1d:15:10:0f:9f:66:e7:1a:41:63:12:83:0c:7c:04:c7:
c8:f4:8b:97:d9:6e:28:78:cb:9b:af:89:6b:1a:f3:06:40:1e:
6f:90:81:8f:f9:03:ff:92:5a:de:8c:7c:35:f9:21:00:fd:85:
c0:73:48:71:c0:82:7a:17:6d:09:ce:b6:03:5a:c5:1f:4f:47:
6d:95:94:a3:e2:cd:19:03:3d:85:a0:7e:5e:cf:a5:55:32:9f:
28:cf:d4:10:c8:42:57:a1:9b:cc:9a:4b:82:75:86:15:92:b9:
ef:d2:b2:1c:5d:a9:fe:ff:d4:f2:83:9d:31:46:50:26:ea:78:
88:9c:72:0a:1e:81:42:88:7b:04:4b:4b:2b:86:3d:ed:f9:4d:
8f:5e:47:1b:0b:8e:a9:8a:ed:ed:8a:09:92:58:6b:14:6e:aa:
50:c1:ae:2f:75:41:5b:e9:28:2b:85:9f:70:0a:d3:27:64:44:
f4:f6:61:99:a0:db:90:05:8c:af:09:fa:36:a5:67:3a:b8:f5:
b3:06:fe:ba:50:aa:1f:2e:43:af:a6:3a:81:01:d1:26:cc:61:
3b:c3:d9:b5:50:d7:27:61:f6:3e:a3:1d:99:0f:f1:37:20:d4:
ea:6d:59:a9:56:09:09:74:90:d4:52:64:69:b5:ad:09:b8:67:
74:ca:52:76:0a:37:0e:29:e0:5b:5a:bc:24:42:a1:14:77:1f:
72:f5:e9:f8:64:17:2e:fc:57:e1:d3:74:3a:1d:a5:fb:f4:c3:
a3:1e:97:f3:ba:d6:33:6a:24:d5:79:d7:9c:07:b4:9d:d0:52:
24:dc:0d:d5:a1:37:42:25:09:3b:96:a5:91:19:6c:7e:58:71:
99:ff:04:14:4d:ea:25:57:23:58:2b:44:84:f9:c3:c4:f6:a6:
ed:81:75:0a:07:e4:ab:bf:74:ec:e6:8c:9e:b8:75:82:47:20:
75:64:94:45:93:2f:ec:8b:8f:2c:19:c8:b0:29:a0:4c:f7:05:
6d:c8:3d:54:78:9e:ac:17:1c:19:5e:3c:1a:ba:93:db:1c:41:
ab:09:e2:d7:e3:11:87:eb:b7:38:e6:cf:85:1e:8a:75:9d:8c:
68:44:5d:d6:60:e7:91:52:ec:08:5b:26:7b:a4:42:d6:49:fc:
3c:74:6c:96:23:99:86:6b:6b:57:89:94:ad:08:98:35:1d:38:
07:09:ae:c3:8c:1f:3c:36:94:a9:da:74:73:ff:5e:c1:0d:f7:
45:a6:85:94:1d:34:46:56:fd:82:3f:8d:c0:d0:a1:20:1b:76:
d3:2e:f8:a7:6c:3f:25:f4
So the issue seemed to be with the TLS certificates from the peers, they where generated before go 1.16 and didn't had the SANs in them, and the error seemed to be getting reflected to the go SDK. #yacovm thank you for your help figuring it out.

TLS handshake fails between organizations

I am running a custom Hyperledger Fabric network with TLS enabled in all communications. Everyting looks great inside of an organizations and CLI can connect to its org peers with TLS and CLIENTAUTH enabled. This is the status of the network:
org1
- peer0
anchor: true
tls_enabled: true
tls_clientauth_enabled: true
- peer1
tls_enabled: true
tls_clientauth_enabled: true
- orderer0
tls_enabled: true
tls_clientauth_enabled: false
org2
- peer0
anchor: true
tls_enabled: true
tls_clientauth_enabled: true
- peer1
tls_enabled: true
tls_clientauth_enabled: true
- orderer0
tls_enabled: true
tls_clientauth_enabled: false
org3
- orderer0
tls_enabled: true
tls_clientauth_enabled: false
However, once I start a channel than involves multiple organizations, I get Gossip and TLS hanshake related errors. This is an example (log from peer0.org1):
2019-10-07 10:01:45.615 UTC [gossip.service] func1 -> INFO 046 Elected as a leader, starting delivery service for channel global
2019-10-07 10:01:48.620 UTC [ConnProducer] NewConnection -> ERRO 047 Failed connecting to {orderer0.org2:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:01:51.622 UTC [ConnProducer] NewConnection -> ERRO 048 Failed connecting to {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:01:54.638 UTC [ConnProducer] NewConnection -> ERRO 049 Failed connecting to {orderer0.org3:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:01:54.638 UTC [ConnProducer] NewConnection -> ERRO 04a Could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}]
2019-10-07 10:01:54.638 UTC [deliveryClient] connect -> ERRO 04b Failed obtaining connection: could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}]
2019-10-07 10:01:54.638 UTC [deliveryClient] try -> WARN 04c Got error: could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}] , at 1 attempt. Retrying in 1s
2019-10-07 10:01:58.640 UTC [ConnProducer] NewConnection -> ERRO 04d Failed connecting to {orderer0.org2:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:01:59.833 UTC [core.comm] ServerHandshake -> ERRO 04e TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.24:54590
2019-10-07 10:02:00.828 UTC [core.comm] ServerHandshake -> ERRO 04f TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.24:54604
2019-10-07 10:02:01.642 UTC [ConnProducer] NewConnection -> ERRO 050 Failed connecting to {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:02:02.609 UTC [core.comm] ServerHandshake -> ERRO 051 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.24:54624
2019-10-07 10:02:04.647 UTC [ConnProducer] NewConnection -> ERRO 052 Failed connecting to {orderer0.org3:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:02:04.647 UTC [ConnProducer] NewConnection -> ERRO 053 Could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}]
2019-10-07 10:02:04.647 UTC [deliveryClient] connect -> ERRO 054 Failed obtaining connection: could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}]
2019-10-07 10:02:04.647 UTC [deliveryClient] try -> WARN 055 Got error: could not connect to any of the endpoints: [{orderer0.org2:7050 [org1MSP org2MSP org3MSP]} {orderer0.org1:7050 [org1MSP org2MSP org3MSP]} {orderer0.org3:7050 [org1MSP org2MSP org3MSP]}] , at 2 attempt. Retrying in 2s
2019-10-07 10:02:04.755 UTC [core.comm] ServerHandshake -> ERRO 056 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.19:48822
2019-10-07 10:02:05.755 UTC [core.comm] ServerHandshake -> ERRO 057 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.19:48836
2019-10-07 10:02:07.118 UTC [core.comm] ServerHandshake -> ERRO 058 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.19:48854
2019-10-07 10:02:09.651 UTC [ConnProducer] NewConnection -> ERRO 059 Failed connecting to {orderer0.org2:7050 [org1MSP org2MSP org3MSP]} , error: context deadline exceeded
2019-10-07 10:02:10.595 UTC [gossip.gossip] func1 -> WARN 05a Deep probe of peer0.org2:7051 failed: context deadline exceeded
github.com/hyperledger/fabric/gossip/gossip.(*gossipServiceImpl).learnAnchorPeers.func1
/opt/gopath/src/github.com/hyperledger/fabric/gossip/gossip/gossip_impl.go:251
github.com/hyperledger/fabric/gossip/discovery.(*gossipDiscoveryImpl).Connect.func1
/opt/gopath/src/github.com/hyperledger/fabric/gossip/discovery/discovery_impl.go:153
runtime.goexit
/opt/go/src/runtime/asm_amd64.s:1333
2019-10-07 10:02:10.595 UTC [gossip.discovery] func1 -> WARN 05b Could not connect to Endpoint: peer0.org2:7051, InternalEndpoint: peer0.org2:7051, PKI-ID: <nil>, Metadata: : context deadline exceeded
How can I solve it? I tried to share CA Pems between orgs and set CORE_PEER_TLS_CLIENTROOTCAS_FILES to "/public/org1/ca-chain.pem /public/org2/ca-chain.pem /public/org3/ca-chain.pem", but it does not work. Do I have to add the client cert for each peer/orderer to every one of my nodes? Where? Is this problem not related to TLS? I am really lost.
Thank you.
Have you specified CORE_PEER_TLS_CERT_FILE, CORE_PEER_TLS_KEY_FILE and CORE_PEER_TLS_ROOTCERT_FILE (this one is for the CA) for each peer?
And if you run your CA Server with TLS you have to specify the cert and keyfiles for TLS there as well.

how to configure hyperledger node sdk with kubernetes cluster?

i am able to configure hyperledger fabric and kubernetes with cli. But now i want to configure hyperledger fabric node sdk with kubernetes. I have created with files but, not able to connect it through node sdk rest endpoints.
my hyperledger services:
[ec2-user#ip-172-31-21-223 ~]$ kubectl get services --namespace=fabrick8s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ca0-org1 NodePort 10.110.184.19 <none> 30101:30101/TCP,30102:30102/TCP 26h
orderer0-orgorderer1 NodePort 10.99.12.255 <none> 32000:32000/TCP 46h
peer0-org1 NodePort 10.101.50.225 <none> 30001:30001/TCP,30002:30002/TCP 3h5m
i have added cluser ip into node network config file but i am not able to connect. getting following error:
[2019-09-12 09:12:08.169] [INFO] SampleWebApp - ****************** SERVER STARTED ************************
[2019-09-12 09:12:08.175] [INFO] SampleWebApp - *************** http://localhost:4000 ******************
(node:2199) DeprecationWarning: grpc.load: Use the #grpc/proto-loader module with grpc.loadPackageDefinition instead
[2019-09-12 09:12:16.427] [DEBUG] SampleWebApp - ------>>>>>> new request for /users
[2019-09-12 09:12:16.428] [DEBUG] SampleWebApp - End point : /users
[2019-09-12 09:12:16.428] [DEBUG] SampleWebApp - User name : test
[2019-09-12 09:12:16.428] [DEBUG] SampleWebApp - Org name : Org1
[2019-09-12 09:12:16.432] [DEBUG] Helper - getClientForOrg - ****** START Org1 undefined
[2019-09-12 09:12:16.439] [DEBUG] Helper - [NetworkConfig101.js]: constructor, network_config: {"name":"HlfV1","x-type":"hlfv1","description":"Hyperledger Node SDK","version":"1.0","channels":{"mychannel":{"orderers":["orderer0-orgorderer1"],"peers":{"peer0-org1":{"endorsingPeer":true,"chaincodeQuery":true,"ledgerQuery":true,"eventSource":true}},"chaincodes":["mycc:v0"]}},"organizations":{"Org1":{"mspid":"Org1MSP","peers":["peer0-org1"],"certificateAuthorities":["ca0-org1"],"adminPrivateKey":{"path":"/var/lib/nfs-share/crypto-config/peerOrganizations/org1/users/Admin#org1/msp/keystore/a6b8f684b67417335a33972cf115efe2222fdf07de1187cfab36c4873e7591af_sk"},"signedCert":{"path":"/var/lib/nfs-share/crypto-config/peerOrganizations/org1/users/Admin#org1/msp/signcerts/Admin#org1-cert.pem"}}},"orderers":{"orderer0-orgorderer1":{"url":"grpcs://localhost:32000","grpcOptions":{"ssl-target-name-override":"orderer0-orgorderer1"},"tlsCACerts":{"path":"/var/lib/nfs-share/crypto-config/ordererOrganizations/orgorderer1/orderers/orderer0.orgorderer1/tls/ca.crt"}}},"peers":{"peer0-org1":{"url":"grpcs://localhost:30001","grpcOptions":{"ssl-target-name-override":"peer0-org1"},"tlsCACerts":{"path":"/var/lib/nfs-share/crypto-config/peerOrganizations/org1/peers/peer0.org1/tls/ca.crt"}}},"certificateAuthorities":{"ca0-org1":{"url":"https://localhost:30101","httpOptions":{"verify":false},"tlsCACerts":{"path":"/var/lib/nfs-share/crypto-config/peerOrganizations/org1/ca/ca.org1-cert.pem"},"registrar":[{"enrollId":"admin","enrollSecret":"adminpw"}],"caName":"ca0-org1"}}}
[2019-09-12 09:12:16.439] [DEBUG] Helper - [NetworkConfig101.js]: constructor, network_config: {"name":"HLF-Framework-Org1","x-type":"hlfv1","description":"HLF-Framework - client definition for Org1","version":"1.0","client":{"organization":"Org1","credentialStore":{"path":"./fabric-client-kv-Org1","cryptoStore":{"path":"/tmp/fabric-client-kv-Org1"},"wallet":"wallet-name"}}}
[2019-09-12 09:12:16.440] [DEBUG] Helper - [NetworkConfig101.js]: mergeSettings - additions start
[2019-09-12 09:12:16.440] [DEBUG] Helper - [NetworkConfig101.js]: getOrganization - name Org1
[2019-09-12 09:12:16.440] [DEBUG] Helper - [Organization.js]: Organization.const
[2019-09-12 09:12:16.441] [DEBUG] Helper - [NetworkConfig101.js]: getCertificateAuthority - name ca0-org1
[2019-09-12 09:12:16.444] [DEBUG] Helper - [CertificateAuthority.js]: CertificateAuthority.const
[2019-09-12 09:12:16.626] [DEBUG] Helper - [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
[2019-09-12 09:12:16.696] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - start
[2019-09-12 09:12:16.698] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - have the key [Circular]
[2019-09-12 09:12:16.699] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - start
[2019-09-12 09:12:16.701] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - have the key [Circular]
[2019-09-12 09:12:16.701] [DEBUG] Helper - [NetworkConfig101.js]: getOrganization - name Org1
[2019-09-12 09:12:16.702] [DEBUG] Helper - [Organization.js]: Organization.const
[2019-09-12 09:12:16.702] [DEBUG] Helper - [NetworkConfig101.js]: getCertificateAuthority - name ca0-org1
[2019-09-12 09:12:16.702] [DEBUG] Helper - [CertificateAuthority.js]: CertificateAuthority.const
[2019-09-12 09:12:16.703] [DEBUG] Helper - [FileKeyValueStore.js]: constructor { options:
{ path: '/home/ec2-user/kube-node-sdk/fabric-client-kv-Org1',
wallet: 'wallet-name',
cryptoStore: { path: '/tmp/fabric-client-kv-Org1' } } }
[2019-09-12 09:12:16.708] [DEBUG] Helper - [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
[2019-09-12 09:12:16.709] [DEBUG] Helper - [utils.CryptoKeyStore]: CryptoKeyStore, constructor - start
[2019-09-12 09:12:16.709] [DEBUG] Helper - [utils.CryptoKeyStore]: constructor, no super class specified, using config: fabric-client/lib/impl/FileKeyValueStore.js
[2019-09-12 09:12:16.709] [DEBUG] Helper - getClientForOrg - ****** END Org1 undefined
[2019-09-12 09:12:16.709] [DEBUG] Helper - Successfully initialized the credential stores
[2019-09-12 09:12:16.710] [DEBUG] Helper - [FileKeyValueStore.js]: getValue { key: 'test' }
[2019-09-12 09:12:16.716] [INFO] Helper - User test was not enrolled, so we will need an admin user object to register
[2019-09-12 09:12:16.717] [DEBUG] Helper - [FileKeyValueStore.js]: getValue { key: 'admin' }
[2019-09-12 09:12:16.717] [DEBUG] Helper - [NetworkConfig101.js]: getOrganization - name Org1
[2019-09-12 09:12:16.717] [DEBUG] Helper - [Organization.js]: Organization.const
[2019-09-12 09:12:16.717] [DEBUG] Helper - [NetworkConfig101.js]: getCertificateAuthority - name ca0-org1
[2019-09-12 09:12:16.718] [DEBUG] Helper - [CertificateAuthority.js]: CertificateAuthority.const
[2019-09-12 09:12:16.718] [DEBUG] Helper - [NetworkConfig101.js]: getOrganization - name Org1
[2019-09-12 09:12:16.718] [DEBUG] Helper - [Organization.js]: Organization.const
[2019-09-12 09:12:16.718] [DEBUG] Helper - [NetworkConfig101.js]: getCertificateAuthority - name ca0-org1
[2019-09-12 09:12:16.718] [DEBUG] Helper - [CertificateAuthority.js]: CertificateAuthority.const
[2019-09-12 09:12:16.732] [DEBUG] Helper - [FabricCAClient.js]: Successfully constructed Fabric CA client from options - {"caname":"ca0-org1","protocol":"https","hostname":"localhost","port":30101,"tlsOptions":{"trustedRoots":["-----BEGIN CERTIFICATE-----\nMIICIjCCAcigAwIBAgIRANPRopfisvYPfsGHY1tke+MwCgYIKoZIzj0EAwIwWzEL\nMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG\ncmFuY2lzY28xDTALBgNVBAoTBG9yZzExEDAOBgNVBAMTB2NhLm9yZzEwHhcNMTkw\nNzA5MjMzMDAwWhcNMjkwNzA2MjMzMDAwWjBbMQswCQYDVQQGEwJVUzETMBEGA1UE\nCBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChME\nb3JnMTEQMA4GA1UEAxMHY2Eub3JnMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBMQsUoC5j79WG1YA0ZgfjnxYkv3TQlFUujWvSpcSG3911uxWBBG8tBxalcY6XubW\ndEk+QNReLYz5XWVclzmJZZujbTBrMA4GA1UdDwEB/wQEAwIBpjAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUwAwEB/zApBgNVHQ4EIgQg\nxbTg5ty+qp3Jny2uw/eHWhfPT3w0LrE/MeG74D9Vd2YwCgYIKoZIzj0EAwIDSAAw\nRQIhANJxDvpI0R59X3DLoegKxwpFKKwnA3yhJZCtsoQ4TvPAAiBOKIf3AMpBrfFl\nx9DjYULlHqYcCMCG9jROisk8e0y2uA==\n-----END CERTIFICATE-----\n"],"verify":false}}
[2019-09-12 09:12:16.732] [DEBUG] Helper - [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"localhost","port":30101}
[2019-09-12 09:12:16.785] [DEBUG] Helper - [utils.CryptoKeyStore]: This class requires a CryptoKeyStore to save keys, using the store: {"opts":{"path":"/tmp/fabric-client-kv-Org1"}}
[2019-09-12 09:12:16.785] [DEBUG] Helper - [FileKeyValueStore.js]: constructor { options: { path: '/tmp/fabric-client-kv-Org1' } }
[2019-09-12 09:12:16.786] [DEBUG] Helper - [utils.CryptoKeyStore]: _getKeyStore returning ks
[2019-09-12 09:12:16.786] [DEBUG] Helper - [crypto_ecdsa_aes]: generateKey, store.setValue
[2019-09-12 09:12:16.786] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: c93658d3386293eed8cbbd07d9124d7e0bb354ceb1bbbba80099dc9a942b9ed3
[2019-09-12 09:12:16.787] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: 3444c31a9342c0bedae13aff1e5d43ed610ca641a597355e5af25c973708c4ef
[2019-09-12 09:12:16.791] [DEBUG] Helper - [FileKeyValueStore.js]: setValue { key:
'4ef322eb862cc68caf4341999813959a931baa492a0dcd227f73bf8afa803301-priv' }
[2019-09-12 09:12:16.843] [ERROR] Helper - Failed to get registered user: test with error: Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:30101]
[2019-09-12 09:12:16.843] [DEBUG] SampleWebApp - -- returned from registering the username test for organization Org1
[2019-09-12 09:12:16.843] [DEBUG] SampleWebApp - Failed to register the username test for organization Org1 with::failed Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:30101]
i have given the wrong targetPort.. for CA target port is 7054.
solved my issue :)
apiVersion: v1
kind: Service
metadata:
namespace: fabrick8s
name: ca0-org1
spec:
selector:
name: ca0-org1
type: NodePort
ports:
- name: grpc
protocol: TCP
port: 30101
targetPort: 7054
nodePort: 30101

Cannot access user attribute using Attribute Based Access Control (ABAC) in Hyperledger Fabric 1.1

I am trying out Attribute based access control using GoLang and facing an issue in getting the attribute in the chaincode. I'm using cid.GetAttributeValue() function and the function returns nothing. It prints blank and the found variable is set to false.
The things I have done are:
Registered a user defined attribute named "firstName" with value "*" to the admin. (Also tried setting it to a specific value)
Enrolled that admin to the network
Registered and enrolled the user with the same attribute "firstName" (with ecert flag set to true)
Invoked a chaincode to get the attribute value using the enrolled user
Snippets of relevant code have been attached below:
Fabric-CA-Server Config File
identities:
- name: admin
pass: adminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "firstName"
hf.AffiliationMgr: true
firstName: "*"
Code for registering and enrolling an user.
user = {
enrollmentID: username,
affiliation: orgName + '.department1',
maxEnrollments: 5,
role: 'client',
attrs: [{ name: 'firstName', value: 'Mathan_sir', ecert: true }]
}
console.log(user);
var enrollmentSecret = await fabric_CA_Client.register(user, admin);
console.log('client registered');
console.log('Successfully registered user - secret:' + enrollmentSecret);
var enrollment = await fabric_CA_Client.enroll({
enrollmentID: username,
enrollmentSecret: enrollmentSecret,
attr_reqs: [
{ name: "firstName", optional: false }
// { name: "lastName", optional: false }
]
});
Chaincode.
value, found, err := cid.GetAttributeValue(stub, "firstName")
if err != nil {
return shim.Error("could not do abac")
}
fmt.Println("value is ", value)
fmt.Println("found is ", found)
Log in Fabric - CA :
2018/07/17 04:23:00 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/07/17 04:23:00 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2018/07/17 04:23:00 [INFO] Server Version: 1.2.0-stable
2018/07/17 04:23:00 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/07/17 04:23:00 [DEBUG] Default CA configuration, if necessary, will be used to replace missing values for additional CAs: {Version:1.2.0-stable Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc420555bc0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e3c7da43b062 localhost] KeyRequest:<nil> CA:0xc4200ffec0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4204e5080 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:0 NonceExpiration: NonceSweepInterval:}}
2018/07/17 04:23:00 [DEBUG] Additional CAs to be started: [/etc/hyperledger/fabric-ca-server/ca/ca-config.yaml]
2018/07/17 04:23:00 [INFO] Loading CA from /etc/hyperledger/fabric-ca-server/ca/ca-config.yaml
2018/07/17 04:23:00 [DEBUG] CA configuration after checking for missing values: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-org1 Keyfile:/etc/hyperledger/fabric-ca-server-config/3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc4205a0e50 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e3c7da43b062 localhost] KeyRequest:<nil> CA:0xc42059cea0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:firstName hf.AffiliationMgr:1 firstName:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42059eba0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/07/17 04:23:00 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server/ca and config {Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-org1 Keyfile:/etc/hyperledger/fabric-ca-server-config/3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc4205a0e50 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e3c7da43b062 localhost] KeyRequest:<nil> CA:0xc42059cea0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 firstName:* hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:firstName] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42059eba0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/07/17 04:23:00 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server/ca
2018/07/17 04:23:00 [DEBUG] Checking configuration file version '1.1.0' against server version: '1.2.0-stable'
2018/07/17 04:23:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42059ec00 PluginOpts:<nil> Pkcs11Opts:<nil>}
2018/07/17 04:23:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4205a1890 DummyKeystore:<nil>}
2018/07/17 04:23:00 [DEBUG] Initialize key material
2018/07/17 04:23:00 [DEBUG] Making CA filenames absolute
2018/07/17 04:23:00 [INFO] The CA key and certificate files already exist
2018/07/17 04:23:00 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569_sk
2018/07/17 04:23:00 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
2018/07/17 04:23:00 [DEBUG] Validating the CA certificate and key
2018/07/17 04:23:00 [DEBUG] Check CA certificate for valid dates
2018/07/17 04:23:00 [DEBUG] Check CA certificate for valid usages
2018/07/17 04:23:00 [DEBUG] Check CA certificate for valid IsCA value
2018/07/17 04:23:00 [DEBUG] Check that key type is supported
2018/07/17 04:23:00 [DEBUG] Check that key size is of appropriate length
2018/07/17 04:23:00 [DEBUG] Check that public key and private key match
2018/07/17 04:23:00 [DEBUG] Validation of CA certificate and key successful
2018/07/17 04:23:00 [DEBUG] Loading CN from existing enrollment information
2018/07/17 04:23:00 [DEBUG] Initializing DB
2018/07/17 04:23:00 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server/ca/fabric-ca-server.db'
2018/07/17 04:23:00 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server/ca/fabric-ca-server.db) directory
2018/07/17 04:23:00 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server/ca/fabric-ca-server.db) if it does not exist...
2018/07/17 04:23:00 [DEBUG] Creating users table if it does not exist
2018/07/17 04:23:00 [DEBUG] Creating affiliations table if it does not exist
2018/07/17 04:23:00 [DEBUG] Creating certificates table if it does not exist
2018/07/17 04:23:00 [DEBUG] Creating credentials table if it does not exist
2018/07/17 04:23:00 [DEBUG] Creating revocation_authority_info table if it does not exist
2018/07/17 04:23:00 [DEBUG] Creating nonces table if it does not exist
2018/07/17 04:23:01 [DEBUG] Creating properties table if it does not exist
2018/07/17 04:23:02 [DEBUG] Successfully opened sqlite3 DB
2018/07/17 04:23:02 [DEBUG] Checking database schema...
2018/07/17 04:23:02 [DEBUG] Update SQLite schema, if using outdated schema
2018/07/17 04:23:02 [DEBUG] Upgrade identities table
2018/07/17 04:23:02 [DEBUG] Creating users table if it does not exist
2018/07/17 04:23:03 [DEBUG] Upgrade affiliation table
2018/07/17 04:23:03 [DEBUG] Creating affiliations table if it does not exist
2018/07/17 04:23:04 [DEBUG] Upgrade certificates table
2018/07/17 04:23:04 [DEBUG] Creating certificates table if it does not exist
2018/07/17 04:23:05 [DEBUG] Initializing identity registry
2018/07/17 04:23:05 [DEBUG] Initialized DB identity registry
2018/07/17 04:23:05 [DEBUG] DB: Get properties [identity.level affiliation.level certificate.level]
2018/07/17 04:23:05 [DEBUG] Checking database levels 'map[affiliation.level:0 certificate.level:0 identity.level:0]' against server levels '&{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}'
2018/07/17 04:23:05 [DEBUG] Loading identity table
2018/07/17 04:23:05 [DEBUG] Loading identity 'admin'
2018/07/17 04:23:05 [DEBUG] DB: Getting identity admin
2018/07/17 04:23:05 [DEBUG] Max enrollment value verification - User specified max enrollment: 0, CA max enrollment: -1
2018/07/17 04:23:05 [DEBUG] DB: Add identity admin
2018/07/17 04:23:05 [DEBUG] Successfully added identity admin to the database
2018/07/17 04:23:05 [DEBUG] Registered identity: { Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:-1 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:firstName hf.AffiliationMgr:1 firstName:* hf.Registrar.Roles:* hf.Registrar.DelegateRoles:*] }
2018/07/17 04:23:05 [DEBUG] Successfully loaded identity table
2018/07/17 04:23:05 [DEBUG] Loading affiliations table
2018/07/17 04:23:05 [DEBUG] DB: Add affiliation org2
2018/07/17 04:23:06 [DEBUG] Affiliation 'org2' added
2018/07/17 04:23:06 [DEBUG] DB: Add affiliation org2.department1
2018/07/17 04:23:07 [DEBUG] Affiliation 'org2.department1' added
2018/07/17 04:23:07 [DEBUG] DB: Add affiliation org1
2018/07/17 04:23:07 [DEBUG] Affiliation 'org1' added
2018/07/17 04:23:07 [DEBUG] DB: Add affiliation org1.department1
2018/07/17 04:23:08 [DEBUG] Affiliation 'org1.department1' added
2018/07/17 04:23:08 [DEBUG] DB: Add affiliation org1.department2
2018/07/17 04:23:08 [DEBUG] Affiliation 'org1.department2' added
2018/07/17 04:23:08 [DEBUG] Successfully loaded affiliations table
2018/07/17 04:23:08 [DEBUG] Checking and performing migration, if needed
2018/07/17 04:23:18 [DEBUG] Initializing enrollment signer
2018/07/17 04:23:18 [DEBUG] No key found in BCCSP keystore, attempting fallback
2018/07/17 04:23:18 [DEBUG] validating configuration
2018/07/17 04:23:18 [DEBUG] validate local profile
2018/07/17 04:23:18 [DEBUG] profile is valid
2018/07/17 04:23:18 [DEBUG] validate local profile
2018/07/17 04:23:18 [DEBUG] profile is valid
2018/07/17 04:23:18 [DEBUG] validate local profile
2018/07/17 04:23:18 [DEBUG] profile is valid
2018/07/17 04:23:18 [DEBUG] CA initialization successful
2018/07/17 04:23:18 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2018/07/17 04:23:18 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2018/07/17 04:23:18 [DEBUG] Comparing DNs from certificates: /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem and /etc/hyperledger/fabric-ca-server/ca-cert.pem
2018/07/17 04:23:18 [DEBUG] Loading DNs from certificate /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
2018/07/17 04:23:18 [DEBUG] Loading DNs from certificate /etc/hyperledger/fabric-ca-server/ca-cert.pem
2018/07/17 04:23:18 [DEBUG] Check to see if two DNs are equal - &{issuer:CN=ca.org1.example.com,O=org1.example.com,L=San Francisco,ST=California,C=US subject:CN=ca.org1.example.com,O=org1.example.com,L=San Francisco,ST=California,C=US} and &{issuer:CN=example.com,OU=WWW,O=Internet Widgets\, Inc.,L=San Francisco,ST=California,C=US subject:CN=example.com,OU=WWW,O=Internet Widgets\, Inc.,L=San Francisco,ST=California,C=US}
2018/07/17 04:23:18 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2018/07/17 04:23:18 [DEBUG] 2 CA instance(s) running on server
2018/07/17 04:23:18 [INFO] Listening on http://0.0.0.0:7054
2018/07/17 04:38:12 [DEBUG] Cleaning up expired nonces for CA 'ca-org1'
2018/07/17 04:38:18 [DEBUG] Cleaning up expired nonces for CA ''
2018/07/17 04:46:57 [DEBUG] Received request for /api/v1/enroll
2018/07/17 04:46:57 [DEBUG] ca.Config: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-org1 Keyfile:/etc/hyperledger/fabric-ca-server-config/3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem Chainfile:/etc/hyperledger/fabric-ca-server/ca/ca-chain.pem} Signing:0xc4205a0e50 CSR:{CN:ca.org1.example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e3c7da43b062 localhost] KeyRequest:<nil> CA:0xc42059cea0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:firstName hf.AffiliationMgr:1 firstName:* hf.Registrar.Roles:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca-server/ca/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42059eba0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile:/etc/hyperledger/fabric-ca-server/ca/IssuerPublicKey IssuerSecretKeyfile:/etc/hyperledger/fabric-ca-server/ca/msp/keystore/IssuerSecretKey RevocationPublicKeyfile:/etc/hyperledger/fabric-ca-server/ca/IssuerRevocationPublicKey RevocationPrivateKeyfile:/etc/hyperledger/fabric-ca-server/ca/msp/keystore/IssuerRevocationPrivateKey RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/07/17 04:46:57 [DEBUG] DB: Getting identity admin
2018/07/17 04:46:57 [DEBUG] DB: Login user admin with max enrollments of -1 and state of 0
2018/07/17 04:46:57 [DEBUG] DB: identity admin successfully logged in
2018/07/17 04:46:57 [DEBUG] DB: Getting identity admin
2018/07/17 04:46:57 [DEBUG] Processing sign request: id=admin, CommonName=admin, Subject=<nil>
2018/07/17 04:46:57 [DEBUG] Request is not for a CA signing certificate
2018/07/17 04:46:57 [DEBUG] Checking CSR fields to make sure that they do not exceed maximum character limits
2018/07/17 04:46:57 [DEBUG] Finished processing sign request
2018/07/17 04:46:57 [DEBUG] DB: Getting identity admin
2018-07-17T04:46:57.558556370Z 2018/07/17 04:46:57 [DEBUG] Attribute extension being added to certificate is: &{ID:[1 2 3 4 5 6 7 8 1] Critical:false Value:7b226174747273223a7b2266697273744e616d65223a222a222c2268662e5265676973747261722e41747472696275746573223a2266697273744e616d65227d7d}
2018/07/17 04:46:57 [DEBUG] Adding attribute extension to CSR: &{ID:[1 2 3 4 5 6 7 8 1] Critical:false Value:7b226174747273223a7b2266697273744e616d65223a222a222c2268662e5265676973747261722e41747472696275746573223a2266697273744e616d65227d7d}
2018/07/17 04:46:57 [INFO] signed certificate with serial number 624665886532998504441151201588115183399742601456
2018/07/17 04:46:57 [DEBUG] DB: Insert Certificate
2018/07/17 04:46:57 [DEBUG] Saved serial number as hex 6d6afcb3ed661e7f059b8a0b51829330fdfdf8f0
2018/07/17 04:46:57 [DEBUG] saved certificate with serial number 624665886532998504441151201588115183399742601456
2018/07/17 04:46:57 [DEBUG] Successfully incremented state for identity admin to 1
2018/07/17 04:46:57 [INFO] 172.18.0.1:47506 POST /api/v1/enroll 201 0 "OK"
2018/07/17 04:47:02 [DEBUG] Received request for /api/v1/register
2018/07/17 04:47:02 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2018/07/17 04:47:02 [DEBUG] DB: Get certificate by serial (6d6afcb3ed661e7f059b8a0b51829330fdfdf8f0) and aki (3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569)
2018/07/17 04:47:02 [DEBUG] DB: Getting identity admin
2018/07/17 04:47:02 [DEBUG] Successful token authentication of 'admin'
2018/07/17 04:47:02 [DEBUG] Received registration request from admin: { Name:vijay Type:client Secret:**** MaxEnrollments:5 Affiliation:org1.department1 Attributes:[{firstName Lohith true}] CAName:ca-org1 }
2018/07/17 04:47:02 [DEBUG] canRegister - Check to see if user 'admin' can register
2018/07/17 04:47:02 [DEBUG] Checking to see if caller 'admin' can act on type 'client'
2018/07/17 04:47:02 [DEBUG] Checking to see if caller 'admin' is a registrar
2018/07/17 04:47:02 [DEBUG] Validating affiliation: org1.department1
2018/07/17 04:47:02 [DEBUG] Checking to see if affiliation 'org1.department1' contains caller's affiliation ''
2018/07/17 04:47:02 [DEBUG] Caller has root affiliation
2018/07/17 04:47:02 [DEBUG] DB: Get affiliation org1.department1
2018/07/17 04:47:02 [DEBUG] Checking to see if registrar can register the requested attributes: [{Name:firstName Value:Lohith ECert:true}]
2018/07/17 04:47:02 [DEBUG] Validating that registrar with the following values for hf.Registrar.Attributes 'firstName' is authorized to register the requested attribute '&{Name:firstName Value:Lohith ECert:true}'
2018/07/17 04:47:02 [DEBUG] Checking if registrar can register attribute: firstName
2018/07/17 04:47:02 [DEBUG] Performing authorization check...
2018/07/17 04:47:02 [DEBUG] Registering user id: vijay
2018/07/17 04:47:02 [DEBUG] Max enrollment value verification - User specified max enrollment: 5, CA max enrollment: -1
2018/07/17 04:47:02 [DEBUG] DB: Getting identity vijay
2018/07/17 04:47:02 [DEBUG] DB: Add identity vijay
2018/07/17 04:47:02 [DEBUG] Successfully added identity vijay to the database
2018/07/17 04:47:02 [INFO] 172.18.0.1:47512 POST /api/v1/register 201 0 "OK"
2018/07/17 04:47:02 [DEBUG] Received request for /api/v1/enroll
2018/07/17 04:47:02 [DEBUG] ca.Config: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-org1 Keyfile:/etc/hyperledger/fabric-ca-server-config/3099498edb13f731965246b01e74514e4b80e978a058cf4cb9b99ab1408e2569_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem Chainfile:/etc/hyperledger/fabric-ca-server/ca/ca-chain.pem} Signing:0xc4205a0e50 CSR:{CN:ca.org1.example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e3c7da43b062 localhost] KeyRequest:<nil> CA:0xc42059cea0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.GenCRL:1 hf.Registrar.Attributes:firstName hf.AffiliationMgr:1 firstName:* hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca-server/ca/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42059eba0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile:/etc/hyperledger/fabric-ca-server/ca/IssuerPublicKey IssuerSecretKeyfile:/etc/hyperledger/fabric-ca-server/ca/msp/keystore/IssuerSecretKey RevocationPublicKeyfile:/etc/hyperledger/fabric-ca-server/ca/IssuerRevocationPublicKey RevocationPrivateKeyfile:/etc/hyperledger/fabric-ca-server/ca/msp/keystore/IssuerRevocationPrivateKey RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/07/17 04:47:02 [DEBUG] DB: Getting identity vijay
2018/07/17 04:47:02 [DEBUG] DB: Login user vijay with max enrollments of 5 and state of 0
2018/07/17 04:47:02 [DEBUG] DB: identity vijay successfully logged in
2018/07/17 04:47:02 [DEBUG] DB: Getting identity vijay
2018/07/17 04:47:02 [DEBUG] Processing sign request: id=vijay, CommonName=vijay, Subject=<nil>
2018/07/17 04:47:02 [DEBUG] Request is not for a CA signing certificate
2018/07/17 04:47:02 [DEBUG] Checking CSR fields to make sure that they do not exceed maximum character limits
2018/07/17 04:47:02 [DEBUG] Finished processing sign request
2018/07/17 04:47:02 [DEBUG] DB: Getting identity vijay
2018/07/17 04:47:02 [DEBUG] Attribute extension being added to certificate is: &{ID:[1 2 3 4 5 6 7 8 1] Critical:false Value:7b226174747273223a7b2266697273744e616d65223a224c6f68697468227d7d}
2018/07/17 04:47:02 [DEBUG] Adding attribute extension to CSR: &{ID:[1 2 3 4 5 6 7 8 1] Critical:false Value:7b226174747273223a7b2266697273744e616d65223a224c6f68697468227d7d}
2018/07/17 04:47:02 [INFO] signed certificate with serial number 124540954052671924407683868974981960232864106719
2018/07/17 04:47:02 [DEBUG] DB: Insert Certificate
2018/07/17 04:47:02 [DEBUG] Saved serial number as hex 15d09c09d65b92d0f28dc7287fdd01d52764c8df
2018/07/17 04:47:02 [DEBUG] saved certificate with serial number 124540954052671924407683868974981960232864106719
2018/07/17 04:47:02 [DEBUG] Successfully incremented state for identity vijay to 1
2018/07/17 04:47:02 [INFO] 172.18.0.1:47516 POST /api/v1/enroll 201 0 "OK"
I suggest trying the following:
Adding more conditional statements in order to evaluate what is going wrong with your application, such as something like:
func (t* SimpleChaincode) get_attribute(stub shim.ChaincodeStubInterface, args []string) pb.Response {
var attribute_name string
if len(args) != 1 {
return shim.Error("Incorrect number of arguments. Expecting only attribute name")
}
attribute_name = args[0]
val, ok, err := cid.GetAttributeValue(stub, attribute_name)
if err != nil {
return shim.Error("Error retriving attribute " + attribute_name + ", error: " + err.Error())
}
if !ok {
return shim.Error("User does not have attribute " + attribute_name)
}
return shim.Success([]byte(val))
}
Reviewing an example of how to query chaincode:
var Fabric_Client = require('fabric-client');
var path = require('path');
var util = require('util');
var os = require('os');
//
var fabric_client = new Fabric_Client();
var attribute = ''
var user = ''
if ((process.argv).length > 3) {
user = process.argv[2]
attribute = process.argv[3]
} else {
console.log("Usage: node " + process.argv[1] + " username attribute")
process.exit(1)
}
// setup the fabric network
var channel = fabric_client.newChannel('mychannel');
var peer = fabric_client.newPeer('grpc://peer0.org1.example.com:7051');
channel.addPeer(peer);
//
var member_user = null;
var store_path = path.join(__dirname, 'hfc-key-store');
console.log('Store path:'+store_path);
var tx_id = null;
// create the key value store as defined in the fabric-client/config/default.json 'key-value-store' setting
Fabric_Client.newDefaultKeyValueStore({ path: store_path
}).then((state_store) => {
// assign the store to the fabric client
fabric_client.setStateStore(state_store);
var crypto_suite = Fabric_Client.newCryptoSuite();
// use the same location for the state store (where the users' certificate are kept)
// and the crypto store (where the users' keys are kept)
var crypto_store = Fabric_Client.newCryptoKeyStore({path: store_path});
crypto_suite.setCryptoKeyStore(crypto_store);
fabric_client.setCryptoSuite(crypto_suite);
// get the enrolled user from persistence, this user will sign all requests
return fabric_client.getUserContext(user, true);
}).then((user_from_store) => {
if (user_from_store && user_from_store.isEnrolled()) {
console.log('Successfully loaded ' + user + ' from persistence');
member_user = user_from_store;
} else {
throw new Error('Failed to get ' + user + ' run registerUser.js');
}
// queryCar chaincode function - requires 1 argument, ex: args: ['CAR4'],
// queryAllCars chaincode function - requires no arguments , ex: args: [''],
const request = {
//targets : --- letting this default to the peers assigned to the channel
chaincodeId: 'acl',
fcn: 'get_attribute',
args: [attribute]
};
// send the query proposal to the peer
return channel.queryByChaincode(request);
}).then((query_responses) => {
console.log("Query has completed, checking results");
// query_responses could have more than one results if there multiple peers were used as targets
if (query_responses && query_responses.length == 1) {
if (query_responses[0] instanceof Error) {
console.error("error from query = ", query_responses[0]);
} else {
console.log("Response is ", query_responses[0].toString());
}
} else {
console.log("No payloads were returned from query");
}
}).catch((err) => {
console.error('Failed to query successfully :: ' + err);
});
Source URL for code: https://gist.github.com/tboloo/e06e2a86f99fc8e7fca295daf4d3f34c
Implementing ABAC
It wasn't clear to me how you are enforcing the decision making for your ABAC with Hyperledger Fabric. My understanding is that Hyperledger Fabric doesn't come with a built in architecture to handle this (PDP, etc.). I suggest using an implementation of XACML to externally handle dynamic authorization.
If you are using
var tx_id = client.newTransactionID(true);
try setting it to
var tx_id = client.newTransactionID();

Error trying to invoke chaincode using Node.js SDK

I am trying to implement Node.js SDK for my Hyperledger Fabric business network. My network has one organisation, four peers, one channel, solo ordered and one CA.
I have successful managed to issue the JWT identity for user Jim and org1 organization.
When I try to invoke the the chaincode using:
curl -s -X POST \
http://localhost:4000/channels/c1/chaincodes/txman \
-H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTAwODIyNzMsInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE1MTAwNDYyNzN9.NTDYky6jj_y1COP163Z_HA6q4v7S1_jN6BxL00Bo-Xo" \
-H "content-type: application/json" \
-d '{
"fcn":"queryTx",
"args":["TX0"]
}'
I am getting the following error:
2017-11-07 11:18:34.286] [DEBUG] SampleWebApp - Decoded from JWT token: username - Jim, orgname - org1
[2017-11-07 11:18:34.287] [DEBUG] SampleWebApp - ==================== INVOKE ON CHAINCODE ==================
[2017-11-07 11:18:34.287] [DEBUG] SampleWebApp - USERNAME: Jim
[2017-11-07 11:18:34.287] [DEBUG] SampleWebApp - ORGNAME: org1
[2017-11-07 11:18:34.287] [DEBUG] SampleWebApp - channelName : c1
[2017-11-07 11:18:34.288] [DEBUG] SampleWebApp - chaincodeName : txman
[2017-11-07 11:18:34.288] [DEBUG] SampleWebApp - fcn : queryTx
[2017-11-07 11:18:34.288] [DEBUG] SampleWebApp - args : TX0
[2017-11-07 11:18:34.292] [DEBUG] invoke-chaincode -
============ invoke transaction on organization org1 ============
[2017-11-07 11:18:34.292] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-11-07 11:18:34.293] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- getValue
[2017-11-07 11:18:34.298] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - start
[2017-11-07 11:18:34.298] [DEBUG] Helper - [crypto_ecdsa_aes]: importKey - have the key [Circular]
[2017-11-07 11:18:34.300] [DEBUG] Helper - [utils.CryptoKeyStore]: _getKeyStore resolving store
[2017-11-07 11:18:34.300] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: c3cd1a318e957b0200852e4ed6c9601eadc8225eb9f79acc11b1c65df142446a
[2017-11-07 11:18:34.300] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: f7bbe9fd43eaae1a0a1d2eb3024ecd79bd63c39a8d1b3b978bc8b4a652d0ef63
[2017-11-07 11:18:34.301] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- setValue
[2017-11-07 11:18:34.303] [DEBUG] Helper - [utils.CryptoKeyStore]: _getKeyStore resolving store
[2017-11-07 11:18:34.303] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- getValue
[2017-11-07 11:18:34.304] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: c3cd1a318e957b0200852e4ed6c9601eadc8225eb9f79acc11b1c65df142446a
[2017-11-07 11:18:34.304] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: f7bbe9fd43eaae1a0a1d2eb3024ecd79bd63c39a8d1b3b978bc8b4a652d0ef63
[2017-11-07 11:18:34.305] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: c3cd1a318e957b0200852e4ed6c9601eadc8225eb9f79acc11b1c65df142446a
[2017-11-07 11:18:34.306] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: f7bbe9fd43eaae1a0a1d2eb3024ecd79bd63c39a8d1b3b978bc8b4a652d0ef63
[2017-11-07 11:18:34.308] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: c3cd1a318e957b0200852e4ed6c9601eadc8225eb9f79acc11b1c65df142446a
[2017-11-07 11:18:34.308] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: f7bbe9fd43eaae1a0a1d2eb3024ecd79bd63c39a8d1b3b978bc8b4a652d0ef63
[2017-11-07 11:18:34.309] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- setValue
[2017-11-07 11:18:34.309] [INFO] Helper - Successfully loaded member from persistence
[2017-11-07 11:18:34.313] [DEBUG] invoke-chaincode - Sending transaction "{"_nonce":{"type":"Buffer","data":[218,130,209,154,87,123,73,36,118,155,194,91,27,250,14,216,117,202,164,5,16,237,96,208]},"_transaction_id":"dba107be47745c51eb75b6a927d68f0afd58b325c5e36326b40a729f9d858f43"}"
[2017-11-07 11:18:34.341] [DEBUG] Helper - [crypto_ecdsa_aes]: ecdsa signature: Signature {
r: <BN: cf5e0aaef0fd10d9abf468e025c6f6c1e8991d0dcddf5f5aa6b285ebdcd920ad>,
s: <BN: 8de356dcfda3ba3fb0d6decfc0e43995b3297bc7037fd3997bfba561e6d626d>,
recoveryParam: 0 }
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
at /home/brankoterzic/Desktop/devGC/txman/node_modules/grpc/src/client.js:554:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
at /home/brankoterzic/Desktop/devGC/txman/node_modules/grpc/src/client.js:554:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
at /home/brankoterzic/Desktop/devGC/txman/node_modules/grpc/src/client.js:554:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
at /home/brankoterzic/Desktop/devGC/txman/node_modules/grpc/src/client.js:554:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
at /home/brankoterzic/Desktop/devGC/txman/node_modules/grpc/src/client.js:554:15
[2017-11-07 11:18:34.400] [ERROR] invoke-chaincode - transaction proposal was bad
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - transaction proposal was bad
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - transaction proposal was bad
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - transaction proposal was bad
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - transaction proposal was bad
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - Failed to send Proposal or receive valid response. Response null or status is not 200. exiting...
[2017-11-07 11:18:34.401] [ERROR] invoke-chaincode - Failed to order the transaction. Error code: undefined
I was following the balance-transfer Node.js example: https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer
Thank you for your answers!
I have solved this by setting up the generated crypto for CA
crypto-config/peerOrganizations/org1.example.com/ca/361a9254173cb1a97c057432094a20db9578ca69a152725f96323e00379c5ad6_sk
to
FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/361a9254173cb1a97c057432094a20db9578ca69a152725f96323e00379c5ad6_sk
in docker-compose-base.yaml env variable.

Resources