Background
I am studying the Hyperledger Fabric tutorial: Building Your First Network (BYFN), and studying the details of the scripts. The source code can be found here.
Question
The command byfn.sh generate runs cryptogen generate --config=./crypto-config.yaml, which generates the certificates. A directory crypto-config/ is produced with sub-directories ordererOrganization/ and peerOrganizations/.
In the path crypto-config/peerOrganizations/org1.example.com/ there are the following sub-directories:
ca/
msp/
peers/
tlsca/
users/
I have difficulties in understanding the structures in this directory.
Q1: There are certs and private keys in ca/, msp/ and tlsca/. But what do they represent, and why do we need them? It confuses me because inside the peers/ directory there are also msp/ and tls/.
Q2: What is the purpose of the users/ directory? (I only know the network has peers and orderers.) Are user and admin representing the end-users for this organization? And what is the difference between user and admin? Take this network picture for example: where are user and admin?
Many Thanks
So, the public channel configuration is loaded only with what is found under msp/.
This is used to verify certificates of clients and network nodes (peers, orderers).
The ca/ folder just represents what a CA would have, had it existed.
The tlsca/ folder is basically used to define the same thing as the ca/ folder, only for TLS certificates. In Fabric, there is a different certificate chain for TLS and for enrollment certificates.
Now, the peers/, orderers/ and users/ directories contain the material for the local MSP of the node, as well as its signing identity (certificate and private key).
The user is basically anyone that can authenticate to Fabric as a client, and an admin is a special type of user who is authorized to sign transactions that make administrative changes to the organization it belongs to, such as adding anchor peers when sending a configuration transaction to the orderer, or instantiating chaincode.
I want to create a Hyperledger Fabric network which has a frontend. The web application has a feature for registering and logging in users. The questions are:
Does registering a user through the web application also require registering the user in fabric-ca-server (Fabric CA)?
Do we need to create credentials for the newly registered users like we generate credentials for peers, orderers or other participants in the network?
What will be the "role" of the newly registered participant in the network? What role should we give to the newly added member?
Is there any need to properly create an MSP structure for a new user?
How many users can be registered through the Fabric Certificate Authority?
How many participants/users can belong to one peer node? Will the users/participants who belong to one peer organisation share the same ledger data?
What should the login logic be after registering the user in the network?
First of all, I will try to explain to you how the different components are organized in Hyperledger Fabric. Hyperledger Fabric is focused on organizations; because of this, blockchain nodes belong to the different organizations. However, each organization will then have many users.
Now, I will try to answer your questions:
Web application users can be managed as you want. If they will operate against the blockchain, they need a certificate. However, many users could use the same certificate, for example a generic certificate for all the users of that organization.
You need at least one client certificate.
Its role will be client.
Yes, each component requires an MSP structure. In that structure, it will have its public and private key, as well as the certificates of its trust chain. So, for each user an MSP directory will be created. However, it should be mentioned that each individual belongs to an organization, and each organization is identified by its MSP.
You can register as many users as you want. The attributes option will also be interesting for this. However, there are many options to manage it.
The ledger data is shared among the organizations that are on the same channel. Then, you can define in your chaincode restrictions about who can execute a function.
In my opinion, you should think about your user management strategy and decide if they will operate with the same certificate or each of them will have their own.
I would like to use roles to identify what an organization can do in my Hyperledger Fabric blockchain, so if org1 is a distributor it can call contract1 and contract2, but org2, which has an auditor role, can only call contract2.
I am planning to do it by storing the MSP roles in the blockchain and querying them in the contract to do the validation, and these roles can be stored in the blockchain in the instantiate method.
Something like this:
// method of a fabric-contract-api Contract subclass; Context comes from 'fabric-contract-api'
public async contract1(ctx: Context) {
    const cid = ctx.clientIdentity;
    // roles are keyed by the caller's MSP ID; getState returns a Buffer, so decode it
    const role = (await ctx.stub.getState(cid.getMSPID())).toString();
    if (role === 'auditor') {
        throw new Error('An Auditor can not issue a transference');
    }
    ....
    return response;
}
Is there a better way to associate a role with an MSP ID? Like directly in the certificate? But if the organization manages the CA, how can I guarantee that they don't give themselves super powers and super roles? Or should I check directly in my code for each MSP ID?
Thanks
I am planning of doing it, by storing the msp roles in the blockchain
and querying them in the contract to do the validation, and this roles
can be stored in the blockchain on the instantiate method.
I think your approach is reasonable. It's open to changes and extensions later on.
Is there a better way to associate a role to an mspid? Like directly
on the certificate?
Embedding attributes in certs: As you mentioned, we cannot trust attributes on certificates for organization-wide roles. Our system knows the root certificates of the organizations, so only these can be our reference for such a solution. Since client certificates are signed with these root certificates, we can reach the certificates' issuer certificate as well. If we enforce that organizations put some attributes there, this would give us a solution. This enforcement occurs at on-boarding time and is validated manually by admins. Obviously this is a bad approach, because it is static and we enforce some certificate actions for our custom solution, etc.
Here is a quick and dirty solution method I used before:
Embedding roles in MSP IDs: This is really a quick and dirty solution, i.e. the MSP ID will be set as Org1_xyz where x, y and z are the different roles. You can easily get the client's MSP ID and extract the organization's roles from there. It is a safe method since the MSP ID is assigned to an organization by the admins when introducing the organization to the system channel. Afterwards it is not changeable at all. Also, this information is very dependent on chaincode logic, whereas MSP IDs are a higher-level definition.
Relying on the contents of an enrollment certificate does indeed introduce a lot of trust in the CA issuing the cert. I know this is the idea behind attribute-based access control (ABAC), and in some cases it will work, but the trust issues are significant as any CA can issue a certificate with arbitrary "roles". I think the only real way to handle this is to maintain in chaincode a list of identities that you want to grant access to certain functions. Basically create your own access control lists that are maintained on-chain.
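The two answers above agree on the trust anchor: the caller's MSP ID is fixed in the channel configuration by the channel admins, whereas anything in the certificate is written by the organization's own CA. The following Go program is an added example (not code from the question or either answer) of both patterns: an on-chain ACL keyed by MSP ID, populated at instantiate time, and a decoder for the "quick and dirty" Org1_xyz naming scheme. The ClientIdentity and State interfaces, the in-memory Ledger and Caller fakes, and the letter-to-role table are assumptions made so the logic runs without a Fabric network; in real chaincode the stub and fabric-contract-api-go ClientIdentity provide these calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ClientIdentity is a hypothetical minimal view of the caller; the real
// fabric-contract-api-go type offers the same two calls.
type ClientIdentity interface {
	GetMSPID() (string, error)
	GetAttributeValue(name string) (string, bool, error)
}

// State is the subset of the chaincode stub used here.
type State interface {
	GetState(key string) ([]byte, error)
	PutState(key string, value []byte) error
}

// Ledger and Caller are constructed in-memory fakes for running offline.
type Ledger map[string][]byte

func (l Ledger) GetState(k string) ([]byte, error) { return l[k], nil }
func (l Ledger) PutState(k string, v []byte) error { l[k] = v; return nil }

type Caller struct {
	MSPID string
	Attrs map[string]string // attributes the caller's own CA put in its cert
}

func (c Caller) GetMSPID() (string, error) { return c.MSPID, nil }
func (c Caller) GetAttributeValue(n string) (string, bool, error) {
	v, ok := c.Attrs[n]
	return v, ok, nil
}

const aclPrefix = "acl:" // ledger key prefix for per-organization role lists

// InitRoles is the instantiate/Init step: the admins deploying the chaincode
// fix the roles of every member MSP ID on the ledger.
func InitRoles(st State, roles map[string][]string) error {
	for mspID, rs := range roles {
		b, err := json.Marshal(rs)
		if err != nil {
			return err
		}
		if err := st.PutState(aclPrefix+mspID, b); err != nil {
			return err
		}
	}
	return nil
}

// RolesOf looks the caller's organization up in the on-chain ACL. The key is
// the MSP ID from the channel config; cid.GetAttributeValue is deliberately
// never consulted, so a self-issued "role=distributor" attribute is ignored.
func RolesOf(st State, cid ClientIdentity) ([]string, error) {
	mspID, err := cid.GetMSPID()
	if err != nil {
		return nil, err
	}
	b, err := st.GetState(aclPrefix + mspID)
	if err != nil {
		return nil, err
	}
	if b == nil {
		return nil, fmt.Errorf("MSP %q has no roles on this channel", mspID)
	}
	var roles []string
	return roles, json.Unmarshal(b, &roles)
}

// require passes if the caller's organization holds any of the allowed roles.
func require(st State, cid ClientIdentity, allowed ...string) error {
	roles, err := RolesOf(st, cid)
	if err != nil {
		return err
	}
	for _, r := range roles {
		for _, a := range allowed {
			if r == a {
				return nil
			}
		}
	}
	return fmt.Errorf("caller roles %v not in %v", roles, allowed)
}

// Contract1 (transfer) is for distributors only; Contract2 (audit) for both.
func Contract1(st State, cid ClientIdentity) error { return require(st, cid, "distributor") }
func Contract2(st State, cid ClientIdentity) error { return require(st, cid, "distributor", "auditor") }

// RolesFromMSPID decodes the Org1_xyz convention: each letter after the last
// underscore is a role code (the code table is an assumption of this example).
var roleCodes = map[rune]string{'d': "distributor", 'a': "auditor"}

func RolesFromMSPID(mspID string) []string {
	i := strings.LastIndex(mspID, "_")
	if i < 0 {
		return nil
	}
	var out []string
	for _, c := range mspID[i+1:] {
		if r, ok := roleCodes[c]; ok {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	ledger := Ledger{}
	_ = InitRoles(ledger, map[string][]string{"Org1MSP": {"distributor"}, "Org2MSP": {"auditor"}})
	fmt.Println("Org2 transfer:", Contract1(ledger, Caller{MSPID: "Org2MSP", Attrs: map[string]string{"role": "distributor"}}))
	fmt.Println("Org1_da roles:", RolesFromMSPID("Org1_da"))
}
```

The point of the Attrs field in the fake caller is negative: the ACL lookup never reads it, so an organization that runs its own CA cannot promote itself by minting a certificate with a "role" attribute. Changing who may call Contract1 means a transaction that rewrites the acl: key, which itself can be gated behind the same check for an "admin" role.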
I need to know about Hyperledger Fabric and Fabric CA:
1. How to create the orderer and peer certificate and key pair using fabric-ca.
2. How to query the affiliation and CA name using Fabric: do we need to write chaincode and query them, or can I query them without using chaincode through the Fabric Node.js SDK?
3. I see Domain in the crypto-config file. Do I need to run any domain service or buy a domain name? If I am using Fabric CA, is there anything equivalent to the crypto-config domain?
4. Is it possible to update the member details once created? If so, if I change the password or affiliation of the member, will that be reflected in the certificate?
By registering entities, enrolling both MSP and TLS profiles, and copying missing stuff between folders. Make your own scripts if you wish. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html
https://fabric-sdk-node.github.io/release-1.4/FabricCAServices.html https://godoc.org/github.com/hyperledger/fabric-sdk-go/pkg/client/msp
That domain in crypto-config is used to compose peer and orderer domain names, as you should have observed. As always, you can buy a domain, use Docker's internal name service or work directly with IP addresses if you wish. Everything works if you configure it correctly. Be careful that TLS certificates include the domain name or IP used in the CN or SAN fields (--csr.hosts parameter in fabric-ca-client).
You can edit an identity, enroll new certificates that reflect those changes and update your nodes with them whenever you want. Be careful that the certificates inside the admin folder define which certificates are recognised as admin (the admin role is per certificate, not per identity), so re-enrolling an admin certificate can be tiresome.
I have an API with an endpoint that creates a channel, joins a peer to it and instantiates chaincodes on it. While coding the process I encountered some questions about how things are done.
An organization admin certificate is tested byte per byte while other roles use OUs. Is there an explanation of why the admin verification behaves this way?
I could never manage to enroll and submit the exact same certificate for an organization admin. Due to the above problem, the only solution I found to be able to perform admin operations was to copy the admin cert/key to the SDK crypto-{msp,store}. Is there a way to avoid copying the admin certificate and private key using fabric-ca?
I could not manage to instantiate a chaincode on a newly created channel without having an entry for it in the SDK config file, because the SDK does not find any channelPeer for it. Is there a way to avoid the config file update if we can programmatically know which peer has the channel?
If anyone has an hint on how to solve any of the above question I would appreciate it.
Thanks!
I read the docs on Hyperledger Fabric Membership Service Providers (MSPs) and not everything was really clear to me.
The link to the part of the docs on MSPs is this:
https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html
Quote from the docs:
This is where a Membership Service Provider (MSP) comes into play —
it identifies which Root CAs and Intermediate CAs are trusted to
define the members of a trust domain, e.g., an organization, either by
listing the identities of their members, or by identifying which CAs
are authorized to issue valid identities for their members, or — as
will usually be the case — through a combination of both.
My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX.
Is this understanding correct?
If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering? Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as a member of OrgX and can participate in the network. But what if I (who am not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?
There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?
My understanding of this paragraph is this: An MSP of OrgX either has
a list of OrgX's members (so a participant on the network can simply
be checked against the list) or, alternatively, the MSP defines which
Certificate Authority is allowed to issue identities for members of
OrgX. Is this understanding correct?
Correct. But... in practice, the only certificates that are explicitly configured in the MSP, are administrator certificates. The rest are not configured, and are verified by standard x509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.
If an MSP of OrgX defines the Certificate Authority that is allowed to
issue identities to members of OrgX, then how does this protect the
network from unwanted participants entering?
Unwanted participants are not expected to have a private key that has a corresponding certificate that is issued by OrgX.
Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody
with a certificate from Symantec is regarded as member of OrgX and can
participate in the network. But what if I (who is not a member of
OrgX) get myself a certificate from "Symantec"? Am I now automatically
considered a member of OrgX and can join the network?
If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the fabric channel config, then - you can authenticate as a member of OrgX.
There are channel MSPs and local MSPs. According to the docs, both the
channel MSP and the local MSP define which identities belong to a
certain organisation (for example, OrgX). But what's the point of
instantiating the channel to nodes, if the channel MSP contains the
same information as the local MSP (namely basically a list of
identities)?
The channel MSP doesn't contain the same information as the local MSP.
The local MSP contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to.
However, a channel MSP can contain information about any organization that is a member of the channel.
Actually, a channel has several MSPs: 1 for each organization!
Consider an example: you have orgs A, B and C in channel Foo.
So, the channel configuration would have 3 MSPs, each used to verify an identity belonging to the corresponding organization.
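The validation rules described in this answer, in the earlier answer on the cryptogen folders (separate chains for enrollment and TLS certificates, with ca/ and tlsca/ representing the two CAs) and in the Fabric CA answer (admin is per certificate, not per identity) can be exercised with nothing but Go's crypto/x509. The program below is an added example, not Fabric code: it mints a throwaway enrollment CA, TLS CA and an outside "Symantec" CA, builds an MSP object whose cacerts/, tlscacerts/ and admincerts/ mirror the msp/ folder, and shows that membership is a PKI path check against cacerts/, that admin status is a byte-for-byte match, that a TLS certificate never validates against the enrollment chain, and that a channel with one MSP per org resolves a certificate to whichever org's CA issued it. The MSP and Channel types, NewCert and the OU values are this example's own assumptions, and the key material is generated fresh on every run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCert makes a P-256 certificate. With parent == nil it is a self-signed CA
// (what cryptogen writes under ca/ or tlsca/); otherwise a leaf issued by
// parent, carrying ou as its OU (Fabric's client/peer/admin node OUs).
func NewCert(cn, ou string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // fresh serial per cert
	subj := pkix.Name{CommonName: cn}
	if ou != "" {
		subj.OrganizationalUnit = []string{ou}
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      subj,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// MSP models the validation-relevant parts of one organization's MSP
// definition: cacerts/ (enrollment roots), tlscacerts/ (TLS roots) and
// admincerts/ (literal DER bytes).
type MSP struct {
	ID         string
	cacerts    *x509.CertPool
	tlscacerts *x509.CertPool
	admincerts [][]byte
}

func NewMSP(id string, enrollCA, tlsCA *x509.Certificate, admins ...*x509.Certificate) *MSP {
	m := &MSP{ID: id, cacerts: x509.NewCertPool(), tlscacerts: x509.NewCertPool()}
	m.cacerts.AddCert(enrollCA)
	m.tlscacerts.AddCert(tlsCA)
	for _, a := range admins {
		m.admincerts = append(m.admincerts, a.Raw)
	}
	return m
}

func chainsTo(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Validate is standard PKI path validation against cacerts/: whoever the
// subject is, a cert issued by a trusted enrollment CA is a member.
func (m *MSP) Validate(cert *x509.Certificate) bool { return chainsTo(m.cacerts, cert) }

// ValidateTLS uses the separate TLS chain rooted in tlscacerts/.
func (m *MSP) ValidateTLS(cert *x509.Certificate) bool { return chainsTo(m.tlscacerts, cert) }

// IsAdmin mirrors admincerts/: exact bytes, so a re-enrolled admin with the
// same CN is a valid member but no longer an admin.
func (m *MSP) IsAdmin(cert *x509.Certificate) bool {
	for _, a := range m.admincerts {
		if bytes.Equal(a, cert.Raw) {
			return true
		}
	}
	return false
}

// Channel carries one MSP per member organization (orgs A, B, C above).
type Channel []*MSP

// Resolve returns the MSP ID of the organization whose MSP accepts the cert.
func (ch Channel) Resolve(cert *x509.Certificate) (string, bool) {
	for _, m := range ch {
		if m.Validate(cert) {
			return m.ID, true
		}
	}
	return "", false
}

func main() {
	ca, caKey := NewCert("ca.org1.example.com", "", nil, nil)
	tlsca, _ := NewCert("tlsca.org1.example.com", "", nil, nil)
	admin, _ := NewCert("Admin@org1.example.com", "admin", ca, caKey)
	user, _ := NewCert("User1@org1.example.com", "client", ca, caKey)
	msp := NewMSP("Org1MSP", ca, tlsca, admin)
	fmt.Println("user member:", msp.Validate(user), "user admin:", msp.IsAdmin(user), "admin admin:", msp.IsAdmin(admin))
}
```

Two consequences follow directly from the code and match the answers above. First, the "Symantec" scenario: a certificate from a CA that is not in cacerts/ fails Validate, but if that CA is added to some org's MSP in the channel config, every certificate it ever issues resolves to that org. Second, the SDK problem from the channel-creation question: re-enrolling the admin yields a cert with a new serial and key, so IsAdmin returns false until admincerts/ is updated, which is why the exact admin cert and key have to be copied into the SDK's store.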