Hyperledger with different PKI than Fabric CA - hyperledger-fabric

I am reading the docs and other information regarding using Hyperledger Fabric, and everywhere I see the Fabric CA.
I understand the concept of how it works and I also understand PKI pretty well.
Is it mandatory to use Fabric CA in order to provide identities in Hyperledger? I do not see any reason not to use any other deployed PKI in order to issue certificates and CRLs to Hyperledger peers, orderers, etc.
I tried it in a development environment, and the private keys and certificates have a standard format which can be produced by any PKI solution.

No. It's not mandatory to use Fabric CA. My network runs well with keys and certificates generated by another CA. For instance, you can generate all the materials with openssl. By the way, it's worth noting that currently the Java/Node SDK only supports ECDSA algorithms (per my knowledge), so you want to pay attention to the algorithms when generating keys and certificates from your CA.

Related

What exactly Membership Service Provider (MSP) is in Hyperledger Fabric?

While reading the documentation on Hyperledger Fabric I couldn't understand what MSP is. It is really unclear to me what an MSP exactly is and how it differs from a CA.
What I understand is that a CA issues certificates and the MSP says which of these are valid and belong to a certain organization. But what exactly is it?
Is the MSP some kind of server that has some kind of interface that other peers and orderers use, or is it a bunch of directories that contain configuration, or what exactly is it? How can I view it?
The documentation describes what its role is and how it fits into the blockchain network, but not what exactly it is.
When I run a simple dev Fabric network, docker contains a process for the peer, the orderer, and a CA. Where is the MSP?
I've checked these questions but none of them explains what an MSP actually is.
Hyperledger Fabric docs on Membership Service Provider - Questions
Hyperledger fabric understanding MSP
What is the difference between MSP and Fabric CA?
OK, so I was able, hopefully, to answer my question. I will answer it in the form of points.
The name "MSP" is, in my opinion, a poorly chosen name. The word "Service" implies having a working process/program/server in place, like a Web Service, REST Service etc. The word "Provider" also implies that it provides the membership service, and finally I imagined that this is some kind of OAuth or LDAP server or something alike. It is not. It is a bunch of directories with digital certificates. Probably a better name would be Members Certificates Directory (MCD) or Members Certificates Registry (MCR).
After realizing that these are directories, from the documentation:
"To set up a local MSP (for either a peer or an orderer), the administrator should create a folder (e.g. $MY_PATH/mspconfig) that contains six subfolders and a file"
Also, "set up" implies starting and configuring a process/server or something alike.
So I entered the peer container of the Dev Servers created for Hyperledger Composer development and searched for $FABRIC_CFG_PATH.
The /msp DIRECTORY is the MSP directory and it contains the directories explained in the docs.
And it is configured as required by the documents:
"The path to the mspconfig folder is expected to be relative to FABRIC_CFG_PATH and is provided as the value of parameter mspConfigPath for the peer, and LocalMSPDir for the orderer"
I hope this clears the uncertainty for others as it did for me, and that the Fabric docs get updated for more clarity.
Hyperledger Fabric 2.2 documentation explains it as per the accepted answer.
https://hyperledger-fabric.readthedocs.io/en/release-2.2/membership/membership.html
What is MSP
Despite its name, the Membership Service Provider does not actually provide anything. Rather, the implementation of the MSP requirement is a set of folders that are added to the configuration of the network... Whereas Certificate Authorities generate the certificates that represent identities, the MSP contains a list of permissioned identities.
Two types of MSP:
Local MSPs are represented as a folder structure on the file system.
Channel MSPs are described in a channel configuration.
The confusion may come from the fact that HLF is both defining the MSP as an abstraction layer and providing a simplistic implementation (using directories).
The MSP documentation (link above) clearly states: "In the rest of this document we elaborate on the setup of the MSP **implementation** supported by Hyperledger Fabric".

Difference between Hyperledger Fabric and Hyperledger Iroha?

Both Hyperledger Fabric and Hyperledger Iroha are platforms for building distributed ledger applications.
What are the main differences between them? When to choose one over the other to implement a blockchain solution?
Hyperledger Iroha and Fabric are just 2 of 5 independent Hyperledger blockchain technologies:
Hyperledger Fabric
Hyperledger Sawtooth
Hyperledger Indy (Identity Management focus)
Hyperledger Iroha (Extensive client API support, including mobile platforms)
Hyperledger Burrow (Ethereum EVM implementation)
How is Iroha different?
Byzantine fault tolerant consensus algorithm (called YAC) is high-performance and allows for finality of transactions with low latency.
Includes built-in commands for common tasks such as create digital assets, register accounts, and transfer assets between accounts.
Has a robust permission system, allowing permissions to be set for all commands, queries, and joining of the network.
I would evaluate each technology to see which one best fits your needs.
Fabric and Iroha are different Hyperledger technologies.
Unlike Fabric, where peers poll for validation, Iroha applications interact with peers in a simple client-server fashion.
Iroha uses the YAC consensus algorithm.
The most significant difference is provided by the entity called accounts. Accounts have roles associated with them and only those accounts that hold a grantable permission can perform any actions.
I don't know about your use case, so I'll generalise using a small example here. Go for Iroha in use cases similar to KYC. Iroha specialises in accounts and the roles (sets of permissions) associated with them. You can handle a similar scenario with Fabric too, but then you need to take care of access rights, grants etc. Similarly, various use cases can be solved using multiple technologies. Iroha would also be preferable in scenarios involving the creation and transfer of assets.
This will be helpful for you. Cheers!

How to deploy a Chain Code with Hyperledger Fabric?

I'm interested in the development of Blockchain Apps using Fabric and Composer.
I’ve got just one question: while Ethereum is a public blockchain so you can deploy your Smart Contract on it and use them freely, can we do the same thing with Fabric? Let me explain: Ethereum has a running Blockchain on which we can work and access, but Fabric has not, right? Should I set up an entire new blockchain network before (setting up all the nodes, giving permissions etc.)?
Thank you
Hyperledger Fabric is different from the blockchain systems you mention in that it is private and permissioned. Rather than an open permissionless system that allows unknown identities to participate in the network (requiring protocols like "proof of work" to validate transactions and secure the network), the members of a Hyperledger Fabric network enroll through a trusted Membership Service Provider (MSP). Member organisations would generally set up their own Fabric infrastructure if they're participating in the blockchain network (context provided earlier). See more in the FAQ here -> http://hyperledger-fabric.readthedocs.io/en/release-1.2/Fabric-FAQ.html and understand more about key Fabric concepts here -> http://hyperledger-fabric.readthedocs.io/en/release-1.2/key_concepts.html . As for Hyperledger Composer, that is a development framework, with tools etc. to accelerate development and abstract things to a business level (i.e. app development using structured/validated, model-driven development as a given). See more here -> https://hyperledger.github.io/composer/latest/introduction/introduction (and also see the architectural and key concept links there).
So yes, you will have a running, private blockchain network (including all of the functionality discussed in the docs) with Hyperledger Fabric.
As in Ethereum we are able to create a public blockchain and then the user is able to run smart contracts on it, we can do the same thing in Hyperledger Fabric also.
Hyperledger Fabric has the same functionality as smart contracts, called "chaincode".
A chaincode is a program that is written to read and update the ledger state. All the business logic is handled by chaincode.
For example, if a transaction is created then the chaincode shares and updates the ledger throughout the network.
As for a running Fabric-based blockchain, we can work on it and access it, but that's only possible when someone from the existing network invites you.
It is quite difficult to say whether you should set up an entire new blockchain network until I know your use case. Based on your use case you can set up an entire new blockchain network using Fabric, which will be private.

Hyperledger fabric and Ethereum integration

We were planning to build a blockchain based on the logic below, but understand that due to the private data (a portion of our data is private while some data is public), it is not possible on Ethereum. Would the same design / implementation be possible using Hyperledger Fabric?
Our current design: Blockchain on Ethereum but keeping the data related to blocks in some distributed file storage system like IPFS or Storj and storing the hash of the data in blocks. But we need our data to be private / shared, so to achieve that we are thinking of using some Key Management Service like NuCypher KMS. But we will have smart contracts on Ethereum which can access the data and perform some operations.
We understand that the above logic is not feasible due to the private nature of the data. Is there any way to establish communication between Hyperledger Fabric data and an Ethereum smart contract?
It is quite possible to make a part of the transaction data private and the other part of the transaction data private in Ethereum using various smart contract obfuscation techniques. One such technique is known as Zero Knowledge Proof, which can be implemented in Ethereum at a Smart Contract level using the AZTEC Protocol. It is possible to implement Zero Knowledge Proofs in Ethereum in a further extended way using the ZoKrates libraries, which implement libsnark. In Hyperledger Fabric, from version 1.2 onwards there is a feature known as 'Side DB' which helps us to have private transactions between two peers.
As you have mentioned, using the NuCypher platform with homomorphic encryption and proxy re-encryption is always a good idea. We may need to push data from NuCypher into a Smart Contract through Web3.js or by some other easier approach.
With regard to your third question, yes, it is possible to integrate Ethereum and Hyperledger Fabric from Hyperledger 1.4 easily. It has integrated Hyperledger Burrow, which makes compiling and deploying Ethereum Smart Contracts on Hyperledger Fabric easier. However, I am not sure how much it will help your purpose.
Thinking again, I believe offline encryption using NuCypher / Decentralised Oracles and then invoking Smart Contracts with metadata from the encrypted data vault looks like a good design choice. I feel Hyperledger Fabric may be overkill for implementing an offline encryption vault.
Hyperledger offers Ethereum support. Please look for Seth, Burrow etc. Maybe that can be your lead.

Hyperledger Fabric development lifecycle

I was wondering what is the "best" practice in ordering the steps for the HF development cycle? Here are some questions organized in different topics.
1. Specification of network infrastructure:
What are the mandatory members in one business network definition (organizations, peers, CA)?
How many peers do we need in our business network (BN)?
I am aware of the semantics of the relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization. Also, what if just one organization (org1.example.com) will use the developed network; how do we specify the endorsement policy in that use case (since we need at least two organizations in the chaincode instantiate command specification)?
2. SDK development lifecycle
When we develop with the SDK (Node.js), in order to interact with our BN, what are the required CA certificates needed for our SDK app to be able to connect and issue chaincode functions?
How do we issue the CA certificates needed for the SDK app?
3. Chaincode development lifecycle
1. If I am using the CLI docker container for management of my BN, is it good practice to git clone my chaincode to the CLI and then install it and instantiate it on a certain peer node?
2. After I change my Go chaincode, do I need to install it again with a different id on the same peer, or can I just update the existing instance of my chaincode?
My idea is to make this question sort of place where we can add all the relevant questions about these three topics, so please edit and add additional questions! Thank you for your answers.
Let me try to answer your questions:
What are the mandatory members in one business network definition (organizations, peers, CA)?
The only mandatory network entities are peers and the ordering service. Of course, to be able to define anything you should have a notion of organizations, the parties which are going to transact. Each such party is expected to have a number of peers which run chaincodes (smart contracts) on the organization's behalf. A CA is required to issue certificates and bind peer and client identities to a certain organization.
How many peers do we need in our business network (BN)?
The desired number of peers is completely up to your business logic and requirements, and needs to accommodate expectations for availability, scalability and your trust model (endorsement policies).
I am aware of the semantics of the relationship between the channel and the peer, but I am not sure about the relationship between the peer and the organization.
A peer is the network entity which executes chaincodes on behalf of a given organization, increasing the organization's confidence in the correctness of execution results.
Also, what if just one organization (org1.example.com) will use the developed network; how do we specify the endorsement policy in that use case (since we need at least two organizations in the chaincode instantiate command specification)?
You do not have to have at least two organizations to define an endorsement policy, although with one org it is a bit redundant, since the default endorsement policy is to have some peer from the channel sign the endorsement request.
When we develop with the SDK (Node.js), in order to interact with our BN, what are the required CA certificates needed for our SDK app to be able to connect and issue chaincode functions?
You do not need the CA certificate, but you need a client certificate signed by the root CA to prove the client identity and enable the peer to validate whether the client has the correct access rights.
How do we issue the CA certificates needed for the SDK app?
You can use fabric-ca to enroll users and get a client certificate, or you can simply leverage cryptogen to produce client certs for you.
If I am using the CLI docker container for management of my BN, is it good practice to git clone my chaincode to the CLI and then install it and instantiate it on a certain peer node?
Here is the thing: the peer CLI is a bit abused, since its primary usage is rapid testing in development and demoing. The proper way to communicate with Hyperledger Fabric is by using the SDKs, i.e. you basically need to implement a client which will be capable of installing and instantiating chaincodes based on your own logic and parameters relevant to your application.
After I change my Go chaincode, do I need to install it again with a different id on the same peer, or can I just update the existing instance of my chaincode?
You have an upgrade procedure which is pretty well covered in the Hyperledger Fabric documentation. Or you can see a short demo on video.
My idea is to make this question sort of a place where we can add all the relevant questions about these three topics, so please edit and add additional questions!
Please consider logging in to Rocket.Chat and using the #fabric channel to ask your questions.
Additionally, please take a look at the documentation, since most of the information and details about your questions can be found there and it is constantly being updated.