While doing Hyperledger fabric setup, we create crypto material and mention users for organizations and and correspondingly user crypto material gets generated which is used to invoke chaincode while logging through CLI. Also, when we try to connect network through SDK we also need to enroll and register user to connect to network. So, what is the difference between these two users?
Cryptogen utility used for generating Hyperledger Fabric key material is mainly meant to be used for testing environment only.
It generates the CA certificate before the Fabric CA Server is up. {This won't be the case in production env.}
This certificate is mounted to fabric-ca in docker-compose.yaml file. This is done via volumes keyword as in the below snippet:
ca.example.com:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca.example.com
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca.example.com
networks:
- basic
The command 'fabric-ca-server start -b admin:adminpw -d' in above script registers a bootstrap identity. This bootstrap identity is used by the application to enroll the 'admin' user. During this enrollment, fabric-ca-server gives the app a ecert, users private key and cacert chain PEM files.
From the above reference, the users certs generated by cryptogen and via application will be issued using the same root CA Cert.
When using CLI to execute commands such install chaincode, instantiate chaincode etc. you will be using the user certs generated by the cryptogen as these are mounted into the corresponding peer. Again refer to the volumes section of peer in docker-compose.yaml for this:
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
- ./config:/etc/hyperledger/configtx
Related
I am trying to integrate softHSM with Hyperledger Fabric. I have followed the below steps:
I have cloned the repo from this link
https://github.com/hyperledger/fabric-ca (main-branch)
Executed the below 3 commands from the above directory. After execution, I got the new binary and the new Fabric-CA image.
make fabric-ca-server GO_TAGS=pkcs11
make fabric-ca-client GO_TAGS=pkcs11
make docker GO_TAGS=pkcs11
I have replaced the old binary(fabric-ca-client and fabric-ca-server)
I am trying to spin up the Fabric-CA in the docker container and passing the environment variables as per the official documentation.
ORG1_RCA:
image: hyperledger/fabric-ca:1.5.1
container_name: ORG1_RCA
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ORG1_RCA
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_PORT=7054
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=
ports:
- 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
environment:
- SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
volumes:
- ./fabric-ca/verizon:/etc/hyperledger/fabric-ca-server
- /home/softhsm/config.file:/etc/hyperledger/fabric/config.file
- /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
networks:
- contract
I am not providing the PIN and label for security purposes.When I am running this container, the private keys are still getting saved into the msp/keystore folder instead of HSM.
I am new to hyperledger fabric and I was trying to test hyperledger fabric sample "fabcar" network with hyperledger fabric.I have done some edit in "org1" to "dfarmadmin".I have edited fabric configtx.yaml,crypto-config.yaml and docker-compose.yml. I'm getting the following error when trying to run ./startFabric.sh into project.
Error response from daemon: Container 5266e6d8297848fb888d15b60aba3d66e5d31b7fc42a37616874c540eedb514e is not running. please see below screenshot for reference and link of files which I have edited "https://github.com/abhisamant7/tuna-Fish/tree/master/dfarm-network"
Please see the below docker logs of three docker container which was exited.
You have done the very basic mistake of naming the domains of both peer and orderer org the same. Check your crypto-config.yaml file and change the domain name here:
OrdererOrgs:
- Name: Orderer
Domain: dfarmadmin.com
PeerOrgs:
- Name: Dfarmadmin
Domain: **CHANGE THIS**
Also change this in your configtx file:
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
to this:
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/dfarmadmin.com/msp
Your volumes in the compose file are pointing towards the msp's
present in the crypto-config folder,but the crypto-config folder
doesnt have all msps files,some files are missing(like ca-key-file).
Your compose file is pointing towards a file which isnt present.So i
would say delete and recreate the msps and point it correctly in the
compose file
Eg.
services:
ca.dfarmadmin.com:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca.dfarmadmin.com
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.dfarmadmin.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/dfarmadmin.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca.dfarmadmin.com
networks:
- dfarm
As you can see your - FABRIC_CA_SERVER_CA_KEYFILE is pointing to a file which is not present.
I am able to interact with CA via fabric ca client of node SDK, But I can't access REST server, Can anybody provide me a getting started guide with CA API? This is my docker compose file
ca:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.peers.test.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA_PRIVATE_KEY -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/peers.test.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca
networks:
- test
Have you looked at the swagger doc on the Fabric CA Github Repo (https://github.com/hyperledger/fabric-ca/blob/release-1.3/swagger/swagger-fabric-ca.json)? This defines all the APIs that are available on the CA.
There is no documentation for direct access to the REST API (except for the swagger docs mentioned by Saad - which only documents the individual API calls, not how to use them). The API can be accessed either via the Node SDK, or the fabric-ca-server CLI.
Please see my answer to this question for more details.
You can trigger normal REST call by browser or postman or curl etc.. based on swagger doc here
Port is 7054 and make sure you ignore the certificate error if you are using localhost as host name - like this:
https://localhost:7054/api/v1/cainfo
I am following the official tutorial about Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations). I was able to up the network using the provider Org1 and Org2 example. Now I want to customize the organization as my own. But upon execution of ./byfn.sh -m up -s couchdb -a command. I am getting the below error; I inspect all the yaml files but I was not able to find the possible root cause of the error. I just really need a help on this. Thank you.
Starting for channel 'mychannel' with CLI timeout of '10' seconds and CLI delay of '3' seconds and using database 'couchdb', and using Fabric CAs
Continue? [Y/n] Y
proceeding ...
LOCAL_VERSION=1.2.0
DOCKER_IMAGE_VERSION=1.2.0
WARNING: The COMPOSE_PROJECT_NAME variable is not set. Defaulting to a blank string.
ERROR: The Compose file is invalid because:
Service peer0.org2.example.com has neither an image nor a build context specified. At least one must be provided.
ERROR !!!! Unable to start network
It looks like your peer-base.yaml file is not correct. One Problem is the COMPOSE_PROJECT_NAME variable. If it is not set, fabric uses the folder as the network-name. But if it is not right there will be some error while bootstrapping the network. We are building a bidding network and it is called trade-network. So the example of the entry in the peer-base.yaml file is:
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
Before the boostrapping we define the COMPOSE_PROJECT_NAME with trade-network so the network is called trade-network_basic. I'm not 100% sure but I think after (or while) bootstrapping there is a point where fabric uses the folder name anyway. So we decicded to use the folder name by default and nothing happened wrong.
The other problem could be the image entry for the peer. In our file it is:
image: hyperledger/fabric-peer:x86_64-1.1.0
You can docker images list and will know which images you have, you have to use one for the peers. After the colon you can be more specific and I would suggest it.
Here is an example of our full peer-base.yaml file:
version: '2'
services:
peer-base:
image: hyperledger/fabric-peer:x86_64-1.1.0
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
#- CORE_LOGGING_LEVEL=INFO
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
At command line i am executing :
fabric-ca-client register --id.name <> --id.type peer --id.affiliation peerorgs.1A --id.attrs <>
I am getting the error below:
"Failed getting affiliation" .
But, the affiliation entry is present in the fabric-ca-server.db. Can some one help me understand why I'm getting this error?
Thanks,
Smitha
Assuming you are using Docker and Docker Compose, then you should be able to do the following:
1) Use a docker-compose.yaml with the following contents (this is a slightly modified version of the one in the repo):
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
fabric-ca-server:
image: hyperledger/fabric-ca
container_name: fabric-ca-server
ports:
- "7054:7054"
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
command: sh -c 'fabric-ca-server start -b admin:adminpw'
2) The above mounts a volume where you can place your customized fabric-ca-server-config.yaml file. Simply create a directory named fabric-ca-server in the same directory as the docker-compose.yaml and then copy your fabric-ca-server-config.yaml there.
3) Run docker-compose up and check the logs. You should see that your affiliations have been created