I have an issue with the deployment of a business network (Composer version 0.14.2):
I request an identity from the fabric-ca (enrolling as admin with password adminpw, the same as the bootstrap identity of the fabric-ca-server).
I receive a certificate and a private key back, import that identity into the user ID adminCC (matching the previous certificate and key to this user ID) and try to deploy a network with enrollment ID adminCC and business network admin adminCC.
I get an error saying:
Error: Error trying deploy. Error: Error trying install composer runtime. Error: chaincode error (status: 500, message: Authorization for INSTALL has been denied (error-Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]))
Any help with this issue? Shouldn't the certificate requested from the fabric-ca be one with admin rights?
The error you have received is from the peer saying the identity you have used does not have admin rights so is not permitted to install the chaincode onto it.
The admin identity in your fabric-ca-server setup is just a bootstrap identity for the fabric-ca-server; as such it only has issuer rights on the fabric-ca-server from which you obtained it and has no admin rights on any part of the Fabric network.
If you were running v0.13.2 or lower before, there was a breaking change when they upgraded to v0.14.0 / v0.14.2. You can read more about it here. But the gist of it was: in all previous releases of Composer, all digital certificates with "admin" in the name (case insensitive) had "privileged access" to the business network; essentially it acted as if the access control rules were disabled. They replaced this with a more secure model. So you can change your permissions.acl file and add:
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
Then after you archive your BNA, in order to deploy properly use:
composer network deploy -p hlfv1 -a {ban_location/ban_name.bna} -i PeerAdmin -s randomString -A admin -S adminpw
After this you can run the old commands using admin and adminpw as before, like:
composer-rest-server -p hlfv1 -n my-network -i admin -s adminpw -N never
Note: I've tried to keep things as simple as possible in this question, as that is as far as my knowledge goes. Any form of help is appreciated.
I'm new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as Certificate Authority.
I verify that I get a krbtgt using klist with the credentials of the Certificate Admin.
$ klist
Valid starting       Expires              Service principal
01/05/2022 5:35:35   01/06/2022 5:35:35   krbtgt/MYDOM@MYDOM
        renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
    -f /tmp/test.cert.pem \
    -g 4096 \
    -K HTTP/service.mydom \
    -T caIPAserviceCert \
    -D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
The only thing being created is the private key:
$ ls /tmp
test.key
Why isn't the certificate being created? Insufficient privileges.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Though I am able to run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
Any ideas?
Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for the web host.
Only the target machine can create a certificate (IPA uses the host Kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
When we deploy our Hyperledger network, where are these identities of user and admin stored, and how is a user authenticated?
In Hyperledger Fabric there are in total three identities:
CA-Admin: certificate authority admin
command: sh -c 'fabric-ca-server start -b nbdadmin:nbdpw -d'
Org-Admin: we register and enroll this admin and submit it to all MSPs
User: Normal user
Storage:
User certs can be stored in a KVS (file store) or a data store (CouchDB)
We get this error whenever we try to run fabric-ca-client. Example below:
# fabric-ca-client register --url https://ica-org:7054 --id.name user-org --id.affiliation=org
2019/03/19 20:18:07 [INFO] Configuration file location: /home/fabric-ca-client-config.yaml
2019/03/19 20:18:07 [INFO] TLS Enabled
2019/03/19 20:18:07 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
How can we fix this?
This happens when fabric-ca-client cannot find any X509 or Idemix identity. fabric-ca-client needs to be initialized with an identity (except when it is being used to enroll a user). It first tries to load an X509 identity from the mspdir location specified in the fabric-ca-client-config.yaml file or by the -M command line argument, which takes precedence over mspdir in the config file. If it is not able to find an X509 identity it will look for an Idemix identity. If this fails as well, it displays the error in question.
For an X509 identity:
its public cert needs to be in signcerts
its private key needs to be in keystore
the public cert of the authority that issued the public/private keypair needs to be in the cacerts folder (if an intermediate CA was used, its cert needs to be in intermediatecerts)
All the folders above are under the mspdir.
Solution 1
A potential cause: if the folder indicated by FABRIC_CA_CLIENT_HOME has not been created, you'll get that error. Check that FABRIC_CA_CLIENT_HOME points to an existing folder. This happens too when indicating a wrong MSP path.
Example:
fabric-ca-client gencrl -M ~/wrong_path
Solution 2:
Resolution to the issue for the fabric-ca-client identity list command is as follows:
start the network with the CA option
./network.sh up -ca
after the network is up, navigate to (assumes you are already in the test-network directory):
cd organizations/peerOrganizations/org1.example.com
export cert path using this command:
export FABRIC_CA_CLIENT_TLS_CERTFILES=$PWD/ca/ca.org1.example.com-cert.pem
export fabric-ca-client home using this command:
export FABRIC_CA_CLIENT_HOME=$PWD
issue the following command:
fabric-ca-client identity list
Since you use TLS, you should be using the --tls.certfiles flag or set the FABRIC_CA_CLIENT_TLS_CERTFILES environment variable when using the fabric-ca-client command. This should hold the full path to your organisation's TLS certificate.
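The two failures discussed on this page share a root cause in how a Fabric 1.x MSP directory is read: the peer's "[Admins]: This identity is not an admin" rejection from the first question (the identity's certificate is not one of the certificates in the peer org's admincerts folder; the fabric-ca bootstrap admin never is), and fabric-ca-client's "Enrollment information does not exist" (no usable signcerts/keystore/cacerts under the mspdir, or an mspdir path that does not exist). The following is an added example, not code from Hyperledger Fabric, fabric-ca-client or Composer, that inspects such a directory offline: check_mspdir reports what fabric-ca-client would fail to find, and is_msp_admin applies the Fabric 1.x admin rule, which is a byte-for-byte match of the identity's DER certificate against admincerts/. The "certificates" in the fixture are constructed placeholders (base64 of text), not real X.509, and nothing here validates signatures or chains; the function and directory names are the example's own.

```python
"""Inspect a Fabric 1.x MSP directory the way the clients on this page consume it.

Added example; not part of Hyperledger Fabric, fabric-ca-client or Composer.
  * check_mspdir():  the layout fabric-ca-client expects under -M / mspdir.
  * is_msp_admin():  the Fabric 1.x rule behind "[Admins]: This identity is not an admin":
                     the identity's certificate must be byte-identical (DER) to one in admincerts/.
Fixture certificates are constructed placeholders, not real X.509; no chain validation is done.
"""
import base64
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "EC PRIVATE KEY"}
# Constructed payload standing in for PeerAdmin's certificate (assumption, not a real cert).
PEER_ADMIN_BYTES = b"PeerAdmin@org1.example.com: constructed placeholder, not a real X.509 certificate"


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; line wrapping and whitespace are irrelevant."""
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_BLOCK.finditer(text)]


def blocks_in_dir(path):
    """All PEM blocks from all regular files directly under path (empty if the path is missing)."""
    found = []
    if not os.path.isdir(path):
        return found
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "r", encoding="utf-8") as fh:
                found.extend(pem_blocks(fh.read()))
    return found


def check_mspdir(mspdir):
    """Return a list of findings; an empty list means an X509 identity is loadable from mspdir."""
    if not os.path.isdir(mspdir):
        # Wrong -M path, or FABRIC_CA_CLIENT_HOME pointing at a folder that was never created.
        return ["mspdir does not exist: %s" % mspdir]
    labels = {sub: [lbl for lbl, _ in blocks_in_dir(os.path.join(mspdir, sub))]
              for sub in ("signcerts", "keystore", "cacerts", "intermediatecerts")}
    findings = []
    n_sign = labels["signcerts"].count("CERTIFICATE")
    if n_sign != 1:
        findings.append("signcerts must hold exactly one CERTIFICATE (found %d)" % n_sign)
    if not any(lbl in KEY_LABELS for lbl in labels["keystore"]):
        findings.append("keystore holds no private key")
    if any(lbl in KEY_LABELS for lbl in labels["signcerts"]):
        findings.append("a private key is sitting in signcerts (it belongs in keystore)")
    if "CERTIFICATE" not in labels["cacerts"]:
        findings.append("cacerts holds no issuing CA certificate")
    return findings


def is_msp_admin(identity_pem, mspdir):
    """Fabric 1.x admin check: the identity's DER certificate must appear verbatim in admincerts/."""
    certs = [der for lbl, der in pem_blocks(identity_pem) if lbl == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("identity PEM must contain exactly one CERTIFICATE block")
    admins = [der for lbl, der in blocks_in_dir(os.path.join(mspdir, "admincerts")) if lbl == "CERTIFICATE"]
    return certs[0] in admins


def fake_pem(label, payload, wrap=64):
    """Constructed PEM wrapper around arbitrary bytes; stands in for real certificates and keys."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + wrap] for i in range(0, len(body), wrap)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a good MSP and a broken one in a temp dir and query both; returns the results."""
    peer_admin = fake_pem("CERTIFICATE", PEER_ADMIN_BYTES)
    ca_admin = fake_pem("CERTIFICATE", b"admin: fabric-ca-server bootstrap identity, constructed placeholder")
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good-msp")
        write(os.path.join(good, "signcerts", "cert.pem"), peer_admin)
        write(os.path.join(good, "keystore", "priv_sk"), fake_pem("PRIVATE KEY", b"constructed key bytes"))
        write(os.path.join(good, "cacerts", "ca.org1.example.com-cert.pem"), fake_pem("CERTIFICATE", b"constructed CA"))
        write(os.path.join(good, "admincerts", "Admin@org1.example.com-cert.pem"), peer_admin)
        broken = os.path.join(root, "broken-msp")  # key dropped into signcerts, nothing else present
        write(os.path.join(broken, "signcerts", "priv_sk"), fake_pem("PRIVATE KEY", b"misplaced key"))
        return {
            "good": check_mspdir(good),
            "broken": check_mspdir(broken),
            "wrong_path": check_mspdir(os.path.join(root, "wrong_path")),
            "peeradmin_is_admin": is_msp_admin(peer_admin, good),
            "ca_admin_is_admin": is_msp_admin(ca_admin, good),
            # same DER re-wrapped at 32 columns still matches: comparison is on bytes, not PEM text
            "rewrapped_is_admin": is_msp_admin(fake_pem("CERTIFICATE", PEER_ADMIN_BYTES, wrap=32), good),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a real card or MSP by pointing check_mspdir at the folder you pass with -M (or $FABRIC_CA_CLIENT_HOME/msp) and is_msp_admin at the peer org's MSP; a False from is_msp_admin for the identity you deploy with is exactly the situation the first question's error describes, and re-enrolling against fabric-ca cannot fix it because admincerts is populated out of band when the MSP is generated.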
I am trying to create a new identity with this command:
composer identity issue -c admin@siemens-network -f administrator1.card -u Administrator1 -a "resource:org.siemens.Administrator#001"
But I get the following output:
Issue identity and create Network Card for: Administrator1
✖ Issuing identity. This may take a few seconds...
Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authorization failure"}]]
Command failed
I already restarted the fabric but it still doesn't work
Please check that the admin@siemens-network card exists:
composer card list
If you do not have this card, go to the folder containing the createPeerAdminCard.sh file and run
./createPeerAdminCard.sh
Hope it helps you.
I deleted all cards, restarted the network and reimported all cards. Now it's working
I have deployed a two-org Hyperledger network. Now I want to create a new business network card for a new user for the connection byfn-network-org1.
I executed
composer identity request -c PeerAdmin@byfn-network-org1-only -u admin -s adminpw -d rock
and then
composer card create -p connection-org1.json -u rock -n supply-chain -c rock/admin-pub.pem -k rock/admin-priv.pem
and then imported the card.
Now when I try to ping the network with it, it gives this error:
Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: admin).
What shall I do now to make this card access the network?
The correct way to create a new card for a new user is to create a Participant in the business network and then issue an Identity to that Participant.
You can create the Participant via the Playground, the REST server or via the CLI; here is an example from the CLI:
composer participant add -c admin@tutorial-network -d '{"$class":"org.acme.biznet.Trader","tradeId":"t12","firstName":"Charles","lastName":"Thomas"}'
You can issue the Identity to that Participant again via the Playground, REST server or CLI; here is an example for the CLI:
composer identity issue -c admin@tutorial-network -f ct02.card -u charlie -a "resource:org.acme.biznet.Trader#t12"
On the machine where you want to use the card - Import the card. CLI example here:
composer card import -f ct02.card
Test the card:
composer network ping -c charlie@tutorial-network