Hyperledger Fabric 二進制文件啓動 Org1 組織 CA
部署 Org1 TLS CA
初始化
./fabric-ca-server init -b tlscaadmin:tlscaadminpw
修改 fabric-ca-server-config.yaml 配置文件
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 7054
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: true
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org1-tls-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
# Ignore Certificate Expiration in the case of re-enroll
reenrollIgnoreCertExpiry: false
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and values.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: tlscaadmin
pass: tlscaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: mysql
datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_tls_ca?parseTime=true
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
# 由於這是一個不會頒發 CA 證書的 TLS CA,因此ca可以刪除配置文件部分。該signing.profiles塊應僅包含tls配置文件。
# ca:
# usage:
# - cert sign
# - crl sign
# expiry: 43800h
# caconstraint:
# isca: true
# maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost.localdomain
- localhost
- tlsca.org1.example.com
- 192.168.0.105
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the isuser to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9445
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server
啓動 Org1 TLS CA
nohup ./fabric-ca-server start > org1-tls-ca.log 2>&1 &
查看日誌:
tail -f org1-tls-ca.log
2022/03/08 21:49:43 [INFO] The Idemix issuer revocation public and secret key files already exist
2022/03/08 21:49:43 [INFO] private key file location: /usr/project/fabric-ca/org1-ca/tls-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/08 21:49:43 [INFO] public key file location: /usr/project/fabric-ca/org1-ca/tls-ca/IssuerRevocationPublicKey
2022/03/08 21:49:43 [DEBUG] Intializing nonce manager for issuer 'org1-tls-ca'
2022/03/08 21:49:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/tls-ca
2022/03/08 21:49:43 [DEBUG] 1 CA instance(s) running on server
2022/03/08 21:49:43 [INFO] Operation Server Listening on 127.0.0.1:9445
2022/03/08 21:49:43 [DEBUG] TLS is enabled
2022/03/08 21:49:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/08 21:49:43 [INFO] Listening on https://0.0.0.0:7054
使用 TLS CA 登記引導用戶
./fabric-ca-client enroll -d -u https://tlscaadmin:[email protected]:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
輸出如下:
2022/03/08 22:14:41 [DEBUG] newEnrollmentResponse root
2022/03/08 22:14:41 [INFO] Stored client certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/signcerts/cert.pem
2022/03/08 22:14:41 [INFO] Stored TLS root CA certificate at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:14:41 [INFO] Stored Issuer public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerPublicKey
2022/03/08 22:14:41 [INFO] Stored Issuer revocation public key at /root/.fabric-ca-client/tls-ca/tlsadmin/msp/IssuerRevocationPublicKey
生成 MSP 結構如下:
tls-ca/tlscaadmin/
└── msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 1a3605866a5278e63c77a0f1025c86e4cace230cf22d3cc76558462c4b4aacc1_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-tlsca-org1-example-com-7054.pem
└── user
向 TLS CA 註冊和登記組織 CA 引導標識
TLS CA 服務器以具有服務器完全管理員權限的引導身份啓動。管理員的一項關鍵能力是註冊新身份的能力。組織中在網絡上進行交易的每個節點都需要向 TLS CA 註冊。因此,在我們設置組織 CA 之前,我們需要使用 TLS CA 來註冊和註冊組織 CA 引導身份,以獲取其 TLS 證書和私鑰。
./fabric-ca-client register -d --id.name rootcaadmin --id.secret rootcaadminpw -u https://tlscaadmin:[email protected]:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
輸出如下:
2022/03/08 22:44:34 [DEBUG] No Idemix credential found at /usr/project/fabric-ca/org1-ca/tls-ca/tlsadmin/msp/user/SignerConfig
2022/03/08 22:44:34 [DEBUG] Register { Name:org1rootcaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName: }
2022/03/08 22:44:34 [DEBUG] Adding token-based authorization header
2022/03/08 22:44:34 [DEBUG] Sending request
POST https://root:[email protected]:7054/register
{"id":"org1rootcaadmin","type":"client","secret":"org1rootcaadminpw","affiliation":""}
2022/03/08 22:44:34 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:44:34 [DEBUG] Response body result: map[secret:org1rootcaadminpw]
2022/03/08 22:44:34 [DEBUG] The register request completed successfully
Password: org1rootcaadminpw
爲 org1rootcaadmin 用戶生成 TLS 證書:
./fabric-ca-client enroll -d -u https://rootcaadmin:[email protected]:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp
輸出如下:
2022/03/08 22:45:23 [DEBUG] newEnrollmentResponse rootcaadmin
2022/03/08 22:45:23 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/signcerts/cert.pem
2022/03/08 22:45:23 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:45:23 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerPublicKey
2022/03/08 22:45:23 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/IssuerRevocationPublicKey
生成 MSP 結構如下:
tls-ca/rootcaadmin/
└── msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 386443da0808d7bd90c1b88f103a676b9e3a383ee9322fd65913dcc53f72488f_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-tlsca-org1-example-com-7054.pem
└── user
(可選) 向 TLS CA 註冊和登記組織中間 CA 引導標識
./fabric-ca-client register -d --id.name intcaadmin --id.secret intcaadminpw -u https://tlscaadmin:[email protected]:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/tlscaadmin/msp
輸出如下:
2022/03/08 22:51:12 [DEBUG] Register { Name:org1intermediatecaadmin Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[] CAName: }
2022/03/08 22:51:12 [DEBUG] Adding token-based authorization header
2022/03/08 22:51:12 [DEBUG] Sending request
POST https://tlscaadmin:[email protected]:7054/register
{"id":"intcaadmin","type":"client","secret":"intcaadminpw","affiliation":""}
2022/03/08 22:51:12 [DEBUG] Received response
statusCode=201 (201 Created)
2022/03/08 22:51:12 [DEBUG] Response body result: map[secret:intcaadminpw]
2022/03/08 22:51:12 [DEBUG] The register request completed successfully
Password: intcaadminpw
爲 org1intermediatecaadmin 用戶生成 TLS 證書:
./fabric-ca-client enroll -d -u https://intcaadmin:[email protected]:7054 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --enrollment.profile tls --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp
輸出如下:
2022/03/08 22:54:11 [DEBUG] newEnrollmentResponse intcaadmin
2022/03/08 22:54:11 [INFO] Stored client certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/signcerts/cert.pem
2022/03/08 22:54:11 [INFO] Stored TLS root CA certificate at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/tlscacerts/tls-tlsca-org1-example-com-7054.pem
2022/03/08 22:54:11 [INFO] Stored Issuer public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerPublicKey
2022/03/08 22:54:11 [INFO] Stored Issuer revocation public key at /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/IssuerRevocationPublicKey
生成 MSP 結構如下:
tls-ca/intcaadmin/
└── msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 2f9e6c388f7095186fa02da0d49d56e60af93bd8a5938a95e9362d97a94305b2_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-tlsca-org1-example-com-7054.pem
└── user
部署 Org1 Root CA
初始化組織根CA
./fabric-ca-server init -b rootcaadmin:rootcaadminpw
輸出如下:
2022/03/09 00:44:20 [INFO] Created default configuration file at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server-config.yaml
2022/03/09 00:44:20 [INFO] Server Version: 1.5.2
2022/03/09 00:44:20 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2022/03/09 00:44:20 [WARNING] &{69 The specified CA certificate file /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem does not exist}
2022/03/09 00:44:20 [INFO] generating key: &{A:ecdsa S:256}
2022/03/09 00:44:20 [INFO] encoded CSR
2022/03/09 00:44:20 [INFO] signed certificate with serial number 546254827741696287188172041494887425008823408464
2022/03/09 00:44:20 [INFO] The CA key and certificate were generated for CA
2022/03/09 00:44:20 [INFO] The key was stored by BCCSP provider 'SW'
2022/03/09 00:44:20 [INFO] The certificate is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/ca-cert.pem
2022/03/09 00:44:21 [INFO] Initialized sqlite3 database at /usr/project/fabric-ca/org1-ca/org1-root-ca/fabric-ca-server.db
2022/03/09 00:44:21 [INFO] The issuer key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerPublicKey, secret key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerSecretKey
2022/03/09 00:44:21 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2022/03/09 00:44:21 [INFO] The revocation key was successfully stored. The public key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/IssuerRevocationPublicKey, private key is at: /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore/IssuerRevocationPrivateKey
2022/03/09 00:44:21 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:44:21 [INFO] Initialization was successful
編輯 fabric-ca-server-config.yaml 文件:
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 7055
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: true
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile: /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/signcerts/cert.pem
keyfile: /usr/project/fabric-ca/org1-ca/tls-ca/rootcaadmin/msp/keystore/key.pem
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org1-root-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
# Ignore Certificate Expiration in the case of re-enroll
reenrollIgnoreCertExpiry: false
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and values.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: rootcaadmin
pass: rootcaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: mysql
datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_root_ca?parseTime=true
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 1
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-org1-root-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost.localdomain
- localhost
- rootca.org1.example.com
- 192.168.0.105
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the isuser to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9446
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server
在啓動服務器之前,如果您修改csr了配置 .yaml 文件塊中的任何值,則需要刪除該
ca-cert.pem文件和整個msp文件夾。當您在下一步啓動 CA 服務器時,這些證書將根據配置 .yaml 文件中的新設置重新生成。
啓動 ca 服務:
nohup ./fabric-ca-server start > org1-root-ca.log 2>&1 &
查看日誌輸出如下:
2022/03/09 00:57:43 [DEBUG] Intializing nonce manager for issuer 'org1-root-ca'
2022/03/09 00:57:43 [INFO] Home directory for default CA: /usr/project/fabric-ca/org1-ca/org1-root-ca
2022/03/09 00:57:43 [DEBUG] 1 CA instance(s) running on server
2022/03/09 00:57:43 [INFO] Operation Server Listening on 127.0.0.1:9446
2022/03/09 00:57:43 [DEBUG] TLS is enabled
2022/03/09 00:57:43 [DEBUG] TLS Certificate: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem, TLS Key: /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[52 160 11 191 139 56 223 161 107 227 29 92 106 178 120 63 173 151 219 229 198 133 127 139 212 184 117 189 136 56 132 95]]: Key with SKI 34a00bbf8b38dfa16be31d5c6ab2783fad97dbe5c6857f8bd4b875bd8838845f not found in /usr/project/fabric-ca/org1-ca/org1-root-ca/msp/keystore
2022/03/09 00:57:43 [DEBUG] Attempting fallback with certfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/signcerts/cert.pem and keyfile /usr/project/fabric-ca/org1-ca/tls-ca/org1rootcaadmin/msp/keystore/key.pem
2022/03/09 00:57:43 [DEBUG] Client authentication type requested: noclientcert
2022/03/09 00:57:43 [INFO] Listening on https://0.0.0.0:7055
登記組織根 CA 管理員:
./fabric-ca-client enroll -d -u https://rootcaadmin:[email protected]:7055 --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --csr.hosts '192.168.0.105,*.org1.example.com' --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp
(可選)向組織(根)CA 註冊中間 CA 引導標識。
./fabric-ca-client register -d -u https://rootca.org1.example.com:7055 --id.name intcaadmin --id.secret intcaadmin --id.attrs '"hf.Registrar.Roles=user,admin","hf.Revoker=true","hf.IntermediateCA=true"' --tls.certfiles /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem --mspdir /usr/project/fabric-ca/org1-ca/org1-root-ca/rootcaadmin/msp
部署 Org1 Intermediate CA
./fabric-ca-server init -b intcaadmin:intcaadminpw
編輯 fabric-ca-server-config.yaml:
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.5.2
# Server's listening port (default: 7054)
port: 7056
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: true
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile: /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/signcerts/cert.pem
keyfile: /usr/project/fabric-ca/org1-ca/tls-ca/intcaadmin/msp/keystore/key.pem
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: org1-int-ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
# Ignore Certificate Expiration in the case of re-enroll
reenrollIgnoreCertExpiry: false
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and values.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: intcaadmin
pass: intcaadminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: mysql
datasource: root:root@tcp(192.168.2.54:3306)/fabric_org1_int_ca?parseTime=true
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn:
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost.localdomain
- localhost
- intca.org1.example.com
- 192.168.0.105
ca:
expiry: 131400h
pathlength: 0
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the isuser to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url: https://rootcaadmin:[email protected]:7055
caname: org1-root-ca
enrollment:
hosts: incat.org1.example.com
profile: ca
label:
tls:
certfiles: /usr/project/fabric-ca/org1-ca/tls-ca/ca-cert.pem
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server
啓動 ca 服務:
nohup ./fabric-ca-server start > org1-int-ca.log 2>&1 &