How do I link my Orderer and Peers to the Fabric-CA using docker

Question

I am following the Hyperledger fabric-ca getting started guide and working with Hyperledger Fabric alpha2.

Here is what I would like to do:

• Start the fabric-ca
• Connect the orderer and the peers to the fabric-ca using the credentials I previously created
• And later, only allow authorized user to call the chaincode and access to their attributes

I started my fabric-ca server, registrered a new Identity (peer for example) and enrolled it. A msp directory was generated with the keystore, signcerts, cacerts. The fabric-ca msp directory et ca-cert.pam were also generated.

To start the orderer, I use this command:

docker run -it --name orderer.example.com -p 7050:7050 
-v $DIR/crypto-config/.../orderers/orderer.example.com:/var/hyperledger/orderer/msp 
-v $DIR/orderer.block:/var/hyperledger/orderer/orderer.block 
-w /opt/gopath/src/github.com/hyperledger/fabric
-e ORDERER_GENERAL_LOGLEVEL=debug 
-e ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 
-e ORDERER_GENERAL_GENESISMETHOD=file 
-e ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.block 
-e ORDERER_GENERAL_LOCALMSPID=OrdererMSP 
-e ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp 
hyperledger/fabric-orderer 

How can I start my orderer and peers and tell them to "connect" to the fabric-ca using docker? Which environment variable should I use ? I just don't really understand how the communication work between these entities.

Answer 1

The orderer and peer processes do not open a connection to the fabric-ca-server. They simply read from the "msp" directory.

In order to create the "msp" directory for an orderer or peer prior to starting it, you may use the "fabric-ca-client enroll -u " command as described at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity.

Also see this change set https://gerrit.hyperledger.org/r/#/c/10871/ and note the comments. It provides a way to use fabric-ca instead of cryptogen to run the fabric/examples/e2e_cli example, which includes enrolling orderers and peers. See in particular the fabric-ca-cryptogen.sh script at https://gerrit.hyperledger.org/r/#/c/10871/6/examples/e2e_cli/fabric-ca-cryptogen.sh which I think is pretty readable.

Answer 2

You link your Orderer and Peers to the Fabric-CA when you register and enroll them. How you say, the Fabric-CA generates the keys that you need for the MSP.

Then, when you create the channel transaction artifact:

• You define which members will take part in the channel.
• You define the MSP directory for each member, introducing there the necessary certificates.

Then, you enter into a Peer and create the channel. There, you will use the channel transaction artifact that you have created previously. After that, each peer should join the channel.

You "connect" to the Fabric-CA through the MSP.

Briefly: you only need the Fabric-CA to generate the pair of keys. Once you have enrolled your Orderer and Peer, you don't need the Fabric-CA. So, it's better to stop it. If you need again the Fabric-CA, you will restart it.

Answer 3

The general project documentation at https://hyperledger-fabric.readthedocs.io/en/latest/getting_started.html includes a docker compose file which will startup an orderer, 4 peers, and two CA servers. The file to look at is docker-compose-e2e-template.yaml. If you want to run the example with the CA servers, you can change network_setup.sh to use docker-compose-e2e.yaml by changing the COMPOSE_FILE variable appropriately