lmc1913

Reputation: 71

how to configure certificate authority for hyperledger fabric?

In this configuration, I have 4 orgs, so I have made 4 CAs, one for each of them. Is it necessary to have 4 CAs? I was trying to refer to the fabcar example for the expected result for my configuration. They look so different that I cannot tell if I am doing it right.

When I look at one of the CA logs with "docker logs -f ca-gov", I get:

2018/12/28 15:16:38 [DEBUG] Home directory: /etc/hyperledger/fabric-ca-server
2018/12/28 15:16:38 [DEBUG] parent server URL: ''
2018/12/28 15:16:38 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/12/28 15:16:39 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2018/12/28 15:16:39 [DEBUG] Set log level: 
2018/12/28 15:16:39 [INFO] Server Version: 1.4.0-rc2
2018/12/28 15:16:39 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/28 15:16:39 [DEBUG] Making server filenames absolute
2018/12/28 15:16:39 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2018/12/28 15:16:39 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.4.0-rc2 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-gov Keyfile:/etc/hyperledger/fabric-ca-server-config/d596ae436f5d8c8cb17511722a750ca29d1421b797c003912a3c3d5f646313a4_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc0003681d0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[8b35f123f548 localhost] KeyRequest:0xc00035e280 CA:0xc00035e300 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:*]  }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }}  } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }}  } CSP:0xc00035fec0 Client:<nil> Intermediate:{ParentServer:{ URL: CAName:  } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/28 15:16:39 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/12/28 15:16:39 [DEBUG] Checking configuration file version '1.4.0-rc2' against server version: '1.4.0-rc2'
2018/12/28 15:16:39 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000179280 PluginOpts:<nil>}
2018/12/28 15:16:39 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc000369520 DummyKeystore:<nil> InmemKeystore:<nil>}
2018/12/28 15:16:39 [DEBUG] Initialize key material
2018/12/28 15:16:39 [DEBUG] Making CA filenames absolute
2018/12/28 15:16:39 [INFO] The CA key and certificate files already exist
2018/12/28 15:16:39 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/d596ae436f5d8c8cb17511722a750ca29d1421b797c003912a3c3d5f646313a4_sk
2018/12/28 15:16:39 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem
2018/12/28 15:16:39 [DEBUG] Validating the CA certificate and key
2018/12/28 15:16:39 [DEBUG] Check CA certificate for valid dates
2018/12/28 15:16:39 [DEBUG] Check CA certificate for valid usages
2018/12/28 15:16:39 [DEBUG] Check CA certificate for valid IsCA value
2018/12/28 15:16:39 [DEBUG] Check that key type is supported
2018/12/28 15:16:39 [DEBUG] Check that key size is of appropriate length
2018/12/28 15:16:39 [DEBUG] Check that public key and private key match
2018/12/28 15:16:39 [DEBUG] Validation of CA certificate and key successful
2018/12/28 15:16:39 [DEBUG] Loading CN from existing enrollment information
2018/12/28 15:16:39 [DEBUG] Initializing DB
2018/12/28 15:16:39 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server/fabric-ca-server.db'
2018/12/28 15:16:39 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) directory
2018/12/28 15:16:39 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) if it does not exist...
2018/12/28 15:16:39 [DEBUG] Creating users table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating affiliations table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating certificates table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating credentials table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating revocation_authority_info table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating nonces table if it does not exist
2018/12/28 15:16:39 [DEBUG] Creating properties table if it does not exist
2018/12/28 15:16:39 [DEBUG] Successfully opened sqlite3 DB
2018/12/28 15:16:39 [DEBUG] Initializing identity registry
2018/12/28 15:16:39 [DEBUG] Initialized DB identity registry
2018/12/28 15:16:39 [DEBUG] Checking database levels '&{Identity:0 Affiliation:0 Certificate:0 Credential:0 RAInfo:0 Nonce:0}' against server levels '&{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}'
2018/12/28 15:16:39 [DEBUG] Getting current levels to check if any tables need to be migrated
2018/12/28 15:16:39 [DEBUG] Migrating users table...
2018/12/28 15:16:39 [DEBUG] Upgrade identity table to level 1
2018/12/28 15:16:39 [DEBUG] Creating users table if it does not exist
2018/12/28 15:16:39 [DEBUG] Upgrade identity table to level 2
2018/12/28 15:16:39 [DEBUG] Creating users table if it does not exist
2018/12/28 15:16:39 [DEBUG] Checking and performing migration of user table data, if needed
2018/12/28 15:16:39 [DEBUG] Migrating affiliation table...
2018/12/28 15:16:39 [DEBUG] Upgrade affiliations table to level 1
2018/12/28 15:16:39 [DEBUG] Creating affiliations table if it does not exist
2018/12/28 15:16:39 [DEBUG] Upgrade certificates table...
2018/12/28 15:16:39 [DEBUG] Upgrade certificates table to level 1
2018/12/28 15:16:39 [DEBUG] Creating certificates table if it does not exist
2018/12/28 15:16:39 [DEBUG] Migrating credentials table...
2018/12/28 15:16:39 [DEBUG] Migrating nonces table...
2018/12/28 15:16:39 [DEBUG] Migrating revocation_authority_info table...
2018/12/28 15:16:39 [DEBUG] Loading identity table
2018/12/28 15:16:39 [DEBUG] Loading identity 'admin'
2018/12/28 15:16:39 [DEBUG] DB: Getting identity admin
2018/12/28 15:16:39 [DEBUG] Max enrollment value verification - User specified max enrollment: 0, CA max enrollment: -1
2018/12/28 15:16:39 [DEBUG] DB: Add identity admin
2018/12/28 15:16:40 [DEBUG] Successfully added identity admin to the database
2018/12/28 15:16:40 [DEBUG] Registered identity: { Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:-1 Attrs:map[hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:*]  }
2018/12/28 15:16:40 [DEBUG] Successfully loaded identity table
2018/12/28 15:16:40 [DEBUG] Loading affiliations table
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org2
2018/12/28 15:16:40 [DEBUG] Affiliation 'org2' added
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org2.department1
2018/12/28 15:16:40 [DEBUG] Affiliation 'org2.department1' added
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org1
2018/12/28 15:16:40 [DEBUG] Affiliation 'org1' added
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org1.department1
2018/12/28 15:16:40 [DEBUG] Affiliation 'org1.department1' added
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org1.department2
2018/12/28 15:16:40 [DEBUG] Affiliation 'org1.department2' added
2018/12/28 15:16:40 [DEBUG] Successfully loaded affiliations table
2018/12/28 15:16:40 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2018/12/28 15:16:40 [DEBUG] Initializing enrollment signer
2018/12/28 15:16:40 [DEBUG] No key found in BCCSP keystore, attempting fallback
2018/12/28 15:16:40 [DEBUG] validating configuration
2018/12/28 15:16:40 [DEBUG] validate local profile
2018/12/28 15:16:40 [DEBUG] profile is valid
2018/12/28 15:16:40 [DEBUG] validate local profile
2018/12/28 15:16:40 [DEBUG] profile is valid
2018/12/28 15:16:40 [DEBUG] validate local profile
2018/12/28 15:16:40 [DEBUG] profile is valid
2018/12/28 15:16:40 [DEBUG] CA initialization successful
2018/12/28 15:16:40 [DEBUG] Initializing Idemix issuer...
2018/12/28 15:16:41 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2018/12/28 15:16:41 [DEBUG] Intializing revocation authority for issuer 'ca-gov'
2018/12/28 15:16:41 [DEBUG] Initialize Idemix issuer revocation key material
2018/12/28 15:16:41 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'ca-gov'
2018/12/28 15:16:41 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2018/12/28 15:16:41 [DEBUG] Intializing nonce manager for issuer 'ca-gov'
2018/12/28 15:16:41 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2018/12/28 15:16:41 [DEBUG] 1 CA instance(s) running on server
2018/12/28 15:16:41 [DEBUG] TLS is enabled
2018/12/28 15:16:41 [DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem, TLS Key: /etc/hyperledger/fabric-ca-server-config/d596ae436f5d8c8cb17511722a750ca29d1421b797c003912a3c3d5f646313a4_sk
2018/12/28 15:16:41 [DEBUG] Client authentication type requested: noclientcert
2018/12/28 15:16:41 [INFO] Listening on https://0.0.0.0:7054

I am especially concerned with these lines:

2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org2
2018/12/28 15:16:40 [DEBUG] Affiliation 'org2' added
2018/12/28 15:16:40 [DEBUG] DB: Add affiliation org2.department1

What is this? Is org2 from the defaults or from my mistake? There is no org1, org2 or department1.

2018/12/28 15:16:41 [DEBUG] Client authentication type requested: noclientcert
2018/12/28 10:29:57 [DEBUG] No key found in BCCSP keystore, attempting fallback

And will these cause problems? How can I make it work?

Upvotes: 2

Views: 1332

Answers (1)

abhi

Reputation: 489

  • You may choose to have 4 CAs for 4 organizations. Or not. It is up to how you want to configure your network. But it is good practice to protect the Root CA with an Intermediate CA.
  • As for the first part of your question, that is the default affiliation hierarchy that is generated when the fabric-ca-server is initialized. When you run fabric-ca-server init, it generates a default fabric-ca-server-config.yaml file and that is the affiliation configuration it follows. If you want to change it, you can modify it before you run fabric-ca-server start.
  • In short, NO, they will not cause a problem. The first part says that you haven't enabled client authentication. The second part says that the keystore path defined in your config file is empty.

Upvotes: 4
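To make the answer concrete, here is an added configuration example (not from the question or the answer) for the ca-gov server's fabric-ca-server-config.yaml: the generated defaults that produced the quoted log lines, beside a corrected fragment for a CA that serves only the gov organisation. The department names and the clientauth choice are assumptions; the other three CAs get the same edit with their own org, and the file must be changed after the server generated it and before it is started again, as the answer says.

```yaml
# Document 1: what fabric-ca-server writes on first run (the log line
# "Created default configuration file at ..."). Constructed sample; only the
# keys relevant to the question are shown.
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
tls:
  enabled: true
  clientauth:
    type: noclientcert   # -> "Client authentication type requested: noclientcert"
    certfiles:
---
# Document 2: corrected fragment for ca-gov (one CA per organisation, so this
# CA only knows the gov affiliation tree). Department names are assumptions.
affiliations:
  gov:
    - department1
    - department2
ca:
  name: ca-gov
  certfile: /etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem
  keyfile: /etc/hyperledger/fabric-ca-server-config/d596ae436f5d8c8cb17511722a750ca29d1421b797c003912a3c3d5f646313a4_sk
tls:
  enabled: true
  certfile: /etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem
  keyfile: /etc/hyperledger/fabric-ca-server-config/d596ae436f5d8c8cb17511722a750ca29d1421b797c003912a3c3d5f646313a4_sk
  clientauth:
    # Mutual TLS: every client must present a certificate chaining to one of
    # the listed CA certs, otherwise the handshake is rejected before any
    # enroll/register request is processed. Leave noclientcert only for
    # local testing.
    type: requireandverifyclientcert
    certfiles:
      - /etc/hyperledger/fabric-ca-server-config/ca.gov.snts.com-cert.pem
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # Directory the "No key found in BCCSP keystore, attempting fallback"
      # line refers to; when the signing key is not here the server falls
      # back to ca.keyfile above, which is the harmless path the log took.
      keystore: msp/keystore
```

After editing, restart the container and confirm the log now shows only the gov affiliations being added and "Client authentication type requested: requireandverifyclientcert".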
