Reputation: 94
This page in the Hyperledger documentation shows which environment variables should be used to set up peers and orderers: https://hyperledger-fabric.readthedocs.io/en/release-1.3/enable_tls.html
in peers:
CORE_PEER_TLS_ENABLED = true
CORE_PEER_TLS_CERT_FILE = fully qualified path of the server certificate
CORE_PEER_TLS_KEY_FILE = fully qualified path of the server private key
CORE_PEER_TLS_ROOTCERT_FILE = fully qualified path of the CA chain file
CORE_PEER_TLS_CLIENTAUTHREQUIRED = true
CORE_PEER_TLS_CLIENTROOTCAS_FILES = fully qualified path of the CA chain file
CORE_PEER_TLS_CLIENTCERT_FILE = fully qualified path of the client certificate
CORE_PEER_TLS_CLIENTKEY_FILE = fully qualified path of the client key
and in the orderer:
ORDERER_GENERAL_TLS_ENABLED = true
ORDERER_GENERAL_TLS_PRIVATEKEY = fully qualified path of the file that contains the server private key
ORDERER_GENERAL_TLS_CERTIFICATE = fully qualified path of the file that contains the server certificate
ORDERER_GENERAL_TLS_ROOTCAS = fully qualified path of the file that contains the certificate chain of the CA that issued the TLS server certificate
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED = true
ORDERER_GENERAL_TLS_CLIENTROOTCAS = fully qualified path of the file that contains the certificate chain of the CA that issued the TLS server certificate
The problem is, I don't know which certificate from the crypto material I should use in those env variables.
And I don't know when each env variable should be used, for example when creating the channel, a command that requires the following arguments for a TLS connection:
--cafile   Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--keyfile  Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
1) Which certificate from the generated crypto material should I use while starting the peer and orderer?
2) Which certificate should I pass as arguments in the peer channel create command?
Upvotes: 0
Views: 1264
Reputation: 86
This is what I'm doing (and works for me):
Orderer:
(....)
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
command: orderer
volumes:
- ./crypto-config/ordererOrganizations/org1.example.com/orderers/orderer.org1.example.com/tls/:/var/hyperledger/orderer/tls
(....)
Peer:
(....)
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
(....)
CLI:
(....)
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
(....)
Create channel command:
peer channel create -o orderer.org1.example.com:7050 -c channelname --tls true \
  --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org1.example.com/orderers/orderer.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem \
  -f ./channel-artifacts/channelname.tx
Upvotes: 2