# Fabric CA Operations

Hosts used in this walkthrough:

- ubuntu@18.144.80.73 host0 for tls-ca (fabric-ca)
- ubuntu@18.144.90.194 host1 org0 org1 org2
- ubuntu@54.183.33.120 host2 orderer org1-peer1 org2-peer1
- ubuntu@54.177.226.54 host3 org1-peer2 org2-peer2

```shell=
ssh -i /Users/emilyliang/.ssh/TWCC.pem ubuntu@18.144.80.73
ssh -i /Users/emilyliang/.ssh/TWCC.pem ubuntu@18.144.90.194
ssh -i /Users/emilyliang/.ssh/TWCC.pem ubuntu@54.183.33.120
ssh -i /Users/emilyliang/.ssh/TWCC.pem ubuntu@54.177.226.54
```

## References

[1] [Fabric CA Operations Guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#topology)
[2] [Hyperledger Fabric dynamic configuration of Raft nodes](https://www.itread01.com/content/1577779445.html)

## Prerequisites

1. [install Go](https://ithelp.ithome.com.tw/articles/10196459)

```shell=
wget https://storage.googleapis.com/golang/go1.15.4.linux-amd64.tar.gz
```

```shell=
sudo tar -C /usr/local -xzf go1.15.4.linux-amd64.tar.gz
```

Set the environment variables:

```shell=
vim ~/.profile
```

Add the following:

```shell=
export PATH=$PATH:/usr/local/go/bin
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$HOME/go/bin
export FABRICPATH=$HOME/documents/workspace/fabric
```

Load the modified environment variables:

```shell=
source ~/.profile
```

Because GOPATH is set to `$HOME/go`, the `go` directory has to be created under `$HOME`:

```shell=
mkdir ~/go
```

2. [install docker & docker-compose](https://hackmd.io/l3Cx_hfxTraRVKQZKLCatA)

3. install libtool and libltdl-dev packages

```shell=
sudo apt install libtool libltdl-dev
```

[client command line](https://hyperledger-fabric-ca.readthedocs.io/en/latest/configtx.html), [server command line]()

4. Install the fabric-ca-server and fabric-ca-client binaries into `$GOPATH/bin`.

```shell=
go get -u github.com/hyperledger/fabric-ca/cmd/...
```

## Setting up CAs on different machines

###### note: the absolute path of my working directory is always

```
/home/ubuntu/documents/workspace/fabric
```

### Set up the TLS CA on ubuntu@3.101.83.10

1. Add `docker-compose-catls.yml`

```yaml=
version: "2"

networks:
  fabric-ca:

services:
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.4.0
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
      - FABRIC_CA_SERVER_HOME=/home/ubuntu/documents/workspace/fabric/fabric-ca/crypto
      - FABRIC_CA_SERVER_CSR_CN=tls-ca
      - FABRIC_CA_SERVER_CSR_HOSTS=3.101.83.10
      - FABRIC_CA_SERVER_DEBUG=true
      - FABRIC_CA_SERVER_TLS_ENABLED=true
    volumes:
      - /home/ubuntu/documents/workspace/fabric/tls-ca:/home/ubuntu/documents/workspace/fabric/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7052:7052
```

The container can be started with the following docker command:

```shell=
docker-compose -f docker/docker-compose-catls.yml up
```

###### Append `-d` to the command to run it in the background.

The container can be shut down with the following docker command:

```shell=
docker-compose -f docker/docker-compose-catls.yml down --remove-orphans
```

#### Enroll the TLS CA's Admin

Take ownership of the files:

```shell=
sudo chown -R ubuntu /home/ubuntu/
```

You must obtain the TLS CA's signing certificate before you can start using the CA client. In our example, you need to fetch the file at `/home/ubuntu/documents/workspace/fabric/tls-ca/crypto/ca-cert.pem` on the machine running the TLS CA server and copy it to the host on which the CA client binary will run. Because I run the TLS CA server on the same machine that launched `docker-compose-catls.yml`, this step is only a rename/copy. The TLS CA's signing certificate must be available on every host that runs commands against the TLS CA, so it will later be copied to the other hosts.

```shell=
cp /home/ubuntu/documents/workspace/fabric/tls-ca/crypto/ca-cert.pem /home/ubuntu/documents/workspace/fabric/tls-ca/crypto/tls-ca-cert.pem
```

The TLS CA server starts with a bootstrap identity that has full administrator privileges on the server. One of the administrator's key capabilities is registering new identities. The CA admin uses the Fabric CA client to register four new identities with the CA, one for each peer, and one more for the orderer. These identities are used to obtain TLS certificates for the peers and the orderer.

```shell=
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/documents/workspace/fabric/tls-ca/crypto/tls-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/home/ubuntu/documents/workspace/fabric/tls-ca/admin
fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@3.101.83.10:7052
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://3.101.83.10:7052
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://3.101.83.10:7052
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://3.101.83.10:7052
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://3.101.83.10:7052
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://3.101.83.10:7052
```

With the identities registered on the TLS CA, we can go on to build each organization's network. Whenever we need to obtain a TLS certificate for a node in an organization, we come back to this CA.

### Set up the Orderer Org CA on ubuntu@3.101.83.10

1. Add `docker-compose-rca-org0.yml`

```yaml=
version: "2"

networks:
  fabric-ca:

services:
  rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.4.0
    command: sh -c 'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
      - FABRIC_CA_SERVER_HOME=/home/ubuntu/documents/workspace/fabric/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org0
      - FABRIC_CA_SERVER_CSR_HOSTS=3.101.83.10
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /home/ubuntu/documents/workspace/fabric/org0/ca:/home/ubuntu/documents/workspace/fabric/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7053:7053
```

Each organization must have its own Certificate Authority (CA) to issue enrollment certificates. The CA issues a certificate to every peer and client in the organization. Your CA creates the identities that belong to your organization and issues each identity a public and private key. These keys let all of your nodes and applications sign and verify their operations. Other members of the network recognize any identity signed by your CA as a component belonging to your organization. Org0's administrator starts the Fabric CA docker container that Org0 uses to issue crypto material for Org0's identities.

The container can be started with the following docker command:

```shell=
docker-compose -f docker/docker-compose-rca-org0.yml up
```

### Enroll the Orderer Org's CA Admin on ubuntu@3.101.63.145

#### Set up the machine following the Prerequisites

#### Copy over the `ca-cert.pem` produced by running the Org0 server

Take ownership of the files:

```shell=
sudo chown -R ubuntu /home/ubuntu/
```

You must obtain the CA's TLS signing certificate before you can start using the CA client. In our example, you need to fetch the file at `/home/ubuntu/documents/workspace/fabric/org0/ca/crypto/ca-cert.pem` on the machine running the Org0 CA server and copy it (here with cyberduck) to ubuntu@3.101.63.145, the host on which the CA client binary will run.

On ubuntu@3.101.63.145, enroll the CA admin and then register two Org0 identities:

```shell=
mkdir -p /home/ubuntu/documents/workspace/fabric/org0/ca/crypto/
```

```shell=
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/documents/workspace/fabric/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/home/ubuntu/documents/workspace/fabric/org0/ca/admin
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@3.101.83.10:7053
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://3.101.83.10:7053
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://3.101.83.10:7053
```

#### Setup Org1's CA

The machine is configured with a shell script, named `deploy-fabric-ca.sh`, shown below:

```shell=
wget https://storage.googleapis.com/golang/go1.15.4.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.15.4.linux-amd64.tar.gz
mkdir ~/go
echo '
export PATH=$PATH:/usr/local/go/bin
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$HOME/go/bin
export FABRICPATH=$HOME/fabric
' >> ~/.profile
source ~/.profile

sudo apt-get update
sudo apt-get install docker.io -y
sudo usermod -aG docker ubuntu
sudo service docker start

export COMPOSE_VERSION=1.27.4
sudo curl -L "https://github.com/docker/compose/releases/download/$COMPOSE_VERSION/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose version
sudo setfacl --modify user:$USER:rw /var/run/docker.sock

sudo apt install libtool libltdl-dev -y
go get -u github.com/hyperledger/fabric-ca/cmd/...

mkdir -p ~/fabric/docker
touch ~/fabric/docker/docker-compose-rca-org1.yml
echo '
version: "2"

networks:
  fabric-ca:

services:
  rca-org1:
    container_name: rca-org1
    image: hyperledger/fabric-ca:1.4.0
    command: sh -c "fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054"
    environment:
      - FABRIC_CA_SERVER_HOME=/home/ubuntu/fabric/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org1
      - FABRIC_CA_SERVER_CSR_HOSTS=54.219.15.153
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /home/ubuntu/fabric/org1/ca:/home/ubuntu/fabric/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 7054:7054
' >> ~/fabric/docker/docker-compose-rca-org1.yml
docker-compose -f ~/fabric/docker/docker-compose-rca-org1.yml up -d

sudo chown -R ubuntu /home/ubuntu
export FABRIC_CA_CLIENT_TLS_CERTFILES=~/fabric/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=~/fabric/org1/ca/admin
fabric-ca-client enroll -d -u https://rca-org1-admin:rca-org1-adminpw@54.219.15.153:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://54.219.15.153:7054
```

At the moment the fabric-ca-client install sometimes does not complete properly, so the following two steps are done separately:

```shell=
go get -u github.com/hyperledger/fabric-ca/cmd/...
```

```shell=
fabric-ca-client enroll -d -u https://rca-org1-admin:rca-org1-adminpw@54.219.15.153:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://54.219.15.153:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://54.219.15.153:7054
```

#### Setup Org2's CA

Same as Setup Org1's CA, except that it is set up on the machine `ubuntu@ec2-3-101-69-212.us-west-1.compute.amazonaws.com`.

### Setup Peers

Once the CAs are up and running, we can start enrolling the peers.

#### Setup Org1's Peers

##### Enroll Peer1

Org1's trusted root certificate has to be copied to Peer1's host. The experiment below runs on ubuntu@54.153.43.119.

###### First set up the environment: install go and fabric-ca-client

###### Copy Org1's ca-cert.pem into the working folder on ubuntu@54.153.43.119

```shell=
mkdir -p /home/ubuntu/fabric/org1/peer1/assets/ca
```

```shell=
sudo chown -R ubuntu /home/ubuntu
export FABRIC_CA_CLIENT_HOME=/home/ubuntu/fabric/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/fabric/org1/peer1/assets/ca/ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@54.219.15.153:7054
```

The next step is to obtain the peer's TLS crypto material. This requires another enrollment, but this time against the `tls` profile on the TLS CA. You also need to provide Peer1's host address in the enrollment request, as the input to the `csr.hosts` flag. In the command below we assume the TLS CA's certificate has been copied to `/home/ubuntu/fabric/org1/peer1/assets/tls-ca/tls-ca-cert.pem` on Peer1's host.

```shell=
mkdir -p /home/ubuntu/fabric/org1/peer1/assets/tls-ca/
```

```shell=
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/fabric/org1/peer1/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@3.101.83.10:7052 --enrollment.profile tls --csr.hosts 54.153.43.119
```

##### Enroll Peer2

Enroll peer2 on the org1 machine:

```shell=
mkdir -p /home/ubuntu/fabric/org1/peer2/assets/ca
```

```shell=
sudo chown -R ubuntu /home/ubuntu
export FABRIC_CA_CLIENT_HOME=/home/ubuntu/fabric/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/fabric/org1/peer2/assets/ca/ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@54.219.15.153:7054
```

```shell=
mkdir -p /home/ubuntu/fabric/org1/peer2/assets/tls-ca/
```

```shell=
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/fabric/org1/peer2/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@3.101.83.10:7052 --enrollment.profile tls --csr.hosts 54.219.15.153
```

##### Enroll Org1's Admin

At this point both peers have been enrolled. Now you enroll Org1's admin identity. The admin identity is responsible for activities such as installing and instantiating chaincode. The steps below enroll the admin; in the commands below we assume they are executed on Peer1's host.

The commands below are only for Peer1; the exchange of the admin certificate to Peer2 will happen out-of-band.

```shell=
export FABRIC_CA_CLIENT_HOME=/home/ubuntu/fabric/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/home/ubuntu/fabric/org1/peer1/assets/ca/ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@54.219.15.153:7054
```

```shell=
mkdir /home/ubuntu/fabric/org1/peer1/msp/admincerts
cp /home/ubuntu/fabric/org1/admin/msp/signcerts/cert.pem /home/ubuntu/fabric/org1/peer1/msp/admincerts/org1-admin-cert.pem
```

#### Launch Org1's Peers

`docker-compose-peer-org1.yml`

```yaml=
version: "2"

networks:
  fabric-ca:

services:
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:1.4.0
    environment:
      - CORE_PEER_ID=peer1-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/home/ubuntu/fabric/org1/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/home/ubuntu/fabric/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/home/ubuntu/fabric/org1/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/home/ubuntu/fabric/org1/peer1/tls-msp/tlscacerts/tls-3-101-83-10-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
      - /var/run:/host/var/run
      - /home/ubuntu/fabric/org1/peer1:/home/ubuntu/fabric/org1/peer1
    networks:
      - fabric-ca
```

###### note: docker-compose names the network `<project>_fabric-ca`, and the project name defaults to the directory holding the compose file, so `guide_fabric-ca` only matches when that directory is named `guide`; otherwise adjust `CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE` or pass `-p guide`.

### Create Genesis Block and Channel Transaction
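Before moving on to channel artifacts, it is worth checking the material the peer sections above produced. The script below is an added example written for this page; it is not code from the Fabric CA project or from the original runbook. It assumes the layout used above (`<peer_home>/msp`, `<peer_home>/tls-msp`, `<peer_home>/assets/tls-ca/tls-ca-cert.pem`), the `tlscacerts` file-name convention the compose file relies on (`tls-3-101-83-10-7052.pem` for the TLS CA at `https://3.101.83.10:7052`), and an operator-recorded sha256 of the exported TLS CA certificate, which is a hypothetical pin you would note down on the TLS CA host before copying the file around with cyberduck. It verifies that both enrollments landed where `docker-compose-peer-org1.yml` expects them, that the copied TLS CA certificate is the one you exported, and that no private key is group- or world-readable (the `chown -R ubuntu /home/ubuntu` step changes ownership, not mode).

```shell
#!/bin/sh
# Added example, not part of the original runbook. Pre-launch checks for a
# peer's enrollment material under the layout this walkthrough uses.

# Derive the file name fabric-ca-client gives the TLS CA root inside
# tls-msp/tlscacerts from the enrollment URL (dots and the colon become dashes):
#   https://peer1-org1:peer1PW@3.101.83.10:7052 -> tls-3-101-83-10-7052.pem
tlscacert_name() {
    hostport=${1#*://}          # drop the scheme
    hostport=${hostport%%/*}    # drop any path
    hostport=${hostport#*@}     # drop user:secret@ when the enroll URL carries it
    echo "tls-$(printf '%s' "$hostport" | tr '.:' '--').pem"
}

# Succeed only if no file under the given keystore is readable by group or
# others; private keys must stay owner-only. Offending paths go to stderr.
keystore_is_private() {
    offenders=$(find "$1" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null)
    if [ -n "$offenders" ]; then
        echo "group/world-readable key material: $offenders" >&2
        return 1
    fi
    return 0
}

# Compare a copied CA certificate with the sha256 recorded where it was
# exported, so a swapped or truncated file is caught before any enroll uses it.
ca_cert_matches_pin() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_peer_material <peer_home> <tls_ca_url> [pinned_tls_ca_sha256]
# Returns 0 when every file the peer compose file references is present and
# the keys are private; prints each problem found and returns 1 otherwise.
verify_peer_material() {
    home=$1; tls_url=$2; pin=$3; rc=0
    # files named directly by CORE_PEER_MSPCONFIGPATH / CORE_PEER_TLS_* above
    for f in msp/signcerts/cert.pem tls-msp/signcerts/cert.pem \
             tls-msp/keystore/key.pem \
             "tls-msp/tlscacerts/$(tlscacert_name "$tls_url")"; do
        [ -f "$home/$f" ] || { echo "missing: $home/$f" >&2; rc=1; }
    done
    # the enrollment keystore holds a key named <hex>_sk, so only require it to be non-empty
    [ -n "$(ls -A "$home/msp/keystore" 2>/dev/null)" ] || { echo "empty: $home/msp/keystore" >&2; rc=1; }
    for d in msp/keystore tls-msp/keystore; do
        keystore_is_private "$home/$d" || rc=1
    done
    if [ -n "$pin" ]; then
        ca_cert_matches_pin "$home/assets/tls-ca/tls-ca-cert.pem" "$pin" \
            || { echo "TLS CA certificate does not match the recorded sha256" >&2; rc=1; }
    fi
    return $rc
}

# Usage on Peer1's host (pin value is a placeholder to be replaced by the one recorded on the TLS CA host):
# verify_peer_material /home/ubuntu/fabric/org1/peer1 https://3.101.83.10:7052 <sha256-recorded-on-tls-ca-host>
```

Note that `fabric-ca-client enroll` writes the TLS private key as `tls-msp/keystore/<hex>_sk`, while the compose file above points `CORE_PEER_TLS_KEY_FILE` at `tls-msp/keystore/key.pem`; the check reports that file as missing rather than renaming it, so the rename is left as an explicit operator step.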