# Multi Org Setup with Root Certification Authority

## Case Study & Test Environment Setup

![](https://i.imgur.com/yb3RLRa.png)

![](https://i.imgur.com/JIHcgNH.png)

## Fabric CA Server Setup, Roles & Identities

- Roles in the setup

  ![](https://i.imgur.com/aqbuvLG.png)

  - CA Server Admin: for all orgs
    - Register identities
    - Remove | Revoke
    - Manage affiliation
  - Organization Admin: for their own org
    - Register identities
    - Remove | Revoke
    - Manage affiliation
    - Admin for all identities
  - Organization identities:
    - Type defined by org admin
    - Authority as set by org admin
- CA Folders

  ![](https://i.imgur.com/DXC4Fgd.png)

  - `ca` CA home folders
  - `multi-org-ca` Root folder
  - `server` Server root folder for fabric-ca-server (holds `fabric-ca-server-config`)

:::info
### Exercise: Setup Fabric CA Server

All scripts to be executed in the folder `ca/multi-org`.

- Setup Root CA Server: `./server.sh start`
  1. `export FABRIC_CA_HOME=ca/multi-org-ca/server`
  2. Copy `fabric-ca-server-config` from `setup/config/multi-org-ca/yaml.0/` to `./server`. Bootstrap identity ID & secret: `admin:pw`
  3. `fabric-ca-server start`
- Enroll Admin Identity: `./server.sh enroll`
  1. `export FABRIC_CA_HOME=ca/multi-org-ca/client/caserver/admin`
  2. Copy `fabric-ca-client-config` from `setup/config/multi-org-ca/yaml.0/` to `$FABRIC_CA_CLIENT_HOME`
  3. Execute the `enroll` command for admin
:::

## Register & Enroll Organization Identities

After the CA Admin (Registrar) registers the org admins and each admin enrolls, every admin has their own admin sub-folder.

![](https://i.imgur.com/PNm6O4e.png)

The setup for each admin is different (`fabric-ca-client-config`):

- `admin` Holds the crypto material for the organization's admin
- `msp` Holds the MSP setup for the organization
- `<Enrollment-ID>` Multiple sub-folders, one for each identity created under the organization
Any identity-related action is run from the corresponding identity folder.

Organization identity enrollment:

- Human actor (User & Client): enrollment is carried out by the identity owner
- Non-human actor (Peer & Orderer): enrollment is carried out by the organization Admin

:::info
### Exercise: Setup Organization Admins

`./register-enroll-admins.sh` in `ca/multi-org`:

- `. ./setclient.sh <ORG-Name> <Enrollment-ID>` sets `FABRIC_CA_CLIENT_HOME`
- `mkdir -p $FABRIC_CA_CLIENT_HOME` creates the necessary client folders for an identity
- As CA Admin, register the identities

  ![](https://i.imgur.com/52MBHfW.png)

  1. `export FABRIC_CA_CLIENT_HOME=ca/multi-org/client/caserver/admin`
  2. Execute the register command for each of the admins, using all the specifications mentioned here
  3. Create a home folder for each of the Org admins

     ![](https://i.imgur.com/o5U0mo6.png)

  4. `fabric-ca-client identity list` to check the 4 identities (execute as caserver admin)
- As ORG Admin identity(s), enroll
  1. Copy the client YAML files from `setup/config/multi-org-ca/yaml.0` to the Org admins' home folders
  2. For each admin, execute enroll
:::

## Local MSP setup for Identities & Organizations

All identities need a local MSP setup, which is created on the local file system for the identity. The MSP consists of multiple sub-folders with crypto material. A typical setup with only a root certification authority needs:

- Root CA Cert `cacerts`
- Admin Certs `admincerts`
  - Identities need Admin Certs
  - Multiple admincerts are OK
  - When an identity enrolls, the CA client does not know which admin cert needs to be added, so it has to be added by hand.

:::info
Add the admincerts sub-folder manually after jdoe has enrolled:

1. `mkdir jdoe/msp/admincerts`
2.
   Copy the Acme admin's signed certificate `client/acme/msp/signcerts/cert.pem` to `admincerts`
:::

- Signing Cert `signcerts`
- Private Key `keystore`

Others:

- Intermediate CA Cert
- Revoked Certs
- Root CA TLS
- ICA TLS

Organizations need an MSP setup as well; this MSP is set up under the organization folder.

MSP access from Config YAML | Binaries

![](https://i.imgur.com/4HnOqRK.png)

fabric-ca-client uses the MSP under the `FABRIC_CA_CLIENT_HOME` folder.

:::info
### Exercise: Setup MSP for User Identity

All scripts to be executed in the folder `ca/multi-org`.

- Register & Enroll User Identity: execute fabric-ca-client register & enroll
  1. As Acme Admin, register the User identity

     ![](https://i.imgur.com/krL88xi.png)

     `. setclient.sh acme admin`

     `fabric-ca-client register --id.type user --id.name jdoe --id.secret pw --id.affiliation acme.logistics`
  2. Setup the `fabric-ca-client-config.yaml`, specifically the `csr` section (optional step)
  3. As "John Doe", enroll the identity

     `. setclient.sh acme jdoe`

     `fabric-ca-client enroll -u http://jdoe:pw@localhost:7054`
  4. `fabric-ca-client identity list` to check the jdoe identity (execute as acme admin)
- Setup the MSP for User Identity: `./add-admincerts.sh acme jdoe`
  1. Create the admincerts subfolder under `jdoe/msp`
  2. Copy the ACME Admin's cert to `jdoe/msp/admincerts`
:::

:::info
### Recipe: Setup Organization MSP

Prerequisites:

- CA Server started
- Organization Admins enrolled

Organization-level MSP setup for the network (each org):

- Manually set up the MSP folders
- Copy the appropriate certificates to the folders

![](https://i.imgur.com/DrgBl0P.png)

The `configtx.yaml` file refers to these MSP folders for each of the organizations in its `Organizations` section.

Minimal MSP setup for an organization requires only the CA Cert and the Admin Cert; no TLS and no ICA.

1. Create the msp subfolder structure

   ![](https://i.imgur.com/lVV5r5m.png)

2. Copy the Root CA Certificate `ca/multi-org-ca/server/msp/ca-cert.pem` to `msp/cacerts`
3.
   Copy the Org Admin's Certificate `<org>/admin/msp/signcerts/cert.pem` to `msp/admincerts` (an organization may have multiple admins)

`./setup-org-msp.sh <ORG-Name>`, executed in the folder `ca/multi-org`, performs these steps.
:::

## Orderer Setup Tasks

![](https://i.imgur.com/l5Hbdaj.png)

1. Setup `configtx.yaml`
2. Generate the Genesis Block
3. As Orderer admin, set up the Orderer identity & MSP. This "orderer identity" is different from the "orderer organization identity", because every company in the Hyperledger network needs its own identity set up by way of a certificate.

   ![](https://i.imgur.com/l0VWPy3.png)

   The orderer identity name can be anything.
4. Setup `orderer.yaml`

:::info
### Exercise: Setup the Orderer

![](https://i.imgur.com/ZM2303J.png)

Administrators from the respective organizations create the identities for their own organizations. The configuration of the components is carried out by accessing the MSPs generated under the various identities in the `client` subfolder under `multi-org-ca`.

Copy `setup/config/multi-org-ca/yaml.0/configtx.yaml|orderer.yaml` to `orderer/multi-org-ca`.

1. Setup `configtx.yaml`
   - `Organizations`

     ![](https://i.imgur.com/o7WcgNk.png)

     MSP directory pointing to `orderer/msp` & `acme/msp`
   - `Orderer` Default: Solo
   - `Profiles` `AirlineOrdererGenesis` is the profile for generating the genesis block
2. Generate the Genesis Block
3. As Orderer admin, set up the Orderer identity & MSP
4. Setup `orderer.yaml`
   - `General` The local MSP directory points to the MSP of the orderer identity under the orderer organization: `ca/multi-org-ca/client/orderer/orderer/msp`

All scripts to be executed in the folder `orderer/multi-org-ca`:

`./clean.sh`

`./launch.sh`

- Generate the Genesis Block: `./generate-genesis.sh`

  ![](https://i.imgur.com/O8fRS2G.png)

- Setup the Orderer Identity & MSP: `./register-enroll-orderer.sh`
  1. As Orderer admin, register the orderer identity

     ![](https://i.imgur.com/3H2Qmug.png)

  2.
     Copy `setup/config/multi-org-ca/yaml.0/identities/orderer/fabric-ca-client-config` to the orderer CA client home
  3. As Orderer, execute the enroll command
  4. Setup the orderer identity's MSP

After these two scripts you can simply execute `orderer`, which should launch the orderer.
:::

## Peer and Channel Setup Tasks

![](https://i.imgur.com/VdpvQRi.png)

Anchor peers are discoverable from outside the Org. Adding an anchor peer to the network requires a config update transaction.

- Tasks for setting up the peer

  ![](https://i.imgur.com/OgsyPRT.png)

  1. Organization admin sets up the peer identity
  2. Organization admin sets up the `core.yaml`
- Tasks for Application Channel creation

  ![](https://i.imgur.com/61Qdjws.png)

  1. One of the Org Admins creates the Channel Tx
  2. Organization Admins sign the Channel Tx
  3. One of the Org Admins submits the Channel Create Tx
- Peer joins the application channel

  ![](https://i.imgur.com/RByRs2A.png)

  1. Launch the Peer for the organization
  2. Organization Admins execute join channel for the peer

:::info
### Exercise: Setup Airline Channel

Executed in the folder `orderer/multi-org-ca`:

1. As orderer org admin, create the airlinechannel Tx: `./generate-channel-tx.sh`. Uses the profile `AirlineChannel` from `setup/config/multi-org-ca/yaml.0/configtx.yaml` to generate the channel Tx.

Executed in the folder `peer/multi-org-ca`:

2. As acme org admin, sign the airlinechannel Tx: `./sign-chennel-tx.sh`

   ![](https://i.imgur.com/6FdXmAK.png)

   (`configtx.yaml:Policies` defines how many signatures are needed)
3. As acme org admin, submit the Create Channel Tx: `./submit-create-channel.sh`

   ![](https://i.imgur.com/YyfjSef.png)

:::

:::info
### Recipe: Setup Anchor Peer

![](https://i.imgur.com/sascIel.png)

This recipe may be applied for adding an Anchor Peer. The Org admin takes the actions described in the recipe. The Orderer, airlinechannel and CA Server must be configured and launched.

Executed in the folder `peer/multi-org-ca`:

1.
   Setup the anchor peer identity: `./register-enroll-peer.sh`

   ![](https://i.imgur.com/pFnnazy.png)

   - Type=peer: there is no special identity type for an anchor peer
2. Launch the peer & join airlinechannel
   - Copy `setup/config/multi-org-ca/core.yaml` to `peer/multi-org-ca/acme`
   - Launch the peer (peer1) with the script `./launch-peer.sh`
   - Use the peer binary to join the airlinechannel: `./join-airline-channel.sh`
3. Validate the setup

   `. ./set-identity.sh acme admin`

   `peer channel list`
:::

:::info
### Recipe: Setup Regular Peer

An anchor peer has to be configured at the network level. A regular peer does not require a config update transaction (the Org admin is in full control of adding and removing regular peers).

Reasons for adding a peer to the existing setup:

- Scale the infrastructure
- Set up isolated/dedicated peers for an application

`core.yaml:peer:gossip:bootstrap` sets the list of bootstrap peers; a new peer initializes by connecting to the bootstrap peers.

![](https://i.imgur.com/eEeEAcl.png)

ACME peer1 is set as the bootstrap peer.

Note:

- Multiple peers on the same HOST/VM will lead to port contention/errors
- Peers have to be configured with different port numbers
- In REAL infrastructure with multiple Hosts/VMs/Docker containers the same port numbers may be used

![](https://i.imgur.com/lwxFC9u.png)

![](https://i.imgur.com/RSfR7jQ.png)

1. `./register-enroll-peer.sh acme peers`
2. `./launch-peer.sh acme peer1 7050`
3. `./launch-peer.sh acme peer2 8050`
4. `ps -eal | grep peer`
5. Fetch the airlinechannel genesis block
   - `. ./set-env.sh acme peer2 8050 admin`
   - `peer channel fetch 0 -c airlinechannel -o localhost:7050`
   - `ls *.block`
6. Join the airlinechannel using the genesis block
   - `. ./set-env.sh acme peer2 8050 admin`
   - `peer channel join -o localhost:7050 -b airlinechannel_0.block`
7. Validate the setup
   - `. ./set-env.sh acme peer2 8050 admin`
   - `./validate-with-chaincode-2.sh`
:::
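The minimal local MSP layout described under "Local MSP setup for Identities & Organizations" (`cacerts`, `admincerts`, `signcerts`, `keystore`), together with the `admincerts` folder that has to be added by hand after enroll, as an added shell example; this is not one of the course's scripts such as `add-admincerts.sh` or `setup-org-msp.sh`, and the file names inside the MSP (`ca-cert.pem`, `cert.pem`, `priv_sk`) and the placeholder PEM contents are assumptions.

```shell
#!/bin/sh
# Added example, not one of the course scripts: build the minimal local MSP
# layout (cacerts, admincerts, signcerts, keystore) and check it, covering the
# admincerts folder that fabric-ca-client enroll does not create. The file
# names inside the MSP are assumptions modelled on the notes.

# build_min_msp MSP_DIR CA_CERT ADMIN_CERT SIGN_CERT PRIV_KEY
build_min_msp() {
    msp=$1; ca=$2; admin=$3; sign=$4; key=$5
    mkdir -p "$msp/cacerts" "$msp/admincerts" "$msp/signcerts" "$msp/keystore" || return 1
    cp "$ca" "$msp/cacerts/ca-cert.pem" || return 1
    cp "$admin" "$msp/admincerts/cert.pem" || return 1   # the org admin's signcert
    cp "$sign" "$msp/signcerts/cert.pem" || return 1
    cp "$key" "$msp/keystore/priv_sk" || return 1
    chmod 600 "$msp/keystore/priv_sk"                      # private key stays owner-only
}

# check_msp MSP_DIR: returns 0 when every required folder exists, is non-empty
# and (keystore aside) holds only PEM certificates; prints each defect and
# returns 1 otherwise. Layout check only: the peer/orderer validates the chain.
check_msp() {
    msp=$1; rc=0
    for d in cacerts admincerts signcerts keystore; do
        if [ -z "$(ls -A "$msp/$d" 2>/dev/null)" ]; then
            echo "missing or empty: $msp/$d"; rc=1; continue
        fi
        [ "$d" = keystore ] && continue
        for f in "$msp/$d"/*; do
            grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "not a certificate: $f"; rc=1; }
        done
    done
    return $rc
}

# Demo on constructed placeholder PEM files (not real certificates).
demo_msp() {
    tmp=$(mktemp -d) && mkdir -p "$tmp/in" || return 1
    for n in ca admin sign; do
        printf -- '-----BEGIN CERTIFICATE-----\nplaceholder-%s\n-----END CERTIFICATE-----\n' "$n" > "$tmp/in/$n.pem"
    done
    printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$tmp/in/key.pem"
    build_min_msp "$tmp/jdoe/msp" "$tmp/in/ca.pem" "$tmp/in/admin.pem" "$tmp/in/sign.pem" "$tmp/in/key.pem" || return 1
    check_msp "$tmp/jdoe/msp" || return 1            # complete layout passes
    rm -r "$tmp/jdoe/msp/admincerts"                 # what enroll alone leaves behind
    if check_msp "$tmp/jdoe/msp"; then return 1; fi  # missing admincerts must be reported
    rm -r "$tmp"
}
```

Run `check_msp <identity>/msp` on a freshly enrolled identity before pointing `core.yaml` or `orderer.yaml` at it; a missing `admincerts` folder is reported the same way the peer would later reject the MSP.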