# Hyperledger Fabric

- proxy: comes in two kinds, forward and reverse; a load balancer is a kind of reverse proxy
- HAProxy is one kind of load-balancing proxy
- invalid transactions vs. failed transactions
- atomic: either everything is accepted or nothing is

## CA (Certificate Authority)

> [CA Deployment steps](https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html)

1. The CA issues the certificates of the admin of an organization, the MSP of that organization, and any nodes owned by that organization.
2. Each organization should have at least 2 CAs: an enrollment CA and a TLS CA.
3. TLS CA: responsible for generating the certificates that secure communications between all nodes in the organization.
4. A server may contain multiple CAs. Each CA is either a root CA or an intermediate CA. Each intermediate CA has a parent CA, which is either a root CA or another intermediate CA.
5. Public key & private key: the public key can be given to everyone; the private key is kept only by its owner. When someone wants to send me a message, they first encrypt it with my public key and I decrypt it with my private key. In a blockchain, each transaction is encrypted (signed) with the sender's own private key, so everyone on the chain knows that I sent it.
6. CSR (Certificate Signing Request):
    * A request generated from some information that is provided
    * First generate your own private key & public key
    * Combine some info + the public key into a CSR and hand it to the CA
    * The CA encrypts (signs) the submitted CSR with its own private key and appends the encrypted CSR below the unencrypted CSR
7. Download the binary:
    ```shell=
    wget https://github.com/hyperledger/fabric-ca/releases/download/v1.4.9/hyperledger-fabric-ca-linux-amd64-1.4.9.tar.gz
    tar zxvf hyperledger-fabric-ca-linux-amd64-1.4.9.tar.gz
    ```
8. Set up Fabric CA:
    * Order: TLS CA, organization CA, intermediate CA (optional)
    * Fabric CA client: registers and enrolls node admin identities
    * Make directories; each subfolder corresponds to one CA server:
      ```
      fabric-ca-client
      |- int-ca
      |- org1-ca
      |- tls-ca
      |- tls-root-cert: for each organization
      ```
      *(!!!what is the difference between tls-ca and tls-root-cert?)*
9. **Deploy TLS CA**:
    * Set up the folder:
        * make directory "fabric-ca-server-tls"
        * copy the "fabric-ca-server" binary to this folder
    * Initialize the TLS CA server *(!!!why do we need admin?)*
      ```shell=
      mkdir fabric-ca-server-tls
      cd fabric-ca-server-tls
      ./fabric-ca-server init -b tls-admin:tls-adminpw
      ```
    * All CA users need to be "registered" and then "enrolled" with the CA, except for this CA admin identity, which is implicitly registered by using the -b flag.
    * After these commands, "fabric-ca-server-config.yaml" and "ca-cert.pem" will be created.
        * **fabric-ca-server-config.yaml**: template for your server configuration
        * **ca-cert.pem**: public key that must be shared with all clients. When any client or node submits a transaction to another node, it must include this certificate as part of the transaction. *(!!!why need to include this?)*
    * Generates the CA server private key and stores it in /msp/keystore
    * Initializes a default SQLite database for the server
    * To read fabric-ca-server.db:
      ```
      sqlite3 -column -header
      .open <DBname>
      select ...
      ```
    * Modify the TLS CA server configuration in fabric-ca-server-config.yaml:
      ![](https://i.imgur.com/4BOQGT7.png)
    * When you modify settings in the configuration .yaml file and restart the server, the previously issued certificates are not replaced. If you want the certificates to be regenerated when the server is started, you need to delete them (the msp folder and ca-cert.pem) and then restart the server.
    * Start the TLS CA server:
      ```shell=
      ./fabric-ca-server start
      ```
    * **tls-cert.pem** is generated: the certificate that secures communications between the nodes in the organization (it is used in the TLS handshake that occurs between the nodes).
    * Enroll the bootstrap user with the TLS CA:
        * Copy "ca-cert.pem" to "fabric-ca-client/tls-root-cert/" and rename it to "tls-ca-cert.pem"
        * Set the directory path: `export FABRIC_CA_CLIENT_HOME=$PWD`
        * Use the Fabric CA client CLI to enroll the TLS CA admin user:
          ```shell=
          ./fabric-ca-client enroll -d -u localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'localhost' --mspdir tls-ca/tlsadmin/msp
          ```
        * After this command, a new folder "tlsadmin" will be created with its private key and public key inside.
          ![](https://i.imgur.com/h2s87kW.png)
    * Register and enroll the organization CA bootstrap identity with the TLS CA:
        * Before we set up the organization CA, we need to use the TLS CA to register and enroll the organization CA bootstrap identity to get its TLS certificate and private key.
          ```shell=
          ./fabric-ca-client register -d --id.name rcaadmin --id.secret rcaadminpw -u localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --mspdir tls-ca/tlsadmin/msp
          ./fabric-ca-client enroll -d -u localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'localhost' --mspdir tls-ca/rcaadmin/msp
          ```
        * After these commands, a new folder "rcaadmin" will be created with its private key and public key inside.
10. **Deploy an Organization CA**:
    * Set up the folder:
        * make directory "fabric-ca-server-org1"
        * copy the "fabric-ca-server" binary to this folder
        * copy the organization CA's TLS certificate and key pair from the TLS CA:
          ```shell=
          cd fabric-ca-server-org1
          mkdir tls
          cp ../fabric-ca-client/tls-ca/rcaadmin/msp/signcerts/cert.pem tls && cp ../fabric-ca-client/tls-ca/rcaadmin/msp/keystore/key.pem tls
          ```
    * Initialize the CA server:
      ```shell=
      ./fabric-ca-server init -b rcaadmin:rcaadminpw
      ```
    * After initialization, the folder should look like the one below:
      ![](https://i.imgur.com/yUbPaen.png)
    * Modify the CA server configuration:
      ![](https://i.imgur.com/ln4S7OT.png)
    * Start the CA server:
      ```shell=
      ./fabric-ca-server start
      ```
    * Enroll the CA admin:
      ```shell=
      ./fabric-ca-client enroll -d -u localhost:7055 --tls.certfiles tls-root-cert/tls-ca-cert.pem --csr.hosts 'localhost' --mspdir org1-ca/rcaadmin/msp
      ```
11. What happened in enrollment?
    ![](https://i.imgur.com/IOeWgxI.jpg)

- [ ] option `-home` in the fabric-ca-server CLI
- [ ] customize the configuration file, delete the files specified by the ca.certfile and ca.keyfile configuration items, and then run the fabric-ca-server init -b admin:adminpw command again
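Added example (not from this note or the Fabric docs): a shell check, built on the openssl CLI, for the TLS certificate that the register/enroll step produces for rcaadmin before it is copied into fabric-ca-server-org1/tls, following the CSR flow described in item 6 (key pair, CSR, CA signature). The functions `check_tls_cert` and `make_demo_certs`, the file paths and the demo CA are all assumptions; `make_demo_certs` builds constructed stand-ins for tls-ca-cert.pem and cert.pem so the check can be exercised without a running Fabric CA.

```shell
#!/bin/sh
# Added example, not part of the Fabric docs or this note. Needs the openssl CLI.
# All file names below are assumptions chosen to mirror the Fabric CA layout.
set -eu

# check_tls_cert <tls-ca-cert.pem> <cert.pem> <host>
# Exit 0 only if cert.pem was signed by the TLS CA, is not about to expire,
# and lists <host> (the value given to --csr.hosts) in its SAN.
check_tls_cert() {
    ca="$1"; cert="$2"; host="$3"
    # 1. chain check: does cert.pem verify against the TLS CA root?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. validity check: fail if the cert expires within the next 24 hours
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || return 1
    # 3. hostname check: peers connect by name, so the SAN must carry it exactly
    openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host"'(,|$)' || return 1
}

# make_demo_certs <dir> <host>: constructed stand-ins for what
# fabric-ca-server init (tls-ca-cert.pem) and fabric-ca-client enroll
# (key.pem + cert.pem) would produce, so the check can be exercised offline.
make_demo_certs() {
    d="$1"; host="$2"
    mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = demo-tls-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # self-signed TLS root CA (stands in for the TLS CA's ca-cert.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -keyout "$d/ca-key.pem" -out "$d/tls-ca-cert.pem" >/dev/null 2>&1
    # client side: generate a key pair and a CSR (what enroll does for rcaadmin)
    openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=rcaadmin" \
        -keyout "$d/key.pem" -out "$d/req.csr" >/dev/null 2>&1
    # CA side: sign the CSR, adding the SAN that --csr.hosts would have requested
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.cnf"
    openssl x509 -req -in "$d/req.csr" -CA "$d/tls-ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -days 30 \
        -extfile "$d/san.cnf" -out "$d/cert.pem" >/dev/null 2>&1
}
```

Run `make_demo_certs /tmp/demo localhost && check_tls_cert /tmp/demo/tls-ca-cert.pem /tmp/demo/cert.pem localhost` to try it offline; against a real deployment, point `check_tls_cert` at tls-root-cert/tls-ca-cert.pem and tls-ca/rcaadmin/msp/signcerts/cert.pem instead.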