Fabric-CA is an open-source project created specifically to handle identity (account) management for Fabric, and it solves the problem of generating Fabric identities well. It consists of two modules, fabric-ca-server and fabric-ca-client; fabric-ca-server is the central component of the project.
1. Compilation and installation of Fabric-ca
Step 1: Install the system component package
sudo apt-get install libtool libltdl-dev
Step 2: Download the source code and compile
cd $GOPATH/src/github.com/hyperledger/
git clone http://gerrit.hyperledger.org/r/fabric-ca
cd fabric-ca/
# build the server and the client
make fabric-ca-server
make fabric-ca-client
Step 3: Install the compiled executable file
cd $GOPATH/src/github.com/hyperledger/fabric-ca/bin/
cp $GOPATH/src/github.com/hyperledger/fabric-ca/bin/* /usr/local/bin/
Step 4: Check whether the installation is successful
fabric-ca-server version
fabric-ca-client version
2. Startup and configuration of Fabric-ca-server
After fabric-ca-server is started it runs as a daemon, and requests can be sent to it through fabric-ca-client or any other client that implements its protocol. fabric-ca-server takes its configuration from three sources: command-line options, environment variables, and the configuration file.
1. Fabric-ca-server command line options
The fabric-ca-server module has three subcommands, namely:
- init: initialize fabric-ca server
- start: start fabric-ca server
- version: display version
2. Fabric-ca-server options
3. Fabric-ca-server initialization
Fabric-ca-server is configured through a configuration file. Running the init subcommand of fabric-ca-server initializes the server and generates that file. Before running init, create a working directory for the server; this article uses the following directory (any path will do):
mkdir -p ~/go/src/github.com/hyperledger/fabric-ca-server
Fabric-ca-server server initialization:
cd ~/go/src/github.com/hyperledger/fabric-ca-server
fabric-ca-server init -b admin:adminpw
After the fabric-ca-server initialization command is executed, the corresponding configuration files will be generated in the current directory. The names and functions of these files are as follows:
fabric-ca-server-config.yaml: configuration file
fabric-ca-server.db: database file (used when the database is sqlite3)
ca-cert.pem: CA certificate file
msp: private key folder
4. Fabric-ca-server start
After editing the configuration file, the startup command is as follows:
fabric-ca-server start -H '/home/yulin/go/src/github.com/hyperledger/fabric-ca-server' --boot admin:adminpw
3. Using Fabric-ca-client
fabric-ca-server exposes a set of REST API endpoints for third-party applications. fabric-ca-client wraps these endpoints, so that account registration, enrollment, revocation and similar operations only require a few simple parameters.
1. Fabric-ca-client module subcommand
- enroll: enroll an identity (obtain its certificate from the CA)
- gencrl: generate a certificate revocation list (CRL)
- gencsr: generate a certificate signing request (CSR)
- getcacert: get the CA certificate
- reenroll: re-enroll an identity (renew its certificate)
- register: register a new identity
- revoke: revoke an identity or certificate
- version: display version information
2. Fabric-ca-client module parameter options
Like fabric-ca-server, fabric-ca-client has a set of global options shared by all subcommands, while each subcommand also takes its own options. The options of fabric-ca-client and their purpose are as follows:
(1) Global options
--caname: name of the CA (server) to talk to
-H, --home: client home directory, used to store client-related files; default "~/.fabric-ca-client"
-M, --mspdir: directory for the client's identity (MSP) files; default "msp"
-d, --debug: set the client log level to debug
-u, --url: address of fabric-ca-server; default 0.0.0.0:7054
(2) Enrollment options
--enrollment.attrs: attributes requested in the enrollment request
--enrollment.label: HSM-related label in the enrollment request
--enrollment.profile: profile used in the enrollment request
(3) Registration options
--id.affiliation: organization/department (affiliation) of the identity being registered
--id.attrs: list of attributes of the identity being registered
--id.maxenrollments: number of enrollments allowed after registration; default -1
--id.name: user name of the identity being registered
--id.secret: password (secret) of the identity being registered
--id.type: type of the identity being registered; currently 'peer, app, user' are supported; default "user"
(4) Revocation options
-a, --revoke.aki: authority key identifier (AKI) of the certificate to revoke
-e, --revoke.name: name of the identity to revoke
-r, --revoke.reason: reason for the revocation
-s, --revoke.serial: serial number of the certificate to revoke
(5) CSR options
--csr.cn: common name in the certificate signing request
--csr.hosts: host names in the certificate signing request
--csr.names: additional names in the certificate signing request
--csr.serialnumber: serial number in the certificate signing request
-m, --myhost: host name placed in the certificate signing request; default is the local host name
(6) TLS options
--tls.certfiles: CA certificate file(s) trusted for TLS, in PEM format
--tls.client.certfile: client certificate file for TLS, in PEM format
--tls.client.keyfile: client private key file for TLS
(7) Commonly used commands
Register an account
fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd -u http://localhost:7054
Enroll an account (load its certificate locally)
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 -M '/home/yulin/go/src/github.com/hyperledger/fabric-client'
Obtain the CA server's certificate
fabric-ca-client getcacert -u http://localhost:7054 -M ~/go/src/github.com/hyperledger/testuser/msp
4. Integrating fabric-ca-server into an existing project
Fabric-CA is a powerful complement to Fabric's cryptogen tool and plays an important role in real projects. In a Fabric project, cryptogen is normally used to generate the identity files of organizations, peer nodes, orderer nodes and other components. When user identities have to be generated dynamically at run time, however, Fabric-CA is the better choice. For Fabric-CA to issue identities for a specific organization, fabric-ca-server must be bound to that organization.
1. Bind fabric-ca-server to existing organization
Here we bind fabric-ca-server to org1 from the previous article, [Introduction to Hyperledger Fabric] (1) Quickly run a simple Fabric network.
First open the fabric-ca-server configuration file fabric-ca-server-config.yaml, and find the following content in the configuration file:
ca:
# Name of this CA
name:
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
Then change into the folder where the org1 certificates from [Introduction to Hyperledger Fabric] (1) Quickly run a simple Fabric network are stored, and run tree -L 2 to view the identity files:
$ cd '/home/yulin/blockchain/fabric/Hyperledger/fabricconfig/crypto-config/peerOrganizations/org1.example.com'
$ tree -L 2
Modify the relevant configuration in the fabric-ca-server configuration file fabric-ca-server-config.yaml as follows:
ca:
# Name of this CA
name: ca-org1
# Key file (is only used to import a private key into BCCSP)
keyfile: /home/yulin/blockchain/fabric/Hyperledger/fabricconfig/crypto-config/peerOrganizations/org1.example.com/ca/priv_sk
# Certificate file (default: ca-cert.pem)
certfile: /home/yulin/blockchain/fabric/Hyperledger/fabricconfig/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
# Chain file
chainfile: ca-chain.pem
- keyfile: the file in the ca folder whose name ends in _sk (the CA's private key).
- certfile: the file named ca.org1.example.com-cert.pem in the ca folder (the CA's certificate).
With these settings, fabric-ca-server issues certificates under org1's own CA, i.e. it is bound to the organization org1.
2. Generate an account from the bound fabric-ca-server through the client
Step 1: Set Fabric-ca-client environment variables
Create a directory to store fabric-ca-client account (msp) files.
mkdir ~/go/src/github.com/hyperledger/fabric-client
After the directory is created, enroll with the administrator account and password to obtain the administrator's certificate files (msp).
export FABRIC_CA_CLIENT_HOME=$GOPATH/src/github.com/hyperledger/fabric-client
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 -M ~/go/src/github.com/hyperledger/fabric-client
Note: fabric-ca-server needs to be started.
Step 2: Register an account
After the administrator has been enrolled, register an account with the user name user_test and the password user2wd. The command is as follows:
$ fabric-ca-client register --id.name user_test --id.type user --id.affiliation org1.department1 --id.secret user2wd -u http://localhost:7054 -H ~/go/src/github.com/hyperledger/fabric-client
2021/03/28 15:26:26 [INFO] Configuration file location: /home/yulin/go/src/github.com/hyperledger/fabric-client/fabric-ca-client-config.yaml
Password: user2wd
Step 3: Load the account
To load the account user_test registered in the previous step onto the local machine, first create a local directory to store the new user's certificate downloaded from the server. It can be any directory; this article uses the following:
mkdir ~/go/src/github.com/hyperledger/testuser
Enter the directory above, enroll the account user_test, and save its identity files in the directory given by -M.
$ fabric-ca-client enroll -u http://user_test:user2wd@localhost:7054 -M ~/go/src/github.com/hyperledger/fabric-client/testuser/msp
2021/03/28 15:31:33 [INFO] generating key: &{A:ecdsa S:256}
2021/03/28 15:31:33 [INFO] encoded CSR
2021/03/28 15:31:33 [INFO] Stored client certificate at /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/msp/signcerts/cert.pem
2021/03/28 15:31:33 [INFO] Stored root CA certificate at /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/msp/cacerts/localhost-7054.pem
2021/03/28 15:31:33 [INFO] Stored Issuer public key at /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/msp/IssuerPublicKey
2021/03/28 15:31:33 [INFO] Stored Issuer revocation public key at /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/msp/IssuerRevocationPublicKey
Step 4: Copy the administrator's signing certificate and the public TLS certificate files
The copy commands are as follows:
$ cp /home/yulin/blockchain/fabric/Hyperledger/fabricconfig/crypto-config/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/* /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/msp/admincerts
$ cp /home/yulin/blockchain/fabric/Hyperledger/fabricconfig/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/* /home/yulin/go/src/github.com/hyperledger/fabric-client/testuser/tls
Step 5: Check the account
Comparing the file structure with what the cryptogen tool generates shows that the layout is the same; only the file names differ, which is normal.
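The check in Step 5 can be automated. The following script is an added example, not part of the original article or of Fabric-CA: it walks an MSP directory like the one written by the enroll command above (signcerts/, cacerts/) and completed in Step 4 (admincerts/), and reports what is missing, which files are not PEM certificates, and whether the private key in keystore/ is readable by other users. The directory names follow the standard Fabric MSP layout (assumed); build_sample_msp writes a constructed placeholder MSP so the script runs offline.

```python
"""Sanity-check an MSP directory written by `fabric-ca-client enroll` (added example)."""
import stat
from pathlib import Path

# Standard Fabric MSP layout (assumed): signcerts/ and cacerts/ are written by enroll,
# keystore/ holds the generated private key, admincerts/ is filled by the copy in Step 4.
REQUIRED_DIRS = ("signcerts", "cacerts", "keystore", "admincerts")
CERT_HEADER = b"-----BEGIN CERTIFICATE-----"


def check_msp(msp: str) -> list:
    """Return a list of problems found; an empty list means the MSP looks usable."""
    root = Path(msp)
    if not root.is_dir():
        return [f"{msp}: not a directory"]
    problems = []
    for name in REQUIRED_DIRS:
        d = root / name
        if not d.is_dir():
            problems.append(f"missing directory {name}/")
            continue
        files = [p for p in sorted(d.iterdir()) if p.is_file() and p.stat().st_size > 0]
        if not files:
            problems.append(f"{name}/ contains no non-empty file")
        for f in files:
            if name == "keystore":
                mode = stat.S_IMODE(f.stat().st_mode)
                if mode & 0o077:  # private key must not be readable by group/others
                    problems.append(f"keystore/{f.name}: mode {mode:03o} is too open")
            elif not f.read_bytes().startswith(CERT_HEADER):
                problems.append(f"{name}/{f.name}: not a PEM certificate")
    return problems


def build_sample_msp(base: str) -> str:
    """Write a constructed placeholder MSP (not real certificates) under base."""
    root = Path(base) / "msp"
    for name in REQUIRED_DIRS:
        (root / name).mkdir(parents=True)
    fake_cert = CERT_HEADER + b"\nplaceholder\n-----END CERTIFICATE-----\n"
    for rel in ("signcerts/cert.pem", "cacerts/localhost-7054.pem", "admincerts/admin.pem"):
        (root / rel).write_bytes(fake_cert)
    key = root / "keystore" / "priv_sk"
    key.write_bytes(b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    key.chmod(0o600)
    return str(root)
```

Run check_msp against the testuser/msp directory from Step 3 to confirm the copy in Step 4 populated admincerts/ and that the enrolled private key is not world-readable.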