Deployment and use of Fabric CA

Fabric CA is the certificate authority of Hyperledger Fabric. It provides the following functions: registration of user information, and issuance and management of digital certificates.

Foreword

  • Previously, when using the CA service, the downloaded CA image was run in a docker container, and the CA server was accessed from the application through the interface integrated in the Node SDK. This time, I tried to deploy the CA service manually;

  • Fabric CA consists of server and client components. The CA server (fabric-ca-server) can be regarded as a web service: once the binary compiled from the Go code is executed, it listens on a port and processes the requests it receives;

  • The CA client (fabric-ca-client) is a program that sends requests to the CA server. Running the compiled binary with different parameters sends the corresponding HTTP request to the CA server to complete a series of operations.

Preparation

  • Install the Go language and configure the GOPATH environment variable, then download and configure docker; see the environment configuration for details

  • Install libtool and libltdl-dev

    sudo apt install libtool libltdl-dev

Install and start CA via command line

  • Download and compile directly from github

    go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-server
    go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-client

    The go get command automatically fetches the source code and compiles it into $GOPATH/bin (my directory is ~/go/bin), producing the binary executables fabric-ca-server and fabric-ca-client.

    Then initialize and start fabric-ca-server; you need to set the name and password of an administrator user:

    fabric-ca-server init -b admin:adminpw                 
    fabric-ca-server start -b admin:adminpw

    An error is reported here: "panic: Version is not set for fabric-ca library", which may be related to the downloaded v1.1 version of fabric-ca.

  • Manual compilation and generation
    Since the version downloaded directly from github reports an error, you can choose to compile and generate the specified version of fabric-ca-server yourself.
    First download the fabric-ca source code and switch to the corresponding version:

    git clone https://github.com/hyperledger/fabric-ca.git
    cd fabric-ca
    git checkout v1.1.0

    Then compile in the fabric-ca directory:

    make fabric-ca-server
    make fabric-ca-client

    This generates fabric-ca-server and fabric-ca-client in the .../fabric-ca/bin directory. Then enter the bin directory to initialize the CA server:

    fabric-ca-server init -b admin:adminpw                 

    After initialization, the following are generated in the directory:

    • msp: contains the keystore, which holds the private key of the CA server
    • ca-cert.pem: the CA server certificate
    • fabric-ca-server.db: the embedded SQLite database used by the CA by default
    • fabric-ca-server-config.yaml: the CA server configuration file

    Then start the CA server:

    fabric-ca-server start -b admin:adminpw                 

    The CA server starts to listen; the default listening address is http://0.0.0.0:7054 (all network interfaces, plain HTTP). If the start command is executed directly, it automatically runs init first and then starts the service and begins listening.
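
An added example (not part of the original post or of the Fabric CA project): a small audit of the files that init generates, listed above. It reports key, database or config files that group or others can access, the tutorial's example bootstrap password left in the config, and TLS being off. The function names and finding codes are hypothetical, the sample directory is constructed with placeholder contents, and the `pass:` / `tls: enabled:` layout of fabric-ca-server-config.yaml is an assumption.

```shell
#!/bin/sh
# Added example: audit the directory produced by `fabric-ca-server init`.
# Prints one finding per line; a clean directory prints nothing.
audit_ca_home() {
    dir=$1
    cfg="$dir/fabric-ca-server-config.yaml"

    # The CA private key (msp/keystore), the SQLite database and the config file
    # (it stores the bootstrap password) should be accessible to the owner only.
    for f in "$dir"/msp/keystore/* "$dir/fabric-ca-server.db" "$cfg"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))" ]; then
            rel=${f#"$dir"/}
            echo "LOOSE_PERMS $rel"
        fi
    done

    [ -f "$cfg" ] || { echo "NO_CONFIG"; return 0; }

    # The tutorial's example password still present (assumed layout: `pass: <value>`).
    if grep -Eq '^[[:space:]]*pass:[[:space:]]*adminpw[[:space:]]*$' "$cfg"; then
        echo "EXAMPLE_BOOTSTRAP_PASSWORD"
    fi

    # `enabled:` under the top-level `tls:` key; anything but true means plain HTTP.
    tls=$(awk '/^tls:/ {t=1; next} /^[^ #]/ {t=0}
               t && /^[[:space:]]+enabled:/ {print $2; exit}' "$cfg")
    [ "$tls" = "true" ] || echo "TLS_DISABLED"
}

# Constructed sample: placeholder files (no real key material) laid out like the
# directory described above, with deliberately loose modes on key and config.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/msp/keystore"
    echo placeholder > "$d/msp/keystore/sample_sk"
    echo placeholder > "$d/fabric-ca-server.db"
    printf 'tls:\n  enabled: false\nregistry:\n  identities:\n    - name: admin\n      pass: adminpw\n' \
        > "$d/fabric-ca-server-config.yaml"
    chmod 644 "$d/msp/keystore/sample_sk" "$d/fabric-ca-server-config.yaml"
    chmod 600 "$d/fabric-ca-server.db"
    echo "$d"
}

sample=$(make_sample_home)
audit_ca_home "$sample"
rm -rf "$sample"
```

To check a real deployment, call audit_ca_home with the directory in which fabric-ca-server init was run.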

Install and start CA via docker image

The docker image contains both fabric-ca-server and fabric-ca-client.

  • Download the fabric-ca image directly
    First, you can download the fabric-ca image directly from Docker Hub:

    docker pull hyperledger/fabric-ca:x86_64-1.1.0

    Use the docker-compose.yml file to start the image. The configuration file is in .../fabric-ca/docker/server; enter that directory and start it:

    docker-compose up

    This starts the ca container. If the image does not exist locally, it is pulled automatically. The configuration file, certificate, private key, database file, etc. described above are generated in the .../server/fabric-ca-server directory (this mapping is set in the docker-compose.yml file), and the server starts listening on a port.

  • Manually compiling docker images
    In addition to pulling the fabric-ca image directly from Docker Hub, you can also generate images by compiling from source code.
    Execute in the fabric-ca directory:

    make docker

    Four images will be generated: fabric-ca, fabric-ca-tool, fabric-ca-peer and fabric-ca-orderer. The images are stored in .../fabric-ca/build/image. Then start the ca node according to the docker-compose.yml file, in the same way as in the method above.

Use of Fabric CA

There are two ways to access the Fabric CA server: through the client tool (fabric-ca-client) and through the RESTful interface. In essence, the client tool is also implemented by calling the RESTful interface of the server. Here the client tool is used.

First, initialize and start the CA server (run fabric-ca-server or start the CA container) following the steps above. If fabric-ca-client has been downloaded, move to the corresponding directory to operate it (this is not necessary if it has been added to the environment variable). If the CA server runs in a docker container and the client tool has not been downloaded, you can enter the container for testing (the ca image bundles the server and client components; the binaries are placed in /usr/local/bin, which has already been added to the environment variable). To enter the container:

docker exec -it fabric-ca-server bash

Here the method of running the compiled executable is chosen. First start the CA server in one terminal:

fabric-ca-server start -b admin:adminpw

Operate the CA client in another terminal. First, you need to enroll the administrator user set at startup. Before enrolling, set the environment variable for the certificate storage directory:

export FABRIC_CA_CLIENT_HOME=$HOME/ca
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

You can see that a fabric-ca-client-config.yaml configuration file is generated in the ~/ca directory, and the msp directory contains the administrator's certificate and private key. With the admin user successfully enrolled, use admin as a registrar to register a new user:

fabric-ca-client register --id.name Jim --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'

The client receives a password; use this password to enroll the user:

fabric-ca-client enroll -u http://Jim:IGIMqptUPBRc@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/Jim

In this way, a new user is successfully registered and obtains its own certificate and private key.

Summary

To sum up, manually deploying CA services can be divided into two methods:

  • One method is to run the compiled executable directly on the command line. It can be obtained and compiled automatically with the go get command (the latest version has an error), or you can fetch the source code manually and switch to the required version before compiling; then initialize and start the CA server on the command line;

  • The other method is to run the docker image in a container. The image contains the compiled executables. The image can be downloaded directly from Docker Hub, or compiled manually with make docker in the fabric-ca directory, and then docker-compose is used to start the CA container.
