Fabric CA is the certificate authority of Hyperledger Fabric. It provides the following functions: registration of user information, and issuance and management of digital certificates.
Foreword
Previously, when using the CA service, I ran the downloaded CA image in a docker container and accessed the CA server from the application through the interface integrated in the Node SDK. This time, I tried to deploy the CA service manually.
Fabric CA consists of server and client components. The CA server (fabric-ca-server) can be regarded as a web service: the binary compiled from the Go code listens on a port and processes the requests it receives. The CA client (fabric-ca-client) is a program that sends requests to the CA server: running the compiled binary with different parameters sends the corresponding HTTP requests to the CA server to complete a series of operations.
Preparation
Install the Go language and configure the GOPATH environment variable, then download and configure docker; refer to the environment configuration for details.
Install libtool and libltdl-dev:
sudo apt install libtool libltdl-dev
Install and start CA via command line
Download and compile directly from github
go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-server
go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-client
The go get command automatically obtains the source code and compiles it into $GOPATH/bin (my directory is ~/go/bin), producing the binary executables fabric-ca-server and fabric-ca-client.
Then initialize and start fabric-ca-server; you need to set the name and password of an administrator user:
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -b admin:adminpw
An error is reported here: panic: Version is not set for fabric-ca library, which may be related to the downloaded v1.1 version of fabric-ca.
Manual compilation and generation
Since the version downloaded directly from github reports an error, you can compile the specified version of fabric-ca-server yourself.
First download the fabric-ca source code and switch to the corresponding version:
git clone https://github.com/hyperledger/fabric-ca.git
cd fabric-ca
git checkout v1.1.0
Then compile in the fabric-ca directory:
make fabric-ca-server
make fabric-ca-client
This generates fabric-ca-server and fabric-ca-client in the .../fabric-ca/bin directory. Then enter the bin directory to initialize the CA server:
fabric-ca-server init -b admin:adminpw
The following are generated in the directory after initialization:
msp: contains keystore, the private key of the CA server
ca-cert.pem: CA server certificate
fabric-ca-server.db: the embedded SQLite database used by the CA by default
fabric-ca-server-config.yaml: CA server configuration file
Then start the CA server:
fabric-ca-server start -b admin:adminpw
The CA server starts to listen, and the default listening address is http://0.0.0.0:7054. If the start command is executed directly, it automatically runs init first and then starts the service and begins listening.
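A quick audit of the directory produced by init, as an added example that is not part of the original post: it checks that the files listed above exist, that the CA private key and database are not readable by other users, and that the configuration does not still have TLS disabled or the example adminpw secret. The function name is hypothetical, and the key names (a top-level tls section with enabled, and pass for the bootstrap identity) are assumptions about the layout of fabric-ca-server-config.yaml.

```shell
#!/bin/sh
# Added example (not from the original post): audit a fabric-ca-server home
# directory after `fabric-ca-server init`.
# Assumptions: the config has a top-level `tls:` section with an `enabled:`
# key and stores the bootstrap identity secret as `pass: <secret>`.

audit_ca_home() {
    local home="$1" rc=0 f loose cfg tls

    # Artifacts the post lists as generated by init.
    for f in ca-cert.pem fabric-ca-server.db fabric-ca-server-config.yaml; do
        [ -f "$home/$f" ] || { echo "MISSING $f"; rc=1; }
    done
    [ -d "$home/msp/keystore" ] || { echo "MISSING msp/keystore"; rc=1; }

    # The CA private key and the identity database should be owner-only.
    loose=$(find "$home/msp/keystore" "$home/fabric-ca-server.db" -type f \
                 \( -perm -040 -o -perm -004 \) 2>/dev/null) || true
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/READABLE-BY-OTHERS /'; rc=1
    fi

    cfg="$home/fabric-ca-server-config.yaml"
    if [ -f "$cfg" ]; then
        # Value of `enabled:` inside the top-level tls section only
        # (other sections have their own `enabled:` keys).
        tls=$(awk '/^[A-Za-z]/ { sec = $1 }
                   sec == "tls:" && $1 == "enabled:" { print $2; exit }' "$cfg")
        [ "$tls" = "true" ] || { echo "TLS-DISABLED"; rc=1; }
        # The tutorial's example bootstrap secret is still in the registry.
        if grep -Eq '^[[:space:]]*pass:[[:space:]]*adminpw[[:space:]]*$' "$cfg"; then
            echo "EXAMPLE-PASSWORD adminpw"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh audit.sh /path/to/fabric-ca/bin
if [ $# -gt 0 ]; then audit_ca_home "$1"; fi
```

Each finding is printed on its own line and the exit status is non-zero if any check fails, so the script can gate a deployment step.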
Install and start CA via docker image
The docker image contains both fabric-ca-server and fabric-ca-client.
Download the fabric-ca image directly
First, you can choose to download the fabric-ca image directly from Docker Hub:
docker pull hyperledger/fabric-ca:x86_64-1.1.0
Use the docker-compose.yml file to start the image. The configuration file is in .../fabric-ca/docker/server; enter that directory and start:
docker-compose up
This starts the ca container. If the image does not exist, it will be pulled automatically.
The above configuration file, certificate, private key, database file, etc. will be generated in the .../server/fabric-ca-server directory (this is the mapping set in the docker-compose.yml file), and the server starts listening on a port.
Manually compiling docker images
In addition to pulling the fabric-ca image directly from Docker Hub, you can also generate the images by compiling from source code.
Execute in the fabric-ca directory:
make docker
Four images will be generated: fabric-ca, fabric-ca-tool, fabric-ca-peer and fabric-ca-orderer. The images will be stored in .../fabric-ca/build/image, and then the ca node is started according to the docker-compose.yml file in the same way as the above method.
Use of Fabric CA
There are two ways to access the Fabric CA server: through the client tool (fabric-ca-client) and through the RESTful interface. In essence, the client tool is also implemented by calling the RESTful interface of the server. Here the client tool is used.
First, initialize and start the CA server (execute fabric-ca-server or start the CA container) according to the above steps. If fabric-ca-client has been downloaded, move it to the corresponding directory to start the operation (if it has been added to the environment variable, this is not necessary). If the CA server is run in a docker container and the client tool is not downloaded, you can enter the container for testing (the ca image integrates the server and client components); the binary file is placed in /usr/local/bin and has been added to the environment variable. To enter the container:
docker exec -it fabric-ca-server bash
Here the compiled executable files are run directly. First start the CA server in one terminal:
fabric-ca-server start -b admin:adminpw
Operate the CA client in another terminal. First, you need to register (enroll) the administrator user set at startup. Before registration, you need to set the environment variable of the certificate storage directory:
export FABRIC_CA_CLIENT_HOME=$HOME/ca
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
A fabric-ca-client-config.yaml configuration file is generated in the ~/ca directory, and the msp directory contains the administrator's certificate and private key. With the admin user successfully enrolled, use the admin as a Registrar to register a new user:
fabric-ca-client register --id.name Jim --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar'
The client receives a password; use this registration password to enroll the user:
fabric-ca-client enroll -u http://Jim:IGIMqptUPBRc@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/Jim
In this way, a new user is successfully registered and obtains its own certificate and private key.
Summary
To sum up, manually deploying CA services can be divided into two methods:
One method is to run the compiled executable file directly on the command line. It can be obtained and compiled automatically through the go get command (the latest version has an error), or you can manually obtain the source code and switch the version before compiling; then initialize and start the CA server on the command line.
Another method is to run the docker image in a container. The image contains the compiled executable files. The image can be downloaded directly from Docker Hub, or compiled manually with make docker in the fabric-ca directory, and then docker-compose is used to start the CA container.