Hyperledger Fabric (Blockchain)
Configure your Hyperledger Fabric (Blockchain) to generate and secure the Hyperledger Admin Certificate Authority (CA), Peer, and Orderer private keys in a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM for Hyperledger service for this integration.
This integration guide uses the following third party applications:
- Hyperledger Fabric
- Hyperledger Fabric CA
The following platforms were tested for this integration:
Platforms Tested | Golang | Docker | Docker Compose |
---|---|---|---|
RHEL 64-bit | 1.8.3 | 17.06.0-ce | 1.8.0 |
About the Hyperledger Fabric CA Server
Hyperledger Fabric is a variant of the Hyperledger Blockchain project. Hyperledger Fabric is permissioned: members of the network must enroll through a Membership Service Provider (MSP) before they can participate.
Hyperledger Fabric has a ledger, uses smart contracts, and is a system that allows participants to manage their transactions. Ledger data can be stored in multiple formats, consensus mechanisms may be switched in and out, and multiple MSPs are supported. Hyperledger Fabric also offers the ability to create channels, allowing you to create a separate ledger of transactions.
The following diagram illustrates how the Hyperledger Fabric CA server fits into the overall Hyperledger Fabric architecture:
There are two methods of interacting with a Hyperledger Fabric CA server:
- The Hyperledger Fabric CA client
- The Hyperledger Fabric SDK
The Hyperledger Fabric CA client or SDK may connect to a server in a cluster of Hyperledger Fabric CA servers (see the Cluster of Fabric-CA Servers in the diagram). In this configuration the client routes to an HA proxy endpoint which load balances traffic to one of the fabric-ca-server cluster members.
A server may contain multiple CAs. Each CA is either a root CA or an intermediate CA. Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
All Hyperledger Fabric CA servers in a cluster share the same database for keeping track of identities and certificates. If LDAP is configured, the identity information is stored in LDAP rather than in the database.
Prerequisites
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Complete the following:
1. Select the Hyperledger tile and create the following three HSM on Demand services:
   - org1.example.com
   - org2.example.com
   - orderer.example.com
2. For each service, create a client with the same name and download the zip to the host machine.
3. Execute the following commands to create the service directories on the host machine:

   ```bash
   mkdir -p /etc/hyperledger/fabric/DPoD/org1.example.com
   mkdir -p /etc/hyperledger/fabric/DPoD/org2.example.com
   mkdir -p /etc/hyperledger/fabric/DPoD/orderer.example.com
   ```
4. Unzip the three clients in their respective directories.
5. Initialize the service, Crypto Officer, and Crypto User roles on the services. For the purpose of this integration guide, the demonstration passwords have been set to userpin.
6. Set the ChrystokiConfigurationPath environment variable to point to the Chrystoki.conf file.

In a production configuration the passwords should be set to coincide with your organization's security policy.
Install UNIX Components
The following components must be installed on the host system where you will generate the keys for the User, Peer, and Orderer:
- Git
- Curl
- Alien
- Python
Execute the following command as a user with privileges to install the components:
Ubuntu: sudo apt-get install git curl alien python-pip libtool libltdl-dev
RHEL: sudo yum install git curl alien python-pip libtool-ltdl-devel
Set up Golang
Hyperledger Fabric uses the Go programming language. Download the golang binaries from https://golang.org/dl/ and follow the instructions at https://golang.org/doc/install to install the golang binaries.
Ensure that the Go binaries are in the PATH variable: export PATH=/usr/local/go/bin:$PATH
If the GOPATH is not set, set it. The value will be a directory of the development workspace.
export GOPATH=/opt/gopath
mkdir -p $GOPATH/src/github.com/hyperledger
cd $GOPATH/src/github.com/hyperledger
Set up Docker
Docker and Docker Compose need to be installed on the host system. Follow the instructions at https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/ to install Docker CE.

1. Execute sudo pip install docker-compose==1.8.0 to install docker-compose.
2. Configure Docker so that it does not require sudo. Execute:

   ```bash
   sudo gpasswd -a $USER docker
   newgrp docker
   ```
3. Open images/orderer/Dockerfile.in in a text editor and add:

   RUN apt-get update && apt-get install -y libtool

   after

   RUN mkdir -p /var/hyperledger/production $FABRIC_CFG_PATH
4. Open images/peer/Dockerfile.in in a text editor and add:

   RUN apt-get update && apt-get install -y libtool

   after

   RUN mkdir -p /var/hyperledger/production $FABRIC_CFG_PATH

The command added to the peer and orderer Dockerfile.in files installs libtool, which the PKCS11 build of the images requires.
Set up Hyperledger Fabric and Fabric CA
Install and configure the Hyperledger Fabric repository and the Fabric CA role for integration with the Luna Cloud HSM Service. Install the features and modify the Hyperledger Fabric configuration files to generate keys using the PKCS11 Blockchain Cryptographic service Provider (BCCSP).
To set up Hyperledger Fabric and Fabric CA:

1. Create the Hyperledger Fabric repository.

   ```bash
   git clone https://gerrit.hyperledger.org/r/fabric
   cd fabric
   git checkout -b v1.1.0 v1.1.0
   ```

   The instructions were developed against the tags v1.1.0 and v1.3.0. Use the repository checked out at one of these tags, as the instructions may not be compatible with the latest check-in on the master branch of fabric.
2. If using v1.1.0, proceed to step 4. If using v1.3.0, modify the Makefile as follows.

   Change:

   GO_TAGS ?=

   To:

   GO_TAGS ?= pkcs11
3. Remove the -static linking option in the docker-env.mk file.

   Change:

   DOCKER_GO_LDFLAGS += -linkmode external -extldflags '-static -lpthread'

   To:

   DOCKER_GO_LDFLAGS += -linkmode external -extldflags '-lpthread'
4. Add a command to images/orderer/Dockerfile.in and images/peer/Dockerfile.in to install libtool.

   After the line:

   RUN mkdir -p /var/hyperledger/production $FABRIC_CFG_PATH

   Add:

   RUN apt-get update && apt-get install -y libtool
5. Build the Docker images and executables.

   ```bash
   make docker
   make release
   ```
6. Clone the fabric-ca project and build the fabric-ca-client binary.

   ```bash
   cd $GOPATH/src/github.com/hyperledger
   git clone https://gerrit.hyperledger.org/r/fabric-ca
   cd fabric-ca
   git checkout -b v1.1.0 v1.1.0    # or: git checkout -b v1.3.0 v1.3.0
   make fabric-ca-client
   cd $GOPATH/src/github.com/hyperledger/fabric-ca/bin
   ./fabric-ca-client gencsr
   ```

   The instructions were developed against the tags v1.1.0 and v1.3.0. Use the repository checked out at one of these tags, as the instructions may not be compatible with the latest check-in on the master branch of fabric-ca.
Integration
This guide will detail how to generate keys for the User, Peer, and Orderer roles on the HSM on Demand service in an example configuration. It will then demonstrate the e2e_cli end-to-end execution for creating channels and querying the chain code.
Generating a Certificate Signing Request using fabric-ca-client and PKCS11 BCCSP
The fabric-ca-client utility can be used to generate certificate signing requests (CSR) for Peers, Orderers, and Users in their respective MSP directories.
The fabric-ca-client utility uses the BCCSP to generate cryptographic material. If you configure the BCCSP to use a PKCS11 implementation, you can generate and store the keys using the Luna Cloud HSM Service.
You must update the fabric-ca-client-config.yaml to use the PKCS11 cryptographic provider, configure the Orderer and Peer nodes, and initialize communication between the objects.
Configuring the User Nodes
You must configure the User nodes by updating the ~/.fabric-ca-client/fabric-ca-client-config.yaml file to use the PKCS11 cryptographic provider.
The ~/.fabric-ca-client/fabric-ca-client-config.yaml file is available only after executing ./fabric-ca-client gencsr from the $GOPATH/src/github.com/hyperledger/fabric-ca/bin directory.
You can do this by updating the file in a text editor or exporting the environment variables. See:
- To update the fabric-ca-client-config.yaml in a text editor
- To update the fabric-ca-client-config.yaml using environment variables
Update the fabric-ca-client-config.yaml in a text editor
Open the ~/.fabric-ca-client/fabric-ca-client-config.yaml file in a text editor and update the file for your configuration. The following is an example of a BCCSP configuration using a Luna Cloud HSM Service.

```yaml
bccsp:
  default: PKCS11
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # the directory used for the software file-based keystore
      keystore: msp/keystore
  pkcs11:
    library: /etc/hyperledger/fabric/DPoD/org1.example.com/libs/64/libCryptoki2.so
    pin: userpin
    label:
    hash: SHA2
    security: 256
    filekeystore:
      # the directory used for the software file-based keystore
      keystore: msp/keystore
```

Add a keyrequest setting to the csr section to specify the key size.

```yaml
csr:
  KeyRequest:
    A: ecdsa
    S: 256
```
Update the fabric-ca-client-config.yaml using environment variables
Export the following environment variables to configure the fabric-ca-client-config.yaml file. Execute the following to export the values:
export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=<service_label>
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=<service_SO_password>
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=<PKCS11_library>
Configuring the Peer Nodes
To configure the Peer nodes to access the HSM on Demand service keys you must update the core.yaml file or set the environment variables for the following:
- PKCS11 BCCSP cryptographic library
- Luna Cloud HSM service
- Luna Cloud HSM service password
- location of the configuration files
You can do this by updating the file in a text editor or exporting the environment variables. A sample core.yaml file is available at ../../sampleconfig/core.yaml. See:
- To update the core.yaml file in a text editor
- To update the core.yaml file using environment variables
Additionally, you must mount the core.yaml file in the volumes section. The core.yaml file provides basic configuration options for Peer modules.
Update the core.yaml file in a text editor
Open the core.yaml file in a text editor.
Specify PKCS11 as the default cryptographic provider in the BCCSP section. The file should appear as follows:

```yaml
BCCSP:
    Default: PKCS11
    PKCS11:
        # TODO: The default Hash and Security level needs refactoring to be
        # fully configurable. Changing these defaults requires coordination
        # SHA2 is hardcoded in several places, not only BCCSP
        Hash: SHA2
        Security: 384
        Library: /etc/hyperledger/fabric/DPoD/org1.example.com/libs/64/libCryptoki2.so
        Label: <organization_label>
        Pin: <password>
        SoftwareVerify: true
        SensitiveKeys: true
        #FileKeyStore:
        #    KeyStore:
```
Update the core.yaml file using environment variables
Export the following environment variables to change the configuration settings of the core.yaml file.
export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_LABEL=<service_label>
export CORE_PEER_BCCSP_PKCS11_PIN=<service_SO_password>
export CORE_PEER_BCCSP_PKCS11_LIBRARY=<PKCS11_library>
Ensure that the Luna Cloud HSM Service Client installation directory is available to the peer, and that the peer is using the correct Luna Cloud HSM Service. The ChrystokiConfigurationPath must point to the Luna Cloud HSM Service Client installation directory, where the Chrystoki.conf is stored.
export ChrystokiConfigurationPath=<path_to_Chrystoki.conf>
Configuring the Orderer Nodes
To configure the Orderer nodes to access the Luna Cloud HSM Service keys you must update the orderer.yaml file or set the environment variables for the following:
- PKCS11 BCCSP cryptographic library
- the Luna Cloud HSM Service
- Luna Cloud HSM Service crypto officer password
- location of the configuration files
You can do this by updating the file in a text editor or exporting the environment variables. A sample orderer.yaml file is available at ../../sampleconfig/orderer.yaml. See:
- To update the orderer.yaml file in a text editor
- To update the orderer.yaml file using environment variables
Additionally, you must mount the orderer.yaml file in the volume section. The orderer.yaml file provides basic configuration options for Orderer modules.
Update the orderer.yaml file in a text editor
Open the orderer.yaml file in a text editor.
Specify PKCS11 as the default cryptographic provider in the BCCSP section. The file should appear as follows:

```yaml
BCCSP:
    Default: PKCS11
    PKCS11:
        # TODO: The default Hash and Security level needs refactoring to be
        # fully configurable. Changing these defaults requires coordination
        # SHA2 is hardcoded in several places, not only BCCSP
        Hash: SHA2
        Security: 384
        Library: /etc/hyperledger/fabric/DPoD/orderer.example.com/libs/64/libCryptoki2.so
        Label: <organization_label>
        Pin: <password>
        SoftwareVerify: true
        SensitiveKeys: true
        #FileKeyStore:
        #    KeyStore:
```
Update the orderer.yaml file using environment variables
Export the following environment variables to change the configuration settings of the orderer.yaml file.
export ORDERER_GENERAL_BCCSP_PKCS11_LABEL=<service_label>
export ORDERER_GENERAL_BCCSP_PKCS11_PIN=<service_SO_password>
export ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=<PKCS11_library>
Ensure that the Luna Cloud HSM Service Client installation directory is available to the orderer, and that the orderer is using the correct Luna Cloud HSM Service. The ChrystokiConfigurationPath must point to the Luna Cloud HSM Service Client directory, where the Chrystoki.conf is stored.
export ChrystokiConfigurationPath=<path_to_Chrystoki.conf>
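The following pre-flight check is an added example for the three environment-variable configurations above (user, peer and orderer); it is not part of the original guide, of Fabric or of the Luna client. It assumes the variable prefixes used above (FABRIC_CA_CLIENT, CORE_PEER, ORDERER_GENERAL) and the Prerequisites layout, in which each service's libCryptoki2.so lives inside the directory that ChrystokiConfigurationPath names; run it in the shell or container that will start the node, before the node comes up.

```shell
#!/bin/sh
# Pre-flight check of one Fabric role's PKCS11 BCCSP environment (added for this guide).
# Usage: check_pkcs11_env CORE_PEER        (or FABRIC_CA_CLIENT, or ORDERER_GENERAL)
# Prints one line per problem and returns 1 if a setting would stop the node from
# opening the HSM service or would leave the demonstration password in use.

bccsp_var() {
  # Indirect lookup of ${PREFIX}_BCCSP_${SUFFIX}; POSIX sh has no ${!name}.
  eval "printf '%s' \"\${${1}_BCCSP_$2}\""
}

check_pkcs11_env() {
  cpe_prefix=$1
  cpe_problems=0
  cpe_default=$(bccsp_var "$cpe_prefix" DEFAULT)
  cpe_label=$(bccsp_var "$cpe_prefix" PKCS11_LABEL)
  cpe_pin=$(bccsp_var "$cpe_prefix" PKCS11_PIN)
  cpe_lib=$(bccsp_var "$cpe_prefix" PKCS11_LIBRARY)

  # Default may also come from core.yaml/orderer.yaml, so only a wrong env value is rejected:
  # anything but PKCS11 means the keys would be generated in the software keystore.
  if [ -n "$cpe_default" ] && [ "$cpe_default" != "PKCS11" ]; then
    echo "${cpe_prefix}_BCCSP_DEFAULT is '$cpe_default'; keys would not be generated in the HSM"
    cpe_problems=$((cpe_problems + 1))
  fi

  # The label selects the service partition; an unfilled <placeholder> is a common slip.
  case "$cpe_label" in
    ''|'<'*) echo "${cpe_prefix}_BCCSP_PKCS11_LABEL is empty or still a placeholder"
             cpe_problems=$((cpe_problems + 1)) ;;
  esac

  # The PIN is the Crypto Officer password; never echo its value, only the finding.
  case "$cpe_pin" in
    ''|'<'*) echo "${cpe_prefix}_BCCSP_PKCS11_PIN is empty or still a placeholder"
             cpe_problems=$((cpe_problems + 1)) ;;
    userpin) echo "${cpe_prefix}_BCCSP_PKCS11_PIN is the demonstration password from the guide"
             cpe_problems=$((cpe_problems + 1)) ;;
  esac

  # The Cryptoki library must be present where the node (or container) will look for it.
  if [ ! -f "$cpe_lib" ]; then
    echo "${cpe_prefix}_BCCSP_PKCS11_LIBRARY '$cpe_lib' is not a file (service client not unzipped or not mounted?)"
    cpe_problems=$((cpe_problems + 1))
  fi

  # The Luna client reads Chrystoki.conf from ChrystokiConfigurationPath.
  if [ -z "$ChrystokiConfigurationPath" ] || [ ! -f "$ChrystokiConfigurationPath/Chrystoki.conf" ]; then
    echo "ChrystokiConfigurationPath '$ChrystokiConfigurationPath' does not contain Chrystoki.conf"
    cpe_problems=$((cpe_problems + 1))
  else
    # In this guide's layout each service's library sits under its own client directory;
    # a library from elsewhere usually means the node points at another service (warning only).
    case "$cpe_lib" in
      "$ChrystokiConfigurationPath"/*) ;;
      *) echo "warning: library is outside $ChrystokiConfigurationPath; confirm both belong to the same service" ;;
    esac
  fi

  [ "$cpe_problems" -eq 0 ]
}
```

Wire it into the node's start script as `check_pkcs11_env CORE_PEER || exit 1` so a misconfigured peer never starts with software-generated keys.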
Generating a CSR
You must generate a CSR for each role node in the configuration. You need to adjust the options and variables for the requirements of the particular CSR.
The command to generate a CSR utilizes the following syntax:
./fabric-ca-client gencsr --csr.cn <value> --mspdir <value> --csr.names <value>
Where:
- --csr.cn <value> is the common name field of the certificate signing request.
- --mspdir <value> is the path to the Membership Service Provider directory.
- --csr.names <value> is a list of comma-separated CSR labels of the form <name>=<value>. Values include C=<country>, ST=<state>, and OU=<user_role>.
When generating CSR requests ensure that you specify the correct CN, MSP directory, and CSR names. The OU value should equate to peer, orderer or client, depending on the CSR.
Execute the following to generate the User CSR for org1.example.com.
./fabric-ca-client gencsr --csr.cn <common_name_for_CSR> --mspdir <MSP_directory> --csr.names "C=US,ST=California,L=San Francisco,OU=<OU>"
Submit the CSR to your CA to obtain the signed certificate for the role, and place the signed certificate in the respective msp/signcerts directory.
Integrating Hyperledger Fabric Client SDK for Node.js with a Luna Cloud HSM Service
The Hyperledger Fabric Client (HFC) SDK for Node.js provides a powerful and easy-to-use API to interact with a Hyperledger Fabric Blockchain. The HFC is designed to be used in the Node.js JavaScript runtime.
1. Install node.js and npm using the Linux package manager.
2. Add the fabric-ca-client and configtxgen binaries to the path.

   ```bash
   export PATH=/opt/gopath/src/github.com/hyperledger/fabric-ca/bin:/opt/gopath/src/github.com/hyperledger/fabric/release/linux-amd64/bin:$PATH
   ```
3. Check out the fabric-sdk-node source code.

   ```bash
   cd $GOPATH/src/github.com/hyperledger
   git clone https://gerrit.hyperledger.org/r/fabric-sdk-node
   cd fabric-sdk-node
   git checkout -b v1.4.0 v1.4.0
   cd ..
   ```

   The instructions were developed against the tag v1.4.0 for Hyperledger Fabric and the Hyperledger Fabric Client SDK. Use the repositories checked out at this tag, as the instructions may not be compatible with the latest check-in on the master branch of Fabric and the Client SDK.
4. Check out the Fabric SDK HSM integration repo.

   ```bash
   git clone https://github.com/gemalto/fabric-sdk-hsm
   ```
5. Generate the fabric-ca-client default configuration file.

   ```bash
   fabric-ca-client gencsr
   ```
6. Modify the bccsp section in ~/.fabric-ca-client/fabric-ca-client-config.yaml to add PKCS#11 as the default bccsp. Use spaces, not tabs, and pay attention to the indentation. Ensure that the library path points to the correct SafeNet Cryptoki library.

   ```yaml
   bccsp:
     default: PKCS11
     pkcs11:
       hash: SHA2
       security: 256
       library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
       label:
       pin:
       filekeystore:
         # The directory used for the software file-based keystore
         keystore: msp/keystore
   ```
7. Run the helper script to generate private keys in the HSM, create CSRs for the Peer and Orderer Admin users, and create certificates. Here fabric-sdk is the partition label and userpin is the service Crypto Officer password. The helper script executes configtxgen and generates the genesis block with the new certificates.

   ```bash
   PKCS11_LABEL=fabric-sdk PKCS11_PIN=userpin ./fabric-sdk-hsm/node/genAdminPkcs11Node.sh
   ```
8. Copy the required JavaScript files from fabric-sdk-hsm to fabric-sdk-node.

   ```bash
   cp fabric-sdk-hsm/node/e2eHSM.js fabric-sdk-node/test/integration
   cp fabric-sdk-hsm/node/utilHSM.js fabric-sdk-node/test/unit
   ```
9. Install gulp and the required dependencies.

   ```bash
   cd fabric-sdk-node
   sudo npm install -g gulp
   npm install
   gulp ca
   ```
10. Open a new terminal in the fabric-sdk-node directory and start the fabric docker containers.

    ```bash
    cd test/fixtures
    export DOCKER_IMG_TAG=:1.4.0
    docker-compose up
    ```
11. In the previous terminal, configure the constant values for the slot and partition password, if required, in the test/unit/utilHSM.js file. Ensure that the PKCS11_LIB path points to the correct SafeNet Cryptoki library.

    ```javascript
    const PKCS11_LIB = '/usr/safenet/lunaclient/lib/libCryptoki2_64.so';
    const PKCS11_SLOT = 0;
    const PKCS11_PIN = 'userpin';
    const PKCS11_USER_TYPE = 1;
    ```
12. Run the end-to-end HSM integration test.

    ```bash
    node test/integration/e2eHSM.js
    ```

    The system returns the following when the test completes successfully:

    ```
    ***** TransientMap Support in Proposals *****
    ok 207 Successfully retrieved TLS certificate
    ok 208 Successfully loaded member from persistence
    ok 209 Successfully enrolled user 'admin' (e2eUtil 4)
    ok 210 Checking the result has the transientMap value returned by the chaincode
    ok 211 Checking the result has the transientMap value returned by the chaincode
    ok 212 Successfully verified transient map values
    1..212
    # tests 212
    # pass 212
    # ok
    ```
13. To clean up the docker containers, press Ctrl+C in the docker-compose terminal and run the following commands:

    ```bash
    docker rm -f $(docker ps -aq)
    docker-compose up
    ```

    Step 12 can then be performed to execute the end-to-end HSM integration again.
Integrating Hyperledger Fabric Client SDK for Java with a Luna Cloud HSM Service
The Hyperledger Fabric Client (HFC) SDK for Java provides a powerful and easy-to-use API to interact with a Hyperledger Fabric Blockchain. The SDK helps Java applications manage the lifecycle of Hyperledger channels and user chaincode. The SDK also provides a means to execute user chaincode, query blocks and transactions on the channel, and monitor events on the channel.
To generate the keys on the Luna Cloud HSM Service and run end-2-end execution, complete the following.
1. Install java and maven using the Linux package manager.
2. Add the fabric-ca-client and configtxgen binaries to the path.

   ```bash
   export PATH=/opt/gopath/src/github.com/hyperledger/fabric-ca/bin:/opt/gopath/src/github.com/hyperledger/fabric/release/linux-amd64/bin:$PATH
   ```
3. Copy LunaProvider.jar and libLunaAPI.so into the <Java_installation_path>/jre/lib/ext directory. The LunaProvider.jar and libLunaAPI.so for the Luna Cloud HSM Service are available at <service_installation_directory>/jsp/LunaProvider.jar and <service_installation_directory>/jsp/64/libLunaAPI.so.

   ```bash
   cp /usr/safenet/lunaclient/jsp/lib/LunaProvider.jar /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/ext
   cp /usr/safenet/lunaclient/jsp/lib/libLunaAPI.so /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/ext
   ```
4. Check out the fabric-sdk-java source code.

   ```bash
   git clone https://gerrit.hyperledger.org/r/fabric-sdk-java
   cd fabric-sdk-java
   git checkout -b v1.4.0 v1.4.0
   cd ..
   ```

   The instructions were developed against the tag v1.4.0 for Hyperledger Fabric and the Hyperledger Fabric Client SDK. Use the repositories checked out at this tag, as the instructions may not be compatible with the latest check-in on the master branch of Fabric and the Fabric Client SDK.
5. Check out the Fabric SDK HSM integration repo.

   ```bash
   git clone https://github.com/gemalto/fabric-sdk-hsm
   ```
6. Generate the fabric-ca-client default configuration file.

   ```bash
   fabric-ca-client gencsr
   ```
7. Modify the bccsp section in ~/.fabric-ca-client/fabric-ca-client-config.yaml to add PKCS#11 as the default bccsp. Use spaces, not tabs, and pay attention to the indentation. Ensure that the library path points to the correct SafeNet Cryptoki library.

   ```yaml
   bccsp:
     default: PKCS11
     pkcs11:
       hash: SHA2
       security: 256
       library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
       label:
       pin:
       filekeystore:
         # The directory used for the software file-based keystore
         keystore: msp/keystore
   ```
8. Run the helper script to generate private keys in the HSM, create CSRs for the Peer and Orderer Admin users, and create certificates. Here fabric-sdk is the partition label and userpin is the service Crypto Officer password. The helper script executes configtxgen and generates the genesis block with the new certificates.

   ```bash
   PKCS11_LABEL=fabric-sdk PKCS11_PIN=userpin ./fabric-sdk-hsm/java/genAdminPkcs11Java.sh
   ```
9. Copy the required Java files from fabric-sdk-hsm to fabric-sdk-java.

   ```bash
   cp fabric-sdk-hsm/java/End2endHSMIT.java fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/
   cp fabric-sdk-hsm/java/SampleHSMStore.java fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/
   ```
10. Open a new terminal in the fabric-sdk-java directory and start the fabric docker containers.

    ```bash
    cd ./fabric-sdk-java/src/test/fixture/sdkintegration
    export DOCKER_IMG_TAG=:1.4.0
    docker-compose up
    ```
11. In the previous terminal, configure the constant values for the slot and partition password, if required, in the fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/End2endHSMIT.java file.

    ```java
    private static final String TOKEN_LABEL = "fabric-sdk";
    private static final String PARTITION_PASSWORD = "userpin";
    ```
12. Run the end-to-end HSM integration test.

    ```bash
    cd fabric-sdk-java
    mvn failsafe:integration-test -Dtest=End2endHSMIT test
    ```

    When the test completes successfully it returns the following:

    ```
    That's all folks!
    Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 40.431 sec - in org.hyperledger.fabric.sdkintegration.End2endHSMIT
    Results :
    Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
    [INFO]
    [INFO] --- jacoco-maven-plugin:0.7.9:report (post-unit-test) @ fabric-sdk-java ---
    [INFO] Loading execution data file /opt/gopath/src/github.com/hyperledger/fabric-sdk-java/target/coverage-reports/jacoco-ut.exec
    [INFO] Analyzed bundle 'fabric-java-sdk' with 231 classes
    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD SUCCESS
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time: 1:42.468s
    [INFO] Finished at: Mon Apr 08 13:04:06 IST 2019
    [INFO] Final Memory: 30M/188M
    [INFO] ------------------------------------------------------------------------
    ```
13. To clean up the docker containers, press Ctrl+C in the docker-compose terminal and run the following commands:

    ```bash
    docker rm -f $(docker ps -aq)
    docker-compose up
    ```

    Step 12 can then be performed to execute the end-to-end HSM integration again.
Example Configuration: Running cli end-2-end execution
The following procedural set provides an example e2e_cli end-to-end execution configuration.
Before beginning this procedural set, it is assumed you have completed the prerequisite sections of the documentation set and the preceding integration tasks.
Copy the compiled fabric-ca-client to the examples/e2e_cli directory.

```bash
cd $GOPATH/src/github.com/hyperledger/fabric-ca/
cp bin/fabric-ca-client ../fabric/examples/e2e_cli
```

Copy the following script and save the file as gencerts.sh.
The script works in conjunction with the cryptogen tool. The script generates all of the Peer, Orderer, and Admin user MSPs using the fabric-ca-client gencsr command. Certificates are generated using openssl.
```bash
#!/bin/bash
# This script generates certificates and keys to work with the cryptogen util
# to be used with the e2e_cli hyperledger fabric example.
# This allows the keys for the certificate to be generated with the
# PKCS11 BCCSP which in turn allows keys to be generated in an HSM.
##########################################################################
CA_CLIENT=./fabric-ca-client
CRYPTO_CONFIG=$PWD/crypto-config
ROOT=$PWD
BCCSP_DEFAULT=PKCS11
PIN=userpin

# Abort on the first failed step; each command below is followed by this check.
check_error() {
  if [ $? -ne 0 ]; then
    echo "ERROR: Something went wrong!"
    exit 1
  fi
}

# Sign the CSR that gencsr wrote to <msp>/signcerts with the cryptogen-created CA key.
signcsr() {
  MSP=$1
  CN=$2
  CA_DIR=$3
  CA_NAME=$4
  CA_CERT=$(find $CA_DIR -name "*.pem")
  CA_KEY=$(find $CA_DIR -name "*_sk")
  CSR=$MSP/signcerts/$CN.csr
  CERT=$MSP/signcerts/$CN-cert.pem
  openssl x509 -req -sha256 -days 3650 -in $CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $CERT
  check_error
}

# Generate the key for one node or user in the HSM service named by LABEL and issue
# its certificate. Arguments: org-dir org-name node-dir node-name-prefix label OU
# (the prefix and org name are concatenated into the CN, e.g. "peer0." + "org1.example.com").
genmsp() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  LABEL=$5
  NODE_OU=$6
  CN=${NODE_NAME}${ORG_NAME}
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  TLS=$NODE_PATH/tls
  # Drop the software key and certificate that cryptogen created for this identity.
  rm -rf $MSP/keystore/*
  rm -rf $MSP/signcerts/*
  echo $LABEL
  # Point fabric-ca-client at the PKCS11 BCCSP and at this organization's service client.
  export FABRIC_CA_CLIENT_BCCSP_DEFAULT=$BCCSP_DEFAULT
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=$LABEL
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=$PIN
  export ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/$LABEL
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/$LABEL/libs/64/libCryptoki2.so
  $CA_CLIENT gencsr --csr.cn $CN --mspdir $MSP --csr.names "C=US,ST=California,L=San Francisco,OU=$NODE_OU"
  check_error
  signcsr $MSP $CN $CA_PATH/ca $ORG_NAME
}

# Copy the organization's admin certificate into a peer or orderer MSP.
copy_admin_cert_node() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  CN=$NODE_NAME.$ORG_NAME
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem
  cp $ADMIN_CERT $NODE_PATH/msp/admincerts
  check_error
}

# Copy the organization's admin certificate into the org MSP and the admin's own MSP.
copy_admin_cert_ca() {
  ORG_DIR=$1
  ORG_NAME=$2
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem
  cp $ADMIN_CERT $CA_PATH/msp/admincerts
  check_error
  cp $ADMIN_CERT $CA_PATH/users/$ADMIN_CN/msp/admincerts
  check_error
}

for org in 1 2; do
  for peer in 0 1; do
    genmsp peerOrganizations org${org}.example.com peers peer${peer}. org${org}.example.com peer
  done
  genmsp peerOrganizations org${org}.example.com users Admin@ org${org}.example.com client
  for peer in 0 1; do
    copy_admin_cert_node peerOrganizations org${org}.example.com peers peer${peer}
  done
  copy_admin_cert_ca peerOrganizations org${org}.example.com
done
genmsp ordererOrganizations example.com orderers orderer. orderer.example.com orderer
genmsp ordererOrganizations example.com users Admin@ orderer.example.com client
copy_admin_cert_node ordererOrganizations example.com orderers orderer
copy_admin_cert_ca ordererOrganizations example.com
```
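The audit below is an added example for checking the crypto-config tree that gencerts.sh leaves behind; it is not part of the guide's script, of Fabric or of cryptogen. It assumes what the guide intends: node and admin keys generated through the PKCS11 BCCSP stay in the HSM, so a node or user msp/keystore holds no *_sk file, while the cryptogen CA keys under ca/ and tlsca/ and the TLS keys under tls/ are software keys by design and are left alone.

```shell
#!/bin/sh
# Audit the crypto-config tree produced by gencerts.sh (added for this guide).
# Usage: msp_audit_findings ./crypto-config   -> prints the number of findings (0 is clean)

audit_msp_tree() {
  # Only peer, orderer and user MSPs are inspected: those are the identities whose keys
  # gencsr generated in the HSM. The org-level msp, ca/, tlsca/ and tls/ hold cryptogen's
  # software keys and are not part of this check.
  find "$1" -type d -name msp \( -path '*/peers/*' -o -path '*/orderers/*' -o -path '*/users/*' \) |
  while read -r msp; do
    node=${msp%/msp}
    node=${node##*/}
    # Assumption from the lead-in: an HSM-resident key leaves no *_sk file, so any such
    # file means the software keystore was used for this identity instead of the HSM.
    for key in "$msp"/keystore/*_sk; do
      [ -e "$key" ] && echo "$node: private key material on disk: $key"
    done
    # signcsr() writes the CA-signed certificate under this name next to the CSR.
    [ -f "$msp/signcerts/$node-cert.pem" ] || echo "$node: missing signcerts/$node-cert.pem"
    # Peer and orderer MSPs need the org admin certificate that copy_admin_cert_node() copies in.
    case "$msp" in
      */users/*) ;;
      *) [ -n "$(ls "$msp/admincerts" 2>/dev/null)" ] || echo "$node: admincerts is empty" ;;
    esac
  done
}

# Number of findings for a tree; 0 means the tree is consistent with HSM-held keys.
msp_audit_findings() {
  audit_msp_tree "$1" | awk 'END { print NR }'
}
```

Run `audit_msp_tree ./crypto-config` from examples/e2e_cli after gencerts.sh to see each finding, or gate network_setup.sh on `[ "$(msp_audit_findings ./crypto-config)" -eq 0 ]`.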
Copy the core.yaml and orderer.yaml files to the examples/e2e_cli directory.

```bash
cp ../../sampleconfig/core.yaml ../../sampleconfig/orderer.yaml .
```

Open both the core.yaml and orderer.yaml files in a text editor. Edit the BCCSP section in both files to use the following values.

```yaml
BCCSP:
    Default: PKCS11
    PKCS11:
        # TODO: The default Hash and Security level needs refactoring to be
        # fully configurable. Changing these defaults requires coordination
        # SHA2 is hardcoded in several places, not only BCCSP
        Hash: SHA2
        Security: 256
        Library:
        Label:
        Pin:
        SoftwareVerify: true
        SensitiveKeys: true
        #FileKeyStore:
        #    KeyStore:
```
Open the base/peer-base.yaml file in a text editor.
a. Add the following line to the environment section:

```yaml
      - CORE_PEER_BCCSP_PKCS11_PIN=userpin
```

b. Add a volumes section with the following entry at the base of the services section:

```yaml
    volumes:
      - ../core.yaml:/etc/hyperledger/fabric/core.yaml
```

Open the base/docker-compose-base.yaml file in a text editor.
a. Add the following line to the environment section of orderer.example.com:

```yaml
      - ORDERER_GENERAL_BCCSP_PKCS11_PIN=userpin
```

b. Add the following line to the volumes section of orderer.example.com:

```yaml
      - ../orderer.yaml:/etc/hyperledger/fabric/orderer.yaml
```

Open the docker-compose-cli.yaml file in a text editor.
a. Add the following lines to the end of the orderer.example.com section:

```yaml
    environment:
      - ORDERER_GENERAL_BCCSP_PKCS11_LABEL=orderer.example.com
      - ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/orderer.example.com/libs/64/libCryptoki2.so
      - ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/orderer.example.com
    volumes:
      - /etc/hyperledger/fabric/DPoD/orderer.example.com:/etc/hyperledger/fabric/DPoD/orderer.example.com
```

b. Add the following lines to the end of the peer0.org1.example.com and peer1.org1.example.com sections:

```yaml
    environment:
      - CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
      - CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/org1.example.com/libs/64/libCryptoki2.so
      - ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/org1.example.com
    volumes:
      - /etc/hyperledger/fabric/DPoD/org1.example.com:/etc/hyperledger/fabric/DPoD/org1.example.com
```

c. Add the following lines to the end of the peer0.org2.example.com and peer1.org2.example.com sections:

```yaml
    environment:
      - CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
      - CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/org2.example.com/libs/64/libCryptoki2.so
      - ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/org2.example.com
    volumes:
      - /etc/hyperledger/fabric/DPoD/org2.example.com:/etc/hyperledger/fabric/DPoD/org2.example.com
```

d. Add the following lines to the cli volumes section:

```yaml
      - /etc/hyperledger/fabric/DPoD:/etc/hyperledger/fabric/DPoD
      - ./core.yaml:/etc/hyperledger/fabric/core.yaml
```
Open the scripts/scripts.sh file in a text editor.
a. Add the following lines to the setGlobals function after the line "if [ $1 -eq 0 -o $1 -eq 1 ] ; then":

```bash
export CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/org1.example.com/libs/64/libCryptoki2.so
export CORE_PEER_BCCSP_PKCS11_PIN=userpin
export CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
export ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/org1.example.com
```

b. Add the following lines to the setGlobals function after "else":

```bash
export CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/org2.example.com/libs/64/libCryptoki2.so
export CORE_PEER_BCCSP_PKCS11_PIN=userpin
export CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
export ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/org2.example.com
```

c. Add the following lines to the beginning of the checkOSNAvailability function:

```bash
export CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/DPoD/orderer.example.com/libs/64/libCryptoki2.so
export CORE_PEER_BCCSP_PKCS11_PIN=userpin
export CORE_PEER_BCCSP_PKCS11_LABEL=orderer.example.com
export ChrystokiConfigurationPath=/etc/hyperledger/fabric/DPoD/orderer.example.com
```
Open the generateArtifacts.sh file in a text editor. Edit the bottom section of the file so that gencerts.sh creates the key material after cryptogen has run. Modify the file so it appears as follows:

```bash
generateCerts
generateIdemixMaterial
replacePrivateKey
./gencerts.sh
generateChannelArtifacts
```

Open the network_setup.sh file in a text editor. Comment out the following line in the networkDown function so that the artifacts are not deleted:

```bash
rm -rf channel-artifacts/*.block channel-artifacts/*.tx crypto-config
```

Enter the following commands to run e2e_cli.

```bash
./generateArtifacts.sh
./network_setup.sh up
```