fabric-ca deployment

Deploying a fabric-ca

Create a consortium made up of two organizations, org1.example.com and org2.example.com.

There is also an organization, example.com, used to deploy the orderer.

The organization example.com deploys one orderer in solo mode. (How to deploy multiple orderers will be explored later.)
orderer.example.com

The organization org1.example.com deploys two peers:
peer0.org1.example.com
peer1.org1.example.com

The organization org2.example.com deploys one peer:
peer0.org2.example.com

Every organization needs an Admin user, and every component (peer/orderer) also needs an account, so 7 identities need to be created through Fabric CA:
example.com: Admin@example.com orderer.example.com
org1.example.com: Admin@org1.example.com peer0.org1.example.com peer1.org1.example.com
org2.example.com: Admin@org2.example.com peer0.org2.example.com

Only the Admin users and the component accounts are created here. Ordinary users are created the same way, except that an ordinary user's certificate is not added to the admincerts directory of the target component.

Put another way: if a user's certificate is added to the msp/admincerts directory of an organization or component, that user is an administrator of it.

Starting fabric-ca

Building fabric-ca:

$ go get -u github.com/hyperledger/fabric-ca
$ cd $GOPATH/src/github.com/hyperledger/fabric-ca
$ make fabric-ca-server
$ make fabric-ca-client
$ ls bin/
fabric-ca-client fabric-ca-server

Here fabric-ca is deployed in the /opt/app/fabric-ca/server directory:

mkdir -p /opt/app/fabric-ca/server
cp -rf $GOPATH/src/github.com/hyperledger/fabric-ca/bin/* /opt/app/fabric-ca/server
ln -s /opt/app/fabric-ca/server/fabric-ca-client /usr/bin/fabric-ca-client

Start the CA directly. The fabric-ca admin's name is admin and its password is pass. (This is only a demonstration; for production use, configure these according to your actual situation.)

cd /opt/app/fabric-ca/server
./fabric-ca-server start -b admin:pass &

If you need to be able to remove affiliations and identities, start it this way instead:

cd /opt/app/fabric-ca/server
./fabric-ca-server start -b admin:pass --cfg.affiliations.allowremove --cfg.identities.allowremove &

Generating the fabric-ca admin's credentials

mkdir /root/fabric-deploy
cd ~/fabric-deploy
mkdir fabric-ca-files

Generate the fabric-ca admin's credentials, using the -H parameter to specify the client directory:

mkdir -p `pwd`/fabric-ca-files/admin
fabric-ca-client enroll -u http://admin:pass@localhost:7054 -H `pwd`/fabric-ca-files/admin

The client's working directory can also be specified with the environment variable FABRIC_CA_CLIENT_HOME; the generated user credentials are stored in that directory.

export FABRIC_CA_CLIENT_HOME=`pwd`/fabric-ca-files/admin
mkdir -p $FABRIC_CA_CLIENT_HOME
fabric-ca-client enroll -u http://admin:pass@localhost:7054

Creating affiliations

With the startup above, two organizations are created by default:

$ fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation list
2018/05/07 02:36:46 [INFO] [::1]:56148 GET /affiliations 200 0 "OK"
affiliation: .
affiliation: org2
affiliation: org2.department1
affiliation: org1
affiliation: org1.department1
affiliation: org1.department2

To keep the output concise when listing information, remove them with the following commands:
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation remove --force org1
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation remove --force org2

Run the following commands to create the affiliations:
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation add com
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation add com.example
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation add com.example.org1
fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation add com.example.org2

Note: affiliations are hierarchical.

The affiliations created are as follows:
$ fabric-ca-client -H `pwd`/fabric-ca-files/admin affiliation list
2018/04/28 15:19:34 [INFO] 127.0.0.1:38160 GET /affiliations 201 0 "OK"
affiliation: com
affiliation: com.example
affiliation: com.example.org1
affiliation: com.example.org2

Preparing the MSP for each organization

This means reading the root certificate used to sign users, and related files, out of Fabric-CA.

Prepare the MSP for example.com, storing the CA certificate and related files in the example.com organization's directory:
mkdir -p ./fabric-ca-files/example.com/msp
fabric-ca-client getcacert -M `pwd`/fabric-ca-files/example.com/msp   # -M must be given an absolute path

When the command finishes, the following files are in fabric-ca-files/example.com/msp:
$ tree fabric-ca-files/example.com/msp/
example.com/msp/
|-- cacerts
| `-- localhost-7054.pem
|-- intermediatecerts
| `-- localhost-7054.pem
|-- keystore
`-- signcerts

Note that the msp directory obtained with getcacert contains only CA certificates, and since no intermediate CA is used here, fabric-ca-files/example.com/msp/intermediatecerts/localhost-7054.pem is an empty file.

Obtain the MSP for org1.example.com in the same way:
mkdir -p fabric-ca-files/org1.example.com/msp
fabric-ca-client getcacert -M `pwd`/fabric-ca-files/org1.example.com/msp

Prepare the MSP for org2.example.com:
mkdir -p ./fabric-ca-files/org2.example.com/msp
fabric-ca-client getcacert -M `pwd`/fabric-ca-files/org2.example.com/msp

Here getcacert is used to prepare the CA files each organization needs; they are used when generating the genesis block.
fabric-ca version 1.1.0 only generates the certificates and keys that users need to operate the blockchain; it does not generate the certificates used to encrypt gRPC communication.

Here the TLS certificates generated earlier with cryptogen are reused, so the CA that verifies the TLS certificates must be added to the msp directory, as follows:
cp -rf certs/ordererOrganizations/example.com/msp/tlscacerts fabric-ca-files/example.com/msp/
cp -rf certs/peerOrganizations/org1.example.com/msp/tlscacerts/ fabric-ca-files/org1.example.com/msp/
cp -rf certs/peerOrganizations/org2.example.com/msp/tlscacerts/ fabric-ca-files/org2.example.com/msp/

If in your environment the certificates for the components' domain names are signed by a third-party CA, add that third-party CA's root certificate to the msp/tlscacerts directory.

An organization's msp directory contains only CA root certificates: the root certificate for TLS encryption and the root certificate for identity verification. The admin user's certificate is also needed; it is added in the steps that follow.

Registering example.com's administrator Admin@example.com

It can be done directly on the command line (the command is long, so it is split across lines with \ here):

fabric-ca-client register --id.name Admin@example.com --id.type client --id.affiliation "com.example" \
  --id.attrs '"hf.Registrar.Roles=client,orderer,peer,user","hf.Registrar.DelegateRoles=client,orderer,peer,user",'\
'hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert'

The command-line parameters can also be written into the fabric-ca admin's configuration file, fabric-ca-files/admin/fabric-ca-client-config.yaml.

$ ls fabric-ca-files/admin/
fabric-ca-client-config.yaml msp

For clarity of demonstration, the configuration-file approach is used here. Change the id section of fabric-ca-files/admin/fabric-ca-client-config.yaml to:

id:
  name: Admin@example.com
  type: client
  affiliation: com.example
  maxenrollments: 0
  attributes:
    - name: hf.Registrar.Roles
      value: client,orderer,peer,user
    - name: hf.Registrar.DelegateRoles
      value: client,orderer,peer,user
    - name: hf.Registrar.Attributes
      value: "*"
    - name: hf.GenCRL
      value: true
    - name: hf.Revoker
      value: true
    - name: hf.AffiliationMgr
      value: true
    - name: hf.IntermediateCA
      value: true
    - name: role
      value: admin
      ecert: true

Note the role attribute at the end: it is a custom attribute. For custom attributes you must decide whether they go into the certificate; in the configuration file, ecert has to be set explicitly to true or false. On the command line, the suffix :ecert means true, for example:

fabric-ca-client register --id.affiliation "com.example.org1" --id.attrs "role=admin:ecert"

Running the following command completes the registration of the user `Admin@example.com`. Note that this registration is performed with the fabric CA's admin account:

fabric-ca-client register -H `pwd`/fabric-ca-files/admin --id.secret=password

If no password is specified with --id.secret, one is generated automatically.

The meaning of the other settings: the user name is `Admin@example.com`, the type is client, and it can manage the users under `com.example.*`, as follows:

--id.name Admin@example.com                          // user name
--id.type client                                     // type is client
--id.affiliation "com.example"                       // affiliation it may access
hf.Registrar.Roles=client,orderer,peer,user          // identity types it can manage (register)
hf.Registrar.DelegateRoles=client,orderer,peer,user  // identity types it may authorize sub-users to manage
hf.Registrar.Attributes=*                            // can set any attribute on sub-users
hf.GenCRL=true                                       // can generate a certificate revocation list
hf.Revoker=true                                      // can revoke identities
hf.AffiliationMgr=true                               // can manage affiliations
hf.IntermediateCA=true                               // can act as an intermediate CA
role=admin:ecert                                     // custom attribute, placed in the certificate

After registration, Admin@example.com's credentials still need to be generated:

$ mkdir -p ./fabric-ca-files/example.com/admin
$ fabric-ca-client enroll -u http://Admin@example.com:password@localhost:7054 -H `pwd`/fabric-ca-files/example.com/admin
$ ls ./fabric-ca-files/example.com/admin
fabric-ca-client-config.yaml msp/

Now the affiliations can be listed with the identity Admin@example.com:

$ fabric-ca-client affiliation list -H `pwd`/fabric-ca-files/example.com/admin
2018/04/28 15:35:10 [INFO] 127.0.0.1:38172 GET /affiliations 201 0 "OK"
affiliation: com
affiliation: com.example
affiliation: com.example.org1
affiliation: com.example.org2

Finally, copy Admin@example.com's certificate into example.com/msp/admincerts/:

mkdir fabric-ca-files/example.com/msp/admincerts/
cp fabric-ca-files/example.com/admin/msp/signcerts/cert.pem fabric-ca-files/example.com/msp/admincerts/

Registering org1.example.com's administrator Admin@org1.example.com

Prepare a directory for org1.example.com's administrator Admin@org1.example.com:

cd ~/fabric-deploy
mkdir -p ./fabric-ca-files/org1.example.com/admin

Change the id section of fabric-ca-files/admin/fabric-ca-client-config.yaml to:

id:
  name: Admin@org1.example.com
  type: client
  affiliation: com.example.org1
  maxenrollments: 0
  attributes:
    - name: hf.Registrar.Roles
      value: client,orderer,peer,user
    - name: hf.Registrar.DelegateRoles
      value: client,orderer,peer,user
    - name: hf.Registrar.Attributes
      value: "*"
    - name: hf.GenCRL
      value: true
    - name: hf.Revoker
      value: true
    - name: hf.AffiliationMgr
      value: true
    - name: hf.IntermediateCA
      value: true
    - name: role
      value: admin
      ecert: true

Register:

fabric-ca-client register -H `pwd`/fabric-ca-files/admin --id.secret=password

Generate the credentials:

$ fabric-ca-client enroll -u http://Admin@org1.example.com:password@localhost:7054  -H `pwd`/fabric-ca-files/org1.example.com/admin
$ ls ./fabric-ca-files/org1.example.com/admin
fabric-ca-client-config.yaml msp/

List the affiliations:

$ fabric-ca-client affiliation list -H `pwd`/fabric-ca-files/org1.example.com/admin
2018/05/04 15:42:53 [INFO] 127.0.0.1:51298 GET /affiliations 201 0 "OK"
affiliation: com
affiliation: com.example
affiliation: com.example.org1

Note the difference from `Admin@example.com`: here only the affiliation com.example.org1 is visible.

Copy Admin@org1.example.com's certificate into org1.example.com's msp/admincerts:

mkdir fabric-ca-files/org1.example.com/msp/admincerts/
cp fabric-ca-files/org1.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org1.example.com/msp/admincerts/

The `Admin@org1.example.com` directory also needs an msp/admincerts directory, because the peer command requires admincerts to exist when operating fabric:

mkdir fabric-ca-files/org1.example.com/admin/msp/admincerts/     # note: this is the org1.example.com/admin directory
cp fabric-ca-files/org1.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org1.example.com/admin/msp/admincerts/

Also, since no intermediate CA is used here, delete the empty file in intermediatecerts; otherwise the peer prints a Warning:

rm fabric-ca-files/org1.example.com/admin/msp/intermediatecerts/*

Registering org2.example.com's administrator Admin@org2.example.com

Prepare a directory for org2.example.com's administrator Admin@org2.example.com:

cd ~/fabric-deploy
mkdir -p ./fabric-ca-files/org2.example.com/admin

Change the id section of fabric-ca-files/admin/fabric-ca-client-config.yaml to:

id:
  name: Admin@org2.example.com
  type: client
  affiliation: com.example.org2
  maxenrollments: 0
  attributes:
    - name: hf.Registrar.Roles
      value: client,orderer,peer,user
    - name: hf.Registrar.DelegateRoles
      value: client,orderer,peer,user
    - name: hf.Registrar.Attributes
      value: "*"
    - name: hf.GenCRL
      value: true
    - name: hf.Revoker
      value: true
    - name: hf.AffiliationMgr
      value: true
    - name: hf.IntermediateCA
      value: true
    - name: role
      value: admin
      ecert: true

Register:

fabric-ca-client register -H `pwd`/fabric-ca-files/admin --id.secret=password

Generate the credentials:

$ fabric-ca-client enroll -u http://Admin@org2.example.com:password@localhost:7054  -H `pwd`/fabric-ca-files/org2.example.com/admin
$ ls ./fabric-ca-files/org2.example.com/admin
fabric-ca-client-config.yaml msp/

List the affiliations:

$ fabric-ca-client affiliation list -H `pwd`/fabric-ca-files/org2.example.com/admin
2018/05/02 16:49:00 [INFO] 127.0.0.1:50828 GET /affiliations 201 0 "OK"
affiliation: com
affiliation: com.example
affiliation: com.example.org2

Admin@org2.example.com can only see the affiliation com.example.org2.

Copy Admin@org2.example.com's certificate into org2.example.com's msp/admincerts:

mkdir fabric-ca-files/org2.example.com/msp/admincerts/
cp fabric-ca-files/org2.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org2.example.com/msp/admincerts/

The Admin@org2.example.com directory also needs an msp/admincerts directory, because the peer command requires admincerts to exist when operating fabric:

mkdir fabric-ca-files/org2.example.com/admin/msp/admincerts/
cp fabric-ca-files/org2.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org2.example.com/admin/msp/admincerts/

Also, since no intermediate CA is used here, delete the empty file in intermediatecerts; otherwise the peer prints a Warning:

rm fabric-ca-files/org2.example.com/admin/msp/intermediatecerts/*

Each organization creates its other accounts with its own Admin account

The three organizations example.com, org1.example.com and org2.example.com can now each create sub-accounts using their own Admin account.

orderer.example.com

Register the account orderer.example.com using `Admin@example.com`. Note that the directory specified this time is fabric-ca-files/example.com/admin/.

Modify fabric-ca-files/example.com/admin/fabric-ca-client-config.yaml:

id:
  name: orderer.example.com
  type: orderer
  affiliation: com.example
  maxenrollments: 0
  attributes:
    - name: role
      value: orderer
      ecert: true

Register and generate the credentials:

fabric-ca-client register -H `pwd`/fabric-ca-files/example.com/admin --id.secret=password
mkdir ./fabric-ca-files/example.com/orderer
fabric-ca-client enroll -u http://orderer.example.com:password@localhost:7054 -H `pwd`/fabric-ca-files/example.com/orderer

Copy `Admin@example.com`'s certificate into fabric-ca-files/example.com/orderer/msp/admincerts:

mkdir fabric-ca-files/example.com/orderer/msp/admincerts
cp fabric-ca-files/example.com/admin/msp/signcerts/cert.pem fabric-ca-files/example.com/orderer/msp/admincerts/

peer0.org1.example.com

Register the account peer0.org1.example.com using `Admin@org1.example.com`. The directory specified this time is fabric-ca-files/org1.example.com/admin/.

Modify fabric-ca-files/org1.example.com/admin/fabric-ca-client-config.yaml:

id:
  name: peer0.org1.example.com
  type: peer
  affiliation: com.example.org1
  maxenrollments: 0
  attributes:
    - name: role
      value: peer
      ecert: true

Register and generate the credentials:

fabric-ca-client register -H `pwd`/fabric-ca-files/org1.example.com/admin --id.secret=password
mkdir ./fabric-ca-files/org1.example.com/peer0
fabric-ca-client enroll -u http://peer0.org1.example.com:password@localhost:7054 -H `pwd`/fabric-ca-files/org1.example.com/peer0

Copy `Admin@org1.example.com`'s certificate into fabric-ca-files/org1.example.com/peer0/msp/admincerts:

mkdir fabric-ca-files/org1.example.com/peer0/msp/admincerts
cp fabric-ca-files/org1.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org1.example.com/peer0/msp/admincerts/

peer1.org1.example.com

Register the account peer1.org1.example.com using `Admin@org1.example.com`. The directory specified this time is fabric-ca-files/org1.example.com/admin/.

Modify fabric-ca-files/org1.example.com/admin/fabric-ca-client-config.yaml:

id:
  name: peer1.org1.example.com
  type: peer
  affiliation: com.example.org1
  maxenrollments: 0
  attributes:
    - name: role
      value: peer
      ecert: true

Register and generate the credentials:

fabric-ca-client register -H `pwd`/fabric-ca-files/org1.example.com/admin --id.secret=password
mkdir ./fabric-ca-files/org1.example.com/peer1
fabric-ca-client enroll -u http://peer1.org1.example.com:password@localhost:7054 -H `pwd`/fabric-ca-files/org1.example.com/peer1

Copy `Admin@org1.example.com`'s certificate into fabric-ca-files/org1.example.com/peer1/msp/admincerts:

mkdir fabric-ca-files/org1.example.com/peer1/msp/admincerts
cp fabric-ca-files/org1.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org1.example.com/peer1/msp/admincerts/

peer0.org2.example.com

Register the account peer0.org2.example.com using `Admin@org2.example.com`. The directory specified this time is fabric-ca-files/org2.example.com/admin/.

Modify fabric-ca-files/org2.example.com/admin/fabric-ca-client-config.yaml:

id:
  name: peer0.org2.example.com
  type: peer
  affiliation: com.example.org2
  maxenrollments: 0
  attributes:
    - name: role
      value: peer
      ecert: true

Register and generate the credentials:

fabric-ca-client register -H `pwd`/fabric-ca-files/org2.example.com/admin --id.secret=password
mkdir ./fabric-ca-files/org2.example.com/peer0
fabric-ca-client enroll -u http://peer0.org2.example.com:password@localhost:7054 -H `pwd`/fabric-ca-files/org2.example.com/peer0

Copy `Admin@org2.example.com`'s certificate into fabric-ca-files/org2.example.com/peer0/msp/admincerts:

mkdir fabric-ca-files/org2.example.com/peer0/msp/admincerts
cp fabric-ca-files/org2.example.com/admin/msp/signcerts/cert.pem fabric-ca-files/org2.example.com/peer0/msp/admincerts/

Note:

It was found earlier that certificates generated directly this way are missing something, so a config.yaml needs to be configured under each organization's msp directory:

[root@localhost msp]# pwd
/data/fabric/fabric-ca-files/gzyb.vaccine.com/msp
[root@localhost msp]# cat config.yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/localhost-7054.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/localhost-7054.pem
    OrganizationalUnitIdentifier: peer