Fabric CA study notes (code snippets)

weixin_44157851     2023-04-05     757



Every machine node and every user that joins a Fabric consortium network must first be registered and obtain a certificate issued by a CA; only then can it operate on the network. The certificate authority provides the following functions:

identity registration, or connection to LDAP (Lightweight Directory Access Protocol) as the user registry;
issuing enrollment certificates (ECerts);
issuing transaction certificates (TCerts), which provided anonymity and unlinkability for transactions on the Hyperledger Fabric blockchain (a feature of the early Fabric 0.6 membership service; the Fabric CA 1.x releases used in this walkthrough issue ECerts only, which is why TCerts do not appear again below);
certificate renewal and revocation.

There are two ways to interact with a Hyperledger Fabric CA server: through the Hyperledger Fabric CA client or through one of the Fabric SDKs. All communication with the server goes over its REST API (over HTTPS once TLS is enabled on the server, as it is in every container below).

All Hyperledger Fabric CA servers in a cluster share one database for tracking identities and certificates. If LDAP is configured, identity information is kept in LDAP instead of the database.

One server may host multiple CAs. Each CA is either a root CA or an intermediate CA, and each intermediate CA has a parent CA that is either a root CA or another intermediate CA.

What is Fabric CA

Hyperledger Fabric CA is the certificate authority (CA) for Hyperledger Fabric.
It provides the following functions:

  • identity registration, or connection to LDAP as the user registry
  • issuing enrollment certificates (ECerts)
  • certificate renewal and revocation

Fabric CA consists of a server component and a client component.

TLS certificates are used in the TLS handshake and protect the network links between components. With standard (one-way) TLS a client can be sure that the server it connects to really is the one it intended, not another party impersonating that destination. When mutual TLS is enabled, the server additionally verifies that the client is authorized to establish the TLS connection, on top of the client-to-server guarantee of standard TLS.

Enrollment (signing) certificates issued by the organization CA are used to transact on the Fabric network. Clients sign the proposals they send to peers and the transactions they send to orderers with their signing certificate; peers sign proposal responses (endorsements) with theirs; orderers sign the blocks they cut, which are then delivered back to peers and clients. When a "certificate" is mentioned without being explicitly called a TLS certificate, it is usually a signing certificate.

Production recommendations

Deploy two CAs per organization, an organization CA and a TLS CA:

  • TLS CA:
    protects communication between the organization's nodes by issuing the TLS certificates of all nodes
  • Organization CA:
    issues the organization's identities, for nodes and for users/admins alike

Keeping the two separate limits the blast radius: a compromised TLS CA lets an attacker impersonate endpoints on the wire but not sign transactions or endorsements as a member of the organization, and vice versa.

Ordering service nodes should not belong to the same organization as the peers, so create separate organizations for the peer organizations and for the ordering service.

Deploy the CA services in this order:
1) TLS CA
2) organization CA

The CA signing key in each server's keystore is the root of trust for everything that CA issues. The walkthrough below keeps it on a local /tmp volume, which is fine for a lab; in production keep it on a persistent, access-controlled volume or in an HSM through the server's PKCS11 BCCSP option, and do not run the server with debug logging enabled.

Overall architecture

The official guide uses a multi-machine deployment; to keep things simple, everything here runs on a single machine.

The overall architecture used in this article:
Three organizations

Org0 -> organization 0
Org1 -> organization 1
Org2 -> organization 2
Members of each organization

Org0: one orderer node and one Org0 admin identity
Org1: two peer nodes, one Org1 admin identity and one Org1 user identity
Org2: two peer nodes, one Org2 admin identity and one Org2 user identity
Four CA servers

TLS CA server: issues TLS certificates to every node in the network, used to encrypt and authenticate communication
Org1 CA server: issues certificates to all identities in organization 1
Org2 CA server: issues certificates to all identities in organization 2
Org0 CA server: issues certificates to all identities in organization 0
All four CA servers are root CAs and completely independent of one another: a certificate issued by one of them is not recognized by any of the others, since each MSP trusts only the root certificates placed in its own cacerts and tlscacerts directories.

I. Installation

1. Prerequisites

### dependencies and the Go environment
yum install libtool libltdl-dev go  docker
### also needed
docker-compose

Note that libltdl-dev is the Debian/Ubuntu package name; on yum-based distributions the equivalent package is libtool-ltdl-devel.

II. Set up the TLS CA

The TLS CA issues TLS certificates. These are needed to secure the communication between the various processes.

1. Start the TLS CA container

The bootstrap admin credentials (-b tls-ca-admin:tls-ca-adminpw) and debug logging (-d) on the command line below are visible to anyone who can run docker inspect on the host; they are acceptable for this lab only.

  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=tls-ca
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7052:7052
docker-compose up -d ca-tls 

1.2 Directory structure

[root@10 hyperledger]# tree
           crypto
            ├── ca-cert.pem        #### the TLS CA's own self-signed signing certificate (its root certificate)
            ├── fabric-ca-server-config.yaml
            ├── fabric-ca-server.db
            ├── IssuerPublicKey          ## Idemix issuer public key
            ├── IssuerRevocationPublicKey
            ├── msp        ### the server's own MSP: its signing certificate and its private keys
            │   ├── cacerts
            │   ├── keystore    #### private keys; the *_sk file is the CA signing key, the root of trust for everything this CA issues
            │   │   ├── 5d3c6784f5d5d0df8f368e6cda6c483f5ebe8b7189fa8817c3543b487b654bdf_sk
            │   │   ├── IssuerRevocationPrivateKey
            │   │   └── IssuerSecretKey      ## Idemix issuer secret key
            │   ├── signcerts ## X.509 certificate(s) of the identity owning this MSP; the same kind of file that, copied into a node's admincerts, marks an identity as that node's admin
            │   └── user
            └── tls-cert.pem  ### the server's own TLS (HTTPS endpoint) certificate, issued under ca-cert.pem; not a root certificate


The ca-cert.pem file under /tmp/hyperledger/tls-ca/crypto/ is the TLS CA's self-signed root certificate. Clients point FABRIC_CA_CLIENT_TLS_CERTFILES at it (or at tls-cert.pem, which chains to it) to authenticate the CA's HTTPS endpoint, so nothing can be enrolled without it, and every node later needs it as the trust anchor for the TLS certificates this CA issues.

In a multi-machine deployment copy it to every machine. It is public; only the contents of keystore are secret.

2. Enroll the TLS CA admin and register the node identities

The --id.secret values below are one-time bootstrap credentials for each node. They are passed on the command line (and so end up in shell history), and registration defaults to unlimited enrollments, so in a real deployment pass --id.maxenrollments 1 and let the operator of each node enroll exactly once.

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin

fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052

fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
#### list the registered identities
[root@10 tls-ca]# fabric-ca-client identity list
Name: tls-ca-admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.GenCRL Value:1 ECert:false Name:hf.Registrar.Attributes Value:* ECert:false Name:hf.AffiliationMgr Value:1 ECert:false Name:hf.Registrar.Roles Value:* ECert:false Name:hf.Registrar.DelegateRoles Value:* ECert:false Name:hf.Revoker Value:1 ECert:false Name:hf.IntermediateCA Value:1 ECert:false]
Name: peer1-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:peer1-org1 ECert:true Name:hf.Type Value:peer ECert:true Name:hf.Affiliation Value: ECert:true]
Name: peer2-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:peer2-org1 ECert:true Name:hf.Type Value:peer ECert:true Name:hf.Affiliation Value: ECert:true]
Name: peer1-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:peer1-org2 ECert:true Name:hf.Type Value:peer ECert:true Name:hf.Affiliation Value: ECert:true]
Name: peer2-org2, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:peer2-org2 ECert:true Name:hf.Type Value:peer ECert:true Name:hf.Affiliation Value: ECert:true]
Name: orderer1-org0, Type: orderer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:orderer1-org0 ECert:true Name:hf.Type Value:orderer ECert:true Name:hf.Affiliation Value: ECert:true]
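The identity list above is worth auditing before anything is enrolled: every node identity was registered with Max Enrollments -1, so its --id.secret can be replayed to enroll any number of times (a leaked secret yields a fresh, valid certificate until the identity is revoked), no identity has an affiliation, and only tls-ca-admin should hold the hf.Registrar.*, hf.Revoker, hf.GenCRL, hf.AffiliationMgr and hf.IntermediateCA attributes. The Go program below is an added example, not part of the original post: it parses the text format of fabric-ca-client identity list and prints those findings. Its sample input is constructed from two lines of the output above plus one made-up identity, ops-helper, registered with a registrar attribute of its own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Identity is one line of `fabric-ca-client identity list` output.
type Identity struct {
	Name           string
	Type           string
	Affiliation    string
	MaxEnrollments int               // -1 means unlimited
	Attrs          map[string]string // attribute name -> value
	ECert          map[string]bool   // attribute name -> embedded in the ECert by default
}

// Finding is one audit observation about an identity.
type Finding struct {
	Identity string
	Issue    string
}

var (
	lineRe = regexp.MustCompile(`^Name: (\S+), Type: (\S+), Affiliation: (\S*), Max Enrollments: (-?\d+), Attributes: \[(.*)\]$`)
	attrRe = regexp.MustCompile(`Name:(\S+) Value:(\S*) ECert:(true|false)`)
)

// privilegedAttrs let an identity act on the CA itself: register or revoke
// identities, delegate those rights, manage affiliations, generate CRLs, or
// enroll as an intermediate CA. Only the registrar admin should carry them.
var privilegedAttrs = []string{
	"hf.Registrar.Roles", "hf.Registrar.DelegateRoles", "hf.Registrar.Attributes",
	"hf.Revoker", "hf.GenCRL", "hf.AffiliationMgr", "hf.IntermediateCA",
}

// ParseIdentityList parses the text output of `fabric-ca-client identity list`.
// Lines that do not match the format (blank lines, shell prompts) are skipped.
func ParseIdentityList(out string) []Identity {
	var ids []Identity
	for _, line := range strings.Split(out, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		n, _ := strconv.Atoi(m[4]) // the regexp guarantees an integer
		id := Identity{Name: m[1], Type: m[2], Affiliation: m[3], MaxEnrollments: n,
			Attrs: map[string]string{}, ECert: map[string]bool{}}
		for _, a := range attrRe.FindAllStringSubmatch(m[5], -1) {
			id.Attrs[a[1]] = a[2]
			id.ECert[a[1]] = a[3] == "true"
		}
		ids = append(ids, id)
	}
	return ids
}

// Audit reports identities whose enrollment secret can be replayed without
// limit, identities registered with no affiliation, and any identity other
// than the bootstrap admin that holds a registrar-level attribute.
func Audit(ids []Identity, bootstrapAdmin string) []Finding {
	var fs []Finding
	for _, id := range ids {
		if id.MaxEnrollments == -1 && id.Name != bootstrapAdmin {
			fs = append(fs, Finding{id.Name, "unlimited enrollments: a leaked --id.secret yields new certificates until the identity is revoked (register with --id.maxenrollments 1)"})
		}
		if id.Affiliation == "" {
			fs = append(fs, Finding{id.Name, "no affiliation: the identity is not scoped to any organisational unit"})
		}
		if id.Name == bootstrapAdmin {
			continue
		}
		for _, a := range privilegedAttrs {
			if v, ok := id.Attrs[a]; ok && v != "" && v != "0" && v != "false" {
				fs = append(fs, Finding{id.Name, "holds registrar attribute " + a + "=" + v})
			}
		}
	}
	return fs
}

// sampleOutput is constructed for this example: the first two lines are copied
// from the identity list above; ops-helper is invented to show a registrar finding.
const sampleOutput = `Name: tls-ca-admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.GenCRL Value:1 ECert:false Name:hf.Registrar.Attributes Value:* ECert:false Name:hf.AffiliationMgr Value:1 ECert:false Name:hf.Registrar.Roles Value:* ECert:false Name:hf.Registrar.DelegateRoles Value:* ECert:false Name:hf.Revoker Value:1 ECert:false Name:hf.IntermediateCA Value:1 ECert:false]
Name: peer1-org1, Type: peer, Affiliation: , Max Enrollments: -1, Attributes: [Name:hf.EnrollmentID Value:peer1-org1 ECert:true Name:hf.Type Value:peer ECert:true Name:hf.Affiliation Value: ECert:true]
Name: ops-helper, Type: client, Affiliation: org1.ops, Max Enrollments: 1, Attributes: [Name:hf.EnrollmentID Value:ops-helper ECert:true Name:hf.Type Value:client ECert:true Name:hf.Affiliation Value:org1.ops ECert:true Name:hf.Registrar.Roles Value:peer,client ECert:false]
`

func main() {
	for _, f := range Audit(ParseIdentityList(sampleOutput), "tls-ca-admin") {
		fmt.Printf("%-14s %s\n", f.Identity, f.Issue)
	}
}
```

Replace sampleOutput with the real output to run it against a live CA. The bootstrap admin's unlimited enrollments are skipped on purpose (it is the registrar), but its empty affiliation is still reported, because a registrar with an empty affiliation can register identities under any affiliation.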

III. Set up the orderer organization (Org0) CA

1. Start the container

  rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org0
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7053:7053
docker-compose up -d rca-org0

2. Enroll the Org0 CA admin and register the orderer and admin identities

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin

fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
sleep 5

fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type user -u https://0.0.0.0:7053

Directory structure of the admin client home after enrolling

admin/
├── fabric-ca-client-config.yaml
└── msp
    ├── cacerts
    │   └── 0-0-0-0-7053.pem   ## the CA's root certificate, named after the server address
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 2da4e5e8d777be61fc29e81b4295c97f40395a0d9cbe7dddbfd12e8c6beda6af_sk   ## private key generated on the client; only the CSR is sent to the CA, the key never leaves the client
    ├── signcerts
    │   └── cert.pem ## the admin's enrollment certificate, signed by the CA
    └── user


IV. Set up the Org1 CA

1. Start the container

 rca-org1:
    container_name: rca-org1
    image: hyperledger/fabric-ca:1.4.9
    command: sh -c 'fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org1
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7054:7054
docker-compose up -d rca-org1

2. Enroll the Org1 CA admin and register the Org1 identities

Identities to register:
Peer 1 (peer1-org1)
Peer 2 (peer2-org1)
Admin (admin-org1)
End user (user-org1)

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin

fabric-ca-client enroll -d -u https://rca-org1-admin:rca-org1-adminpw@0.0.0.0:7054

fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://0.0.0.0:7054

V. Set up the Org2 CA

1. Start the container

rca-org2:
    container_name: rca-org2
    image: hyperledger/fabric-ca:1.4.9
    command: /bin/bash -c 'fabric-ca-server start -d -b rca-org2-admin:rca-org2-adminpw --port 7055'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org2
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7055:7055
docker-compose up -d rca-org2

2. Enroll the Org2 CA admin and register the Org2 identities

export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/ca/admin
fabric-ca-client enroll -d -u https://rca-org2-admin:rca-org2-adminpw@0.0.0.0:7055

fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type user --id.attrs "abac.init=true:ecert" -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name user-org2 --id.secret org2UserPW --id.type user -u https://0.0.0.0:7055

admin-org2 is registered with the custom attribute abac.init=true. The :ecert suffix tells the CA to embed the attribute in the enrollment certificate by default, so chaincode can evaluate it (attribute-based access control) without consulting the CA; user-org2 gets no such attribute.
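How abac.init ends up inside admin-org2's certificate, and what a consumer must check before trusting it, is easiest to see with a certificate in hand. The Go program below is an added example and not Fabric CA's own code: it creates a throw-away root CA standing in for rca-org2, issues an enrollment certificate with the attribute extension Fabric CA uses (OID 1.2.3.4.5.6.7.8.1 carrying a JSON document of the form {"attrs":{...}}), reads the attributes back, and implements the check that chaincode performs through cid.AssertAttributeValue. The verification step also demonstrates the point from the architecture section: the same certificate presented against a different organization's root (another independent CA) is rejected before its attributes are even read. CA names and identities are taken from this page; the keys, validity periods and serial numbers are fixtures of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// attrOID is the X.509 extension in which Fabric CA stores identity attributes
// inside an enrollment certificate (attrmgr package in hyperledger/fabric).
var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// attributes is the JSON document Fabric CA writes into that extension.
type attributes struct {
	Attrs map[string]string `json:"attrs"`
}

// sign issues tmpl with a fresh P-256 key, signed by parent/parentKey, or
// self-signed when parent is nil. A local stand-in for the CA's signer.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newOrgCA creates a self-signed root standing in for one of the root CAs
// above (rca-org2, rca-org1, ...). The 24h validity is a fixture of the example.
func newOrgCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueECert issues an enrollment certificate the way `enroll` does after
// `register --id.type <idType> --id.attrs "k=v:ecert"`: hf.EnrollmentID,
// hf.Type and hf.Affiliation are always embedded, plus every :ecert attribute.
func issueECert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, enrollmentID, idType string, extra map[string]string) (*x509.Certificate, error) {
	attrs := attributes{Attrs: map[string]string{
		"hf.EnrollmentID": enrollmentID, "hf.Type": idType, "hf.Affiliation": "",
	}}
	for k, v := range extra {
		attrs.Attrs[k] = v
	}
	attrJSON, err := json.Marshal(attrs)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	cert, _, err := sign(&x509.Certificate{
		SerialNumber:    big.NewInt(now.UnixNano()),
		Subject:         pkix.Name{CommonName: enrollmentID, OrganizationalUnit: []string{idType}},
		NotBefore:       now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: attrJSON}},
	}, ca, caKey)
	return cert, err
}

// certAttributes reads the Fabric attribute map back out of a certificate.
func certAttributes(cert *x509.Certificate) (map[string]string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attrOID) {
			var a attributes
			err := json.Unmarshal(ext.Value, &a)
			return a.Attrs, err
		}
	}
	return nil, fmt.Errorf("certificate %q carries no Fabric attribute extension", cert.Subject.CommonName)
}

// assertAttributeValue mirrors cid.AssertAttributeValue in chaincode: the
// certificate must chain to the trusted organization CA (an attribute inside a
// certificate from any other CA must not count), and the attribute must be
// present with exactly the expected value.
func assertAttributeValue(cert, root *x509.Certificate, name, want string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("not issued by the trusted CA: %w", err)
	}
	attrs, err := certAttributes(cert)
	if err != nil {
		return err
	}
	if got, ok := attrs[name]; !ok || got != want {
		return fmt.Errorf("attribute %s: present=%v value=%q want=%q", name, ok, got, want)
	}
	return nil
}

func main() {
	org2CA, org2Key, err := newOrgCA("rca-org2")
	if err != nil {
		panic(err)
	}
	admin, _ := issueECert(org2CA, org2Key, "admin-org2", "user", map[string]string{"abac.init": "true"})
	user, _ := issueECert(org2CA, org2Key, "user-org2", "user", nil)
	fmt.Println("admin-org2:", assertAttributeValue(admin, org2CA, "abac.init", "true")) // <nil>
	fmt.Println("user-org2:", assertAttributeValue(user, org2CA, "abac.init", "true"))   // attribute absent
}
```

The order of the two checks matters: the attribute is plain JSON that anyone can put into a self-issued certificate, so it carries authority only because the certificate chains to the organization CA whose root sits in the channel MSP's cacerts. Reading attributes before verifying the chain, as a quick cid-style helper might, turns the attribute into a self-asserted claim.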

VI. Enroll Org0's identities

1. Prepare the CA certificates

mkdir -p /tmp/hyperledger/org0/orderer/assets/ca
cp /tmp/hyperledger/org0/ca/admin/msp/cacerts/0-0-0-0-7053.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem

mkdir -p /tmp/hyperledger/org0/orderer/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem

2. Enroll the orderer's identity with the Org0 CA

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053

3. Enroll the orderer's TLS identity with the TLS CA

--enrollment.profile tls requests the CA's tls signing profile (server and client authentication key usage instead of a plain signing certificate), and --csr.hosts sets the subject alternative name. It must match the hostname other components use to reach the orderer (orderer1-org0 on the compose network), otherwise their TLS clients reject the certificate.

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0

#### copy the private key to the fixed name key.pem that the orderer configuration references
cp /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem


echo "Enroll Admin"

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053

mkdir -p /tmp/hyperledger/org0/orderer/msp/admincerts
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem

mkdir -p /tmp/hyperledger/org0/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem /tmp/hyperledger/org0/msp/cacerts/
cp /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org0/msp/tlscacerts/
cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/msp/admincerts/admin-org0-cert.pem

echo "Org0 done"

VII. Enroll Org1's identities

1. Prepare the CA certificates for peer1

echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org1/peer1/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem

mkdir -p /tmp/hyperledger/org1/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem

2. Enroll peer1 with the Org1 CA

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054

3. Enroll peer1's TLS identity with the TLS CA

The client home is still /tmp/hyperledger/org1/peer1 and the TLS CA root certificate was already copied into its assets/tls-ca directory, so only the MSP directory, the trust anchor and the target CA change:

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1

cp /tmp/hyperledger/org1/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem

4. Prepare the CA certificates for peer2

echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org1/peer2/assets/ca
cp /tmp/hyperledger/org1/ca/admin/msp/cacerts/0-0-0-0-7054.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem

mkdir -p /tmp/hyperledger/org1/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem

5. Enroll peer2 with the Org1 CA

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054

6. Enroll peer2's TLS identity with the TLS CA

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1

cp /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem

7. Enroll Org1's admin

echo "Enroll Admin"

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054

mkdir -p /tmp/hyperledger/org1/peer1/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem

mkdir -p /tmp/hyperledger/org1/peer2/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem

mkdir -p /tmp/hyperledger/org1/admin/msp/admincerts
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/admin/msp/admincerts/org1-admin-cert.pem

mkdir -p /tmp/hyperledger/org1/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem /tmp/hyperledger/org1/msp/cacerts/
cp /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org1/msp/tlscacerts/
cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/msp/admincerts/admin-org1-cert.pem

/tmp/hyperledger/org1/msp is the organization-level MSP that configtx.yaml points at below: it must contain the Org1 CA root (cacerts), the TLS CA root (tlscacerts) and the admin certificate (admincerts). Fabric 2.x prefers classifying admins by NodeOU (a config.yaml inside the MSP) over admincerts; this walkthrough does not enable NodeOUs, so the admincerts directory is what identifies the admin.

VIII. Enroll Org2's identities

1. Prepare the CA certificates for peer1

echo "Enroll Peer1"
mkdir -p /tmp/hyperledger/org2/peer1/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem

mkdir -p /tmp/hyperledger/org2/peer1/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem

2. Enroll peer1 with the Org2 CA

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7055

3. Enroll peer1's TLS identity with the TLS CA

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -d -u https://peer1-org2:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org2
sleep 5

cp /tmp/hyperledger/org2/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem

4. Prepare the CA certificates for peer2

echo "Enroll Peer2"
mkdir -p /tmp/hyperledger/org2/peer2/assets/ca
cp /tmp/hyperledger/org2/ca/admin/msp/cacerts/0-0-0-0-7055.pem /tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem

mkdir -p /tmp/hyperledger/org2/peer2/assets/tls-ca
cp /tmp/hyperledger/tls-ca/admin/msp/cacerts/0-0-0-0-7052.pem /tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem

5. Enroll peer2 with the Org2 CA

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/peer2
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7055

6. Enroll peer2's TLS identity with the TLS CA

export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer2/assets/tls-ca/tls-ca-cert.pem

fabric-ca-client enroll -d -u https://peer2-org2:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org2
sleep 5

cp /tmp/hyperledger/org2/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem

7. Enroll Org2's admin

echo "Enroll Admin"

export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem
export FABRIC_CA_CLIENT_MSPDIR=msp

fabric-ca-client enroll -d -u https://admin-org2:org2AdminPW@0.0.0.0:7055

mkdir -p /tmp/hyperledger/org2/peer1/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem

mkdir -p /tmp/hyperledger/org2/peer2/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer2/msp/admincerts/org2-admin-cert.pem

mkdir -p /tmp/hyperledger/org2/admin/msp/admincerts
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/admin/msp/admincerts/org2-admin-cert.pem

mkdir -p /tmp/hyperledger/org2/msp/{admincerts,cacerts,tlscacerts,users}
cp /tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem /tmp/hyperledger/org2/msp/cacerts/
cp /tmp/hyperledger/org2/peer1/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org2/msp/tlscacerts/
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/msp/admincerts/admin-org2-cert.pem

IX. Start Org1, Org2 and the orderer

1. Start the Org1 and Org2 peer nodes

The docker-compose service definitions: each peer takes its organization identity (CORE_PEER_MSPCONFIGPATH) from the Org CA enrollment and its TLS material (CORE_PEER_TLS_*) from the TLS CA enrollment, with tls-0-0-0-0-7052.pem, the TLS CA root that the tls-profile enroll wrote into tls-msp/tlscacerts, as the root of trust for peer-to-peer connections. Mounting /var/run (the Docker socket) into the peer lets it launch chaincode containers, but it also gives anyone who compromises the peer process root-equivalent control of the host's Docker daemon; Fabric 2.x external chaincode launchers remove that need.
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:2.2.2
    environment:
        - CORE_PEER_ID=peer1-org1
        - CORE_PEER_ADDRESS=peer1-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
    networks:
        - fabric-ca

peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer:2.2.2
    environment:
        - CORE_PEER_ID=peer2-org1
        - CORE_PEER_ADDRESS=peer2-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
        - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
    networks:
           - fabric-ca


 peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer:2.2.2
    environment:
        - CORE_PEER_ID=peer1-org2
        - CORE_PEER_ADDRESS=peer1-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
    networks:
        - fabric-ca

 peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer:2.2.2
    environment:
        - CORE_PEER_ID=peer2-org2
        - CORE_PEER_ADDRESS=peer2-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
        - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
    networks:
            - fabric-ca
docker-compose up -d peer1-org1 peer2-org1 peer1-org2 peer2-org2

2. Check configtx.yaml

export FABRIC_CFG_PATH=$PWD

The configtx.yaml used (each MSPDir points at one of the organization MSPs assembled above):
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:

    # SampleOrg defines an MSP using the sampleconfig.  It should never be used
    # in production but may be used as a template for other definitions
    - &org0
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org0MSP

        # ID to load the MSP definition as
        ID: org0MSP

        # MSPDir is the filesystem path which contains the MSP configuration
        #MSPDir: ../configtx/org0/msp
        MSPDir: /tmp/hyperledger/org0/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org0MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org0MSP.admin')"

        OrdererEndpoints:
            - orderer1-org0:7050

    - &org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org1MSP

        # ID to load the MSP definition as
        ID: org1MSP

        #MSPDir: ../configtx/org1/msp
        MSPDir: /tmp/hyperledger/org1/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org1MSP.admin', 'org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org1MSP.peer')"

        # leave this flag set to true.
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051

    - &org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: org2MSP

        # ID to load the MSP definition as
        ID: org2MSP

        #MSPDir: ../configtx/org2/msp
        MSPDir: /tmp/hyperledger/org2/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('org2MSP.admin', 'org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('org2MSP.peer')"

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org2
              Port: 7051

################################################################################
#
#   SECTION: Capabilities
#
#   - This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2_0 capability ensures that orderers and peers behave according
        # to v2.0 channel capabilities. Orderers and peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 capability.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V2_0 orderer capability ensures that orderers behave according
        # to v2.0 orderer capabilities. Orderers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 orderer capability.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on channel are at v2.0.0 or later.
        V2_0: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2_0 application capability ensures that peers behave according
        # to v2.0 application capabilities. Peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 application capability.
        # Prior to enabling V2.0 application capabilities, ensure that all
        # peers on channel are at v2.0.0 or later.
        V2_0: true

################################################################################
#
#   SECTION: Applica
