
Hands

2024-06-12 03:44 | Source: web compilation | Views: 265

Contents
- What are Fabric certificates?
- Fabric certificate server: Fabric-ca
  - Initializing fabric-ca-server
  - fabric-ca-server configuration file
  - Using fabric-ca-client
- Binding Fabric-ca-server to an existing project
  - Binding Fabric-ca-server to an existing organization
  - Generating accounts from the bound fabric-ca-server through the client

What are Fabric certificates?

We know that Fabric includes an MSP, which also shows that it is a consortium chain: users may not join the blockchain without authorization. Fabric therefore ships with an authorization system.

A Fabric account is in fact a set of certificate and key files generated according to the PKI specification. This was already covered in the earlier article on the Fabric module command cryptogen.

Where are Fabric certificates needed? In Fabric, the Orderer, the Peer, the client SDK, the CLI and so on all need certificates. Every concrete action in Fabric, such as creating a channel, deploying chaincode or invoking chaincode, requires a certificate to be specified.

They are usually specified through environment variables. For K8s specifically, here is a fragment of my K8s container definition:

...
env:
  - name: GOPATH
    value: /opt/gopath
  - name: CORE_VM_ENDPOINT
    value: 'unix:///host/var/run/docker.sock'
  # - name: CORE_PEER_ID
  #   value: fabric-cli
  - name: CORE_PEER_ADDRESS
    value: "peer0-org1:7051"
  - name: CORE_PEER_LOCALMSPID
    value: "Org1MSP"
  - name: CORE_PEER_TLS_ENABLED
    value: "false"
  - name: CORE_PEER_TLS_CERT_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt"
  - name: CORE_PEER_TLS_KEY_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key"
  - name: CORE_PEER_TLS_ROOTCERT_FILE
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt"
  - name: CORE_PEER_MSPCONFIGPATH
    value: "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp"
...

Pointing these env entries at the certificates generated by cryptogen is enough. Attentive readers may have noticed a problem: what if the number of nodes or users in an organization has to grow? Can certificates be added dynamically? The latest Fabric release provides no such function. The rest of this article introduces Fabric-ca, a project started specifically to solve the certificate problem.

Fabric certificate server: Fabric-ca

The fabric-ca-server commands are as follows:

root@cloud-fabric-ca-5bd689b8dd-9kjp2:/# fabric-ca-server --help
Hyperledger Fabric Certificate Authority Server

Usage:
  fabric-ca-server [command]

Available Commands:
  init        Initialize the fabric-ca server
  start       Start the fabric-ca server
  version     Prints Fabric CA Server version

Flags:
  .... (the flag list is too long; every flag can instead be set in the configuration file)

Use "fabric-ca-server [command] --help" for more information about a command.

Initializing fabric-ca-server

The fabric-ca-server initialization command is as follows (with docker-compose or k8s you only need to run fabric-ca-server start -b when the container is created):

# Start the server; in a development environment a simple username:password is fine
root@cloud-fabric-ca-5bd689b8dd-9kjp2:/opt/hyperledger/fabric-ca-server# fabric-ca-server init -b kexin228:kexin228
2019/11/18 06:57:24 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/11/18 06:57:24 [INFO] Server Version: 1.4.3
2019/11/18 06:57:24 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/11/18 06:57:24 [INFO] The CA key and certificate files already exist
2019/11/18 06:57:24 [INFO] Key file location: /etc/hyperledger/fabric-ca-server/ca-key.pem
2019/11/18 06:57:24 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2019/11/18 06:57:25 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2019/11/18 06:57:25 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2019/11/18 06:57:25 [INFO] Idemix issuer revocation public and secret keys were generated for CA ''
2019/11/18 06:57:25 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2019/11/18 06:57:25 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2019/11/18 06:57:25 [INFO] Initialization was successful

From the output we can see that the following files were generated under /etc/hyperledger/fabric-ca-server:

root@kexin228-lab:~/containers_volume/fabric/ca# tree -L 4
.
├── ca-cert.pem                   # certificate file
├── fabric-ca-server-config.yaml  # configuration file, replaces the --flag parameters given at initialization
├── fabric-ca-server.db           # database file (only when the database is sqlite3, which is the default)
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── msp                           # private key folder
    └── keystore
        ├── 35e2aee01c0b37dce74e9c9ef27eeadc1b201f561d5a2bf3a1ded15f8879caee_sk
        ├── IssuerRevocationPrivateKey
        └── IssuerSecretKey

2 directories, 8 files

fabric-ca-server configuration file

The fabric-ca-server configuration file deserves a closer look. It can be divided into 11 sections (cat fabric-ca-server-config.yaml); since it is long, only two of them are described here:

General section: system-wide properties such as the listening port and the run mode.

# Version of config file
version: 1.4.3

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
cors:
    enabled: false
    origins:
      - "*"

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

affiliations section: the affiliation configuration of the organizations. The affiliation parameters passed by client SDK calls must match this section exactly, otherwise the CA cannot be accessed correctly.

affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

Using fabric-ca-client

fabric-ca-server exposes a set of RESTful APIs for third-party applications; fabric-ca-client wraps these APIs so that account registration, enrollment and similar operations can be completed with a few simple parameters.

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client --help
Hyperledger Fabric Certificate Authority Client

Usage:
  fabric-ca-client [command]

Available Commands:
  affiliation Manage affiliations
  certificate Manage certificates
  enroll      Enroll an identity
  gencrl      Generate a CRL
  gencsr      Generate a CSR
  getcainfo   Get CA certificate chain and Idemix public key
  identity    Manage identities
  reenroll    Reenroll an identity
  register    Register an identity
  revoke      Revoke an identity
  version     Prints Fabric CA Client version

Flags:
  .... (the many flags are omitted here; the relevant ones are shown below)

Use "fabric-ca-client [command] --help" for more information about a command.

A few commonly used commands:

(1) Register the new accounts peer1:peer1wd and peer2:peer2wd

# Registering a new account may need the following flags
      --id.affiliation string     The identity's affiliation
      --id.attrs stringSlice      A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1)
      --id.maxenrollments int     The maximum number of times the secret can be reused to enroll (default CA's Max Enrollment)
      --id.name string            Unique name of the identity
      --id.secret string          The enrollment secret for the identity being registered
      --id.type string            Type of identity being registered (e.g. 'peer, app, user') (default "client")
  -u, --url string                URL of fabric-ca-server (default "http://localhost:7054")
  -H, --home string               Client's home directory (default "/etc/hyperledger/fabric-ca-server")

Since we use the default home directory and URL, we run the following command:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd
2019/11/18 07:46:30 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 07:46:30 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort

It fails: the account information evidently has to be loaded (enrolled) first.

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054
2019/11/18 07:51:04 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:51:04 [INFO] encoded CSR
2019/11/18 07:51:04 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:51:04 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:51:04 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:51:04 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

Only then can the new accounts be registered:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:51:55 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer2wd
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1wd -u http://kexin228@kexin228@localhost:7054
2019/11/18 07:52:10 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: peer1wd

(2) Enroll (load) the accounts peer1:peer1wd and peer2:peer2wd:

root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer1:peer1wd@localhost:7054
2019/11/18 07:54:05 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:05 [INFO] encoded CSR
2019/11/18 07:54:05 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:05 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:05 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:05 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/# fabric-ca-client enroll -u http://peer2:peer2wd@localhost:7054
2019/11/18 07:54:12 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 07:54:12 [INFO] encoded CSR
2019/11/18 07:54:13 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
2019/11/18 07:54:13 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 07:54:13 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 07:54:13 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

(3) Fetch the CA server certificate

root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054
2019/11/18 08:00:21 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:21 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:21 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:21 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey
root@cloud-fabric-ca-5c87d6784c-js2xt:/etc/hyperledger/fabric-ca-server# fabric-ca-client getcacert -u http://localhost:7054
2019/11/18 08:00:26 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 08:00:26 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-server/msp/cacerts/localhost-7054.pem
2019/11/18 08:00:26 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-server/msp/IssuerPublicKey
2019/11/18 08:00:26 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-server/msp/IssuerRevocationPublicKey

Binding Fabric-ca-server to an existing project

fabric-ca is a strong complement to Fabric's cryptogen module. In a Fabric project, cryptogen is normally used to generate the account files for organizations, Peer nodes, Orderer nodes and so on; when account files must be generated dynamically, however, Fabric-ca is needed.

Binding Fabric-ca-server to an existing organization

First, locate the following section in the fabric-ca configuration file fabric-ca-server-config.yaml:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

Then find the folder of certificates generated earlier by cryptogen and run tree -L 2 to view its structure:

root@kexin228-lab:~/containers_volume/fabric/tools/crypto-config/peerOrganizations# tree -L 2 org1.example.com/
org1.example.com/
├── ca
│   ├── 981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
│   └── ca.org1.example.com-cert.pem
├── msp
│   ├── admincerts
│   ├── cacerts
│   └── tlscacerts
├── peers
│   ├── peer0.org1.example.com
│   └── peer1.org1.example.com
├── tlsca
│   ├── 799ef8047b060cdd556260e4af82810c8e40180b3611f09b870c2b246eec04cd_sk
│   └── tlsca.org1.example.com-cert.pem
└── users
    ├── Admin@org1.example.com
    └── User1@org1.example.com

The ca folder holds the CA files of the organization org1.example.com; this folder has to be mounted into the fabric-ca container. After mounting, the path looks like this:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com# pwd
/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca# ls
981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk  ca.org1.example.com-cert.pem

Now these files can be bound. After binding, fabric-ca-server-config.yaml looks like this:

ca:
  name: org1.example.com
  # keyfile is the file with the _sk suffix
  keyfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/981446ead484bad518eccca5bc95b9ea1a4a971715c739f2e6cb9cf0c497e8f7_sk
  # certfile is the .pem file
  certfile: /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
  chainfile: ca-chain.pem

With these steps, fabric-ca-server is bound to the organization org1.example.com.

Generating accounts from the bound fabric-ca-server through the client

We now walk through an example of obtaining a new user account, via fabric-ca-client, from a fabric-ca-server that has been bound to a given organization.

Step 1: enroll the administrator account (its msp) into a chosen directory:

# Create a fabric-ca-client directory to hold the account's msp files
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# mkdir fabric-ca-client
# Enroll the administrator account to obtain the admin msp certificate files
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger# fabric-ca-client enroll -u http://kexin228:kexin228@localhost:7054 -M /etc/hyperledger/fabric-ca-client/
2019/11/18 11:22:10 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2019/11/18 11:22:10 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:22:10 [INFO] encoded CSR
2019/11/18 11:22:10 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/signcerts/cert.pem
2019/11/18 11:22:10 [INFO] Stored root CA certificate at /etc/hyperledger/fabric-ca-client/cacerts/localhost-7054.pem
2019/11/18 11:22:10 [INFO] Stored Issuer public key at /etc/hyperledger/fabric-ca-client/IssuerPublicKey
2019/11/18 11:22:10 [INFO] Stored Issuer revocation public key at /etc/hyperledger/fabric-ca-client/IssuerRevocationPublicKey

Step 2: register the account. The account name is user1 and the password is user1wd; the register command is:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/fabric-ca-client# fabric-ca-client register --id.name user1 --id.type user --id.affiliation org1.department1 --id.secret user1wd -u http://localhost:7054
2019/11/18 11:27:31 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Password: user1wd

Step 3: enroll the account. To load the account user1 registered in the previous step onto the local machine, first create a local directory to hold the certificates downloaded from the server. Mine is:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# pwd
/etc/hyperledger/user

Enroll the account user1 from that directory and save the resulting files into it:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# fabric-ca-client enroll -u http://user1:user1wd@localhost:7054 -M /etc/hyperledger/user/msp
2019/11/18 11:31:00 [INFO] generating key: &{A:ecdsa S:256}
2019/11/18 11:31:01 [INFO] encoded CSR
2019/11/18 11:31:01 [INFO] Stored client certificate at /etc/hyperledger/user/msp/signcerts/cert.pem
2019/11/18 11:31:01 [INFO] Stored root CA certificate at /etc/hyperledger/user/msp/cacerts/localhost-7054.pem
2019/11/18 11:31:01 [INFO] Stored Issuer public key at /etc/hyperledger/user/msp/IssuerPublicKey
2019/11/18 11:31:01 [INFO] Stored Issuer revocation public key at /etc/hyperledger/user/msp/IssuerRevocationPublicKey

Step 4: copy the administrator's signing certificate and the shared TLS certificate files. The command to copy the admin account's signing certificate is:

# Create the admincerts folder
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# mkdir -p /etc/hyperledger/user/msp/admincerts/
# Copy the admin account's signing certificate
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# cp /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/users/Admin\@org1.example.com/msp/signcerts/* /etc/hyperledger/user/msp/admincerts/

Then copy the shared TLS certificate files:

# Create the tls folder
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/# mkdir -p /etc/hyperledger/user/tls
# Copy the TLS signing certificate files
root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# cp /etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/* /etc/hyperledger/user/tls

Step 5: inspect the account. Enter the folder and view it with the tree command:

root@cloud-fabric-ca-58cbdf7fb4-rl8v4:/etc/hyperledger/user# tree -L 4
.
|-- msp
|   |-- IssuerPublicKey
|   |-- IssuerRevocationPublicKey
|   |-- admincerts
|   |   `-- Admin@org1.example.com-cert.pem
|   |-- cacerts
|   |   `-- localhost-7054.pem
|   |-- keystore
|   |   `-- a34acf5c4c53e67d12193ac28a57a21b1cd05190d0bb64b29e0f6a9299e52d72_sk
|   |-- signcerts
|   |   `-- cert.pem
|   |-- tls
|   `-- user
`-- tls
    |-- ca.crt
    |-- server.crt
    `-- server.key

8 directories, 9 files

As can be seen, this matches the layout of the account files generated by cryptogen.
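The five steps above, wrapped into two shell functions as an added example (this is not code from the original post): provision_identity repeats steps 2 to 4 for one identity, and check_msp_layout turns the step 5 tree inspection into a check that fails when any directory cryptogen would have produced is missing or empty. It assumes fabric-ca-client is on PATH, that the admin was enrolled into /etc/hyperledger/fabric-ca-client as in step 1, and that the cryptogen tree is mounted at the post's path; the openssl chain check is an extra that the post does not perform.

```shell
#!/bin/sh
# Added example; paths default to the ones used in the post. Assumes
# fabric-ca-client is installed and the admin msp already exists (step 1).
CA_URL="${CA_URL:-http://localhost:7054}"
CA_ADMIN_MSP="${CA_ADMIN_MSP:-/etc/hyperledger/fabric-ca-client}"
ORG_DIR="${ORG_DIR:-/etc/hyperledger/fabric-tools/config/peerOrganizations/org1.example.com}"

# Steps 2-4 for one identity. Usage: provision_identity NAME SECRET TYPE OUTDIR
provision_identity() {
  name="$1"; secret="$2"; type="$3"; out="$4"
  # register with the admin identity (-M points at the admin msp from step 1)
  fabric-ca-client register -u "$CA_URL" -M "$CA_ADMIN_MSP" \
    --id.name "$name" --id.type "$type" \
    --id.affiliation org1.department1 --id.secret "$secret" || return 1
  # enroll as the new identity; the secret travels in the URL as in the post
  fabric-ca-client enroll -u "http://$name:$secret@${CA_URL#http://}" \
    -M "$out/msp" || return 1
  mkdir -p "$out/msp/admincerts" "$out/tls"
  cp "$ORG_DIR/users/Admin@org1.example.com/msp/signcerts/"* "$out/msp/admincerts/"
  cp "$ORG_DIR/peers/peer0.org1.example.com/tls/"* "$out/tls/"
}

# Step 5 as a check instead of eyeballing tree: every directory cryptogen
# produces must be non-empty. Returns 1 and lists what is missing, so a
# half-built identity is never handed to a peer or SDK.
check_msp_layout() {
  dir="$1"; missing=""
  for d in msp/admincerts msp/cacerts msp/keystore msp/signcerts tls; do
    [ -n "$(ls -A "$dir/$d" 2>/dev/null)" ] || missing="$missing $d"
  done
  for f in tls/ca.crt tls/server.crt tls/server.key; do
    [ -s "$dir/$f" ] || missing="$missing $f"
  done
  if [ -n "$missing" ]; then
    echo "incomplete identity at $dir:$missing" >&2
    return 1
  fi
  # Extra: prove the enrolled cert chains to the bound org CA (i.e. the
  # keyfile/certfile binding took effect). Skipped when openssl or the CA
  # cert is unavailable.
  if command -v openssl >/dev/null 2>&1 && [ -s "$ORG_DIR/ca/ca.org1.example.com-cert.pem" ]; then
    openssl verify -CAfile "$ORG_DIR/ca/ca.org1.example.com-cert.pem" \
      "$dir/msp/signcerts/cert.pem" >/dev/null || return 2
  fi
  return 0
}

# Example run, reproducing the post's user1:
# provision_identity user1 user1wd user /etc/hyperledger/user && check_msp_layout /etc/hyperledger/user
```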

In Fabric projects the more common scenario is a client program completing account registration, enrollment and so on through the RESTful API exposed by fabric-ca-server; that will be covered in detail later.


