I. Why fabric-ca exists
1.1 Fabric accounts
1.1.1 Why Fabric needs accounts
Unlike a traditional account system (made up of two attributes, an account name and a password, which are merely a tool for obtaining operating permissions),
a blockchain system has a distinctive property: data recorded in the chain is irreversible and tamper-proof. Building on this property, every transaction in Fabric carries the initiator's label (its signing certificate) and is signed with the initiator's private key. If the transaction requires endorsement from nodes of other organizations, the endorsing nodes also add their own signatures to the transaction. As a result, the operation history of every transaction is clear and cannot be tampered with.
To support this, Fabric designed an account system based on the PKI (Public Key Infrastructure) standard.
1.1.2 A complete Fabric account:
├── msp
│   ├── admincerts
│   ├── cacerts
│   ├── keystore
│   ├── signcerts
│   └── tlscacerts
└── tls
    ├── ca.crt
    ├── server.crt
    └── server.key
- The msp folder holds the certificate used for signing and the private key used for cryptographic operations:
  - admincerts: administrator certificate(s)
  - cacerts: certificate of the root CA server
  - keystore: the node's or account's private key
  - signcerts: X.509 certificate of the node or user
  - tlscacerts: certificate of the TLS root CA
- The tls folder holds the certificates used for encrypted communication:
  - ca.crt: the organization's root certificate
  - server.crt: certificate of the administrator identity
  - server.key: the administrator's private key
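Added here as an example (not code from Fabric or fabric-ca): a Python check that an account directory has the layout listed above, that keystore holds exactly one private key and signcerts exactly one certificate, and that the private keys (keystore/*_sk and tls/server.key) are not readable by other users. It builds a constructed account tree in a temporary directory; the PEM bodies are placeholders, not real keys or certificates.

```python
import stat
import tempfile
from pathlib import Path

MSP_DIRS = ("admincerts", "cacerts", "keystore", "signcerts", "tlscacerts")
TLS_FILES = ("ca.crt", "server.crt", "server.key")
KEY_HDR, CERT_HDR = b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN CERTIFICATE-----"

def _pem_files(folder, header):
    """Files directly under folder whose first line is the given PEM header."""
    return [p for p in sorted(Path(folder).iterdir())
            if p.is_file() and p.read_bytes().split(b"\n", 1)[0].strip() == header]

def check_account(root):
    """Return a list of problems with the account directory; an empty list means OK."""
    root = Path(root)
    problems = [f"missing msp/{d}" for d in MSP_DIRS if not (root / "msp" / d).is_dir()]
    problems += [f"missing tls/{f}" for f in TLS_FILES if not (root / "tls" / f).is_file()]
    if problems:  # layout incomplete; the content checks below assume it is present
        return problems
    keys = _pem_files(root / "msp" / "keystore", KEY_HDR)
    if len(keys) != 1:
        problems.append(f"keystore holds {len(keys)} private keys, expected exactly 1")
    if len(_pem_files(root / "msp" / "signcerts", CERT_HDR)) != 1:
        problems.append("signcerts must hold exactly one certificate")
    # A private key readable by other users undermines every signature made with it
    for key in keys + [root / "tls" / "server.key"]:
        if key.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key.relative_to(root)} is readable by other users")
    return problems

def make_sample_account(root, key_mode=0o600):
    """Write a constructed account tree; the PEM bodies are placeholders, not real keys."""
    root = Path(root)
    for sub in [f"msp/{d}" for d in MSP_DIRS] + ["tls"]:
        (root / sub).mkdir(parents=True)
    files = {"msp/keystore/priv_sk": KEY_HDR, "msp/signcerts/cert.pem": CERT_HDR,
             "msp/cacerts/ca.pem": CERT_HDR, "tls/ca.crt": CERT_HDR,
             "tls/server.crt": CERT_HDR, "tls/server.key": KEY_HDR}
    for rel, hdr in files.items():
        (root / rel).write_bytes(hdr + b"\nPLACEHOLDER\n")
        if hdr == KEY_HDR:
            (root / rel).chmod(key_mode)
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # sound account vs. world-readable keys
        good = check_account(make_sample_account(Path(tmp) / "good"))
        loose = check_account(make_sample_account(Path(tmp) / "loose", 0o644))
    return good, loose
```

Run check_account against a real account directory produced by cryptogen or fabric-ca-client to get the same report.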
1.1.3 Where Fabric accounts are used
- Every operation in Fabric, whether by the Orderer, a Peer, the client SDK or the CLI, requires an account
- Every concrete action in Fabric, such as creating a channel, deploying chaincode or invoking chaincode, must be performed under a specified account
- When a Peer sends a request to the Orderer it also needs the Peer's account
- To add a new Peer node to a Fabric network, the first step is to create an account for that Peer
1.2 Managing accounts with cryptogen
See the article on Fabric's five major modules for how to use cryptogen.
Adding peer nodes with cryptogen:
- The tree command shows that the org1 organization currently has accounts for two peer nodes:
...
└── peerOrganizations
    ├── org1.testcryptogen.com
    │   ├── ca
    │   │   ├── 0b272c0067147eb26fe0ef41366bd8e841d41062df6209b0943dfaa4e67264f7_sk
    │   │   └── ca.org1.testcryptogen.com-cert.pem
    │   ├── msp
    │   │   ├── admincerts
    │   │   ├── cacerts
    │   │   └── tlscacerts
    │   ├── peers
    │   │   ├── peer0.org1.testcryptogen.com
    │   │   └── peer1.org1.testcryptogen.com
    │   ├── tlsca
    │   │   ├── fe340ca55a6bec7593be46883c9aca164a007fea19dc6a07459a3099dd4e132f_sk
    │   │   └── tlsca.org1.testcryptogen.com-cert.pem
    │   └── users
    │       ├── Admin@org1.testcryptogen.com
    │       ├── User1@org1.testcryptogen.com
    │       ├── User2@org1.testcryptogen.com
    │       └── User3@org1.testcryptogen.com
...
- Use the following configuration file to add two peer nodes to the org1 organization:
extend.yaml:
PeerOrgs:
  - Name: Org1
    Domain: org1.testcryptogen.com
    EnableNodeOUs: false
    Template:
      Count: 2
      Start: 2
Run:
cryptogen extend --config=/opt/hyperledger/fabricconfig/extend.yaml --output /opt/hyperledger/fabricconfig/crypto-config
- Two new Peer node account directories have been generated:
├── org1.testcryptogen.com
│   ├── ca
│   │   ├── 0b272c0067147eb26fe0ef41366bd8e841d41062df6209b0943dfaa4e67264f7_sk
│   │   └── ca.org1.testcryptogen.com-cert.pem
│   ├── msp
│   │   ├── admincerts
│   │   ├── cacerts
│   │   └── tlscacerts
│   ├── peers
│   │   ├── peer0.org1.testcryptogen.com
│   │   ├── peer1.org1.testcryptogen.com
│   │   ├── peer2.org1.testcryptogen.com
│   │   └── peer3.org1.testcryptogen.com
│   ├── tlsca
│   │   ├── fe340ca55a6bec7593be46883c9aca164a007fea19dc6a07459a3099dd4e132f_sk
│   │   └── tlsca.org1.testcryptogen.com-cert.pem
│   └── users
│       ├── Admin@org1.testcryptogen.com
│       ├── User1@org1.testcryptogen.com
│       ├── User2@org1.testcryptogen.com
│       └── User3@org1.testcryptogen.com
1.3 Why fabric-ca came about
As shown above, the cryptogen module and a configuration file were used to add Peer node account files. But what if we want to add user accounts dynamically? Writing a configuration file every time a user account is added is very cumbersome.
So, to solve the Fabric account problem specifically, the Hyperledger project launched the Fabric-CA project.
II. Fabric CA
2.1 Introduction to Fabric CA
2.1.1 Functions of Fabric CA
Fabric CA provides certificate authority functions for Hyperledger Fabric. Its main functions are:
- Identity registration, or connecting to LDAP as the user registry
- Issuing enrollment certificates
- Certificate renewal and revocation
2.1.2 How Fabric CA fits into the overall Hyperledger Fabric architecture
- A tree of CA servers: one root CA server (Root Server) and multiple intermediate CA servers (Intermediate CA)
- Each intermediate CA server can itself be a cluster of CA servers, load-balanced through HAProxy
- Two ways to interact with the Fabric CA server: the client or the SDK
- All communication with the Fabric CA server goes over its REST API
2.2 Getting started with Fabric CA
2.2.1 Installation
(1) Prerequisites:
- go 1.10+
- GOPATH environment variable set correctly
- the libtool and libltdl-dev packages installed:
sudo apt install libtool libltdl-dev
(2) Install
go get -u github.com/hyperledger/fabric-ca/cmd/...
Or clone the source with git and build it; either way you end up with the fabric-ca-server and fabric-ca-client binaries.
(3) Start the server
Start the server natively (default configuration):
fabric-ca-server start -b admin:adminpw
- The -b option supplies the administrator's enrollment ID and password
- The default configuration file fabric-ca-server-config.yaml is created automatically in the local directory
Start the server with docker:
- Edit $GOPATH/src/github.com/hyperledger/fabric-ca/docker/server/docker-compose.yml and change the image line to the desired image
docker-compose.yml
fabric-ca-server:
  image: hyperledger/fabric-ca:1.3.0
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
- Run:
docker-compose up -d
- Result:
docker ps shows that the service is up:
root@i:/home/admin/src/github.com/hyperledger/fabric-ca/docker/server# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e00e0eda9afd hyperledger/fabric-ca:1.3.0 "sh -c 'fabric-ca-se…" 4 seconds ago Up 3 seconds 0.0.0.0:7054->7054/tcp fabric-ca-server
(4) Fabric CA commands
Use --help to view the usage help for fabric-ca-server and fabric-ca-client
# ./fabric-ca-server --help
Hyperledger Fabric Certificate Authority Server
Usage:
fabric-ca-server [command]
Available Commands:
init Initialize the fabric-ca server
start Start the fabric-ca server
version Prints Fabric CA Server version
Flags:
--address string Listening address of fabric-ca-server (default "0.0.0.0")
-b, --boot string The user:pass for bootstrap admin which is required to build default config file
--ca.certfile string PEM-encoded CA certificate file (default "ca-cert.pem")
--ca.chainfile string PEM-encoded CA chain file (default "ca-chain.pem")
--ca.keyfile string PEM-encoded CA key file
-n, --ca.name string Certificate Authority name
--cacount int Number of non-default CA instances
--cafiles stringSlice A list of comma-separated CA configuration files
--cfg.affiliations.allowremove Enables removal of affiliations dynamically
--cfg.identities.allowremove Enables removal of identities dynamically
--crl.expiry duration Expiration for the CRL generated by the gencrl request (default 24h0m0s)
--crlsizelimit int Size limit of an acceptable CRL in bytes (default 512000)
--csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server
--csr.hosts stringSlice A list of space-separated host names in a certificate signing request to a parent fabric-ca-server
--csr.keyrequest.algo string Specify key algorithm
--csr.keyrequest.size int Specify key size
--csr.serialnumber string The serial number in a certificate signing request to a parent fabric-ca-server
--db.datasource string Data source which is database specific (default "fabric-ca-server.db")
--db.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--db.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--db.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--db.type string Type of database; one of: sqlite3, postgres, mysql (default "sqlite3")
-d, --debug Enable debug level logging
-H, --home string Server's home directory (default ".")
--idemix.nonceexpiration string Duration after which a nonce expires (default "15s")
--idemix.noncesweepinterval string Interval at which expired nonces are deleted (default "15m")
--idemix.rhpoolsize int Specifies revocation handle pool size (default 100)
--intermediate.enrollment.label string Label to use in HSM operations
--intermediate.enrollment.profile string Name of the signing profile to use in issuing the certificate
--intermediate.enrollment.type string The type of enrollment request: 'x509' or 'idemix' (default "x509")
--intermediate.parentserver.caname string Name of the CA to connect to on fabric-ca-server
-u, --intermediate.parentserver.url string URL of the parent fabric-ca-server (e.g. http://<username>:<password>@<address>:<port)
--intermediate.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--intermediate.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--intermediate.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--ldap.attribute.names stringSlice The names of LDAP attributes to request on an LDAP search
--ldap.enabled Enable the LDAP client for authentication and attributes
--ldap.groupfilter string The LDAP group filter for a single affiliation group (default "(memberUid=%s)")
--ldap.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--ldap.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled
--ldap.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled
--ldap.url string LDAP client URL of form ldap://adminDN:adminPassword@host[:port]/base
--ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")
-p, --port int Listening port of fabric-ca-server (default 7054)
--registry.maxenrollments int Maximum number of enrollments; valid if LDAP not enabled (default -1)
--tls.certfile string PEM-encoded TLS certificate file for server's listening port (default "tls-cert.pem")
--tls.clientauth.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.clientauth.type string Policy the server will follow for TLS Client Authentication. (default "noclientcert")
--tls.enabled Enable TLS on the listening port
--tls.keyfile string PEM-encoded TLS key for server's listening port
Use "fabric-ca-server [command] --help" for more information about a command.
2.3 Fabric-CA-Server
The help output gives:
- fabric-ca-server subcommands:
  - init: initialize the fabric-ca server
  - start: start the fabric-ca server
  - version: show the version
- fabric-ca-server options (too many to list; omitted)
Initialize and start fabric-ca-server:
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -H /opt/hyperledger/fabric-ca --boot admin:adminpw
2.4 Fabric-CA-Client
fabric-ca-server exposes a set of REST APIs for third-party applications to call. fabric-ca-client wraps these REST APIs; by setting its parameters you can perform account registration, account authorization and similar operations.
The help output lists roughly the following commands:
- enroll: enroll an identity
- gencrl: generate a certificate revocation list
- gencsr: generate a certificate signing request
- getcainfo: get the CA chain certificate
- reenroll: re-enroll an identity
- register: register a new identity
- revoke: revoke an identity
- version: show version information
Using fabric-ca-client:
- Enroll an identity (load its account material):
./fabric-ca-client enroll -M ./msp -u http://peer1:peer1pw@localhost:7054
- Register a new identity:
./fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org1.department1 --id.secret peer2wd
- Get the CA server's certificate:
./fabric-ca-client getcacert -u http://localhost:7054 -M ./my/msp