diff --git a/fabric-ca/makeDocker.sh b/fabric-ca/makeDocker.sh index 83244097ea..4ca3e946d3 100755 --- a/fabric-ca/makeDocker.sh +++ b/fabric-ca/makeDocker.sh @@ -187,6 +187,8 @@ function writeOrderer { - ORDERER_GENERAL_TLS_PRIVATEKEY=$MYHOME/tls/server.key - ORDERER_GENERAL_TLS_CERTIFICATE=$MYHOME/tls/server.crt - ORDERER_GENERAL_TLS_ROOTCAS=[$CA_CHAINFILE] + - ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true + - ORDERER_GENERAL_TLS_CLIENTROOTCAS=[$CA_CHAINFILE] - ORDERER_GENERAL_LOGLEVEL=debug - ORDERER_DEBUG_BROADCASTTRACEDIR=$LOGDIR - ORG=$ORG @@ -211,6 +213,7 @@ function writePeer { - FABRIC_CA_CLIENT_HOME=$MYHOME - FABRIC_CA_CLIENT_TLS_CERTFILES=$CA_CHAINFILE - ENROLLMENT_URL=https://$PEER_NAME_PASS@$CA_HOST:7054 + - PEER_NAME=$PEER_NAME - PEER_HOME=$MYHOME - PEER_HOST=$PEER_HOST - PEER_NAME_PASS=$PEER_NAME_PASS @@ -222,10 +225,13 @@ function writePeer { - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=net_${NETWORK} - CORE_LOGGING_LEVEL=DEBUG - CORE_PEER_TLS_ENABLED=true - - CORE_PEER_PROFILE_ENABLED=true - CORE_PEER_TLS_CERT_FILE=$MYHOME/tls/server.crt - CORE_PEER_TLS_KEY_FILE=$MYHOME/tls/server.key - CORE_PEER_TLS_ROOTCERT_FILE=$CA_CHAINFILE + - CORE_PEER_TLS_CLIENTAUTHREQUIRED=true + - CORE_PEER_TLS_CLIENTROOTCAS_FILES=$CA_CHAINFILE + - CORE_PEER_TLS_CLIENTCERT_FILE=/$DATA/tls/$PEER_NAME-client.crt + - CORE_PEER_TLS_CLIENTKEY_FILE=/$DATA/tls/$PEER_NAME-client.key - CORE_PEER_GOSSIP_USELEADERELECTION=true - CORE_PEER_GOSSIP_ORGLEADER=false - CORE_PEER_GOSSIP_EXTERNALENDPOINT=$PEER_HOST:7051 diff --git a/fabric-ca/scripts/env.sh b/fabric-ca/scripts/env.sh index bad894a517..740da8955b 100755 --- a/fabric-ca/scripts/env.sh +++ b/fabric-ca/scripts/env.sh @@ -172,6 +172,25 @@ function initOrdererVars { export ORDERER_GENERAL_TLS_ROOTCAS=[$INT_CA_CHAINFILE] } +function genClientTLSCert { + if [ $# -ne 3 ]; then + echo "Usage: genClientTLSCert : $*" + exit 1 + fi + + HOST_NAME=$1 + CERT_FILE=$2 + KEY_FILE=$3 + + # Get a client cert + fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $HOST_NAME + + mkdir /$DATA/tls || true + cp /tmp/tls/signcerts/* $CERT_FILE + cp /tmp/tls/keystore/* $KEY_FILE + rm -rf /tmp/tls +} + # initPeerVars function initPeerVars { if [ $# -ne 2 ]; then @@ -201,10 +220,11 @@ function initPeerVars { # export CORE_LOGGING_LEVEL=ERROR export CORE_LOGGING_LEVEL=DEBUG export CORE_PEER_TLS_ENABLED=true - export CORE_PEER_PROFILE_ENABLED=true - export CORE_PEER_TLS_CERT_FILE=$TLSDIR/server.crt - export CORE_PEER_TLS_KEY_FILE=$TLSDIR/server.key + export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true export CORE_PEER_TLS_ROOTCERT_FILE=$INT_CA_CHAINFILE + export CORE_PEER_TLS_CLIENTCERT_FILE=/$DATA/tls/$PEER_NAME-cli-client.crt + export CORE_PEER_TLS_CLIENTKEY_FILE=/$DATA/tls/$PEER_NAME-cli-client.key + export CORE_PEER_PROFILE_ENABLED=true # gossip variables export CORE_PEER_GOSSIP_USELEADERELECTION=true export CORE_PEER_GOSSIP_ORGLEADER=false diff --git a/fabric-ca/scripts/start-peer.sh b/fabric-ca/scripts/start-peer.sh index 7543fd3311..9dd7438cac 100755 --- a/fabric-ca/scripts/start-peer.sh +++ b/fabric-ca/scripts/start-peer.sh @@ -11,7 +11,10 @@ source $(dirname "$0")/env.sh awaitSetup -# Enroll the peer to get a TLS cert +# Although a peer may use the same TLS key and certificate file for both inbound and outbound TLS, +# we generate a different key and certificate for inbound and outbound TLS simply to show that it is permissible + +# Generate server TLS cert and key pair for the peer fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $PEER_HOST # Copy the TLS key and cert to the appropriate place @@ -21,6 +24,12 @@ cp /tmp/tls/signcerts/* $CORE_PEER_TLS_CERT_FILE cp /tmp/tls/keystore/* $CORE_PEER_TLS_KEY_FILE rm -rf /tmp/tls +# Generate client TLS cert and key pair for the peer +genClientTLSCert $PEER_NAME $CORE_PEER_TLS_CLIENTCERT_FILE $CORE_PEER_TLS_CLIENTKEY_FILE + +# Generate client TLS cert and key pair for the peer CLI +genClientTLSCert $PEER_NAME /$DATA/tls/$PEER_NAME-cli-client.crt /$DATA/tls/$PEER_NAME-cli-client.key + # Enroll the peer to get an enrollment certificate and set up the core's local MSP directory fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $CORE_PEER_MSPCONFIGPATH finishMSPSetup $CORE_PEER_MSPCONFIGPATH