diff --git a/test-network-nano-bash/.gitignore b/test-network-nano-bash/.gitignore index ad2d6f784f..2dc34f0328 100644 --- a/test-network-nano-bash/.gitignore +++ b/test-network-nano-bash/.gitignore @@ -1,6 +1,7 @@ channel-artifacts/ crypto-config/ data/ +data_ca/ logs/ *.gz chaincode-external/ diff --git a/test-network-nano-bash/README.md b/test-network-nano-bash/README.md index 7d276eccf8..8c8540c028 100644 --- a/test-network-nano-bash/README.md +++ b/test-network-nano-bash/README.md @@ -59,6 +59,16 @@ If you have trouble running bash scripts in your environment, you can just as ea Note the syntax of running the scripts. The peer admin scripts set the admin environment variables and must be run with the `source` command in order that the exported environment variables can be utilized by any subsequent user commands. +## Running each component separately with CAs + +These instructions are for running the CAs from terminal sessions. Open terminal windows for 3 CAs as seen in the following terminal setup. These instructions should be followd before opening the ordering and peer windows described above. + +![CA Terminal setup](ca_terminal_setup.png) + +- cd to the `test-network-nano-bash` directory in each terminal window +- Before running the `./generate_artifacts.sh -ca` in the first orderer terminal, run `./ordererca.sh`, `./org1ca.sh`, `./org2ca.sh` in the repsective terminals. +- In the first orderer terminal, run `./generate_artifacts.sh -ca` to generate crypto material using the CAs and application channel genesis block and configuration transactions (calls configtxgen). The artifacts will be created in the `crypto-config` and `channel-artifacts` directories. If you are running BFT consensus then run `./generate_artifacts.sh BFT -ca`. All artifacts generated with the CA will conform to the same directory structure as cryptogen. + ## Starting the network with one command Using the individual scripts above gives you more control of the process of starting a Fabric network and demonstrates how all the required components fit together, however the same network can also be started using a single script for convenience. @@ -73,6 +83,11 @@ For BFT consensus type: ./network.sh start -o BFT ``` +For Raft consensus type using CAs: +```shell +./network.sh start -ca +``` + After the network has started, use separate terminals to run peer commands. You will need to configure the peer environment for each new terminal. For example to run against peer1, use: diff --git a/test-network-nano-bash/ca/ca_config/ca/fabric-ca-server-config.yaml b/test-network-nano-bash/ca/ca_config/ca/fabric-ca-server-config.yaml new file mode 100644 index 0000000000..51291b5a39 --- /dev/null +++ b/test-network-nano-bash/ca/ca_config/ca/fabric-ca-server-config.yaml @@ -0,0 +1,511 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpreted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: v1.5.9 + +# Server's listening port (default: 7054) +port: 7052 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: ca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + # Ignore Certificate Expiration in the case of re-enroll + reenrollIgnoreCertExpiry: false + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and values. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: ../db/fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +# The "hosts" field will be used to specify Subject Alternative Names +# if the server creates a self-signed TLS certificate. +########################################################################### +csr: + cn: fabric-ca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - chriss-mbp.raleigh.ibm.com + - localhost + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + + # Specifies the Elliptic Curve used by Identity Mixer. + # It can be any of: {"amcl.Fp256bn", "gurvy.Bn254", "amcl.Fp256Miraclbn"}. + # If unspecified, it defaults to 'amcl.Fp256bn'. + curve: amcl.Fp256bn + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: +- ../tlsca/fabric-ca-server-config.yaml + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd metrics + prefix: server diff --git a/test-network-nano-bash/ca/ca_config/tlsca/fabric-ca-server-config.yaml b/test-network-nano-bash/ca/ca_config/tlsca/fabric-ca-server-config.yaml new file mode 100644 index 0000000000..2c4b0489aa --- /dev/null +++ b/test-network-nano-bash/ca/ca_config/tlsca/fabric-ca-server-config.yaml @@ -0,0 +1,494 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. +# +############################################################################# + +# Version of config file +version: 1.4.9 + +# Server's listening port (default: 7054) +port: 7054 + +# Cross-Origin Resource Sharing (CORS) +cors: + enabled: false + origins: + - "*" + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. +############################################################################# +ca: + # Name of this CA + name: tlsca + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. +############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: ../db/fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. + enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +############################################################################# +signing: + default: + authremote: {} + caconstraint: {} + expiry: 131400h0m0s + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + profiles: null + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. +########################################################################### +csr: + cn: fabric-tlsca-server + keyrequest: + algo: ecdsa + size: 256 + names: + - C: US + ST: "North Carolina" + L: + O: Hyperledger + OU: Fabric + hosts: + - localhost + - 127.0.0.1 + ca: + expiry: 131400h + pathlength: 1 + +########################################################################### +# Each CA can issue both X509 enrollment certificate as well as Idemix +# Credential. This section specifies configuration for the issuer component +# that is responsible for issuing Idemix credentials. +########################################################################### +idemix: + # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an + # Idemix credential. The issuer will create a pool revocation handles of this specified size. When + # a credential is requested, issuer will get handle from the pool and assign it to the credential. + # Issuer will repopulate the pool with new handles when the last handle in the pool is used. + # A revocation handle and credential revocation information (CRI) are used to create non revocation proof + # by the prover to prove to the verifier that her credential is not revoked. + rhpoolsize: 1000 + + # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer + # and second step is send credential request that is constructed using the nonce to the isuser to + # request a credential. This configuration property specifies expiration for the nonces. By default is + # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration). + nonceexpiration: 15s + + # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes. + # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration) + noncesweepinterval: 15m + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. +# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# CA configuration section +# +# Configure the number of incorrect password attempts are allowed for +# identities. By default, the value of 'passwordattempts' is 10, which +# means that 10 incorrect password attempts can be made before an identity get +# locked out. +############################################################################# +cfg: + identities: + passwordattempts: 10 + +############################################################################### +# +# Operations section +# +############################################################################### +operations: + # host and port for the operations server + listenAddress: 127.0.0.1:9443 + + # TLS configuration for the operations endpoint + tls: + # TLS enabled + enabled: false + + # path to PEM encoded server certificate for the operations server + cert: + file: + + # path to PEM encoded server key for the operations server + key: + file: + + # require client certificate authentication to access all resources + clientAuthRequired: false + + # paths to PEM encoded ca certificates to trust for client authentication + clientRootCAs: + files: [] + +############################################################################### +# +# Metrics section +# +############################################################################### +metrics: + # statsd, prometheus, or disabled + provider: disabled + + # statsd configuration + statsd: + # network type: tcp or udp + network: udp + + # statsd server address + address: 127.0.0.1:8125 + + # the interval at which locally cached counters and gauges are pushsed + # to statsd; timings are pushed immediately + writeInterval: 10s + + # prefix is prepended to all emitted statsd merics + prefix: server diff --git a/test-network-nano-bash/ca/ca_utils.sh b/test-network-nano-bash/ca/ca_utils.sh new file mode 100755 index 0000000000..640e0a78a2 --- /dev/null +++ b/test-network-nano-bash/ca/ca_utils.sh @@ -0,0 +1,117 @@ +#!/usr/bin/env sh +# +# SPDX-License-Identifier: Apache-2.0 +# + +###################################################################################### +# createEnrollment() +# +# This is a convenience method for creating enrollments only +# Primary purpose it to create enrollment certificates for CA admins. +###################################################################################### + +function createEnrollment() { + + local port=$1 # port of the CA used for creating the enrollment + local username=$2 # username of the registered user on the CA + local password=$3 # password of the registered user on the CA + local orgname=$4 # name of the org (e.g. Org1, Org2) can be blank + local component_dir=$5 # path of the component, this will be the directory where the artifacts will be created + local tlscert=$6 # tls cert for connecting to the CA + + # Enroll the identity + fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname ca --mspdir "${component_dir}/msp" --tls.certfiles $tlscert + + # Rename private key to mimic cryptogen + find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v + + # Rename the cacert to mimic cryptogen + mv ${component_dir}/msp/cacerts/localhost-${port}-ca.pem ${component_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem + +} + +###################################################################################### +# createMSP() +# +# This is a convenience method for creating the Membership Service Provider directories +# +###################################################################################### + +function createMSP() { + + local caname=$1 # name of the ca (ordererca, org1ca, org2ca) + local orgname=$2 # name of the org (org1, org2) Ordering Org is blank + local org_dir=$3 # directory of the organizatio + + mkdir -p ${org_dir}/msp/admincerts + mkdir -p ${org_dir}/msp/cacerts + mkdir -p ${org_dir}/msp/tlscacerts + + cp data_ca/${caname}/ca/ca-cert.pem ${org_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem + cp data_ca/${caname}/tlsca/ca-cert.pem ${org_dir}/msp/tlscacerts/tlsca.${orgname:+$orgname.}example.com-cert.pem + awk -v cacert_name="ca.${orgname:+$orgname.}example.com-cert" '{gsub(/ca.example.com-cert/,cacert_name)}1' ca/config.yaml > ${org_dir}/msp/config.yaml + +} + +###################################################################################### +# registerAndEnroll() +# +# This is a convenience method for creating enrollments and TLS certificates +# Primary purpose it to create enrollment certificates for org admin identities, and +# enrollent and TLS certificates for peers and orderers. +###################################################################################### + +function registerAndEnroll() { + + local port=$1 # port of the CA used for creating the enrollment + local username=$2 # username of the user to register on the CA + local password=$3 # password of the user to register on the CA + local type=$4 # type of registation, must be one of (peer, orderer, admin) + local orgname=$5 # name of the org (e.g. Org1, Org2) can be blank + local component_dir=$6 # directory of the component, this will be the directory where the artifacts will be created + local org_dir=$7 # directory of the organization, this is the directory that contains the credentials for the registration + local tlscert=$8 # tls cert for connecting to the CA + + if [ "$type" = "admin" ]; then + local attrs="hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" + else + local attrs="" + fi + + # Register the username + fabric-ca-client register -d -u https://localhost:${port} --id.name ${username} --id.secret ${password} --id.type ${type} --id.attrs "${attrs}" --caname ca --tls.certfiles $tlscert --mspdir "${org_dir}/ca/msp" + + # Enroll the identity + fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname ca --mspdir "${component_dir}/msp" --tls.certfiles $tlscert + + # Rename private key to mimic cryptogen + find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v + + # Rename the cacert to mimic cryptogen + mv ${component_dir}/msp/cacerts/localhost-${port}-ca.pem ${component_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem + + # Set the cacert name and copy the config.json for NodeOU + awk -v cacert_name="ca.${orgname:+$orgname.}example.com-cert" '{gsub(/ca.example.com-cert/,cacert_name)}1' ca/config.yaml > ${component_dir}/msp/config.yaml + + # If this is a peer or orderer type then create a TLS cert + if [ "$type" = "peer" ] || [ "$type" = "orderer" ]; then + + # Enroll the TLS cert + fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname tlsca --mspdir "${component_dir}/tls" --tls.certfiles $tlscert --csr.hosts 'localhost,127.0.0.1' + + # Rename private key to mimic cryptogen + find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v + + # Copy and rename TLS certs and keys to mimic cryptogen + cp ${component_dir}/tls/cacerts/localhost-${port}-tlsca.pem ${component_dir}/tls/ca.crt + cp ${component_dir}/tls/keystore/priv_sk ${component_dir}/tls/server.key + cp ${component_dir}/tls/signcerts/cert.pem ${component_dir}/tls/server.crt + + # Rename the tls cacert to mimic cryptogen + mv ${component_dir}/tls/cacerts/localhost-${port}-tlsca.pem ${component_dir}/tls/cacerts/tlsca.${orgname:+$orgname.}example.com-cert.pem + + fi + +} + + diff --git a/test-network-nano-bash/ca/config.yaml b/test-network-nano-bash/ca/config.yaml new file mode 100644 index 0000000000..8846e9d4d9 --- /dev/null +++ b/test-network-nano-bash/ca/config.yaml @@ -0,0 +1,14 @@ +NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/ca.example.com-cert.pem + OrganizationalUnitIdentifier: orderer diff --git a/test-network-nano-bash/ca/createEnrollments.sh b/test-network-nano-bash/ca/createEnrollments.sh new file mode 100755 index 0000000000..5b109b192a --- /dev/null +++ b/test-network-nano-bash/ca/createEnrollments.sh @@ -0,0 +1,118 @@ +#!/usr/bin/env sh +# +# SPDX-License-Identifier: Apache-2.0 +# +export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"$PATH" + +export crypto_dir=$PWD/crypto-config + +export orderer_org_dir=${crypto_dir}/ordererOrganizations/example.com +export org1_dir=${crypto_dir}/peerOrganizations/org1.example.com +export org2_dir=${crypto_dir}/peerOrganizations/org2.example.com + +export orderer1_dir=${orderer_org_dir}/orderers/orderer.example.com +export orderer2_dir=${orderer_org_dir}/orderers/orderer2.example.com +export orderer3_dir=${orderer_org_dir}/orderers/orderer3.example.com +export orderer4_dir=${orderer_org_dir}/orderers/orderer4.example.com +export orderer5_dir=${orderer_org_dir}/orderers/orderer5.example.com + +export peer0org1_dir=${org1_dir}/peers/peer0.org1.example.com +export peer1org1_dir=${org1_dir}/peers/peer1.org1.example.com + +export peer0org2_dir=${org2_dir}/peers/peer0.org2.example.com +export peer1org2_dir=${org2_dir}/peers/peer1.org2.example.com + +export orderer_org_tls=${PWD}/data_ca/ordererca/ca/ca-cert.pem +export org1_tls=${PWD}/data_ca/org1ca/ca/ca-cert.pem +export org2_tls=${PWD}/data_ca/org2ca/ca/ca-cert.pem + +# import utilies +. ca/ca_utils.sh + +###################################################################################### +# Create admin certificates for the CAs +###################################################################################### + +# Enroll CA Admin for ordererca +createEnrollment "7052" "admin" "adminpw" "" "${orderer_org_dir}/ca" "${orderer_org_tls}" + +# Enroll CA Admin for org1ca +createEnrollment "7053" "admin" "adminpw" "org1" "${org1_dir}/ca" "${org1_tls}" + +# Enroll CA Admin for org2ca +createEnrollment "7054" "admin" "adminpw" "org2" "${org2_dir}/ca" "${org2_tls}" + + +###################################################################################### +# Create admin and user certificates for the Organizations +###################################################################################### + +# Enroll Admin certificate for the ordering service org +registerAndEnroll "7052" "osadmin" "osadminpw" "admin" "" "${orderer_org_dir}/users/Admin@example.com" "${orderer_org_dir}" "${orderer_org_tls}" + +# Enroll Admin certificate for org1 +registerAndEnroll "7053" "org1admin" "org1adminpw" "admin" "org1" "${org1_dir}/users/Admin@org1.example.com" "${org1_dir}" "${org1_tls}" + +# Enroll User certificate for org1 +registerAndEnroll "7053" "org1user1" "org1user1pw" "client" "org1" "${org1_dir}/users/User1@org1.example.com" "${org1_dir}" "${org1_tls}" + +# Enroll Admin certificate for org2 +registerAndEnroll "7054" "org2admin" "org2adminpw" "admin" "org2" "${org2_dir}/users/Admin@org2.example.com" "${org2_dir}" "${org2_tls}" + +# Enroll User certificate for org1 +registerAndEnroll "7054" "org2user1" "org2user1pw" "client" "org2" "${org2_dir}/users/User1@org2.example.com" "${org2_dir}" "${org2_tls}" + +###################################################################################### +# Create the certificates for the Ordering Organization +###################################################################################### + +# Create enrollment and TLS certificates for orderer1 +registerAndEnroll "7052" "orderer1" "orderer1pw" "orderer" "" "${orderer1_dir}" "${orderer_org_dir}" "${orderer_org_tls}" + +# Create enrollment and TLS certificates for orderer2 +registerAndEnroll "7052" "orderer2" "orderer2pw" "orderer" "" "${orderer2_dir}" "${orderer_org_dir}" "${orderer_org_tls}" + +# Create enrollment and TLS certificates for orderer3 +registerAndEnroll "7052" "orderer3" "orderer3pw" "orderer" "" "${orderer3_dir}" "${orderer_org_dir}" "${orderer_org_tls}" + +# Create enrollment and TLS certificates for orderer4 +registerAndEnroll "7052" "orderer4" "orderer4pw" "orderer" "" "${orderer4_dir}" "${orderer_org}" "${orderer_org_tls}" + +# Create enrollment and TLS certificates for orderer5 +registerAndEnroll "7052" "orderer5" "orderer5pw" "orderer" "" "${orderer5_dir}" "${orderer_org_dir}" "${orderer_org_tls}" + + +###################################################################################### +# Create the certificates for Org1 +###################################################################################### + +# Create enrollment and TLS certificates for peer0org1 +registerAndEnroll "7053" "org1peer0" "org1peer0pw" "peer" "org1" "${peer0org1_dir}" "${org1_dir}" "${org1_tls}" + +# Create enrollment and TLS certificates for peer1org1 +registerAndEnroll "7053" "org1peer1" "org1peer1pw" "peer" "org1" "${peer1org1_dir}" "${org1_dir}" "${org1_tls}" + + +###################################################################################### +# Create the certificates for Org2 +###################################################################################### + +# Create enrollment and TLS certificates for peer0org2 +registerAndEnroll "7054" "org2peer0" "org2peer0pw" "peer" "org2" "${peer0org2_dir}" "${org2_dir}" "${org2_tls}" + +# Create enrollment and TLS certificates for peer1org2 +registerAndEnroll "7054" "org2peer1" "org2peer1pw" "peer" "org2" "${peer1org2_dir}" "${org2_dir}" "${org2_tls}" + + +###################################################################################### +# Create the Membership Service Providers (MSPs) +###################################################################################### + +# Create the MSP for the Orderering Org +createMSP "ordererca" "" "${orderer_org_dir}" + +# Create the MSP for Org1 +createMSP "org1ca" "org1" "${org1_dir}" + +# Create the MSP for Org2 +createMSP "org2ca" "org2" "${org2_dir}" diff --git a/test-network-nano-bash/ca_terminal_setup.png b/test-network-nano-bash/ca_terminal_setup.png new file mode 100644 index 0000000000..1ada8c63c3 Binary files /dev/null and b/test-network-nano-bash/ca_terminal_setup.png differ diff --git a/test-network-nano-bash/generate_artifacts.sh b/test-network-nano-bash/generate_artifacts.sh index 9ad8324068..daa8ed300e 100755 --- a/test-network-nano-bash/generate_artifacts.sh +++ b/test-network-nano-bash/generate_artifacts.sh @@ -4,6 +4,29 @@ # set -eu +ordererType="etcdraft" +INCLUDE_CA=false + +# parse flags +while [ $# -ge 1 ] ; do + key="$1" + case $key in + etcdraft ) + ordererType="etcdraft" + ;; + BFT ) + ordererType="BFT" + ;; + -ca ) + INCLUDE_CA=true + ;; + * ) + ;; + esac + shift +done + + # remove existing artifacts, or proceed on if the directories don't exist rm -r "${PWD}"/channel-artifacts || true rm -r "${PWD}"/crypto-config || true @@ -12,14 +35,26 @@ rm -r "${PWD}"/data || true # look for binaries in local dev environment /build/bin directory and then in local samples /bin directory export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"$PATH" -echo "Generating MSP certificates using cryptogen tool" -cryptogen generate --config="${PWD}"/crypto-config.yaml +# if INCLUDE_CA is false (default), then use cryptogen +if [ "${INCLUDE_CA}" = false ]; then + + echo "Generating MSP certificates using cryptogen tool" + cryptogen generate --config="${PWD}"/crypto-config.yaml + +else + + mkdir -p "${PWD}"/logs + + # execute the script to configure the default set of enrollments + echo "Generating MSP certificates using the Fabric CAs" + ./ca/createEnrollments.sh > ./logs/createEnrollments.log 2>&1 + +fi # set FABRIC_CFG_PATH to configtx.yaml directory that contains the profiles export FABRIC_CFG_PATH="${PWD}" -ordererType="etcdraft" -if [ $# -gt 0 ] && [ "$1" = "BFT" ] +if [ "${ordererType}" = "BFT" ] then profile="ChannelUsingBFT" ordererType="BFT" diff --git a/test-network-nano-bash/network.sh b/test-network-nano-bash/network.sh index 288a1cf0b4..a478a18c33 100755 --- a/test-network-nano-bash/network.sh +++ b/test-network-nano-bash/network.sh @@ -14,7 +14,9 @@ printHelp() { echo " Starts the test network" echo echo " Flags:" - echo " -d - CLI delays for a certain number of seconds (defaults to 3)" + echo " -d - CLI delays for a certain number of seconds (defaults to 3)" + echo " -o - Specify the orderer type. BFT or etcdraft. (defaults to etcdraft)" + echo " -ca - Use CAs instead of cryptogen. (defaults to cryptogen)" echo " -h - Print this message" elif [ "$USAGE" = "clean" ]; then echo "Usage: " @@ -52,18 +54,31 @@ networkStart() { # shellcheck disable=SC2064 trap networkStop 0 1 2 3 15 + echo "Creating logs directory..." + mkdir -p "${PWD}"/logs + + if [ "${INCLUDE_CA}" = true ]; then + echo "Starting CAs..." + ./ordererca.sh > ./logs/ordererca.log 2>&1 & + ./org1ca.sh > ./logs/org1ca.log 2>&1 & + ./org2ca.sh > ./logs/org2ca.log 2>&1 & + echo "Waiting ${CLI_DELAY}s..." + sleep ${CLI_DELAY} + fi + if [ -d "${PWD}"/channel-artifacts ] && [ -d "${PWD}"/crypto-config ]; then echo "Using existing artifacts..." CREATE_CHANNEL=false else echo "Generating artifacts..." - ./generate_artifacts.sh "${ORDERER_TYPE}" + INCLUDE_CA_PARAM="" + if [ "${INCLUDE_CA}" = true ]; then + INCLUDE_CA_PARAM="-ca" + fi + ./generate_artifacts.sh "${ORDERER_TYPE}" "${INCLUDE_CA_PARAM}" CREATE_CHANNEL=true fi - echo "Creating logs directory..." - mkdir -p "${PWD}"/logs - echo "Starting orderers..." ./orderer1.sh "${ORDERER_TYPE}" > ./logs/orderer1.log 2>&1 & ./orderer2.sh "${ORDERER_TYPE}" > ./logs/orderer2.log 2>&1 & @@ -116,6 +131,7 @@ networkClean() { rm -r "${PWD}"/channel-artifacts || true rm -r "${PWD}"/crypto-config || true rm -r "${PWD}"/data || true + rm -r "${PWD}"/data_ca || true rm -r "${PWD}"/logs || true } @@ -131,6 +147,7 @@ else fi ORDERER_TYPE="etcdraft" +INCLUDE_CA=false # parse flags while [ $# -ge 1 ] ; do @@ -144,6 +161,9 @@ while [ $# -ge 1 ] ; do ORDERER_TYPE="$2" shift ;; + -ca ) + INCLUDE_CA=true + ;; -h ) printHelp "$MODE" exit 0 diff --git a/test-network-nano-bash/ordererca.sh b/test-network-nano-bash/ordererca.sh new file mode 100755 index 0000000000..679e12982f --- /dev/null +++ b/test-network-nano-bash/ordererca.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env sh +# +# SPDX-License-Identifier: Apache-2.0 +# +export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}" +export FABRIC_CFG_PATH="${PWD}"/../config + +#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA +export CA_NAME=ordererca +export CA_PORT=7052 +export OPERATIONS_PORT=9843 +export CSR_HOSTS=ordererca,localhost,127.0.0.1 + +export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}" +export CA_HOME="${CA_DIRECTORY}"/ca +export TLSCA_HOME="${CA_DIRECTORY}"/tlsca +export DB_HOME="${CA_DIRECTORY}"/db +export TEMPLATE_DIR="${PWD}"/ca/ca_config + +# Check to see if the CA directory exists +if [ ! -d "${CA_DIRECTORY}" ]; then + + # Create the new CA directory + mkdir -p "${CA_HOME}" + mkdir -p "${TLSCA_HOME}" + mkdir -p "${DB_HOME}" + + # Copy the CA template files + cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml + cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml + +fi + +export FABRIC_CA_SERVER_TLS_ENABLED=true +export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}" +export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}" +export FABRIC_CA_SERVER_DEBUG=true +export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}" +fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}" diff --git a/test-network-nano-bash/org1ca.sh b/test-network-nano-bash/org1ca.sh new file mode 100755 index 0000000000..bdfc918d2b --- /dev/null +++ b/test-network-nano-bash/org1ca.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env sh +# +# SPDX-License-Identifier: Apache-2.0 +# +export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}" +export FABRIC_CFG_PATH="${PWD}"/../config + +#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA +export CA_NAME=org1ca +export CA_PORT=7053 +export OPERATIONS_PORT=9844 +export CSR_HOSTS=org1ca,localhost,127.0.0.1 + +export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}" +export CA_HOME="${CA_DIRECTORY}"/ca +export TLSCA_HOME="${CA_DIRECTORY}"/tlsca +export DB_HOME="${CA_DIRECTORY}"/db +export TEMPLATE_DIR="${PWD}"/ca/ca_config + +# Check to see if the CA directory exists +if [ ! -d "${CA_DIRECTORY}" ]; then + + # Create the new CA directory + mkdir -p "${CA_HOME}" + mkdir -p "${TLSCA_HOME}" + mkdir -p "${DB_HOME}" + + # Copy the CA template files + cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml + cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml + +fi + +export FABRIC_CA_SERVER_TLS_ENABLED=true +export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}" +export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}" +export FABRIC_CA_SERVER_DEBUG=true +export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}" +fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}" diff --git a/test-network-nano-bash/org2ca.sh b/test-network-nano-bash/org2ca.sh new file mode 100755 index 0000000000..a325fd4c8b --- /dev/null +++ b/test-network-nano-bash/org2ca.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env sh +# +# SPDX-License-Identifier: Apache-2.0 +# +export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}" +export FABRIC_CFG_PATH="${PWD}"/../config + +#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA +export CA_NAME=org2ca +export CA_PORT=7054 +export OPERATIONS_PORT=9845 +export CSR_HOSTS=org2ca,localhost,127.0.0.1 + +export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}" +export CA_HOME="${CA_DIRECTORY}"/ca +export TLSCA_HOME="${CA_DIRECTORY}"/tlsca +export DB_HOME="${CA_DIRECTORY}"/db +export TEMPLATE_DIR="${PWD}"/ca/ca_config + +# Check to see if the CA directory exists +if [ ! -d "${CA_DIRECTORY}" ]; then + + # Create the new CA directory + mkdir -p "${CA_HOME}" + mkdir -p "${TLSCA_HOME}" + mkdir -p "${DB_HOME}" + + # Copy the CA template files + cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml + cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml + +fi + +export FABRIC_CA_SERVER_TLS_ENABLED=true +export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}" +export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}" +export FABRIC_CA_SERVER_DEBUG=true +export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}" +fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}"