[FAB-3710] /examples/cluster: configure CA
We need to ensure we configure the CA with the MSP artifacts or it will be unable to generate usable ECerts. Change-Id: Iec5f1bf033d92a9d11ab7feca2aaf3e78eac8d78 Signed-off-by: Greg Haskins <gregory.haskins@gmail.com>
Showing
3 changed files
with
244 additions
and
7 deletions.
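--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,239 @@
+#############################################################################
+#   This is a configuration file for the fabric-ca-server command.
+#
+#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
+#   ------------------------------------------------
+#   Each configuration element can be overridden via command line
+#   arguments or environment variables.  The precedence for determining
+#   the value of each element is as follows:
+#   1) command line argument
+#      Examples:
+#      a) --port 443
+#         To set the listening port
+#      b) --ca-keyfile ../mykey.pem
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '-' separator character.
+#   2) environment variable
+#      Examples:
+#      a) FABRIC_CA_SERVER_PORT=443
+#         To set the listening port
+#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '_' separator character.
+#   3) configuration file
+#   4) default value (if there is one)
+#      All default values are shown beside each element below.
+#
+#   FILE NAME ELEMENTS
+#   ------------------
+#   All filename elements below end with the word "file".
+#   For example, see "certfile" and "keyfile" in the "ca" section.
+#   The value of each filename element can be a simple filename, a
+#   relative path, or an absolute path.  If the value is not an
+#   absolute path, it is interpretted as being relative to the location
+#   of this configuration file.
+#
+#############################################################################
+
+# Server's listening port (default: 7054)
+port: 7054
+
+# Enables debug logging (default: false)
+debug: false
+
+#############################################################################
+#  TLS section for the server's listening port
+#
+#  The following types are supported for client authentication: NoClientCert,
+#  RequestClientCert, RequireAnyClientCert, VerfiyClientCertIfGiven,
+#  and RequireAndVerifyClientCert.
+#
+#  Certfiles is a list of root certificate authorities that the server uses
+#  when verifying client certificates.
+#############################################################################
+tls:
+  # Enable TLS (default: false)
+  enabled: false
+  # TLS for the server's listening port
+  certfile: ca.crt
+  keyfile: ca.key
+  clientauth:
+    type: noclientcert
+    certfiles:
+
+#############################################################################
+#  The CA section contains information related to the Certificate Authority
+#  including the name of the CA, which should be unique for all members
+#  of a blockchain network.  It also includes the key and certificate files
+#  used when issuing enrollment certificates (ECerts) and transaction
+#  certificates (TCerts).
+#  The chainfile (if it exists) contains the certificate chain which
+#  should be trusted for this CA, where the 1st in the chain is always the
+#  root CA certificate.
+#############################################################################
+ca:
+  # Name of this CA
+  name:
+  certfile: ca.crt
+  keyfile: ca.key
+  # Chain file (default: chain-cert.pem)
+  chainfile: ca-chain.pem
+
+#############################################################################
+#  The registry section controls how the fabric-ca-server does two things:
+#  1) authenticates enrollment requests which contain a username and password
+#     (also known as an enrollment ID and secret).
+#  2) once authenticated, retrieves the identity's attribute names and
+#     values which the fabric-ca-server optionally puts into TCerts
+#     which it issues for transacting on the Hyperledger Fabric blockchain.
+#     These attributes are useful for making access control decisions in
+#     chaincode.
+#  There are two main configuration options:
+#  1) The fabric-ca-server is the registry
+#  2) An LDAP server is the registry, in which case the fabric-ca-server
+#     calls the LDAP server to perform these tasks.
+#############################################################################
+registry:
+  # Maximum number of times a password/secret can be reused for enrollment
+  # (default: 0, which means there is no limit)
+  maxEnrollments: 0
+
+  # Contains identity information which is used when LDAP is disabled
+  identities:
+    - name: admin
+      pass: adminpw
+      type: client
+      affiliation: ""
+      attrs:
+        hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
+        hf.Registrar.DelegateRoles: "client,user,validator,auditor"
+        hf.Revoker: true
+        hf.IntermediateCA: true
+
+#############################################################################
+#  Database section
+#  Supported types are: "sqlite3", "postgres", and "mysql".
+#  The datasource value depends on the type.
+#  If the type is "sqlite3", the datasource value is a file name to use
+#  as the database store.  Since "sqlite3" is an embedded database, it
+#  may not be used if you want to run the fabric-ca-server in a cluster.
+#  To run the fabric-ca-server in a cluster, you must choose "postgres"
+#  or "mysql".
+#############################################################################
+db:
+  type: sqlite3
+  datasource: /var/hyperledger/fabric-ca-server.db
+  tls:
+    enabled: false
+    certfiles:
+      - db-server-cert.pem
+    client:
+      certfile: db-client-cert.pem
+      keyfile: db-client-key.pem
+
+#############################################################################
+#  LDAP section
+#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
+#  1) authenticate enrollment ID and secret (i.e. username and password)
+#     for enrollment requests;
+#  2) To retrieve identity attributes
+#############################################################################
+ldap:
+  # Enables or disables the LDAP client (default: false)
+  enabled: false
+  # The URL of the LDAP server
+  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
+  tls:
+    certfiles:
+      - ldap-server-cert.pem
+    client:
+      certfile: ldap-client-cert.pem
+      keyfile: ldap-client-key.pem
+
+#############################################################################
+#  Affiliation section
+#############################################################################
+affiliations:
+  org1:
+    - department1
+    - department2
+  org2:
+    - department1
+
+#############################################################################
+#  Signing section
+#############################################################################
+signing:
+  profiles:
+    ca:
+      usage:
+        - cert sign
+      expiry: 8000h
+      caconstraint:
+        isca: true
+  default:
+    usage:
+      - cert sign
+    expiry: 8000h
+
+###########################################################################
+#  Certificate Signing Request section for generating the CA certificate
+###########################################################################
+csr:
+  cn: fabric-ca-server
+  names:
+    - C: US
+      ST: "North Carolina"
+      L:
+      O: Hyperledger
+      OU: Fabric
+  hosts:
+    - 2008f00aff38
+  ca:
+    pathlen:
+    pathlenzero:
+    expiry:
+
+#############################################################################
+#  BCCSP (BlockChain Crypto Service Provider) section is used to select which
+#  crypto library implementation to use
+#############################################################################
+
+bccsp:
+  default: SW
+  sw:
+    hash: SHA2
+    security: 256
+    filekeystore:
+      # The directory used for the software file-based keystore
+      keystore: keystore
+
+#############################################################################
+#  The fabric-ca-server init and start commands support the following two
+#  additional mutually exclusive options:
+#
+#  1) --cacount <number-of-CAs>
+#  Automatically generate multiple default CA instances.
+#  This is particularly useful in a development environment to quickly set up
+#  multiple CAs.
+#  For example,
+#     fabric-ca-server start -b admin:adminpw --cacount 2
+#  starts a server with a default CA and two non-default CA's with names
+#  'ca1' and 'ca2'.
+#
+#  2) --cafiles <CA-config-files>
+#  For each CA config file in the list, generate a separate signing CA.  Each CA
+#  config file in this list MAY contain all of the same elements as are found in
+#  the server config file except port, debug, and tls sections.
+#  For example,
+#     fabric-ca-server start -b admin:adminpw \
+#        --cafiles ca/ca1/fabric-ca-server-config.yaml \
+#        --cafiles ca/ca2/fabric-ca-server-config.yaml
+#  is equivalent to the previous example, except the files CA config files
+#  must already exist and can be customized.
+#
+#############################################################################
+
+cacount:
+
+cafiles: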
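Review bot: The single `csr.hosts` entry `2008f00aff38` near the end of the file looks like an ephemeral container ID copied out of a generated config rather than a deliberately chosen host name; the CA certificate produced at init would carry only that value as its SAN, so it should become the intended CA host name or an obviously marked placeholder, with a comment such as `# hosts: host names / IPs that the CA certificate must be valid for` above it. The file also checks in the bootstrap secret as `pass: adminpw` under `registry.identities` while `tls.enabled: false` leaves the enrollment listener in cleartext; since the trailing comment block already shows the bootstrap identity being supplied with `-b admin:adminpw` at start time, a short comment above `identities:` stating that this example credential is for the local example cluster only and must be replaced before any shared use would keep the two in step. Which file this section belongs to is not shown on the page, so the path is inferred from the commit title.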