From 013162df0d38c80d371fcd9207f5800d2e1b00ca Mon Sep 17 00:00:00 2001
From: Kurt Seifried
Date: Tue, 16 Mar 2021 20:49:00 -0600
Subject: [PATCH] ORG6 setup

---
 test-network/addOrg6/README.md | 28 ++
 test-network/addOrg6/addOrg6.sh | 263 ++++++++++++
 test-network/addOrg6/ccp-generate.sh | 36 ++
 test-network/addOrg6/ccp-template.json | 49 +++
 test-network/addOrg6/ccp-template.yaml | 34 ++
 test-network/addOrg6/configtx.yaml | 38 ++
 .../docker/docker-compose-ca-org6.yaml | 27 ++
 .../docker/docker-compose-couch-org6.yaml | 42 ++
 .../addOrg6/docker/docker-compose-org6.yaml | 52 +++
 .../org6/fabric-ca-server-config.yaml | 406 ++++++++++++++++++
 .../addOrg6/fabric-ca/registerEnroll.sh | 87 ++++
 test-network/addOrg6/org6-crypto.yaml | 21 +
 12 files changed, 1083 insertions(+)
 create mode 100644 test-network/addOrg6/README.md
 create mode 100644 test-network/addOrg6/addOrg6.sh
 create mode 100644 test-network/addOrg6/ccp-generate.sh
 create mode 100644 test-network/addOrg6/ccp-template.json
 create mode 100644 test-network/addOrg6/ccp-template.yaml
 create mode 100644 test-network/addOrg6/configtx.yaml
 create mode 100644 test-network/addOrg6/docker/docker-compose-ca-org6.yaml
 create mode 100644 test-network/addOrg6/docker/docker-compose-couch-org6.yaml
 create mode 100644 test-network/addOrg6/docker/docker-compose-org6.yaml
 create mode 100644 test-network/addOrg6/fabric-ca/org6/fabric-ca-server-config.yaml
 create mode 100644 test-network/addOrg6/fabric-ca/registerEnroll.sh
 create mode 100644 test-network/addOrg6/org6-crypto.yaml

diff --git a/test-network/addOrg6/README.md b/test-network/addOrg6/README.md
new file mode 100644
index 00000000..baeb4ba8
--- /dev/null
+++ b/test-network/addOrg6/README.md
@@ -0,0 +1,28 @@
+## Adding Org6 to the test network
+
+You can use the `addOrg6.sh` script to add another organization to the Fabric test network. The `addOrg6.sh` script generates the Org6 crypto material, creates an Org6 organization definition, and adds Org6 to a channel on the test network.
+
+You first need to run `./network.sh up createChannel` in the `test-network` directory before you can run the `addOrg6.sh` script.
+
+```
+./network.sh up createChannel
+cd addOrg6
+./addOrg6.sh up
+```
+
+If you used `network.sh` to create a channel other than the default `mychannel`, you need pass that name to the `addorg6.sh` script.
+```
+./network.sh up createChannel -c channel1
+cd addOrg6
+./addOrg6.sh up -c channel1
+```
+
+You can also re-run the `addOrg6.sh` script to add Org6 to additional channels.
+```
+cd ..
+./network.sh createChannel -c channel2
+cd addOrg6
+./addOrg6.sh up -c channel2
+```
+
+For more information, use `./addOrg6.sh -h` to see the `addOrg6.sh` help text.
diff --git a/test-network/addOrg6/addOrg6.sh b/test-network/addOrg6/addOrg6.sh
new file mode 100644
index 00000000..76dc342f
--- /dev/null
+++ b/test-network/addOrg6/addOrg6.sh
@@ -0,0 +1,263 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +# This script extends the Hyperledger Fabric test network by adding +# adding a third organization to the network +# + +# prepending $PWD/../bin to PATH to ensure we are picking up the correct binaries +# this may be commented out to resolve installed version of tools if desired +export PATH=${PWD}/../../bin:${PWD}:$PATH +export FABRIC_CFG_PATH=${PWD} +export VERBOSE=false + +. ../scripts/utils.sh + +# Print the usage message +function printHelp () { + echo "Usage: " + echo " addOrg6.sh up|down|generate [-c ] [-t ] [-d ] [-f ] [-s ]" + echo " addOrg6.sh -h|--help (print this message)" + echo " - one of 'up', 'down', or 'generate'" + echo " - 'up' - add org6 to the sample network. You need to bring up the test network and create a channel first." + echo " - 'down' - bring down the test network and org6 nodes" + echo " - 'generate' - generate required certificates and org definition" + echo " -c - test network channel name (defaults to \"mychannel\")" + echo " -ca - Use a CA to generate the crypto material" + echo " -t - CLI timeout duration in seconds (defaults to 10)" + echo " -d - delay duration in seconds (defaults to 3)" + echo " -s - the database backend to use: goleveldb (default) or couchdb" + echo " -verbose - verbose mode" + echo + echo "Typically, one would first generate the required certificates and " + echo "genesis block, then bring up the network. e.g.:" + echo + echo " addOrg6.sh generate" + echo " addOrg6.sh up" + echo " addOrg6.sh up -c mychannel -s couchdb" + echo " addOrg6.sh down" + echo + echo "Taking all defaults:" + echo " addOrg6.sh up" + echo " addOrg6.sh down" +} + +# We use the cryptogen tool to generate the cryptographic material +# (x509 certs) for the new org. 
After we run the tool, the certs will +# be put in the organizations folder with org1 and org2 + +# Create Organziation crypto material using cryptogen or CAs +function generateOrg6() { + # Create crypto material using cryptogen + if [ "$CRYPTO" == "cryptogen" ]; then + which cryptogen + if [ "$?" -ne 0 ]; then + fatalln "cryptogen tool not found. exiting" + fi + infoln "Generating certificates using cryptogen tool" + + infoln "Creating Org6 Identities" + + set -x + cryptogen generate --config=org6-crypto.yaml --output="../organizations" + res=$? + { set +x; } 2>/dev/null + if [ $res -ne 0 ]; then + fatalln "Failed to generate certificates..." + fi + + fi + + # Create crypto material using Fabric CA + if [ "$CRYPTO" == "Certificate Authorities" ]; then + fabric-ca-client version > /dev/null 2>&1 + if [[ $? -ne 0 ]]; then + echo "ERROR! fabric-ca-client binary not found.." + echo + echo "Follow the instructions in the Fabric docs to install the Fabric Binaries:" + echo "https://hyperledger-fabric.readthedocs.io/en/latest/install.html" + exit 1 + fi + + infoln "Generating certificates using Fabric CA" + docker-compose -f $COMPOSE_FILE_CA_ORG6 up -d 2>&1 + + . fabric-ca/registerEnroll.sh + + sleep 10 + + infoln "Creating Org6 Identities" + createOrg6 + + fi + + infoln "Generating CCP files for Org6" + ./ccp-generate.sh +} + +# Generate channel configuration transaction +function generateOrg6Definition() { + which configtxgen + if [ "$?" -ne 0 ]; then + fatalln "configtxgen tool not found. exiting" + fi + infoln "Generating Org6 organization definition" + export FABRIC_CFG_PATH=$PWD + set -x + configtxgen -printOrg Org6MSP > ../organizations/peerOrganizations/org6.example.com/org6.json + res=$? + { set +x; } 2>/dev/null + if [ $res -ne 0 ]; then + fatalln "Failed to generate Org6 organization definition..." 
+ fi +} + +function Org6Up () { + # start org6 nodes + if [ "${DATABASE}" == "couchdb" ]; then + docker-compose -f $COMPOSE_FILE_ORG6 -f $COMPOSE_FILE_COUCH_ORG6 up -d 2>&1 + else + docker-compose -f $COMPOSE_FILE_ORG6 up -d 2>&1 + fi + if [ $? -ne 0 ]; then + fatalln "ERROR !!!! Unable to start Org6 network" + fi +} + +# Generate the needed certificates, the genesis block and start the network. +function addOrg6 () { + # If the test network is not up, abort + if [ ! -d ../organizations/ordererOrganizations ]; then + fatalln "ERROR: Please, run ./network.sh up createChannel first." + fi + + # generate artifacts if they don't exist + if [ ! -d "../organizations/peerOrganizations/org6.example.com" ]; then + generateOrg6 + generateOrg6Definition + fi + + infoln "Bringing up Org6 peer" + Org6Up + + # Use the CLI container to create the configuration transaction needed to add + # Org6 to the network + infoln "Generating and submitting config tx to add Org6" + docker exec cli ./scripts/org6-scripts/updateChannelConfig.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE + if [ $? -ne 0 ]; then + fatalln "ERROR !!!! Unable to create config tx" + fi + + infoln "Joining Org6 peers to network" + docker exec cli ./scripts/org6-scripts/joinChannel.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE + if [ $? -ne 0 ]; then + fatalln "ERROR !!!! Unable to join Org6 peers to network" + fi +} + +# Tear down running network +function networkDown () { + cd .. + ./network.sh down +} + +# Using crpto vs CA. 
default is cryptogen +CRYPTO="cryptogen" +# timeout duration - the duration the CLI should wait for a response from +# another container before giving up +CLI_TIMEOUT=10 +#default for delay +CLI_DELAY=3 +# channel name defaults to "mychannel" +CHANNEL_NAME="mychannel" +# use this as the docker compose couch file +COMPOSE_FILE_COUCH_ORG6=docker/docker-compose-couch-org6.yaml +# use this as the default docker-compose yaml definition +COMPOSE_FILE_ORG6=docker/docker-compose-org6.yaml +# certificate authorities compose file +COMPOSE_FILE_CA_ORG6=docker/docker-compose-ca-org6.yaml +# database +DATABASE="leveldb" + +# Parse commandline args + +## Parse mode +if [[ $# -lt 1 ]] ; then + printHelp + exit 0 +else + MODE=$1 + shift +fi + +# parse flags + +while [[ $# -ge 1 ]] ; do + key="$1" + case $key in + -h ) + printHelp + exit 0 + ;; + -c ) + CHANNEL_NAME="$2" + shift + ;; + -ca ) + CRYPTO="Certificate Authorities" + ;; + -t ) + CLI_TIMEOUT="$2" + shift + ;; + -d ) + CLI_DELAY="$2" + shift + ;; + -s ) + DATABASE="$2" + shift + ;; + -verbose ) + VERBOSE=true + shift + ;; + * ) + errorln "Unknown flag: $key" + printHelp + exit 1 + ;; + esac + shift +done + + +# Determine whether starting, stopping, restarting or generating for announce +if [ "$MODE" == "up" ]; then + infoln "Adding org6 to channel '${CHANNEL_NAME}' with '${CLI_TIMEOUT}' seconds and CLI delay of '${CLI_DELAY}' seconds and using database '${DATABASE}'" + echo +elif [ "$MODE" == "down" ]; then + EXPMODE="Stopping network" +elif [ "$MODE" == "generate" ]; then + EXPMODE="Generating certs and organization definition for Org6" +else + printHelp + exit 1 +fi + +#Create the network using docker compose +if [ "${MODE}" == "up" ]; then + addOrg6 +elif [ "${MODE}" == "down" ]; then ## Clear the network + networkDown +elif [ "${MODE}" == "generate" ]; then ## Generate Artifacts + generateOrg6 + generateOrg6Definition +else + printHelp + exit 1 +fi 
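Review bot: The `-verbose )` arm of the flag parser runs its own `shift` and then falls through to the loop's trailing `shift`, so the flag eats the argument that follows it — `addOrg6.sh up -verbose -c channel1` drops `-c` and then rejects `channel1` as an unknown flag; the arm should read `-verbose ) VERBOSE=true ;;`, the same shape as the `-ca` arm. In the same hunk, `export PATH=${PWD}/../../bin:${PWD}:$PATH` puts the invoking directory itself on PATH ahead of the system directories, so whichever `cryptogen`, `configtxgen` or `docker-compose` binary happens to sit in the current directory is the one `which` and the calls below resolve to; either drop `${PWD}` or say in the comment above it that this is intentional. `$CHANNEL_NAME`, `$CLI_DELAY` and `$CLI_TIMEOUT` are also passed unquoted to both `docker exec cli ./scripts/org6-scripts/...` calls, so a channel name containing whitespace is split into extra arguments rather than rejected. Finally, the default `DATABASE="leveldb"` does not match the help text's "goleveldb (default)"; one of the two should change so `-s` is documented accurately.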
diff --git a/test-network/addOrg6/ccp-generate.sh b/test-network/addOrg6/ccp-generate.sh
new file mode 100644
index 00000000..8efb9568
--- /dev/null
+++ b/test-network/addOrg6/ccp-generate.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+function one_line_pem {
+ echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
+}
+
+function json_ccp {
+ local PP=$(one_line_pem $4)
+ local CP=$(one_line_pem $5)
+ sed -e "s/\${ORG}/$1/" \
+ -e "s/\${P0PORT}/$2/" \
+ -e "s/\${CAPORT}/$3/" \
+ -e "s#\${PEERPEM}#$PP#" \
+ -e "s#\${CAPEM}#$CP#" \
+ ccp-template.json
+}
+
+function yaml_ccp {
+ local PP=$(one_line_pem $4)
+ local CP=$(one_line_pem $5)
+ sed -e "s/\${ORG}/$1/" \
+ -e "s/\${P0PORT}/$2/" \
+ -e "s/\${CAPORT}/$3/" \
+ -e "s#\${PEERPEM}#$PP#" \
+ -e "s#\${CAPEM}#$CP#" \
+ ccp-template.yaml | sed -e $'s/\\\\n/\\\n /g'
+}
+
+ORG=6
+P0PORT=17051
+CAPORT=17054
+PEERPEM=../organizations/peerOrganizations/org6.example.com/tlsca/tlsca.org6.example.com-cert.pem
+CAPEM=../organizations/peerOrganizations/org6.example.com/ca/ca.org6.example.com-cert.pem
+
+echo "$(json_ccp $ORG $P0PORT $CAPORT $PEERPEM $CAPEM)" > ../organizations/peerOrganizations/org6.example.com/connection-org6.json
+echo "$(yaml_ccp $ORG $P0PORT $CAPORT $PEERPEM $CAPEM)" > ../organizations/peerOrganizations/org6.example.com/connection-org6.yaml
diff --git a/test-network/addOrg6/ccp-template.json b/test-network/addOrg6/ccp-template.json
new file mode 100644
index 00000000..2b19d1b9
--- /dev/null
+++ b/test-network/addOrg6/ccp-template.json
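Review bot: Nothing in this script checks that the two PEM files named in `PEERPEM` and `CAPEM` exist before they are spliced into the templates; there is no `set -e`, `one_line_pem` swallows a failing `awk` inside backticks, and `local PP=$(…)` discards its exit status, so a missing certificate still produces `connection-org6.json` and `.yaml` with an empty `pem` value that every client using the profile will then fail TLS validation against. A guard at the top such as `[ -f "$PEERPEM" ] && [ -f "$CAPEM" ] || { echo "org6 PEM files not found; run addOrg6.sh generate first" >&2; exit 1; }` turns that into an immediate, explicit failure. The positional parameters are also used unquoted throughout (`$1`, `$4`, `$5`, and `$PEERPEM`/`$CAPEM` at the call sites), which is harmless for these fixed paths but should be quoted since the functions are written to be reused.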
@@ -0,0 +1,49 @@
+{
+ "name": "test-network-org${ORG}",
+ "version": "1.0.0",
+ "client": {
+ "organization": "Org${ORG}",
+ "connection": {
+ "timeout": {
+ "peer": {
+ "endorser": "300"
+ }
+ }
+ }
+ },
+ "organizations": {
+ "Org${ORG}": {
+ "mspid": "Org${ORG}MSP",
+ "peers": [
+ "peer0.org${ORG}.example.com"
+ ],
+ "certificateAuthorities": [
+ "ca.org${ORG}.example.com"
+ ]
+ }
+ },
+ "peers": {
+ "peer0.org${ORG}.example.com": {
+ "url": "grpcs://localhost:${P0PORT}",
+ "tlsCACerts": {
+ "pem": "${PEERPEM}"
+ },
+ "grpcOptions": {
+ "ssl-target-name-override": "peer0.org${ORG}.example.com",
+ "hostnameOverride": "peer0.org${ORG}.example.com"
+ }
+ }
+ },
+ "certificateAuthorities": {
+ "ca.org${ORG}.example.com": {
+ "url": "https://localhost:${CAPORT}",
+ "caName": "ca-org${ORG}",
+ "tlsCACerts": {
+ "pem": "${CAPEM}"
+ },
+ "httpOptions": {
+ "verify": false
+ }
+ }
+ }
+}
diff --git a/test-network/addOrg6/ccp-template.yaml b/test-network/addOrg6/ccp-template.yaml
new file mode 100644
index 00000000..7e65965f
--- /dev/null
+++ b/test-network/addOrg6/ccp-template.yaml
@@ -0,0 +1,34 @@
+---
+name: test-network-org${ORG}
+version: 1.0.0
+client:
+ organization: Org${ORG}
+ connection:
+ timeout:
+ peer:
+ endorser: '300'
+organizations:
+ Org${ORG}:
+ mspid: Org${ORG}MSP
+ peers:
+ - peer0.org${ORG}.example.com
+ certificateAuthorities:
+ - ca.org${ORG}.example.com
+peers:
+ peer0.org${ORG}.example.com:
+ url: grpcs://localhost:${P0PORT}
+ tlsCACerts:
+ pem: |
+ ${PEERPEM}
+ grpcOptions:
+ ssl-target-name-override: peer0.org${ORG}.example.com
+ hostnameOverride: peer0.org${ORG}.example.com
+certificateAuthorities:
+ ca.org${ORG}.example.com:
+ url: https://localhost:${CAPORT}
+ caName: ca-org${ORG}
+ tlsCACerts:
+ pem: |
+ ${CAPEM}
+ httpOptions:
+ verify: false
diff --git a/test-network/addOrg6/configtx.yaml b/test-network/addOrg6/configtx.yaml
new file mode 100644
index 00000000..c515aafc
--- /dev/null
+++ b/test-network/addOrg6/configtx.yaml
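Review bot: `"httpOptions": { "verify": false }` under `ca.org${ORG}.example.com` disables TLS certificate verification for the `https://localhost:${CAPORT}` endpoint even though `tlsCACerts.pem` is filled in directly above it, so the CA certificate that ccp-generate.sh splices into this template is never actually checked by SDK clients that load the profile. That is a known convenience of the local test network, but JSON cannot carry a comment saying so, and the same `verify: false` appears in the ccp-template.yaml hunk below. A one-line comment there, e.g. `# test-network only: skips CA TLS verification; set to true and rely on tlsCACerts outside local dev`, plus a sentence in the README, would make the intent visible to anyone who copies these profiles elsewhere.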
@@ -0,0 +1,38 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+################################################################################
+#
+# Section: Organizations
+#
+# - This section defines the different organizational identities which will
+# be referenced later in the configuration.
+#
+################################################################################
+Organizations:
+ - &Org6
+ # DefaultOrg defines the organization which is used in the sampleconfig
+ # of the fabric.git development environment
+ Name: Org6MSP
+
+ # ID to load the MSP definition as
+ ID: Org6MSP
+
+ MSPDir: ../organizations/peerOrganizations/org6.example.com/msp
+
+ Policies:
+ Readers:
+ Type: Signature
+ Rule: "OR('Org6MSP.admin', 'Org6MSP.peer', 'Org6MSP.client')"
+ Writers:
+ Type: Signature
+ Rule: "OR('Org6MSP.admin', 'Org6MSP.client')"
+ Admins:
+ Type: Signature
+ Rule: "OR('Org6MSP.admin')"
+ Endorsement:
+ Type: Signature
+ Rule: "OR('Org6MSP.peer')"
diff --git a/test-network/addOrg6/docker/docker-compose-ca-org6.yaml b/test-network/addOrg6/docker/docker-compose-ca-org6.yaml
new file mode 100644
index 00000000..0dd48414
--- /dev/null
+++ b/test-network/addOrg6/docker/docker-compose-ca-org6.yaml
@@ -0,0 +1,27 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+version: '2'
+
+networks:
+ test:
+ name: fabric_test
+
+services:
+ ca_org6:
+ image: hyperledger/fabric-ca:latest
+ labels:
+ service: hyperledger-fabric
+ environment:
+ - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
+ - FABRIC_CA_SERVER_CA_NAME=ca-org6
+ - FABRIC_CA_SERVER_TLS_ENABLED=true
+ - FABRIC_CA_SERVER_PORT=17054
+ ports:
+ - "17054:17054"
+ command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
+ volumes:
+ - ../fabric-ca/org6:/etc/hyperledger/fabric-ca-server
+ container_name: ca_org6
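Review bot: In docker-compose-ca-org6.yaml the `ca_org6` service has no `networks:` entry (the 27-line hunk ends at `container_name: ca_org6`), so the top-level `networks: test: name: fabric_test` definition in this file is never referenced and the CA container is placed on the compose project's default network rather than on `fabric_test`, where the peer and CouchDB services in the sibling compose files attach themselves via `networks: - test`. The enrol calls in registerEnroll.sh go through the published `17054:17054` port on localhost, so this will not surface there; it will only bite when something inside `fabric_test` needs to reach `ca_org6` by name, so the service should get the same two lines `networks:` / `- test`. Separately, `command: sh -c 'fabric-ca-server start -b admin:adminpw -d'` starts the CA with `-d` (debug logging), which per the precedence the config file's own header documents overrides the `debug: false` in fabric-ca-server-config.yaml; either drop `-d` or add a comment such as `# -d: debug logging for the local test network, overrides debug: in the mounted config` so the two files do not appear to disagree.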
diff --git a/test-network/addOrg6/docker/docker-compose-couch-org6.yaml b/test-network/addOrg6/docker/docker-compose-couch-org6.yaml
new file mode 100644
index 00000000..4c8a5a0a
--- /dev/null
+++ b/test-network/addOrg6/docker/docker-compose-couch-org6.yaml
@@ -0,0 +1,42 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+version: '2'
+
+networks:
+ test:
+ name: fabric_test
+
+services:
+ couchdb4:
+ container_name: couchdb4
+ image: couchdb:3.1.1
+ labels:
+ service: hyperledger-fabric
+ # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
+ # for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode.
+ environment:
+ - COUCHDB_USER=admin
+ - COUCHDB_PASSWORD=adminpw
+ # Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service,
+ # for example map it to utilize Fauxton User Interface in dev environments.
+ ports:
+ - "9984:5984"
+ networks:
+ - test
+
+ peer0.org6.example.com:
+ environment:
+ - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
+ - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb4:5984
+ # The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD
+ # provide the credentials for ledger to connect to CouchDB. The username and password must
+ # match the username and password set for the associated CouchDB.
+ - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin
+ - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=adminpw
+ depends_on:
+ - couchdb4
+ networks:
+ - test
diff --git a/test-network/addOrg6/docker/docker-compose-org6.yaml b/test-network/addOrg6/docker/docker-compose-org6.yaml
new file mode 100644
index 00000000..52575d02
--- /dev/null
+++ b/test-network/addOrg6/docker/docker-compose-org6.yaml
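Review bot: The CouchDB service key, `container_name` and `depends_on` target are all `couchdb4` and the host port is `9984`, none of which is org6-specific, while every other identifier in this commit (`peer0.org6.example.com`, `ca_org6`, `17051`, `17054`) carries the org6 suffix or its port range. If this directory was cloned from an earlier addOrgN variant and others exist alongside it (not visible on this page), bringing two of them up would collide on the container name and on the published port; renaming to something like `couchdb6` in the four places it appears, and choosing a host port in the same scheme as `17051`/`17054`, keeps the file self-consistent either way.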
@@ -0,0 +1,52 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+version: '2'
+
+volumes:
+ peer0.org6.example.com:
+
+networks:
+ test:
+ name: fabric_test
+
+services:
+
+ peer0.org6.example.com:
+ container_name: peer0.org6.example.com
+ image: hyperledger/fabric-peer:latest
+ labels:
+ service: hyperledger-fabric
+ environment:
+ #Generic peer variables
+ - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
+ - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_test
+ - FABRIC_LOGGING_SPEC=INFO
+ #- FABRIC_LOGGING_SPEC=DEBUG
+ - CORE_PEER_TLS_ENABLED=true
+ - CORE_PEER_PROFILE_ENABLED=true
+ - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
+ - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
+ - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
+ # Peer specific variabes
+ - CORE_PEER_ID=peer0.org6.example.com
+ - CORE_PEER_ADDRESS=peer0.org6.example.com:17051
+ - CORE_PEER_LISTENADDRESS=0.0.0.0:17051
+ - CORE_PEER_CHAINCODEADDRESS=peer0.org6.example.com:17052
+ - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:17052
+ - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org6.example.com:17051
+ - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org6.example.com:17051
+ - CORE_PEER_LOCALMSPID=Org6MSP
+ volumes:
+ - /var/run/docker.sock:/host/var/run/docker.sock
+ - ../../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp:/etc/hyperledger/fabric/msp
+ - ../../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls:/etc/hyperledger/fabric/tls
+ - peer0.org6.example.com:/var/hyperledger/production
+ working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
+ command: peer node start
+ ports:
+ - 17051:17051
+ networks:
+ - test
diff --git a/test-network/addOrg6/fabric-ca/org6/fabric-ca-server-config.yaml b/test-network/addOrg6/fabric-ca/org6/fabric-ca-server-config.yaml
new file mode 100644
index 00000000..97cddeb1
--- /dev/null
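Review bot: `image: hyperledger/fabric-peer:latest` is an unpinned tag, while docker-compose-couch-org6.yaml in the same commit pins `couchdb:3.1.1`; a floating tag means the peer binary changes underneath the test network on the next pull, and `hyperledger/fabric-ca:latest` in docker-compose-ca-org6.yaml has the same problem, so both should be pinned to the release the rest of test-network is built against. The `/var/run/docker.sock:/host/var/run/docker.sock` mount paired with `CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock` hands the peer container the host Docker daemon, which is what the peer uses to launch chaincode containers; it is expected for this sample but is the most privileged line in the file and deserves a comment such as `# host docker socket: required for peer-launched chaincode containers; grants the peer full control of the host daemon`. Finally, `#- FABRIC_LOGGING_SPEC=DEBUG` and the `# Peer specific variabes` typo are copied from the other peer files; fixing the typo here keeps the org6 file from diverging further from them.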
+++ b/test-network/addOrg6/fabric-ca/org6/fabric-ca-server-config.yaml 
@@ -0,0 +1,406 @@ +############################################################################# +# This is a configuration file for the fabric-ca-server command. +# +# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES +# ------------------------------------------------ +# Each configuration element can be overridden via command line +# arguments or environment variables. The precedence for determining +# the value of each element is as follows: +# 1) command line argument +# Examples: +# a) --port 443 +# To set the listening port +# b) --ca.keyfile ../mykey.pem +# To set the "keyfile" element in the "ca" section below; +# note the '.' separator character. +# 2) environment variable +# Examples: +# a) FABRIC_CA_SERVER_PORT=443 +# To set the listening port +# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem" +# To set the "keyfile" element in the "ca" section below; +# note the '_' separator character. +# 3) configuration file +# 4) default value (if there is one) +# All default values are shown beside each element below. +# +# FILE NAME ELEMENTS +# ------------------ +# The value of all fields whose name ends with "file" or "files" are +# name or names of other files. +# For example, see "tls.certfile" and "tls.clientauth.certfiles". +# The value of each of these fields can be a simple filename, a +# relative path, or an absolute path. If the value is not an +# absolute path, it is interpretted as being relative to the location +# of this configuration file. 
+# +############################################################################# + +# Version of config file +version: 1.2.0 + +# Server's listening port (default: 7054) +port: 17054 + +# Enables debug logging (default: false) +debug: false + +# Size limit of an acceptable CRL in bytes (default: 512000) +crlsizelimit: 512000 + +############################################################################# +# TLS section for the server's listening port +# +# The following types are supported for client authentication: NoClientCert, +# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, +# and RequireAndVerifyClientCert. +# +# Certfiles is a list of root certificate authorities that the server uses +# when verifying client certificates. +############################################################################# +tls: + # Enable TLS (default: false) + enabled: true + # TLS for the server's listening port + certfile: + keyfile: + clientauth: + type: noclientcert + certfiles: + +############################################################################# +# The CA section contains information related to the Certificate Authority +# including the name of the CA, which should be unique for all members +# of a blockchain network. It also includes the key and certificate files +# used when issuing enrollment certificates (ECerts) and transaction +# certificates (TCerts). +# The chainfile (if it exists) contains the certificate chain which +# should be trusted for this CA, where the 1st in the chain is always the +# root CA certificate. 
+############################################################################# +ca: + # Name of this CA + name: Org6CA + # Key file (is only used to import a private key into BCCSP) + keyfile: + # Certificate file (default: ca-cert.pem) + certfile: + # Chain file + chainfile: + +############################################################################# +# The gencrl REST endpoint is used to generate a CRL that contains revoked +# certificates. This section contains configuration options that are used +# during gencrl request processing. +############################################################################# +crl: + # Specifies expiration for the generated CRL. The number of hours + # specified by this property is added to the UTC time, the resulting time + # is used to set the 'Next Update' date of the CRL. + expiry: 24h + +############################################################################# +# The registry section controls how the fabric-ca-server does two things: +# 1) authenticates enrollment requests which contain a username and password +# (also known as an enrollment ID and secret). +# 2) once authenticated, retrieves the identity's attribute names and +# values which the fabric-ca-server optionally puts into TCerts +# which it issues for transacting on the Hyperledger Fabric blockchain. +# These attributes are useful for making access control decisions in +# chaincode. +# There are two main configuration options: +# 1) The fabric-ca-server is the registry. +# This is true if "ldap.enabled" in the ldap section below is false. +# 2) An LDAP server is the registry, in which case the fabric-ca-server +# calls the LDAP server to perform these tasks. +# This is true if "ldap.enabled" in the ldap section below is true, +# which means this "registry" section is ignored. 
+############################################################################# +registry: + # Maximum number of times a password/secret can be reused for enrollment + # (default: -1, which means there is no limit) + maxenrollments: -1 + + # Contains identity information which is used when LDAP is disabled + identities: + - name: admin + pass: adminpw + type: client + affiliation: "" + attrs: + hf.Registrar.Roles: "*" + hf.Registrar.DelegateRoles: "*" + hf.Revoker: true + hf.IntermediateCA: true + hf.GenCRL: true + hf.Registrar.Attributes: "*" + hf.AffiliationMgr: true + +############################################################################# +# Database section +# Supported types are: "sqlite3", "postgres", and "mysql". +# The datasource value depends on the type. +# If the type is "sqlite3", the datasource value is a file name to use +# as the database store. Since "sqlite3" is an embedded database, it +# may not be used if you want to run the fabric-ca-server in a cluster. +# To run the fabric-ca-server in a cluster, you must choose "postgres" +# or "mysql". +############################################################################# +db: + type: sqlite3 + datasource: fabric-ca-server.db + tls: + enabled: false + certfiles: + client: + certfile: + keyfile: + +############################################################################# +# LDAP section +# If LDAP is enabled, the fabric-ca-server calls LDAP to: +# 1) authenticate enrollment ID and secret (i.e. username and password) +# for enrollment requests; +# 2) To retrieve identity attributes +############################################################################# +ldap: + # Enables or disables the LDAP client (default: false) + # If this is set to true, the "registry" section is ignored. 
+ enabled: false + # The URL of the LDAP server + url: ldap://:@:/ + # TLS configuration for the client connection to the LDAP server + tls: + certfiles: + client: + certfile: + keyfile: + # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes + attribute: + # 'names' is an array of strings containing the LDAP attribute names which are + # requested from the LDAP server for an LDAP identity's entry + names: ['uid','member'] + # The 'converters' section is used to convert an LDAP entry to the value of + # a fabric CA attribute. + # For example, the following converts an LDAP 'uid' attribute + # whose value begins with 'revoker' to a fabric CA attribute + # named "hf.Revoker" with a value of "true" (because the boolean expression + # evaluates to true). + # converters: + # - name: hf.Revoker + # value: attr("uid") =~ "revoker*" + converters: + - name: + value: + # The 'maps' section contains named maps which may be referenced by the 'map' + # function in the 'converters' section to map LDAP responses to arbitrary values. + # For example, assume a user has an LDAP attribute named 'member' which has multiple + # values which are each a distinguished name (i.e. a DN). For simplicity, assume the + # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'. + # Further assume the following configuration. + # converters: + # - name: hf.Registrar.Roles + # value: map(attr("member"),"groups") + # maps: + # groups: + # - name: dn1 + # value: peer + # - name: dn2 + # value: client + # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be + # "peer,client,dn3". This is because the value of 'attr("member")' is + # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of + # "group" replaces "dn1" with "peer" and "dn2" with "client". + maps: + groups: + - name: + value: + +############################################################################# +# Affiliations section. 
Fabric CA server can be bootstrapped with the +# affiliations specified in this section. Affiliations are specified as maps. +# For example: +# businessunit1: +# department1: +# - team1 +# businessunit2: +# - department2 +# - department3 +# +# Affiliations are hierarchical in nature. In the above example, +# department1 (used as businessunit1.department1) is the child of businessunit1. +# team1 (used as businessunit1.department1.team1) is the child of department1. +# department2 (used as businessunit2.department2) and department3 (businessunit2.department3) +# are children of businessunit2. +# Note: Affiliations are case sensitive except for the non-leaf affiliations +# (like businessunit1, department1, businessunit2) that are specified in the configuration file, +# which are always stored in lower case. +############################################################################# +affiliations: + org1: + - department1 + - department2 + org2: + - department1 + +############################################################################# +# Signing section +# +# The "default" subsection is used to sign enrollment certificates; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. +# +# The "ca" profile subsection is used to sign intermediate CA certificates; +# the default expiration ("expiry" field) is "43800h" which is 5 years in hours. +# Note that "isca" is true, meaning that it issues a CA certificate. +# A maxpathlen of 0 means that the intermediate CA cannot issue other +# intermediate CA certificates, though it can still issue end entity certificates. +# (See RFC 5280, section 4.2.1.9) +# +# The "tls" profile subsection is used to sign TLS certificate requests; +# the default expiration ("expiry" field) is "8760h", which is 1 year in hours. 
+############################################################################# +signing: + default: + usage: + - digital signature + expiry: 8760h + profiles: + ca: + usage: + - cert sign + - crl sign + expiry: 43800h + caconstraint: + isca: true + maxpathlen: 0 + tls: + usage: + - signing + - key encipherment + - server auth + - client auth + - key agreement + expiry: 8760h + +########################################################################### +# Certificate Signing Request (CSR) section. +# This controls the creation of the root CA certificate. +# The expiration for the root CA certificate is configured with the +# "ca.expiry" field below, whose default value is "131400h" which is +# 15 years in hours. +# The pathlength field is used to limit CA certificate hierarchy as described +# in section 4.2.1.9 of RFC 5280. +# Examples: +# 1) No pathlength value means no limit is requested. +# 2) pathlength == 1 means a limit of 1 is requested which is the default for +# a root CA. This means the root CA can issue intermediate CA certificates, +# but these intermediate CAs may not in turn issue other CA certificates +# though they can still issue end entity certificates. +# 3) pathlength == 0 means a limit of 0 is requested; +# this is the default for an intermediate CA, which means it can not issue +# CA certificates though it can still issue end entity certificates. 
+########################################################################### +csr: + cn: ca.org6.example.com + names: + - C: US + ST: "North Carolina" + L: "Raleigh" + O: org6.example.com + OU: + hosts: + - localhost + - org6.example.com + ca: + expiry: 131400h + pathlength: 1 + +############################################################################# +# BCCSP (BlockChain Crypto Service Provider) section is used to select which +# crypto library implementation to use +############################################################################# +bccsp: + default: SW + sw: + hash: SHA2 + security: 256 + filekeystore: + # The directory used for the software file-based keystore + keystore: msp/keystore + +############################################################################# +# Multi CA section +# +# Each Fabric CA server contains one CA by default. This section is used +# to configure multiple CAs in a single server. +# +# 1) --cacount +# Automatically generate non-default CAs. The names of these +# additional CAs are "ca1", "ca2", ... "caN", where "N" is +# This is particularly useful in a development environment to quickly set up +# multiple CAs. Note that, this config option is not applicable to intermediate CA server +# i.e., Fabric CA server that is started with intermediate.parentserver.url config +# option (-u command line option) +# +# 2) --cafiles +# For each CA config file in the list, generate a separate signing CA. Each CA +# config file in this list MAY contain all of the same elements as are found in +# the server config file except port, debug, and tls sections. 
+# +# Examples: +# fabric-ca-server start -b admin:adminpw --cacount 2 +# +# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml +# --cafiles ca/ca2/fabric-ca-server-config.yaml +# +############################################################################# + +cacount: + +cafiles: + +############################################################################# +# Intermediate CA section +# +# The relationship between servers and CAs is as follows: +# 1) A single server process may contain or function as one or more CAs. +# This is configured by the "Multi CA section" above. +# 2) Each CA is either a root CA or an intermediate CA. +# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA. +# +# This section pertains to configuration of #2 and #3. +# If the "intermediate.parentserver.url" property is set, +# then this is an intermediate CA with the specified parent +# CA. +# +# parentserver section +# url - The URL of the parent server +# caname - Name of the CA to enroll within the server +# +# enrollment section used to enroll intermediate CA with parent CA +# profile - Name of the signing profile to use in issuing the certificate +# label - Label to use in HSM operations +# +# tls section for secure socket connection +# certfiles - PEM-encoded list of trusted root certificate files +# client: +# certfile - PEM-encoded certificate file for when client authentication +# is enabled on server +# keyfile - PEM-encoded key file for when client authentication +# is enabled on server +############################################################################# +intermediate: + parentserver: + url: + caname: + + enrollment: + hosts: + profile: + label: + + tls: + certfiles: + client: + certfile: + keyfile: diff --git a/test-network/addOrg6/fabric-ca/registerEnroll.sh b/test-network/addOrg6/fabric-ca/registerEnroll.sh new file mode 100644 index 00000000..0fbb0e2e --- /dev/null 
+++ b/test-network/addOrg6/fabric-ca/registerEnroll.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash +# +# Copyright IBM Corp All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# + +function createOrg6 { + infoln "Enrolling the CA admin" + mkdir -p ../organizations/peerOrganizations/org6.example.com/ + + export FABRIC_CA_CLIENT_HOME=${PWD}/../organizations/peerOrganizations/org6.example.com/ + + set -x + fabric-ca-client enroll -u https://admin:adminpw@localhost:17054 --caname ca-org6 --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + echo 'NodeOUs: + Enable: true + ClientOUIdentifier: + Certificate: cacerts/localhost-17054-ca-org6.pem + OrganizationalUnitIdentifier: client + PeerOUIdentifier: + Certificate: cacerts/localhost-17054-ca-org6.pem + OrganizationalUnitIdentifier: peer + AdminOUIdentifier: + Certificate: cacerts/localhost-17054-ca-org6.pem + OrganizationalUnitIdentifier: admin + OrdererOUIdentifier: + Certificate: cacerts/localhost-17054-ca-org6.pem + OrganizationalUnitIdentifier: orderer' > "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" + + infoln "Registering peer0" + set -x + fabric-ca-client register --caname ca-org6 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + infoln "Registering user" + set -x + fabric-ca-client register --caname ca-org6 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + infoln "Registering the org admin" + set -x + fabric-ca-client register --caname ca-org6 --id.name org6admin --id.secret org6adminpw --id.type admin --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + infoln "Generating the peer0 msp" + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp" --csr.hosts peer0.org6.example.com 
--tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp/config.yaml" + + infoln "Generating the peer0-tls certificates" + set -x + fabric-ca-client enroll -u https://peer0:peer0pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls" --enrollment.profile tls --csr.hosts peer0.org6.example.com --csr.hosts localhost --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/ca.crt" + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/signcerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/server.crt" + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/keystore/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/server.key" + + mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/tlscacerts" + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/tlscacerts/ca.crt" + + mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/tlsca" + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/tlsca/tlsca.org6.example.com-cert.pem" + + mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/ca" + cp 
"${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp/cacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/ca/ca.org6.example.com-cert.pem" + + infoln "Generating the user msp" + set -x + fabric-ca-client enroll -u https://user1:user1pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/users/User1@org6.example.com/msp" --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/users/User1@org6.example.com/msp/config.yaml" + + infoln "Generating the org admin msp" + set -x + fabric-ca-client enroll -u https://org6admin:org6adminpw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/users/Admin@org6.example.com/msp" --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem" + { set +x; } 2>/dev/null + + cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/users/Admin@org6.example.com/msp/config.yaml" +} diff --git a/test-network/addOrg6/org6-crypto.yaml b/test-network/addOrg6/org6-crypto.yaml new file mode 100644 index 00000000..8b97e3d7 --- /dev/null +++ b/test-network/addOrg6/org6-crypto.yaml 
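Review bot: Every `fabric-ca-client enroll` and `register` call in `createOrg6` runs with its exit status unchecked, and the `{ set +x; } 2>/dev/null` that follows each one resets `$?` to 0, so a failed enrollment (for example the CA on localhost:17054 not yet accepting connections) is silently followed by the `cp` steps, which then fail on missing files while the function itself still returns success. The whole of `createOrg6` is inside this hunk, so the fix is local: capture the status before the trace is switched off, e.g. `fabric-ca-client enroll ...; rc=$?` then `{ set +x; } 2>/dev/null` then `[ "$rc" -eq 0 ] || return "$rc"`, and the same for the three `register` calls; whether the sourcing script runs under `set -e` is not visible from here, so the check should not rely on it. The identity secrets (`adminpw`, `peer0pw`, `user1pw`, `org6adminpw`) are fixed in the enrollment URLs and, because each call is wrapped in `set -x`, are written to stderr in the trace, which matters if that output is captured to a log. A header comment such as `# Sample-only: the identity secrets below are fixed test-network defaults and are echoed by the set -x trace.` would make that explicit for anyone adapting the script. The later `mkdir` calls for `msp/tlscacerts`, `tlsca` and `ca` lack `-p`, so a second invocation of `createOrg6` against an existing tree prints "File exists" errors; `mkdir -p` as used at the top of the function would be consistent.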
@@ -0,0 +1,21 @@ +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# --------------------------------------------------------------------------- +# "PeerOrgs" - Definition of organizations managing peer nodes +# --------------------------------------------------------------------------- +PeerOrgs: + # --------------------------------------------------------------------------- + # Org6 + # --------------------------------------------------------------------------- + - Name: Org6 + Domain: org6.example.com + EnableNodeOUs: true + Template: + Count: 1 + SANS: + - localhost + Users: + Count: 1