epistemophiliac/fabric-samples
1
0
Fork 0
mirror of https://github.com/hyperledger/fabric-samples.git synced 2026-06-26 03:25:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

ORG6 setup

Browse source
This commit is contained in:
Kurt Seifried 2021-03-16 20:49:00 -06:00
parent 7b5ae169e7
commit 013162df0d
No known key found for this signature in database
GPG key ID: F15CADC4A00F8174
12 changed files with 1083 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
test-network/addOrg6/README.md Normal file
View file

@ -0,0 +1,28 @@
## Adding Org6 to the test network
You can use the `addOrg6.sh` script to add another organization to the Fabric test network. The `addOrg6.sh` script generates the Org6 crypto material, creates an Org6 organization definition, and adds Org6 to a channel on the test network.
You first need to run `./network.sh up createChannel` in the `test-network` directory before you can run the `addOrg6.sh` script.
```
./network.sh up createChannel
cd addOrg6
./addOrg6.sh up
```
If you used `network.sh` to create a channel other than the default `mychannel`, you need pass that name to the `addorg6.sh` script.
```
./network.sh up createChannel -c channel1
cd addOrg6
./addOrg6.sh up -c channel1
```
You can also re-run the `addOrg6.sh` script to add Org6 to additional channels.
```
cd ..
./network.sh createChannel -c channel2
cd addOrg6
./addOrg6.sh up -c channel2
```
For more information, use `./addOrg6.sh -h` to see the `addOrg6.sh` help text.

263
test-network/addOrg6/addOrg6.sh Normal file
View file

@ -0,0 +1,263 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# This script extends the Hyperledger Fabric test network by adding
# adding a third organization to the network
#
# prepending $PWD/../bin to PATH to ensure we are picking up the correct binaries
# this may be commented out to resolve installed version of tools if desired
export PATH=${PWD}/../../bin:${PWD}:$PATH
export FABRIC_CFG_PATH=${PWD}
export VERBOSE=false
. ../scripts/utils.sh
# Print the usage message
function printHelp () {
echo "Usage: "
echo " addOrg6.sh up|down|generate [-c <channel name>] [-t <timeout>] [-d <delay>] [-f <docker-compose-file>] [-s <dbtype>]"
echo " addOrg6.sh -h|--help (print this message)"
echo " <mode> - one of 'up', 'down', or 'generate'"
echo " - 'up' - add org6 to the sample network. You need to bring up the test network and create a channel first."
echo " - 'down' - bring down the test network and org6 nodes"
echo " - 'generate' - generate required certificates and org definition"
echo " -c <channel name> - test network channel name (defaults to \"mychannel\")"
echo " -ca <use CA> - Use a CA to generate the crypto material"
echo " -t <timeout> - CLI timeout duration in seconds (defaults to 10)"
echo " -d <delay> - delay duration in seconds (defaults to 3)"
echo " -s <dbtype> - the database backend to use: goleveldb (default) or couchdb"
echo " -verbose - verbose mode"
echo
echo "Typically, one would first generate the required certificates and "
echo "genesis block, then bring up the network. e.g.:"
echo
echo " addOrg6.sh generate"
echo " addOrg6.sh up"
echo " addOrg6.sh up -c mychannel -s couchdb"
echo " addOrg6.sh down"
echo
echo "Taking all defaults:"
echo " addOrg6.sh up"
echo " addOrg6.sh down"
}
# We use the cryptogen tool to generate the cryptographic material
# (x509 certs) for the new org. After we run the tool, the certs will
# be put in the organizations folder with org1 and org2
# Create Organziation crypto material using cryptogen or CAs
function generateOrg6() {
# Create crypto material using cryptogen
if [ "$CRYPTO" == "cryptogen" ]; then
which cryptogen
if [ "$?" -ne 0 ]; then
fatalln "cryptogen tool not found. exiting"
fi
infoln "Generating certificates using cryptogen tool"
infoln "Creating Org6 Identities"
set -x
cryptogen generate --config=org6-crypto.yaml --output="../organizations"
res=$?
{ set +x; } 2>/dev/null
if [ $res -ne 0 ]; then
fatalln "Failed to generate certificates..."
fi
fi
# Create crypto material using Fabric CA
if [ "$CRYPTO" == "Certificate Authorities" ]; then
fabric-ca-client version > /dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo "ERROR! fabric-ca-client binary not found.."
echo
echo "Follow the instructions in the Fabric docs to install the Fabric Binaries:"
echo "https://hyperledger-fabric.readthedocs.io/en/latest/install.html"
exit 1
fi
infoln "Generating certificates using Fabric CA"
docker-compose -f $COMPOSE_FILE_CA_ORG6 up -d 2>&1
. fabric-ca/registerEnroll.sh
sleep 10
infoln "Creating Org6 Identities"
createOrg6
fi
infoln "Generating CCP files for Org6"
./ccp-generate.sh
}
# Generate channel configuration transaction
function generateOrg6Definition() {
which configtxgen
if [ "$?" -ne 0 ]; then
fatalln "configtxgen tool not found. exiting"
fi
infoln "Generating Org6 organization definition"
export FABRIC_CFG_PATH=$PWD
set -x
configtxgen -printOrg Org6MSP > ../organizations/peerOrganizations/org6.example.com/org6.json
res=$?
{ set +x; } 2>/dev/null
if [ $res -ne 0 ]; then
fatalln "Failed to generate Org6 organization definition..."
fi
}
function Org6Up () {
# start org6 nodes
if [ "${DATABASE}" == "couchdb" ]; then
docker-compose -f $COMPOSE_FILE_ORG6 -f $COMPOSE_FILE_COUCH_ORG6 up -d 2>&1
else
docker-compose -f $COMPOSE_FILE_ORG6 up -d 2>&1
fi
if [ $? -ne 0 ]; then
fatalln "ERROR !!!! Unable to start Org6 network"
fi
}
# Generate the needed certificates, the genesis block and start the network.
function addOrg6 () {
# If the test network is not up, abort
if [ ! -d ../organizations/ordererOrganizations ]; then
fatalln "ERROR: Please, run ./network.sh up createChannel first."
fi
# generate artifacts if they don't exist
if [ ! -d "../organizations/peerOrganizations/org6.example.com" ]; then
generateOrg6
generateOrg6Definition
fi
infoln "Bringing up Org6 peer"
Org6Up
# Use the CLI container to create the configuration transaction needed to add
# Org6 to the network
infoln "Generating and submitting config tx to add Org6"
docker exec cli ./scripts/org6-scripts/updateChannelConfig.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE
if [ $? -ne 0 ]; then
fatalln "ERROR !!!! Unable to create config tx"
fi
infoln "Joining Org6 peers to network"
docker exec cli ./scripts/org6-scripts/joinChannel.sh $CHANNEL_NAME $CLI_DELAY $CLI_TIMEOUT $VERBOSE
if [ $? -ne 0 ]; then
fatalln "ERROR !!!! Unable to join Org6 peers to network"
fi
}
# Tear down running network
function networkDown () {
cd ..
./network.sh down
}
# Using crpto vs CA. default is cryptogen
CRYPTO="cryptogen"
# timeout duration - the duration the CLI should wait for a response from
# another container before giving up
CLI_TIMEOUT=10
#default for delay
CLI_DELAY=3
# channel name defaults to "mychannel"
CHANNEL_NAME="mychannel"
# use this as the docker compose couch file
COMPOSE_FILE_COUCH_ORG6=docker/docker-compose-couch-org6.yaml
# use this as the default docker-compose yaml definition
COMPOSE_FILE_ORG6=docker/docker-compose-org6.yaml
# certificate authorities compose file
COMPOSE_FILE_CA_ORG6=docker/docker-compose-ca-org6.yaml
# database
DATABASE="leveldb"
# Parse commandline args
## Parse mode
if [[ $# -lt 1 ]] ; then
printHelp
exit 0
else
MODE=$1
shift
fi
# parse flags
while [[ $# -ge 1 ]] ; do
key="$1"
case $key in
-h )
printHelp
exit 0
;;
-c )
CHANNEL_NAME="$2"
shift
;;
-ca )
CRYPTO="Certificate Authorities"
;;
-t )
CLI_TIMEOUT="$2"
shift
;;
-d )
CLI_DELAY="$2"
shift
;;
-s )
DATABASE="$2"
shift
;;
-verbose )
VERBOSE=true
shift
;;
* )
errorln "Unknown flag: $key"
printHelp
exit 1
;;
esac
shift
done
# Determine whether starting, stopping, restarting or generating for announce
if [ "$MODE" == "up" ]; then
infoln "Adding org6 to channel '${CHANNEL_NAME}' with '${CLI_TIMEOUT}' seconds and CLI delay of '${CLI_DELAY}' seconds and using database '${DATABASE}'"
echo
elif [ "$MODE" == "down" ]; then
EXPMODE="Stopping network"
elif [ "$MODE" == "generate" ]; then
EXPMODE="Generating certs and organization definition for Org6"
else
printHelp
exit 1
fi
#Create the network using docker compose
if [ "${MODE}" == "up" ]; then
addOrg6
elif [ "${MODE}" == "down" ]; then ## Clear the network
networkDown
elif [ "${MODE}" == "generate" ]; then ## Generate Artifacts
generateOrg6
generateOrg6Definition
else
printHelp
exit 1
fi

36
test-network/addOrg6/ccp-generate.sh Normal file
View file

@ -0,0 +1,36 @@
#!/bin/bash
function one_line_pem {
echo "`awk 'NF {sub(/\\n/, ""); printf "%s\\\\\\\n",$0;}' $1`"
}
function json_ccp {
local PP=$(one_line_pem $4)
local CP=$(one_line_pem $5)
sed -e "s/\${ORG}/$1/" \
-e "s/\${P0PORT}/$2/" \
-e "s/\${CAPORT}/$3/" \
-e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
ccp-template.json
}
function yaml_ccp {
local PP=$(one_line_pem $4)
local CP=$(one_line_pem $5)
sed -e "s/\${ORG}/$1/" \
-e "s/\${P0PORT}/$2/" \
-e "s/\${CAPORT}/$3/" \
-e "s#\${PEERPEM}#$PP#" \
-e "s#\${CAPEM}#$CP#" \
ccp-template.yaml | sed -e $'s/\\\\n/\\\n /g'
}
ORG=6
P0PORT=17051
CAPORT=17054
PEERPEM=../organizations/peerOrganizations/org6.example.com/tlsca/tlsca.org6.example.com-cert.pem
CAPEM=../organizations/peerOrganizations/org6.example.com/ca/ca.org6.example.com-cert.pem
echo "$(json_ccp $ORG $P0PORT $CAPORT $PEERPEM $CAPEM)" > ../organizations/peerOrganizations/org6.example.com/connection-org6.json
echo "$(yaml_ccp $ORG $P0PORT $CAPORT $PEERPEM $CAPEM)" > ../organizations/peerOrganizations/org6.example.com/connection-org6.yaml

49
test-network/addOrg6/ccp-template.json Normal file
View file

@ -0,0 +1,49 @@
{
"name": "test-network-org${ORG}",
"version": "1.0.0",
"client": {
"organization": "Org${ORG}",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
}
}
}
},
"organizations": {
"Org${ORG}": {
"mspid": "Org${ORG}MSP",
"peers": [
"peer0.org${ORG}.example.com"
],
"certificateAuthorities": [
"ca.org${ORG}.example.com"
]
}
},
"peers": {
"peer0.org${ORG}.example.com": {
"url": "grpcs://localhost:${P0PORT}",
"tlsCACerts": {
"pem": "${PEERPEM}"
},
"grpcOptions": {
"ssl-target-name-override": "peer0.org${ORG}.example.com",
"hostnameOverride": "peer0.org${ORG}.example.com"
}
}
},
"certificateAuthorities": {
"ca.org${ORG}.example.com": {
"url": "https://localhost:${CAPORT}",
"caName": "ca-org${ORG}",
"tlsCACerts": {
"pem": "${CAPEM}"
},
"httpOptions": {
"verify": false
}
}
}
}

34
test-network/addOrg6/ccp-template.yaml Normal file
View file

@ -0,0 +1,34 @@
---
name: test-network-org${ORG}
version: 1.0.0
client:
organization: Org${ORG}
connection:
timeout:
peer:
endorser: '300'
organizations:
Org${ORG}:
mspid: Org${ORG}MSP
peers:
- peer0.org${ORG}.example.com
certificateAuthorities:
- ca.org${ORG}.example.com
peers:
peer0.org${ORG}.example.com:
url: grpcs://localhost:${P0PORT}
tlsCACerts:
pem: |
${PEERPEM}
grpcOptions:
ssl-target-name-override: peer0.org${ORG}.example.com
hostnameOverride: peer0.org${ORG}.example.com
certificateAuthorities:
ca.org${ORG}.example.com:
url: https://localhost:${CAPORT}
caName: ca-org${ORG}
tlsCACerts:
pem: |
${CAPEM}
httpOptions:
verify: false

38
test-network/addOrg6/configtx.yaml Normal file
View file

@ -0,0 +1,38 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
- &Org6
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org6MSP
# ID to load the MSP definition as
ID: Org6MSP
MSPDir: ../organizations/peerOrganizations/org6.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org6MSP.admin', 'Org6MSP.peer', 'Org6MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org6MSP.admin', 'Org6MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org6MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org6MSP.peer')"

27
test-network/addOrg6/docker/docker-compose-ca-org6.yaml Normal file
View file

@ -0,0 +1,27 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
networks:
test:
name: fabric_test
services:
ca_org6:
image: hyperledger/fabric-ca:latest
labels:
service: hyperledger-fabric
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org6
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_PORT=17054
ports:
- "17054:17054"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ../fabric-ca/org6:/etc/hyperledger/fabric-ca-server
container_name: ca_org6

42
test-network/addOrg6/docker/docker-compose-couch-org6.yaml Normal file
View file

@ -0,0 +1,42 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
networks:
test:
name: fabric_test
services:
couchdb4:
container_name: couchdb4
image: couchdb:3.1.1
labels:
service: hyperledger-fabric
# Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
# for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode.
environment:
- COUCHDB_USER=admin
- COUCHDB_PASSWORD=adminpw
# Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service,
# for example map it to utilize Fauxton User Interface in dev environments.
ports:
- "9984:5984"
networks:
- test
peer0.org6.example.com:
environment:
- CORE_LEDGER_STATE_STATEDATABASE=CouchDB
- CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb4:5984
# The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD
# provide the credentials for ledger to connect to CouchDB. The username and password must
# match the username and password set for the associated CouchDB.
- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin
- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=adminpw
depends_on:
- couchdb4
networks:
- test

52
test-network/addOrg6/docker/docker-compose-org6.yaml Normal file
View file

@ -0,0 +1,52 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
volumes:
peer0.org6.example.com:
networks:
test:
name: fabric_test
services:
peer0.org6.example.com:
container_name: peer0.org6.example.com
image: hyperledger/fabric-peer:latest
labels:
service: hyperledger-fabric
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=fabric_test
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variabes
- CORE_PEER_ID=peer0.org6.example.com
- CORE_PEER_ADDRESS=peer0.org6.example.com:17051
- CORE_PEER_LISTENADDRESS=0.0.0.0:17051
- CORE_PEER_CHAINCODEADDRESS=peer0.org6.example.com:17052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:17052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org6.example.com:17051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org6.example.com:17051
- CORE_PEER_LOCALMSPID=Org6MSP
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- ../../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp:/etc/hyperledger/fabric/msp
- ../../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls:/etc/hyperledger/fabric/tls
- peer0.org6.example.com:/var/hyperledger/production
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
ports:
- 17051:17051
networks:
- test

406
test-network/addOrg6/fabric-ca/org6/fabric-ca-server-config.yaml Normal file
View file

@ -0,0 +1,406 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpretted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.2.0
# Server's listening port (default: 7054)
port: 17054
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: Org6CA
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: admin
pass: adminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: ca.org6.example.com
names:
- C: US
ST: "North Carolina"
L: "Raleigh"
O: org6.example.com
OU:
hosts:
- localhost
- org6.example.com
ca:
expiry: 131400h
pathlength: 1
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:

87
test-network/addOrg6/fabric-ca/registerEnroll.sh Normal file
View file

@ -0,0 +1,87 @@
#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
function createOrg6 {
infoln "Enrolling the CA admin"
mkdir -p ../organizations/peerOrganizations/org6.example.com/
export FABRIC_CA_CLIENT_HOME=${PWD}/../organizations/peerOrganizations/org6.example.com/
set -x
fabric-ca-client enroll -u https://admin:adminpw@localhost:17054 --caname ca-org6 --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
echo 'NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/localhost-17054-ca-org6.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/localhost-17054-ca-org6.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/localhost-17054-ca-org6.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/localhost-17054-ca-org6.pem
OrganizationalUnitIdentifier: orderer' > "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml"
infoln "Registering peer0"
set -x
fabric-ca-client register --caname ca-org6 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
infoln "Registering user"
set -x
fabric-ca-client register --caname ca-org6 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
infoln "Registering the org admin"
set -x
fabric-ca-client register --caname ca-org6 --id.name org6admin --id.secret org6adminpw --id.type admin --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
infoln "Generating the peer0 msp"
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp" --csr.hosts peer0.org6.example.com --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp/config.yaml"
infoln "Generating the peer0-tls certificates"
set -x
fabric-ca-client enroll -u https://peer0:peer0pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls" --enrollment.profile tls --csr.hosts peer0.org6.example.com --csr.hosts localhost --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/ca.crt"
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/signcerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/server.crt"
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/keystore/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/server.key"
mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/tlscacerts"
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/tlscacerts/ca.crt"
mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/tlsca"
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/tls/tlscacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/tlsca/tlsca.org6.example.com-cert.pem"
mkdir "${PWD}/../organizations/peerOrganizations/org6.example.com/ca"
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/peers/peer0.org6.example.com/msp/cacerts/"* "${PWD}/../organizations/peerOrganizations/org6.example.com/ca/ca.org6.example.com-cert.pem"
infoln "Generating the user msp"
set -x
fabric-ca-client enroll -u https://user1:user1pw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/users/User1@org6.example.com/msp" --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/users/User1@org6.example.com/msp/config.yaml"
infoln "Generating the org admin msp"
set -x
fabric-ca-client enroll -u https://org6admin:org6adminpw@localhost:17054 --caname ca-org6 -M "${PWD}/../organizations/peerOrganizations/org6.example.com/users/Admin@org6.example.com/msp" --tls.certfiles "${PWD}/fabric-ca/org6/tls-cert.pem"
{ set +x; } 2>/dev/null
cp "${PWD}/../organizations/peerOrganizations/org6.example.com/msp/config.yaml" "${PWD}/../organizations/peerOrganizations/org6.example.com/users/Admin@org6.example.com/msp/config.yaml"
}

21
test-network/addOrg6/org6-crypto.yaml Normal file
View file

@ -0,0 +1,21 @@
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org6
# ---------------------------------------------------------------------------
- Name: Org6
Domain: org6.example.com
EnableNodeOUs: true
Template:
Count: 1
SANS:
- localhost
Users:
Count: 1