epistemophiliac/fabric-samples
1
0
Fork 0
mirror of https://github.com/hyperledger/fabric-samples.git synced 2026-06-17 15:35:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add CA capability to test-network-nano-bash

Browse source 
This change adds:
- shell scripts to start CAs for each org
- optional flag (-c) to network.sh to start CAs
- generate crypto material in the same format as cryptogen using the CAs
- describe how to start the CAs using terminals

Signed-off-by: Chris Elder <celder@chriss-mbp.raleigh.ibm.com>
This commit is contained in:
Chris Elder 2024-05-23 11:08:06 -04:00 committed by Dave Enyeart
parent 92f028c08d
commit 3c63eac4e3
13 changed files with 1451 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
test-network-nano-bash/.gitignore vendored
View file

@ -1,6 +1,7 @@
channel-artifacts/ channel-artifacts/
crypto-config/ crypto-config/
data/ data/
data_ca/
logs/ logs/
*.gz *.gz
chaincode-external/ chaincode-external/

15
test-network-nano-bash/README.md
View file

@ -59,6 +59,16 @@ If you have trouble running bash scripts in your environment, you can just as ea
Note the syntax of running the scripts. The peer admin scripts set the admin environment variables and must be run with the `source` command in order that the exported environment variables can be utilized by any subsequent user commands. Note the syntax of running the scripts. The peer admin scripts set the admin environment variables and must be run with the `source` command in order that the exported environment variables can be utilized by any subsequent user commands.
## Running each component separately with CAs
These instructions are for running the CAs from terminal sessions. Open terminal windows for 3 CAs as seen in the following terminal setup. These instructions should be followd before opening the ordering and peer windows described above.
![CA Terminal setup](ca_terminal_setup.png)
- cd to the `test-network-nano-bash` directory in each terminal window
- Before running the `./generate_artifacts.sh -ca` in the first orderer terminal, run `./ordererca.sh`, `./org1ca.sh`, `./org2ca.sh` in the repsective terminals.
- In the first orderer terminal, run `./generate_artifacts.sh -ca` to generate crypto material using the CAs and application channel genesis block and configuration transactions (calls configtxgen). The artifacts will be created in the `crypto-config` and `channel-artifacts` directories. If you are running BFT consensus then run `./generate_artifacts.sh BFT -ca`. All artifacts generated with the CA will conform to the same directory structure as cryptogen.
## Starting the network with one command ## Starting the network with one command
Using the individual scripts above gives you more control of the process of starting a Fabric network and demonstrates how all the required components fit together, however the same network can also be started using a single script for convenience. Using the individual scripts above gives you more control of the process of starting a Fabric network and demonstrates how all the required components fit together, however the same network can also be started using a single script for convenience.
@ -73,6 +83,11 @@ For BFT consensus type:
./network.sh start -o BFT ./network.sh start -o BFT
``` ```
For Raft consensus type using CAs:
```shell
./network.sh start -ca
```
After the network has started, use separate terminals to run peer commands. After the network has started, use separate terminals to run peer commands.
You will need to configure the peer environment for each new terminal. You will need to configure the peer environment for each new terminal.
For example to run against peer1, use: For example to run against peer1, use:

511
test-network-nano-bash/ca/ca_config/ca/fabric-ca-server-config.yaml Normal file
View file

@ -0,0 +1,511 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: v1.5.9
# Server's listening port (default: 7054)
port: 7052
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: ca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
# Ignore Certificate Expiration in the case of re-enroll
reenrollIgnoreCertExpiry: false
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and values.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: admin
pass: adminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: ../db/fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
usage:
- digital signature
expiry: 8760h
profiles:
ca:
usage:
- cert sign
- crl sign
expiry: 43800h
caconstraint:
isca: true
maxpathlen: 0
tls:
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
expiry: 8760h
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
# The "hosts" field will be used to specify Subject Alternative Names
# if the server creates a self-signed TLS certificate.
###########################################################################
csr:
cn: fabric-ca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- chriss-mbp.raleigh.ibm.com
- localhost
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the isuser to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
# Specifies the Elliptic Curve used by Identity Mixer.
# It can be any of: {"amcl.Fp256bn", "gurvy.Bn254", "amcl.Fp256Miraclbn"}.
# If unspecified, it defaults to 'amcl.Fp256bn'.
curve: amcl.Fp256bn
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
- ../tlsca/fabric-ca-server-config.yaml
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd metrics
prefix: server

494
test-network-nano-bash/ca/ca_config/tlsca/fabric-ca-server-config.yaml Normal file
View file

@ -0,0 +1,494 @@
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca.keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '.' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpretted as being relative to the location
# of this configuration file.
#
#############################################################################
# Version of config file
version: 1.4.9
# Server's listening port (default: 7054)
port: 7054
# Cross-Origin Resource Sharing (CORS)
cors:
enabled: false
origins:
- "*"
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
# Enable TLS (default: false)
enabled: true
# TLS for the server's listening port
certfile:
keyfile:
clientauth:
type: noclientcert
certfiles:
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
# Name of this CA
name: tlsca
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
# Specifies expiration for the generated CRL. The number of hours
# specified by this property is added to the UTC time, the resulting time
# is used to set the 'Next Update' date of the CRL.
expiry: 24h
#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
# (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
# values which the fabric-ca-server optionally puts into TCerts
# which it issues for transacting on the Hyperledger Fabric blockchain.
# These attributes are useful for making access control decisions in
# chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
# This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
# calls the LDAP server to perform these tasks.
# This is true if "ldap.enabled" in the ldap section below is true,
# which means this "registry" section is ignored.
#############################################################################
registry:
# Maximum number of times a password/secret can be reused for enrollment
# (default: -1, which means there is no limit)
maxenrollments: -1
# Contains identity information which is used when LDAP is disabled
identities:
- name: admin
pass: adminpw
type: client
affiliation: ""
attrs:
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
type: sqlite3
datasource: ../db/fabric-ca-server.db
tls:
enabled: false
certfiles:
client:
certfile:
keyfile:
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
# Enables or disables the LDAP client (default: false)
# If this is set to true, the "registry" section is ignored.
enabled: false
# The URL of the LDAP server
url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
# TLS configuration for the client connection to the LDAP server
tls:
certfiles:
client:
certfile:
keyfile:
# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
attribute:
# 'names' is an array of strings containing the LDAP attribute names which are
# requested from the LDAP server for an LDAP identity's entry
names: ['uid','member']
# The 'converters' section is used to convert an LDAP entry to the value of
# a fabric CA attribute.
# For example, the following converts an LDAP 'uid' attribute
# whose value begins with 'revoker' to a fabric CA attribute
# named "hf.Revoker" with a value of "true" (because the boolean expression
# evaluates to true).
# converters:
# - name: hf.Revoker
# value: attr("uid") =~ "revoker*"
converters:
- name:
value:
# The 'maps' section contains named maps which may be referenced by the 'map'
# function in the 'converters' section to map LDAP responses to arbitrary values.
# For example, assume a user has an LDAP attribute named 'member' which has multiple
# values which are each a distinguished name (i.e. a DN). For simplicity, assume the
# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
# Further assume the following configuration.
# converters:
# - name: hf.Registrar.Roles
# value: map(attr("member"),"groups")
# maps:
# groups:
# - name: dn1
# value: peer
# - name: dn2
# value: client
# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
# "peer,client,dn3". This is because the value of 'attr("member")' is
# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
# "group" replaces "dn1" with "peer" and "dn2" with "client".
maps:
groups:
- name:
value:
#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
# businessunit1:
# department1:
# - team1
# businessunit2:
# - department2
# - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
org1:
- department1
- department2
org2:
- department1
#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
default:
authremote: {}
caconstraint: {}
expiry: 131400h0m0s
usage:
- signing
- key encipherment
- server auth
- client auth
- key agreement
profiles: null
###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
# a root CA. This means the root CA can issue intermediate CA certificates,
# but these intermediate CAs may not in turn issue other CA certificates
# though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
# this is the default for an intermediate CA, which means it can not issue
# CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
cn: fabric-tlsca-server
keyrequest:
algo: ecdsa
size: 256
names:
- C: US
ST: "North Carolina"
L:
O: Hyperledger
OU: Fabric
hosts:
- localhost
- 127.0.0.1
ca:
expiry: 131400h
pathlength: 1
###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
# Idemix credential. The issuer will create a pool revocation handles of this specified size. When
# a credential is requested, issuer will get handle from the pool and assign it to the credential.
# Issuer will repopulate the pool with new handles when the last handle in the pool is used.
# A revocation handle and credential revocation information (CRI) are used to create non revocation proof
# by the prover to prove to the verifier that her credential is not revoked.
rhpoolsize: 1000
# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
# and second step is send credential request that is constructed using the nonce to the isuser to
# request a credential. This configuration property specifies expiration for the nonces. By default is
# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
nonceexpiration: 15s
# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
noncesweepinterval: 15m
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
default: SW
sw:
hash: SHA2
security: 256
filekeystore:
# The directory used for the software file-based keystore
keystore: msp/keystore
#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:
#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
# This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
# url - The URL of the parent server
# caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
# profile - Name of the signing profile to use in issuing the certificate
# label - Label to use in HSM operations
#
# tls section for secure socket connection
# certfiles - PEM-encoded list of trusted root certificate files
# client:
# certfile - PEM-encoded certificate file for when client authentication
# is enabled on server
# keyfile - PEM-encoded key file for when client authentication
# is enabled on server
#############################################################################
intermediate:
parentserver:
url:
caname:
enrollment:
hosts:
profile:
label:
tls:
certfiles:
client:
certfile:
keyfile:
#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
identities:
passwordattempts: 10
###############################################################################
#
# Operations section
#
###############################################################################
operations:
# host and port for the operations server
listenAddress: 127.0.0.1:9443
# TLS configuration for the operations endpoint
tls:
# TLS enabled
enabled: false
# path to PEM encoded server certificate for the operations server
cert:
file:
# path to PEM encoded server key for the operations server
key:
file:
# require client certificate authentication to access all resources
clientAuthRequired: false
# paths to PEM encoded ca certificates to trust for client authentication
clientRootCAs:
files: []
###############################################################################
#
# Metrics section
#
###############################################################################
metrics:
# statsd, prometheus, or disabled
provider: disabled
# statsd configuration
statsd:
# network type: tcp or udp
network: udp
# statsd server address
address: 127.0.0.1:8125
# the interval at which locally cached counters and gauges are pushsed
# to statsd; timings are pushed immediately
writeInterval: 10s
# prefix is prepended to all emitted statsd merics
prefix: server

117
test-network-nano-bash/ca/ca_utils.sh Executable file
View file

@ -0,0 +1,117 @@
#!/usr/bin/env sh
#
# SPDX-License-Identifier: Apache-2.0
#
######################################################################################
# createEnrollment()
#
# This is a convenience method for creating enrollments only
# Primary purpose it to create enrollment certificates for CA admins.
######################################################################################
function createEnrollment() {
local port=$1 # port of the CA used for creating the enrollment
local username=$2 # username of the registered user on the CA
local password=$3 # password of the registered user on the CA
local orgname=$4 # name of the org (e.g. Org1, Org2) can be blank
local component_dir=$5 # path of the component, this will be the directory where the artifacts will be created
local tlscert=$6 # tls cert for connecting to the CA
# Enroll the identity
fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname ca --mspdir "${component_dir}/msp" --tls.certfiles $tlscert
# Rename private key to mimic cryptogen
find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v
# Rename the cacert to mimic cryptogen
mv ${component_dir}/msp/cacerts/localhost-${port}-ca.pem ${component_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem
}
######################################################################################
# createMSP()
#
# This is a convenience method for creating the Membership Service Provider directories
#
######################################################################################
function createMSP() {
local caname=$1 # name of the ca (ordererca, org1ca, org2ca)
local orgname=$2 # name of the org (org1, org2) Ordering Org is blank
local org_dir=$3 # directory of the organizatio
mkdir -p ${org_dir}/msp/admincerts
mkdir -p ${org_dir}/msp/cacerts
mkdir -p ${org_dir}/msp/tlscacerts
cp data_ca/${caname}/ca/ca-cert.pem ${org_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem
cp data_ca/${caname}/tlsca/ca-cert.pem ${org_dir}/msp/tlscacerts/tlsca.${orgname:+$orgname.}example.com-cert.pem
awk -v cacert_name="ca.${orgname:+$orgname.}example.com-cert" '{gsub(/ca.example.com-cert/,cacert_name)}1' ca/config.yaml > ${org_dir}/msp/config.yaml
}
######################################################################################
# registerAndEnroll()
#
# This is a convenience method for creating enrollments and TLS certificates
# Primary purpose it to create enrollment certificates for org admin identities, and
# enrollent and TLS certificates for peers and orderers.
######################################################################################
function registerAndEnroll() {
local port=$1 # port of the CA used for creating the enrollment
local username=$2 # username of the user to register on the CA
local password=$3 # password of the user to register on the CA
local type=$4 # type of registation, must be one of (peer, orderer, admin)
local orgname=$5 # name of the org (e.g. Org1, Org2) can be blank
local component_dir=$6 # directory of the component, this will be the directory where the artifacts will be created
local org_dir=$7 # directory of the organization, this is the directory that contains the credentials for the registration
local tlscert=$8 # tls cert for connecting to the CA
if [ "$type" = "admin" ]; then
local attrs="hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
else
local attrs=""
fi
# Register the username
fabric-ca-client register -d -u https://localhost:${port} --id.name ${username} --id.secret ${password} --id.type ${type} --id.attrs "${attrs}" --caname ca --tls.certfiles $tlscert --mspdir "${org_dir}/ca/msp"
# Enroll the identity
fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname ca --mspdir "${component_dir}/msp" --tls.certfiles $tlscert
# Rename private key to mimic cryptogen
find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v
# Rename the cacert to mimic cryptogen
mv ${component_dir}/msp/cacerts/localhost-${port}-ca.pem ${component_dir}/msp/cacerts/ca.${orgname:+$orgname.}example.com-cert.pem
# Set the cacert name and copy the config.json for NodeOU
awk -v cacert_name="ca.${orgname:+$orgname.}example.com-cert" '{gsub(/ca.example.com-cert/,cacert_name)}1' ca/config.yaml > ${component_dir}/msp/config.yaml
# If this is a peer or orderer type then create a TLS cert
if [ "$type" = "peer" ] || [ "$type" = "orderer" ]; then
# Enroll the TLS cert
fabric-ca-client enroll -d -u https://${username}:${password}@localhost:${port} --caname tlsca --mspdir "${component_dir}/tls" --tls.certfiles $tlscert --csr.hosts 'localhost,127.0.0.1'
# Rename private key to mimic cryptogen
find ${component_dir} -type f -name '*_sk' | sed -e 'p;s/\(.*\)\/\(.*\)$/\1\/priv_sk/' | xargs -n2 mv -v
# Copy and rename TLS certs and keys to mimic cryptogen
cp ${component_dir}/tls/cacerts/localhost-${port}-tlsca.pem ${component_dir}/tls/ca.crt
cp ${component_dir}/tls/keystore/priv_sk ${component_dir}/tls/server.key
cp ${component_dir}/tls/signcerts/cert.pem ${component_dir}/tls/server.crt
# Rename the tls cacert to mimic cryptogen
mv ${component_dir}/tls/cacerts/localhost-${port}-tlsca.pem ${component_dir}/tls/cacerts/tlsca.${orgname:+$orgname.}example.com-cert.pem
fi
}

14
test-network-nano-bash/ca/config.yaml Normal file
View file

@ -0,0 +1,14 @@
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.example.com-cert.pem
OrganizationalUnitIdentifier: orderer

118
test-network-nano-bash/ca/createEnrollments.sh Executable file
View file

@ -0,0 +1,118 @@
#!/usr/bin/env sh
#
# SPDX-License-Identifier: Apache-2.0
#
export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"$PATH"
export crypto_dir=$PWD/crypto-config
export orderer_org_dir=${crypto_dir}/ordererOrganizations/example.com
export org1_dir=${crypto_dir}/peerOrganizations/org1.example.com
export org2_dir=${crypto_dir}/peerOrganizations/org2.example.com
export orderer1_dir=${orderer_org_dir}/orderers/orderer.example.com
export orderer2_dir=${orderer_org_dir}/orderers/orderer2.example.com
export orderer3_dir=${orderer_org_dir}/orderers/orderer3.example.com
export orderer4_dir=${orderer_org_dir}/orderers/orderer4.example.com
export orderer5_dir=${orderer_org_dir}/orderers/orderer5.example.com
export peer0org1_dir=${org1_dir}/peers/peer0.org1.example.com
export peer1org1_dir=${org1_dir}/peers/peer1.org1.example.com
export peer0org2_dir=${org2_dir}/peers/peer0.org2.example.com
export peer1org2_dir=${org2_dir}/peers/peer1.org2.example.com
export orderer_org_tls=${PWD}/data_ca/ordererca/ca/ca-cert.pem
export org1_tls=${PWD}/data_ca/org1ca/ca/ca-cert.pem
export org2_tls=${PWD}/data_ca/org2ca/ca/ca-cert.pem
# import utilies
. ca/ca_utils.sh
######################################################################################
# Create admin certificates for the CAs
######################################################################################
# Enroll CA Admin for ordererca
createEnrollment "7052" "admin" "adminpw" "" "${orderer_org_dir}/ca" "${orderer_org_tls}"
# Enroll CA Admin for org1ca
createEnrollment "7053" "admin" "adminpw" "org1" "${org1_dir}/ca" "${org1_tls}"
# Enroll CA Admin for org2ca
createEnrollment "7054" "admin" "adminpw" "org2" "${org2_dir}/ca" "${org2_tls}"
######################################################################################
# Create admin and user certificates for the Organizations
######################################################################################
# Enroll Admin certificate for the ordering service org
registerAndEnroll "7052" "osadmin" "osadminpw" "admin" "" "${orderer_org_dir}/users/Admin@example.com" "${orderer_org_dir}" "${orderer_org_tls}"
# Enroll Admin certificate for org1
registerAndEnroll "7053" "org1admin" "org1adminpw" "admin" "org1" "${org1_dir}/users/Admin@org1.example.com" "${org1_dir}" "${org1_tls}"
# Enroll User certificate for org1
registerAndEnroll "7053" "org1user1" "org1user1pw" "client" "org1" "${org1_dir}/users/User1@org1.example.com" "${org1_dir}" "${org1_tls}"
# Enroll Admin certificate for org2
registerAndEnroll "7054" "org2admin" "org2adminpw" "admin" "org2" "${org2_dir}/users/Admin@org2.example.com" "${org2_dir}" "${org2_tls}"
# Enroll User certificate for org1
registerAndEnroll "7054" "org2user1" "org2user1pw" "client" "org2" "${org2_dir}/users/User1@org2.example.com" "${org2_dir}" "${org2_tls}"
######################################################################################
# Create the certificates for the Ordering Organization
######################################################################################
# Create enrollment and TLS certificates for orderer1
registerAndEnroll "7052" "orderer1" "orderer1pw" "orderer" "" "${orderer1_dir}" "${orderer_org_dir}" "${orderer_org_tls}"
# Create enrollment and TLS certificates for orderer2
registerAndEnroll "7052" "orderer2" "orderer2pw" "orderer" "" "${orderer2_dir}" "${orderer_org_dir}" "${orderer_org_tls}"
# Create enrollment and TLS certificates for orderer3
registerAndEnroll "7052" "orderer3" "orderer3pw" "orderer" "" "${orderer3_dir}" "${orderer_org_dir}" "${orderer_org_tls}"
# Create enrollment and TLS certificates for orderer4
registerAndEnroll "7052" "orderer4" "orderer4pw" "orderer" "" "${orderer4_dir}" "${orderer_org}" "${orderer_org_tls}"
# Create enrollment and TLS certificates for orderer5
registerAndEnroll "7052" "orderer5" "orderer5pw" "orderer" "" "${orderer5_dir}" "${orderer_org_dir}" "${orderer_org_tls}"
######################################################################################
# Create the certificates for Org1
######################################################################################
# Create enrollment and TLS certificates for peer0org1
registerAndEnroll "7053" "org1peer0" "org1peer0pw" "peer" "org1" "${peer0org1_dir}" "${org1_dir}" "${org1_tls}"
# Create enrollment and TLS certificates for peer1org1
registerAndEnroll "7053" "org1peer1" "org1peer1pw" "peer" "org1" "${peer1org1_dir}" "${org1_dir}" "${org1_tls}"
######################################################################################
# Create the certificates for Org2
######################################################################################
# Create enrollment and TLS certificates for peer0org2
registerAndEnroll "7054" "org2peer0" "org2peer0pw" "peer" "org2" "${peer0org2_dir}" "${org2_dir}" "${org2_tls}"
# Create enrollment and TLS certificates for peer1org2
registerAndEnroll "7054" "org2peer1" "org2peer1pw" "peer" "org2" "${peer1org2_dir}" "${org2_dir}" "${org2_tls}"
######################################################################################
# Create the Membership Service Providers (MSPs)
######################################################################################
# Create the MSP for the Orderering Org
createMSP "ordererca" "" "${orderer_org_dir}"
# Create the MSP for Org1
createMSP "org1ca" "org1" "${org1_dir}"
# Create the MSP for Org2
createMSP "org2ca" "org2" "${org2_dir}"

BIN
test-network-nano-bash/ca_terminal_setup.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 60 KiB

43
test-network-nano-bash/generate_artifacts.sh
View file

@ -4,6 +4,29 @@
# #
set -eu set -eu
ordererType="etcdraft"
INCLUDE_CA=false
# parse flags
while [ $# -ge 1 ] ; do
key="$1"
case $key in
etcdraft )
ordererType="etcdraft"
;;
BFT )
ordererType="BFT"
;;
-ca )
INCLUDE_CA=true
;;
* )
;;
esac
shift
done
# remove existing artifacts, or proceed on if the directories don't exist # remove existing artifacts, or proceed on if the directories don't exist
rm -r "${PWD}"/channel-artifacts || true rm -r "${PWD}"/channel-artifacts || true
rm -r "${PWD}"/crypto-config || true rm -r "${PWD}"/crypto-config || true
@ -12,14 +35,26 @@ rm -r "${PWD}"/data || true
# look for binaries in local dev environment /build/bin directory and then in local samples /bin directory # look for binaries in local dev environment /build/bin directory and then in local samples /bin directory
export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"$PATH" export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"$PATH"
echo "Generating MSP certificates using cryptogen tool" # if INCLUDE_CA is false (default), then use cryptogen
cryptogen generate --config="${PWD}"/crypto-config.yaml if [ "${INCLUDE_CA}" = false ]; then
echo "Generating MSP certificates using cryptogen tool"
cryptogen generate --config="${PWD}"/crypto-config.yaml
else
mkdir -p "${PWD}"/logs
# execute the script to configure the default set of enrollments
echo "Generating MSP certificates using the Fabric CAs"
./ca/createEnrollments.sh > ./logs/createEnrollments.log 2>&1
fi
# set FABRIC_CFG_PATH to configtx.yaml directory that contains the profiles # set FABRIC_CFG_PATH to configtx.yaml directory that contains the profiles
export FABRIC_CFG_PATH="${PWD}" export FABRIC_CFG_PATH="${PWD}"
ordererType="etcdraft" if [ "${ordererType}" = "BFT" ]
if [ $# -gt 0 ] && [ "$1" = "BFT" ]
then then
profile="ChannelUsingBFT" profile="ChannelUsingBFT"
ordererType="BFT" ordererType="BFT"

30
test-network-nano-bash/network.sh
View file

@ -14,7 +14,9 @@ printHelp() {
echo " Starts the test network" echo " Starts the test network"
echo echo
echo " Flags:" echo " Flags:"
echo " -d <delay> - CLI delays for a certain number of seconds (defaults to 3)" echo " -d <delay> - CLI delays for a certain number of seconds (defaults to 3)"
echo " -o <orderer_type> - Specify the orderer type. BFT or etcdraft. (defaults to etcdraft)"
echo " -ca - Use CAs instead of cryptogen. (defaults to cryptogen)"
echo " -h - Print this message" echo " -h - Print this message"
elif [ "$USAGE" = "clean" ]; then elif [ "$USAGE" = "clean" ]; then
echo "Usage: " echo "Usage: "
@ -52,18 +54,31 @@ networkStart() {
# shellcheck disable=SC2064 # shellcheck disable=SC2064
trap networkStop 0 1 2 3 15 trap networkStop 0 1 2 3 15
echo "Creating logs directory..."
mkdir -p "${PWD}"/logs
if [ "${INCLUDE_CA}" = true ]; then
echo "Starting CAs..."
./ordererca.sh > ./logs/ordererca.log 2>&1 &
./org1ca.sh > ./logs/org1ca.log 2>&1 &
./org2ca.sh > ./logs/org2ca.log 2>&1 &
echo "Waiting ${CLI_DELAY}s..."
sleep ${CLI_DELAY}
fi
if [ -d "${PWD}"/channel-artifacts ] && [ -d "${PWD}"/crypto-config ]; then if [ -d "${PWD}"/channel-artifacts ] && [ -d "${PWD}"/crypto-config ]; then
echo "Using existing artifacts..." echo "Using existing artifacts..."
CREATE_CHANNEL=false CREATE_CHANNEL=false
else else
echo "Generating artifacts..." echo "Generating artifacts..."
./generate_artifacts.sh "${ORDERER_TYPE}" INCLUDE_CA_PARAM=""
if [ "${INCLUDE_CA}" = true ]; then
INCLUDE_CA_PARAM="-ca"
fi
./generate_artifacts.sh "${ORDERER_TYPE}" "${INCLUDE_CA_PARAM}"
CREATE_CHANNEL=true CREATE_CHANNEL=true
fi fi
echo "Creating logs directory..."
mkdir -p "${PWD}"/logs
echo "Starting orderers..." echo "Starting orderers..."
./orderer1.sh "${ORDERER_TYPE}" > ./logs/orderer1.log 2>&1 & ./orderer1.sh "${ORDERER_TYPE}" > ./logs/orderer1.log 2>&1 &
./orderer2.sh "${ORDERER_TYPE}" > ./logs/orderer2.log 2>&1 & ./orderer2.sh "${ORDERER_TYPE}" > ./logs/orderer2.log 2>&1 &
@ -116,6 +131,7 @@ networkClean() {
rm -r "${PWD}"/channel-artifacts || true rm -r "${PWD}"/channel-artifacts || true
rm -r "${PWD}"/crypto-config || true rm -r "${PWD}"/crypto-config || true
rm -r "${PWD}"/data || true rm -r "${PWD}"/data || true
rm -r "${PWD}"/data_ca || true
rm -r "${PWD}"/logs || true rm -r "${PWD}"/logs || true
} }
@ -131,6 +147,7 @@ else
fi fi
ORDERER_TYPE="etcdraft" ORDERER_TYPE="etcdraft"
INCLUDE_CA=false
# parse flags # parse flags
while [ $# -ge 1 ] ; do while [ $# -ge 1 ] ; do
@ -144,6 +161,9 @@ while [ $# -ge 1 ] ; do
ORDERER_TYPE="$2" ORDERER_TYPE="$2"
shift shift
;; ;;
-ca )
INCLUDE_CA=true
;;
-h ) -h )
printHelp "$MODE" printHelp "$MODE"
exit 0 exit 0

39
test-network-nano-bash/ordererca.sh Executable file
View file

@ -0,0 +1,39 @@
#!/usr/bin/env sh
#
# SPDX-License-Identifier: Apache-2.0
#
export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}"
export FABRIC_CFG_PATH="${PWD}"/../config
#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA
export CA_NAME=ordererca
export CA_PORT=7052
export OPERATIONS_PORT=9843
export CSR_HOSTS=ordererca,localhost,127.0.0.1
export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}"
export CA_HOME="${CA_DIRECTORY}"/ca
export TLSCA_HOME="${CA_DIRECTORY}"/tlsca
export DB_HOME="${CA_DIRECTORY}"/db
export TEMPLATE_DIR="${PWD}"/ca/ca_config
# Check to see if the CA directory exists
if [ ! -d "${CA_DIRECTORY}" ]; then
# Create the new CA directory
mkdir -p "${CA_HOME}"
mkdir -p "${TLSCA_HOME}"
mkdir -p "${DB_HOME}"
# Copy the CA template files
cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml
cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml
fi
export FABRIC_CA_SERVER_TLS_ENABLED=true
export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}"
export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}"
export FABRIC_CA_SERVER_DEBUG=true
export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}"
fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}"

39
test-network-nano-bash/org1ca.sh Executable file
View file

@ -0,0 +1,39 @@
#!/usr/bin/env sh
#
# SPDX-License-Identifier: Apache-2.0
#
export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}"
export FABRIC_CFG_PATH="${PWD}"/../config
#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA
export CA_NAME=org1ca
export CA_PORT=7053
export OPERATIONS_PORT=9844
export CSR_HOSTS=org1ca,localhost,127.0.0.1
export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}"
export CA_HOME="${CA_DIRECTORY}"/ca
export TLSCA_HOME="${CA_DIRECTORY}"/tlsca
export DB_HOME="${CA_DIRECTORY}"/db
export TEMPLATE_DIR="${PWD}"/ca/ca_config
# Check to see if the CA directory exists
if [ ! -d "${CA_DIRECTORY}" ]; then
# Create the new CA directory
mkdir -p "${CA_HOME}"
mkdir -p "${TLSCA_HOME}"
mkdir -p "${DB_HOME}"
# Copy the CA template files
cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml
cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml
fi
export FABRIC_CA_SERVER_TLS_ENABLED=true
export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}"
export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}"
export FABRIC_CA_SERVER_DEBUG=true
export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}"
fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}"

39
test-network-nano-bash/org2ca.sh Executable file
View file

@ -0,0 +1,39 @@
#!/usr/bin/env sh
#
# SPDX-License-Identifier: Apache-2.0
#
export PATH="${PWD}"/../../fabric/build/bin:"${PWD}"/../bin:"${PATH}"
export FABRIC_CFG_PATH="${PWD}"/../config
#Configure the CA_NAME, CA_PORT, OPERATIONS_PORT and CSR_HOSTS for the CA
export CA_NAME=org2ca
export CA_PORT=7054
export OPERATIONS_PORT=9845
export CSR_HOSTS=org2ca,localhost,127.0.0.1
export CA_DIRECTORY="${PWD}"/data_ca/"${CA_NAME}"
export CA_HOME="${CA_DIRECTORY}"/ca
export TLSCA_HOME="${CA_DIRECTORY}"/tlsca
export DB_HOME="${CA_DIRECTORY}"/db
export TEMPLATE_DIR="${PWD}"/ca/ca_config
# Check to see if the CA directory exists
if [ ! -d "${CA_DIRECTORY}" ]; then
# Create the new CA directory
mkdir -p "${CA_HOME}"
mkdir -p "${TLSCA_HOME}"
mkdir -p "${DB_HOME}"
# Copy the CA template files
cp "${TEMPLATE_DIR}"/ca/fabric-ca-server-config.yaml "${CA_HOME}"/fabric-ca-server-config.yaml
cp "${TEMPLATE_DIR}"/tlsca/fabric-ca-server-config.yaml "${TLSCA_HOME}"/fabric-ca-server-config.yaml
fi
export FABRIC_CA_SERVER_TLS_ENABLED=true
export FABRIC_CA_SERVER_CSR_CN="${CA_NAME}"
export FABRIC_CA_SERVER_CSR_HOSTS="${CSR_HOSTS}"
export FABRIC_CA_SERVER_DEBUG=true
export FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=localhost:"${OPERATIONS_PORT}"
fabric-ca-server start -d -b admin:adminpw --port "${CA_PORT}" --home "${CA_HOME}"