Hyperledger Fabric CA Operations Guide, Part 1

Introduction
As a permissioned blockchain platform, Hyperledger Fabric requires that every entity be identified, whether it is a network component or a user (client) of the platform. This identification is implemented with digital certificates, and an infrastructure for issuing and managing those certificates is therefore needed.
A third party could be used to build this infrastructure, but Fabric CA offers a convenient way to generate material in exactly the format a Hyperledger Fabric system requires. There is a good tutorial on readthedocs, the Fabric CA Operations Guide. It builds a typical setup and gives very detailed step-by-step instructions. While working through it, we will make observations from several angles to gain a fuller understanding. To make it work more smoothly, I have also fixed some naming inconsistencies and updated the configuration files. I hope this helps you as you study the tutorial.
Tutorial Overview
Organization Setup
The whole setup is summarized as follows:
1. Three organizations: org0 is the orderer organization, org1 and org2 are peer organizations.
2. org0 has one orderer (orderer1-org0), which provides the ordering service in Solo mode.
3. Each peer organization (org1 and org2) has two peers (peer1-orgx, peer2-orgx).
4. Each organization has one administrator user (admin-orgx).

Here is the overall picture for our reference. The last column is explained in the next section.

Certificate Authority Setup
Looking at the setup from the CA perspective, there are four CAs in this tutorial:
· TLS-CA: the CA that issues TLS server certificates to the network components (orderers and peers) of the whole network. These certificates are used only for TLS communication and are distinct from identity in the Fabric network.
· RCA-ORGx (x = 0, 1, 2): the root CA for identities in each organization. On one hand, it issues the required certificates to components and users. On the other hand, it represents the organization (in the form of an MSP) when the Fabric network is formed.
The last column is for quick reference. We will see these directories later in the tutorial.

Summary of the CAs used in this tutorial

Once certificate issuance is complete and the Fabric network has been set up, these CAs are not needed in day-to-day operation. They take no part in joining channels, deploying chaincode, invoking chaincode functions, and so on. They are needed only when a new component (adding an orderer or more peers) or a new user (adding more client applications) joins the setup and new certificates must be generated.
Operation Flow:
This is the overall flow of the tutorial (note: it only shows the sequence of tasks; the steps shown here are not the steps as presented in the tutorial).
1. Start the four CAs, each as a Fabric-CA-Server running in a container.
2. Use Fabric-CA-Client on localhost to interact with these CAs. For each CA, enroll a registrar, then register all the organization's entities according to our tutorial design.
3. For each organization, use Fabric-CA-Client to enroll the entities registered in step 2. We now have all the crypto material we need.
4. Place the generated crypto material in the appropriate directories, which are mapped into the components (orderer and peers) defined in the docker-compose file.
5. Prepare the MSP directory for each organization; it is needed when the Fabric network is created.
6. Bring up the five containers (one orderer, four peers) and the two CLI containers.
7. Create a channel and join the peers to the channel.
8. Deploy chaincode and observe the attribute-based access control (ABAC) feature in the chaincode.
Configuration Files
There are two configuration files: the docker-compose file (docker-compose.yaml) and the channel artifact file (configtx.yaml).
docker-compose.yaml has been modified and updated to reflect the changes.
version: '2'
networks:
  fabric-ca:
services:
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca:1.4.2
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw --port 7052'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=tls-ca
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/tls-ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7052:7052
  rca-org0:
    container_name: rca-org0
    image: hyperledger/fabric-ca:1.4.2
    command: sh -c 'fabric-ca-server start -d -b rca-org0-admin:rca-org0-adminpw --port 7053'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org0
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org0/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7053:7053
  rca-org1:
    container_name: rca-org1
    image: hyperledger/fabric-ca:1.4.2
    command: sh -c 'fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org1
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7054:7054
  rca-org2:
    container_name: rca-org2
    image: hyperledger/fabric-ca:1.4.2
    command: /bin/bash -c 'fabric-ca-server start -d -b rca-org2-admin:rca-org2-adminpw --port 7055'
    environment:
        - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_CSR_CN=rca-org2
        - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
        - FABRIC_CA_SERVER_DEBUG=true
    volumes:
        - /tmp/hyperledger/org2/ca:/tmp/hyperledger/fabric-ca
    networks:
        - fabric-ca
    ports:
        - 7055:7055
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:1.4.2
    environment:
        - CORE_PEER_ID=peer1-org1
        - CORE_PEER_ADDRESS=peer1-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
    networks:
        - fabric-ca
  peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer:1.4.2
    environment:
        - CORE_PEER_ID=peer2-org1
        - CORE_PEER_ADDRESS=peer2-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer2/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
        - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
    networks:
        - fabric-ca
  peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer:1.4.2
    environment:
        - CORE_PEER_ID=peer1-org2
        - CORE_PEER_ADDRESS=peer1-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer1/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
    networks:
        - fabric-ca
  peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer:1.4.2
    environment:
        - CORE_PEER_ID=peer2-org2
        - CORE_PEER_ADDRESS=peer2-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer2/msp
        - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
        - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=guide_fabric-ca
        - FABRIC_LOGGING_SPEC=info
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_CERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/signcerts/cert.pem
        - CORE_PEER_TLS_KEY_FILE=/tmp/hyperledger/org2/peer2/tls-msp/keystore/key.pem
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_GOSSIP_USELEADERELECTION=true
        - CORE_PEER_GOSSIP_ORGLEADER=false
        - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:7051
        - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
        - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:7051
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
        - /var/run:/host/var/run
        - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
    networks:
        - fabric-ca
  orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer:1.4.2
    environment:
        - ORDERER_HOME=/tmp/hyperledger/orderer
        - ORDERER_HOST=orderer1-org0
        - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
        - ORDERER_GENERAL_GENESISMETHOD=file
        - ORDERER_GENERAL_GENESISFILE=/tmp/hyperledger/org0/orderer/genesis.block
        - ORDERER_GENERAL_LOCALMSPID=org0MSP
        - ORDERER_GENERAL_LOCALMSPDIR=/tmp/hyperledger/org0/orderer/msp
        - ORDERER_GENERAL_TLS_ENABLED=true
        - ORDERER_GENERAL_TLS_CERTIFICATE=/tmp/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
        - ORDERER_GENERAL_TLS_PRIVATEKEY=/tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
        - ORDERER_GENERAL_TLS_ROOTCAS=[/tmp/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
        - ORDERER_GENERAL_LOGLEVEL=debug
        - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
        - /tmp/hyperledger/org0/orderer:/tmp/hyperledger/org0/orderer/
    networks:
        - fabric-ca
  cli-org1:
    container_name: cli-org1
    image: hyperledger/fabric-tools:1.4.2
    tty: true
    stdin_open: true
    environment:
        - GOPATH=/opt/gopath
        - FABRIC_LOGGING_SPEC=INFO
        - CORE_PEER_ID=cli
        - CORE_PEER_ADDRESS=peer1-org1:7051
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
    command: sh
    volumes:
        - /tmp/hyperledger/org1/peer1:/tmp/hyperledger/org1/peer1
        - /tmp/hyperledger/org1/peer2:/tmp/hyperledger/org1/peer2
        - /Users/kctam/hf142/fabric-samples/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
        - /tmp/hyperledger/org1/admin:/tmp/hyperledger/org1/admin
    networks:
        - fabric-ca
  cli-org2:
    container_name: cli-org2
    image: hyperledger/fabric-tools:1.4.2
    tty: true
    stdin_open: true
    environment:
        - GOPATH=/opt/gopath
        - FABRIC_LOGGING_SPEC=INFO
        - CORE_PEER_ID=cli
        - CORE_PEER_ADDRESS=peer1-org2:7051
        - CORE_PEER_LOCALMSPID=org2MSP
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/admin/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2
    command: sh
    volumes:
        - /tmp/hyperledger/org2/peer1:/tmp/hyperledger/org2/peer1
        - /tmp/hyperledger/org2/peer2:/tmp/hyperledger/org2/peer2
        - /Users/kctam/hf142/fabric-samples/chaincode:/opt/gopath/src/github.com/hyperledger/fabric-samples/chaincode
        - /tmp/hyperledger/org2/admin:/tmp/hyperledger/org2/admin
    networks:
        - fabric-ca

docker-compose.yaml
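The compose file encodes the CA design in each peer's environment: TLS enabled, the TLS-CA root certificate (tls-0-0-0-0-7052.pem) as the only trusted TLS root, and an MSP ID and MSP directory that belong to the peer's own organization. The following script is an added example, not part of the tutorial or the Fabric project; it audits a constructed compose excerpt for exactly those three properties, with peer1-org2 deliberately misconfigured so the findings are visible.

```python
"""Audit peer services in the tutorial's compose file against its CA design
(added example, not from the page). COMPOSE below is a constructed excerpt."""
import re

# Constructed excerpt in the page's compose layout; peer1-org2 is deliberately wrong.
COMPOSE = """
services:
  peer1-org1:
    environment:
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp
        - CORE_PEER_TLS_ENABLED=true
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
  peer1-org2:
    environment:
        - CORE_PEER_LOCALMSPID=org1MSP
        - CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org2/peer1/msp
        - CORE_PEER_TLS_ENABLED=false
        - CORE_PEER_TLS_ROOTCERT_FILE=/tmp/hyperledger/org2/peer1/tls-msp/tlscacerts/rca-org2.pem
"""
TLS_CA_CERT = "tls-0-0-0-0-7052.pem"  # root cert of the TLS-CA (listens on 7052)

def parse_services(text):
    """Return {service_name: {ENV_KEY: value}} from a compose excerpt."""
    services, current = {}, None
    for line in text.splitlines():
        svc = re.match(r"^  (\S+):\s*$", line)            # 2-space indent: service
        env = re.match(r"^\s+-\s+([A-Z_]+)=(.*)$", line)  # "- KEY=value" item
        if svc:
            current = svc.group(1)
            services[current] = {}
        elif env and current:
            services[current][env.group(1)] = env.group(2).strip()
    return services

def check_component(name, env):
    """Return findings for one peer service; an empty list means it passes."""
    org = name.rsplit("-", 1)[-1]  # tutorial naming is <role>-<org>
    findings = []
    if env.get("CORE_PEER_TLS_ENABLED") != "true":
        findings.append(f"{name}: TLS is disabled")
    if not env.get("CORE_PEER_TLS_ROOTCERT_FILE", "").endswith(TLS_CA_CERT):
        findings.append(f"{name}: TLS root is not the TLS-CA certificate")
    if env.get("CORE_PEER_LOCALMSPID") != f"{org}MSP":
        findings.append(f"{name}: MSP ID does not match organization {org}")
    if f"/{org}/" not in env.get("CORE_PEER_MSPCONFIGPATH", ""):
        findings.append(f"{name}: MSP directory lies outside {org}")
    return findings

def audit(text=COMPOSE):
    return {n: check_component(n, e) for n, e in parse_services(text).items()}
```

Running audit() on the full docker-compose.yaml above (read from disk instead of COMPOSE) should return an empty list for every peer; the same rule set applies to the orderer once the ORDERER_GENERAL_TLS_* and LOCALMSP* keys are substituted.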
This is the configuration used to generate the channel artifacts (configtx.yaml).
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:
  - &org0
    Name: org0
    # ID to load the MSP definition as
    ID: org0MSP
    # MSPDir is the filesystem path which contains the MSP configuration
    MSPDir: /tmp/hyperledger/org0/msp
  - &org1
    Name: org1
    # ID to load the MSP definition as
    ID: org1MSP
    # MSPDir is the filesystem path which contains the MSP configuration
    MSPDir: /tmp/hyperledger/org1/msp
    AnchorPeers:
        # AnchorPeers defines the location of peers which can be used
        # for cross org gossip communication.  Note, this value is only
        # encoded in the genesis block in the Application section context
        – Host: peer1-org1
          Port: 7051
  - &org2
    Name: org2
    # ID to load the MSP definition as
    ID: org2MSP
    # MSPDir is the filesystem path which contains the MSP configuration
    MSPDir: /tmp/hyperledger/org2/msp
    AnchorPeers:
        # AnchorPeers defines the location of peers which can be used
        # for cross org gossip communication.  Note, this value is only
        # encoded in the genesis block in the Application section context
        – Host: peer1-org2
          Port: 7051
################################################################################
#
#   SECTION: Application
#
#   This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
   # Organizations is the list of orgs which are defined as participants on
   # the application side of the network
   Organizations:

################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:
  OrgsOrdererGenesis:
    Orderer:
        # Orderer Type: The orderer implementation to start
        # Available types are "solo" and "kafka"
      OrdererType: solo
      Addresses:
      - orderer1-org0:7050
      # Batch Timeout: The amount of time to wait before creating a batch
      BatchTimeout: 2s
      # Batch Size: Controls the number of messages batched into a block
      BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB
        # Kafka:
        #   # Brokers: A list of Kafka brokers to which the orderer connects
        #   # NOTE: Use IP:port notation