Notes on TLS-encrypted communication in fabric-ca

Eranthe · Updated 2024-09-20 · 884 views

fabric-ca-server uses TLS to encrypt its communication with fabric-ca-client

This article covers TLS communication between fabric-ca-server and fabric-ca-client, including how to install fabric-ca-server and fabric-ca-client and how the TLS setup works.

1.1 Installing fabric-ca-server and fabric-ca-client

There are two ways to install fabric-ca-server and fabric-ca-client. The first uses the go get command to fetch and build both binaries directly; the second clones the fabric-ca repository with git clone and then builds fabric-ca-server and fabric-ca-client from source.

1.1.1 First installation method

First install the required dependency packages. The author notes there is no distinction between systems here: whether on macOS or Ubuntu, run the command in the block below:

sudo apt install libtool libltdl-dev

Then use go get to fetch and build fabric-ca-server and fabric-ca-client. The compiled binaries are placed in $GOPATH/bin. The command is:

go get -u github.com/hyperledger/fabric-ca/cmd/...

1.1.2 Second installation method

First clone the fabric-ca source with git clone:

git clone https://github.com/hyperledger/fabric-ca.git

After downloading the fabric-ca source, enter the fabric-ca project directory. Use git tag to list the available fabric-ca versions; I need version 1.4.1 here, so I switch the current branch to v1.4.1 with git checkout -b v1.4.1. Then run the commands in the block below to build the fabric-ca-server and fabric-ca-client binaries; the compiled binaries end up in the bin directory under the current directory:

make fabric-ca-server
make fabric-ca-client

1.2 Starting fabric-ca-server

Copy the compiled fabric-ca-server binary into /usr/local/bin, then run the commands below to create a working directory and enter it:

mkdir fabric-ca-server
cd fabric-ca-server

Run the command below to initialize fabric-ca-server:

fabric-ca-server init -b admin:adminpw

After initialization the directory contains the files shown in the figure below:

[image: listing of the fabric-ca-server directory after init]

A description of the files in this directory: ca-cert.pem is the CA server's root CA certificate, and the file with the _sk suffix under /msp/keystore/ is the matching root CA private key. fabric-ca-server uses this key pair; it can be set in the YAML configuration file, and if nothing is configured this pair is used by default. Now configure fabric-ca-server: open fabric-ca-server-config.yaml, find the ca section, and set the root CA certificate and private key as in the block below.

ca:
  # Name of this CA
  name: ca-org1
  # Key file (is only used to import a private key into BCCSP)
  keyfile: /root/fabric-ca-server/msp/keystore/05e72bdf2a01e4878b7d58407b9c0d034d231662a1275426d321556d5c9b28b6_sk
  # Certificate file (default: ca-cert.pem)
  certfile: /root/fabric-ca-server/ca-cert.pem
  # Chain file
  chainfile:

With the server's root certificate and private key filled in, we could start the CA server right away and listen for client requests. For security, however, we also want to encrypt the traffic with TLS, which requires a separate key pair. This time I used the cryptogen binary shipped with Fabric to generate a set of certificates; the YAML used to generate them is shown in the block below:

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs"
    # ---------------------------------------------------------------------------
    # Uncomment this section to enable the explicit definition of hosts in your
    # configuration. Most users will want to use Template, below
    #
    # Specs is an array of Spec entries. Each Spec entry consists of two fields:
    #   - Hostname:   (Required) The desired hostname, sans the domain.
    #   - CommonName: (Optional) Specifies the template or explicit override for
    #                 the CN. By default, this is the template:
    #
    #                              "{{.Hostname}}.{{.Domain}}"
    #
    #                 which obtains its values from the Spec.Hostname and
    #                 Org.Domain, respectively.
    # ---------------------------------------------------------------------------
    # Specs:
    #   - Hostname: foo # implicitly "foo.org1.example.com"
    #     CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above
    #   - Hostname: bar
    #   - Hostname: baz
    # ---------------------------------------------------------------------------
    # "Template"
    # ---------------------------------------------------------------------------
    # Allows for the definition of 1 or more hosts that are created sequentially
    # from a template. By default, this looks like "peer%d" from 0 to Count-1.
    # You may override the number of nodes (Count), the starting index (Start)
    # or the template used to construct the name (Hostname).
    #
    # Note: Template and Specs are not mutually exclusive. You may define both
    # sections and the aggregate nodes will be created for you. Take care with
    # name collisions
    # ---------------------------------------------------------------------------
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 2
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 2

The command below produces the crypto-config directory. For how to use the cryptogen binary, see my other blog post on it.

cryptogen generate --config=./crypto-config.yaml

Next, copy Org1's self-signed TLS certificate and private key from the crypto-config directory into the fabric-ca-server directory with the commands below:

cp crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem /root/fabric-ca-server
cp crypto-config/peerOrganizations/org1.example.com/tlsca/a7aebf51bd86591db1613daa55fc43aa82c93de77b1ec3f33cfdbb038a427a15_sk /root/fabric-ca-server/msp/keystore/

Once the copy is done, open the fabric-ca-server configuration file, find the entries in the block below and fill them in as shown. Leave the enabled field set to false for now; only after fabric-ca-client has contacted the server and generated its configuration file do we set the TLS enabled field to true. The key pair you generated differs from mine, so use your own file names.

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: /root/fabric-ca-server/tlsca.org1.example.com-cert.pem
  keyfile: /root/fabric-ca-server/msp/keystore/a7aebf51bd86591db1613daa55fc43aa82c93de77b1ec3f33cfdbb038a427a15_sk
  clientauth:
    type: noclientcert
    certfiles:

At this point the server side is configured. Run the command below to start fabric-ca-server.

fabric-ca-server start -b admin:adminpw

1.3 Starting fabric-ca-client

Run the command below to enroll the admin user from the client against the server; this generates the client's files.

fabric-ca-client enroll -u http://admin:adminpw@192.168.xxx.xxx:7054

Afterwards a .fabric-ca-client directory is created under /root, containing the client configuration file and the corresponding certificates. Its structure is shown in the figure below:

[image: listing of the .fabric-ca-client directory after the first enroll]

For fabric-ca-client to reach fabric-ca-server over TLS it needs the organization's TLS CA certificate, which we copy from crypto-config with the command below:

cp crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt /root/.fabric-ca-client/msp/cacerts

Open fabric-ca-client-config.yaml and set the client options as shown in the block below:

# Your fabric-ca-server's IP. The IP should already have been filled in by the
# first enroll; you only need to change http to https.
url: https://192.168.xxx.xxx:7054
tls:
  # TLS section for secure socket connection
  # This is the certificate that pairs with the TLS key configured in fabric-ca-server.
  certfiles: /root/.fabric-ca-client/msp/cacerts/ca.crt
  # These are empty because we have not enabled mutual TLS; if you need it,
  # another TLS key pair goes here.
  client:
    certfile:
    keyfile:

With that, the configuration file is complete. All that remains is to bind the server's IP address to the domain name in /etc/hosts, as shown below:

vi /etc/hosts
# Add this line at the end of the file (or anywhere in it); the first field is your fabric-ca-server's IP address.
192.168.xxx.xxx tlsca.org1.example.com

Run the command below to access fabric-ca-server over the TLS-encrypted connection.

fabric-ca-client enroll -u https://admin:adminpw@tlsca.org1.example.com:7054 --config ./fabric-ca-client-config.yaml

This command must be run inside the .fabric-ca-client directory, because the configuration file path it specifies is relative to it.
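What the server's tls: section, the client's tls: section and the /etc/hosts entry achieve together can be seen end to end in the Go program below. It is an added example, not part of this article and not fabric-ca code: it generates a constructed stand-in for tlsca.org1.example.com-cert.pem and its key, runs an in-process TLS server configured like the server above (clientauth type noclientcert, i.e. one-way TLS), and connects a client configured like the client above. The scenarios show why the https URL must use the hostname carried in the certificate (the reason for the hosts entry) rather than the server's IP, why ca.crt must be present in the client's cacerts, and what the empty client certfile/keyfile would have to hold if mutual TLS were turned on. The names client.org1.example.com and 192.168.0.10 are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Hostname from the article's /etc/hosts entry, and the message the server sends once satisfied.
const serverName, greeting = "tlsca.org1.example.com", "hello from fabric-ca-server"

// newCert builds a self-signed certificate whose DNS SAN is host. It is a constructed
// stand-in for the cryptogen output the article copies around (tlsca.org1.example.com-cert.pem
// and its *_sk key); as in the article, the TLS CA certificate doubles as the listening certificate.
func newCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// exchange runs one TLS connection between an in-process server and client. serverCert, auth
// and clientCAs model the server's tls: section (certfile, keyfile, clientauth); trust, name and
// clientCerts model the client's tls: section (certfiles, client.certfile/keyfile) and the URL hostname.
func exchange(serverCert tls.Certificate, auth tls.ClientAuthType, clientCAs *x509.CertPool,
	trust *x509.CertPool, name string, clientCerts []tls.Certificate) (string, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: auth, ClientCAs: clientCAs}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// The first Write runs the server-side handshake; a client that fails the server's checks gets an alert.
		conn.Write([]byte(greeting))
	}()
	cliCfg := &tls.Config{RootCAs: trust, ServerName: name, Certificates: clientCerts}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // client rejected the server certificate (untrusted CA or hostname mismatch)
	}
	defer conn.Close()
	msg, err := io.ReadAll(conn)
	if err != nil || len(msg) == 0 {
		return "", fmt.Errorf("server refused the client: %v", err)
	}
	return string(msg), nil
}

func main() {
	server, _ := newCert(serverName)
	client, _ := newCert("client.org1.example.com") // constructed second key pair for mutual TLS
	trusted, clientCAs := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(server.Leaf)
	clientCAs.AddCert(client.Leaf)
	report := func(label string, err error) { fmt.Printf("%-44s %v\n", label, err) }
	_, err := exchange(server, tls.NoClientCert, nil, trusted, serverName, nil)
	report("one-way TLS, hostname from /etc/hosts:", err)
	_, err = exchange(server, tls.NoClientCert, nil, trusted, "192.168.0.10", nil)
	report("one-way TLS, IP literal in the URL:", err)
	_, err = exchange(server, tls.NoClientCert, nil, x509.NewCertPool(), serverName, nil)
	report("one-way TLS, ca.crt not in cacerts:", err)
	_, err = exchange(server, tls.RequireAndVerifyClientCert, clientCAs, trusted, serverName, nil)
	report("mutual TLS, empty client certfile/keyfile:", err)
	_, err = exchange(server, tls.RequireAndVerifyClientCert, clientCAs, trusted, serverName, []tls.Certificate{client})
	report("mutual TLS, second key pair configured:", err)
}
```

Only the first and last scenarios print a nil error. The IP-literal case fails hostname verification because the certificate carries a DNS SAN and no IP SAN, which is exactly what the hosts entry works around; the empty-pool case is the client without ca.crt in cacerts; and the first mutual TLS case shows the server sending an alert when clientauth requires a certificate the client's empty certfile/keyfile cannot supply.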

This concludes the introduction to fabric-ca-client and fabric-ca-server interacting over a TLS-encrypted connection. The individual client and server commands are not covered in detail here; comments and corrections are welcome.
Author: S_Foolish
