Setting up fabric-CA with Fabric 1.4

2019-12-27  liurenhao

Download the source

$ git clone https://github.com/hyperledger/fabric-ca.git

Start the image

$ 

Integrating Fabric CA into the environment

This article builds on the environment from "Manually building a Fabric 1.4 network".

Edit docker-compose-cli.yaml

Add the following service alongside the existing ones in that file:

ca1:
    container_name: ca1
    image: hyperledger/fabric-ca
    environment:
        - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
        - FABRIC_CA_SERVER_CA_NAME=ca1
        # With TLS enabled and no TLS certificate configured, the server
        # self-signs one as tls-cert.pem under FABRIC_CA_HOME on first start;
        # the client commands further down trust that file.
        - FABRIC_CA_SERVER_TLS_ENABLED=true
    ports:
        - "7054:7054"
    volumes:
        # host directory holding the org1 CA certificate and key written by cryptogen
        - ./crypto-config/peerOrganizations/org1.liuhao.com/ca/:/etc/hyperledger/fabric-ca-server-config
    # -b sets the bootstrap (registrar) identity. admin:adminpw is the sample
    # default and must be changed for anything beyond a throwaway lab.
    # -d turns on debug logging. ${PRIVATE_KEY} is substituted by docker-compose
    # from the environment startup.sh provides.
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.liuhao.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/${PRIVATE_KEY} -b admin:adminpw -d'

Edit the startup.sh script

Change it as follows:

export COMPOSE_PROJECT_NAME=fabric-liuhao
export IMAGE_TAG=latest
export SYS_CHANNEL=syschannel
# PRIVATE_KEY is the name of the _sk file cryptogen wrote under
# crypto-config/peerOrganizations/org1.liuhao.com/ca/ for this run. The name
# is hash-derived and changes whenever the crypto material is regenerated,
# so it must be updated here each time.
PRIVATE_KEY=8c04f0262eb1fa5f6bed720b1c17bf73df31d1e6d7c371cc4ed9bb747f542df1_sk docker-compose -f docker-compose-cli.yaml up -d

Restart the network

$ docker-compose -f docker-compose-cli.yaml down
# asks for confirmation, then deletes every unused volume, including the
# peer and orderer ledgers of the network just brought down
$ docker volume prune
$ sh startup.sh
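The hard-coded `_sk` name in startup.sh is whatever cryptogen produced for the author's run; after any regeneration it silently points at a file that no longer exists, and fabric-ca-server only tells you at startup. The script below is an added example, not code from the original post or from Fabric: it locates the single `*_sk` file in the org1 CA directory, checks with openssl that the key actually belongs to `ca.org1.liuhao.com-cert.pem`, and only then starts the network with the same environment startup.sh sets. The paths are assumed from this article's crypto-config layout.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve the CA key file by
# pattern and verify it matches the CA certificate before starting the network.
# Paths follow this article's crypto-config layout; run from the directory
# that holds docker-compose-cli.yaml.

# Print the basename of the single *_sk file in a directory.
# Fail when there is none or more than one, so a stale or duplicated key is
# caught here rather than as a fabric-ca-server startup error.
find_ca_key() {
    dir=$1
    found=""
    count=0
    for f in "$dir"/*_sk; do
        [ -f "$f" ] || continue
        found=$f
        count=$((count + 1))
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one *_sk file in $dir, found $count" >&2
        return 1
    fi
    basename "$found"
}

# Return 0 when the public key derived from the private key equals the
# public key inside the certificate, i.e. the pair really belongs together.
key_matches_cert() {
    key=$1
    cert=$2
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Replacement for the body of startup.sh: same environment as the article,
# but PRIVATE_KEY is discovered and checked instead of pasted in by hand.
start_ca_network() {
    ca_dir=crypto-config/peerOrganizations/org1.liuhao.com/ca
    ca_cert=$ca_dir/ca.org1.liuhao.com-cert.pem
    key=$(find_ca_key "$ca_dir") || return 1
    if ! key_matches_cert "$ca_dir/$key" "$ca_cert"; then
        echo "$key does not match $ca_cert; regenerate crypto-config" >&2
        return 1
    fi
    export COMPOSE_PROJECT_NAME=fabric-liuhao
    export IMAGE_TAG=latest
    export SYS_CHANNEL=syschannel
    PRIVATE_KEY=$key docker-compose -f docker-compose-cli.yaml up -d
}

# Run as "sh startup.sh start"; sourcing the file only defines the functions.
if [ "${1:-}" = start ]; then
    start_ca_network
fi
```

The key/cert comparison is cheap and catches the common mistake of mounting a `ca/` directory from one cryptogen run together with a compose file still naming the key from another.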

Enter the fabric-ca-server container

$ docker exec -it ca1 bash

Enroll the CA admin

$ export FABRIC_CA_CLIENT_HOME=$HOME/ca
# the self-signed TLS certificate the server generated on first start
$ export ROOT_CA=/etc/hyperledger/fabric-ca-server/tls-cert.pem
$ fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles $ROOT_CA

Add an affiliation

$ fabric-ca-client affiliation add org1.liuhao -u https://localhost:7054 --tls.certfiles $ROOT_CA

Remove an affiliation

$ fabric-ca-client affiliation remove yinhai -u https://localhost:7054 --tls.certfiles $ROOT_CA

Note: removing affiliations is disabled by default. To allow it, start fabric-ca-server with --cfg.affiliations.allowremove.

Register a new user (liuhao)

$ fabric-ca-client register --id.name liuhao --id.type user --id.affiliation org1.liuhao --id.attrs 'hf.Revoker=true' -u https://localhost:7054 --tls.certfiles $ROOT_CA

Pitfall: the identity was registered with type user, and the certificate it was enrolled with did not satisfy the policy for organization and channel operations. The invoke failed with:

Error: error endorsing invoke: rpc error: code = Unknown desc = access denied: channel [mychannel] creator org [Org1MSP] - proposal response: <nil>

Either register an identity that satisfies the policy, or adjust the policy. The author's workaround was to add admin=true:ecert to the attributes (the :ecert suffix places the attribute inside the enrollment certificate):

$ fabric-ca-client register --id.name hao --id.type user --id.affiliation com.yinhai.liuhao --id.attrs 'hf.Revoker=true,admin=true:ecert' -u https://localhost:7054 --tls.certfiles $ROOT_CA

Two caveats. The affiliation given with --id.affiliation must already exist on the server (the step above added org1.liuhao, not com.yinhai.liuhao); registering under an unknown affiliation is rejected. And a custom attribute such as admin=true is only visible to chaincode or to attribute-based checks that read it; Fabric's MSP does not consult it when deciding who is an admin, which is why the admincerts step further down is still required. The register command prints the enrollment secret for the new identity:

Password: LFYFSpXZSmom

Generate the MSP private key and certificate for the new user

Use the enrollment secret printed by register in the enroll URL below; -M selects the directory the MSP is written to (note that the secret appears on the command line and therefore in shell history):

$ fabric-ca-client enroll -u https://liuhao:GOuMzkcGgGzq@localhost:7054 --tls.certfiles $ROOT_CA -M $FABRIC_CA_CLIENT_HOME/liuhaomsp

Set up the new user's certificate and key directory

Copy the liuhaomsp directory generated by the previous step into the org1 tree on the host:

# Still inside the ca1 container: copy the MSP into the bind-mounted directory.
# That directory is the org1 CA directory, which also holds the CA's own private
# key, so move the user MSP out of it on the host right away.
$ cp -R $FABRIC_CA_CLIENT_HOME/liuhaomsp/ /etc/hyperledger/fabric-ca-server-config/
# On the host, go to the org1 users directory of the network checkout
$ cd ~/hyperledger/fabric-liuhao/crypto-config/peerOrganizations/org1.liuhao.com/users
# create the user directory
$ mkdir liuhao
# move the MSP into place
$ sudo mv ../ca/liuhaomsp/ ./liuhao/msp

Create admincerts

$ mkdir liuhao/msp/admincerts
$ cp liuhao/msp/signcerts/cert.pem liuhao/msp/admincerts/

If this step is skipped, the peer CLI cannot load the MSP and any chaincode call fails with:

Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.liuhao.com/users/liuhao/msp: administrators must be declared when no admin ou classification is set
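The two failures above (an MSP with no declared admin, and an identity the channel rejects) are both visible on disk before the peer is involved. The script below is an added example, not code from the original post or from Fabric; it assumes the directory layout `fabric-ca-client enroll -M` writes (cacerts/, keystore/, signcerts/, optionally admincerts/ or a NodeOU config.yaml) and uses openssl to confirm the signing certificate chains to the CA certificate in cacerts/, which is the minimum for the channel's Org1MSP to accept the identity as a member.

```shell
#!/bin/sh
# Added example, not part of the original post: check a user MSP directory
# produced by "fabric-ca-client enroll -M <dir>" before pointing the peer at it,
# and declare the admin certificate when nothing else does. Assumed layout is
# the one enroll writes: cacerts/, keystore/, signcerts/ and optionally
# admincerts/ or a NodeOU config.yaml.

# Return 0 when the directory contains at least one regular file.
has_file() {
    for f in "$1"/*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Declare an admin for the MSP: copy the enrollment certificate into
# admincerts/ unless one is already present or NodeOUs are enabled.
# Omitting this is what produces
# "administrators must be declared when no admin ou classification is set".
ensure_admincerts() {
    msp=$1
    if [ -f "$msp/config.yaml" ] && grep -q 'Enable: *true' "$msp/config.yaml"; then
        return 0
    fi
    mkdir -p "$msp/admincerts"
    if has_file "$msp/admincerts"; then
        return 0
    fi
    cert=$(ls "$msp"/signcerts/*.pem 2>/dev/null | head -n 1)
    [ -n "$cert" ] || { echo "no signing certificate in $msp/signcerts" >&2; return 1; }
    cp "$cert" "$msp/admincerts/"
}

# Validate the MSP: required directories are populated, an admin is declared,
# and the signing certificate actually chains to the CA certificate, so a cert
# issued by a different CA (or a stale cacerts copy) is caught here instead of
# as "access denied" from the peer.
check_msp() {
    msp=$1
    for d in cacerts keystore signcerts; do
        has_file "$msp/$d" || { echo "$msp/$d is missing or empty" >&2; return 1; }
    done
    if ! has_file "$msp/admincerts" && ! [ -f "$msp/config.yaml" ]; then
        echo "no admincerts and no NodeOU config.yaml in $msp" >&2
        return 1
    fi
    cafile=$(ls "$msp"/cacerts/*.pem 2>/dev/null | head -n 1)
    [ -n "$cafile" ] || { echo "no CA certificate in $msp/cacerts" >&2; return 1; }
    for cert in "$msp"/signcerts/*.pem; do
        if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
            echo "$cert does not chain to $cafile" >&2
            return 1
        fi
    done
    return 0
}

# Usage on the host, after the mv into users/liuhao/msp shown above:
#   ensure_admincerts crypto-config/peerOrganizations/org1.liuhao.com/users/liuhao/msp
#   check_msp         crypto-config/peerOrganizations/org1.liuhao.com/users/liuhao/msp
```

The chain check is the part worth keeping even once the admincerts habit is in place: the peer's "access denied" message says nothing about why, and a certificate that does not verify against the org's CA certificate is the first thing to rule out.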

Switch user

In the cli container, point the peer CLI at the new MSP:

$ export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.liuhao.com/users/liuhao/msp