Fabric CA User’s Guide——开始

先决条件

  • 安装Go 1.9+
  • 设置正确的GOPATH环境变量
  • 安装了libtool和libtdhl-dev包

下面是在Ubuntu上安装libtool依赖命令:

sudo apt install libtool libltdl-dev

下面是在MacOSX上安装libtool依赖命令:

brew install libtool

注意:在MacOSX上没有必要使用libtldl-dev

有关libtool的更多信息,请参见https://www.gnu.org/software/libtool

有关libltdl-dev的更多信息,请参见https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html

安装

下面的代码将在$GOPATH/bin中安装fabric-ca-server 和fabric-ca-client二进制文件。

go get -u github.com/hyperledger/fabric-ca/cmd/...

注意:如果已经克隆了fabric-ca仓库,请确保在运行“go get”命令之前已经在主分支上了。否则,可能会看到以下错误:

<gopath>/src/github.com/hyperledger/fabric-ca; git pull --ff-only

There is no tracking information for the current branch.

Please specify which branch you want to merge with.

See git-pull() for details.

    git pull <remote> <branch>

If you wish to set tracking information for this branch you can do so with:

    git branch --set-upstream-to=<remote>/<branch> tlsdoc

package github.com/hyperledger/fabric-ca/cmd/fabric-ca-client: exit status

启动本地服务器

下面将使用缺省设置启动fabric-ca-server。

fabric-ca-server start -b admin:adminpw

-b选项提供了引导管理员的注册ID和密钥;如果LDAP没有启用“ldap.enabled”设置,那么这是必需的。

一个默认名为fabric-ca-ca-config.yaml的配置文件在可以定制的本地目录中被创建。

通过Docker启动服务

Go to: https://hub.docker.com/r/hyperledger/fabric-ca/tags/

找到与想要拉的fabric-ca构造和版本的标记相匹配的内容。

进入$GOPATH/src/github.com/hyperledger/fabric-ca/docker/server并打开编辑docker-compose.yml,更改镜像版本为目前最合适的版本信息,也许是一个类似x86架构的beta版本。

fabric-ca-server:

  image: hyperledger/fabric-ca:x86_64-1.0.-beta

  container_name: fabric-ca-server

  ports:

    - "7054:7054"

  environment:

    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server

  volumes:

    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"

  command: sh -c 'fabric-ca-server start -b admin:adminpw'

在与docker-compose.yml文件相同的目录中打开一个终端,并执行以下操作:

# docker-compose up -d

如果不存在该镜像的话,这将在组合文件中拉取指定的fabric-ca镜像,并启动fabric-ca服务器的实例。

构建自己的Docker镜像

我们可以通过docker-compose构建和启动服务器,如下所示。

cd $GOPATH/src/github.com/hyperledger/fabric-ca

make docker

cd docker/server

docker-compose up -d

hyperledger/fabric-ca docker镜像包含了fabric-ca-server 和fabric-ca-client。

# cd $GOPATH/src/github.com/hyperledger/fabric-ca

# FABRIC_CA_DYNAMIC_LINK=true make docker

# cd docker/server

# docker-compose up -d

探索Fabric CA CLI

本节提供一些简单地Fabric CA服务端和客户端便捷使用消息。下面的小节提供了更多的使用信息。

服务器命令:

Hyperledger Fabric Certificate Authority Server

Usage:

  fabric-ca-server [command]

Available Commands:

  init        Initialize the fabric-ca server

  start       Start the fabric-ca server

  version     Prints Fabric CA Server version

Flags:

      --address string                            Listening address of fabric-ca-server (default "0.0.0.0")

  -b, --boot string                               The user:pass for bootstrap admin which is required to build default config file

      --ca.certfile string                        PEM-encoded CA certificate file (default "ca-cert.pem")

      --ca.chainfile string                       PEM-encoded CA chain file (default "ca-chain.pem")

      --ca.keyfile string                         PEM-encoded CA key file

  -n, --ca.name string                            Certificate Authority name

      --cacount int                               Number of non-default CA instances

      --cafiles stringSlice                       A list of comma-separated CA configuration files

      --cfg.affiliations.allowremove              Enables removing of affiliations dynamically

      --cfg.identities.allowremove                Enables removal of identities dynamically

      --crl.expiry duration                       Expiration for the CRL generated by the gencrl request (default 24h0m0s)

      --crlsizelimit int                          Size limit of an acceptable CRL in bytes (default )

      --csr.cn string                             The common name field of the certificate signing request to a parent fabric-ca-server

      --csr.hosts stringSlice                     A list of space-separated host names in a certificate signing request to a parent fabric-ca-server

      --csr.serialnumber string                   The serial number in a certificate signing request to a parent fabric-ca-server

      --db.datasource string                      Data source which is database specific (default "fabric-ca-server.db")

      --db.tls.certfiles stringSlice              A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)

      --db.tls.client.certfile string             PEM-encoded certificate file when mutual authenticate is enabled

      --db.tls.client.keyfile string              PEM-encoded key file when mutual authentication is enabled

      --db.type string                            Type of database; one of: sqlite3, postgres, mysql (default "sqlite3")

  -d, --debug                                     Enable debug level logging

  -H, --home string                               Server's home directory (default "/etc/hyperledger/fabric-ca")

      --intermediate.enrollment.label string      Label to use in HSM operations

      --intermediate.enrollment.profile string    Name of the signing profile to use in issuing the certificate

      --intermediate.parentserver.caname string   Name of the CA to connect to on fabric-ca-server

  -u, --intermediate.parentserver.url string      URL of the parent fabric-ca-server (e.g. http://<username>:<password>@<address>:<port)

      --intermediate.tls.certfiles stringSlice    A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)

      --intermediate.tls.client.certfile string   PEM-encoded certificate file when mutual authenticate is enabled

      --intermediate.tls.client.keyfile string    PEM-encoded key file when mutual authentication is enabled

      --ldap.enabled                              Enable the LDAP client for authentication and attributes

      --ldap.groupfilter string                   The LDAP group filter for a single affiliation group (default "(memberUid=%s)")

      --ldap.tls.certfiles stringSlice            A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)

      --ldap.tls.client.certfile string           PEM-encoded certificate file when mutual authenticate is enabled

      --ldap.tls.client.keyfile string            PEM-encoded key file when mutual authentication is enabled

      --ldap.url string                           LDAP client URL of form ldap://adminDN:adminPassword@host[:port]/base

      --ldap.userfilter string                    The LDAP user filter to use when searching for users (default "(uid=%s)")

  -p, --port int                                  Listening port of fabric-ca-server (default )

      --registry.maxenrollments int               Maximum number of enrollments; valid if LDAP not enabled (default -)

      --tls.certfile string                       PEM-encoded TLS certificate file for server's listening port

      --tls.clientauth.certfiles stringSlice      A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)

      --tls.clientauth.type string                Policy the server will follow for TLS Client Authentication. (default "noclientcert")

      --tls.enabled                               Enable TLS on the listening port

      --tls.keyfile string                        PEM-encoded TLS key for server's listening port

Use "fabric-ca-server [command] --help" for more information about a command.

客户端命令:

Hyperledger Fabric Certificate Authority Client

Usage:

  fabric-ca-client [command]

Available Commands:

  affiliation Manage affiliations

  enroll      Enroll an identity

  gencrl      Generate a CRL

  gencsr      Generate a CSR

  getcacert   Get CA certificate chain

  identity    Manage identities

  reenroll    Reenroll an identity

  register    Register an identity

  revoke      Revoke an identity

  version     Prints Fabric CA Client version

Flags:

      --caname string                  Name of CA

      --csr.cn string                  The common name field of the certificate signing request

      --csr.hosts stringSlice          A list of space-separated host names in a certificate signing request

      --csr.names stringSlice          A list of comma-separated CSR names of the form <name>=<value> (e.g. C=CA,O=Org1)

      --csr.serialnumber string        The serial number in a certificate signing request

  -d, --debug                          Enable debug level logging

      --enrollment.attrs stringSlice   A list of comma-separated attribute requests of the form <name>[:opt] (e.g. foo,bar:opt)

      --enrollment.label string        Label to use in HSM operations

      --enrollment.profile string      Name of the signing profile to use in issuing the certificate

  -H, --home string                    Client's home directory (default "$HOME/.fabric-ca-client")

      --id.affiliation string          The identity's affiliation

      --id.attrs stringSlice           A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1)

      --id.maxenrollments int          The maximum number of times the secret can be reused to enroll. (default -)

      --id.name string                 Unique name of the identity

      --id.secret string               The enrollment secret for the identity being registered

      --id.type string                 Type of identity being registered (e.g. 'peer, app, user') (default "client")

  -M, --mspdir string                  Membership Service Provider directory (default "msp")

  -m, --myhost string                  Hostname to include in the certificate signing request during enrollment (default "$HOSTNAME")

  -a, --revoke.aki string              AKI (Authority Key Identifier) of the certificate to be revoked

  -e, --revoke.name string             Identity whose certificates should be revoked

  -r, --revoke.reason string           Reason for revocation

  -s, --revoke.serial string           Serial number of the certificate to be revoked

      --tls.certfiles stringSlice      A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)

      --tls.client.certfile string     PEM-encoded certificate file when mutual authenticate is enabled

      --tls.client.keyfile string      PEM-encoded key file when mutual authentication is enabled

  -u, --url string                     URL of fabric-ca-server (default "http://localhost:7054")

Use "fabric-ca-client [command] --help" for more information about a command.

注意,可以通过指定带有逗号分隔的列表元素的选项或多次指定选项来指定命令行选项(列表),每个选项都有一个组成列表的字符串值。例如,为csr.hosts选项指定host1和host2,可以通过--csr 'host1,host2',或者--csr host1 --csr host2。使用前一种格式时,请确保在逗号前后没有空格。

Hyperledger Fabric CA User’s Guide——开始(三)的更多相关文章

  1. Hyperledger Fabric CA User’s Guide——概述(二)

    概述 下面的图表说明了如何将Hyperledger Fabric CA与总体的Hyperledger Fabric结构相匹配. 有两种方式与一种Hyperledger Fabric CA服务器进行交互 ...

  2. Hyperledger Fabric CA User’s Guide——CA用户指南(一)

    Fabric CA用户指南 Hyperledger Fabric CA是一种用于Hyperledger Fabric的认证机构(CA). 它提供了如下特性: 登记身份(注册ID),或者连接到作为用户注 ...

  3. Hyperledger Fabric CA User’s Guide——配置设置(四)

    配置设置 Fabric CA提供了三种方案去配置Fabric CA服务端和客户端,优先顺序是: CLI flags(标识) 环境变量 配置文件 在本文档的其余部分中,我们将对配置文件进行更改.但是,可 ...

  4. Hyperledger Fabric CA的命令行用法

    介绍Hyperledger Fabric CA的命令行方式简单用法 Hyperledger Fabric CA由server和client两部分组成. 设置两个环境变量 export FABRIC_C ...

  5. Hyperledger Fabric 1.0 学习搭建 (三)--- 运行测试e2e-Fabric

    3.1.运行fabric-samples的问题说明 该问题说明能够解决6.1.平台特定使用的二进制文件配置第一步的问题.可以选择继续阅读该说明,或者等参考到6.1小节时再反向阅读本说明,具体在6.1中 ...

  6. HyperLedger Fabric ca 1.2 正式环境部署

    生成一个根CA(RootCA),在根CA下3个中间CA(IntermediaCA). 1. 运行和配置RootCA服务#cd /opt/gopath/src/github.com/hyperledge ...

  7. Hyperledger Fabric Membership Service Providers (MSP)——成员服务

    Membership Service Providers (MSP) 本文将介绍有关MSPs的设置和最佳实践的详细方案. Membership Service Providers (MSP)是一个旨在 ...

  8. 搭建基于hyperledger fabric的联盟社区(三) --生成公私钥证书及配置文件

    一.生成公私钥和证书 Fabric中有两种类型的公私钥和证书,一种是给节点之前通讯安全而准备的TLS证书,另一种是用户登录和权限控制的用户证书.这些证书本来应该是由CA来颁发,但是目前只有两个社区,所 ...

  9. HyperLedger Fabric 1.4 生产环境使用ca生成msp和tls(12)

    在上一章:Fabric kafka生产环境部署的基础上部署Fabric CA,使用Fabric CA进行生成公私钥和证书等文件,全部替换cryptogen工具,包括生成TLS相关的私钥和证书等文件.  ...

随机推荐

  1. Oracle学习(十一):PL/SQL

    版权声明:本文为博主原创文章.未经博主同意不得转载. https://blog.csdn.net/v123411739/article/details/30231659 1.知识点:能够对照以下的录屏 ...

  2. Raft一致性算法

    所有的分布式系统,都面临的一个问题是多个节点之间的数据共享问题,这个和团队协作的道理是一样的,成员可以分头干活,但总是需要共享一些必须的信息,比如谁是 leader, 都有哪些成员,依赖任务之间的顺序 ...

  3. BZOJ1597:[USACO]土地购买(斜率优化DP)

    Description 农夫John准备扩大他的农场,他正在考虑N (1 <= N <= 50,000) 块长方形的土地. 每块土地的长宽满足(1 <= 宽 < = 1,000 ...

  4. Day7 访问权限

    构造者模式思想 进行初始化,解决了多个构造器重载,构造器参数过多记不住的情况. package day7;//声明一个程序包 class Employee{ private String name; ...

  5. 集合之LinkedList

    一.概述 LinkedList与ArrayList一样实现List接口,只是ArrayList是List接口的大小可变数组的实现,LinkedList是List接口链表的实现.基于链表实现的方式使得L ...

  6. HDU 1316 (斐波那契数列,大数相加,大数比较大小)

    题目链接: http://acm.hdu.edu.cn/showproblem.php?pid=1316 Recall the definition of the Fibonacci numbers: ...

  7. Debian 8 安装录屏软件kazam

    1 安装 $ sudo apt-get install kazam [sudo] password for z: 正在读取软件包列表... 完成 正在分析软件包的依赖关系树 正在读取状态信息... 完 ...

  8. 典型CAN通讯电路(带隔离)

    典型CAN通讯电路(带隔离) CAN是控制器局域网络(Controller Area Network, CAN)的简称,是由德国BOSCH公司开发的,并最终成为国际标准(ISO 11898),是国际上 ...

  9. 非const引用参数传入不同类型编译不过的理解(拒绝将临时对象绑定为非const的引用的形参是有道理的)

    int f (int & I) { cout<<I<<std::endl; } void main() { long L; f(L); // 编译不过 f((int)L ...

  10. 《数据结构算法分析C描述》引论:选择问题,字谜游戏问题

    #include <stdio.h> #include <stdlib.h> // 第一题 // 找出N个数的第k个最大者 // 方法1:排序(冒泡),降序找出第k个值 // ...