Wednesday, June 21, 2017

Fabric certificates

Each organization needs the following components:

1. ca
2. msp
3. orderers or peers
4. users

        The ca needs to have:
              1. private key
              2. certificate

        The msp needs:
              1. admin certificate
              2. the sign cert is the same as the CA certificate

        Each user needs: msp and tls
            for msp:
              1. keystore private key
            for tls
              2. tls server.key - need to generate
              3. tls server.crt - need to sign with CA certificate

        Each peer needs: msp and tls
            for msp:
              1.  keystore private key - need to generate
              2.  sign certificate - need to generate with ca certificate
            for tls:
              1. tls server.key - need to generate
              2. tls server.crt - need to generate with ca certificate

        Each orderer needs: msp and tls
            for msp:
              1. keystore private key - need to generate
              2. sign certificate - need to generate with the ca sign certificate
            for tls:
              1. tls server.key - need to generate
              2. tls server.crt - need to sign with the ca certificate

The process to create all the certificates
1. Create CA private key and certificate
2. Create a private key as the admin user keystore key, then use CA certificate sign the private key
   to create the admin certificate
3. For either orderer or peer, create a private key as the msp keystore private key, then use CA
   certificate sign the private key to create the peer or orderer certificate
4. Regardless it is a user or peer or orderer, each will need tls keys. Create a private key, then use
   CA certificate sign the private key to create the user, peer or orderer sign certificate.

Looks like fabric uses pkcs8 format rather than the traditional ec format, so use the following command to convert.

openssl pkcs8 -topk8 -nocrypt -in tradfile.pem -out p8file.pem
 
 
Here is an example. 
 
 
1. Generate a CA private key
 
  openssl ecparam -genkey -name prime256v1 -noout -out ca.key
 
2. Convert that key to pkcs8 format (Do not have to do this)
 
  openssl pkcs8 -topk8 -nocrypt -in ca.key -out ca.sk
 


3. Create certificate for CA



openssl req -x509 -new -SHA256 -nodes -key ca.sk -days 1000


   -out ca.crt -subj "/C=US/ST=NC/L=Cary/O=orga/CN=ca.orga" 


 


4. Generate a private key for a server or user and convert to pkcs8 format


 


  openssl ecparam -genkey -name prime256v1 -noout -out server.key
  openssl pkcs8 -topk8 -nocrypt -in server.key -out server.sk (optional)

 


5. Create a certificate signing request (CSR)




  openssl req -new -SHA256 -key server.sk -nodes -out server.csr


    -subj "/C=US/ST=NC/L=Cary/O=orga/CN=peer1.orga"  


 


6. Once generated, you can view the full details of the CSR:

   openssl req -in server.csr -noout -text 


 


7. Now sign the certificate using the CA keys:


 


   openssl x509 -req -SHA256 -days 1000 -in server.csr -CA ca.crt


    -CAkey ca.sk -CAcreateserial -out server.crt 










Posted by



at





No comments:
  


































          

        

          

        

Friday, June 16, 2017


          

        









Change Ubuntu machine search domain










 For ubuntu 16.04, add the following to file /etc/resolvconf/resolv.conf.d/base



search xxxxx



where xxxxx is the search domain to be added to resolv.conf.



After make that change, you will need to restart the networking services.



systemctl restart networking





The following procedure does not work for ubuntu 16.04. 

You will need to edit this file with your favorite editor:


 


sudo nano /etc/dhcp/dhclient.conf




Once in file, you should see a commented line with the word supersede next to it:


#supersede domain-name "...."


Uncomment that line, substitute the name supersede for append, then add the domain names you wish to search (follow the example below and leave a space after the first "):


append domain-name " ubuntu.com ubuntu.net test.ubunut.com";


 


If you just want to use complete different search domain, then just leave the


word supersede, only replace the domain names.


 


supersede domain-name " fabric.com whatever.io" 










Posted by



at





No comments:
  


































          

        

          

        

Monday, June 12, 2017


          

        









Creating Self-Signed ECDSA SSL Certificate using OpenSSL (Copy from another post)










Before generating a private key, you’ll need to decide which elliptic curve to use. To list the supported curves run:




openssl ecparam -list_curves




The list is quite long and unless you know what you’re doing you’ll be better off
choosing one of the sect* or secp*. For this tutorial I
choose secp521r1 (a curve over 521bit prime).


Generating the certificate is done in two steps: 

1. Create the private key, 



openssl ecparam -name secp521r1 -genkey \
  -param_enc explicit -out private-key.pem


2. Create the self-signed X509 certificate:


openssl req -new -x509 -key private-key.pem \
  -out server.pem -days 730


The newly created server.pem and private-key.pem are the certificate and the private key, respectively.
The -param_enc explicit tells openssl to embed the full parameters of the curve in the key, as 
opposed to just its name. This allows clients that are not aware of the 
specific curve name to work with it, at the cost of slightly increasing 
the size of the key (and the certificate).



You can examine the key and the certificate using


openssl ecparam -in private-key.pem -text -noout
openssl x509 -in server.pem -text -noout


Most webservers expect the private-key to be chained to the certificate in the same file. So run:


cat private-key.pem server.pem > server-private.pem


And install server-private.pem as your certificate. If 
you don’t concatenate the private key to the certificate, at least 
Lighttpd will complain with the following error:


SSL: Private key does not match
the certificate public key, reason: error:0906D06C:PEM
routines:PEM_read_bio:no start line










Posted by



at





No comments:
  


































          

        

          

        

Thursday, June 1, 2017


          

        









How to install Gerrit










1. Install java jdk or Oracle java if you do not have it already


apt install openjdk-8-jre-headless

2. Create directories named review


mkdir -p ~/review

3. Download gerrit.war here, assume the war you are getting is gerrit-2.14.6.war


wget https://www.gerritcodereview.com/download/gerrit-2.14.6.war

4. Run the following command from where gerrit war file is:


java -jar gerrit-2.14.6.war init -d ~/review



During this process, you can use most of the default values. For authentication, if this is for development, you can use this value DEVELOPMENT_BECOME_ANY_ACCOUNT. Otherwise, choose apropriate means such as OpenID or LDAP etc. To trigger the jenkins build, there is no need to install
events-log plugin unless you like jenkins to handle missed events.




5. Set up gerrit services

Execute the following commands to copy gerrit service file to the /lib/systemd/system directory:



sudo cp ~/review/bin/gerrit.service /lib/systemd/system


Edit /lib/systemd/system/gerrit.service file. Make sure that the StandardInput=socket is REMOVED:


# StandardInput=socket


 Without removing the above line, the service will wait for a socket which we do not really need.



Make sure WorkingDirectory and Environment set to the right values for GERRIT_HOME and JAVA_HOME in [Service] section. For the examples above, the two lines should look like the following:



Environment=GERRIT_HOME=/home/ubuntu/review
Environment=JAVA_HOME=/usr/lib/jvm/java-8-oracle/jre
ExecStart=/usr/bin/java -Xmx1024m -jar \
  ${GERRIT_HOME}/bin/gerrit.war daemon -d ${GERRIT_HOME}


6. Start the gerrit services


sudo systemctl start gerrit.service 



To allow remote administration, add the following to the etc/gerrit.config file, then restart the service




[plugins]
        allowRemoteAdmin = true

The events-log.jar download location:
https://gerrit-ci.gerritforge.com/job/plugin-events-log-bazel-stable-2.14/lastSuccessfulBuild/artifact/bazel-genfiles/plugins/events-log/events-log.jar

git-review may need to do this




git remote rename origin gerrit

If you like to use an existing gerrit.config file, save the following content in the review/etc/gerrit.config file, then run the java command.




[gerrit]
 basePath = git
 serverId = edb71efd-32fe-48ae-a18b-b287e9f825a5
 canonicalWebUrl = http://192.168.56.30:9090/
[database]
 type = h2
 database = /home/ubuntu/review/db/ReviewDB [index]
 type = LUCENE
[auth]
 type = DEVELOPMENT_BECOME_ANY_ACCOUNT
[plugins]
        allowRemoteAdmin = true
[receive]
 enableSignedPush = false
[sendemail]
 smtpServer = localhost
[container]
 user = ubuntu
 javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
 listenAddress = *:29418
[httpd]
 listenUrl = http://*:9090/
[cache]
 directory = cache











Posted by



at





No comments:
  










































How does gerrit trigger work on Jenkins












The gerrit trigger works like this:


    

  1. It connects to the gerrit server using ssh and uses the gerrit stream-events command
    2. 

  2. It then watches this stream as the data comes in
    3. 

  3. It will try to match the events to triggers that have defined in your projects
    4. 


Common issues:


    

  1. Jenkins user has improper ssh credentials
    2. 

  2. Jenkins user does not have the stream-events rights
    3. 

  3. The user public key was not added to gerrit
    4. 


How to check:


    

  1. Login as jenkins user, assume username is admin
    2. 

  2. ssh -p 29418 admin@gerrit_server gerrit stream-events
    3. 

  3. Push a commit to the server and you should see things on your stream
    4. 


Problems:


    

  1. ssh connection failed? setup you ssh key pair 
    2. 

  2. No streaming right? Go to the All-Projects->Access and under 
Global Capabilities add Stream Events to the Non-Interactive Users group
    3. 






Gerrit access rights


    

  1. Create the profile through in Gerrit web interface for your Jenkins user, and set up a SSH key for that user.
    2. 

  2. Gerrit web interface > Admin > Groups > Non-Interactive Users > Add your jenkins user.
    3. 

  3. Admin > Projects > ... > Access > Edit
      

    • Reference: refs/*
        

      • Read: ALLOW for Non-Interactive Users
        • 

      

      • 

    • Reference: refs/heads/*
        

      • Label Code-Review: -1, +1 for Non-Interactive Users
        • 

      • Label Verified: -1, +1 for Non-Interactive Users
        • 

      

      • 

    

    4. 


IMPORTANT:
 On Gerrit 2.7+, you also need to grant "Stream Events" capability. 
Without this, the plugin will not work, will try to connect to Gerrit 
repeatedly, and will eventually cause OutOfMemoryError on Gerrit.


    

  1. Gerrit web interface > People > Create New Group : "Event Streaming Users". Add your jenkins user.
    2. 

  2. Admin > Projects > All-Projects > Access > Edit
    3. 



    

    • 

    • Global Capabilities
        

      • Stream Events: ALLOW for Event Streaming Users
        • 

      

      • 

    

    • 





    













Posted by



at





1 comment:
  


































        

      









Subscribe to:
Posts (Atom)