Monday, November 4, 2019

What is needed to stand up a peer or orderer node in fabric

To stand up a fabric peer or orderer node, the following must be provided:

  • msp directory, which contains at least the following:
    1. admincerts: the certificate(s) of the organization's admin identity; the same admin cert can be shared across all the peers in an org (from Fabric 2.0 on, with NodeOUs enabled via config.yaml in the msp directory, this folder is no longer required).
    2. cacerts: the certificate(s) of the CA that issued the node's signing certificate
    3. keystore: the node's signing key, that is, the private key
    4. signcerts: the node's X.509 certificate, which carries its public key
  • tls directory, which contains the following if TLS is enabled:
    1. ca.crt: the TLS CA certificate
    2. server.crt: the node's TLS certificate
    3. server.key: the matching private key

So basically, you will need to enroll three times:

1. Enroll an admin user, so that you get the admin cert for admincerts.
2. Enroll the node, so that you get the node's keystore (private key) and signing certificate (public key).
3. Enroll the node's TLS identity; this is only required if you have TLS enabled for the node.

Once these things are available, you can start the node; a peer and an orderer use the same layout of cert material. Remember to mount the msp directory at /etc/hyperledger/fabric/msp and the tls directory at /etc/hyperledger/fabric/tls: with the default settings (FABRIC_CFG_PATH is /etc/hyperledger/fabric in the official images, and the msp and tls paths in core.yaml and orderer.yaml are relative to it), peer and orderer will find the right certs to start the node. The node also needs its MSP ID (CORE_PEER_LOCALMSPID or ORDERER_GENERAL_LOCALMSPID) set to the ID under which the channel configuration knows the organization; otherwise the certs, valid as they are, will not be recognized on the channel.

The steps above assume you have a CA server (fabric-ca-server) available.

If you simply want to bootstrap a network with cryptogen instead, you write a crypto-config.yaml file describing the orgs and their nodes, then run cryptogen to generate all of the certs above in one go.

The file is conventionally named crypto-config.yaml, but the name is yours to choose: pass it explicitly with --config (without it, cryptogen falls back to its built-in template, which cryptogen showtemplate prints). The output directory defaults to crypto-config:

cryptogen generate --output="a directory name" --config=crypto-config.yaml
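The layout above, as an added example (this is not Fabric's, fabric-ca's or cryptogen's code): a Go program that plays a local stand-in for the three enrollments, writes the msp/ and tls/ trees with the file names cryptogen uses, and then runs the pre-start check I would want before mounting the directory into a node: every msp subdirectory is present and non-empty, signcerts chains to cacerts, the keystore key is the private half of the signcert, and tls/ is consistent in the same way. The org name org1.example.com, the node name peer0, the throwaway self-signed CAs (a real node enrolls against fabric-ca-server) and the 24-hour validity are all assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// id is one enrolled identity: its P-256 key (also as PKCS#8, the form Fabric stores) and certificate.
type id struct {
	key    *ecdsa.PrivateKey
	keyDER []byte
	cert   *x509.Certificate
}

// enroll stands in for one fabric-ca enrollment (or one cryptogen identity): an ECDSA P-256 /
// SHA-256 certificate for cn issued by ca, or a self-signed CA when ca is nil. Stand-in only.
func enroll(cn string, ca *id, dns []string) *id {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: dns, // SANs only matter for the TLS cert
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"org1.example.com"}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca == nil,
	}
	parent, signer := tmpl, key // self-signed unless a CA was given
	if ca == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &id{key, keyDER, cert}
}

// writePEM writes one PEM file, creating its directory; private keys land here, hence 0700/0600.
func writePEM(path, typ string, der []byte) {
	must(os.MkdirAll(filepath.Dir(path), 0o700))
	must(os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600))
}

// Generate lays out msp/ and tls/ for one peer under root: the post's three enrollments
// (admin identity, node identity, node TLS identity) plus the CA certificates they chain to.
func Generate(root string) {
	ca := enroll("ca.org1.example.com", nil, nil)
	tlsCA := enroll("tlsca.org1.example.com", nil, nil) // cryptogen uses a separate TLS CA too
	admin := enroll("Admin@org1.example.com", ca, nil)
	node := enroll("peer0.org1.example.com", ca, nil)
	tlsNode := enroll("peer0.org1.example.com", tlsCA, []string{"peer0.org1.example.com", "peer0"})
	msp, tls := filepath.Join(root, "msp"), filepath.Join(root, "tls")
	writePEM(filepath.Join(msp, "admincerts", "Admin@org1.example.com-cert.pem"), "CERTIFICATE", admin.cert.Raw)
	writePEM(filepath.Join(msp, "cacerts", "ca.org1.example.com-cert.pem"), "CERTIFICATE", ca.cert.Raw)
	writePEM(filepath.Join(msp, "keystore", "priv_sk"), "PRIVATE KEY", node.keyDER) // 2.x name; 1.x used <hex SKI>_sk
	writePEM(filepath.Join(msp, "signcerts", "peer0.org1.example.com-cert.pem"), "CERTIFICATE", node.cert.Raw)
	writePEM(filepath.Join(tls, "ca.crt"), "CERTIFICATE", tlsCA.cert.Raw)
	writePEM(filepath.Join(tls, "server.crt"), "CERTIFICATE", tlsNode.cert.Raw)
	writePEM(filepath.Join(tls, "server.key"), "PRIVATE KEY", tlsNode.keyDER)
}

// pemBytes returns the payload of the first PEM block in path, or panics.
func pemBytes(path string) []byte {
	b, err := os.ReadFile(path)
	must(err)
	blk, _ := pem.Decode(b)
	if blk == nil {
		panic(path + ": not PEM")
	}
	return blk.Bytes
}

// first returns the one file fabric-ca or cryptogen leave in an MSP subdirectory, or panics.
func first(dir string) string {
	ents, err := os.ReadDir(dir)
	if err != nil || len(ents) == 0 {
		panic(dir + " is missing or empty")
	}
	return filepath.Join(dir, ents[0].Name())
}

// checkPair panics unless certPath was issued by the CA at caPath and the PKCS#8 key at
// keyPath is the private half of that certificate's public key.
func checkPair(caPath, certPath, keyPath string) {
	ca, err := x509.ParseCertificate(pemBytes(caPath))
	must(err)
	cert, err := x509.ParseCertificate(pemBytes(certPath))
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		panic(fmt.Sprintf("%s not issued by %s: %v", certPath, caPath, err))
	}
	k, err := x509.ParsePKCS8PrivateKey(pemBytes(keyPath))
	must(err)
	if priv, ok := k.(*ecdsa.PrivateKey); !ok || !priv.PublicKey.Equal(cert.PublicKey) {
		panic(keyPath + " is not the private key for " + certPath)
	}
}

// Verify is the pre-start check: msp/ has the four directories the node reads, signcerts
// chains to cacerts and keystore holds its key, and tls/ is consistent the same way.
// Every failed check surfaces as the returned error.
func Verify(root string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%v", r)
		}
	}()
	msp, tls := filepath.Join(root, "msp"), filepath.Join(root, "tls")
	first(filepath.Join(msp, "admincerts")) // must exist; the node holds no private key for it
	checkPair(first(filepath.Join(msp, "cacerts")), first(filepath.Join(msp, "signcerts")), first(filepath.Join(msp, "keystore")))
	checkPair(filepath.Join(tls, "ca.crt"), filepath.Join(tls, "server.crt"), filepath.Join(tls, "server.key"))
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "fabric-node-")
	must(err)
	Generate(dir)
	if err := Verify(dir); err != nil {
		fmt.Println("rejected:", err)
		os.Exit(1)
	}
	fmt.Println("node material OK under", dir)
}
```

Run it with go run; it writes the tree into a temporary directory and reports the result of Verify. Verify is deliberately the kind of check that catches the two mistakes I see most often when node material is assembled by hand: a keystore file that belongs to a different identity (a TLS key copied into msp/keystore, or the admin's key instead of the node's), and an msp directory with an empty or missing subdirectory. It does not check the MSP ID or a NodeOU config.yaml, which Fabric itself validates when it loads the MSP.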

Strange behavior of ca enroll command

There is a really strange behavior here: enroll always used the common name recorded in the client's directory as the certificate's common name, so a certificate enrolled for a newly registered user came out carrying another user's name as its CN. The only way I could overcome this at the time was the following:

1. Enroll a new user ID.
2. Register that user, then simply delete the entire directory that holds the new user's certs.
3. Then enroll again using the new user's ID and password.

The cause is that fabric-ca-client writes a fabric-ca-client-config.yaml into its home directory the first time it runs, with csr.cn filled in from the enrollment ID of that first request; later enroll commands from the same home reuse that file, CN included. Deleting the directory throws the cached config away, which is why the workaround works.

The right method to overcome the strange behavior

1. Make sure the client home points at a directory of your own (the post uses CA_CFG_PATH=$(pwd); the variable fabric-ca-client itself reads is FABRIC_CA_CLIENT_HOME, or pass -H on each command).
2. Enroll the CA admin user first, and make sure
3. Register the new user first.
4. Then enroll the new user using the new user ID and password, from a different client home than the admin's (or with --csr.cn set explicitly), so the admin's cached common name is not reused.
