Tuesday, January 8, 2019

Links

production environment of hyperledger fabric

https://dev.to/presto412/hyperledger-fabric-transitioning-from-development-to-production-4dch

https://medium.com/wearetheledger/how-to-deploy-early-production-ready-hyperledger-fabric-applications-using-ibm-cloud-caa7ecec22b5


https://www.altoros.com/blog/deploying-a-multi-node-hyperledger-fabric-network-in-5-steps/

build a rest api on hyperledger fabric

https://hackernoon.com/setting-up-restful-api-server-for-hyperledger-fabric-with-nodejs-sdk-a4642edaf98e

https://openblockchain.readthedocs.io/en/latest/API/CoreAPI/

Posted by at No comments:

Monday, January 7, 2019

Setup a blockchain Hyperledger Fabric network manually

Step 1
Call the byfn.sh script and networkUp method as follows:
  1. Verify the version.
  2. Use the cryptogen tool to generate public and private keys and certificates.
  3. Use the configtxgen tool to generate a genesis block, a channel configuration block, and two organization anchor points.
  4. Call the scripts/script.sh script to perform subsequent operations.
Fabric supports two types of public and private keys and certificates, namely, a TLS certificate for ensuring the communication security between nodes and a user certificate for user logon and permission control. These certificates should have been issued by the CA, but we use the test environment where the CA node is not enabled. Fabric has provided us with the cryptogen tool.

[root@fabric-test-01 first-network]# cryptogen generate --config=./crypto-config.yaml
org1.example.com
org2.example.com

The cryptogen tool generates a crypto-config folder in the current directory based on the crypto-config.yaml file. The folder structure is shown as follows.

[root@fabric-test-01 first-network]# yum install tree
[root@fabric-test-01 first-network]# tree -L 4 crypto-config
crypto-config
├── ordererOrganizations
│   └── example.com
│       ├── ca
│       │   ├── 16cdf940fba55b97f3cdf71eb44ed39bc08ff7149757ac34d7596707c97b18b8_sk
│       │   └── ca.example.com-cert.pem
│       ├── msp
│       │   ├── admincerts
│       │   ├── cacerts
│       │   └── tlscacerts
│       ├── orderers
│       │   └── orderer.example.com
│       ├── tlsca
│       │   ├── b38e560de1aa8138923ad0d2797b8b8f16ed082b8a14381190a0dea1829e749a_sk
│       │   └── tlsca.example.com-cert.pem
│       └── users
│           └── Admin@example.com
└── peerOrganizations
    ├── org1.example.com
    │   ├── ca
    │   │   ├── 0f7e3c534db8811228222fc7b16d2105e59b1002981745ca75d9c16a64e32287_sk
    │   │   └── ca.org1.example.com-cert.pem
    │   ├── msp
    │   │   ├── admincerts
    │   │   ├── cacerts
    │   │   ├── config.yaml
    │   │   └── tlscacerts
    │   ├── peers
    │   │   ├── peer0.org1.example.com
    │   │   └── peer1.org1.example.com
    │   ├── tlsca
    │   │   ├── 4d4a78f0c71d4a1247867f7d9e389cde56869dec283eb2555fd0825441fba0c3_sk
    │   │   └── tlsca.org1.example.com-cert.pem
    │   └── users
    │       ├── Admin@org1.example.com
    │       └── User1@org1.example.com
    └── org2.example.com
        ├── ca
        │   ├── 83b3d4ce5fb3877c76817da2a50329ddb4f4c4bc9f5cdbc9b7cf0fa44aa6fa17_sk
        │   └── ca.org2.example.com-cert.pem
        ├── msp
        │   ├── admincerts
        │   ├── cacerts
        │   ├── config.yaml
        │   └── tlscacerts
        ├── peers
        │   ├── peer0.org2.example.com
        │   └── peer1.org2.example.com
        ├── tlsca
        │   ├── 12e7338b1321c4660fbebf42dac0adc38ec6fd6e1b972bd6c13b27f5798cf95f_sk
        │   └── tlsca.org2.example.com-cert.pem
        └── users
            ├── Admin@org2.example.com
            └── User1@org2.example.com

39 directories, 14 files


The crypto-config.yaml file is parsed as follows.

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:  #Orderer organization
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer  #Organization name
    Domain: example.com #Organization's domain name
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer #Generate an additional orderer.example.com.
                          #The function of Spec is to personalize a domain name and exempt the domain name from being affected by the following template generation rules.
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs: #Network node organization
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1 #Name of Org1
    Domain: org1.example.com #Domain name of Org1
    EnableNodeOUs: true #It is supported by Node.js, and is commented out in the Java SDK by default.
    # ---------------------------------------------------------------------------
    # "Specs"
    # ---------------------------------------------------------------------------
    # Uncomment this section to enable the explicit definition of hosts in your
    # configuration.  Most users will want to use Template, below
    #
    # Specs is an array of Spec entries.  Each Spec entry consists of two fields:
    #   - Hostname:   (Required) The desired hostname, sans the domain.
    #   - CommonName: (Optional) Specifies the template or explicit override for
    #                 the CN.  By default, this is the template:
    #
    #                              "{{.Hostname}}.{{.Domain}}"
    #
    #                 which obtains its values from the Spec.Hostname and
    #                 Org.Domain, respectively.
    # ---------------------------------------------------------------------------
    # Specs:
    #   - Hostname: foo # implicitly "foo.org1.example.com"
    #     CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above
    #   - Hostname: bar
    #   - Hostname: baz
    # ---------------------------------------------------------------------------
    # "Template"
    # ---------------------------------------------------------------------------
    # Allows for the definition of 1 or more hosts that are created sequentially
    # from a template. By default, this looks like "peer%d" from 0 to Count-1.
    # You may override the number of nodes (Count), the starting index (Start)
    # or the template used to construct the name (Hostname).
    #
    # Note: Template and Specs are not mutually exclusive.  You may define both
    # sections and the aggregate nodes will be created for you.  Take care with
    # name collisions
    # ---------------------------------------------------------------------------
    Template: #Generate two sets of public and private keys as well as certificates based on the preceding template. The default generation rule is based on peers 0 to 9.organization domain name.
      Count: 2 #Generate the public and private keys as well as certificates for the peer0.org1.example.com and peer1.org1.example.com nodes.
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users: #In addition to the admin account, a User1 account is generated.
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1


The configtxgen tool generates four components based on the configtx.yaml file. Before this operation, specify the path to the configtx.yaml file for the configtxgen tool. We need to set an environment variable as the current directory, and the generated files will be stored in the channel-artifacts folder of this directory.
  1. Generate a genesis.block file for the orderer node.
  2. Generate a channel configuration transaction file channel.tx.
  3. Generate an anchor peer for Org1 of the channel.
  4. Generate an anchor peer for Org2 of the channel.
Anchor peer: specifies a peer that can be discovered by all other peers in the same channel. Each member of the channel has an anchor peer (or multiple anchor peers to prevent single-point failures). Peers belonging to different members are allowed to discover all existing peers in the same channel.

[root@fabric-test-01 first-network]# export FABRIC_CFG_PATH=$PWD
[root@fabric-test-01 first-network]# configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
[root@fabric-test-01 first-network]# configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID mychannel
[root@fabric-test-01 first-network]# configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID mychannel -asOrg Org1MSP
[root@fabric-test-01 first-network]# configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID mychannel -asOrg Org2MSP


The configtx.yaml file contains TwoOrgsOrdererGenesis (the orderer consensus configuration for two organizations) and TwoOrgsChannel (the channel configuration for two organizations). The consensus algorithm can be set to Solo or Kafka for the orderer. The default values of the consensus time block size, timeout duration, and other parameters can be used. The configurations of peer nodes include the configurations of the MSP and anchor nodes. If more organizations or channels are required, you can modify the configurations based on the template.

Step 2

Enable each container of Fabric. The docker-compose tool uses the docker-compose-cli.yaml file in the current directory to initialize the environment. It then generates four fabric-peer transaction node containers, one fabric-order orderer node container, and one fabric-tools Cli container. The Cli container is used to replace the SDK client. Because the Java SDK was not started, a client tool needs to be created to connect to the Fabric network for testing.

Set these two environment variable.

COMPOSE_PROJECT_NAME=byfn
IMAGE_TAG=latest


[root@fabric-test-01 first-network]# docker-compose -f docker-compose-cli.yaml up -d
Creating network "net_byfn" with the default driver
Creating volume "net_orderer.example.com" with default driver
Creating volume "net_peer0.org1.example.com" with default driver
Creating volume "net_peer1.org1.example.com" with default driver
Creating volume "net_peer0.org2.example.com" with default driver
Creating volume "net_peer1.org2.example.com" with default driver
Creating orderer.example.com    ... done
Creating peer1.org1.example.com ... done
Creating peer0.org2.example.com ... done
Creating peer1.org2.example.com ... done
Creating peer0.org1.example.com ... done
Creating cli                    ... done
[root@fabric-test-01 first-network]# docker ps -a
CONTAINER ID        IMAGE                               COMMAND             CREATED             STATUS              PORTS                                              NAMES
2f3af7e64868        hyperledger/fabric-tools:latest     "/bin/bash"         18 seconds ago      Up 17 seconds                                                          cli
dfea53b15138        hyperledger/fabric-peer:latest      "peer node start"   19 seconds ago      Up 17 seconds       0.0.0.0:7051->7051/tcp, 0.0.0.0:7053->7053/tcp     peer0.org1.example.com
3eac41603863        hyperledger/fabric-peer:latest      "peer node start"   19 seconds ago      Up 17 seconds       0.0.0.0:10051->7051/tcp, 0.0.0.0:10053->7053/tcp   peer1.org2.example.com
ea1ef950b845        hyperledger/fabric-peer:latest      "peer node start"   19 seconds ago      Up 17 seconds       0.0.0.0:9051->7051/tcp, 0.0.0.0:9053->7053/tcp     peer0.org2.example.com
ec49121fbdd5        hyperledger/fabric-peer:latest      "peer node start"   19 seconds ago      Up 17 seconds       0.0.0.0:8051->7051/tcp, 0.0.0.0:8053->7053/tcp     peer1.org1.example.com
11ecb9d115f2        hyperledger/fabric-orderer:latest   "orderer"           19 seconds ago      Up 17 seconds       0.0.0.0:7050->7050/tcp                             orderer.example.com


The docker-compose-cli.yaml file inherits all the content parsed from the docker-compose-base.yaml file. The docker-compose-base.yaml file is parsed as follows. 

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

version: '2'

services: #Orderer and transaction nodes provided

  orderer.example.com: #Orderer service
    container_name: orderer.example.com #Container name
    image: hyperledger/fabric-orderer:$IMAGE_TAG #Use the Fabric Docker image generation container.
    environment: #Environment variable configuration
      - ORDERER_GENERAL_LOGLEVEL=INFO #Log level
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0 #Listening address segment. 0.0.0.0 indicates that requests from all terminals on the network are accepted.
      - ORDERER_GENERAL_GENESISMETHOD=file #Generate a file block.
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP #Member management ID
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp #Member management directory in the Docker container
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true #Indicates whether TLS is enabled at the network layer. The following lists the paths of files in the Docker container.
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes: #Map the directories generated on the local Linux terminal to the directories in the Docker container.
    - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
    - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
    - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls
    - orderer.example.com:/var/hyperledger/production/orderer
    ports: #Map the port of the local Linux terminal to the port of the Docker container.
      - 7050:7050

  peer0.org1.example.com: #Transaction node peer0.org1. The following peer1.org1 has basically the same configuration.
    container_name: peer0.org1.example.com #Container name
    Extends:#:#Inherit the peer-base configuration.
      file: peer-base.yaml
      service: peer-base
    Environment:#:#Environment variables
      - CORE_PEER_ID=peer0.org1.example.com #Node network address and listening port
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:7051 #Gossip protocol configuration
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP #Member management name configured
    volumes:
        - /var/run/:/host/var/run/
        - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
        - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
        - peer0.org1.example.com:/var/hyperledger/production
    ports:
      - 7051:7051
      - 7053:7053
 
The peer-base.yaml file is parsed as follows.

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

version: '2'

services:
  peer-base:
    image: hyperledger/fabric-peer:$IMAGE_TAG #Use the fabric-peer image generation container.
    environment: #Environment variables
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      - CORE_LOGGING_LEVEL=INFO # Log level
      #- CORE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_TLS_ENABLED=true #Indicates whether TLS is enabled.
      - CORE_PEER_GOSSIP_USELEADERELECTION=true #Enable leader election.
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt #TLS node certificate
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key #TLS public key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt #TLS root certificate
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start


Step 3

After containers are created, create a channel, add peer nodes to the channel, and configure an anchor point for each organization. The channel is similar to that used in Netty and can be used to isolate transactions.
Run the docker exec -it cli bash command to enter the Bash of the simulated client Cli container. Then, run the channel creation command to create a channel in the container.

[root@fabric-test-01 first-network]# docker exec -it cli bash
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer#
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel create -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem


Parameter description:
-o: specifies the orderer node orderer.example.com:7050. In the docker-compose-base.yaml file, port 7050 is specified for the orderer node.
-c mychannel -f ./channel-artifacts/channel.tx: specifies the channel name and uses the channel.tx configuration file that has been generated to initialize the channel.
--tls true: indicates that TLS is used for encrypted transmission on the network.
--cafile: specifies the CA certificate path.
Set the environment variables and add peers to the channel.
Note: peer0.org1 is connected to the Cli container by default. This means that peer0.org1 can use the peer channel join -b mychannel.block command directly. Other nodes can connect to the Cli container only if their environment variables have been modified correctly.

root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel join -b mychannel.block
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ADDRESS=peer1.org1.example.com:7051 CORE_PEER_LOCALMSPID="Org1MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt peer channel join -b mychannel.block
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp CORE_PEER_ADDRESS=peer0.org2.example.com:7051 CORE_PEER_LOCALMSPID="Org2MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt peer channel join -b mychannel.block
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp CORE_PEER_ADDRESS=peer1.org2.example.com:7051 CORE_PEER_LOCALMSPID="Org2MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt peer channel join -b mychannel.block


Configure an anchor point for the two organizations respectively: peer0.org1.example.com:7051 and peer0.org2.example.com:7051.

root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ADDRESS=peer0.org1.example.com:7051 CORE_PEER_LOCALMSPID="Org1MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt peer channel update -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/Org1MSPanchors.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp CORE_PEER_ADDRESS=peer0.org2.example.com:7051 CORE_PEER_LOCALMSPID="Org2MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt peer channel update -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/Org2MSPanchors.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem


Step 4
Install the chain code, and create an instance. The chain code needs to be installed on each peer node. As described in step 3, peer0.org1 is connected to the Cli container by default, and its environment variables do not need to be set.
Install the chain code.

root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ADDRESS=peer1.org1.example.com:7051 CORE_PEER_LOCALMSPID="Org1MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp CORE_PEER_ADDRESS=peer0.org2.example.com:7051 CORE_PEER_LOCALMSPID="Org2MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp CORE_PEER_ADDRESS=peer1.org2.example.com:7051 CORE_PEER_LOCALMSPID="Org2MSP" CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/


Instantiate the chain code.
This operation is used to pack the previously installed chain code on the terminal where the peer is located, and generate the Docker image and container corresponding to the channel. An endorsement strategy can be specified during the instantiation.
The chain code needs to be instantiated only once.

root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode instantiate -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C mychannel -n mycc -l golang -v 1.0 -c '{"Args":["init","a","100","b","200"]}' -P 'OR   ('\''Org1MSP.peer'\'','\''Org2MSP.peer'\'')'

Start another terminal to view the corresponding logs and the started Docker container.

[root@fabric-test-01 ~]# docker logs -f peer0.org1.example.com
[root@fabric-test-01 ~]# docker ps -a


Step 5
Query and verify data.

root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
2018-06-07 09:15:04.862 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 001 Using default escc
2018-06-07 09:15:04.862 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 002 Using default vscc
Query Result: 100
2018-06-07 09:15:04.866 UTC [main] main -> INFO 003 Exiting.....


Simulate a scenario in which a transfers 10 dollars to b.



root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode invoke -o orderer.example.com:7050  --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C mychannel -n mycc -c '{"Args":["invoke","a","b","10"]}'
2018-06-07 09:18:33.697 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 001 Using default escc
2018-06-07 09:18:33.697 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 002 Using default vscc
2018-06-07 09:18:33.704 UTC [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 003 Chaincode invoke successful. result: status:200
2018-06-07 09:18:33.704 UTC [main] main -> INFO 004 Exiting.....
root@2f3af7e64868:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
2018-06-07 09:18:47.068 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 001 Using default escc
2018-06-07 09:18:47.068 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 002 Using default vscc
Query Result: 90
2018-06-07 09:18:47.073 UTC [main] main -> INFO 003 Exiting.....
[root@fabric-test-01 ~]# docker  logs --tail 200 dev-peer0.org1.example.com-mycc-1.0
ex02 Init
Aval = 100, Bval = 200
ex02 Invoke
Query Response:{"Name":"a","Amount":"100"}
ex02 Invoke
Aval = 90, Bval = 210
ex02 Invoke
Query Response:{"Name":"a","Amount":"90"}
ex02 Invoke
Query Response:{"Name":"a","Amount":"90"}

Posted by at No comments:

Tuesday, January 1, 2019

MSP in Hyperledger Fabric



MSP (Member Service Provider) is a component that offer an abstraction of a membership operation architecture.

Configuration: -

Parameters: -
The first part of the configuration is the parameter needed for MSP & they are ..
1. A list of Root CAs mainly the PEM files
2. A list of Intermediate CAs  mainly the PEM files
3. A list of Administrator CAs which can edit/update the MSP mainly the PEM files.
4. A list of Organizational Units [Classified Organization (Manufacturing/Sales etc), Client, Peer etc.]
5. A list of CRLs (Certificate Revocation List)
6. A list of TLS root CA for HTTPS url setup
7. A list of intermediate TLS CAs

Valid Identities:-
1. They are in form of X.509 certificate with a verifiable path and excatly one root CA.
2. Not included in CRL.
3. They list one or more Organizational Unit in the OU section of MSP configuration.

MSP to enable the node on which it is instantiated to sign or authenticate need to supply: -

1. Signing key used for signing by the node.
2. Node certificate i.e. it is a valid identity.

Setup on the Peer & Orderer side: -
To setup a local MSP admin must create a folder $MYPATH/mspconfig under which 6 subfolder needs to be created..
1. admincert include corresponding admin CAs PEM files to that MSP.
2. cacert include corresponding root CAs PEM files.
3. intermediatecert include corresponding intermediate CAs PEM files.
4. config.yaml file which is used for classification of organizational unit and Identity.
5. crl folder to include the list of CRLs
6. keystore contains all private key i.e. the PEM file with node signing key
7. signcert public key corresponding to private key of keystore
8. tlscert & tlsintermediatecert for corresponding PEM files of CAs

Additional Configuration: -
Need to put the path of mspconfig in files (in mspConfigPath parameter of core.yaml for peer & in LocalMSPDir parameter of orderer.yaml for orderer ) also need to mention identifier of the node msp(localMspId  & LocalMSPID ).

Organizational Unit(in config.yaml): -
Certificate refer to the relative path of the certificate which as set up in mspconfig. Also the classification in OrganizationalUnitIdentifier.


OrganizationalUnitIdentifiers:
  - Certificate: "cacerts/cacert1.pem"
    OrganizationalUnitIdentifier: "commercial"
  - Certificate: "cacerts/cacert2.pem"
    OrganizationalUnitIdentifier: "administrators"


Identity Classification(in config.yaml): -
NodeOUs Enable to true for enabling identity classification by ClientOUIdentifier  or PeerOUIdentifier.  

NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "client"
  PeerOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "peer"





There are really two "types" of MSPs:
  • An MSP which is used as a signing identity
For the default MSP type (X509-based), the signing identity uses the crypto material in the keystore (private key) and signcerts (X509 public key which matches the keystore private key). Peers and orderers use their "local MSP" for signing; examples would be peers signing endorsement responses and orderers signing blocks (deliver responses)
  • An MSP which is used to verify signatures / identities
In this case, when a node needs to verify the signature (e.g. a peer verifying the signature of an endorsement proposal from a client), it will extract the MSPID from the creator field in the message it receives, look to see if it has a copy of the MSP for that MSPID.
If the role requires MEMBER, it then uses the "cacerts" / "intermediatecerts" content to verify that the identity was indeed issued by that MSP. It then uses the public key which is also in the creator field to validate the signature.
In the case where an ADMIN role is required, it actually checks to make sure that the creator public key is an exact match for one of the X509 public certs in the "admincerts" folder.
NOTE: There is technically no difference between an "admin" cert and a "member" cert. An identity becomes an "ADMIN" role by simply adding the public certificate to the "admincerts" folder of the MSP.
NOTE: The MSPs for all members of a channel are distributed to all the peers that are part of a channel via config blocks. The orderer also has the MSPs for all members of each channel / consortium as well.
Posted by at No comments:
Subscribe to: Comments (Atom)