MSP (Membership Service Provider) is a component that offers an abstraction of a membership operations architecture.
Configuration: -
Parameters: -
The first part of the configuration is the set of parameters the MSP needs; they are:
1. A list of root CA certificates (PEM files)
2. A list of intermediate CA certificates (PEM files)
3. A list of administrator certificates (PEM files); these identities can edit/update the MSP.
4. A list of Organizational Units used to classify members (business units such as Manufacturing or Sales, or node types such as Client and Peer)
5. A list of CRLs (Certificate Revocation Lists)
6. A list of TLS root CA certificates, used for HTTPS (TLS) URL setup
7. A list of TLS intermediate CA certificates
Valid Identities: -
1. They are X.509 certificates with a verifiable path to exactly one root CA.
2. They are not included in a CRL.
3. They list one or more of the Organizational Units given in the OU section of the MSP configuration.
For the MSP to enable the node on which it is instantiated to sign or authenticate, it needs to be supplied with: -
1. The signing key used by the node.
2. The node certificate, which must be a valid identity.
Setup on the Peer & Orderer side: -
To set up a local MSP the admin must create a folder $MYPATH/mspconfig, under which the following subfolders and files need to be created:
1. admincerts: PEM files of the admin certificates for this MSP.
2. cacerts: PEM files of the corresponding root CAs.
3. intermediatecerts: PEM files of the corresponding intermediate CAs.
4. config.yaml: a file used to classify organizational units and identities.
5. crls: a folder holding the list of CRLs.
6. keystore: the node's private key, i.e. the PEM file with the node's signing key.
7. signcerts: the public certificate corresponding to the private key in keystore.
8. tlscacerts & tlsintermediatecerts: PEM files of the TLS root and intermediate CAs.
Additional Configuration: -
The path of mspconfig needs to be put in the node configuration files (in the mspConfigPath parameter of core.yaml for the peer, and in the LocalMSPDir parameter of orderer.yaml for the orderer). The identifier of the node's MSP also needs to be set (localMspId for the peer and LocalMSPID for the orderer).
Organizational Unit (in config.yaml): -
Certificate refers to the relative path of the certificate as set up in mspconfig; OrganizationalUnitIdentifier gives the classification.
OrganizationalUnitIdentifiers:
  - Certificate: "cacerts/cacert1.pem"
    OrganizationalUnitIdentifier: "commercial"
  - Certificate: "cacerts/cacert2.pem"
    OrganizationalUnitIdentifier: "administrators"
Identity Classification (in config.yaml): -
Set NodeOUs.Enable to true to enable identity classification by ClientOUIdentifier or PeerOUIdentifier.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "client"
  PeerOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "peer"
There are really two "types" of MSPs:
- An MSP which is used as a signing identity
- An MSP which is used to verify signatures / identities
If the required role is MEMBER, the MSP uses the "cacerts" / "intermediatecerts" content to verify that the identity was indeed issued by that MSP. It then uses the public key, which is also carried in the creator field, to validate the signature.
Where an ADMIN role is required, it checks that the creator's public certificate is an exact match for one of the X.509 certificates in the "admincerts" folder.
NOTE: There is technically no difference between an "admin" cert and a "member" cert. An identity gets the "ADMIN" role simply by having its public certificate added to the "admincerts" folder of the MSP.
NOTE: The MSPs of all members of a channel are distributed to all the peers that are part of the channel via config blocks. The orderer also holds the MSPs of all members of each channel / consortium.
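The valid-identity rules listed earlier (verifiable path to a root CA, not on a CRL, an allowed OU) and the MEMBER/ADMIN distinction just described can be exercised with a small Go program. This is an added example, not code from the original post or from Hyperledger Fabric; the names LocalMSP, ValidateIdentity, issue and BuildDemo are assumptions made here, the mspconfig folders are modelled as in-memory certificate pools, and all CAs, identities and serial numbers are constructed on the fly with the Go standard library so nothing real is needed on disk.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// LocalMSP is the in-memory form of the mspconfig folders plus the OU identifiers from config.yaml.
type LocalMSP struct {
	Roots, Intermediates *x509.CertPool        // cacerts and intermediatecerts
	Admins               []*x509.Certificate    // admincerts
	CRLs                 []*x509.RevocationList // crls
	AllowedOUs           map[string]bool        // OrganizationalUnitIdentifier values such as "client", "peer"
}
// ValidateIdentity applies the validity rules: a verifiable path to a configured root CA, no entry
// on the issuing CA's CRL, at least one allowed OU, and for role "ADMIN" an exact admincerts match.
func (m *LocalMSP) ValidateIdentity(cert *x509.Certificate, role string) error {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: m.Roots, Intermediates: m.Intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || len(chains[0]) < 2 { // a root CA certificate is itself not an identity
		return fmt.Errorf("no verifiable path from a CA to a configured root CA: %v", err)
	}
	for _, crl := range m.CRLs {
		if crl.CheckSignatureFrom(chains[0][1]) == nil { // only cert's own issuer can revoke it
			for _, rc := range crl.RevokedCertificates {
				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("serial %s is listed in the issuer's CRL", cert.SerialNumber)
				}
			}
		}
	}
	ouOK, isAdmin := false, false
	for _, ou := range cert.Subject.OrganizationalUnit {
		ouOK = ouOK || m.AllowedOUs[ou]
	}
	if !ouOK {
		return fmt.Errorf("OUs %v contain no configured OU", cert.Subject.OrganizationalUnit)
	}
	for _, a := range m.Admins { // ADMIN is decided by an exact certificate match, not by content
		isAdmin = isAdmin || string(a.Raw) == string(cert.Raw)
	}
	if role == "ADMIN" && !isAdmin {
		return fmt.Errorf("%q is a valid member but is not in admincerts", cert.Subject.CommonName)
	}
	return nil
}
// issue mints a constructed test certificate (hypothetical helper); parent == nil yields a self-signed one.
func issue(cn string, ous []string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ous},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildDemo wires a constructed Org1 MSP together with sample identities; every name is invented.
func BuildDemo() (LocalMSP, map[string]*x509.Certificate) {
	ca, leaf := x509.KeyUsageCertSign|x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature
	root, rootKey := issue("Org1 Root CA", nil, ca, nil, nil)
	inter, interKey := issue("Org1 Intermediate CA", nil, ca, root, rootKey)
	ids := map[string]*x509.Certificate{}
	ids["peer"], _ = issue("peer0.org1", []string{"peer"}, leaf, inter, interKey)
	ids["admin"], _ = issue("admin@org1", []string{"client"}, leaf, inter, interKey)
	ids["revoked"], _ = issue("peer1.org1", []string{"peer"}, leaf, inter, interKey)
	ids["wrongOU"], _ = issue("someone@org1", []string{"sales"}, leaf, inter, interKey)
	ids["foreign"], _ = issue("peer0.org2", []string{"peer"}, ca, nil, nil) // self-signed, unknown to Org1
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: ids["revoked"].SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	if err != nil {
		panic(err)
	}
	crl, _ := x509.ParseRevocationList(crlDER)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return LocalMSP{Roots: roots, Intermediates: inters, Admins: []*x509.Certificate{ids["admin"]},
		CRLs: []*x509.RevocationList{crl}, AllowedOUs: map[string]bool{"client": true, "peer": true}}, ids
}

func main() {
	msp, ids := BuildDemo()
	for _, name := range []string{"peer", "admin", "revoked", "wrongOU", "foreign"} {
		fmt.Printf("%-8s as MEMBER: %v\n", name, msp.ValidateIdentity(ids[name], "MEMBER"))
	}
}
```

Running it with go run prints a nil error for the peer and admin identities and a reason for the other three: the revoked serial is found on the intermediate CA's CRL, the "sales" OU is not one of the configured identifiers, and the self-signed certificate has no path to Org1's root. Two points worth noting in the code: a CRL is only honoured after CheckSignatureFrom succeeds against the certificate's own issuer, so a CRL from some other CA (or one that was not genuinely signed) cannot revoke or un-revoke anything; and the ADMIN decision is a byte-for-byte comparison of the whole certificate against admincerts, which is exactly why there is no structural difference between an admin cert and a member cert.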