cryptogen
简单的说,cryptogen是用来生产fabric需要的证书的;这个生产过程是静态的。
和cryptogen工具对等的是CA服务,是一种动态的证书生产环境;在开发和测试阶段,在环境中不需要部署CA,因此可以简单的使用cryptogen工具,当然在运行环境中也可以不使用CA服务器,而继续使用cryptogen。
cryptogen使用一个YAML格式的配置文件crypto-config.yaml
OrdererOrgs:
- Name: Orderer
Domain: example.com
Specs:
- Hostname: orderer
PeerOrgs:
- Name: Org1
Domain: org1.example.com
EnableNodeOUs: true
Template:
Count: 2
Users:
Count: 1
- Name: Org2
Domain: org2.example.com
EnableNodeOUs: true
Template:
Count: 2
Users:
Count: 1
根据配置生成网络的证书和私钥,生成的文件会放入crypto-config文件夹中:
../bin/cryptogen generate --config=./crypto-config.yaml
crypto-config
├── ordererOrganizations
│ └── example.com
│ ├── ca
│ │ ├── 0fc8c14303974ca3978cbf145467a525f7c6363bc05d7f4b2c2317579b2fe864_sk
│ │ └── ca.example.com-cert.pem
│ ├── msp
│ │ ├── admincerts
│ │ │ └── Admin@example.com-cert.pem
│ │ ├── cacerts
│ │ │ └── ca.example.com-cert.pem
│ │ └── tlscacerts
│ │ └── tlsca.example.com-cert.pem
│ ├── orderers
│ │ └── orderer.example.com
│ │ ├── msp
│ │ │ ├── admincerts
│ │ │ │ └── Admin@example.com-cert.pem
│ │ │ ├── cacerts
│ │ │ │ └── ca.example.com-cert.pem
│ │ │ ├── keystore
│ │ │ │ └── 13e0f137d6efcd9dcf8d6103c02eb07e2aa42d8ef67398e8592b1d254785cb76_sk
│ │ │ ├── signcerts
│ │ │ │ └── orderer.example.com-cert.pem
│ │ │ └── tlscacerts
│ │ │ └── tlsca.example.com-cert.pem
│ │ └── tls
│ │ ├── ca.crt
│ │ ├── server.crt
│ │ └── server.key
│ ├── tlsca
│ │ ├── 7d1639f88ec22c976c31b9e9c4fc2ac874e2558b3d6e6399ff226170391adc9e_sk
│ │ └── tlsca.example.com-cert.pem
│ └── users
│ └── Admin@example.com
│ ├── msp
│ │ ├── admincerts
│ │ │ └── Admin@example.com-cert.pem
│ │ ├── cacerts
│ │ │ └── ca.example.com-cert.pem
│ │ ├── keystore
│ │ │ └── a7e306d2529a21854d5548f555abf8f1decaba4b0da1ec1d4eb56b687b9effb5_sk
│ │ ├── signcerts
│ │ │ └── Admin@example.com-cert.pem
│ │ └── tlscacerts
│ │ └── tlsca.example.com-cert.pem
│ └── tls
│ ├── ca.crt
│ ├── client.crt
│ └── client.key
└── peerOrganizations
├── org1.example.com
│ ├── ca
│ │ ├── 71a30ca4d8d3c21cd498dd15e55cc0a9b28ddd02f5f329a935f5adf5255e3497_sk
│ │ └── ca.org1.example.com-cert.pem
│ ├── msp
│ │ ├── admincerts
│ │ │ └── Admin@org1.example.com-cert.pem
│ │ ├── cacerts
│ │ │ └── ca.org1.example.com-cert.pem
│ │ ├── config.yaml
│ │ └── tlscacerts
│ │ └── tlsca.org1.example.com-cert.pem
│ ├── peers
│ │ ├── peer0.org1.example.com
│ │ │ ├── msp
│ │ │ │ ├── admincerts
│ │ │ │ │ └── Admin@org1.example.com-cert.pem
│ │ │ │ ├── cacerts
│ │ │ │ │ └── ca.org1.example.com-cert.pem
│ │ │ │ ├── config.yaml
│ │ │ │ ├── keystore
│ │ │ │ │ └── bda9a71d89902e3399eff294ff2c2dc93d9251d1f58f918eface3f6f5afff655_sk
│ │ │ │ ├── signcerts
│ │ │ │ │ └── peer0.org1.example.com-cert.pem
│ │ │ │ └── tlscacerts
│ │ │ │ └── tlsca.org1.example.com-cert.pem
│ │ │ └── tls
│ │ │ ├── ca.crt
│ │ │ ├── server.crt
│ │ │ └── server.key
│ │ └── peer1.org1.example.com
│ │ ├── msp
│ │ │ ├── admincerts
│ │ │ │ └── Admin@org1.example.com-cert.pem
│ │ │ ├── cacerts
│ │ │ │ └── ca.org1.example.com-cert.pem
│ │ │ ├── config.yaml
│ │ │ ├── keystore
│ │ │ │ └── 8609f69aa58fa50e3cc3f1250e174e9dada24a0d34a775f130c0ede8e122f983_sk
│ │ │ ├── signcerts
│ │ │ │ └── peer1.org1.example.com-cert.pem
│ │ │ └── tlscacerts
│ │ │ └── tlsca.org1.example.com-cert.pem
│ │ └── tls
│ │ ├── ca.crt
│ │ ├── server.crt
│ │ └── server.key
│ ├── tlsca
│ │ ├── 8bdd72eb0d3358d002b0c165b29518b9e5c12cd9d74f643695ddb9b537b9e55d_sk
│ │ └── tlsca.org1.example.com-cert.pem
│ └── users
│ ├── Admin@org1.example.com
│ │ ├── msp
│ │ │ ├── admincerts
│ │ │ │ └── Admin@org1.example.com-cert.pem
│ │ │ ├── cacerts
│ │ │ │ └── ca.org1.example.com-cert.pem
│ │ │ ├── keystore
│ │ │ │ └── 6885b4dbb85e1dbf2ee341041784035bf376847a7480b9de566039c189c706ae_sk
│ │ │ ├── signcerts
│ │ │ │ └── Admin@org1.example.com-cert.pem
│ │ │ └── tlscacerts
│ │ │ └── tlsca.org1.example.com-cert.pem
│ │ └── tls
│ │ ├── ca.crt
│ │ ├── client.crt
│ │ └── client.key
│ └── User1@org1.example.com
│ ├── msp
│ │ ├── admincerts
│ │ │ └── User1@org1.example.com-cert.pem
│ │ ├── cacerts
│ │ │ └── ca.org1.example.com-cert.pem
│ │ ├── keystore
│ │ │ └── d2344d7ed625c3112ea634eccc7821fdf163cf8b6448bdceb65c352ea7f85745_sk
│ │ ├── signcerts
│ │ │ └── User1@org1.example.com-cert.pem
│ │ └── tlscacerts
│ │ └── tlsca.org1.example.com-cert.pem
│ └── tls
│ ├── ca.crt
│ ├── client.crt
│ └── client.key
└── org2.example.com
├── ...
docker-compose-e2e.yaml
利用刚才生成的私钥,替换到docker-compose-e2e.yaml文件中:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
volumes:
orderer.example.com:
peer0.org1.example.com:
peer1.org1.example.com:
peer0.org2.example.com:
peer1.org2.example.com:
networks:
byfn:
services:
ca0:
image: hyperledger/fabric-ca:latest
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/71a30ca4d8d3c21cd498dd15e55cc0a9b28ddd02f5f329a935f5adf5255e3497_sk
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/71a30ca4d8d3c21cd498dd15e55cc0a9b28ddd02f5f329a935f5adf5255e3497_sk -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_peerOrg1
networks:
- byfn
ca1:
image: hyperledger/fabric-ca:latest
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org2
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/d4471b49759a129d18cd270c0ebf57c396b33c1cd3fa2c3b6e4d44e949f1994c_sk
ports:
- "8054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/d4471b49759a129d18cd270c0ebf57c396b33c1cd3fa2c3b6e4d44e949f1994c_sk -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org2.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_peerOrg2
networks:
- byfn
orderer.example.com:
extends:
file: base/docker-compose-base.yaml
service: orderer.example.com
container_name: orderer.example.com
networks:
- byfn
peer0.org1.example.com:
container_name: peer0.org1.example.com
extends:
file: base/docker-compose-base.yaml
service: peer0.org1.example.com
networks:
- byfn
peer1.org1.example.com:
container_name: peer1.org1.example.com
extends:
file: base/docker-compose-base.yaml
service: peer1.org1.example.com
networks:
- byfn
peer0.org2.example.com:
container_name: peer0.org2.example.com
extends:
file: base/docker-compose-base.yaml
service: peer0.org2.example.com
networks:
- byfn
peer1.org2.example.com:
container_name: peer1.org2.example.com
extends:
file: base/docker-compose-base.yaml
service: peer1.org2.example.com
networks:
- byfn
configtxgen
configtxgen用来生成以下配置,生成的配置文件都在channel-artifacts目录下:
- orderer的创世区块(genesis block)
- channel configuration transaction
- 每个组织的anchor peer transaction
configtxgen需要读取configtx.yaml配置文件中的信息,首先生成solo模式的创世区块:
# configtx.yaml在${FABRIC_CFG_PATH}目录下
export FABRIC_CFG_PATH=${PWD}
../bin/configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
生成channel配置交易:
../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel1.tx -channelID channel1
为Org定义anchor peer:
../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org1MSP
../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID $CHANNEL_NAME -asOrg Org2MSP