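Fabric Study Notes (4) - Simple Usage of Fabric CA

Preface

This article draws heavily on the official documentation. It leaves out the complex parts and their explanations, and essentially covers only the operational workflow.

Download fabric-ca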

go get -u github.com/hyperledger/fabric-ca/cmd/...

Pull the fabric-ca image

docker pull hyperledger/fabric-ca:x86_64-1.0.5
docker tag  hyperledger/fabric-ca:x86_64-1.0.5        hyperledger/fabric-ca

Start fabric-ca-server

cd /opt/gopath/src/github.com/hyperledger/fabric-ca/docker/server/
docker-compose up -d

Enter the container and check whether fabric-ca-server is running

docker exec -it fabric-ca-server bash
ps -ef 

fabric-ca-server is already running

root@7747fe9b6261:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 03:10 ?        00:00:00 sh -c fabric-ca-server start -b admin:adminpw
root         7     1  4 03:10 ?        00:00:00 fabric-ca-server start -b admin:adminpw
root        12     0  2 03:10 ?        00:00:00 bash
root        22    12  0 03:10 ?        00:00:00 ps -ef

Enroll the admin identity

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

Register a user

Edit the client configuration file

vim /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
id:
  name:
  type: user
  affiliation: org1.department1
  maxenrollments: -1
  attributes:
    - name: hf.Revoker
      value: true
    - name: anotherAttrName
      value: anotherAttrValue

Register a new member, admin2

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert'
2018/01/29 05:49:36 [INFO] User provided config file: /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2018/01/29 05:49:36 [INFO] Configuration file location: /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Password: crdNMkqanPyd

Peer identity

Register a peer identity

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw

Enroll the peer identity

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

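Orderer identity

An orderer identity is handled the same way as a peer identity, except that the MSP directory becomes the LocalMSPDir set in orderer.yaml.

All enrollment certificates issued by fabric-ca-server carry organizational units (OUs). The root of the OUs is the identity's type, and the remaining parts are given by its affiliation.

For example, for an identity of type peer whose affiliation is department1.team1, the OU hierarchy from leaf to root is team1->department1->peer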
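
To check an issued enrollment certificate against the OU rule above, the following added example (not from the original post) derives the expected OUs from an identity's type and affiliation and compares them with the OUs in a subject DN. The function names, the sample subject strings and the signcerts/cert.pem path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# expected_ous TYPE AFFILIATION
# Print the expected OUs from leaf to root, one per line:
# affiliation components in reverse order, then the identity type.
expected_ous() {
    printf '%s\n' "$2" |
        awk -F. -v t="$1" '{ for (i = NF; i >= 1; i--) if ($i != "") print $i; print t }'
}

# dn_ous DN
# Print every OU value found in a subject DN string. Accepts both
# "CN=peer1,OU=team1" and openssl's "subject=OU = peer, CN = peer1" styles.
# Assumption: OU values contain no escaped separators (, / +).
dn_ous() {
    printf '%s\n' "$1" | sed 's/^subject= *//' | tr ',/+' '\n\n\n' |
        sed -n 's/^ *OU *= *\(.*[^ ]\) *$/\1/p'
}

# check_ous TYPE AFFILIATION DN
# Return 0 when the DN carries exactly the expected OUs. The comparison is
# order-independent because tools print DN components in different orders.
check_ous() {
    want=$(expected_ous "$1" "$2" | sort)
    got=$(dn_ous "$3" | sort)
    [ "$want" = "$got" ] && return 0
    printf 'OU mismatch: expected [%s], got [%s]\n' \
        "$(printf '%s' "$want" | tr '\n' ' ')" \
        "$(printf '%s' "$got" | tr '\n' ' ')" >&2
    return 1
}

# Constructed subject strings (not taken from real certificates).
check_ous peer department1.team1 'CN=peer1,OU=team1,OU=department1,OU=peer' &&
    echo "peer1: OUs match type and affiliation"
check_ous peer department1.team1 'CN=peer1,OU=team1,OU=department1,OU=client' ||
    echo "peer1: OUs do not match, inspect this certificate"

# With a real certificate (path is an assumption about the MSP layout):
# check_ous peer org1.department1 \
#   "$(openssl x509 -noout -subject -in "$FABRIC_CA_CLIENT_HOME/msp/signcerts/cert.pem")"
```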

Getting a CA certificate chain from another Fabric-CA-Server instance

Start another Fabric-CA-Server, CA2

export FABRIC_CA_SERVER_HOME=$HOME/ca2
fabric-ca-server start -b admin:ca2pw -p 7055 -n CA2

Install CA2's certificate chain into peer1's MSP directory

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client getcacert -u http://localhost:7055 -M $FABRIC_CA_CLIENT_HOME/msp

Re-enroll an identity

If the certificate is no longer valid, you need to enroll again

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client reenroll

Revoke an identity

fabric-ca-client revoke -e <enrollment_id> -r <reason>

List of reasons

  • unspecified
  • keycompromise
  • cacompromise
  • affiliationchange
  • superseded
  • cessationofoperation
  • certificatehold
  • removefromcrl
  • privilegewithdrawn

The admin identity can revoke the peer at its leaf node

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client revoke -e peer1

Original author: mumubin
Original URL: https://segmentfault.com/a/1190000013033479