Overview
- Set up LDAP
- Write the CA server configuration file
- Create the root CA and the intermediate CA (docker-compose files) and start the containers
- Load balancing
Set up LDAP
- Download (verify the tarball against the checksum or signature published alongside it before building; the FTP transfer itself is unauthenticated)
  wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.48.tgz
- Unpack
  gunzip -c openldap-2.4.48.tgz | tar xvfB -
- Configure the build and check dependencies
  ./configure
  Packages may be missing; install whatever configure reports as absent.
- Missing BerkeleyDB
  - Pick a BerkeleyDB version configure will accept: openldap-2.4.48 refuses BerkeleyDB 6.0.20 and later, so download a release below 6.0.20.
  - cd into build_unix
  - ../dist/configure --prefix=/usr/local/BerkeleyDB
  - Two errors OpenLDAP's ./configure may then still report:
    error: BDB/HDB: BerkeleyDB not available
    resolved by pointing the compiler and linker at the install prefix and rerunning ./configure:
      export CPPFLAGS="-I/usr/local/BerkeleyDB/include" && export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
    error: BerkeleyDB version incompatible with BDB/HDB backends
    the installed release is too new; install a lower one, since openldap-2.4.48 only accepts versions below 6.0.20.
  - If only the mdb backend is needed (the slapd.ldif shipped with 2.4.48 uses mdb), ./configure --disable-bdb --disable-hdb removes the BerkeleyDB requirement altogether.
- make
- make install
  (first in the BerkeleyDB build_unix directory, then again in the openldap-2.4.48 tree once ./configure succeeds)
Initialise the configuration database (cn=config)
  mkdir /usr/local/etc/openldap/slapd.d
  /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/openldap/slapd.d -l /usr/local/etc/openldap/slapd.ldif
- Start slapd. slapd is the LDAP server daemon itself, not a configuration engine: -F points it at the cn=config directory just populated and -f at the LDIF that directory was generated from (once slapd.d is populated, -F alone is enough).
  /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.ldif -F /usr/local/etc/openldap/slapd.d
- Check that it is running
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
  ldapsearch -x -LLL
  ldapadd -x -D cn=admin,dc=8lab,dc=com -W -f [file]
  (-W prompts for the rootdn password, -f names the LDIF file with the entries to add)
ERRORS
- slapadd: could not add entry dn="cn=config" (line=1):
  slapd.d already held a configuration from an earlier attempt; empty the slapd.d directory and run slapadd again.
- ldap_bind: Invalid credentials (49)
  The DN passed with -D to ldapadd/ldapsearch (and the admin DN embedded in the Fabric CA ldap url) must match olcRootDN in slapd.ldif exactly, and the password must match olcRootPW. The stock slapd.ldif still carries cn=Manager,dc=my-domain,dc=com with the clear-text password secret: either bind with that DN or set olcSuffix, olcRootDN and olcRootPW to the lab values (dc=8lab,dc=com, cn=admin,dc=8lab,dc=com) before running slapadd. Store olcRootPW as a slappasswd hash rather than clear text, and keep in mind that -x simple bind over ldap:// sends the password unencrypted, so use ldaps:// or StartTLS outside a lab.
Start the CA cluster
- CA server configuration file (only the parts used here). This is fabric-ca-server-config.yaml under FABRIC_CA_HOME; the container only sees it if that directory is bind-mounted.

  registry:
    # Maximum number of times a password/secret can be reused for enrollment
    # (default: -1, which means there is no limit)
    maxenrollments: -1
    # Contains identity information which is used when LDAP is disabled
    identities:
      - name: admin        # server user name
        pass: adminpw      # server login password
        type: client
        affiliation: ""
        attrs:             # what this identity may register, revoke and delegate;
                           # hf.IntermediateCA lets it enrol an intermediate CA
          hf.Registrar.Roles: "client,peer,orderer,admin"
          hf.Registrar.DelegateRoles: "client,peer,orderer,admin"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

  ldap:
    # Enables or disables the LDAP client (default: false)
    # If this is set to true, the "registry" section is ignored.
    enabled: true
    # The URL of the LDAP server: scheme://<adminDN>:<adminPassword>@<host>:<port>/<base>
    url: ldap://cn=admin,dc=8lab,dc=com:secret@192.168.1.227:389/dc=8lab,dc=com
    userfilter: (cn=%s)
    attribute:
      names: ["*"]

  csr:
    cn: fabric-ca-server
    keyrequest:
      algo: ecdsa
      size: 256
    names:
      - C: CN
        ST: "BeiJing"
        L: "BeiJing"
        O: Org1
        OU: client
    hosts:
      - ca1.org1.com
      - localhost
    ca:
      expiry: 131400h
      pathlength: 1

  With ldap.enabled set to true the registry block (and the -b bootstrap identity) is not used: every identity is looked up in LDAP with userfilter (cn=%s) under the base DN of the url, and the hf.* attributes that registry would have granted to admin must instead be derived from LDAP attributes through the attribute section (the identity that enrols an intermediate CA needs hf.IntermediateCA). The url embeds the LDAP admin DN and password in clear and uses ldap:// rather than ldaps://, so treat this file as a secret and switch to ldaps:// (the ldap section has a tls block for the CA certificate) outside a lab.
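As an added example (not code from the original page or from Fabric CA), the shell functions below take the ldap.url from the configuration above apart into DN, password, host, port and base DN, and check the bind DN against olcRootDN in slapd.ldif, the mismatch behind the ldap_bind error 49 noted in the LDAP section, so the same check serves both places. The slapd.ldif excerpt is constructed for the lab suffix dc=8lab,dc=com; the URL layout is the one Fabric CA documents, and the parser assumes the DN and password contain no ':' or '@'.

```shell
#!/bin/sh
# Added example, not from the page: split a Fabric CA ldap.url into its parts
# and verify that the bind DN it carries is the olcRootDN slapd was
# initialised with. Runs offline on constructed input.

# Constructed excerpt of slapd.ldif for the lab directory (the stock file
# ships with dc=my-domain,dc=com and cn=Manager instead).
SLAPD_LDIF='dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=8lab,dc=com
olcRootDN: cn=admin,dc=8lab,dc=com
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data'

# The url from the CA server configuration above.
CA_LDAP_URL='ldap://cn=admin,dc=8lab,dc=com:secret@192.168.1.227:389/dc=8lab,dc=com'

# ldap_url_part URL FIELD -> prints one of: scheme dn pass host port base
# Layout: scheme://<adminDN>:<adminPassword>@<host>:<port>/<base>
ldap_url_part() {
    url=$1
    scheme=${url%%://*}
    rest=${url#*://}
    userinfo=${rest%%@*}          # cn=admin,dc=8lab,dc=com:secret
    hostpart=${rest#*@}           # 192.168.1.227:389/dc=8lab,dc=com
    case "$2" in
        scheme) printf '%s\n' "$scheme" ;;
        dn)     printf '%s\n' "${userinfo%%:*}" ;;
        pass)   printf '%s\n' "${userinfo#*:}" ;;
        host)   h=${hostpart%%/*}; printf '%s\n' "${h%%:*}" ;;
        port)   h=${hostpart%%/*}; printf '%s\n' "${h#*:}" ;;
        base)   printf '%s\n' "${hostpart#*/}" ;;
        *)      return 1 ;;
    esac
}

# ldif_attr LDIF ATTR -> value of the first "ATTR: value" line in LDIF
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# check_rootdn LDIF URL -> 0 when the url's bind DN equals olcRootDN and its
# base DN equals the database suffix, 1 otherwise (reason on stderr)
check_rootdn() {
    ldif=$1; url=$2
    rootdn=$(ldif_attr "$ldif" olcRootDN)
    suffix=$(ldif_attr "$ldif" olcSuffix)
    binddn=$(ldap_url_part "$url" dn)
    base=$(ldap_url_part "$url" base)
    if [ "$binddn" != "$rootdn" ]; then
        echo "bind DN '$binddn' is not olcRootDN '$rootdn': slapd will answer ldap_bind error 49" >&2
        return 1
    fi
    if [ "$base" != "$suffix" ]; then
        echo "base DN '$base' is not the database suffix '$suffix'" >&2
        return 1
    fi
    if [ "$(ldap_url_part "$url" scheme)" = "ldap" ]; then
        echo "warning: plain ldap://, the simple-bind password crosses the network in cleartext" >&2
    fi
    return 0
}

if check_rootdn "$SLAPD_LDIF" "$CA_LDAP_URL"; then
    echo "ldap.url bind DN $(ldap_url_part "$CA_LDAP_URL" dn) matches olcRootDN"
fi
```

Run it against the real slapd.ldif before starting the CA container; the DN you hand to ldapadd with -D is subject to the same check.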
- Start the root CA
  docker-compose file (docker-caOrg1.yaml)

  version: '2'
  services:
    ca.org1.example.com:
      container_name: ca.org1.example.com
      image: hyperledger/fabric-ca
      environment:
        - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
        - FABRIC_CA_SERVER_CA_NAME=ca.org1.example.com
        - FABRIC_CA_SERVER_TLS_ENABLED=false
        # the two TLS_* paths only take effect with TLS_ENABLED=true
        - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
        - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/${CA_PKEY}
        - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
        - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/${CA_PKEY}
      ports:
        - "8054:7054"   # fabric-ca-server listens on 7054 inside the container
      command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/${CA_PKEY} -b admin:adminpw -d'
      volumes:
        # the same ca/ directory CA_PKEY is read from below; mounting tlsca/ here
        # would leave ${CA_PKEY} pointing at a file that does not exist in the container
        - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
      networks:
        default:
          aliases:
            - ca.org1.example.com
      extra_hosts:
        - "ca.org1.example.com:192.168.1.226"

  export CA_PKEY=$(cd $PWD/crypto-config/peerOrganizations/org1.example.com/ca && ls *_sk) && echo $CA_PKEY
  docker-compose -f docker-caOrg1.yaml up -d

  With TLS disabled, the bootstrap credentials in -b and every enrolment request reach host port 8054 in clear text; enable FABRIC_CA_SERVER_TLS_ENABLED=true for anything beyond a lab.
- Create the intermediate CA
  In the intermediate CA's server configuration csr.cn must be empty; Fabric CA refuses to enrol an intermediate CA whose CSR carries a CN.
  docker-compose file

  version: '2'
  services:
    ca1.org1.example.com:
      container_name: ca1.org1.example.com
      image: hyperledger/fabric-ca
      environment:
        - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
        - FABRIC_CA_CLIENT_HOME=/root/fabric-ca/clients/admin
        - FABRIC_CA_SERVER_CA_NAME=ca1.org1.example.com
        - FABRIC_CA_SERVER_TLS_ENABLED=false
      ports:
        - "11054:7054"
      # -u enrols this server with the parent (root) CA at the host port the root CA publishes (8054)
      command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://admin:adminpw@192.168.1.226:8054'
      volumes:
        - ./ca-config/server/fabric-ca1-server:/etc/hyperledger/fabric-ca-server
        - ./ca-config/client/fabric-ca1-client:/root/fabric-ca/clients/admin
        #- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
      networks:
        default:
          aliases:
            - ca1.org1.example.com
      extra_hosts:
        - "ca1.org1.example.com:192.168.1.226"

  The identity in -u must be one the parent can authenticate (with LDAP enabled on the parent, an LDAP entry matched by userfilter) and must carry hf.IntermediateCA; over http:// its password is sent in clear.
- Start the intermediate CA
  docker-compose -f [file] up -d
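The CA_PKEY lookup above relies on ls *_sk returning exactly one name and on the compose file mounting the directory that name came from. As an added example (not code from the page or from Fabric CA), the functions below resolve the key the same way but fail when the directory holds zero or several *_sk files, and confirm that the key exists in the bind-mount source with no group/other permission bits. The directories and key files in demo() are constructed under mktemp; cryptogen's "<hash>_sk" naming is assumed.

```shell
#!/bin/sh
# Added example, not from the page: pick the CA private key the way
# `export CA_PKEY=$(cd .../ca && ls *_sk)` does, but loudly, and check that
# it lives in the directory docker-compose bind-mounts into the container.

# ca_pkey DIR -> prints the single *_sk filename in DIR, returns 1 otherwise
ca_pkey() {
    dir=$1
    set -- "$dir"/*_sk
    # with no match the glob stays literal, so test the first candidate
    [ -e "$1" ] || { echo "no *_sk key in $dir" >&2; return 1; }
    [ $# -eq 1 ] || { echo "expected one *_sk key in $dir, found $#" >&2; return 1; }
    basename "$1"
}

# mount_has_key MOUNT_SRC KEYFILE -> 0 when the bind-mount source holds
# KEYFILE with no group/other permission bits, 1 otherwise
mount_has_key() {
    src=$1; key=$2
    [ -f "$src/$key" ] || { echo "$key not found in mount source $src" >&2; return 1; }
    perms=$(ls -l "$src/$key" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ] || { echo "$key is readable by others (mode ...$perms); chmod 600 it" >&2; return 1; }
    return 0
}

# demo -> 0 when the ca/ directory yields a usable key and the tlsca/
# directory (a different CA with its own key) correctly fails the mount check
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/ca" "$root/tlsca"
    # constructed stand-ins for cryptogen output: each CA has its own key
    printf 'constructed ca key\n' > "$root/ca/1111_sk";     chmod 600 "$root/ca/1111_sk"
    printf 'constructed tls key\n' > "$root/tlsca/2222_sk"; chmod 600 "$root/tlsca/2222_sk"

    key=$(ca_pkey "$root/ca") || return 1
    # mounting tlsca/ while CA_PKEY came from ca/ is the mismatch to catch
    if mount_has_key "$root/tlsca" "$key" 2>/dev/null; then
        echo "unexpected: $key present under tlsca/" >&2; return 1
    fi
    mount_has_key "$root/ca" "$key" || return 1
    echo "CA_PKEY=$key"
    rm -rf "$root"
}

demo
```

Point ca_pkey and mount_has_key at the real crypto-config directory before docker-compose up; a failure here is what later surfaces inside the container as a missing --ca.keyfile.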
Install HAProxy
- Download the source package and cd into it
- make clean && make TARGET=generic
- make install
- Edit the configuration
  vi /etc/haproxy/haproxy.cfg

  global
      log /dev/log local0
      log /dev/log local1 notice
      maxconn 4096
      daemon

  defaults
      log global
      mode http
      maxconn 2000
      timeout connect 5000
      timeout client 50000
      timeout server 50000

  listen http-in
      bind *:8054
      balance roundrobin
      server server1 [host:port] check
      server server2 [host:port] check

  Each server line names one fabric-ca-server as host:port (the port its compose file publishes); check makes HAProxy stop sending requests to a backend that is down. mode http only works because TLS is disabled on the CA servers; once it is enabled, either terminate TLS in HAProxy or switch to mode tcp. Round-robin across CA servers is only sound if all of them share one database (PostgreSQL or MySQL), which is what Fabric CA requires for a cluster; the default sqlite3 store is per instance and would give each backend its own set of identities.
- Start HAProxy
  haproxy -c -f /etc/haproxy/haproxy.cfg   (syntax check only)
  haproxy -f /etc/haproxy/haproxy.cfg