美文网首页Hyperledger Fabric
Hyperledger Fabric CA概念详解

Hyperledger Fabric CA概念详解

作者: Eliza_0512 | 来源:发表于2019-07-17 16:08 被阅读0次

    1 Fabric CA概述

    Fabric CA是超级账本的数字证书认证中心,提供如下功能:

    1. 用户信息的注册(身份认证,或者从 LDAP 中获取注册信息)
    2. 数字证书的发行
      a. 发行担保证书 ECerts (Enrollment Certificates)
      b. 发行交易证书 TCerts (Transaction Certificates),保障 Hyperledger Fabric 区域链交易平台上的信息匿名性和不可追踪性;
    3. 数字证书的延期和吊销

    Fabric CA由服务端 和 客户端组成(c/s架构)。下图描述了Fabric CA组件在整个超级账本架构中的作用


    image
    • root CA不会直接为服务器/客户端签证。它会先生成几个中间CA(intermediate CAS)
    • 中间CA作为root CA的代表为服务器和客户端签证

    2 CA server

    2.1 数据存储

    提供用户登记和注册的数字证书管理功能,数据存储后端可以为Mysql/PostgreSQL/LDAP等

    PostgreSQL / MySQL

    • fabric CA的默认数据库是sqlite,默认数据库文件是 fabric-ca-server.db
    • 如果想要在集群中运行Fabric CA, 则必须使用PostgreSQL或者MySQL
    • 数据库连接可以启动SSL模式,具体数据库SSL模式配置详见 PostgreSQL, MySQL

    配置文件示例

    db:
    ## PostgreSQL
      type: postgres
      datasource: host=localhost port=5432 user=Username password=Password dbname=fabric_ca sslmode=verify-full
    ## MySQL
    #  type: mysql
    #  datasource: root:rootpw@tcp(localhost:3306)/fabric_ca?parseTime=true&tls=custom
    
    ## TLS setting
      tls:
          enabled: true
          certfiles:
            - db-server-cert.pem
          client:
                certfile: db-client-cert.pem
                keyfile: db-client-key.pem
    

    LDAP

    CA server也可以连接到LDAP服务器,进行:

    • 在enroll之前进行身份验证
      • Fabric CA client 或者Fabric client SDK 发送一个enroll请求,请求头部有基本的授权信息
      • CA server收到请求后,从头部解密出需要授权的主体identity name和密码,然后根据user filter规则 用header中的name获取在LDAP中的对应实体记录,用header中的password对这个LDAP对象进行绑定。如果绑定成功则继续进行后面的授权操作
    • 获取授权所必须的identity参数

    2.2 负载均衡

    数据存储和业务逻辑分离,Fabric CA服务能够采用无状态集群部署。通过HAProxy等软件实现“负载均衡”&“服务高可用”

    多集群下的request请求过程:Fabric CA 客户端或 SDK 的请求首先会到达 Fabric CA 集群前端的高可用负载均衡服务端,实际的 CA 服务由后端的某台Fabric CA 服务端提供。

    同一集群中的所有 Fabric CA 服务端共享相同的后端数据库(或 LDAP)集群,以确保证书和身份的一致性。

    2.3 与CA服务端的交互

    与 Fabric CA 服务端交互的方式有如下两种:

    1. 通过 Fabric CA 客户端
    2. 使用某种 Fabric SDK

    与 Fabric CA Server端的所有通信,都是通过 REST API 进行的。详情可查看 fabric-ca/swagger/swagger-fabric-ca.json 处的 swagger 文档中的 REST API 部分。

    2.4 root CA 和intermediate CA

    操作详解

    2.5 server 运维操作

    运维操作的TLS鉴权

    • 运维接口有一套独立的TLS鉴权
    • 当启用tls时必须要有相应的TLS证书才能调用运维类接口
    • TLS内部可以启用client证书验证,只有提供了指定rootCA颁发的client证书才能访问所有的资源(Metrics)

    server数据监控 Metrics

    • 支持Prometheus 和 StatsD两种方式
    • 详细的运维接口API

    附录:完整的config文件参考

    #############################################################################
    #   This is a configuration file for the fabric-ca-server command.
    #
    #   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
    #   ------------------------------------------------
    #   Each configuration element can be overridden via command line
    #   arguments or environment variables.  The precedence for determining
    #   the value of each element is as follows:
    #   1) command line argument
    #      Examples:
    #      a) --port 443
    #         To set the listening port
    #      b) --ca.keyfile ../mykey.pem
    #         To set the "keyfile" element in the "ca" section below;
    #         note the '.' separator character.
    #   2) environment variable
    #      Examples:
    #      a) FABRIC_CA_SERVER_PORT=443
    #         To set the listening port
    #      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
    #         To set the "keyfile" element in the "ca" section below;
    #         note the '_' separator character.
    #   3) configuration file
    #   4) default value (if there is one)
    #      All default values are shown beside each element below.
    #
    #   FILE NAME ELEMENTS
    #   ------------------
    #   The value of all fields whose name ends with "file" or "files" are
    #   name or names of other files.
    #   For example, see "tls.certfile" and "tls.clientauth.certfiles".
    #   The value of each of these fields can be a simple filename, a
    #   relative path, or an absolute path.  If the value is not an
    #   absolute path, it is interpretted as being relative to the location
    #   of this configuration file.
    #
    #############################################################################
    
    # Version of config file
    version: <<<VERSION>>>
    
    # Server's listening port (default: 7054)
    port: 7054
    
    # Cross-Origin Resource Sharing (CORS)
    cors:
        enabled: false
        origins:
          - "*"
    
    # Enables debug logging (default: false)
    debug: false
    
    # Size limit of an acceptable CRL in bytes (default: 512000)
    crlsizelimit: 512000
    
    #############################################################################
    #  TLS section for the server's listening port
    #
    #  The following types are supported for client authentication: NoClientCert,
    #  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
    #  and RequireAndVerifyClientCert.
    #
    #  Certfiles is a list of root certificate authorities that the server uses
    #  when verifying client certificates.
    #############################################################################
    tls:
      # Enable TLS (default: false)
      enabled: false
      # TLS for the server's listening port
      certfile:
      keyfile:
      clientauth:
        type: noclientcert
        certfiles:
    
    #############################################################################
    #  The CA section contains information related to the Certificate Authority
    #  including the name of the CA, which should be unique for all members
    #  of a blockchain network.  It also includes the key and certificate files
    #  used when issuing enrollment certificates (ECerts) and transaction
    #  certificates (TCerts).
    #  The chainfile (if it exists) contains the certificate chain which
    #  should be trusted for this CA, where the 1st in the chain is always the
    #  root CA certificate.
    #############################################################################
    ca:
      # Name of this CA
      name:
      # Key file (is only used to import a private key into BCCSP)
      keyfile:
      # Certificate file (default: ca-cert.pem)
      certfile:
      # Chain file
      chainfile:
    
    #############################################################################
    #  The gencrl REST endpoint is used to generate a CRL that contains revoked
    #  certificates. This section contains configuration options that are used
    #  during gencrl request processing.
    #############################################################################
    crl:
      # Specifies expiration for the generated CRL. The number of hours
      # specified by this property is added to the UTC time, the resulting time
      # is used to set the 'Next Update' date of the CRL.
      expiry: 24h
    
    #############################################################################
    #  The registry section controls how the fabric-ca-server does two things:
    #  1) authenticates enrollment requests which contain a username and password
    #     (also known as an enrollment ID and secret).
    #  2) once authenticated, retrieves the identity's attribute names and
    #     values which the fabric-ca-server optionally puts into TCerts
    #     which it issues for transacting on the Hyperledger Fabric blockchain.
    #     These attributes are useful for making access control decisions in
    #     chaincode.
    #  There are two main configuration options:
    #  1) The fabric-ca-server is the registry.
    #     This is true if "ldap.enabled" in the ldap section below is false.
    #  2) An LDAP server is the registry, in which case the fabric-ca-server
    #     calls the LDAP server to perform these tasks.
    #     This is true if "ldap.enabled" in the ldap section below is true,
    #     which means this "registry" section is ignored.
    #############################################################################
    registry:
      # Maximum number of times a password/secret can be reused for enrollment
      # (default: -1, which means there is no limit)
      maxenrollments: -1
    
      # Contains identity information which is used when LDAP is disabled
      identities:
         - name: <<<adminUserName>>>
           pass: <<<adminPassword>>>
           type: client
           affiliation: ""
           attrs:
              hf.Registrar.Roles: "*"
              hf.Registrar.DelegateRoles: "*"
              hf.Revoker: true
              hf.IntermediateCA: true
              hf.GenCRL: true
              hf.Registrar.Attributes: "*"
              hf.AffiliationMgr: true
    
    #############################################################################
    #  Database section
    #  Supported types are: "sqlite3", "postgres", and "mysql".
    #  The datasource value depends on the type.
    #  If the type is "sqlite3", the datasource value is a file name to use
    #  as the database store.  Since "sqlite3" is an embedded database, it
    #  may not be used if you want to run the fabric-ca-server in a cluster.
    #  To run the fabric-ca-server in a cluster, you must choose "postgres"
    #  or "mysql".
    #############################################################################
    db:
      type: sqlite3
      datasource: fabric-ca-server.db
      tls:
          enabled: false
          certfiles:
          client:
            certfile:
            keyfile:
    
    #############################################################################
    #  LDAP section
    #  If LDAP is enabled, the fabric-ca-server calls LDAP to:
    #  1) authenticate enrollment ID and secret (i.e. username and password)
    #     for enrollment requests;
    #  2) To retrieve identity attributes
    #############################################################################
    ldap:
       # Enables or disables the LDAP client (default: false)
       # If this is set to true, the "registry" section is ignored.
       enabled: false
       # The URL of the LDAP server
       url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
       # TLS configuration for the client connection to the LDAP server
       tls:
          certfiles:
          client:
             certfile:
             keyfile:
       # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
       attribute:
          # 'names' is an array of strings containing the LDAP attribute names which are
          # requested from the LDAP server for an LDAP identity's entry
          names: ['uid','member']
          # The 'converters' section is used to convert an LDAP entry to the value of
          # a fabric CA attribute.
          # For example, the following converts an LDAP 'uid' attribute
          # whose value begins with 'revoker' to a fabric CA attribute
          # named "hf.Revoker" with a value of "true" (because the boolean expression
          # evaluates to true).
          #    converters:
          #       - name: hf.Revoker
          #         value: attr("uid") =~ "revoker*"
          converters:
             - name:
               value:
          # The 'maps' section contains named maps which may be referenced by the 'map'
          # function in the 'converters' section to map LDAP responses to arbitrary values.
          # For example, assume a user has an LDAP attribute named 'member' which has multiple
          # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
          # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
          # Further assume the following configuration.
          #    converters:
          #       - name: hf.Registrar.Roles
          #         value: map(attr("member"),"groups")
          #    maps:
          #       groups:
          #          - name: dn1
          #            value: peer
          #          - name: dn2
          #            value: client
          # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
          # "peer,client,dn3".  This is because the value of 'attr("member")' is
          # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
          # "group" replaces "dn1" with "peer" and "dn2" with "client".
          maps:
             groups:
                - name:
                  value:
    
    #############################################################################
    # Affiliations section. Fabric CA server can be bootstrapped with the
    # affiliations specified in this section. Affiliations are specified as maps.
    # For example:
    #   businessunit1:
    #     department1:
    #       - team1
    #   businessunit2:
    #     - department2
    #     - department3
    #
    # Affiliations are hierarchical in nature. In the above example,
    # department1 (used as businessunit1.department1) is the child of businessunit1.
    # team1 (used as businessunit1.department1.team1) is the child of department1.
    # department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
    # are children of businessunit2.
    # Note: Affiliations are case sensitive except for the non-leaf affiliations
    # (like businessunit1, department1, businessunit2) that are specified in the configuration file,
    # which are always stored in lower case.
    #############################################################################
    affiliations:
       org1:
          - department1
          - department2
       org2:
          - department1
    
    #############################################################################
    #  Signing section
    #
    #  The "default" subsection is used to sign enrollment certificates;
    #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
    #
    #  The "ca" profile subsection is used to sign intermediate CA certificates;
    #  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
    #  Note that "isca" is true, meaning that it issues a CA certificate.
    #  A maxpathlen of 0 means that the intermediate CA cannot issue other
    #  intermediate CA certificates, though it can still issue end entity certificates.
    #  (See RFC 5280, section 4.2.1.9)
    #
    #  The "tls" profile subsection is used to sign TLS certificate requests;
    #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
    #############################################################################
    signing:
        default:
          usage:
            - digital signature
          expiry: 8760h
        profiles:
          ca:
             usage:
               - cert sign
               - crl sign
             expiry: 43800h
             caconstraint:
               isca: true
               maxpathlen: 0
          tls:
             usage:
                - signing
                - key encipherment
                - server auth
                - client auth
                - key agreement
             expiry: 8760h
    
    ###########################################################################
    #  Certificate Signing Request (CSR) section.
    #  This controls the creation of the root CA certificate.
    #  The expiration for the root CA certificate is configured with the
    #  "ca.expiry" field below, whose default value is "131400h" which is
    #  15 years in hours.
    #  The pathlength field is used to limit CA certificate hierarchy as described
    #  in section 4.2.1.9 of RFC 5280.
    #  Examples:
    #  1) No pathlength value means no limit is requested.
    #  2) pathlength == 1 means a limit of 1 is requested which is the default for
    #     a root CA.  This means the root CA can issue intermediate CA certificates,
    #     but these intermediate CAs may not in turn issue other CA certificates
    #     though they can still issue end entity certificates.
    #  3) pathlength == 0 means a limit of 0 is requested;
    #     this is the default for an intermediate CA, which means it can not issue
    #     CA certificates though it can still issue end entity certificates.
    ###########################################################################
    csr:
       cn: <<<COMMONNAME>>>
       keyrequest:
         algo: ecdsa
         size: 256
       names:
          - C: US
            ST: "North Carolina"
            L:
            O: Hyperledger
            OU: Fabric
       hosts:
         - <<<MYHOST>>>
         - localhost
       ca:
          expiry: 131400h
          pathlength: <<<PATHLENGTH>>>
    
    ###########################################################################
    # Each CA can issue both X509 enrollment certificate as well as Idemix
    # Credential. This section specifies configuration for the issuer component
    # that is responsible for issuing Idemix credentials.
    ###########################################################################
    idemix:
      # Specifies pool size for revocation handles. A revocation handle is an unique identifier of an
      # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
      # a credential is requested, issuer will get handle from the pool and assign it to the credential.
      # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
      # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
      # by the prover to prove to the verifier that her credential is not revoked.
      rhpoolsize: 1000
    
      # The Idemix credential issuance is a two step process. First step is to  get a nonce from the issuer
      # and second step is send credential request that is constructed using the nonce to the isuser to
      # request a credential. This configuration property specifies expiration for the nonces. By default is
      # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
      nonceexpiration: 15s
    
      # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
      #  The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
      noncesweepinterval: 15m
    
    #############################################################################
    # BCCSP (BlockChain Crypto Service Provider) section is used to select which
    # crypto library implementation to use
    #############################################################################
    bccsp:
        default: SW
        sw:
            hash: SHA2
            security: 256
            filekeystore:
                # The directory used for the software file-based keystore
                keystore: msp/keystore
    
    #############################################################################
    # Multi CA section
    #
    # Each Fabric CA server contains one CA by default.  This section is used
    # to configure multiple CAs in a single server.
    #
    # 1) --cacount <number-of-CAs>
    # Automatically generate <number-of-CAs> non-default CAs.  The names of these
    # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
    # This is particularly useful in a development environment to quickly set up
    # multiple CAs. Note that, this config option is not applicable to intermediate CA server
    # i.e., Fabric CA server that is started with intermediate.parentserver.url config
    # option (-u command line option)
    #
    # 2) --cafiles <CA-config-files>
    # For each CA config file in the list, generate a separate signing CA.  Each CA
    # config file in this list MAY contain all of the same elements as are found in
    # the server config file except port, debug, and tls sections.
    #
    # Examples:
    # fabric-ca-server start -b admin:adminpw --cacount 2
    #
    # fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
    # --cafiles ca/ca2/fabric-ca-server-config.yaml
    #
    #############################################################################
    
    cacount:
    
    cafiles:
    
    #############################################################################
    # Intermediate CA section
    #
    # The relationship between servers and CAs is as follows:
    #   1) A single server process may contain or function as one or more CAs.
    #      This is configured by the "Multi CA section" above.
    #   2) Each CA is either a root CA or an intermediate CA.
    #   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
    #
    # This section pertains to configuration of #2 and #3.
    # If the "intermediate.parentserver.url" property is set,
    # then this is an intermediate CA with the specified parent
    # CA.
    #
    # parentserver section
    #    url - The URL of the parent server
    #    caname - Name of the CA to enroll within the server
    #
    # enrollment section used to enroll intermediate CA with parent CA
    #    profile - Name of the signing profile to use in issuing the certificate
    #    label - Label to use in HSM operations
    #
    # tls section for secure socket connection
    #   certfiles - PEM-encoded list of trusted root certificate files
    #   client:
    #     certfile - PEM-encoded certificate file for when client authentication
    #     is enabled on server
    #     keyfile - PEM-encoded key file for when client authentication
    #     is enabled on server
    #############################################################################
    intermediate:
      parentserver:
        url:
        caname:
    
      enrollment:
        hosts:
        profile:
        label:
    
      tls:
        certfiles:
        client:
          certfile:
          keyfile:
    
    #############################################################################
    # CA configuration section
    #
    # Configure the number of incorrect password attempts are allowed for
    # identities. By default, the value of 'passwordattempts' is 10, which
    # means that 10 incorrect password attempts can be made before an identity get
    # locked out.
    #############################################################################
    cfg:
      identities:
        passwordattempts: 10
    
    ###############################################################################
    #
    #    Operations section
    #
    ###############################################################################
    operations:
        # host and port for the operations server
        listenAddress: 127.0.0.1:9443
    
        # TLS configuration for the operations endpoint
        tls:
            # TLS enabled
            enabled: false
    
            # path to PEM encoded server certificate for the operations server
            cert:
                file:
    
            # path to PEM encoded server key for the operations server
            key:
                file:
    
            # require client certificate authentication to access all resources
            clientAuthRequired: false
    
            # paths to PEM encoded ca certificates to trust for client authentication
            clientRootCAs:
                files: []
    
    ###############################################################################
    #
    #    Metrics section
    #
    ###############################################################################
    metrics:
        # statsd, prometheus, or disabled
        provider: disabled
    
        # statsd configuration
        statsd:
            # network type: tcp or udp
            network: udp
    
            # statsd server address
            address: 127.0.0.1:8125
    
            # the interval at which locally cached counters and gauges are pushsed
            # to statsd; timings are pushed immediately
            writeInterval: 10s
    
            # prefix is prepended to all emitted statsd merics
            prefix: server
    

    证书结构

    fabric-ca-server init后产生的目录结构如下:

    .
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── ca-cert.pem
    ├── fabric-ca-server-config.yaml
    ├── fabric-ca-server.db
    └── msp
        └── keystore
            ├── 50664a3a04c5a7f354e88bbfdbda52051dc948f49ea5ffa79cf58423efedc52c_sk
            ├── IssuerRevocationPrivateKey
            └── IssuerSecretKey
    
    • ca-cert.pem 是根证书,证书包含用户信息、公钥和签名
    • msp/keystore/*_sk是根证书对应的私钥

    相关文章

      网友评论

        本文标题:Hyperledger Fabric CA概念详解

        本文链接:https://www.haomeiwen.com/subject/iddzkctx.html