Hyperledger Fabric CA User’s Guide——开始(三)
Fabric CA User’s Guide——开始
- 安装Go 1.9+
- 设置正确的GOPATH环境变量
- 安装了libtool和libtdhl-dev包
下面是在Ubuntu上安装libtool依赖命令:
sudo apt install libtool libltdl-dev
下面是在MacOSX上安装libtool依赖命令:
brew install libtool
注意:在MacOSX上没有必要使用libtldl-dev
有关libtool的更多信息,请参见https://www.gnu.org/software/libtool。
有关libltdl-dev的更多信息,请参见https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html。
下面的代码将在$GOPATH/bin中安装fabric-ca-server 和fabric-ca-client二进制文件。
go get -u github.com/hyperledger/fabric-ca/cmd/...
注意:如果已经克隆了fabric-ca仓库,请确保在运行“go get”命令之前已经在主分支上了。否则,可能会看到以下错误:
<gopath>/src/github.com/hyperledger/fabric-ca; git pull --ff-only There is no tracking information for the current branch. Please specify which branch you want to merge with. See git-pull(1) for details. git pull <remote> <branch> If you wish to set tracking information for this branch you can do so with: git branch --set-upstream-to=<remote>/<branch> tlsdoc package github.com/hyperledger/fabric-ca/cmd/fabric-ca-client: exit status 1
启动本地服务器
下面将使用缺省设置启动fabric-ca-server。
fabric-ca-server start -b admin:adminpw
-b选项提供了引导管理员的注册ID和密钥;如果LDAP没有启用“ldap.enabled”设置,那么这是必需的。
一个默认名为fabric-ca-ca-config.yaml的配置文件在可以定制的本地目录中被创建。
通过Docker启动服务
Go to: https://hub.docker.com/r/hyperledger/fabric-ca/tags/
找到与想要拉的fabric-ca构造和版本的标记相匹配的内容。
进入$GOPATH/src/github.com/hyperledger/fabric-ca/docker/server并打开编辑docker-compose.yml,更改镜像版本为目前最合适的版本信息,也许是一个类似x86架构的beta版本。
fabric-ca-server: image: hyperledger/fabric-ca:x86_64-1.0.0-beta container_name: fabric-ca-server ports: - "7054:7054" environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server volumes: - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server" command: sh -c 'fabric-ca-server start -b admin:adminpw'
在与docker-compose.yml文件相同的目录中打开一个终端,并执行以下操作:
# docker-compose up -d
如果不存在该镜像的话,这将在组合文件中拉取指定的fabric-ca镜像,并启动fabric-ca服务器的实例。
构建自己的Docker镜像
我们可以通过docker-compose构建和启动服务器,如下所示。
cd $GOPATH/src/github.com/hyperledger/fabric-ca make docker cd docker/server docker-compose up -d
hyperledger/fabric-ca docker镜像包含了fabric-ca-server 和fabric-ca-client。
# cd $GOPATH/src/github.com/hyperledger/fabric-ca # FABRIC_CA_DYNAMIC_LINK=true make docker # cd docker/server # docker-compose up -d
本节提供一些简单地Fabric CA服务端和客户端便捷使用消息。下面的小节提供了更多的使用信息。
服务器命令:
Hyperledger Fabric Certificate Authority Server Usage: fabric-ca-server [command] Available Commands: init Initialize the fabric-ca server start Start the fabric-ca server version Prints Fabric CA Server version Flags: --address string Listening address of fabric-ca-server (default "0.0.0.0") -b, --boot string The user:pass for bootstrap admin which is required to build default config file --ca.certfile string PEM-encoded CA certificate file (default "ca-cert.pem") --ca.chainfile string PEM-encoded CA chain file (default "ca-chain.pem") --ca.keyfile string PEM-encoded CA key file -n, --ca.name string Certificate Authority name --cacount int Number of non-default CA instances --cafiles stringSlice A list of comma-separated CA configuration files --cfg.affiliations.allowremove Enables removing of affiliations dynamically --cfg.identities.allowremove Enables removal of identities dynamically --crl.expiry duration Expiration for the CRL generated by the gencrl request (default 24h0m0s) --crlsizelimit int Size limit of an acceptable CRL in bytes (default 512000) --csr.cn string The common name field of the certificate signing request to a parent fabric-ca-server --csr.hosts stringSlice A list of space-separated host names in a certificate signing request to a parent fabric-ca-server --csr.serialnumber string The serial number in a certificate signing request to a parent fabric-ca-server --db.datasource string Data source which is database specific (default "fabric-ca-server.db") --db.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem) --db.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled --db.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled --db.type string Type of database; one of: sqlite3, postgres, mysql (default "sqlite3") -d, --debug Enable debug level logging -H, --home string Server's home directory (default "/etc/hyperledger/fabric-ca") --intermediate.enrollment.label string Label to use in HSM operations --intermediate.enrollment.profile string Name of the signing profile to use in issuing the certificate --intermediate.parentserver.caname string Name of the CA to connect to on fabric-ca-server -u, --intermediate.parentserver.url string URL of the parent fabric-ca-server (e.g. http://<username>:<password>@<address>:<port) --intermediate.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem) --intermediate.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled --intermediate.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled --ldap.enabled Enable the LDAP client for authentication and attributes --ldap.groupfilter string The LDAP group filter for a single affiliation group (default "(memberUid=%s)") --ldap.tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem) --ldap.tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled --ldap.tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled --ldap.url string LDAP client URL of form ldap://adminDN:adminPassword@host[:port]/base --ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)") -p, --port int Listening port of fabric-ca-server (default 7054) --registry.maxenrollments int Maximum number of enrollments; valid if LDAP not enabled (default -1) --tls.certfile string PEM-encoded TLS certificate file for server's listening port --tls.clientauth.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem) --tls.clientauth.type string Policy the server will follow for TLS Client Authentication. (default "noclientcert") --tls.enabled Enable TLS on the listening port --tls.keyfile string PEM-encoded TLS key for server's listening port Use "fabric-ca-server [command] --help" for more information about a command.
客户端命令:
Hyperledger Fabric Certificate Authority Client Usage: fabric-ca-client [command] Available Commands: affiliation Manage affiliations enroll Enroll an identity gencrl Generate a CRL gencsr Generate a CSR getcacert Get CA certificate chain identity Manage identities reenroll Reenroll an identity register Register an identity revoke Revoke an identity version Prints Fabric CA Client version Flags: --caname string Name of CA --csr.cn string The common name field of the certificate signing request --csr.hosts stringSlice A list of space-separated host names in a certificate signing request --csr.names stringSlice A list of comma-separated CSR names of the form <name>=<value> (e.g. C=CA,O=Org1) --csr.serialnumber string The serial number in a certificate signing request -d, --debug Enable debug level logging --enrollment.attrs stringSlice A list of comma-separated attribute requests of the form <name>[:opt] (e.g. foo,bar:opt) --enrollment.label string Label to use in HSM operations --enrollment.profile string Name of the signing profile to use in issuing the certificate -H, --home string Client's home directory (default "$HOME/.fabric-ca-client") --id.affiliation string The identity's affiliation --id.attrs stringSlice A list of comma-separated attributes of the form <name>=<value> (e.g. foo=foo1,bar=bar1) --id.maxenrollments int The maximum number of times the secret can be reused to enroll. (default -1) --id.name string Unique name of the identity --id.secret string The enrollment secret for the identity being registered --id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client") -M, --mspdir string Membership Service Provider directory (default "msp") -m, --myhost string Hostname to include in the certificate signing request during enrollment (default "$HOSTNAME") -a, --revoke.aki string AKI (Authority Key Identifier) of the certificate to be revoked -e, --revoke.name string Identity whose certificates should be revoked -r, --revoke.reason string Reason for revocation -s, --revoke.serial string Serial number of the certificate to be revoked --tls.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem) --tls.client.certfile string PEM-encoded certificate file when mutual authenticate is enabled --tls.client.keyfile string PEM-encoded key file when mutual authentication is enabled -u, --url string URL of fabric-ca-server (default "http://localhost:7054") Use "fabric-ca-client [command] --help" for more information about a command.
注意,可以通过指定带有逗号分隔的列表元素的选项或多次指定选项来指定命令行选项(列表),每个选项都有一个组成列表的字符串值。例如,为csr.hosts选项指定host1和host2,可以通过--csr 'host1,host2',或者--csr host1 --csr host2。使用前一种格式时,请确保在逗号前后没有空格。
