Spring Boot Fullstack Blockchain Application With Hyperledger Fabric running on Kubernetes (Part 3) — Fabric CA Server
Hello everyone, in this article series we look at integrating Hyperledger Fabric with Spring Boot. In this article, we will look into the Fabric CA Server and its installation on Kubernetes.
Other articles on Hyperledger Fabric integration with Spring Boot can be accessed from the links below.
Part 2 — Kubernetes Cluster Setup
Part 4 — Generating Certificates and Artifacts
What is Fabric CA Server?
Fabric CA is a Certificate Authority (CA) for Hyperledger Fabric.
It provides features such as:
- registration of identities, or connects to LDAP as the user registry
- issuance of Enrollment Certificates (ECerts)
- certificate renewal and revocation
The diagram below illustrates how the Hyperledger Fabric CA server fits into the overall Hyperledger Fabric architecture.
There are two ways of interacting with a Hyperledger Fabric CA server: via the Hyperledger Fabric CA client or through one of the Fabric SDKs. All communication to the Hyperledger Fabric CA server is via REST APIs.
The Hyperledger Fabric CA client or SDK may connect to a server in a cluster of Hyperledger Fabric CA servers. This is illustrated in the top right section of the diagram. The client routes to an HA Proxy endpoint which load balances traffic to one of the fabric-ca-server cluster members.
A server may contain multiple CAs. Each CA is either a root CA or an intermediate CA. Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
Configuration Fabric CA Server
Let’s open the project we downloaded from this link and go to the directory where the CA files are located.
$ cd deploy/k8s
Configuration Settings
The Fabric CA provides 3 ways to configure settings on the Fabric CA server and client. The precedence order is:
1. CLI flags
2. Environment variables
3. Configuration file
We will configure the fabric ca server with the configuration file.
We will set up 4 Fabric CA servers, for the orderer, org1, org2 and org3. A configuration file must be defined for each Fabric CA server.
The Fabric CA configuration file defined in the project for the Orderer is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/ordererOrg folder.
csr:
  ...
  hosts:
    - localhost
    - example.com
    - ca-orderer
localhost, example.com and ca-orderer are added as CSR hosts in the config file; these names end up as Subject Alternative Names of the certificate the CA issues for itself, which is why every name clients will connect to must be listed here.
ca-orderer is the Kubernetes service name of the Fabric CA server.
ca:
  # Name of this CA
  name: OrdererCA
OrdererCA is the CA name.
csr:
  cn: ca-org1
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org1
      OU: ca-org1
All of the fields above pertain to the X.509 signing key and certificate which is generated by fabric-ca-server init. This corresponds to the ca.certfile and ca.keyfile files in the server’s configuration file. The fields are as follows:
- cn is the Common Name
- O is the organization name
- OU is the organizational unit
- L is the location or city
- ST is the state
- C is the country
registry:
  ...
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
The server must be configured with at least one pre-registered bootstrap identity so that you can register and enroll other identities. The -b option specifies the name and password for a bootstrap identity.
db:
  type: sqlite3
  datasource: fabric-ca-server.db
The default database is SQLite and the default database file is fabric-ca-server.db in the Fabric CA server’s home directory. The Fabric CA server can also connect to PostgreSQL or MySQL databases.
Fabric CA supports the following database versions in a cluster setup:
- PostgreSQL: 9.5.5 or later
- MySQL: 5.7 or later
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
I think of affiliations as hierarchical tags. Each identity can be tagged (affiliated) to (with) one affiliation in the hierarchy. When an identity is associated with an affiliation, it is affiliated with that and all the child affiliations. Affiliations are currently used during registration and revocation.
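As an added illustration of the affiliation hierarchy (example code, not from the article or the project): the snippet below flattens the affiliations mapping above into dotted paths and then applies the rule described in the paragraph to registration and revocation. An identity at org1 also covers org1.department1 and org1.department2, a registrar can only register or revoke identities at or below its own affiliation, and the bootstrap admin's empty affiliation is the root that covers everything. The identities list is a constructed sample, and the prefix check is this example's own implementation of the rule.

```python
"""Affiliation hierarchy from a Fabric CA config and the two places it is used.

Added example for this article, not code from the project or from Fabric CA.
The affiliations mapping is constructed to mirror the Org1 CA config on the
page. Rule implemented: an identity tied to an affiliation is also tied to
every child affiliation, and a registrar can only act on identities at or
below its own affiliation; an empty affiliation (the bootstrap admin's) is
the root and covers everything.
"""
from typing import Dict, List, Set, Tuple, Union

Tree = Union[Dict[str, "Tree"], List[str]]

# Constructed: the affiliations section of the Org1 CA configuration file.
AFFILIATIONS: Tree = {
    "org1": ["department1", "department2"],
    "org2": ["department1"],
    "org3": ["department1"],
}

# Constructed registry snapshot: identities and the affiliation each was given.
IDENTITIES = [
    {"name": "admin", "affiliation": ""},
    {"name": "peer0-org1", "affiliation": "org1"},
    {"name": "alice", "affiliation": "org1.department1"},
    {"name": "bob", "affiliation": "org1.department2"},
    {"name": "carol", "affiliation": "org2.department1"},
]


def expand(tree: Tree, prefix: str = "") -> Set[str]:
    """Flatten the nested YAML mapping into dotted paths such as 'org1.department1'."""
    paths: Set[str] = set()
    items = tree.items() if isinstance(tree, dict) else ((leaf, None) for leaf in tree)
    for name, children in items:
        path = f"{prefix}.{name}" if prefix else name
        paths.add(path)
        if children:
            paths |= expand(children, path)
    return paths


def covers(parent: str, child: str) -> bool:
    """True when child is parent itself or lies beneath it; '' is the root."""
    return parent == "" or child == parent or child.startswith(parent + ".")


def may_register(registrar_aff: str, new_aff: str, known: Set[str]) -> Tuple[bool, str]:
    """Registration check: the affiliation must exist and be within the registrar's scope."""
    if new_aff != "" and new_aff not in known:
        return False, f"affiliation {new_aff!r} is not defined in the CA config"
    if not covers(registrar_aff, new_aff):
        scope = registrar_aff or "<root>"
        return False, f"registrar at {scope!r} cannot register into {new_aff!r}"
    return True, "ok"


def revocable_by(registrar_aff: str, identities) -> List[str]:
    """Revocation scope: every identity whose affiliation the registrar covers."""
    return [i["name"] for i in identities if covers(registrar_aff, i["affiliation"])]


if __name__ == "__main__":
    known = expand(AFFILIATIONS)
    print(sorted(known))
    print(may_register("org1", "org1.department1", known))   # allowed
    print(may_register("org1", "org2.department1", known))   # outside org1
    print(may_register("org1", "org1.department3", known))   # not in config
    print(revocable_by("org1", IDENTITIES))
```

Running the script shows why the bootstrap admin is given affiliation "" in the registry: it is the only identity that can register into every organisation, while an org1 registrar is confined to org1 and its departments.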
The Fabric CA configuration file defined in the project for Org1 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org1 folder.
csr:
  ...
  hosts:
    - localhost
    - example.com
    - ca-org1
localhost, example.com and ca-org1 are added as CSR hosts in the config file.
ca-org1 is the Kubernetes service name of the Fabric CA server.
ca:
  # Name of this CA
  name: Org1CA
Org1CA is the CA name.
csr:
  cn: ca-org1
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org1
      OU: ca-org1
All of the fields above pertain to the X.509 signing key and certificate which is generated by fabric-ca-server init.
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
  org3:
    - department1
The affiliation definitions differ from the Orderer CA configuration file: affiliations for Org2 and Org3 have been added. The database and bootstrap user configurations are the same as for the Orderer CA.
The Fabric CA configuration file defined in the project for Org2 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org2 folder.
The CSR settings and the CA name differ from the Org1 CA configuration. The other settings are the same as for the Org1 CA.
csr:
  cn: ca-org2
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org2
      OU: ca-org2
  hosts:
    - localhost
    - example.com
    - ca-org2
ca-org2 is the Kubernetes service name of the Fabric CA server.
ca:
  # Name of this CA
  name: Org2CA
The Fabric CA configuration file defined in the project for Org3 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org3 folder.
The CSR settings and the CA name differ from the Org1 CA configuration. The other settings are the same as for the Org1 CA.
csr:
  cn: ca-org3
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org3
      OU: ca-org3
  hosts:
    - localhost
    - example.com
    - ca-org3
ca-org3 is the Kubernetes service name of the Fabric CA server.
ca:
  # Name of this CA
  name: Org3CA
After setting the Fabric CA Server configurations for the Orderer, Org1, Org2 and Org3, we can deploy the CA servers to Kubernetes.
Installation of Fabric CA Server on Kubernetes
Let’s create a persistent volume and a persistent volume claim so the pods can access the fabric files: fabricfiles-pv.yaml and fabricfiles-pvc.yaml.
The fabricfiles-pv.yaml file is in the deploy/k8s/pv folder.
The fabricfiles-pvc.yaml file is in the deploy/k8s/pvc folder.
nfs:
  path: /srv/kubedata/fabricfiles
  server: 192.168.12.9
192.168.12.9 is the IP address of the NFS server.
/srv/kubedata/fabricfiles is the directory on the NFS server where the fabric files are located.
Let’s create the Fabric Orderer CA server deployment and service, ca-orderer.yaml and ca-orderer-svc.yaml. The YAML files are in the deploy/k8s/ca folder.
kind: Service
metadata:
  name: ca-orderer
ca-orderer is the Kubernetes service name of the Orderer Fabric CA server. It must be added to the csr hosts in the Fabric CA configuration file.
ports:
  - protocol: TCP
    targetPort: 10054
    port: 10054
targetPort (10054) is the container's internal port and port (10054) is the service port.
"fabric-ca-server",
"start", "-b", "admin:adminpw", "--port", "10054", "-d"
The -b (bootstrap identity) option is required for initialization when LDAP is disabled. At least one bootstrap identity is required to start the Fabric CA server; this identity is the server administrator.
admin:adminpw is the server admin information: the admin username is admin and the admin password is adminpw.
"--port", "10054": 10054 is assigned as the CA server container port.
env:
  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-orderer
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
TLS is enabled and the CA name ca-orderer is assigned.
volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/ordererOrg
organizations/fabric-ca/ordererOrg is the path of the CA server configuration file within the fabric files.
Let’s create the Fabric CA Org1 server deployment and service, ca-org1.yaml and ca-org1-svc.yaml. The YAML files are in the deploy/k8s/ca folder.
kind: Service
metadata:
  name: ca-org1
ca-org1 is the Kubernetes service name of the Org1 Fabric CA server. It must be added to the csr hosts in the Fabric CA configuration file.
ports:
  - protocol: TCP
    targetPort: 7054
    port: 7054
targetPort (7054) is the container's internal port and port (7054) is the service port.
"--port", "7054": 7054 is assigned as the CA server container port.
  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org1
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org1"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org1"
TLS is enabled, the CA name ca-org1 is assigned, and the CSR host and CN are both set to ca-org1.
volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org1
organizations/fabric-ca/org1 is the path of the CA server configuration file within the fabric files.
Let’s create the Fabric CA Org2 server deployment and service, ca-org2.yaml and ca-org2-svc.yaml. The YAML files are in the deploy/k8s/ca folder.
kind: Service
metadata:
  name: ca-org2
ca-org2 is the Kubernetes service name of the Org2 Fabric CA server. It must be added to the csr hosts in the Fabric CA configuration file.
ports:
  - protocol: TCP
    targetPort: 8054
    port: 8054
targetPort (8054) is the container's internal port and port (8054) is the service port.
"--port", "8054": 8054 is assigned as the CA server container port.
  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org2
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org2"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org2"
TLS is enabled, the CA name ca-org2 is assigned, and the CSR host and CN are both set to ca-org2.
volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org2
organizations/fabric-ca/org2 is the path of the CA server configuration file within the fabric files.
Let’s create the Fabric CA Org3 server deployment and service, ca-org3.yaml and ca-org3-svc.yaml. The YAML files are in the deploy/k8s/ca folder.
kind: Service
metadata:
  name: ca-org3
ca-org3 is the Kubernetes service name of the Org3 Fabric CA server. It must be added to the csr hosts in the Fabric CA configuration file.
ports:
  - protocol: TCP
    targetPort: 9054
    port: 9054
targetPort (9054) is the container's internal port and port (9054) is the service port.
"--port", "9054": 9054 is assigned as the CA server container port.
  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org3
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org3"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org3"
TLS is enabled, the CA name ca-org3 is assigned, and the CSR host and CN are both set to ca-org3.
volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org3
organizations/fabric-ca/org3 is the path of the CA server configuration file within the fabric files.
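The deployments above set FABRIC_CA_SERVER_CA_NAME (and, for the three org CAs, FABRIC_CA_SERVER_CSR_CN and FABRIC_CA_SERVER_CSR_HOSTS) in the pod environment, while the configuration files set ca.name and csr.hosts. Under the precedence order given in the Configuration Settings section (CLI flags, then environment variables, then the configuration file) the environment wins, so the CA name clients must use is ca-org1 rather than Org1CA, and the effective csr.hosts list is the single value from the environment rather than the three names in the file. The following added Python example, which is not code from the article or the project, resolves the effective settings from the three sources in that order and then checks that the Kubernetes Service name appears in csr.hosts, that the Service targetPort matches the CA port, and that TLS is enabled. The inputs are constructed dicts mirroring the page's ca-org1 YAML rather than parsed files; the mapping of FABRIC_CA_SERVER_* names to config keys and the comma-separated form for list values are assumptions of this example.

```python
"""Effective Fabric CA settings: CLI flag > environment variable > config file.

Added example for this article, not code from the project or from Fabric CA.
The three inputs are constructed to mirror the page's ca-org1 config file,
Deployment env block and Service. Assumptions: a FABRIC_CA_SERVER_* variable
names the config key by lower-casing the suffix and replacing "_" with "."
(CA_NAME -> ca.name), and a list-valued variable such as CSR_HOSTS is written
as a comma-separated string.
"""
import copy
from typing import Any, Dict, List

ENV_PREFIX = "FABRIC_CA_SERVER_"

# Constructed: the parts of org1/fabric-ca-server-config.yaml shown on the page.
ORG1_CONFIG_FILE: Dict[str, Any] = {
    "port": 7054,
    "ca": {"name": "Org1CA"},
    "csr": {"cn": "ca-org1", "hosts": ["localhost", "example.com", "ca-org1"]},
    "tls": {"enabled": False},
}
# Constructed: env and command arguments from the ca-org1 Deployment.
ORG1_ENV = {
    "FABRIC_CA_SERVER_CA_NAME": "ca-org1",
    "FABRIC_CA_SERVER_TLS_ENABLED": "true",
    "FABRIC_CA_SERVER_CSR_CN": "ca-org1",
    "FABRIC_CA_SERVER_CSR_HOSTS": "ca-org1",
}
ORG1_ARGS = ["start", "-b", "admin:adminpw", "--port", "7054", "-d"]
# Constructed: the ca-org1 Service from ca-org1-svc.yaml.
ORG1_SERVICE = {"name": "ca-org1", "port": 7054, "targetPort": 7054}


def _get(cfg: Dict[str, Any], path: List[str], default: Any = None) -> Any:
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _set(cfg: Dict[str, Any], path: List[str], value: Any) -> None:
    node = cfg
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def _coerce(raw: str, like: Any) -> Any:
    """Give an env/CLI string the type the config file uses for that key."""
    if isinstance(like, bool):          # bool before int: bool is a subclass of int
        return raw.strip().lower() in ("1", "true", "yes")
    if isinstance(like, int):
        return int(raw)
    if isinstance(like, list):          # assumed comma-separated list form
        return [h.strip() for h in raw.split(",") if h.strip()]
    return raw


def effective_config(file_cfg: Dict[str, Any], env: Dict[str, str], args: List[str]) -> Dict[str, Any]:
    """Apply the precedence order the article gives: file < env < CLI flags."""
    cfg = copy.deepcopy(file_cfg)
    for name, raw in env.items():                       # env overrides file
        if name.startswith(ENV_PREFIX):
            path = name[len(ENV_PREFIX):].lower().split("_")
            _set(cfg, path, _coerce(raw, _get(file_cfg, path)))
    for i, arg in enumerate(args[:-1]):                 # flags override both
        if arg == "--port":
            cfg["port"] = int(args[i + 1])
    return cfg


def check_service(cfg: Dict[str, Any], service: Dict[str, Any]) -> List[str]:
    """Consistency checks between the effective CA settings and its Service."""
    problems: List[str] = []
    hosts = _get(cfg, ["csr", "hosts"], [])
    if service["name"] not in hosts:
        problems.append(f"service name {service['name']!r} is not in csr.hosts {hosts}")
    if service["targetPort"] != cfg.get("port"):
        problems.append(f"targetPort {service['targetPort']} != CA port {cfg.get('port')}")
    if not _get(cfg, ["tls", "enabled"], False):
        problems.append("TLS is not enabled on the CA server")
    return problems


if __name__ == "__main__":
    effective = effective_config(ORG1_CONFIG_FILE, ORG1_ENV, ORG1_ARGS)
    print("effective ca.name  :", effective["ca"]["name"])     # env value, not Org1CA
    print("effective csr.hosts:", effective["csr"]["hosts"])   # env value only
    print("problems:", check_service(effective, ORG1_SERVICE) or "none")
```

The same check can be repeated for the orderer, org2 and org3 by swapping in their constructed values; the orderer case shows the CA name becoming ca-orderer instead of OrdererCA. The point to take from the hosts result is that a name you want in the certificate (localhost for port-forwarded debugging, for example) has to be present in whichever source wins, not just in the file.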
Let’s define a job that creates the certificates for the orderer, org1, org2 and org3.
Let’s connect to the kubernetes master node virtual machine with the vagrant ssh command.
$ vagrant ssh k8smaster
Let’s go to the directory where the Kubernetes installation scripts are located. This directory is the same as the deploy/k8s folder in the project; with Vagrant, it is synchronized to the virtual machine.
$ cd /vagrant/k8s
Deploying the persistence volume for fabric files
$ kubectl apply -f pv/fabricfiles-pv.yaml
Deploying the persistence volume claim for fabric files
$ kubectl apply -f pvc/fabricfiles-pvc.yaml
Deploying the fabric ca server
$ kubectl apply -f ca/
Waiting for the Fabric CA server deployments to become available
$ kubectl wait --for condition=available --timeout=300s deployment -l "app in (ca-orderer,ca-org1,ca-org2,ca-org3)"
Finally, let’s check from the Lens IDE whether our pods are running.
All of fabric ca server pods are running.
My article ends here. In general, I explained the Fabric CA Server and the installation of the Fabric CA Server on Kubernetes.
See you in the next articles.
Project Links
Spring Boot Hlf Starter Project details and installation can be accessed via this link.
Asset Transfer Project details and installation can be accessed via this link.