Spring Boot Fullstack Blockchain Application With Hyperledger Fabric running on Kubernetes (Part 3) — Fabric CA Server

Şuayb Şimşek
9 min read · Nov 21, 2021


Hello everyone. In this article series we will cover the Hyperledger Fabric integration with Spring Boot. In this article, we will look into the Fabric CA Server and the installation of the Fabric CA Server on Kubernetes.

Other articles on Hyperledger Fabric integration with Spring Boot can be accessed from the links below.

Part 1 — Introduction

Part 2 — Kubernetes Cluster Setup

Part 3 — Fabric CA Server

Part 4 — Generating Certificates and Artifacts

Part 5 — Kafka

Part 6 — Orderer

What is Fabric CA Server?

Fabric CA is a Certificate Authority (CA) for Hyperledger Fabric.

It provides features such as:

  • registration of identities, or connects to LDAP as the user registry
  • issuance of Enrollment Certificates (ECerts)
  • certificate renewal and revocation

The diagram below illustrates how the Hyperledger Fabric CA server fits into the overall Hyperledger Fabric architecture.

There are two ways of interacting with a Hyperledger Fabric CA server: via the Hyperledger Fabric CA client or through one of the Fabric SDKs. All communication to the Hyperledger Fabric CA server is via REST APIs.

The Hyperledger Fabric CA client or SDK may connect to a server in a cluster of Hyperledger Fabric CA servers. This is illustrated in the top right section of the diagram. The client routes to an HA Proxy endpoint which load balances traffic to one of the fabric-ca-server cluster members.

A server may contain multiple CAs. Each CA is either a root CA or an intermediate CA. Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.

Configuring the Fabric CA Server

Let’s open the project we downloaded from this link and go to the directory where the CA is located.

$ cd deploy/k8s

Configuration Settings

The Fabric CA provides 3 ways to configure settings on the Fabric CA server and client. The precedence order is:

1. CLI flags

2. Environment variables

3. Configuration file

We will configure the Fabric CA server with the configuration file.

We will set up 4 Fabric CA servers, for the orderer, org1, org2 and org3. A configuration file must be defined for each Fabric CA server.

The Fabric CA configuration file defined in the project for the Orderer is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/ordererOrg folder.

csr:
  ...
  hosts:
    - localhost
    - example.com
    - ca-orderer

localhost, example.com and ca-orderer are added as CSR hosts in the config file.

ca-orderer is the service name of the Fabric CA server in Kubernetes.

ca:
  # Name of this CA
  name: OrdererCA

OrdererCA is the CA name.

csr:
  cn: ca-org1
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org1
      OU: ca-org1

All of the fields above pertain to the X.509 signing key and certificate which is generated by fabric-ca-server init. This corresponds to the ca.certfile and ca.keyfile files in the server’s configuration file. The fields are as follows:

  • cn is the Common Name
  • O is the organization name
  • OU is the organizational unit
  • L is the location or city
  • ST is the state
  • C is the country

registry:
  ...
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""

The server must be configured with at least one pre-registered bootstrap identity to enable you to register and enroll other identities. The -b option specifies the name and password for a bootstrap identity.

db:
  type: sqlite3
  datasource: fabric-ca-server.db

The default database is SQLite and the default database file is fabric-ca-server.db in the Fabric CA server’s home directory. Fabric CA server can also connect to PostgreSQL or MySQL databases.

Fabric CA supports the following database versions in a cluster setup:

  • PostgreSQL: 9.5.5 or later
  • MySQL: 5.7 or later

affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1

I think of affiliations as hierarchical tags. Each identity can be tagged (affiliated) with one affiliation in the hierarchy. When an identity is associated with an affiliation, it is affiliated with that affiliation and all of its child affiliations. Affiliations are currently used during registration and revocation.

The Fabric CA configuration file defined in the project for Org1 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org1 folder.

csr:
  ...
  hosts:
    - localhost
    - example.com
    - ca-org1

localhost, example.com and ca-org1 are added as CSR hosts in the config file.

ca-org1 is the service name of the Fabric CA server in Kubernetes.

ca:
  # Name of this CA
  name: Org1CA

Org1CA is the CA name.

csr:
  cn: ca-org1
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org1
      OU: ca-org1

All of the fields above pertain to the X.509 signing key and certificate which is generated by fabric-ca-server init.

affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
  org3:
    - department1

The affiliation definitions differ from the CA Orderer configuration file: affiliation definitions have been added for Org2 and Org3. The database and bootstrap user configurations are the same as for the CA Orderer.

The Fabric CA configuration file defined in the project for Org2 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org2 folder.

The CSR settings and CA name differ from the CA Org1 configuration. The other configurations are the same as for CA Org1.

csr:
  cn: ca-org2
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org2
      OU: ca-org2
  hosts:
    - localhost
    - example.com
    - ca-org2

ca-org2 is the service name of the Fabric CA server in Kubernetes.

ca:
  # Name of this CA
  name: Org2CA

The Fabric CA configuration file defined in the project for Org3 is as follows. The configuration file is in the deploy/k8s/fabricfiles/organizations/fabric-ca/org3 folder.

The CSR settings and CA name differ from the CA Org1 configuration. The other configurations are the same as for CA Org1.

csr:
  cn: ca-org3
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: ca-org3
      OU: ca-org3
  hosts:
    - localhost
    - example.com
    - ca-org3

ca-org3 is the service name of the Fabric CA server in Kubernetes.

ca:
  # Name of this CA
  name: Org3CA

After setting the Fabric CA Server configurations for the Orderer, Org1, Org2 and Org3, we can deploy the CA servers to Kubernetes.

Installation of Fabric CA Server on Kubernetes

Let’s create a persistent volume and a persistent volume claim to access the fabric files from the pod: fabricfiles-pv.yaml and fabricfiles-pvc.yaml.

The fabricfiles-pv.yaml file is in the deploy/k8s/pv folder.

The fabricfiles-pvc.yaml file is in the deploy/k8s/pvc folder.

nfs:
  path: /srv/kubedata/fabricfiles
  server: 192.168.12.9

192.168.12.9 is the IP address of the NFS server.

/srv/kubedata/fabricfiles is the directory where the fabric files are located on the NFS server.

Let’s create the Fabric Orderer CA server deployment and service, ca-orderer.yaml and ca-orderer-svc.yaml. The YAML files are in the deploy/k8s/ca folder.

kind: Service
metadata:
  name: ca-orderer

ca-orderer is the Kubernetes service name of the Orderer Fabric CA server. It must be added to the CSR hosts configuration in the Fabric CA configuration file.

ports:
  - protocol: TCP
    targetPort: 10054
    port: 10054

targetPort (10054) is the container’s internal port.

port (10054) is the service port.

"fabric-ca-server",
"start", "-b", "admin:adminpw", "--port", "10054", "-d"

The -b (bootstrap identity) option is required for initialization when LDAP is disabled. At least one bootstrap identity is required to start the Fabric CA server; this identity is the server administrator.

admin:adminpw

These are the server admin credentials: the admin username is admin and the admin password is adminpw.

--port", "10054"

10054 is assigned as the CA server container port.

env:
  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-orderer
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"

TLS is enabled and the CA name ca-orderer is assigned. Since environment variables take precedence over the configuration file, this value overrides the ca.name set in the configuration file.

volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/ordererOrg

organizations/fabric-ca/ordererOrg is the path of the CA server configuration file within the fabric files.

Let’s create the Fabric CA Org1 server deployment and service, ca-org1.yaml and ca-org1-svc.yaml. The YAML files are in the deploy/k8s/ca folder.

kind: Service
metadata:
  name: ca-org1

ca-org1 is the Kubernetes service name of the Org1 Fabric CA server. It must be added to the CSR hosts configuration in the Fabric CA configuration file.

ports:
  - protocol: TCP
    targetPort: 7054
    port: 7054

targetPort (7054) is the container’s internal port.

port (7054) is the service port.

--port", "7054"

7054 is assigned as the CA server container port.

  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org1
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org1"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org1"

TLS is enabled, the CA name ca-org1 is assigned, and the CSR host and CN are set to ca-org1. As with the CA name, these environment variables take precedence over the corresponding csr settings in the configuration file.
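The environment-over-file precedence matters for TLS: the server's certificate is only valid for the names that end up in csr.hosts, and the Kubernetes Service name must be among them. The shell check below is an added example, not part of the original post or the project, and it mirrors the org1 settings above in a constructed config snippet; it assumes FABRIC_CA_SERVER_CSR_HOSTS is comma-separated and replaces (rather than merges with) the file's list, and its awk list extraction handles only the block layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): compute the effective csr.hosts of a
# Fabric CA server from its config file plus FABRIC_CA_SERVER_CSR_HOSTS, then check
# that the Kubernetes Service name is covered by the TLS certificate it will issue.
# Assumptions: the env value is comma-separated and replaces the file's list.

# Constructed to mirror the org1 configuration shown in the post.
ORG1_CA_CONFIG=$(cat <<'EOF'
csr:
  cn: ca-org1
  hosts:
    - localhost
    - example.com
    - ca-org1
ca:
  name: Org1CA
EOF
)

# Print the csr.hosts entries from the config text ($1), one per line.
# Handles only the block-style layout above; it is not a general YAML parser.
file_csr_hosts() {
  printf '%s\n' "$1" | awk '
    /^[^ ]/ { top = $1 }                               # remember top-level key
    top == "csr:" && $1 == "hosts:" { inhosts = 1; next }
    inhosts && $1 == "-" { print $2; next }            # "- value" list item
    inhosts { inhosts = 0 }                            # list ended
  '
}

# Effective hosts: $1 = config text, $2 = FABRIC_CA_SERVER_CSR_HOSTS ("" if unset).
effective_csr_hosts() {
  if [ -n "$2" ]; then
    printf '%s\n' "$2" | tr ',' '\n'   # env override wins, per the precedence order
  else
    file_csr_hosts "$1"
  fi
}

# Return 0 if the Service name ($1) is an effective host, 1 otherwise.
service_covered() {
  effective_csr_hosts "$2" "$3" | grep -qx "$1"
}

# With the override from the deployment, only ca-org1 remains; localhost is dropped.
if service_covered ca-org1 "$ORG1_CA_CONFIG" "ca-org1"; then
  echo "ok: Service ca-org1 is in the effective csr.hosts"
fi
if ! service_covered localhost "$ORG1_CA_CONFIG" "ca-org1"; then
  echo "note: localhost is no longer in csr.hosts because of the env override" >&2
fi
```

Run it against each CA's config and Service name before applying the manifests; a name missing from the effective list means in-cluster clients will fail TLS hostname verification against that server.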

volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org1

organizations/fabric-ca/org1 is the path of the CA server configuration file within the fabric files.

Let’s create the Fabric CA Org2 server deployment and service, ca-org2.yaml and ca-org2-svc.yaml. The YAML files are in the deploy/k8s/ca folder.

kind: Service
metadata:
  name: ca-org2

ca-org2 is the Kubernetes service name of the Org2 Fabric CA server. It must be added to the CSR hosts configuration in the Fabric CA configuration file.

ports:
  - protocol: TCP
    targetPort: 8054
    port: 8054

targetPort (8054) is the container’s internal port.

port (8054) is the service port.

--port", "8054"

8054 is assigned as the CA server container port.

  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org2
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org2"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org2"

TLS is enabled, the CA name ca-org2 is assigned, and the CSR host and CN are set to ca-org2.

volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org2

organizations/fabric-ca/org2 is the path of the CA server configuration file within the fabric files.

Let’s create the Fabric CA Org3 server deployment and service, ca-org3.yaml and ca-org3-svc.yaml. The YAML files are in the deploy/k8s/ca folder.

kind: Service
metadata:
  name: ca-org3

ca-org3 is the Kubernetes service name of the Org3 Fabric CA server. It must be added to the CSR hosts configuration in the Fabric CA configuration file.

ports:
  - protocol: TCP
    targetPort: 9054
    port: 9054

targetPort (9054) is the container’s internal port.

port (9054) is the service port.

--port", "9054"

9054 is assigned as the CA server container port.

  - name: FABRIC_CA_SERVER_CA_NAME
    value: ca-org3
  - name: FABRIC_CA_SERVER_TLS_ENABLED
    value: "true"
  - name: FABRIC_CA_SERVER_CSR_CN
    value: "ca-org3"
  - name: FABRIC_CA_SERVER_CSR_HOSTS
    value: "ca-org3"

TLS is enabled, the CA name ca-org3 is assigned, and the CSR host and CN are set to ca-org3.

volumeMounts:
  - name: data
    mountPath: /etc/hyperledger/fabric-ca-server
    subPath: organizations/fabric-ca/org3

organizations/fabric-ca/org3 is the path of the CA server configuration file within the fabric files.

Let’s define a job that creates the certificates for the orderer, org1, org2 and org3.

Let’s connect to the Kubernetes master node virtual machine with the vagrant ssh command.

$ vagrant ssh k8smaster

Let’s go to the directory where the Kubernetes installation scripts are located. This directory is the same as the deploy/k8s folder in the project; with Vagrant, it is synchronized to the virtual machine.

$ cd /vagrant/k8s

Deploying the persistent volume for the fabric files:

$ kubectl apply -f pv/fabricfiles-pv.yaml

Deploying the persistent volume claim for the fabric files:

$ kubectl apply -f pvc/fabricfiles-pvc.yaml

Deploying the Fabric CA servers:

$ kubectl apply -f ca/

Waiting for the Fabric CA server deployments to become available:

$ kubectl wait --for condition=available --timeout=300s deployment -l "app in (ca-orderer,ca-org1,ca-org2,ca-org3)"

Finally, let’s check from the Lens IDE whether our pods are running.

All of the Fabric CA server pods are running.

My article ends here. In summary, I introduced the Fabric CA Server and explained the installation of the Fabric CA Server on Kubernetes.

See you in the next articles.

Project Links

Spring Boot Hlf Starter Project details and installation can be accessed via this link.

Asset Transfer Project details and installation can be accessed via this link.
