将具有第三方证书的组织添加到网络
本主题包含有关使用第三方证书将组织加入 Oracle Blockchain Platform 网络的信息。
将具有第三方证书的组织加入 Oracle Blockchain Platform 网络的典型工作流
具有第三方证书颁发机构 (CA) 颁发证书的组织可以作为参与者加入 Oracle Blockchain Platform 网络。
仅客户机组织
这些参与者是仅限客户的组织,没有同行或排序者。他们无法创建渠道、加入对等节点或安装链代码。
加入网络后,以下组织可以使用 SDK 或超级账本架构 CLI 来执行以下操作:
- 如果是客户端组织管理员,则部署、调用和查询链代码。
- 如果是客户组织非管理员,则调用和查询链代码。
- 将链代码安装到对等节点上的链代码所有者可以通过使用超级账本架构
peer chaincode package -i实例化策略命令设置链代码的实例化策略来决定谁可以部署链代码。 - 链代码实例化程序可以使用超级账本架构
peer chaincode instantiate -P背书策略命令来设置背书策略,以控制谁可以调用链代码。 - 渠道所有者可以通过设置渠道建议和查询访问控制列表来决定谁可以调用或查询链代码。请参阅 Hyperledger Fabric Access Control Lists 。
工作流
下面是具有第三方证书的组织以及 Oracle Blockchain Platform 创始人为加入 Oracle Blockchain Platform 网络而需要执行的任务。
| 任务 | 这是谁? | 说明 | 更多信息 |
|---|---|---|---|
| 获取第三方证书 | 第三方证书(参与者)组织 | 转到第三方 CA 服务器并生成所需的证书文件。根据需要格式化文件以导入网络。 | 第三方证书要求 |
| 创建要导入的证书文件 | 第三方证书(参与者)组织 | 查找参与者的管理员和 CA 证书信息,并使用该信息编写 JSON 证书文件。 | 创建组织的第三方证书文件 |
| 上载第三方(参与者)组织的证书文件 | 创始人组织 | 使用控制台上载和导入参与者的证书文件以将参与者添加到网络。 | 导入证书以将组织添加到网络 |
| 将订购服务设置从网络创建者导出,并将其提供给第三方(参与者)组织 | 创始人组织 | 将创始人的排序服务设置输出到 JSON 文件并将文件发送给参与者。
打开订购服务设置文件,查找订购服务的地址和端口,并将其提供给参与者。例如: |
加入参与方或扩展 OSN 到创始人的订购服务 |
| 创建通道 | 建立者 | 创建新渠道并将参与者添加到其中。 | 创建通道 |
| 安装和部署链代码 | 建立者 | 在创建者的实例中,上载、安装和部署链代码。选择要在其上安装链代码的网络对等节点。 | |
| 设置第三方(参与者)组织的环境 | 第三方证书(参与者)组织 | 要查询或调用链代码,参与者必须:
|
准备使用 Oracle Blockchain Platform Network 的第三方环境 |
第三方证书要求
要成功加入网络,组织必须生成所需的第三方证书。这些证书中的信息用于创建组织的证书文件,然后将其导入创始人的实例。
组织需要提供哪些证书?
必须从 CA 服务器生成以下证书:
- 客户端公共证书
- CA 根证书
这些证书有哪些要求?
证书必须满足以下要求:
- 生成私钥时,必须使用椭圆曲线数字签名算法 (Elliptic Curve Digital Signature Algorithm,ECDSA)。此算法是 Fabric MSP 密钥唯一接受的算法。
- 主题密钥标识符 (Subject Key Identifier,SKI) 是必需的,您必须在扩展文件中将其指明为 x509 扩展名。
- 您必须将密钥文件从 .key 转换为 .pem 格式。
- 您必须将证书从 .crt 转换为 .pem 格式。
创建证书
以下演练是如何使用 OpenSSL 或 Hyperledger Fabric cryptogen 实用程序生成证书的示例。有关所用命令的详细信息,请参阅:
要使用 OpenSSL 创建证书,请执行以下操作:
- 创建自签名 CA 证书/密钥:
我们的示例openssl ecparam -name prime256v1 -genkey -out ca.key openssl pkcs8 -topk8 -inform PEM -in ca.key -outform pem -nocrypt -out ca-key.pem openssl req -new -key ca-key.pem -out ca.csr openssl x509 -req -days 365 -in ca.csr -signkey ca-key.pem -out ca.crt -extensions x509_ext -extfile opensslca.conf openssl x509 -in ca.crt -out ca.pem -outform PEMopensslca.conf文件:[ req ] default_bits = 2048 distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only [ subject ] countryName = CN #countryName_default = US stateOrProvinceName = Beijing #stateOrProvinceName_default = NY localityName = Beijing #localityName_default = New York organizationName = thirdpartyca, LLC #organizationName_default = Example, LLC # Use a friendly name here because its presented to the user. The server's DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. If you place a DNS name here, then you # must include the DNS name in the SAN too (otherwise, Chrome and others that # strictly follow the CA/Browser Baseline Requirements will fail). commonName = thirdpartyca #commonName_default = Example Company emailAddress = ca@thirdpartyca.com # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer # You only need digitalSignature below. *If* you don't allow # RSA Key transport (i.e., you use ephemeral cipher suites), then # omit keyEncipherment because that's key transport. basicConstraints = CA:TRUE keyUsage = Certificate Sign, CRL Sign, digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. # extendedKeyUsage = serverAuth, clientAuth # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. # extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] DNS.1 = localhost DNS.2 = thirdpartyca.com #DNS.3 = mail.example.com #DNS.4 = ftp.example.com # Add these if you need them. But usually you don't want them or # need them in production. You may need them for development. # DNS.5 = localhost # DNS.6 = localhost.localdomain # DNS.7 = 127.0.0.1 - 使用上述 CA 密钥创建用户证书/密钥:
我们的示例openssl ecparam -name prime256v1 -genkey -out user.key openssl pkcs8 -topk8 -inform PEM -in user.key -outform pem -nocrypt -out user-key.pem openssl req -new -key user-key.pem -out user.csr openssl x509 -req -days 365 -sha256 -CA ca.pem -CAkey ca-key.pem -CAserial ca.srl -CAcreateserial -in user.csr -out user.crt -extensions x509_ext -extfile openssl.conf openssl x509 -in user.crt -out user.pem -outform PEMopenssl.conf文件:[ req ] default_bits = 2048 default_keyfile = tls-key.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] countryName = CN #countryName_default = US stateOrProvinceName = Beijing #stateOrProvinceName_default = NY localityName = Beijing #localityName_default = New York organizationName = thirdpartyca, LLC #organizationName_default = Example, LLC # Use a friendly name here because its presented to the user. The server's DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. If you place a DNS name here, then you # must include the DNS name in the SAN too (otherwise, Chrome and others that # strictly follow the CA/Browser Baseline Requirements will fail). commonName = admin@thirdpartyca.com #commonName_default = Example Company emailAddress = admin@thirdpartyca.com #emailAddress_default = test@example.com # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer # You only need digitalSignature below. *If* you don't allow # RSA Key transport (i.e., you use ephemeral cipher suites), then # omit keyEncipherment because that's key transport. basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. #extendedKeyUsage = Any Extended Key Usage #extendedKeyUsage = serverAuth, clientAuth # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ x509_ca_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer # You only need digitalSignature below. *If* you don't allow # RSA Key transport (i.e., you use ephemeral cipher suites), then # omit keyEncipherment because that's key transport. basicConstraints = CA:TRUE keyUsage = Certificate Sign, CRL Sign, digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. #extendedKeyUsage = Any Extended Key Usage extendedKeyUsage = serverAuth, clientAuth # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. #extendedKeyUsage = Any Extended Key Usage #extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] DNS.1 = localhost DNS.3 = 127.0.0.1 DNS.4 = 0.0.0.0 # Add these if you need them. But usually you don't want them or # need them in production. You may need them for development. # DNS.5 = localhost # DNS.6 = localhost.localdomain # DNS.7 = 127.0.0.1 # IPv6 localhost # DNS.8 = ::1
要使用 Hyperledger Fabric cryptogen 实用程序创建证书,请执行以下操作:
- 以下 cryptogen 命令用于创建 Hyperledger Fabric 密钥材料:
我们的示例cryptogen generate --config=./crypto-config.yamlcrypto-config.yaml文件:# Copyright IBM Corp. All Rights Reserved. # # SPDX-License-Identifier: Apache-2.0 # # --------------------------------------------------------------------------- # "PeerOrgs" - Definition of organizations managing peer nodes # --------------------------------------------------------------------------- PeerOrgs: # --------------------------------------------------------------------------- # Org1 # --------------------------------------------------------------------------- - Name: Org1 Domain: org1.example.com EnableNodeOUs: true # --------------------------------------------------------------------------- # "Specs" # --------------------------------------------------------------------------- # Uncomment this section to enable the explicit definition of hosts in your # configuration. Most users will want to use Template, below # # Specs is an array of Spec entries. Each Spec entry consists of two fields: # - Hostname: (Required) The desired hostname, sans the domain. # - CommonName: (Optional) Specifies the template or explicit override for # the CN. By default, this is the template: # # "{{.Hostname}}.{{.Domain}}" # # which obtains its values from the Spec.Hostname and # Org.Domain, respectively. # --------------------------------------------------------------------------- # Specs: # - Hostname: foo # implicitly "foo.org1.example.com" # CommonName: foo27.org5.example.com # overrides Hostname-based FQDN set above # - Hostname: bar # - Hostname: baz # --------------------------------------------------------------------------- # "Template" # --------------------------------------------------------------------------- # Allows for the definition of 1 or more hosts that are created sequentially # from a template. By default, this looks like "peer%d" from 0 to Count-1. # You may override the number of nodes (Count), the starting index (Start) # or the template used to construct the name (Hostname). # # Note: Template and Specs are not mutually exclusive. You may define both # sections and the aggregate nodes will be created for you. Take care with # name collisions # --------------------------------------------------------------------------- Template: Count: 2 # Start: 5 # Hostname: {{.Prefix}}{{.Index}} # default # --------------------------------------------------------------------------- # "Users" # --------------------------------------------------------------------------- # Count: The number of user accounts _in addition_ to Admin # --------------------------------------------------------------------------- Users: Count: 1 # --------------------------------------------------------------------------- # Org2: See "Org1" for full specification # --------------------------------------------------------------------------- - Name: Org2 Domain: org2.example.com EnableNodeOUs: true Template: Count: 2 Users: Count: 1
新增功能?
确认已输出并更新了正确的文件后,您可以创建证书文件以导入到 Oracle Blockchain Platform 网络中。请参见 Create an Organization's Third-Party Certificates File 。
创建组织的第三方证书文件
要加入 Oracle Blockchain Platform 网络,组织必须编写包含其 admincert 和 cacert 信息的证书文件。网络创建者导入此文件以将组织添加到网络。
转到从 CA 服务器生成的证书文件,查找创建证书文件所需的信息。请参见 Third-Party Certificate Requirements 。
证书文件必须以 JSON 格式写入,并且包含以下字段:
- mspid - 指定组织的名称。
- type - 指示组织是网络参与者。此值必须是参与者。
- admincert - 包含组织的 Admin 证书文件的内容。将证书信息复制到 JSON 文件中时,必须将每个新行替换为 \n 。
- cacert - 包含组织的 CA 证书文件的内容。将证书信息复制到 JSON 文件中时,必须将每个新行替换为 \n 。
文件的结构如下所示:
{
"mspID": "examplemspID",
"type": "Participant",
"certs": {
"admincert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n",
"cacert": "-----BEGIN CERTIFICATE-----\nexample_certificate\nexample_certificate==\n-----END CERTIFICATE-----\n"
}
}
准备使用 Oracle Blockchain Platform 网络的第三方环境
您必须先设置第三方组织的环境,然后才能使用 Oracle Blockchain Platform 网络。
确认以下先决条件任务已完成。有关信息,请参阅将具有第三方证书的组织加入到 Oracle Blockchain Platform Network 的典型工作流。
- 第三方组织的证书文件已创建并发送给 Oracle Blockchain Platform 网络创始人。
- 网络创建者上载了证书文件以将第三方组织添加到网络。
- 网络创建者导出排序器服务的设置,并将服务的地址和端口提供给第三方组织,然后组织将它们添加到环境中。
- 网络创始人创建了一个新渠道,并将第三方组织添加到其中。
- 网络创始人安装并实例化了链码。
设置组织的环境
在第三方组织成功使用 Oracle Blockchain Platform 网络之前,必须设置其环境以使用超级账本架构 CLI 或 SDK。请参阅 Hyperledger Fabric 文档。
安装链代码
第三方组织必须在对等节点上安装链代码。然后,必须将这些对等节点连接到通道,以便调用链代码。
部署链代码
如果需要,第三方组织可以在渠道上部署链代码。例如:
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/Admin@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"
### gets channel name from input###
CHANNEL_NAME=$1
echo "######### going to instantiate chaincode on channel ${CHANNEL_NAME} ##########"
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode instantiate
-o ${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile
./tls-ca.pem -C ${CHANNEL_NAME} -n obcs-example02 -v v0 -c '{"Args":["init","a","100","b","200"]}'调用链代码
第三方组织使用超级账本架构 CLI 或 SDK 调用链代码。例如:
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=$PWD/tls-ca.pem
export CORE_PEER_MSPCONFIGPATH=$PWD/crypto-config/peerOrganizations/customerorg1.com/users/User1@customerorg1.com/msp
export CORE_PEER_LOCALMSPID="customerorg1"
### gets channel name from input ###
CHANNEL_NAME=$1
#### do query or invoke on chaincode ####
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode query -C
${CHANNEL_NAME} -n $2 -c '{"Args":["query","a"]}'
CORE_PEER_ADDRESS=${peer_host}:${port} peer chaincode invoke -o
${peer_host}:${port} --tls $CORE_PEER_TLS_ENABLED --cafile ./tls-
ca.pem -C ${CHANNEL_NAME} -n $2 -c '{"Args":["invoke","a","b","10"]}'