Fabric CA HSM integration #fabric-ca #hsm


florian.pautot <flpautot@...>
 

Hello,
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources, with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:

bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/lib/libcs_pkcs11_R2.so
        Pin: *********
        SensitiveKeys: true
        SoftwareVerify: true
        Label: Hyperledger Slot
        Hash: SHA2
        Security: 256
If I use this config, my CA crashes with the following error:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to config the CA with the ENV var, I use this:
FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/libcs_pkcs11_R2.so
FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=Hyperledger Slot
FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=*********
FABRIC_CA_SERVER_BCCSP_PKCS11_SENSITIVEKEYS=true
FABRIC_CA_SERVER_BCCSP_PKCS11_SOFTWAREVERIFY=true
FABRIC_CA_SERVER_BCCSP_PKCS11_HASH=SHA2
FABRIC_CA_SERVER_BCCSP_PKCS11_SECURITY=256
But when the CA launches, it still uses the default configuration with the SW config, and does not take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so it does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
Florian
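The failure above ("Could not find default `PKCS11` BCCSP") is the shape you get when `bccsp.default` names a provider whose options block the server cannot see. The script below is an added example, not from the original post or from the Fabric CA project: it reads a `bccsp:` block with a minimal indentation-based parser (an assumption made to keep it dependency-free; a real deployment would use a full YAML parser), checks that the named default provider has a matching options block with the keys a PKCS11 provider needs and that the library path exists, and flattens the block into the `FABRIC_CA_SERVER_BCCSP_*` names shown in the post with the PIN redacted, so the output can be shared in a ticket without leaking the HSM credential. The sample config and the PIN in it are constructed.

```python
"""Sanity-check a Fabric CA `bccsp:` block before starting the server."""
import os

# Constructed sample in the nesting the server expects: `default` and the
# `pkcs11:` options block are both children of `bccsp:`.
SAMPLE_CONFIG = """\
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/lib/libcs_pkcs11_R2.so
    Pin: 98765432
    Label: Hyperledger Slot
    SensitiveKeys: true
    SoftwareVerify: true
    Hash: SHA2
    Security: 256
"""

# Keys a PKCS11 provider cannot work without (taken from the post's config).
REQUIRED_PKCS11_KEYS = {"library", "pin", "label"}


def parse_bccsp(text):
    """Parse a `bccsp:` section into {'default': str, '<provider>': {key: value}}.

    Minimal two-level parser (assumption): top-level `bccsp:`, scalar or
    mapping children at indent 2, scalar grandchildren deeper than that.
    Keys are lower-cased because the server matches them case-insensitively
    in the env-var form.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if indent == 0:
            if key != "bccsp":
                raise ValueError("expected a top-level 'bccsp:' block")
            continue
        if indent == 2:
            if value:
                result[key] = value
                current = None
            else:
                result[key] = {}
                current = key
        elif indent > 2 and current is not None:
            result[current][key] = value
        else:
            raise ValueError("unexpected indentation: %r" % raw)
    return result


def check_bccsp(cfg, library_exists=os.path.exists):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    default = cfg.get("default")
    if not default:
        problems.append("bccsp.default is not set")
        return problems
    opts = cfg.get(default.lower())
    if not isinstance(opts, dict):
        # Same situation the server reports as "Could not find default ... BCCSP":
        # a provider is named but its options block is missing or mis-nested.
        problems.append("no '%s:' options block for default provider %s"
                        % (default.lower(), default))
        return problems
    if default.upper() == "PKCS11":
        missing = sorted(REQUIRED_PKCS11_KEYS - set(opts))
        if missing:
            problems.append("pkcs11 block is missing keys: %s" % ", ".join(missing))
        lib = opts.get("library")
        if lib and not library_exists(lib):
            problems.append("pkcs11 library %s not found" % lib)
    return problems


def to_env(cfg, prefix="FABRIC_CA_SERVER_BCCSP"):
    """Flatten the block into env-var names like the post's, redacting the PIN."""
    env = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            for sub, subval in value.items():
                name = "%s_%s_%s" % (prefix, key.upper(), sub.upper())
                env[name] = "<redacted>" if sub == "pin" else subval
        else:
            env["%s_%s" % (prefix, key.upper())] = value
    return env


if __name__ == "__main__":
    cfg = parse_bccsp(SAMPLE_CONFIG)
    for problem in check_bccsp(cfg):
        print("PROBLEM:", problem)
    for name, value in sorted(to_env(cfg).items()):
        print("%s=%s" % (name, value))
```

Run it against the real fabric-ca-server-config.yaml by replacing `SAMPLE_CONFIG` with the file's `bccsp:` section; a reported problem points at the block the server will refuse, while a clean run with the library present narrows the search to how the server is being told to read the config.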
