Re: Fabric CA HSM integration #fabric-ca #hsm


Gari Singh <garis@...>

Try setting default to “pkcs11” rather than “PKCS11”

Gari Singh
978-846-7499



On Jun 26, 2019, at 2:08 AM, florian.pautot <flpautot@...> wrote:

Hello,
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources, with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:

bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/lib/libcs_pkcs11_R2.so
        Pin: 123456789
        SensitiveKeys: true
        SoftwareVerify: true
        Label: Hyperledger Slot
        Hash: SHA2
        Security: 256
If I use this config, my CA crashes with the following error:

2019/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to configure the CA with the ENV vars, I use this:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/libcs_pkcs11_R2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=Hyperledger Slot
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=*********
- FABRIC_CA_SERVER_BCCSP_PKCS11_SENSITIVEKEYS=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_SOFTWAREVERIFY=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_HASH=SHA2
- FABRIC_CA_SERVER_BCCSP_PKCS11_SECURITY=256
But when the CA launches, it still uses the default configuration with the SW config, and does not take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so the problem does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
Florian
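An added config checker (not part of this thread or of Fabric CA) that overlays the FABRIC_CA_SERVER_BCCSP_* environment variables on the file's bccsp section the way a viper-style loader does and reports the problems discussed above; it assumes the YAML has already been loaded into a dict and that the library path check runs on the CA host.

```python
import os

# Constructed sample: the bccsp section of fabric-ca-server-config.yaml as a
# nested dict (assumption: the YAML was already loaded by a YAML parser).
FILE_BCCSP = {
    "default": "PKCS11",
    "pkcs11": {"Library": "/usr/local/lib/libcs_pkcs11_R2.so", "Pin": "123456789",
               "SensitiveKeys": True, "SoftwareVerify": True,
               "Label": "Hyperledger Slot", "Hash": "SHA2", "Security": 256},
}
ENV_PREFIX = "FABRIC_CA_SERVER_BCCSP_"

def effective_bccsp(file_cfg, env):
    """Overlay FABRIC_CA_SERVER_BCCSP_* env vars on the file section.
    Keys are lower-cased so file 'Library' and env LIBRARY are one setting."""
    cfg = {"default": file_cfg.get("default", "SW"), "pkcs11": {}}
    for key, value in file_cfg.get("pkcs11", {}).items():
        cfg["pkcs11"][key.lower()] = value
    for name, value in env.items():  # env wins over the file, viper-style
        if not name.startswith(ENV_PREFIX):
            continue
        rest = name[len(ENV_PREFIX):]
        if rest == "DEFAULT":
            cfg["default"] = value
        elif rest.startswith("PKCS11_"):
            cfg["pkcs11"][rest[len("PKCS11_"):].lower()] = value
    return cfg

def audit_bccsp(file_cfg, env, lib_exists=os.path.exists):
    """Return (effective config, findings) for an HSM-backed fabric-ca-server."""
    cfg = effective_bccsp(file_cfg, env)
    findings = []
    if cfg["default"] != "pkcs11":  # per the reply above: 'pkcs11', not 'PKCS11'
        findings.append(f"default is {cfg['default']!r}; expected 'pkcs11'")
    p11 = cfg["pkcs11"]
    if not p11.get("library"):
        findings.append("pkcs11.library is not set")
    elif not lib_exists(p11["library"]):
        findings.append(f"pkcs11.library {p11['library']} not found on this host")
    if not p11.get("label"):
        findings.append("pkcs11.label is empty; no token can be selected")
    # A PIN in the YAML is a secret at rest; prefer the env var or a mounted file.
    if any(k.lower() == "pin" for k in file_cfg.get("pkcs11", {})):
        findings.append("pkcs11.pin is stored in the config file")
    return cfg, findings

if __name__ == "__main__":
    cfg, findings = audit_bccsp(FILE_BCCSP, os.environ)
    print("effective default:", cfg["default"], *findings, sep="\n")
```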
