Re: Fabric CA HSM integration #fabric-ca #hsm


Hi florian,
What version of fabric-ca source code are you using?
From the following line in the error message you pasted, it indicates that pkcs11 was not actually enabled when fabric-ca-server was built:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
Otherwise it will look like this:
2019/06/27 03:04:29 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000078b00 PluginOpts:<nil> Pkcs11Opts:<nil>}
You can see a "Pkcs11Opts" appear here (in my case I didn't specify pkcs11 options in my config yaml so it's nil).
This happened in an old version of fabric because the pkcs11 tag you specified in your command was not actually passed when you build the docker image rather than building the native binary, but I'm seeing this has been fixed in the latest version 2.0.0 code.
Hu Xiang Dong (胡香冬)
IBM Blockchain Platform development
China Systems Lab
Email: huxd@...

----- Original message -----
From: "Gari Singh" <garis@...>
Sent by: fabric@...
To: "florian.pautot" <flpautot@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Fabric CA HSM integration #fabric-ca
Date: Wed, Jun 26, 2019 6:05 PM
Try setting default to “pkcs11” rather than “PKCS11”
Gari Singh

On Jun 26, 2019, at 2:08 AM, florian.pautot <flpautot@...> wrote:
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources, with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:
default: PKCS11
Library: /usr/local/lib/
Pin: 123456789
SensitiveKeys: true
SoftwareVerify: true
Label: Hyperledger Slot
Hash: SHA2
Security: 256
If I use this config, my CA crashes with the following error:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to config the CA with the ENV var, I use this:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
But when the CA launches, it still uses the default configuration with the SW config, and does take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so it does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
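
Added example (not part of the thread and not Fabric CA code): a Python check that applies the observation from the reply above to the "Initializing BCCSP" debug line, reporting whether the binary was built with the pkcs11 tag and which provider is selected. The function names and verdict strings are hypothetical, the two sample lines are the ones quoted in the thread, and treating the presence of a Pkcs11Opts field as the sign of a pkcs11 build is an assumption taken from that reply.

```python
import re

# Matches the struct dump fabric-ca-server prints at DEBUG level, e.g.
#   [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0x... PluginOpts:<nil>}
BCCSP_LINE = re.compile(r"Initializing BCCSP: &\{(?P<body>[^}]*)\}")


def parse_bccsp_line(line):
    """Return the struct fields of one 'Initializing BCCSP' line, or None."""
    match = BCCSP_LINE.search(line)
    if not match:
        return None
    fields = {}
    for token in match.group("body").split():
        name, sep, value = token.partition(":")
        if sep:
            fields[name] = value
    return fields


def diagnose(log_text):
    """Classify every BCCSP initialization line found in log_text."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_bccsp_line(line)
        if fields is None:
            continue
        provider = fields.get("ProviderName", "")
        # Assumption from the thread: the field only exists in pkcs11 builds.
        built = "Pkcs11Opts" in fields
        if not built:
            verdict = "built-without-pkcs11"
        elif provider.upper() == "PKCS11":
            verdict = "pkcs11-selected"
        else:
            verdict = "pkcs11-built-sw-selected"
        findings.append({
            "provider": provider,
            "pkcs11_built": built,
            "pkcs11_opts_set": built and fields["Pkcs11Opts"] != "<nil>",
            "verdict": verdict,
        })
    return findings


# The two log lines quoted in the thread, unchanged.
SAMPLE_LOG = """\
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/27 03:04:29 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000078b00 PluginOpts:<nil> Pkcs11Opts:<nil>}
"""
```

Calling diagnose() on the server's startup log with debug logging enabled returns one finding per BCCSP initialization line; any verdict other than "pkcs11-selected" means the CA is not set up to use the HSM.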


