Re: #fabric-ca #fabric-ca

Nick Frunza
 

Another question is how to generate the client key and cert, and do both key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?

nik

On Thu, Mar 28, 2019 at 8:33 AM Nick Frunza <nfrunza@...> wrote:
Thanks for the prompt reply. We are trying to use a fabric sample that has mutual TLS enabled with HLExplorer as a client, but it looks like fabric doesn't provide one, so we will have to modify the balance transfer client in order to use mutual TLS.

Another question is how to generate the client key and cert, and do both key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?

nik


On Thu, Mar 28, 2019 at 3:23 AM Vishal <vishal3152@...> wrote:
Hi Nick,

The error message clearly says that the server (peer) did not receive the correct client certificate.
I assume along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set below env variables correctly
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES =  CA certificate
  • CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
  • CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use the fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind RSA keys are not supported by fabric.

You have to assign these certificates to client instance as well. I prefer to do it this way. 

 
I would have used curl to verify 2way tls authentication configuration, if it was https.
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com


Furthermore, you may check out this blog, could be of some help.

Kind regards
Vishal Yadav



On Thu, Mar 28, 2019 at 1:07 AM Nick Frunza <nfrunza@...> wrote:
Hello,

Are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true ?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik



--
Nik Frunza



--
Nik Frunza

Re: #fabric-ca #fabric-ca

Nick Frunza
 

Thanks for the prompt reply. We are trying to use a fabric sample that has mutual TLS enabled with HLExplorer as a client, but it looks like fabric doesn't provide one, so we will have to modify the balance transfer client in order to use mutual TLS.

Another question is how to generate the client key and cert, and do both key and cert need to be registered on the fabric-ca server? It is not clear, and what type of tools can we use to generate both?

nik


On Thu, Mar 28, 2019 at 3:23 AM Vishal <vishal3152@...> wrote:
Hi Nick,

The error message clearly says that the server (peer) did not receive the correct client certificate.
I assume along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set below env variables correctly
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES =  CA certificate
  • CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
  • CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use the fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind RSA keys are not supported by fabric.

You have to assign these certificates to client instance as well. I prefer to do it this way. 

 
I would have used curl to verify 2way tls authentication configuration, if it was https.
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com


Furthermore, you may check out this blog, could be of some help.

Kind regards
Vishal Yadav



On Thu, Mar 28, 2019 at 1:07 AM Nick Frunza <nfrunza@...> wrote:
Hello,

Are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true ?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik



--
Nik Frunza

Re: Error while Install the Fabric CA

Raj Shekhar Bhardwaj
 

Hi,

Please use below repo for better understanding as video reference is also present for it.
Youtube video link for reference- https://www.youtube.com/watch?v=ubrA3W1JMk0&t=1280s

Please let me know if you find any issues.

On Thu, Mar 28, 2019 at 2:57 PM <smitalchaudhari21@...> wrote:
Hello All,

I am new to the Hyperledger Fabric framework.
My component details are:
Kubernetes v1.11.0+d4cacc0 and OKD v3.11.0+d0c29df-98 (openshift web console)
helm version Client: {SemVer:"v2.13.0"} Server: {SemVer:"v2.13.0"} with oc v1.5.1+7b451fc on windows 10,
Kubectl tool for Fabric configuration Client Version: {Major:"1", Minor:"11+", GoVersion:"go1.10.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: {Major:"1", Minor:"11+",GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Currently I am using https://github.com/aidtechnology/lf-k8s-hlf-webinar steps for the Hyperledger Fabric configuration.
When I installed the Fabric CA chart (it automatically creates a postgresql database) with command "helm install stable/hlf-ca -n ca --namespace blockchain -f ./helm_values/ca_values.yaml"
 it displays the following errors:
 1)ca-postgresql
 create Pod ca-postgresql-0 in StatefulSet ca-postgresql failed error: pods "ca-postgresql-0" is forbidden:
 unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group spec.initContainers[0].securityContext.securityContext.runAsUser:
 Invalid value: 0: must be in the ranges: [1001380000, 1001389999] spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001380000, 1001389999]]
 
 2)pod ca-hlf-ca
 0/1 nodes are available: 1 node(s) didn't match pod affinity rules, 1 node(s) didn't match pod affinity/anti-affinity.
 
Pods are in pending status.

Regards,
Smita

Re: Does Fabric really need BFT consensus? #fabric

Sergey Fedorov
 

Hi Xiang,

On 3/26/19 9:48 AM, Xiang Wang wrote:
The worst result of Byzantine behavior in non-BFT consensus (such as Kafka/Raft based consensus) seems to be similar to the result of DoS attack.
Apart from DoS, another concern could be that a Byzantine leader (primary) in CFT consensus could make different ordering nodes deliver different series of blocks. This inconsistency might open up possibility to do more harm than purely DoS attack, I guess.

Kind regards,
Sergey

Read and write private data in the same transaction #fabric #fabric-questions

florian.pautot
 

Hi all,
We are currently developing a chaincode where we need to write and read private data at the same time in the same transaction. 
We need to have P2P transactions between two orgs, and for that we defined a single channel with several collections. For now we have a collection between Org1 and Org2.

We have element A:
A = {
 A,
 B
}

and Element B:
B = {
X,
Y
}

The process is the following:
1 - Invoke to set Element A
2 - Before doing the PutPrivateData on A, we need to retrieve B.X to be able to set A.A. So we query B.
3 - After querying B we now can set A.A
4 - We do the PutPrivateData on A

The problem is that, while doing the PutPrivateData on A, we get the following error:
2019-03-27 18:35:29.334 UTC [shim] handlePutState -> ERRO 031 [103b05c6] Received ERROR. Payload: PUT_STATE failed: transaction ID: 103b05c644e025e82256d0ca89473b8f8d737bb7d0156710ff425799d644d1a8: txid [103b05c644e025e82256d0ca89473b8f8d737bb7d0156710ff425799d644d1a8]: Transaction has already performed queries on pvt data. Writes are not allowed
2019-03-27 18:35:29.335 UTC [CHAINCODE] Error -> ERRO 032 setA- Error putting history data : PUT_STATE failed: transaction ID: 103b05c644e025e82256d0ca89473b8f8d737bb7d0156710ff425799d644d1a8: txid [103b05c644e025e82256d0ca89473b8f8d737bb7d0156710ff425799d644d1a8]: Transaction has already performed queries on pvt data. Writes are not allowed

Did you guys ever encounter this problem? And if yes, how did you manage this?
Is this a good way to manage p2p privacy with one channel and several collections? Or should we do p2p channels with public data? And in that case, doesn't it induce some privacy issues?
Thank you for your help.
Kind regards,
Florian

Error while Install the Fabric CA

smitalchaudhari21@...
 

Hello All,

I am new to the Hyperledger Fabric framework.
My component details are:
Kubernetes v1.11.0+d4cacc0 and OKD v3.11.0+d0c29df-98 (openshift web console)
helm version Client: {SemVer:"v2.13.0"} Server: {SemVer:"v2.13.0"} with oc v1.5.1+7b451fc on windows 10,
Kubectl tool for Fabric configuration Client Version: {Major:"1", Minor:"11+", GoVersion:"go1.10.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: {Major:"1", Minor:"11+",GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Currently I am using https://github.com/aidtechnology/lf-k8s-hlf-webinar steps for the Hyperledger Fabric configuration.
When I installed the Fabric CA chart (it automatically creates a postgresql database) with command "helm install stable/hlf-ca -n ca --namespace blockchain -f ./helm_values/ca_values.yaml"
 it displays the following errors:
 1)ca-postgresql
 create Pod ca-postgresql-0 in StatefulSet ca-postgresql failed error: pods "ca-postgresql-0" is forbidden:
 unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group spec.initContainers[0].securityContext.securityContext.runAsUser:
 Invalid value: 0: must be in the ranges: [1001380000, 1001389999] spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001380000, 1001389999]]
 
 2)pod ca-hlf-ca
 0/1 nodes are available: 1 node(s) didn't match pod affinity rules, 1 node(s) didn't match pod affinity/anti-affinity.
 
Pods are in pending status.

Regards,
Smita

Re: #fabric-ca #fabric-ca

Vishal
 

Hi Nick,

The error message clearly says that the server (peer) did not receive the correct client certificate.
I assume along with CORE_PEER_TLS_CLIENTAUTHREQUIRED = true, you have set below env variables correctly
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES =  CA certificate
  • CORE_PEER_TLS_CLIENTCERT_FILE = client certificate
  • CORE_PEER_TLS_CLIENTKEY_FILE = client key
You may use the fabric-ca to generate these client certificates. If you wish to use OpenSSL to generate client certs, keep in mind RSA keys are not supported by fabric.

You have to assign these certificates to client instance as well. I prefer to do it this way. 

 
I would have used curl to verify 2way tls authentication configuration, if it was https.
curl -v --cacert ./ca.crt --key ./client.key --cert ./client.crt https://abc.com


Furthermore, you may check out this blog, could be of some help.

Kind regards
Vishal Yadav



On Thu, Mar 28, 2019 at 1:07 AM Nick Frunza <nfrunza@...> wrote:
Hello,

Are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true ?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik
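
The server-side check discussed in the message above, as an added example in Go (not code from the thread or from Fabric): an HTTPS test server that requires a client certificate signed by a trusted CA, tried with an ECDSA client certificate from that CA, one from another CA, and none. `issue`, `request`, `demo` and the certificate names are constructed for this example; the `crypto/tls` settings play the role of CORE_PEER_TLS_CLIENTAUTHREQUIRED and CORE_PEER_TLS_CLIENTROOTCAS_FILES, and ECDSA keys are used because the reply notes RSA keys are not supported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue makes an ECDSA P-256 key and certificate: a self-signed CA when parent is
// nil, otherwise a client-auth leaf signed by parent. All names are constructed.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// request starts an HTTPS test server that requires a client certificate signed by ca,
// sends one GET with the given client certificate (if any), and returns the client's error.
func request(ca tls.Certificate, client ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	hc := srv.Client() // already trusts the test server's own certificate
	hc.Transport.(*http.Transport).TLSClientConfig.Certificates = client
	resp, err := hc.Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo returns the result for a trusted, an untrusted and a missing client certificate.
func demo() (trusted, untrusted, missing error) {
	ca, rogue := issue("org-ca", nil), issue("rogue-ca", nil)
	good, bad := issue("client", &ca), issue("client", &rogue)
	return request(ca, good), request(ca, bad), request(ca)
}

func main() { fmt.Println(demo()) }
```

Only the first request completes; the other two fail during or right after the TLS handshake, and the test server logs the handshake error on its side.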

Re: adding data to hyperledger fabric in Bulk

Mohammad Ghasletwala
 

Please understand this is immutable DLT. Each transaction or block is linked to each other.
In Fabric chaincode is Smart Contract.
There is no concept or possibility of bulk data loading. This is no RDBMS.
You have to send as many number of transactions if you intend to add previous data as well into ledger.
Otherwise it is just one transaction.
Also understand that you cannot have a temporary chaincode just to load data and then replace it by some other chaincode. You have to properly manage chaincode version.
Even historical data should go through proper endorsement and consensus.

Regards
Mohammad

[Interop]Weekly meeting reminder EDT 9:00am, UTC 3/28/19 13PM due to time change

Tong Li
 

Just a reminder that our weekly meeting is now at 9:00am on Thursday EDT. Which is UTC Thursday 13:00pm and Beijing time Thursday 9:00pm. Thanks.

Tong Li
IBM Open Technology

[Interop]Weekly meeting reminder EDT 9:00am, UTC 3/28/19 13PM

Tong Li
 

Just a reminder that our weekly meeting is now at 9:00am on Thursday EDT. Which is UTC Thursday 13:00pm and Beijing time Thursday 9:00pm. Thanks.

Tong Li
IBM Open Technology

#fabric-ca #fabric-ca

Nick Frunza
 

Hello,

Are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true ?
I enabled balance transfer with Mutual TLS, but it fails when running testAPI.sh with error:

2019-03-27T20:57:05.419Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
[2019-03-27 16:57:05.419] [ERROR] Query - Error: Failed to connect before the deadline URL:grpcs://localhost:7051
    at checkState (/home/mn/git/fabric-network/fabric-samples/balance-transfer/node_modules/grpc/src/client.js:720:16)
E0327 16:57:10.541722858    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.

E0327 16:57:10.541763890    7375 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0327 16:57:12.156285882    7375 ssl_transport_security.cc:219] ssl_info_callback: error occured.


thank you

Nik

Re: adding data to hyperledger fabric in Bulk

Raj Bandhakavi <raj@...>
 

From what I understand, I need to give 1000 key value pairs as 1000 arguments to a single peer invoke command. 
And write a put state for each key value pair in the chaincode. This is faster as there is only one database interaction.
Thank you for your suggestion

Re: adding data to hyperledger fabric in Bulk

David Enyeart
 

You could for example pass 1000 keys/values to the chaincode invoke and the chaincode does 1000 PutStates() in a single transaction. Repeat until done.
On the endorsing side, it doesn't actually update state database. On the validation/commit side, it will do a single bulk update in one database interaction. Therefore, this will be an efficient batching approach, but will still keep block sizes reasonable.


Dave Enyeart


From: "Raj Bandhakavi" <raj@...>
To: fabric@...
Date: 03/27/2019 10:03 AM
Subject: Re: [Hyperledger Fabric] adding data to hyperledger fabric in Bulk
Sent by: fabric@...





[Edited Message Follows]

Could you please elaborate?
I am writing chaincode in Node JS and I know that put_state can input a key value pair.
How is it possible to add key value pair in bulk or in a single transaction?
Is there some other built function like put_state or am I missing something here?
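
The batching approach described in the reply above, as an added example in Go (not code from the thread or from Fabric): one invoke carries many key/value pairs, the chaincode validates all of them and then calls PutState once per pair, and the client repeats with the next batch. `LoadBatch`, `Chunk`, `StateWriter`, `MaxPairs` and the in-memory `writeSet` stub are names assumed for this example; in real chaincode the shim's stub would be passed in place of `writeSet`.

```go
package main

import "fmt"

// MaxPairs caps one invoke; 1000 is the batch size mentioned in the thread.
const MaxPairs = 1000

// StateWriter is the single stub method used here; the Go chaincode shim's stub
// offers PutState with this signature.
type StateWriter interface {
	PutState(key string, value []byte) error
}

// LoadBatch takes args as key1, value1, key2, value2, ... and issues one PutState per
// pair. The caller returns any error from the invoke so the transaction fails as a whole.
func LoadBatch(stub StateWriter, args []string) (int, error) {
	if n := len(args); n == 0 || n%2 != 0 || n/2 > MaxPairs {
		return 0, fmt.Errorf("want 1..%d key/value pairs, got %d arguments", MaxPairs, n)
	}
	seen := make(map[string]bool, len(args)/2)
	for i := 0; i < len(args); i += 2 { // validate every key before the first write
		if args[i] == "" || seen[args[i]] {
			return 0, fmt.Errorf("pair %d: empty or duplicate key %q", i/2, args[i])
		}
		seen[args[i]] = true
	}
	for i := 0; i < len(args); i += 2 {
		if err := stub.PutState(args[i], []byte(args[i+1])); err != nil {
			return 0, fmt.Errorf("PutState %q: %w", args[i], err)
		}
	}
	return len(args) / 2, nil
}

// Chunk splits a flat key, value, ... list into invoke-sized argument lists (client side).
func Chunk(flat []string, pairs int) [][]string {
	var out [][]string
	for len(flat) > 2*pairs {
		out, flat = append(out, flat[:2*pairs]), flat[2*pairs:]
	}
	return append(out, flat)
}

// writeSet is a constructed in-memory stand-in for the stub; it only records writes.
type writeSet map[string][]byte

func (w writeSet) PutState(k string, v []byte) error {
	w[k] = v
	return nil
}

// demo loads 2500 constructed pairs and returns (transactions sent, keys written).
func demo() (txs, keys int) {
	var flat []string
	for i := 0; i < 2500; i++ {
		flat = append(flat, fmt.Sprintf("key%04d", i), fmt.Sprintf("value%d", i))
	}
	ws := writeSet{}
	for _, args := range Chunk(flat, MaxPairs) {
		if _, err := LoadBatch(ws, args); err != nil {
			panic(err)
		}
		txs++
	}
	return txs, len(ws)
}

func main() { fmt.Println(demo()) }
```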



Re: adding data to hyperledger fabric in Bulk

Raj Bandhakavi <raj@...>
 
Edited

Could you please elaborate? 
I am writing chaincode in Node JS and I know that put_state can input a key value pair. 
How is it possible to add key value pair in bulk or in a single transaction?
Is there some other built function like put_state  or am I missing something here?

ChaincodeInfo.id (ChaincodeDeploymentSpec.code_package) is generated by what? Chaincode fingerprint mismatch ERRO #fabric #fabric-questions

wanggang <wanggang-info@...>
 

Hi, all.


info:
hyperledger/fabric  1.2.1
os: redhat 7.4 & centos7

problem: add a new org, but the installed chaincode cannot be deployed ( chaincode fingerprint mismatch )

personal guess:

the actions of installing chaincode  are not the same day, thus chaincode unique id is different.






My hyperledger/fabric network has a new organization to add.

So, I use fabric-ca server to register and enroll the-new-org's msp for its peers and clients.
Then,  update channel,  install a new version of chaincode and  update chaincode on one peer of original org.

BUT, on the new org's server, the info of the chaincode installed is different from the original org. AND got "Chaincode fingerprint mismatch ERRO"

I need help about ChaincodeInfo.id . ChaincodeInfo.id is different between the new org and the original.
But, I cannot find the code about how to generate ChaincodeDeploymentSpec.code_package (ChaincodeInfo.id ).

In query.proto, I know that:
// the chaincode unique id.
// computed as: H(
// H(name || version) ||
// H(CodePackage)
// )
And, in chaincode_support_test.go code_package is set by getTarGZ
tr.WriteHeader(&tar.Header{Name: name, Size: size, ModTime: startTime, AccessTime: startTime, ChangeTime: startTime})
 


BUT why  those are not the same in the two orgs' server? What environment can give effect to change the id?

here is the difference (I think):

  • chaincode name
  • chaincode version
  • chaincode path
  • chaincode code folder's owner & group (I tested this,  this can change chaincode unique id, but why??? )
  • I guess, that time of cc directory can change this id???



I will do the test that installing chaincode in the same time with the same mod_time of directory to check the id of cc will be the same or not in the next day.
So,  the detail of generating the id of chaincode is what?
AND why to do this limitation in fabric architecture design?
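
An added example in Go (not Fabric's code and not from the post) showing why the observations above are consistent with the quoted formula: a tar header stores modification time and owner, so archives of identical source packed on different days or by different users have different bytes and therefore a different H(CodePackage). It assumes SHA-256 for H and a plain tar archive as the code package; `pack`, `normalize`, `fingerprint`, the chaincode name `mycc`, version `1.0` and the file path are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// pack archives one file; the tar header records modification time and owner in
// addition to the file name and content.
func pack(name string, body []byte, mtime time.Time, uid, gid int) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	check(tw.WriteHeader(&tar.Header{Name: name, Mode: 0644, Size: int64(len(body)),
		ModTime: mtime, Uid: uid, Gid: gid}))
	_, err := tw.Write(body)
	check(err)
	check(tw.Close())
	return buf.Bytes()
}

// normalize rewrites an archive keeping only name, type, mode and content, so the
// bytes no longer depend on when or by whom the files were written.
func normalize(archive []byte) []byte {
	var buf bytes.Buffer
	tr, tw := tar.NewReader(bytes.NewReader(archive)), tar.NewWriter(&buf)
	for {
		h, err := tr.Next()
		if err == io.EOF {
			break
		}
		check(err)
		check(tw.WriteHeader(&tar.Header{Typeflag: h.Typeflag, Name: h.Name, Mode: h.Mode,
			Size: h.Size, ModTime: time.Unix(0, 0)}))
		_, err = io.Copy(tw, tr)
		check(err)
	}
	check(tw.Close())
	return buf.Bytes()
}

// fingerprint follows the query.proto comment quoted above; SHA-256 as H is an assumption.
func fingerprint(name, version string, codePackage []byte) string {
	nv, cp := sha256.Sum256([]byte(name+version)), sha256.Sum256(codePackage)
	id := sha256.Sum256(append(nv[:], cp[:]...))
	return hex.EncodeToString(id[:])
}

// demo packs identical source twice (constructed values: a day apart, different owner).
func demo() (rawEqual, normalizedEqual bool) {
	src, day1 := []byte("package main\n"), time.Unix(1553731200, 0)
	a := pack("src/cc/main.go", src, day1, 1000, 1000)
	b := pack("src/cc/main.go", src, day1.Add(24*time.Hour), 1001, 1001)
	rawEqual = fingerprint("mycc", "1.0", a) == fingerprint("mycc", "1.0", b)
	normalizedEqual = fingerprint("mycc", "1.0", normalize(a)) == fingerprint("mycc", "1.0", normalize(b))
	return
}

func main() { fmt.Println(demo()) }
```

The two raw archives give different fingerprints while the normalized ones match, which is why distributing one already-built package to every org avoids the mismatch.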

Re: Hyperledger node SDK example to query\invoke TLS enabled peer

Prasanth Sundaravelu
 

Hi Suhan,

You should only need to make changes in the connection.json file if your peers are enabled with TLS (and Mutual TLS is not enabled - "clientAuthRequired = false").
You need to give path to tlsCACert or the cert itself in the connection.json file + you need to change the address protocol from "grpc / http"  to "grpcs / https". The "grpcOptions" field might also be required.
This link has details about defining the connection profile.
https://hyperledger-fabric.readthedocs.io/en/release-1.4/developapps/connectionprofile.html#structure

This link might also help, even though it is for Composer:
https://hyperledger.github.io/composer/v0.19/reference/connectionprofile


Hope this helps.

Hyperledger node SDK example to query\invoke TLS enabled peer

Suhan Sumeet
 

Hello Team,

Is there an example for node SDK that shows how to connect to TLS enabled peers for query\invoke of chaincode?

Regards,
Sunil Suseelan

Re: adding data to hyperledger fabric in Bulk

Morgan Bauer <mbauer@...>
 

The chaincode has to take multiple inputs and load them all in a single transaction.

On 3/26/19 6:57 PM, Raj Bandhakavi wrote:
 What is the best way to add key value pairs to the hyperledger fabric network in bulk? I have tried adding data from the CLI but using the "peer chaincode invoke" command to add a single key value pair does not seem to be efficient. 

adding data to hyperledger fabric in Bulk

Raj Bandhakavi <raj@...>
 
Edited

What is the best way to add key value pairs to the hyperledger fabric network in bulk? I have tried adding data from the CLI but using the "peer chaincode invoke" command to add a single key value pair and looping over all key value pairs does not seem to be efficient. 

Re: Does Fabric really need BFT consensus? #fabric

Xiang Wang <wangxiang19870507@...>
 

Hi Marko,
Thanks for the reply.
For example, the current blockchain height is 4, and "client" should generate block5. But a Byzantine client may jump over block5 and generate block6, block7,...
In this case, there will never be a chance for a new block to be committed and hence no transaction can be committed.

I understand the client's Byzantine behavior is out of the BFT's scope. However, in the blockchain scenario, the costs/possibilities of client's and primer's/leader's Byzantine behaviors seems to be equal.
That's why I am thinking about whether we really need BFT consensus in a permissioned blockchain scenario.

Best Regards,
Xiang

On Tue, Mar 26, 2019 at 4:57 PM, Marko Vukolic <mvu@...> wrote:

Which client side (replacing your "BFT-feeder" with "client") DoS attacks worry you?

BFT protocols go long way to protect against protocol-specific DoS, which are to be used in conjunction with generic, network level DoS protection.

Best,
Marko



From:        "Xiang Wang" <wangxiang19870507@...>
To:        fabric@...
Date:        26/03/2019 09:48
Subject:        [Hyperledger Fabric] Does Fabric really need BFT consensus? #fabric
Sent by:        fabric@...




Dear community,

I am thinking whether BFT consensus is really necessary in the Blockchain scenario.
The worst result of Byzantine behavior in non-BFT consensus (such as Kafka/Raft based consensus) seems to be similar to the result of DoS attack.
It's true that BFT consensus can handle the primer's Byzantine behavior.
However, the BFT-feeder's (which feeds message, in Fabric, it may contain the block) Byzantine behavior can also lead to the result of DoS attack.

In short,
If use Raft, either Raft-feeder's Byzantine behavior or Raft-leader Byzantine behavior can cause the result similar to the DoS attack result.
If use BFT, BFT-feeder's Byzantine behavior can also cause the result similar to the DoS attack result.
And the expenses of causing Raft-feeder's, Raft-leader's, BFT-feeder's Byzantine behavior seem to be the same.
So switching to BFT makes me feel,
fixing a leaking bucket, we are not fixing the lowest hole. And the xxx-feeder is the "hole" here.

Looking forward to your insights!

Best Regards,
Xiang