
Re: #hsm #raft Raft and HSM in the same network #hsm #raft

Jean-Gaël Dominé <jgdomine@...>
 

Is it planned in some future release to fix this (2.x.x)?


Re: #hsm #raft Raft and HSM in the same network #hsm #raft

Yacov
 

It was not implemented



From:        "Jean-Gaël Dominé" <jgdomine@...>
To:        fabric@...
Date:        12/06/2019 08:53 PM
Subject:        [EXTERNAL] Re: [Hyperledger Fabric] #hsm #raft Raft and HSM in the same network
Sent by:        fabric@...




Thanks for the feedback.

But why is that? Technical limit? Something not implemented yet?
Because from what I understood, the private keys should not be directly on the component's file system, and that was the whole point of having an HSM to store the private keys so that they do not get out of it.

But maybe I'm wrong in my comprehension and if so please explain.

Thank you




Re: #hsm #raft Raft and HSM in the same network #hsm #raft

Jean-Gaël Dominé <jgdomine@...>
 

Thanks for the feedback.

But why is that? Technical limit? Something not implemented yet?
Because from what I understood, the private keys should not be directly on the component's file system, and that was the whole point of having an HSM to store the private keys so that they do not get out of it.

But maybe I'm wrong in my comprehension and if so please explain.

Thank you


Re: #hsm #raft Raft and HSM in the same network #hsm #raft

Yacov
 

You can't use HSM to store TLS keys.



From:        "Jean-Gaël Dominé" <jgdomine@...>
To:        fabric@...
Date:        12/06/2019 03:55 PM
Subject:        [EXTERNAL] [Hyperledger Fabric] #hsm #raft Raft and HSM in the same network
Sent by:        fabric@...




Hi everyone,

I'm currently trying to set up a network using Raft and HSM. Before adding HSM, everything was correctly working.
But when adding HSM, the private keys are not mounted on the containers anymore (orderers and peers).
The peers seem to be still working but with the orderer I get the following error:
2019-12-06 10:21:03.476 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-06 10:21:03.480 UTC [orderer.common.server] initializeClusterClientConfig -> FATA 004 Failed to load client TLS key file '' (open : no such file or directory)
After a quick test, I managed to confirm that it was the ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY that was the root cause of the error. I do not set it on purpose since I don't have it anymore, but it seems to me that Raft keeps looking for the private key.

Are Raft and HSM incompatible in Fabric right now (version 1.4.3 of the orderer)? Or am I missing something in the configuration?

Thank you for your help




#hsm #raft Raft and HSM in the same network #hsm #raft

Jean-Gaël Dominé <jgdomine@...>
 

Hi everyone,

I'm currently trying to set up a network using Raft and HSM. Before adding HSM, everything was correctly working.
But when adding HSM, the private keys are not mounted on the containers anymore (orderers and peers).
The peers seem to be still working but with the orderer I get the following error:
2019-12-06 10:21:03.476 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-06 10:21:03.480 UTC [orderer.common.server] initializeClusterClientConfig -> FATA 004 Failed to load client TLS key file '' (open : no such file or directory)
After a quick test, I managed to confirm that it was the ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY that was the root cause of the error. I do not set it on purpose since I don't have it anymore, but it seems to me that Raft keeps looking for the private key.

Are Raft and HSM incompatible in Fabric right now (version 1.4.3 of the orderer)? Or am I missing something in the configuration?

Thank you for your help


Re: Enabling channel Capabilities for existing network

Joe Alewine <joe.alewine@...>
 

As it says in the Kafka to Migration doc:
 
While in maintenance mode, normal transactions, config updates unrelated to migration, and Deliver requests from the peers used to retrieve new blocks are rejected. This is done in order to prevent the need to both backup, and if necessary restore, peers during migration, as they only receive updates once migration has successfully completed. In other words, we want to keep the ordering service backup point, which is the next step, ahead of the peer’s ledger, in order to be able to perform rollback if needed. However, ordering node admins can issue Deliver requests (which they need to be able to do in order to continue the migration process).
 
 
Regards,
 
Joe Alewine
IBM Blockchain, Raleigh
 
rocket chat: joe-alewine
slack: joe.alewine
 
 
 

----- Original message -----
From: "Adhav Pavan" <adhavpavan@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Enabling channel Capabilities for existing network
Date: Fri, Dec 6, 2019 12:00 AM
 
Hello There,
 
I have a running network with version 1.4.0, and the network has no channel capabilities defined.

I want to migrate the network to Raft; can I add channel capabilities in the configuration block?

I tried changing the state in the configuration block from NORMAL to MAINTENANCE and got the following error:

Error: got unexpected status: BAD_REQUEST -- config update for existing channel did not pass maintenance checks: config transaction inspection failed: next config attempted to change ConsensusType.State to STATE_MAINTENANCE, but capability is disabled

Let me know if additional information is required.
 
Thank you.

Heartfelt Regards,
Pavan Adhav

Blockchain Developer
Cell Phone:
+91-8390114357  E-Mail: adhavpavan@...

 


Private data : issues and problems #fabric #fabric-questions #fabric-dstorage

Ivan Ch <acizlan@...>
 

Hi Vipin,

I was on vacation for a few weeks and I am now starting a new topic regarding the private data design since we are no longer talking about the original security issue (unsalted hash).

Hello Ivan,
I have been following this thread for a while.
Thanks for raising some of these issues.
While it is important to question and to challenge the assumptions underlying Hyperledger Fabric, the best way to get attention, answers and influence the design may not be by using language like "Major Security hole...". This raises hackles and creates an atmosphere of defensiveness.
 
First: the issue you raised at first (the salted hash) may be just related to documentation, according to all who debated this, so let us drop that from the list.
So that leaves:
1) hashes on chain cannot be validated by any third party, so they can be used by adversaries to trick honest participants (open)
The design of private data collections sets up, in effect, "a covert channel" between the people who exchange that information. I use the term "covert channel" guardedly, before the cryptographers and crypto engineers among us object strenuously to that term. All those who need to know have access to methods to check the hash. Please re-examine this and re-read the private channel documentation. In terms of the veracity of the data (or the claim), this is a problem that has to be solved anyway, in any blockchain, through attestation by the party who put the data on the chain (in other words, the issuers of the claim). There are many ways to share these "covert" claims: edge architectures with certain proofs on the chain and so forth, à la Aries supported by Indy, etc.
Chain hashes just don't solve any problem. ZKP would be the solution to the problem; hashes are not. Sure, some people would argue that ZKP is slow and premature, but I have to disagree, since protocols such as Bulletproofs and many other customized ZKP protocols are fairly efficient. I understand there are plenty of people who like to use chain hashes because it is easy and comfortable for them. However, if we want to move ahead, we have to look for the best technology, not what's making people comfortable at the moment.


 
2) private data uses gossip to transact data, which would require all participants to be connected with every other participant in a chain. If there are 20 participants in a channel, each participant must open up its firewall to all other 19 participants of a single channel (open)

This may not be as it seems, as gossip protocols can transmit information using connections to a limited number of "near peers". Overlay this with the three types of nodes (i.e. endorsing peers, validating peers and orderers, with anchor peers being special types of peers that can serve as the "gateways" for endorsing and validating peers). As far as the orderers, I am not aware of the exact network that they participate in (i.e. is it gossip driven?). Also, this interaction can be over TLS, which is a widely used method today to protect communications over the open internet. I believe Fabric has this feature.
The issue is not whether you can use a secure protocol such as TLS to securely transmit data; the problem is you have to make pre-arrangements with all peers (open firewalls to each other), which is not possible in practice unless all nodes operate on the same cloud.

 
You have a point about firewalls; the disposition of the components in a regulated enterprise may need some design modifications to accommodate firewalls. Firewalls, whether on prem or in the cloud, are not monolithic (they include multiple layers like the DMZ, etc.) and currently use reverse proxies (for incoming messages) and SOCKS-compliant protocols for outgoing. In Corda Enterprise, there is a component called the "Float" which functions as a reverse proxy. I was involved in conversations around the design of this component when I was working in a regulated financial institution. I do not know the status of "the Float" since that is available only in Enterprise Corda. There are also multiple architectural patterns written up on the provisioning of the components inside firewalls. We need that thought process in Fabric if it does not exist.
This problem actually gets bigger when we have to try to get all participants to do the same. Each enterprise seems to have its own little ghost settings behind the firewall. This is still doable, but a big hassle.

 
Another feature that is demanded by IT architecture and security teams in enterprises is the componentization of nodes. By that I mean the breaking up of (say) any endorsing or validating peer into data access and smart contract execution layers, with the possibility of scaling and housing in various parts of the enterprise stack.
 
All this points to having community involvement in Architecture best practices for projects and the presence and participation in such exercises so that the Fabric team can take advantage of expertise such as yours that exist in the open source community.
 
We must collaborate, otherwise why be in an open source consortium?
 
Best,
Vipin
I've been trying hard to convince my client to avoid using the private data feature :) We are able to configure orderers like a shared cluster group so that all orgs can just make their peer nodes connect to the orderer service running on a cloud to bypass the firewall issue (each org would only need to open its firewall to the central orderer service), and then things got a lot more complicated when the private data feature kicked in. People somehow just assume that a feature is right just because it's in the Fabric documentation.


Enabling channel Capabilities for existing network

Adhav Pavan
 

Hello There,

I have a running network with version 1.4.0, and the network has no channel capabilities defined.

I want to migrate the network to Raft; can I add channel capabilities in the configuration block?

I tried changing the state in the configuration block from NORMAL to MAINTENANCE and got the following error:

Error: got unexpected status: BAD_REQUEST -- config update for existing channel did not pass maintenance checks: config transaction inspection failed: next config attempted to change ConsensusType.State to STATE_MAINTENANCE, but capability is disabled

Let me know if additional information is required.

Thank you.

Heartfelt Regards,
Pavan Adhav

Blockchain Developer
Cell Phone:
+91-8390114357  E-Mail: adhavpavan@...


Re: Migration from Gerrit: Help with JQ and Git needed

Ry Jones
 

All,
The final repo has moved to GitHub and I have extracted the JSON and mirrored all of the repos.
Please take a look.
Ry
--
Ry Jones
Community Architect, Hyperledger


Documentation Workgroup: Agenda for Friday, 06 December

Anthony O'Dowd <a_o-dowd@...>
 

Hello All,

We hold our regular documentation workgroup call this week, both Eastern and Western hemispheres.

As is now usual, you can read the summary minutes for previous calls: https://wiki.hyperledger.org/display/fabric/Meetings
and catch up via recordings page: https://wiki.hyperledger.org/display/fabric/Recordings

You'll see that there are lots of interesting items for this week: https://wiki.hyperledger.org/display/fabric/2019+12+06+DWG+Agenda
Please feel free to contribute using the wiki!

You can also help build next week's agenda: https://wiki.hyperledger.org/display/fabric/2019+12+13+DWG+Agenda

Best regards,

Pam, Anthony,  Joe, Nik

Meeting Details
-------------
Please use the following link to attend the meeting:  https://zoom.us/j/6223336701

The meeting times are as follows: https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group

Meeting 107A: Friday 06 Dec
                   1130 India Standard Time
                   1400 China Standard Time
                   1500 Japan Standard Time
                   1700 Australia Eastern Time
                   1400 Singapore Time
                   1000 Gulf Standard Time
                   0900 Moscow Standard Time
                   0600 Greenwich Mean Time
                   0700 Central European Time

Meeting 107B: Friday 06 Dec
                   1000 Central Daylight Time
                   1100 Eastern Daylight Time
                   0800 Pacific Daylight Time
                   1300 Brasil Time (BRT)
                   1600 Greenwich Mean Time
                   1700 Central European Time
                   1800 Moscow Standard Time
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


Re: Relation between no. of. Blocks / Amount of data stored in DB vs Disk writes #fabric #fabric-questions

Senthil Nathan
 

Hi Prasanth,

This phenomenon might occur due to the leveldb compaction -- https://github.com/google/leveldb/blob/master/doc/impl.md
If you plot the complete time-series data and compare it against the peer logs, you can pinpoint the root cause.

Regards,
Senthil


On Thu, Dec 5, 2019 at 7:05 PM Prasanth Sundaravelu <prasanths96@...> wrote:

Hi,

I have the following setup: 

Hardware: 

CPU: Intel Xeon E3-1245 v5 - 3.5 GHz - 4 core(s)
RAM: 32GB - DDR3
Hard Drive(s): 3x 256GB (SSD SATA) (RAID 0)
Network Bandwidth: Unmetered @ 1Gbps
OS Ubuntu 18

Hyperledger network:
3 - Peers 
1 - Organization
Go LevelDB
Chaincode in GoLang
SDK in Node.js accessed using node express - http server.

Load generation (via HTTP API) (Generated from inside the same server):
- Load generated continuously at a constant speed of 200RPS. 
- It calls a simple chaincode function that queries if the unique ID already exists in db and modifies / stores the data (JSON data with 3 fields) as composite key.

 

When the test started, I observed Disk I/O using iotop:

- Total and Actual disk write was less than or around ~5M/s

After 24 hours, 10 million records had been stored and I checked iotop again; this time:
- Total and actual disk write was fluctuating from ~50M/s to ~100M/s, or more rarely.

Why does this happen? Is it normal? Is there a way to reduce this as much as possible?


Relation between no. of. Blocks / Amount of data stored in DB vs Disk writes #fabric #fabric-questions

Prasanth Sundaravelu
 

Hi,

I have the following setup: 

Hardware: 

CPU: Intel Xeon E3-1245 v5 - 3.5 GHz - 4 core(s)
RAM: 32GB - DDR3
Hard Drive(s): 3x 256GB (SSD SATA) (RAID 0)
Network Bandwidth: Unmetered @ 1Gbps
OS Ubuntu 18

Hyperledger network:
3 - Peers 
1 - Organization
Go LevelDB
Chaincode in GoLang
SDK in Node.js accessed using node express - http server.

Load generation (via HTTP API) (Generated from inside the same server):
- Load generated continuously at a constant speed of 200RPS. 
- It calls a simple chaincode function that queries if the unique ID already exists in db and modifies / stores the data (JSON data with 3 fields) as composite key.

 

When the test started, I observed Disk I/O using iotop:

- Total and Actual disk write was less than or around ~5M/s

After 24 hours, 10 million records had been stored and I checked iotop again; this time:
- Total and actual disk write was fluctuating from ~50M/s to ~100M/s, or more rarely.

Why does this happen? Is it normal? Is there a way to reduce this as much as possible?


Fail to start orderer #raft

pwong00710@...
 

We have 5 orderers.  We stop one of them and start it again.  We get the following error.  Any idea?

2019-12-05 09:27:01.096 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 057 1 became follower at term 52 channel=bigfish-wallet node=1
2019-12-05 09:27:01.096 UTC [orderer.consensus.etcdraft] commitTo -> PANI 058 tocommit(23344) is out of range [lastIndex(6593)]. Was the raft log corrupted, truncated, or lost? channel=bigfish-wallet node=1
panic: tocommit(23344) is out of range [lastIndex(6593)]. Was the raft log corrupted, truncated, or lost?goroutine 85 [running]:


Re: identity authentication

Prasanth Sundaravelu
 

Hi, 

If you are going to have different credentials for different users and using those keys to connect to the blockchain network (via SDK), then you can use cid package in chaincode to read the certificate of requester inside chaincode and authenticate / authorize. 

For go:

For node:


On Thu, 5 Dec 2019, 7:51 am qs meng, <qsmeng@...> wrote:
hello Robert,
More specifically, I want to authenticate the requestor ID in chaincode. This provides more freedom for the end user.
thank you. 
regards. 
qsmeng




-------- Original message --------
From: Robert Broeckelmann <robert@...>
Date: Wednesday, 4 December 2019, 12:32 PM
To: qs meng <qsmeng@...>
Cc: Nicholas Zanutim <nlzanutim@...>, fabric@...
Subject: Re: [Hyperledger Fabric] identity authentication
Hello. 

I had a similar situation earlier this year.

The Fabric SDKs contain support for maintaining a credential wallet that holds end user's HLF credentials.

If you have an architecture similar to:

Mobile App-> REST API->HLF Peer 

Then, the REST API layer can be used to translate from a security token embedded in API requests to credentials that the blockchain network will understand (i.e., PKI and X.509 private/public key pairs).

See [1] for an example. 

Our requirements eventually shifted to an "application" id being recorded in the blockchain. So, we just issued a "system identity" that the REST API layer's SDK used for all peer interaction. So, that ended up being much simpler.

I honestly don't like the solution where the server-side app has to maintain a credential wallet that contains all registered users' HLF credentials, but that does seem cleaner than having every mobile app instance issued a set of HLF credentials and directly communicating with the blockchain network. Note, I haven't seen anyone or anything pitching that architecture, but it would probably be the only alternative.

For authentication of end users on the mobile app, I'd recommend using OpenID Connect's Authorization Code Grant with a Public Client. Use one of the numerous IDaaS (Identity as a Service) providers available today. If OIDC is used in this manner, you also get an OAuth2 access token that can be cached in the mobile app (and refreshed as needed) and included with API calls (Authorization header) to the REST API layer. An API Gateway can be used to handle authentication, authorization, request validation, and other typical concerns of API security. All the major cloud hosting platforms offer an API Gateway solution that would do this out-of-the-box; the previous poster mentioned Kong, Apigee is another. There are a bunch of others. 


RCBJ

On Tue, Dec 3, 2019 at 6:24 PM qs meng <qsmeng@...> wrote:


hi Nicholas,
The identity should be authenticated by Fabric. If Kong runs outside Fabric, its ID authentication result is not accepted by Fabric.
I want to authenticate the requestor in Fabric.
thank you.
best regards. 
qsmeng



-------- Original message --------
From: Nicholas Zanutim <nlzanutim@...>
Date: Tuesday, 3 December 2019, 9:31 PM
To: fabric@..., qs meng <qsmeng@...>
Subject: Re: [Hyperledger Fabric] identity authentication
You can use Kong Service manager with JWT or any other form of authentication to access the services that submit transactions to the Fabric network. In this case, the user certificate must be present with the services

On Tuesday, 3 December 2019 10:08:44 BRT, qs meng <qsmeng@...> wrote:


Hi experts, 
      In the current Fabric design, the client app is the user of Fabric. Running a client app is a heavy cost for a mobile phone user. We design a payment system where a user can sign a payment request with his/her private key, submit it to a client app and then to Fabric.
The problem is how the identity of the user or requestor can be authenticated. Can anyone give me some suggestions?
 Thank you.
 Best regards,
qsmeng


 



--
Robert C. Broeckelmann Jr | Managing Director |  IyaSec
m: +1 314-494-3398 (SMS or WhatsApp) | fax: +1 (866) 484-1634
email: robert@... | site: iyasec.io

mail: 19215 SE 34th St Ste 106-407 Camas WA 98607-8830
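
The chaincode-side authorization described in the answer above (reading the requester's certificate with the cid package and checking it) is shown here as an added example in Go; it is not code from this thread or from Fabric's own cid package. It reconstructs the two cid conventions I am confident of, the Fabric CA attribute extension (OID 1.2.3.4.5.6.7.8.1 carrying JSON of the form {"attrs":{...}}) and the "x509::<subject>::<issuer>" identity string, and it assumes the caller already has the requester's certificate as PEM (real chaincode obtains it from the SerializedIdentity that stub.GetCreator() returns). The function and attribute names, the "role=auditor" policy and the self-signed test certificate are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fabric CA writes enrollment attributes into this X.509 extension as raw JSON
// ({"attrs":{"name":"value"}}); the cid package reads the same OID.
var fabricAttrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}
type fabricAttrs struct {
	Attrs map[string]string `json:"attrs"`
}

// ClientIdentity stands in for the part of cid used for authorization. Assumption: we
// start from the requester's PEM certificate; real chaincode takes it from stub.GetCreator().
type ClientIdentity struct {
	Cert  *x509.Certificate
	attrs map[string]string
}

// ParseClientIdentity decodes the certificate and its Fabric attribute extension.
func ParseClientIdentity(certPEM []byte) (*ClientIdentity, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	ci := &ClientIdentity{Cert: cert}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(fabricAttrOID) {
			var parsed fabricAttrs
			if err := json.Unmarshal(ext.Value, &parsed); err != nil {
				return nil, fmt.Errorf("malformed attribute extension: %w", err)
			}
			ci.attrs = parsed.Attrs
		}
	}
	return ci, nil
}

// GetID follows cid.GetID's shape, "x509::<subject>::<issuer>" (cid base64-encodes it), so the
// ID is bound to the issuing CA and not only to the CN; DN formatting is approximated here.
func (ci *ClientIdentity) GetID() string {
	return fmt.Sprintf("x509::%s::%s", ci.Cert.Subject.String(), ci.Cert.Issuer.String())
}

// AssertAttributeValue mirrors cid.AssertAttributeValue: the attribute must exist with this value.
func (ci *ClientIdentity) AssertAttributeValue(name, want string) error {
	got, ok := ci.attrs[name]
	if !ok {
		return fmt.Errorf("attribute %q not present in certificate", name)
	}
	if got != want {
		return fmt.Errorf("attribute %q is %q, want %q", name, got, want)
	}
	return nil
}

// AuthorizeAuditRead is the check a chaincode function runs before serving sensitive data.
// The role sits inside the CA-signed certificate, so a client cannot claim one it was never issued.
func AuthorizeAuditRead(certPEM []byte) error {
	ci, err := ParseClientIdentity(certPEM)
	if err != nil {
		return err
	}
	return ci.AssertAttributeValue("role", "auditor")
}

// MakeTestCert builds a constructed self-signed certificate carrying Fabric-style attributes
// so the example runs offline; in a real network Fabric CA issues it.
func MakeTestCert(enrollmentID string, attrs map[string]string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	attrJSON, _ := json.Marshal(fabricAttrs{Attrs: attrs}) // a map[string]string always marshals
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: enrollmentID, OrganizationalUnit: []string{"client"}},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: fabricAttrOID, Value: attrJSON}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Usage: `MakeTestCert("alice", map[string]string{"role": "auditor"})` produces a certificate for which `AuthorizeAuditRead` returns nil, while a certificate enrolled with `role=clerk`, one with no role attribute, or a non-PEM blob is rejected with a descriptive error. The point for the thread: because the attribute is part of the certificate the CA signed and the peer has already verified against the MSP, the chaincode is deciding on something the requester cannot forge, which is what an external gateway such as Kong cannot provide on its own.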



Re: [Hyperledger Fabric] identity authentication

qs meng <qsmeng@...>
 

hello Robert,
More specifically, I want to authenticate the requestor ID in chaincode. This provides more freedom for the end user.
thank you. 
regards. 
qsmeng




-------- Original message --------
From: Robert Broeckelmann <robert@...>
Date: Wednesday, 4 December 2019, 12:32 PM
To: qs meng <qsmeng@...>
Cc: Nicholas Zanutim <nlzanutim@...>, fabric@...
Subject: Re: [Hyperledger Fabric] identity authentication

Hello. 

I had a similar situation earlier this year.

The Fabric SDKs contain support for maintaining a credential wallet that holds end user's HLF credentials.

If you have an architecture similar to:

Mobile App-> REST API->HLF Peer 

Then, the REST API layer can be used to translate from a security token embedded in API requests to credentials that the blockchain network will understand (i.e., PKI and X.509 private/public key pairs).

See [1] for an example. 

Our requirements eventually shifted to an "application" id being recorded in the blockchain. So, we just issued a "system identity" that the REST API layer's SDK used for all peer interaction. So, that ended up being much simpler.

I honestly don't like the solution where the server-side app has to maintain a credential wallet that contains all registered users' HLF credentials, but that does seem cleaner than having every mobile app instance issued a set of HLF credentials and directly communicating with the blockchain network. Note, I haven't seen anyone or anything pitching that architecture, but it would probably be the only alternative.

For authentication of end users on the mobile app, I'd recommend using OpenID Connect's Authorization Code Grant with a Public Client. Use one of the numerous IDaaS (Identity as a Service) providers available today. If OIDC is used in this manner, you also get an OAuth2 access token that can be cached in the mobile app (and refreshed as needed) and included with API calls (Authorization header) to the REST API layer. An API Gateway can be used to handle authentication, authorization, request validation, and other typical concerns of API security. All the major cloud hosting platforms offer an API Gateway solution that would do this out-of-the-box; the previous poster mentioned Kong, Apigee is another. There are a bunch of others. 


RCBJ

On Tue, Dec 3, 2019 at 6:24 PM qs meng <qsmeng@...> wrote:


hi Nicholas,
The identity should be authenticated by Fabric. If Kong runs outside Fabric, its ID authentication result is not accepted by Fabric.
I want to authenticate the requestor in Fabric.
thank you.
best regards. 
qsmeng



-------- Original message --------
From: Nicholas Zanutim <nlzanutim@...>
Date: Tuesday, 3 December 2019, 9:31 PM
To: fabric@..., qs meng <qsmeng@...>
Subject: Re: [Hyperledger Fabric] identity authentication
You can use Kong Service manager with JWT or any other form of authentication to access the services that submit transactions to the Fabric network. In this case, the user certificate must be present with the services

On Tuesday, 3 December 2019 10:08:44 BRT, qs meng <qsmeng@...> wrote:


Hi experts, 
      In the current Fabric design, the client app is the user of Fabric. Running a client app is a heavy cost for a mobile phone user. We design a payment system where a user can sign a payment request with his/her private key, submit it to a client app and then to Fabric.
The problem is how the identity of the user or requestor can be authenticated. Can anyone give me some suggestions?
 Thank you.
 Best regards,
qsmeng


 



--
Robert C. Broeckelmann Jr | Managing Director |  IyaSec
m: +1 314-494-3398 (SMS or WhatsApp) | fax: +1 (866) 484-1634
email: robert@... | site: iyasec.io

mail: 19215 SE 34th St Ste 106-407 Camas WA 98607-8830



Re: identity authentication

qs meng <qsmeng@...>
 

Hello Robert,
   Thank you for the reply.  My initial idea is to add an API through which the ID of the requestor is passed to Fabric, and the id is authenticated by Fabric MSP.
  I will read the link you provided and the credential wallet.
  Thank you.
  Best regards,
qsmeng




At 2019-12-04 12:31:54, "Robert Broeckelmann" <robert@...> wrote:
Hello. 

I had a similar situation earlier this year.

The Fabric SDKs contain support for maintaining a credential wallet that holds end user's HLF credentials.

If you have an architecture similar to:

Mobile App-> REST API->HLF Peer 

Then, the REST API layer can be used to translate from a security token embedded in API requests to credentials that the blockchain network will understand (i.e., PKI and X.509 private/public key pairs).

See [1] for an example. 

Our requirements eventually shifted to an "application" id being recorded in the blockchain. So, we just issued a "system identity" that the REST API layer's SDK used for all peer interaction. So, that ended up being much simpler.

I honestly don't like the solution where the server-side app has to maintain a credential wallet that contains all registered users' HLF credentials, but that does seem cleaner than having every mobile app instance issued a set of HLF credentials and directly communicating with the blockchain network. Note, I haven't seen anyone or anything pitching that architecture, but it would probably be the only alternative.

For authentication of end users on the mobile app, I'd recommend using OpenID Connect's Authorization Code Grant with a Public Client. Use one of the numerous IDaaS (Identity as a Service) providers available today. If OIDC is used in this manner, you also get an OAuth2 access token that can be cached in the mobile app (and refreshed as needed) and included with API calls (Authorization header) to the REST API layer. An API Gateway can be used to handle authentication, authorization, request validation, and other typical concerns of API security. All the major cloud hosting platforms offer an API Gateway solution that would do this out-of-the-box; the previous poster mentioned Kong, Apigee is another. There are a bunch of others. 


RCBJ

On Tue, Dec 3, 2019 at 6:24 PM qs meng <qsmeng@...> wrote:


hi Nicholas,
The identity should be authenticated by Fabric. If Kong runs outside Fabric, its ID authentication result is not accepted by Fabric.
I want to authenticate the requestor in Fabric.
thank you.
best regards. 
qsmeng



-------- Original message --------
From: Nicholas Zanutim <nlzanutim@...>
Date: Tuesday, 3 December 2019, 9:31 PM
To: fabric@..., qs meng <qsmeng@...>
Subject: Re: [Hyperledger Fabric] identity authentication
You can use Kong Service manager with JWT or any other form of authentication to access the services that submit transactions to the Fabric network. In this case, the user certificate must be present with the services

On Tuesday, 3 December 2019 10:08:44 BRT, qs meng <qsmeng@...> wrote:


Hi experts, 
      In the current Fabric design, the client app is the user of Fabric. Running a client app is a heavy cost for a mobile phone user. We design a payment system where a user can sign a payment request with his/her private key, submit it to a client app and then to Fabric.
The problem is how the identity of the user or requestor can be authenticated. Can anyone give me some suggestions?
 Thank you.
 Best regards,
qsmeng


 



--
Robert C. Broeckelmann Jr | Managing Director |  IyaSec
m: +1 314-494-3398 (SMS or WhatsApp) | fax: +1 (866) 484-1634
email: robert@... | site: iyasec.io

mail: 19215 SE 34th St Ste 106-407 Camas WA 98607-8830




 


Re: identity authentication

Robert Broeckelmann
 

Hello. 

I had a similar situation earlier this year.

The Fabric SDKs contain support for maintaining a credential wallet that holds end user's HLF credentials.

If you have an architecture similar to:

Mobile App-> REST API->HLF Peer 

Then, the REST API layer can be used to translate from a security token embedded in API requests to credentials that the blockchain network will understand (i.e., PKI and X.509 private/public key pairs).

See [1] for an example. 

Our requirements eventually shifted to an "application" id being recorded in the blockchain. So, we just issued a "system identity" that the REST API layer's SDK used for all peer interaction. So, that ended up being much simpler.

I honestly don't like the solution where the server-side app has to maintain a credential wallet that contains all registered users' HLF credentials, but that does seem cleaner than having every mobile app instance issued a set of HLF credentials and directly communicating with the blockchain network. Note, I haven't seen anyone or anything pitching that architecture, but it would probably be the only alternative.

For authentication of end users on the mobile app, I'd recommend using OpenID Connect's Authorization Code Grant with a Public Client. Use one of the numerous IDaaS (Identity as a Service) providers available today. If OIDC is used in this manner, you also get an OAuth2 access token that can be cached in the mobile app (and refreshed as needed) and included with API calls (Authorization header) to the REST API layer. An API Gateway can be used to handle authentication, authorization, request validation, and other typical concerns of API security. All the major cloud hosting platforms offer an API Gateway solution that would do this out-of-the-box; the previous poster mentioned Kong, Apigee is another. There are a bunch of others. 


RCBJ

On Tue, Dec 3, 2019 at 6:24 PM qs meng <qsmeng@...> wrote:


hi Nicholas,
The identity should be authenticated by Fabric. If Kong runs outside Fabric, its ID authentication result is not accepted by Fabric.
I want to authenticate the requestor in Fabric.
thank you.
best regards. 
qsmeng



-------- Original message --------
From: Nicholas Zanutim <nlzanutim@...>
Date: Tuesday, 3 December 2019, 9:31 PM
To: fabric@..., qs meng <qsmeng@...>
Subject: Re: [Hyperledger Fabric] identity authentication
You can use Kong Service manager with JWT or any other form of authentication to access the services that submit transactions to the Fabric network. In this case, the user certificate must be present with the services

On Tuesday, 3 December 2019 10:08:44 BRT, qs meng <qsmeng@...> wrote:


Hi experts, 
      In the current Fabric design, the client app is the user of Fabric. Running a client app is a heavy cost for a mobile phone user. We design a payment system where a user can sign a payment request with his/her private key, submit it to a client app and then to Fabric.
The problem is how the identity of the user or requestor can be authenticated. Can anyone give me some suggestions?
 Thank you.
 Best regards,
qsmeng


 



--
Robert C. Broeckelmann Jr | Managing Director |  IyaSec
m: +1 314-494-3398 (SMS or WhatsApp) | fax: +1 (866) 484-1634
email: robert@... | site: iyasec.io

mail: 19215 SE 34th St Ste 106-407 Camas WA 98607-8830



Re: [Hyperledger Fabric] identity authentication

qs meng <qsmeng@...>
 



hi Nicholas,
The identity should be authenticated by Fabric. If Kong runs outside Fabric, its ID authentication result is not accepted by Fabric.
I want to authenticate the requestor in Fabric.
thank you.
best regards. 
qsmeng



-------- Original message --------
From: Nicholas Zanutim <nlzanutim@...>
Date: Tuesday, 3 December 2019, 9:31 PM
To: fabric@..., qs meng <qsmeng@...>
Subject: Re: [Hyperledger Fabric] identity authentication

You can use Kong Service manager with JWT or any other form of authentication to access the services that submit transactions to the Fabric network. In this case, the user certificate must be present with the services

On Tuesday, 3 December 2019 10:08:44 BRT, qs meng <qsmeng@...> wrote:


Hi experts, 
      In the current Fabric design, the client app is the user of Fabric. Running a client app is a heavy cost for a mobile phone user. We design a payment system where a user can sign a payment request with his/her private key, submit it to a client app and then to Fabric.
The problem is how the identity of the user or requestor can be authenticated. Can anyone give me some suggestions?
 Thank you.
 Best regards,
qsmeng


 


New Fabric Developer Certification - Beta testers needed!

Silona Bonewald <sbonewald@...>
 

The Hyperledger Fabric Developer (CHFD) exam is scheduled to launch in late Q1 2020 and we are now looking for Beta testers. Interested parties should complete the CHFD Beta Sign-up Form by January 15, 2020. The CHFD Beta is FREE for the first 20 who qualify and after that, the Beta will be available at the low discount of $100.

https://training.linuxfoundation.org/certification/certified-hyperledger-fabric-developer/
https://docs.google.com/forms/d/e/1FAIpQLScPxgBt6GvuTcrtjYCkWqW2D6o-2YrNd4vR--KXFGUw-5Ctsw/viewform

Please sign up now!
Silona
--
Silona Bonewald
VP of Community Architecture, Hyperledger
Mobile/Text: 512.750.9220
https://calendly.com/silona
The Linux Foundation
http://hyperledger.org


Re: Where i can find documentation about HL-Fabric protobufs structure and GRPC communications between nodes? #fabric #grpc #network

Yacov
 

Look in http://www.bchainledger.com/2017/04/under-construction-hyperledger-fabric.html 



From:        "Aleksandr Kochetkov" <aleksandr.kochetkov@...>
To:        fabric@...
Date:        12/03/2019 12:46 PM
Subject:        [EXTERNAL] Re: [Hyperledger Fabric] Where i can find documentation about HL-Fabric protobufs structure and GRPC communications between nodes? #fabric #grpc #network
Sent by:        fabric@...




Thanks for bringing this repo into conversion Yacov!
As we can see from the repo, there are a lot of protobufs, and sometimes one uses another as payload/data, etc. That is exactly the reason why I'm asking for documentation that would explain how all these protobufs are connected and used in Fabric.



