Re: Alternative of cryptogen for Prod
Either way, a network is not static. At some point you are going
to have to issue new MSPs, and in order to do that, you have to
have an understanding of both the ca-server and the structure and
purpose of every part of an MSP.
cryptogen both hides this from you, and does not permit easily
adding new credentials and organizations.
In addition, cryptogen does some other very questionable things
when it fires up a bunch of credentials as well (in the name of
PoC and unit testing) - in particular, the overlap of TLS and
non-transport credentials/CAs which is never recommended.
Do not use it for production networks.
On 11/6/2019 5:47 AM, Hakan Eryargi wrote:
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care about if root certificate is self-signed or not. Root certificate of an organization is encoded in the genesis block, Fabric only cares about it.
2. CA doesn't create the root certificate, you need to feed it the root certificate so it can create other certificates. Peer, user, admin etc.
So either using CA or not, one needs to create the root certificate. IMHO doesn't really matter if self-signed or not. After that, it's a matter of choice to use CA or cryptogen to create other certificates.
Please correct me if I am wrong about above.
Otherwise I don't see a real issue about using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including CAs, then use CA to register users. Our intention is using the same flow in production too unless someone provides a more convenient tool to create the initial certificates.
Best,
Hakan
Hakan,
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production. Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
----- Original message -----
From: hakan eryargi <hakan.eryargi@...>
To: Abhijeet Bhowmik <abhijeet@...>
Cc: Joe Alewine <joe.alewine@...>, fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Wed, Nov 6, 2019 7:29 AM
Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor want to write some scripts for certificate creation. Maybe cryptogen is not intended for this purpose but best option for now, especially if you don't need additional stuff in certificates.
So, if there is no real issue with it, like a security threat or whatever, we plan to go production with cryptogen.
It will also be nice if cryptogen is even more developed to cover other needs too :)
Best,
Hakan
On Tue, Nov 5, 2019 at 4:40 AM Abhijeet Bhowmik <abhijeet@...> wrote:
Hey,
Thanks to all for the help. I am extremely grateful to everyone.
Abhijeet Bhowmik
Abhijeet,
Certificate Authorities --- specifically, the Fabric CA --- should be used to create all of the certificates in a production scenario (it is a best practice to stand up one CA for each organization and the organization's related identities, MSP, and nodes).
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
----- Original message -----
From: "Nye Liu" <nye@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Sun, Nov 3, 2019 7:43 AM
It is described in the Operations Guide.
On 11/3/2019 1:11 AM, Abhijeet Bhowmik wrote:
Hey,
Just to be specific, I was referring to the certificates that we set up at peers and place public keys at orderer. From where do we obtain that folder structure (MSP and TLS)?
Thanks and Regards
Abhijeet Bhowmik
For prod, you’ll need to generate certs from CAs.
References:
Cheers,
Mrudav
On Sun, 3 Nov 2019 at 10:22 AM, Abhijeet Bhowmik <abhijeet@...> wrote:
Greetings Everyone,
I am dwelling in the answer of the question: "If not cryptogen in Prod, then what and how?".
Right now, generating org certificates is a pretty straightforward task while getting started with HLF. But after reading the docs, the question has been thrown upon me that how can we configure certificates in Prod. I know it's a naive question to ask but being a beginner and stepping my first foot into actually hosting fabric application, I am obliged to ask the community to help me out.
Thanks and Regards
Abhijeet Bhowmik
|
|
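A check for the overlap of TLS and non-transport CAs mentioned in the message above, as an added example that is not part of the original thread or of Fabric's tooling: it fingerprints every PEM certificate under an MSP directory's identity trust folders (`cacerts`, `intermediatecerts`) and TLS trust folders (`tlscacerts`, `tlsintermediatecerts`) and reports any certificate present on both sides. The function names and the sample "certificates" (constructed placeholder bytes, not real X.509) are assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import re
import tempfile
from pathlib import Path

# Standard MSP sub-folders: identity (enrollment) trust vs. TLS trust.
IDENTITY_DIRS = ("cacerts", "intermediatecerts")
TLS_DIRS = ("tlscacerts", "tlsintermediatecerts")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(text):
    """Return the SHA-256 hex digest of the DER body of each PEM block."""
    prints = set()
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()))
        except binascii.Error:
            continue  # skip a malformed block instead of aborting the audit
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def collect(msp_dir, subdirs):
    """Map fingerprint -> list of files (relative to msp_dir) containing it."""
    found = {}
    for sub in subdirs:
        folder = Path(msp_dir) / sub
        if not folder.is_dir():
            continue
        for path in sorted(folder.iterdir()):
            if not path.is_file():
                continue
            rel = path.relative_to(msp_dir).as_posix()
            for fp in pem_fingerprints(path.read_text(errors="replace")):
                found.setdefault(fp, []).append(rel)
    return found


def audit_msp(msp_dir):
    """Report CA certificates trusted for both identities and TLS.

    Limitation: this compares whole certificates. Two different
    certificates issued over the same key pair are not detected; that
    needs an X.509 parser to compare public keys.
    """
    identity = collect(msp_dir, IDENTITY_DIRS)
    tls = collect(msp_dir, TLS_DIRS)
    return [
        {"sha256": fp, "identity_files": identity[fp], "tls_files": tls[fp]}
        for fp in sorted(set(identity) & set(tls))
    ]


def to_pem(der):
    """Wrap raw bytes in a PEM CERTIFICATE envelope (64-char lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


def build_demo_msp(root, share_ca):
    """Create a constructed sample MSP tree; the cert bodies are placeholders."""
    msp = Path(root) / "msp"
    (msp / "cacerts").mkdir(parents=True)
    (msp / "tlscacerts").mkdir()
    identity_ca = b"constructed-identity-ca-der" * 8
    tls_ca = identity_ca if share_ca else b"constructed-tls-ca-der" * 8
    (msp / "cacerts" / "ca-cert.pem").write_text(to_pem(identity_ca))
    (msp / "tlscacerts" / "tlsca-cert.pem").write_text(to_pem(tls_ca))
    return msp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, share in (("shared", True), ("split", False)):
            msp = build_demo_msp(Path(tmp) / name, share)
            findings = audit_msp(msp)
            print(name, "->", "OVERLAP" if findings else "ok", findings)
```

Point `audit_msp` at each organization's real `msp` directory; an empty list means no CA certificate is trusted for both purposes.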
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Jean-Gaël,
Ah, I wasn't aware CA can create the root certificate, good to know.
Jean-Gaël and Joe,
Fabric is a permissioned network. If other members accept me to join the network, why do they care whether my certificate is self-signed or not? They trust me first of all, it's more important than they trust the CA.
To my understanding, trusted CAs exist and are required mostly for public domains. This is in contrast with Fabric.
Maybe in some special occurrences, it might make sense, for example peers decide to accept another peer organization based on its certificate.
In our case, we will provide everything as a managed service, that is we will run all the Fabric nodes and also application components to make on-boarding easy for participants. So I guess in our case, the question collapses into if we trust ourselves :) Also the fact that we need to manage so many certificates makes using cryptogen more appealing.
Best, Hakan
|
|
Hi to all,
Currently, in my setup, I have 2 organizations with 2 peers each. Also have 2 Orderers, one per each organization, and a CA per Organization too. They have a Kafkas and Zookeepers consensus mechanism. Running the `peer channel getinfo -c mychannel` command on all peers I receive the following:
Peer 1 org 1 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 1 -
Blockchain info: {"height":2875,"currentBlockHash":"mz7qXXPLXNNMY5WMbOiuQdMebURa9NZL9FQsOu6Io3w=","previousBlockHash":"kfM/90uFTho48EXzphOX2ZFhIjgFKNzTjKK/z53hrhc="}
Peer 1 org 2 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 2 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 1 has a different height. Is there something that we can configure for it to be updated automatically? Is Kafka badly set up? Is something on the peer configs?
Currently running the network on 1.4 version.
|
|
Re: Alternative of cryptogen for Prod
Joe Alewine <joe.alewine@...>
Hakan,
Fabric doesn't care if you use certificates you wrote on a cocktail napkin. You could probably, technically speaking, use the same certificate everywhere, for everything. But that does not mean that this would be a "production" deployment.
The need for true Root CAs and Certificate Authorities in general is not something Hyperledger Fabric invented. It's a standard part of Public Key Infrastructure. Other organizations rely on their trust in the Root CA cert to validate certificates. No one in a production environment is going to trust cryptogen.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
|
|
Re: Alternative of cryptogen for Prod
Jean-Gaël Dominé <jgdomine@...>
Hi Hakan
For the 2), you have several options:
a) The CA generates self-signed certificate and key
b) you provide them to the CA (manually or HSM)
So the CA does create the root certificate if you want him to.
As for the 1), I agree that it is encoded in the genesis block but how can two organizations trust each other if you use self-signed certificates that you cannot verify by a public certification authority? To me it is not because the Fabric network runs correctly and trusts everything happening in it that it makes a trustworthy Hyperledger blockchain. You need to be sure that the participants are who they pretend to be and to me this is not possible through the use of cryptogen.
But again this is my understanding of Hyperledger Fabric
Regards,
JG
|
|
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care about if root certificate is self-signed or not. Root certificate of an organization is encoded in the genesis block, Fabric only cares about it.
2. CA doesn't create the root certificate, you need to feed it the root certificate so it can create other certificates. Peer, user, admin etc.
So either using CA or not, one needs to create the root certificate. IMHO doesn't really matter if self-signed or not. After that, it's a matter of choice to use CA or cryptogen to create other certificates.
Please correct me if I am wrong about above.
Otherwise I don't see a real issue about using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including CA's, then use CA to register users. Our intention is using the same flow in production too unless someone provides a more convenient tool to create the initial certificates.
Best, Hakan
|
|
Re: Alternative of cryptogen for Prod
Joe Alewine <joe.alewine@...>
Hakan,
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production. Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
|
|
Re: Alternative of cryptogen for Prod
Jean-Gaël Dominé <jgdomine@...>
Hi,
cryptogen uses self-signed root certificates to generate all the other certificates and keys. IMHO one of the purposes of a blockchain is to bring trust between entities that do not necessarily "trust" each other. As the certificates and keys are used by Fabric to ensure that every component participating in the network is who it pretends to be and is also authorized to perform its actions, I don't see how it can work with self-signed certificates. That is why the CA (or a replacement) is here for because you should use root certificates that can be verified by a certification authority.
To me, cryptogen should never be used beyond development environments.
I'm no expert in this matter but that is my understanding of Fabric on this aspect
Hope this helps
JG
|
|
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor want to write some scripts for certificate creation. Maybe cryptogen is not intended for this purpose but best option for now, especially if you don't need additional stuff in certificates. So, if there is no real issue with it, like a security threat or whatever, we plan to go production with cryptogen. It will also be nice if cryptogen is even more developed to cover other needs too :)
Best,
Hakan
|
|
Re: Hyperledger Fabric Scalability
Alok,
I wrote a couple of blog posts earlier this year on Hyperledger Fabric performance and scale.
There have been some more recent improvements that should improve performance even more when 2.0 ships.
I'll have another post up with those results. There are some additional efforts in the community where performance has been pushed even further.
Hope this helps.
Chris
|
|
Hi Suresh,
It must be the exact same folder with the exact same files when you install. But that's not for production, here's what you do:
1. In org1 where you instantiated the chaincode, run the command "peer chaincode package -n chaincodeName -p /path/to/save -v 1 chaincodeName.pak -l node"
2. Install the chaincodeName.pak in org 2 with the following command "peer chaincode install /path/to/chaincode/chaincodeName.pak"
That's the best way to always have the exact same chaincodes installed
On Wednesday, November 6, 2019 06:55:58 BRT, suresh <tedlasuresh@...> wrote:
Hi All,
Initially, I have Org1 in my fabric network. After that, I added Org2 into the consortium.
My question is: I already installed and instantiated the chaincode in org1. Now I install the same chaincode in Org2 peer nodes. But when I am querying the chaincode I am getting an error, i.e.
could not get chaincode code: chaincode fingerprint mismatch: data mismatch
Can anyone help regarding this issue?
Thanks
Suresh
|
|
Hi All,
Initially, I have Org1 in my fabric network. After that, I added Org2 into the consortium.
My question is: I already installed and instantiated the chaincode in org1. Now I install the same chaincode in Org2 peer nodes. But when I am querying the chaincode I am getting an error, i.e.
could not get chaincode code: chaincode fingerprint mismatch: data mismatch
Can anyone help regarding this issue?
Thanks
Suresh
|
|
Hyperledger Fabric Scalability
alok gupta <metech11@...>
Hello There,
We are conducting a POC for Oil & Gas retail automation, in which we are recording all digital/cash sales onto the Fabric ledger. We monitor the stock levels in the fuel tanks through a smart contract. The idea is to replace the current automation system in India, which requires massive investment in installation and maintenance. Our app is running successfully at a fuel station in Chandigarh, India.
My query is about the scalability of Fabric over the number of channels, organizations, and peers. Can we scale up our solution to connect the fuel companies (IOCL, HPCL, etc.) with India-wide fuel stations? I have seen other use cases like Walmart food safety where they are running a huge network on blockchain. To move forward with our idea, we need clarity on scalability. Please advise.
Thank you
Alok
|
|
Re: Testing tools for Hyperledger
Trevor, you can take a look at this tool. https://github.com/litong01/hfrd
Thanks.
Tong Li
IBM Open Technology
From: "Trevor Lee Oakley" <trevor@...>
To: <fabric@...>
Date: 11/05/2019 07:53 PM
Subject: [EXTERNAL] [Hyperledger Fabric] Testing tools for Hyperledger
Sent by: fabric@...
I need to test a HLF app, and I am seeking testing tools which can test the security, code audits, efficiency etc of the systems.
Are there any utilities for such testing?
Thanks
Trevor
|
|
Testing tools for Hyperledger
Trevor Lee Oakley <trevor@...>
I need to test a HLF app, and I am seeking testing tools which can test the security, code audits, efficiency etc of the systems.
Are there any utilities for such testing?
Thanks
Trevor
|
|
PBFT has an "all to all" message pattern, so it means that all nodes need to send to all nodes messages.
While it can sustain up to a third faults, it doesn't mean you'd want to run a deployment of PBFT where you'll have a third of the nodes disconnected....
From: "Ivan Ch" <acizlan@...>
To: fabric@...
Date: 11/05/2019 05:18 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...
If you have trouble opening ports between companies, you shouldn't use a Blockchain at all, since Blockchain is a decentralized peer to peer protocol.
This statement is so flawed; there is no such requirement in ALL public blockchains. At most you can say this is true for private/consortium blockchains; even that is terribly flawed, since even PBFT does, in theory, allow up to 1/3 disconnected peers. You can never build a consortium while expecting everyone will open firewalls to each other, especially for international projects. It just can't be done, period.
|
|
If you have trouble opening ports between companies, you shouldn't use a Blockchain at all, since Blockchain is a decentralized peer to peer protocol.
This statement is so flawed; there is no such requirement in ALL public blockchains. At most you can say this is true for private/consortium blockchains; even that is terribly flawed, since even PBFT does, in theory, allow up to 1/3 disconnected peers. You can never build a consortium while expecting everyone will open firewalls to each other, especially for international projects. It just can't be done, period.
|
|
Artem Barger <bartem@...>
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] solo to kafka
Date: Tue, Nov 5, 2019 10:32 AM
Dear Artem,
It seems that migration from solo to kafka is impossible, but solo to raft is possible in v1.4. Do you have some documentation about this? Can you give me some links or books?
Change from solo to raft permit me to have
Best regards.
Antonio Battaglia
On 05/11/2019 09:07, Artem Barger wrote:
No, this is not what I said. I said that there is no way to migrate from Solo to Kafka ordering service, and no one should use Solo for production. Changing the orderer type from Solo to Kafka is simply not supported; however, your Solo ledger will remain as-is.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: Artem Barger <bartem@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] solo to kafka
Date: Tue, Nov 5, 2019 8:02 AM
Dear Artem Barger,
Are you telling me that if I change the orderer I lose all the transactions in my ledger?
Is there no way to maintain the transactions?
Thanks for your answer.
Antonio
On 04/11/2019 23:30, Artem Barger wrote:
Migration from solo to kafka is not supported. Solo orderer should be used for development and testing only.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] solo to kafka
Date: Mon, Nov 4, 2019 8:45 PM
Hello everybody,
I want to change the orderer from solo to raft. I can switch off the network, but I want to maintain the data in the ledger after restarting with the new orderer.
Is it possible? I haven't found documentation.
Best regards.
Antonio
|
|
Dear Artem,
It seems that migration from solo to kafka is impossible, but solo to raft is possible in v1.4. Do you have some documentation about this? Can you give me some links or books?
Change from solo to raft permit me to have
Best regards.
Antonio Battaglia
On 05/11/2019 09:07, Artem Barger wrote:
No, this is not what I said. I said that there is no way to migrate from Solo to Kafka ordering service, and no one should use Solo for production. Changing the orderer type from Solo to Kafka is simply not supported; however, your Solo ledger will remain as-is.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: Artem Barger <bartem@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] solo to kafka
Date: Tue, Nov 5, 2019 8:02 AM
Dear Artem Barger,
Are you telling me that if I change the orderer I lose all the transactions in my ledger?
Is there no way to maintain the transactions?
Thanks for your answer.
Antonio
On 04/11/2019 23:30, Artem Barger wrote:
Migration from solo to kafka is not supported. Solo orderer should be used for development and testing only.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] solo to kafka
Date: Mon, Nov 4, 2019 8:45 PM
Hello everybody,
I want to change the orderer from solo to raft. I can switch off the network, but I want to maintain the data in the ledger after restarting with the new orderer.
Is it possible? I haven't found documentation.
Best regards.
Antonio
|
|
Artem Barger <bartem@...>
No, this is not what I said. I said that there is no way to migrate from Solo to Kafka ordering service, and no one should use Solo for production. Changing the orderer type from Solo to Kafka is simply not supported; however, your Solo ledger will remain as-is.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: Artem Barger <bartem@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] solo to kafka
Date: Tue, Nov 5, 2019 8:02 AM
Dear Artem Barger,
Are you telling me that if I change the orderer I lose all the transactions in my ledger?
Is there no way to maintain the transactions?
Thanks for your answer.
Antonio
On 04/11/2019 23:30, Artem Barger wrote:
Migration from solo to kafka is not supported. Solo orderer should be used for development and testing only.
----- Original message -----
From: "Battaglia TLC" <antonio@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] solo to kafka
Date: Mon, Nov 4, 2019 8:45 PM
Hello everybody,
I want to change the orderer from solo to raft. I can switch off the network, but I want to maintain the data in the ledger after restarting with the new orderer.
Is it possible? I haven't found documentation.
Best regards.
Antonio
|
|