Re: Alternative of cryptogen for Prod
Nothing beats cryptogen when it comes to convenience of creating crypto materials. If the auto-generated self-signed CA is preventing you from using cryptogen, then I would recommend a hack. With a small modification to its source code, cryptogen would start making use of user-supplied CA certificates for generating crypto-material instead of using auto-generated CA certificates.
Replace occurrences of:
```go
// generate signing CA
signCA, err := ca.NewCA(caDir, orgName, orgSpec.CA.CommonN....)
```
with
```go
signCA := getCA(caDir, orgSpec, orgSpec.CA.CommonName)
```
After the above change, cryptogen signs the crypto-material with the user-supplied CA instead of creating its own. Do remember to save your CA certificates in caDir, i.e. crypto-config --> peerOrganizations --> org1 --> ca, before running this tool. Other MSP folders would be populated after the cryptogen generate run. Also, main.go has very good documentation under comments on the various CSR attributes.
Best,
Re: Alternative of cryptogen for Prod
This is exactly what I am doing, using 2 CA servers, one for CA, another for TLS, in this utility project: https://github.com/yxuco/fabric-operation
The project shows you how to generate crypto using ca-servers, and how to deploy fabric networks in Kubernetes locally or in cloud, AWS or Azure. You can get a fabric network running and tested in EKS or AKS with only a handful of script calls!
I chose to use simple bash scripts in this project, so it does not have any unnecessary dependencies. Comments are welcome.
Re: Alternative of cryptogen for Prod
Abhijeet Bhowmik <abhijeet@...>
Hello Everyone.
I have followed this thorough discussion on crypto operations in HLF. Very enlightening. I would like to have a deep dig into the internal working of CAs and the significance of each type of certificate/key/artifact present in the folder structure of a peer's crypto material. It really confuses me how, in an ensemble of N organizations, 1 organization proves its authenticity and control over an entity and how the other N-1 orgs verify its signature on a txn. I simply take this as how SSL works: signing the hash with the private key to create a digitally signed entity which is verifiable using the public key. But now I am really confused, as while using cryptogen I never bothered about placing public keys of different orgs at every org and then configuring them to use it. It would be very much appreciated if someone points me towards the right direction to learn how HLF pulls off blockchain magic at the atomic level. I don't intend to bring up an HLF architecture as a black box. I need an insight.
Thanks and Regards Abhijeet Bhowmik
On Wed, Nov 6, 2019 at 9:53 PM Nye Liu < nye@...> wrote:
If this is truly the case, using two instances of ca-server (one for TLS, one for non-tls) should be trivial, as well as generating self-signed root certs to bootstrap the ca-server, as well as distributing the public root and intermediates to the various components.
fabric-ca-client enroll can be used for literally everything else (including TLS generation).

On 11/6/2019 8:18 AM, hakan eryargi wrote:
Well, being the author of these Helm charts, I believe I have a quite good understanding of what cryptogen generates and where to mount them ;)
For extending the network, the "cryptogen extend" command does a very good job, only creates what is missing, either new organizations or new peers in the organization.
I still fail to see any real issue for using cryptogen.
It creates self-signed certificates, not an issue for us.
It doesn't support intermediate certificates: not a requirement for us.
It puts San Francisco or sth to some value in the certificates, not nice but not a real issue.
So, still, it's the most convenient way as of now for us.
I also need to say, it's easy to say "don't use it in production" without providing a good alternative. As mentioned earlier, I just don't want to create certificates manually, neither want to write some scripts for that.
Best,
Hakan

On Wed, 6 Nov 2019 at 16:39, Nye Liu < nye@...> wrote:
Either way, a network is not static. At some point you are going to have to issue new MSPs, and in order to do that, you have to have an understanding of both the ca-server and the structure and purpose of every part of an MSP.
cryptogen both hides this from you, and does not permit easily adding new credentials and organizations.
In addition, cryptogen does some other very questionable things when it fires up a bunch of credentials as well (in the name of PoC and unit testing) - in particular, the overlap of TLS and non-transport credentials/CAs which is never recommended.
Do not use it for production networks.

On 11/6/2019 5:47 AM, Hakan Eryargi wrote:
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care about if root certificate is self-signed or not. Root certificate of an organization is encoded in the genesis block, Fabric only cares about it.
2. CA doesn't create the root certificate, you need feed it the root certificate so it can create other certificates. Peer, user, admin etc.
So either using CA or not, one needs to create the root certificate. IMHO doesn't really matter if self-signed or not. After that, it's a matter of choice use CA or cryptogen to create other certificates.
Please correct me if I am wrong about above.
Otherwise I don't see a real issue about using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including CA's, then use CA to register users. Our intention is using the same flow in production too unless someone provides a more convenient tool to create the initial certificates.
Best,
Hakan

Hakan,
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production. Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine

----- Original message -----
From: hakan eryargi <hakan.eryargi@...>
To: Abhijeet Bhowmik <abhijeet@...>
Cc: Joe Alewine <joe.alewine@...>, fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Wed, Nov 6, 2019 7:29 AM

Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor want to write some scripts for certificate creation. Maybe cryptogen is not intended for this purpose but best option for now, especially if you don't need additional stuff in certificates.
So, if there is no real issue with it, like a security threat or whatever, we plan to go production with cryptogen.
It will also be nice if cryptogen is even more developed to cover other needs too :)
Best,
Hakan

On Tue, Nov 5, 2019 at 4:40 AM Abhijeet Bhowmik < abhijeet@...> wrote:
Hey,
Thanks to all for the help. I am extremely grateful to everyone.
Abhijeet Bhowmik

Abhijeet,
Certificate Authorities --- specifically, the Fabric CA --- should be used to create all of the certificates in a production scenario (it is a best practice to stand up one CA for each organization and the organization's related identities, MSP, and nodes).
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine

----- Original message -----
From: "Nye Liu" <nye@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Sun, Nov 3, 2019 7:43 AM

It is described in the Operations Guide.

On 11/3/2019 1:11 AM, Abhijeet Bhowmik wrote:
Hey,
Just to be specific, I was referring to the certificates that we set up at peers and place public keys at orderer. From where do we obtain that folder structure (MSP and TLS)?
Thanks and Regards
Abhijeet Bhowmik

For prod, you'll need to generate certs from CAs.
References:
Cheers,
Mrudav

On Sun, 3 Nov 2019 at 10:22 AM, Abhijeet Bhowmik < abhijeet@...> wrote:
Greetings Everyone,
I am dwelling in the answer of the question: "If not cryptogen in Prod, then what and how?".
Right now, generating org certificates is a pretty straightforward task while getting started with HLF. But after reading the docs, the question has been thrown upon me that how can we configure certificates in Prod. I know it's a naive question to ask but being a beginner and stepping my first foot into actually hosting fabric application, I am obliged to ask the community to help me out.
Thanks and Regards
Abhijeet Bhowmik
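Added example (Go, not code from cryptogen, Fabric or any poster in this thread) for the two points above: an org's root CA issuing an identity certificate, as the patched cryptogen does with a user-supplied CA, and another org verifying that identity's signature with nothing but the signing org's root certificate, which is how the N-1 other orgs check a signature without ever holding every user's public key. The in-memory CAs, certificate fields and payload are constructed assumptions; a production MSP additionally applies intermediate certs, CRLs and NodeOU/admin rules on top of this chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newSelfSignedCA: an org's root CA built in memory (constructed stand-in for the
// CA an org operates in production, or the one cryptogen would otherwise mint).
func newSelfSignedCA(org string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca." + org, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueIdentity is the step the patched cryptogen performs with the user-supplied
// CA: a fresh key for a peer/admin/user, certified by the org CA (MSP signcerts).
func issueIdentity(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: caCert.Subject.Organization},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// certToPEM renders a certificate as it sits in an MSP folder (cacerts/ for the
// root, signcerts/ for the identity) and as it travels in a transaction's creator.
func certToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// signPayload: hash the payload and sign the digest with the identity's private
// key (ECDSA P-256 over SHA-256, Fabric's default suite).
func signPayload(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyOrgSignature is what each of the other N-1 orgs does, holding only the
// signing org's root cert(s) from the channel config (MSP cacerts): chain the
// signer's cert to those roots, then verify the signature with the public key
// inside that cert. No per-user public key ever needs to be distributed.
func verifyOrgSignature(orgRootsPEM, signerCertPEM, payload, sig []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(orgRootsPEM) {
		return errors.New("no usable root certificate for the signing org")
	}
	block, _ := pem.Decode(signerCertPEM)
	if block == nil {
		return errors.New("signer certificate is not PEM")
	}
	signer, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	// A production MSP also applies intermediate certs, CRLs and NodeOU/admin rules here.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return errors.New("certificate does not chain to the org's root: " + err.Error())
	}
	pub, _ := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(payload)
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the certified public key")
	}
	return nil
}
```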
Which cert should be copied for TLS( ca-cert.pem or tls-cert.pem)
#fabric-ca

Jeehoon Lim
Hi all. I'm studying the use of fabric CA. If Fabric CA Server runs without the 'TLS Enabled' option, it generates a ca-cert.pem file. If Fabric CA Server runs with the 'TLS Enabled' option, it generates both ca-cert.pem and tls-cert.pem files. I thought the tls-cert.pem file should be copied to the fabric clients to use TLS communication with the CA Server. But in the 'Setup TLS Server' section of the operation guide, it says like below:
"you would need to acquire the file located at /tmp/hyperledger/tls/ca/crypto/ca-cert.pem on the machine running the TLS CA server and copy this file over to the host where you will be running the CA client binary."
Which cert should be copied for TLS - ca-cert.pem or tls-cert.pem?
Regards, Jeehoon Lim
Meant to say "Restart the two peers in org1"...
Dave Enyeart
From: "David Enyeart" <enyeart@...>
To: "Joao Antunes" <joao.antunes@...>
Cc: fabric@...
Date: 11/06/2019 08:07 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Peers with different heights #fabric #database #consensus
Sent by: fabric@...
Often times issues like this are related to gossip misconfiguration.
Restart the two peers in org2 and then look at the peer logs. You should see some messages like this if everything is working well:
```
2019-11-06 19:30:35.997 EST [gossip.state] NewGossipStateProvider -> INFO 022 Updating metadata information, current ledger sequence is at = 7, next expected block is = 8
2019-11-06 19:30:38.002 EST [gossip.service] func1 -> INFO 032 Elected as a leader, starting delivery service for channel mychannel
2019-11-06 19:30:38.003 EST [deliveryClient] StartDeliverForChannel -> DEBU 033 This peer will pass blocks from orderer service to other peers for mychannel
2019-11-06 19:30:38.006 EST [deliveryClient] RequestBlocks -> DEBU 037 Starting deliver with block [8] for channel mychannel
2019-11-06 19:30:59.423 EST [gossip.channel] reportMembershipChanges -> INFO 047 Membership view has changed. peers went online: [[ 10.79.1.107:7053]] , current view: [[ 10.79.1.107:7053]]
```
In the above example, the peer is acting as the org leader and is disseminating blocks to other peers in the org. If the other peer is not in the 'membership view' (e.g. due to gossip misconfiguration or a network partition) then it won't be able to disseminate the blocks. You may see an error in peer logs explaining the reason.
If you are unsure about the gossip configuration, you could also force all peers to retrieve blocks from orderer by using the following config:
```
CORE_PEER_GOSSIP_USELEADERELECTION = false
CORE_PEER_GOSSIP_ORGLEADER = true
```
Note, two of the messages above were debug messages, so you'd have to set the logging as follows to see them: FABRIC_LOGGING_SPEC=info:deliveryClient=debug
These messages should probably be promoted to Info messages so that it is more clear how peers are receiving blocks. I've pushed a change to do just that: https://gerrit.hyperledger.org/r/#/c/fabric/+/34275/.
Dave Enyeart
From: "Joao Antunes" <joao.antunes@...>
To: fabric@...
Date: 11/06/2019 09:25 AM
Subject: [EXTERNAL] [Hyperledger Fabric] Peers with different heights #fabric #database #consensus
Sent by: fabric@...
Hi to all,
Currently, in my setup, I have 2 organizations with 2 peers each. I also have 2 Orderers, one per organization, and a CA per organization too. They use a Kafka and Zookeeper consensus mechanism. Running the `peer channel getinfo -c mychannel` command on all peers I receive the following:
```
Peer 1 org 1 - Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 1 - Blockchain info: {"height":2875,"currentBlockHash":"mz7qXXPLXNNMY5WMbOiuQdMebURa9NZL9FQsOu6Io3w=","previousBlockHash":"kfM/90uFTho48EXzphOX2ZFhIjgFKNzTjKK/z53hrhc="}
Peer 1 org 2 - Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 2 - Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
```
Peer 2 org 1 has a different height. Is there something that we can configure for it to be updated automatically? Is Kafka badly set up? Is something on the peer configs? Currently running the network on version 1.4.
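Added example (Go, not Fabric's own code) that reads peer log lines like the ones Dave quotes and turns them into the checks his reply describes: whether the peer is the org leader, which block it is delivering from, and which peers are in its membership view, so a peer stuck at a lower height can be explained. The sample log is the quoted lines embedded as a constructed string; that the membership view lists the other peers and not the peer itself, and the wording of the findings, are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: the lines quoted in the thread, as seen on the peer that
// won leader election for mychannel.
const sampleLog = `2019-11-06 19:30:35.997 EST [gossip.state] NewGossipStateProvider -> INFO 022 Updating metadata information, current ledger sequence is at = 7, next expected block is = 8
2019-11-06 19:30:38.002 EST [gossip.service] func1 -> INFO 032 Elected as a leader, starting delivery service for channel mychannel
2019-11-06 19:30:38.003 EST [deliveryClient] StartDeliverForChannel -> DEBU 033 This peer will pass blocks from orderer service to other peers for mychannel
2019-11-06 19:30:38.006 EST [deliveryClient] RequestBlocks -> DEBU 037 Starting deliver with block [8] for channel mychannel
2019-11-06 19:30:59.423 EST [gossip.channel] reportMembershipChanges -> INFO 047 Membership view has changed. peers went online: [[ 10.79.1.107:7053]] , current view: [[ 10.79.1.107:7053]]`

// GossipStatus is what the parser extracts from one peer's log.
type GossipStatus struct {
	Channel     string
	LedgerSeq   int      // "current ledger sequence is at"
	NextBlock   int      // "next expected block is"
	IsLeader    bool     // this peer won leader election
	DeliverFrom int      // block the deliver client requested from the orderer; -1 if none seen
	Members     []string // endpoints in the latest "current view"
}

var (
	reMetadata = regexp.MustCompile(`current ledger sequence is at = (\d+), next expected block is = (\d+)`)
	reLeader   = regexp.MustCompile(`Elected as a leader, starting delivery service for channel (\S+)`)
	reDeliver  = regexp.MustCompile(`Starting deliver with block \[(\d+)\] for channel (\S+)`)
	reView     = regexp.MustCompile(`current view: (\[.*\])`)
	reEndpoint = regexp.MustCompile(`\[\s*([^\[\]\s]+)\s*\]`) // one "[ host:port]" entry
)

// analyzeGossipLog scans the log line by line; later lines overwrite earlier ones,
// so the result reflects the peer's most recent state.
func analyzeGossipLog(log string) GossipStatus {
	st := GossipStatus{DeliverFrom: -1}
	for _, line := range strings.Split(log, "\n") {
		if m := reMetadata.FindStringSubmatch(line); m != nil {
			st.LedgerSeq, _ = strconv.Atoi(m[1])
			st.NextBlock, _ = strconv.Atoi(m[2])
		} else if m := reLeader.FindStringSubmatch(line); m != nil {
			st.IsLeader, st.Channel = true, m[1]
		} else if m := reDeliver.FindStringSubmatch(line); m != nil {
			st.DeliverFrom, _ = strconv.Atoi(m[1])
			st.Channel = m[2]
		} else if m := reView.FindStringSubmatch(line); m != nil {
			st.Members = nil
			for _, e := range reEndpoint.FindAllStringSubmatch(m[1], -1) {
				st.Members = append(st.Members, e[1])
			}
		}
	}
	return st
}

// diagnose turns the parsed status into the findings the reply tells you to look
// for. expectedPeers counts all peers in the org, including the one whose log this
// is; assumption: the membership view lists the other peers, not the peer itself.
func diagnose(st GossipStatus, expectedPeers int) []string {
	var findings []string
	if st.DeliverFrom < 0 {
		findings = append(findings, "no deliver client started: this peer depends on its org leader for blocks "+
			"(or the log lacks deliveryClient=debug, see FABRIC_LOGGING_SPEC)")
	}
	if st.IsLeader {
		if missing := expectedPeers - 1 - len(st.Members); missing > 0 {
			findings = append(findings, fmt.Sprintf("leader sees %d of %d org peers in its membership view; "+
				"%d cannot receive blocks via gossip: check gossip config or a network partition, or set "+
				"CORE_PEER_GOSSIP_USELEADERELECTION=false and CORE_PEER_GOSSIP_ORGLEADER=true on every peer",
				len(st.Members), expectedPeers-1, missing))
		}
	}
	return findings
}
```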
Re: Alternative of cryptogen for Prod
If this is truly the case, using two instances of ca-server (one for TLS, one for non-tls) should be trivial, as well as generating self-signed root certs to bootstrap the ca-server, as well as distributing the public root and intermediates to the various components.
fabric-ca-client enroll can be used for literally everything else (including TLS generation).
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Well, being the author of these Helm charts, I believe I have a quite good understanding of what cryptogen generates and where to mount them ;)
For extending the network, the "cryptogen extend" command does a very good job, only creates what is missing, either new organizations or new peers in the organization.
I still fail to see any real issue for using cryptogen.
It creates self-signed certificates, not an issue for us. It doesn't support intermediate certificates: not a requirement for us. It puts San Francisco or sth to some value in the certificates, not nice but not a real issue.
So, still, it's the most convenient way as of now for us.
I also need to say, it's easy to say "don't use it in production" without providing a good alternative. As mentioned earlier, I just don't want to create certificates manually, neither want to write some scripts for that.
Best, Hakan
Re: Alternative of cryptogen for Prod
To digress a bit:
I think the biggest confusion with the ca-server is issuing TLS certs (which end up in an MSP, and not in a way a TLS server can use them), and having to manually copy various things around (in particular, managing the contents of admincerts/ in an MSP by hand).
The operations process could definitely be streamlined and documented better, but ultimately I think the biggest challenge in any architecture that has a complex security model is education. There simply isn't a way to manage such a system w/o a ton of security knowledge and experience. You can't just write a simple user-friendly tool that does everything for you.
So when somebody encounters a tool like cryptogen, and sees that it does everything for them magically, of course they're going to gravitate towards that instead of doing the really hard work of learning all the obscure bits and pieces of a complex security architecture, let alone designing one.
On 11/6/2019 8:01 AM, thomas wrote:
In my view, the issue isn't whether you're using cryptogen or a CA, but one needs to understand the security architecture that must be supported. Yes, cryptogen does not support the root of trust problem, and may not be appropriate in that context. I've also seen people take secret material from a CA-based process and openly share that (not understanding how PKI actually works).
Understand the requirements, security architecture, define the processes, and THEN select the proper set of tools.
Tom
Re: Alternative of cryptogen for Prod
In my view, the issue isn’t whether you’re using cryptogen or a CA, but one needs to understand the security architecture that must be supported. Yes, cryptogen does not support the root of trust problem, and may not be appropriate in that context. I’ve also seen people take secret material from a CA-based process and openly share that (not understanding how PKI actually works).
Understand the requirements, security architecture, define the processes, and THEN select the proper set of tools.
Tom
From: "fabric@..." <fabric@...> on behalf of Joe Alewine <joe.alewine@...>
Date: Wednesday, November 6, 2019 at 6:36 AM
To: "fabric@..." <fabric@...>
Subject: Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production.
Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
----- Original message -----
From: hakan eryargi <hakan.eryargi@...>
To: Abhijeet Bhowmik <abhijeet@...>
Cc: Joe Alewine <joe.alewine@...>, fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Wed, Nov 6, 2019 7:29 AM
Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor want to write some scripts for certificate creation. Maybe cryptogen is not intended for this purpose, but it is the best option for now, especially if you don't need additional stuff in certificates.
So, if there is no real issue with it, like a security threat or whatever, we plan to go to production with cryptogen.
It would also be nice if cryptogen were developed further to cover other needs too :)
Best,
On Tue, Nov 5, 2019 at 4:40 AM Abhijeet Bhowmik <abhijeet@...> wrote:
Hey,
Thanks to all for the help. I am extremely grateful to everyone.
Certificate Authorities --- specifically, the Fabric CA --- should be used to create all of the certificates in a production scenario (it is a best practice to stand up one CA for each organization and the organization's related identities, MSP, and nodes).
----- Original message -----
From: "Nye Liu" <nye@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Sun, Nov 3, 2019 7:43 AM
It is described in the Operations Guide.
On 11/3/2019 1:11 AM, Abhijeet Bhowmik wrote:
Hey,
Just to be specific, I was referring to the certificates that we set up at peers and place public keys at orderer. From where do we obtain that folder structure (MSP and TLS)?
For prod, you’ll need to generate certs from CAs. References:
On Sun, 3 Nov 2019 at 10:22 AM, Abhijeet Bhowmik <abhijeet@...> wrote:
Greetings Everyone,
I am dwelling on the answer to the question: "If not cryptogen in Prod, then what and how?".
Right now, generating org certificates is a pretty straightforward task while getting started with HLF. But after reading the docs, the question has been thrown at me of how we can configure certificates in Prod. I know it's a naive question to ask, but being a beginner and stepping my first foot into actually hosting a fabric application, I am obliged to ask the community to help me out.
Re: Alternative of cryptogen for Prod
1) You should not be using the ca-server to create root certificates either, IMO. You should have enough understanding of SSL to know how to create your own.
In addition, ideally your TLS architecture should be separate from your non-transport credentials. One is for encryption, the other is for authentication. They're two separate things.
2) You will run into a ton of issues trying to create new credentials with cryptogen and adding them to an existing network.
On 11/6/2019 6:28 AM, Hakan Eryargi wrote:
Jean-Gaël,
Ah, I wasn't aware the CA can create the root certificate, good to know.
Jean-Gaël and Joe,
Fabric is a permissioned network. If other members accept me to join the network, why do they care whether my certificate is self-signed or not? They trust me first of all; that's more important than trusting the CA.
To my understanding, trusted CAs exist and are required mostly for public domains. This is in contrast with Fabric.
Maybe in some special occurrences it might make sense, for example peers deciding to accept another peer organization based on its certificate.
In our case, we will provide everything as a managed service, that is we will run all the Fabric nodes and also application components to make on-boarding easy for participants. So I guess in our case the question collapses into whether we trust ourselves :) Also the fact that we need to manage so many certificates makes using cryptogen more appealing.
Best,
Hakan
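Both points raised in the two replies above, TLS certificates landing in an MSP where a TLS server cannot use them and admincerts/ being assembled by hand, and TLS trust being kept apart from the non-transport (signing) trust, come down to the directory layout and to which root signs what. The script below is an added example written for this page; it is not code from the thread, from cryptogen or from fabric-ca. It builds a cryptogen-like MSP tree for one peer with openssl, using two separate roots, and then checks that neither root can validate the other's leaf. Everything specific in it is an assumption of the example: the org name org1.example.com, the peer0 and Admin@ names, the file names under msp/ and tls/, the extension profiles, and the "shared" mode that imitates a single root signing both kinds of certificate. It needs a POSIX shell and openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example for this page, not code from the thread, cryptogen or fabric-ca.
# Builds a Fabric-style MSP tree for one peer with TWO independent roots (an
# identity/signing CA and a TLS CA) and checks that each leaf chains only to
# its own root. Assumes POSIX sh + openssl 1.1.1 or later; org1.example.com,
# peer0 and Admin@ are placeholder names.
set -eu

ORG=${ORG:-org1.example.com}
MSP_DIR=""   # set by build_peer_msp
TLS_DIR=""   # set by build_peer_msp

# openssl config: empty DN section (subjects come from -subj) and one extension
# profile per certificate role. $1 = output path.
write_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[identity]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[tls]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:peer0.$ORG, DNS:localhost
EOF
}

# Self-signed P-256 root. $1 = dir, $2 = CN, $3 = cnf
make_root() {
  mkdir -p "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -sha256 -days 3650 -key "$1/ca.key" -subj "/O=$ORG/CN=$2" \
    -config "$3" -extensions v3_ca -out "$1/ca.crt" 2>/dev/null
}

# Leaf signed by a root. $1 = root dir, $2 = out prefix, $3 = subject, $4 = cnf, $5 = profile
issue_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$2.key"
  openssl req -new -sha256 -key "$2.key" -subj "$3" -config "$4" -out "$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$4" -extensions "$5" -out "$2.crt" 2>/dev/null
  rm -f "$2.csr"
}

# Lay out peers/peer0.<org>/{msp,tls} under $1. $2 = "separate" (TLS CA is its
# own root) or "shared" (one root signs identity and TLS certs, the overlap the
# thread warns about).
build_peer_msp() {
  work=$1; cnf=$work/openssl.cnf; idca=$work/ca; tlsca=$work/tlsca
  write_cnf "$cnf"
  make_root "$idca" "ca.$ORG" "$cnf"
  if [ "$2" = shared ]; then
    mkdir -p "$tlsca"; cp "$idca/ca.key" "$idca/ca.crt" "$tlsca/"
  else
    make_root "$tlsca" "tlsca.$ORG" "$cnf"
  fi
  MSP_DIR=$work/peers/peer0.$ORG/msp; TLS_DIR=$work/peers/peer0.$ORG/tls
  mkdir -p "$MSP_DIR/cacerts" "$MSP_DIR/tlscacerts" "$MSP_DIR/signcerts" \
           "$MSP_DIR/keystore" "$MSP_DIR/admincerts" "$TLS_DIR"
  issue_leaf "$idca"  "$work/peer0-id"  "/O=$ORG/OU=peer/CN=peer0.$ORG"  "$cnf" identity
  issue_leaf "$idca"  "$work/admin-id"  "/O=$ORG/OU=admin/CN=Admin@$ORG" "$cnf" identity
  issue_leaf "$tlsca" "$work/peer0-tls" "/O=$ORG/CN=peer0.$ORG"          "$cnf" tls
  cp "$idca/ca.crt"        "$MSP_DIR/cacerts/ca.$ORG-cert.pem"
  cp "$tlsca/ca.crt"       "$MSP_DIR/tlscacerts/tlsca.$ORG-cert.pem"
  cp "$work/peer0-id.crt"  "$MSP_DIR/signcerts/peer0.$ORG-cert.pem"
  cp "$work/peer0-id.key"  "$MSP_DIR/keystore/priv_sk"
  cp "$work/admin-id.crt"  "$MSP_DIR/admincerts/Admin@$ORG-cert.pem"
  cp "$work/peer0-tls.crt" "$TLS_DIR/server.crt"
  cp "$work/peer0-tls.key" "$TLS_DIR/server.key"
  cp "$tlsca/ca.crt"       "$TLS_DIR/ca.crt"
}

# Succeeds only if identity and TLS trust are disjoint: the signing cert
# verifies against cacerts/ but not tlscacerts/, the TLS cert the reverse,
# and only the TLS cert carries the serverAuth EKU. $1 = msp dir, $2 = tls dir
verify_separation() {
  idroot=$1/cacerts/ca.$ORG-cert.pem; tlsroot=$1/tlscacerts/tlsca.$ORG-cert.pem
  sign=$1/signcerts/peer0.$ORG-cert.pem; srv=$2/server.crt
  openssl verify -CAfile "$idroot"  "$sign" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$tlsroot" "$srv"  >/dev/null 2>&1 || return 1
  if openssl verify -CAfile "$tlsroot" "$sign" >/dev/null 2>&1; then return 1; fi
  if openssl verify -CAfile "$idroot"  "$srv"  >/dev/null 2>&1; then return 1; fi
  openssl x509 -in "$srv" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
  if openssl x509 -in "$sign" -noout -text | grep -q 'TLS Web Server Authentication'; then return 1; fi
}

if [ "${1:-}" = run ]; then
  build_peer_msp "$(mktemp -d)" separate
  verify_separation "$MSP_DIR" "$TLS_DIR" && echo "separate roots OK: $MSP_DIR"
fi
```

Run it as `sh <file> run` to build a tree under a temporary directory. Calling `build_peer_msp <dir> shared` and then `verify_separation` is the negative case: it fails because the TLS root also validates the signing certificate, which is exactly the overlap described above. The extension profiles are deliberately narrow (the identity certificate carries only digitalSignature and no extendedKeyUsage, the TLS certificate carries serverAuth and clientAuth plus the peer's SAN), so a verifier that checks key usage rejects a leaf presented in the wrong role even when the signature chains.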
Re: Alternative of cryptogen for Prod
Either way, a network is not static. At some point you are going to have to issue new MSPs, and in order to do that, you have to have an understanding of both the ca-server and the structure and purpose of every part of an MSP.
cryptogen both hides this from you, and does not permit easily adding new credentials and organizations.
In addition, cryptogen does some other very questionable things when it fires up a bunch of credentials as well (in the name of PoC and unit testing) - in particular, the overlap of TLS and non-transport credentials/CAs, which is never recommended.
Do not use it for production networks.
On 11/6/2019 5:47 AM, Hakan Eryargi wrote:
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care whether the root certificate is self-signed or not. The root certificate of an organization is encoded in the genesis block; Fabric only cares about that.
2. The CA doesn't create the root certificate; you need to feed it the root certificate so it can create the other certificates: peer, user, admin etc.
So, whether using a CA or not, one needs to create the root certificate. IMHO it doesn't really matter if it is self-signed or not. After that, it's a matter of choice whether to use the CA or cryptogen to create the other certificates.
Please correct me if I am wrong about the above.
Otherwise I don't see a real issue with using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including the CAs, then use the CA to register users. Our intention is to use the same flow in production too, unless someone provides a more convenient tool to create the initial certificates.
Best,
Hakan
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Jean-Gaël,
Ah, I wasn't aware the CA can create the root certificate, good to know.
Jean-Gaël and Joe,
Fabric is a permissioned network. If other members accept me to join the network, why do they care whether my certificate is self-signed or not? They trust me first of all; that's more important than trusting the CA.
To my understanding, trusted CAs exist and are required mostly for public domains. This is in contrast with Fabric.
Maybe in some special occurrences it might make sense, for example peers deciding to accept another peer organization based on its certificate.
In our case, we will provide everything as a managed service, that is we will run all the Fabric nodes and also application components to make on-boarding easy for participants. So I guess in our case the question collapses into whether we trust ourselves :) Also the fact that we need to manage so many certificates makes using cryptogen more appealing.
Best, Hakan
Hi to all,
Currently, in my setup, I have 2 organizations with 2 peers each. I also have 2 orderers, one per organization, and a CA per organization too. They use a Kafka and ZooKeeper consensus mechanism. Running the `peer channel getinfo -c mychannel` command on all peers I receive the following:
Peer 1 org 1 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 1 -
Blockchain info: {"height":2875,"currentBlockHash":"mz7qXXPLXNNMY5WMbOiuQdMebURa9NZL9FQsOu6Io3w=","previousBlockHash":"kfM/90uFTho48EXzphOX2ZFhIjgFKNzTjKK/z53hrhc="}
Peer 1 org 2 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 2 -
Blockchain info: {"height":4120,"currentBlockHash":"rmA39fxfCBU5AcGEOq6gErwtBILcucnhcAbnPQ7y2m0=","previousBlockHash":"toGGvdXZZwiCg2ncC7jcWkbUvfmuohEtT45YSUutZLA="}
Peer 2 org 1 has a different height. Is there something we can configure for it to be updated automatically? Is Kafka badly set up? Is it something in the peer configs?
Currently running the network on version 1.4.
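As an added example (not from the post above and not part of Fabric's own tooling), the script below takes the `peer channel getinfo` output from several peers and separates ordinary lag from divergence: a peer that is merely behind reports a lower height, while a peer that sits at the same height as the others but reports a different currentBlockHash holds a different block, which is a separate and more serious condition that does not fix itself. The sample lines are constructed from the heights in the post, with the hashes shortened and the peer labels invented.

```shell
#!/bin/sh
# Added example (not from the post above): compare `peer channel getinfo`
# output from several peers and tell ordinary lag apart from divergence.
# Input is one line per peer, "label|<getinfo output>". SAMPLE is constructed
# from the heights in the post, with the hashes shortened and labels invented.
set -eu

SAMPLE='peer1.org1|Blockchain info: {"height":4120,"currentBlockHash":"rmA39f","previousBlockHash":"toGGvd"}
peer2.org1|Blockchain info: {"height":2875,"currentBlockHash":"mz7qXX","previousBlockHash":"kfM/90"}
peer1.org2|Blockchain info: {"height":4120,"currentBlockHash":"rmA39f","previousBlockHash":"toGGvd"}
peer2.org2|Blockchain info: {"height":4120,"currentBlockHash":"rmA39f","previousBlockHash":"toGGvd"}'

# Reads "label|Blockchain info: {...}" lines on stdin and prints one verdict
# per peer. Exit status: 0 = every peer at the same height with the same
# currentBlockHash; 1 = at least one peer is behind the highest height;
# 2 = a peer at the highest height reports a different currentBlockHash than
# the first peer seen at that height (two peers disagree on the same block).
compare_heights() {
  awk -F'|' '
  {
    h = $2; sub(/.*"height":/, "", h); sub(/[^0-9].*/, "", h)
    c = $2; sub(/.*"currentBlockHash":"/, "", c); sub(/".*/, "", c)
    order[++n] = $1; height[$1] = h + 0; hash[$1] = c
    if (h + 0 > max) max = h + 0
  }
  END {
    rc = 0
    for (i = 1; i <= n; i++) if (height[order[i]] == max) { ref = hash[order[i]]; break }
    for (i = 1; i <= n; i++) {
      l = order[i]
      if (height[l] < max) {
        printf "%s: LAGGING by %d blocks (height %d < %d)\n", l, max - height[l], height[l], max
        if (rc < 1) rc = 1
      } else if (hash[l] != ref) {
        printf "%s: DIVERGED at height %d (hash %s != %s)\n", l, height[l], hash[l], ref
        rc = 2
      } else {
        printf "%s: in sync at height %d\n", l, height[l]
      }
    }
    exit rc
  }'
}

if [ "${1:-}" = run ]; then
  printf '%s\n' "$SAMPLE" | compare_heights || echo "exit status $?"
fi
```

With the numbers from the post it exits 1 and reports peer2.org1 as lagging by 1245 blocks, which is the catch-up case; exit status 2 only fires when two peers disagree at the same height, and that is the case to investigate before touching anything else. Feed it real output by prefixing each peer's `getinfo` line with a label and a `|`.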
Re: Alternative of cryptogen for Prod
Joe Alewine <joe.alewine@...>
Hakan,
Fabric doesn't care if you use certificates you wrote on a cocktail napkin. You could probably, technically speaking, use the same certificate everywhere, for everything. But that does not mean that this would be a "production" deployment.
The need for true Root CAs and Certificate Authorities in general is not something Hyperledger Fabric invented. It's a standard part of Public Key Infrastructure. Other organizations rely on their trust in the Root CA cert to validate certificates. No one in a production environment is going to trust cryptogen.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
----- Original message ----- From: "Hakan Eryargi" <hakan.eryargi@...> Sent by: fabric@... To: Joe Alewine <joe.alewine@...>, jgdomine@... Cc: fabric@... Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod Date: Wed, Nov 6, 2019 8:47 AM
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care whether the root certificate is self-signed or not. The root certificate of an organization is encoded in the genesis block; Fabric only cares about that.
2. The CA doesn't create the root certificate; you need to feed it the root certificate so it can create the other certificates: peer, user, admin etc.
So, whether using a CA or not, one needs to create the root certificate. IMHO it doesn't really matter if it is self-signed or not. After that, it's a matter of choice whether to use the CA or cryptogen to create the other certificates.
Please correct me if I am wrong about the above.
Otherwise I don't see a real issue with using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including the CAs, then use the CA to register users. Our intention is to use the same flow in production too, unless someone provides a more convenient tool to create the initial certificates.
Best,
Hakan
Re: Alternative of cryptogen for Prod
Jean-Gaël Dominé <jgdomine@...>
Hi Hakan
For 2), you have several options: a) the CA generates a self-signed certificate and key, or b) you provide them to the CA (manually or via an HSM). So the CA does create the root certificate if you want it to.
As for 1), I agree that it is encoded in the genesis block, but how can two organizations trust each other if you use self-signed certificates that cannot be verified by a public certification authority? To me, the fact that the Fabric network runs correctly and trusts everything happening in it does not by itself make it a trustworthy Hyperledger blockchain. You need to be sure that the participants are who they pretend to be, and to me this is not possible through the use of cryptogen.
But again, this is my understanding of Hyperledger Fabric.
Regards,
JG
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Hi Jean-Gaël and Joe,
This is not my understanding.
1. Fabric doesn't care whether the root certificate is self-signed or not. The root certificate of an organization is encoded in the genesis block; Fabric only cares about that.
2. The CA doesn't create the root certificate; you need to feed it the root certificate so it can create the other certificates: peer, user, admin etc.
So, whether using a CA or not, one needs to create the root certificate. IMHO it doesn't really matter if it is self-signed or not. After that, it's a matter of choice whether to use the CA or cryptogen to create the other certificates.
Please correct me if I am wrong about the above.
Otherwise I don't see a real issue with using cryptogen in production.
In our flow, we create all the initial certificates with cryptogen, launch the network including the CAs, then use the CA to register users. Our intention is to use the same flow in production too, unless someone provides a more convenient tool to create the initial certificates.
Best, Hakan
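The disagreement between Hakan and Jean-Gaël above comes down to two separate questions: what Fabric itself checks (does an identity chain to a root listed in the organization's MSP?) and how organizations decide which roots to trust. The following is an added example, not code from this thread or from Hyperledger Fabric; it uses Go's standard crypto/x509 package as a simplified stand-in for an MSP's certificate validation. The organization names, the peer name and the one-day validity periods are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key, the curve Fabric identities use by default.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustParse turns the DER produced by x509.CreateCertificate into a Certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// selfSignedRoot builds a self-signed CA certificate for an organization,
// the kind of root cryptogen (or a freshly bootstrapped Fabric CA) emits.
func selfSignedRoot(org string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca." + org, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed short lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// issueIdentity signs a peer/user/admin certificate under the given root,
// as a Fabric CA does once it has been fed that root certificate and key.
func issueIdentity(cn, org string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey))
}

// acceptedByMSP models the check an organization's MSP performs on an
// identity: the certificate must chain to one of the root certificates
// configured for that MSP (the cacerts folder). Nothing here asks whether
// the root itself is self-signed or publicly issued.
func acceptedByMSP(id *x509.Certificate, mspRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range mspRoots {
		pool.AddCert(r)
	}
	_, err := id.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// rootFingerprint is the value operators compare out-of-band before adding
// another organization's root to a channel configuration: with self-signed
// roots, the trust decision is made by the people exchanging this hash.
func rootFingerprint(root *x509.Certificate) string {
	sum := sha256.Sum256(root.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	org1Key := newKey()
	org1Root := selfSignedRoot("org1.example.com", org1Key)
	org2Key := newKey()
	org2Root := selfSignedRoot("org2.example.com", org2Key)
	peer := issueIdentity("peer0.org1.example.com", "org1.example.com", org1Root, org1Key)

	fmt.Println("peer0 accepted by Org1 MSP:", acceptedByMSP(peer, org1Root)) // true
	fmt.Println("peer0 accepted by Org2 MSP:", acceptedByMSP(peer, org2Root)) // false
	fmt.Println("Org1 root SHA-256:", rootFingerprint(org1Root))
}
```

The example shows both sides of the argument at once: the chain check succeeds against the issuing organization's self-signed root and fails against another organization's root, so a self-signed root is technically sufficient for Fabric's own validation, while the fingerprint is the out-of-band step that makes the other organization's root trustworthy to you, which is the step a public CA would otherwise perform.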
Re: Alternative of cryptogen for Prod
Joe Alewine <joe.alewine@...>
Hakan,
Generating certificates using a Certificate Authority (and not cryptogen) is a fact of life for Hyperledger Fabric users who are interested in deploying something in production. Cryptogen is a handy tool for application developers who only want to deploy a network they can test smart contracts and apps against and explicitly not meant (or supported) for production networks. It's analogous to printing your own identification card at home and expecting that government agencies and businesses will accept it as being valid.
The sooner you get used to creating certificates and MSPs using a CA, the better off you will be.
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
----- Original message -----
From: hakan eryargi <hakan.eryargi@...>
To: Abhijeet Bhowmik <abhijeet@...>
Cc: Joe Alewine <joe.alewine@...>, fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Wed, Nov 6, 2019 7:29 AM
Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor do I want to write scripts for certificate creation. Maybe cryptogen is not intended for this purpose, but it is the best option for now, especially if you don't need additional stuff in certificates.
So, if there is no real issue with it, like a security threat or whatever, we plan to go to production with cryptogen.
It will also be nice if cryptogen is developed further to cover other needs too :)
Best,
Hakan
On Tue, Nov 5, 2019 at 4:40 AM Abhijeet Bhowmik <abhijeet@...> wrote:
Hey,
Thanks to all for the help. I am extremely grateful to everyone.
Abhijeet Bhowmik
Abhijeet,
Certificate Authorities --- specifically, the Fabric CA --- should be used to create all of the certificates in a production scenario (it is a best practice to stand up one CA for each organization and the organization's related identities, MSP, and nodes).
Regards,
Joe Alewine
IBM Blockchain, Raleigh
rocket chat: joe-alewine
slack: joe.alewine
----- Original message -----
From: "Nye Liu" <nye@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Alternative of cryptogen for Prod
Date: Sun, Nov 3, 2019 7:43 AM
It is described in the Operations Guide.
On 11/3/2019 1:11 AM, Abhijeet Bhowmik wrote:
Hey,
Just to be specific, I was referring to the certificates that we set up at peers and place public keys at orderer. From where do we obtain that folder structure (MSP and TLS)?
Thanks and Regards
Abhijeet Bhowmik
For prod, you’ll need to generate certs from CAs. References:
Cheers,
Mrudav
On Sun, 3 Nov 2019 at 10:22 AM, Abhijeet Bhowmik <abhijeet@...> wrote:
Greetings Everyone,
I am dwelling on the answer to the question: "If not cryptogen in Prod, then what and how?".
Right now, generating org certificates is a pretty straightforward task while getting started with HLF. But after reading the docs, the question has been thrown at me of how we can configure certificates in Prod. I know it's a naive question to ask, but being a beginner and stepping my first foot into actually hosting a Fabric application, I am obliged to ask the community to help me out.
Thanks and Regards
Abhijeet Bhowmik
Re: Alternative of cryptogen for Prod
Jean-Gaël Dominé <jgdomine@...>
Hi,
cryptogen uses self-signed root certificates to generate all the other certificates and keys. IMHO one of the purposes of a blockchain is to bring trust between entities that do not necessarily "trust" each other. As the certificates and keys are used by Fabric to ensure that every component participating in the network is who it pretends to be and is also authorized to perform its actions, I don't see how it can work with self-signed certificates. That is what the CA (or a replacement) is there for: you should use root certificates that can be verified by a certification authority.
To me, cryptogen should never be used beyond development environments.
I'm no expert in this matter, but that is my understanding of Fabric on this aspect.
Hope this helps,
JG
Re: Alternative of cryptogen for Prod

Hakan Eryargi
Hi,
To my knowledge, cryptogen is the most convenient tool for now to create the initial certificates.
I don't want to create the certificates manually, nor do I want to write scripts for certificate creation. Maybe cryptogen is not intended for this purpose, but it is the best option for now, especially if you don't need additional stuff in certificates. So, if there is no real issue with it, like a security threat or whatever, we plan to go to production with cryptogen. It will also be nice if cryptogen is developed further to cover other needs too :)
Best,
Hakan