Fabric CA HSM integration #fabric-ca #hsm


florian.pautot <flpautot@...>
 

Hello,
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/lib/libcs_pkcs11_R2.so
    Pin: *********
    SensitiveKeys: true
    SoftwareVerify: true
    Label: Hyperledger Slot
    Hash: SHA2
    Security: 256
If I use this config, my CA crashes with the following error:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to config the CA with the ENV var, I use this:
FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/libcs_pkcs11_R2.so
FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=Hyperledger Slot
FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=*********
FABRIC_CA_SERVER_BCCSP_PKCS11_SENSITIVEKEYS=true
FABRIC_CA_SERVER_BCCSP_PKCS11_SOFTWAREVERIFY=true
FABRIC_CA_SERVER_BCCSP_PKCS11_HASH=SHA2
FABRIC_CA_SERVER_BCCSP_PKCS11_SECURITY=256
But when the CA launches, it still uses the default configuration with the SW config, and does not take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so the problem does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
Florian


Gari Singh <garis@...>
 

Try setting default to “pkcs11” rather than “PKCS11”

Gari Singh
978-846-7499



On Jun 26, 2019, at 2:08 AM, florian.pautot <flpautot@...> wrote:

Hello,
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/lib/libcs_pkcs11_R2.so
    Pin: 123456789
    SensitiveKeys: true
    SoftwareVerify: true
    Label: Hyperledger Slot
    Hash: SHA2
    Security: 256
If I use this config, my CA crashes with the following error:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to config the CA with the ENV var, I use this:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/libcs_pkcs11_R2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=Hyperledger Slot
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=*********
- FABRIC_CA_SERVER_BCCSP_PKCS11_SENSITIVEKEYS=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_SOFTWAREVERIFY=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_HASH=SHA2
- FABRIC_CA_SERVER_BCCSP_PKCS11_SECURITY=256
But when the CA launches, it still uses the default configuration with the SW config, and does not take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so the problem does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
Florian

 



huxd@...
 

Hi Florian,
 
What version of fabric-ca source code are you using?
 
The following line in the error message you pasted indicates that pkcs11 was not actually enabled when fabric-ca-server was built:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
 
Otherwise it will look like this:
2019/06/27 03:04:29 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000078b00 PluginOpts:<nil> Pkcs11Opts:<nil>}
You can see a "Pkcs11Opts" field appear here (in my case I didn't specify pkcs11 options in my config yaml, so it's nil).
 
This happened in old versions of fabric because the pkcs11 tag you specified in your command was not actually passed when building the docker image (as opposed to building the native binary), but I see this has been fixed in the latest 2.0.0 code.
 
Hu Xiang Dong (胡香冬)
IBM Blockchain Platform development
China Systems Lab
Email: huxd@...
 
 

----- Original message -----
From: "Gari Singh" <garis@...>
Sent by: fabric@...
To: "florian.pautot" <flpautot@...>
Cc: fabric@...
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Fabric CA HSM integration #fabric-ca
Date: Wed, Jun 26, 2019 6:05 PM
 
Try setting default to “pkcs11” rather than “PKCS11”
 
Gari Singh
978-846-7499
 
 

On Jun 26, 2019, at 2:08 AM, florian.pautot <flpautot@...> wrote:
 
Hello,
I am trying to integrate our HSM with the Fabric CA, but I can't seem to make it work.
I am following the configuration I found in several places, including in the HSM documentation, the HSM config is good and working, but not the Fabric CA's.
I could definitely use your help.

I built the image from the CA sources with the following command, because I read that the default release of the CA docker image does not support PKCS11 by default:

GO_TAGS=pkcs11 sudo make docker

For the BCCSP configuration in the fabric-ca-server-config.yaml, I have the following elements:
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/lib/libcs_pkcs11_R2.so
    Pin: 123456789
    SensitiveKeys: true
    SoftwareVerify: true
    Label: Hyperledger Slot
    Hash: SHA2
    Security: 256
If I use this config, my CA crashes with the following error:
9/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2019/06/26 05:53:15 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find default `PKCS11` BCCSP
If I try to config the CA with the ENV var, I use this:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- CS_PKCS11_R2_CFG=/etc/ultimaco/cs_pkcs11_R2.cfg
- FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
- FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/libcs_pkcs11_R2.so
- FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=Hyperledger Slot
- FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=*********
- FABRIC_CA_SERVER_BCCSP_PKCS11_SENSITIVEKEYS=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_SOFTWAREVERIFY=true
- FABRIC_CA_SERVER_BCCSP_PKCS11_HASH=SHA2
- FABRIC_CA_SERVER_BCCSP_PKCS11_SECURITY=256
But when the CA launches, it still uses the default configuration with the SW config, and does not take the env vars into account. On the other hand, after several tests, I can interact with the HSM from the CA container, so the problem does not come from the HSM config.
Any help would be greatly appreciated.
Thank you.
Kind regards,
Florian
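
The diagnostic Hu describes (look for a Pkcs11Opts field in the "Initializing BCCSP" debug line) can be scripted, so that a PKCS11-less build is told apart from a bad bccsp configuration before anyone touches the YAML or the env vars. The script below is an added example and is not part of fabric-ca or of this thread. The log-line check is exactly Hu's observation; the binary check is my own heuristic assumption: the factory compiled in by GO_TAGS=pkcs11 imports fabric's bccsp/pkcs11 package, and Go keeps import paths in a binary's function names, so a SW-only build should never contain that string. The "fabric-ca-server start -d" invocation in the comments is the server's normal debug flag.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread; it is not part of
# fabric-ca. It separates "the binary was built without the PKCS11 factory"
# from "the PKCS11 configuration is wrong", using two signals.

# Signal 1: the "Initializing BCCSP" debug line. A build without the pkcs11
# tag compiles a FactoryOpts struct that has no Pkcs11Opts field, so the
# line prints only SwOpts and PluginOpts. Prints one of:
#   pkcs11-capable | sw-only | unknown
bccsp_log_verdict() {
  case "$1" in
    *"Initializing BCCSP:"*"Pkcs11Opts:"*) echo pkcs11-capable ;;
    *"Initializing BCCSP:"*)               echo sw-only ;;
    *)                                     echo unknown ;;
  esac
}

# Signal 1 over a whole debug log file: the first conclusive line wins.
classify_bccsp_log() {
  while IFS= read -r line; do
    v=$(bccsp_log_verdict "$line")
    if [ "$v" != unknown ]; then
      echo "$v"
      return 0
    fi
  done < "$1"
  echo unknown
}

# Signal 2: the binary itself. Heuristic (my assumption, not something the
# thread states): the factory compiled in by GO_TAGS=pkcs11 imports fabric's
# bccsp/pkcs11 package, and Go keeps import paths in the binary's function
# names, so a SW-only build never contains that string. Prints yes or no.
binary_has_pkcs11_factory() {
  if grep -a -q "bccsp/pkcs11" "$1"; then echo yes; else echo no; fi
}

# Combine both signals into an action.
#   $1: path to the fabric-ca-server binary
#   $2: log captured from "fabric-ca-server start -d"
diagnose() {
  bin=$(binary_has_pkcs11_factory "$1")
  log=$(classify_bccsp_log "$2")
  if [ "$bin" = no ] || [ "$log" = sw-only ]; then
    echo "rebuild: binary has no PKCS11 factory (the pkcs11 build tag was not applied)"
  elif [ "$log" = pkcs11-capable ]; then
    echo "config: binary supports PKCS11, so check bccsp.default and bccsp.pkcs11"
  else
    echo "inconclusive: start the server with -d and re-run against its log"
  fi
}

# Quick check on the two log lines quoted in this thread (no binary needed).
bccsp_log_verdict '2019/06/26 05:53:15 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}'
bccsp_log_verdict '2019/06/27 03:04:29 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc000078b00 PluginOpts:<nil> Pkcs11Opts:<nil>}'
```

Usage: `diagnose /path/to/fabric-ca-server /path/to/debug.log`. Run it inside the CA container, since that is the binary that actually starts. For binaries built with Go 1.18 or later there is a third, non-heuristic check: `go version -m fabric-ca-server` prints the build settings, and a pkcs11 build lists `-tags=pkcs11` among them.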