#hsm #raft Raft and HSM in the same network


Jean-Gaël Dominé <jgdomine@...>
 

Hi everyone,

I'm currently trying to set up a network using Raft and HSM. Before adding HSM, everything was correctly working.
But when adding HSM, the private keys are not mounted on the containers anymore (orderers and peers).
The peers seem to be still working but with the orderer I get the following error:
2019-12-06 10:21:03.476 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-06 10:21:03.480 UTC [orderer.common.server] initializeClusterClientConfig -> FATA 004 Failed to load client TLS key file '' (open : no such file or directory)
After a quick test, I managed to confirm that it was the ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY that was the root cause of the error. I do not set it on purpose since I don't have it anymore but it seems to me that raft keeps looking for the private key.

Are Raft and HSM incompatible in Fabric right now (version 1.4.3 of the orderer)? Or am I missing something in the configuration?

Thank you for your help


Yacov
 

You can't use HSM to store TLS keys.



From:        "Jean-Gaël Dominé" <jgdomine@...>
To:        fabric@...
Date:        12/06/2019 03:55 PM
Subject:        [EXTERNAL] [Hyperledger Fabric] #hsm #raft Raft and HSM in the same network
Sent by:        fabric@...


Jean-Gaël Dominé <jgdomine@...>
 

Thanks for the feedback.

But why is that? A technical limit? Something not implemented yet?
Because from what I understood, the private keys should not be directly on the component's file system, and that was the whole point of having an HSM to store the private keys so that they do not get out of it.

But maybe I'm wrong in my comprehension and if so please explain.

Thank you


Yacov
 

It was not implemented



From:        "Jean-Gaël Dominé" <jgdomine@...>
To:        fabric@...
Date:        12/06/2019 08:53 PM
Subject:        [EXTERNAL] Re: [Hyperledger Fabric] #hsm #raft Raft and HSM in the same network
Sent by:        fabric@...
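A pre-flight check for the situation described in this thread, added here as an example (it is not Fabric's own code and does not come from any poster): with an HSM configured, only the signing (MSP) identity moves into the PKCS#11 token, while the TLS key pairs for the orderer's listener and for the Raft cluster client still have to be ordinary files. The script assumes the standard Fabric 1.4 orderer environment variable names (ORDERER_GENERAL_TLS_*, ORDERER_GENERAL_CLUSTER_*, ORDERER_GENERAL_BCCSP_*) and reports an empty or unreadable TLS key path before the orderer is started, instead of the FATA "Failed to load client TLS key file ''" seen at runtime.

```shell
#!/bin/sh
# Added example, not Fabric's own code: pre-flight check for a Raft orderer
# that uses an HSM for its signing identity. Assumes the Fabric 1.4 orderer
# environment variable names.

# Returns 0 if every TLS-related variable names an existing, readable file,
# 1 otherwise (each offending variable is reported on stderr).
check_orderer_tls_files() {
    _missing=0
    for _var in ORDERER_GENERAL_TLS_PRIVATEKEY \
                ORDERER_GENERAL_TLS_CERTIFICATE \
                ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY \
                ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE; do
        # Indirect expansion: read the value of the variable named in $_var.
        eval "_path=\${$_var}"
        if [ -z "$_path" ]; then
            echo "$_var is unset or empty: TLS keys cannot be held in the HSM, they must be files" >&2
            _missing=1
        elif [ ! -r "$_path" ]; then
            echo "$_var points to '$_path', which is not a readable file" >&2
            _missing=1
        fi
    done
    return $_missing
}

# Returns 0 when BCCSP is switched to PKCS11 and the PKCS#11 library the
# orderer will load is present; this is the only key material that belongs
# in the HSM (the MSP signing key), not the TLS keys above.
check_hsm_bccsp() {
    [ "${ORDERER_GENERAL_BCCSP_DEFAULT:-SW}" = "PKCS11" ] || return 1
    [ -n "$ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY" ] \
        && [ -r "$ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY" ]
}

# Usage (hypothetical file name):
#   . ./orderer-preflight.sh && check_orderer_tls_files && check_hsm_bccsp && orderer
```

Run it in the same environment (or compose service) as the orderer process. If check_orderer_tls_files fails on ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY, that is exactly the configuration gap from the first message: the cluster client key has to stay on the file system even when the signing key lives in the HSM.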

Jean-Gaël Dominé <jgdomine@...>
 

Is it planned in some future release to fix this (2.x.x)?


vtech
 

I created a product feature some time back ( https://jira.hyperledger.org/browse/FAB-16102 ); currently it resides in the Backlog. You can probably upvote it :) .

Thanks.

On Sun, Dec 8, 2019 at 6:59 PM Jean-Gaël Dominé <jgdomine@...> wrote:
Is it planned in some future release to fix this (2.x.x)?


Jean-Gaël Dominé <jgdomine@...>
 

Done :)

Though I don't expect it to be solved anytime soon :(

Thanks anyway, glad to see I'm not the only one in need of this