RAFT node without TLS!


Adhav Pavan
 

My current network has no TLS, deployed on Kubernetes. Currently, we are migrating from Kafka (1.4.0) to RAFT (1.4.4). TLS is not necessary for Kubernetes.

  1. Is it compulsory to have TLS enabled for the RAFT ordering node?
  2. If yes, can I enable it on the fly while migrating to RAFT?

Currently, I am getting the following error when I change the consensus in the configuration block and send it to the orderer.

Heartfelt Regards,
Pavan Adhav

Blockchain Developer
Cell Phone:
+91-8390114357  E-Mail: adhavpavan@...


Adhav Pavan
 

Hello Team,

Is it possible to configure Orderers to use TLS only for Raft communication?

Thank you.

Heartfelt Regards,
Pavan Adhav




On Tue, Dec 10, 2019 at 10:23 AM Adhav Pavan <adhavpavan@...> wrote:

My current network has no TLS, deployed on Kubernetes. Currently, we are migrating from Kafka (1.4.0) to RAFT(1.4.4). TLS is not necessary for Kubernetes.

  1. Is it compulsory to have TLS enabled for the RAFT ordering node?
  2. If yes, Can I enable on the fly while migrating to RAFT?

Currently, I am getting the following error when I change the consensus in the configuration block and send it to the orderer.

Heartfelt Regards,
Pavan Adhav



Jay Guo
 

Hi Adhav,

Yes, it is required to enable TLS to use Raft, because intra-orderer
communication relies on Certificate Pinning to authenticate each
other.

However, it *is* possible to turn on TLS ONLY FOR orderer-to-orderer
communication. Please consult the "Cluster parameter" section in [1].

Also, migration is covered pretty comprehensively in [2]. Let us know
if you have specific questions.


[1] https://hyperledger-fabric.readthedocs.io/en/latest/raft_configuration.html#local-configuration
[2] https://hyperledger-fabric.readthedocs.io/en/latest/kafka_raft_migration.html

On Tue, Dec 10, 2019 at 1:00 PM Adhav Pavan <adhavpavan@...> wrote:

Hello Team,

is it possible to configure Orderers to use TLS only for Raft communication?

Thank you.

Heartfelt Regards,
Pavan Adhav



Adhav Pavan
 

Hi Jay, 

Went through the instructions. Defined this set of environment variables for the ordering node. I have explicitly disabled the Orderer General TLS and enabled Orderer Cluster TLS as shown below.
image.png

However, I am getting this error while restarting the ordering service. 

image.png
Again, here we are just trying to enable TLS for communication within RAFT nodes and not between other fabric components. Can you tell me if we are missing out on something?
Let us know if additional information is needed.

Heartfelt Regards,
Pavan Adhav




On Tue, Dec 10, 2019 at 12:22 PM Jay G <guojiannan1101@...> wrote:
Hi Adhav,

yes, it is required to enable TLS to use Raft, because intra-orderer
communication relies on Certificate Pinning to authenticate each
other.

However, it *is* possible to turn on tls ONLY FOR orderer-to-orderer
communication. Please consult "Cluster parameter" section in [1]

Also, migration is covered pretty comprehensively in [2]. Let us know
if you have specific questions


[1] https://hyperledger-fabric.readthedocs.io/en/latest/raft_configuration.html#local-configuration
[2] https://hyperledger-fabric.readthedocs.io/en/latest/kafka_raft_migration.html




Jay Guo
 

Adhav, could you attach full log of orderer? (from the top where configs are printed)

- J

On Tue, Dec 10, 2019 at 7:47 PM Adhav Pavan <adhavpavan@...> wrote:
Hi Jay, 

Went through the instructions. Defined these set of environment variables for the ordering node. I have explicitly disabled the Orderer General TLS and enabled Orderer Cluster TLS as shown below.
image.png

However, I am getting this error while restarting the ordering service. 

image.png
Again, here we are just trying to enable TLS for communication within RAFT nodes and not between other fabric components. Can you tell me if we are missing out on something?
Let us know if additional information is needed.

Heartfelt Regards,
Pavan Adhav



Adhav Pavan
 

Hello Jay,

Please find the full log file for the orderer in the attachment.

Thank you.

Heartfelt Regards,
Pavan Adhav




On Tue, Dec 10, 2019 at 6:54 PM Jay Guo <guojiannan1101@...> wrote:
Adhav, could you attach full log of orderer? (from the top where configs are printed)

- J



Jay Guo
 

oh.... that support to configure tls separately is only merged in master for now... probably worth cherry-picking to 1.4.x

sorry for the confusion, I should've looked closely at the version you tried... my apologies

- J

On Tue, Dec 10, 2019 at 9:37 PM Adhav Pavan <adhavpavan@...> wrote:
Hello Jay,

Please find the log full log file for the orderer in the attachment.

Thank you.

Heartfelt Regards,
Pavan Adhav



Adhav Pavan
 

Thanks for the information, Jay. 

Can you also tell me if this is going to be a part of 1.4.x as a minor release and if it is going to come anytime soon?

Also, could you point us to the specific commit id (support to configure TLS separately).

Thank you.

Heartfelt Regards,
Pavan Adhav




On Tue, Dec 10, 2019 at 7:29 PM Jay G <guojiannan1101@...> wrote:
oh.... that support to configure tls separately is only merged in master for now... probably worth cherry-picking to 1.4.x

sorry for the confusion, i should've looked closely to the version you tried... my apologies

- J



Jay Guo
 

Made a PR to cherry-pick to release-1.4 branch:
https://github.com/hyperledger/fabric/pull/393

pls give it a try. Hopefully it could make it to next minor release

- J

On Wed, Dec 11, 2019 at 1:56 PM Adhav Pavan <adhavpavan@...> wrote:

Thanks for the information, Jay.

Can you also tell me if this is going to be a part of 1.4.x as a minor release and if it is going to come anytime soon?

Also, could you point us to the specific commit id (support to configure TLS separately).

Thank you.

Heartfelt Regards,
Pavan Adhav

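
A pre-flight check for the setup discussed in this thread (general TLS off, TLS only on the Raft cluster listener), as an added example that is not from the thread or from the Fabric project. It assumes the `ORDERER_GENERAL_CLUSTER_*` environment spellings of the "Cluster parameters" in [1] and a build that supports configuring cluster TLS separately, which per the thread 1.4.4 does not; `check_cluster_tls` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: verify an orderer's environment before restarting it with
# "TLS only for orderer-to-orderer traffic". Rules encoded here are assumptions
# taken from the Raft configuration guide linked as [1] in the thread.

check_cluster_tls() (
  problems=0
  fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }
  # Read a variable by name without bash-only indirection.
  get()  { eval "printf '%s' \"\${$1:-}\""; }

  # 1. The four cluster listener settings are set together or unset together.
  n=0
  for v in LISTENADDRESS LISTENPORT SERVERCERTIFICATE SERVERPRIVATEKEY; do
    [ -z "$(get "ORDERER_GENERAL_CLUSTER_$v")" ] || n=$((n + 1))
  done
  if [ "$n" -ne 0 ] && [ "$n" -ne 4 ]; then
    fail "cluster listener settings: only $n of 4 are set"
  fi

  # 2. With general TLS off nothing can be inherited from General.TLS, so the
  #    cluster listener and the cluster client credentials must be explicit.
  if [ "$(get ORDERER_GENERAL_TLS_ENABLED)" != "true" ]; then
    [ "$n" -eq 4 ] || fail "general TLS disabled but no dedicated cluster listener"
    for v in CLIENTCERTIFICATE CLIENTPRIVATEKEY; do
      [ -n "$(get "ORDERER_GENERAL_CLUSTER_$v")" ] ||
        fail "ORDERER_GENERAL_CLUSTER_$v is unset"
    done
    # The TLS cluster listener cannot share the plaintext client-facing port.
    main_port=$(get ORDERER_GENERAL_LISTENPORT)
    main_port=${main_port:-7050}
    if [ "$(get ORDERER_GENERAL_CLUSTER_LISTENPORT)" = "$main_port" ]; then
      fail "cluster ListenPort equals the general ListenPort ($main_port)"
    fi
  fi

  # 3. Every configured certificate or key path must be a readable file.
  for v in SERVERCERTIFICATE SERVERPRIVATEKEY CLIENTCERTIFICATE CLIENTPRIVATEKEY; do
    p=$(get "ORDERER_GENERAL_CLUSTER_$v")
    if [ -n "$p" ] && [ ! -r "$p" ]; then fail "$v: cannot read $p"; fi
  done

  [ "$problems" -eq 0 ]
)
```

Run it inside the orderer container or pod so it sees the same environment and mounted certificate files the orderer process does; it returns non-zero and prints one `FAIL:` line per problem.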