#hsm #fabric-sdk-node #fabric Admin user and HSM


Jean-Gaël Dominé <jgdomine@...>
 

Hi all,

I've been trying to plug Fabric into an HSM to avoid having the private keys stored in the file system of the components (except the TLS ones, since it is currently not possible to do the same for them).

My question is: in order to create the channel, join the peers, etc., I need the admin user's private key to sign the transaction, but how am I supposed to provide it to the peer CLI command or the SDK (Node in my case)?
Is it possible to plug them into the HSM too, so that they ask the HSM to sign the transaction? I saw it was possible to plug the SDK into the HSM, because I tried it to enroll the components using the HSM, but I'm not sure it could serve this purpose as well. I don't know at all about the CLI, though.

Thanks for your help


Gari Singh <garis@...>
 

The peer CLI currently uses the same config as the peer.
If you point the peer CLI at a core.yaml file which uses PKCS11 for the BCCSP (same as you would do for the peer), then things should work.
If you want to enroll an ID using the fabric-ca-client, same basic concept ... in the fabric-ca-client config file you can set the BCCSP to use PKCS11 as well.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: fabric@...
From: "Jean-Gaël Dominé"
Sent by: fabric@...
Date: 12/12/2019 07:32AM
Subject: [EXTERNAL] [Hyperledger Fabric] #hsm #fabric-sdk-node #fabric Admin user and HSM


Jean-Gaël Dominé <jgdomine@...>
 

Thank you Gari for your quick reply.

So from what I understand: since I created my admin user using the fabric-ca-client plugged into the HSM, if I configure the peer CLI command so that it uses the same PKCS11 configuration, it should be able to retrieve the private key from it in order to perform the actions.
Argh, that means I need a Docker image of the CLI with the HSM libs...

Ok I'll test that

Do you know if a similar thing is possible with the SDK? Because, as far as I know, the SDK needs the admin user's private key on the file system?



Gari Singh <garis@...>
 

The Node, Java and Go SDKs all have the ability to use HSMs.

The Go SDK uses a similar config to the peer as it basically embeds the bccsp code.

The Node SDK allows you to pass in a PKCS11 crypto suite: https://fabric-sdk-node.github.io/release-1.4/CryptoSuite_PKCS11.html

The Java SDK definitely supports PKCS11 (I know people who use it with an HSM) but I don't really use Java so don't have the info handy.

Hope this helps


-----fabric@... wrote: -----
To: fabric@...
From: "Jean-Gaël Dominé"
Sent by: fabric@...
Date: 12/12/2019 08:24AM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] #hsm #fabric-sdk-node #fabric Admin user and HSM