Hyperledger Fabric 1.4.4 : unable to configure HSM with fabric ca #hsm #fabric-ca #fabric


Kumari Shweta
 

Hi Team,

We are trying to configure a pkcs11 HSM key with the fabric-ca client but are getting the following error.

"Error: Failed to get BCCSP with opts: Could not find BCCSP, no 'pkcs11' provider"

We have executed the following steps:

1. We have cloned the fabric-ca 1.4.7 git repo

2. From the /opts/fabric-ca directory, ran the commands below
    make clean
    make docker GO_TAGS=pkcs11

3. Used the first network, made the following environment changes in the docker-compose-ca.yaml file and restarted the CA container

   ca0:
    image: hyperledger/fabric-ca:amd64-1.4.7
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      #- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/${BYFN_CA1_PRIVATE_KEY}
      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/07777242bfa0a52d88d8ed5887d92c774e54886bcb8b41ce1a17ff42095c8363_sk
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_BCCSP_LIBRARY=/etc/hyperledger/libsofthsm2.so
      - FABRIC_CA_SERVER_BCCSP_PIN=12345
      - FABRIC_CA_SERVER_BCCSP_LABEL=fabric
      - FABRIC_CA_SERVER_BCCSP_KEYSTORE=msp/keystore
      - FABRIC_CA_SERVER_BCCSP_DEFAULT=pkcs11
      - SOFT_HSM_2_CONF=/etc/hyperledger/config.file
      - FABRIC_LOGGING_SPEC=DEBUG
 
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/${BYFN_CA1_PRIVATE_KEY} -b admin:adminpw -d'
    volumes:
      - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
      - /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/libsofthsm2.so
      - /home/ubuntu/config.file:/etc/hyperledger/config.file
    container_name: ca_peerOrg1
    networks:
      byfn:
        aliases:
          - ca.org1.example.com
 
Kindly suggest.


Gari Singh <garis@...>
 

With bccsp, you cannot use environment variable overrides unless you actually have the keys/fields defined in the configuration file (fabric-ca-server-config.yaml).
The default fabric-ca-server-config.yaml generated by fabric-ca on startup does not include these fields so you will need to provide a config file which contains them.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: fabric@...
From: "Kumari Shweta"
Sent by: fabric@...
Date: 09/28/2020 09:35AM
Subject: [EXTERNAL] [Hyperledger Fabric] Hyperledger Fabric 1.4.4 : unable to configure HSM with fabric ca #hsm #fabric-ca #fabric


Brett T Logan <brett.t.logan@...>
 

Have you updated the fabric-ca config file to also include the config block for PKCS11? In order for you to be able to override a config property with an environment variable, the keys have to at least exist in the config file. The default config file for the CA does not include the PKCS11 block.
 
Brett Logan
Software Engineer, IBM Blockchain
Phone: 1-984-242-6890
 
 
 

----- Original message -----
From: "Kumari Shweta" <kumari.shweta@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] Hyperledger Fabric 1.4.4 : unable to configure HSM with fabric ca #hsm #fabric-ca #fabric
Date: Mon, Sep 28, 2020 9:33 AM
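Both replies make the same point: fabric-ca-server only honours a FABRIC_CA_SERVER_* environment override when the corresponding key already exists in fabric-ca-server-config.yaml, and the generated default file has only an `sw` block under `bccsp`. The fragment below is an added example, not something from the thread or from the fabric-ca project's default config; it shows the `bccsp` section the server's config file needs before the PKCS11 provider can be selected. Library path, PIN, label and keystore path are copied from the poster's compose file and are placeholders for a real deployment.

```yaml
# Added example: bccsp section of fabric-ca-server-config.yaml with a PKCS11 block.
# Values are taken from the poster's docker-compose environment as placeholders.
bccsp:
    default: PKCS11
    pkcs11:
        # PKCS#11 module as mounted inside the container (SoftHSM here; a vendor
        # module for a real HSM in production)
        Library: /etc/hyperledger/libsofthsm2.so
        # Token PIN and label; the token must already be initialised in the HSM
        Pin: 12345
        Label: fabric
        hash: SHA2
        security: 256
        filekeystore:
            # Still used for non-private material; private keys stay in the HSM
            keystore: msp/keystore
```

Once this block is present, the matching environment variables follow the key path under `bccsp.pkcs11`, so the overrides are FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY, FABRIC_CA_SERVER_BCCSP_PKCS11_PIN and FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL rather than the FABRIC_CA_SERVER_BCCSP_LIBRARY form in the posted compose file, which would map to `bccsp.library`. The edited config file has to be mounted into the container at FABRIC_CA_HOME (here /etc/hyperledger/fabric-ca-server) so the server reads it instead of generating a fresh default. Two further checks worth making from the posted setup: SoftHSM v2 reads its configuration path from SOFTHSM2_CONF, not SOFT_HSM_2_CONF, and a PIN placed in compose environment variables is readable by anyone who can run `docker inspect` on the host, so a secrets mechanism is preferable outside a test network.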