AWS cloud HSM with hyperledger #hyperledger-fabric


Kumar Shantanu
 

Hello Team,

Do we have any documentation around how to use AWS CloudHSM with Hyperledger Fabric?

Thanks
Shantanu


Chris Gabriel
 

Hello Shantanu,

The documentation purposefully leaves out any mention of vendor-specific platforms or technologies and leaves that part to the user.  There are some who have posted articles on Medium and YouTube for the type of material you are looking for.  Hope this helps.

Chris


On Apr 12, 2021, at 8:02 AM, km.shantanu@... wrote:

Hello Team,

Do we have any documentation around how to use AWS CloudHSM with Hyperledger Fabric?

Thanks
Shantanu



Kumar Shantanu
 

Thanks, Chris, 

I will try and google :) 

Would you be able to share some of those links if you have them handy? It might be beneficial for others as well searching through this mailing list.

Thanks
Shantanu

On Mon, Apr 12, 2021 at 2:18 PM Chris G <alaskadd@...> wrote:
Hello Shantanu,

The documentation purposefully leaves out any mention of vendor-specific platforms or technologies and leaves that part to the user.  There are some who have posted articles on Medium and YouTube for the type of material you are looking for.  Hope this helps.

Chris




Brian Behlendorf
 

BTW, I see nothing wrong with the official docs containing these kinds of links. Being helpful to new users should take precedence over concerns about the appearance of favoring one vendor over another, and the latter can be mitigated by providing multiple such links and adding to them when asked.

Brian

On 4/12/21 6:49 AM, Kumar Shantanu wrote:
Thanks, Chris, 

I will try and google :) 

Would you be able to share some of those links if you have them handy? It might be beneficial for others as well searching through this mailing list.

Thanks
Shantanu



-- 
Brian Behlendorf
General Manager for Blockchain, Healthcare and Identity
bbehlendorf@...
Twitter: @brianbehlendorf


Kumar Shantanu
 

I didn't find any blog around Fabric using AWS CloudHSM; however, I understand that I need to run the AWS HSM client on the same machine where the Fabric component would run. Can someone suggest what the PKCS11 section would look like? This is how it currently looks if I use SoftHSM.
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/lib/softhsm/libsofthsm2.so
    Pin: XX
    Label: fabric
    hash: SHA2
    security: 256
    filekeystore:
      keystore: msp/keystore
 
Thanks
Shantanu

On Mon, Apr 12, 2021 at 5:55 PM Brian Behlendorf <bbehlendorf@...> wrote:
BTW, I see nothing wrong with the official docs containing these kinds of links. Being helpful to new users should take precedence over concerns about the appearance of favoring one vendor over another, and the latter can be mitigated by providing multiple such links and adding to them when asked.

Brian


Chris Gabriel
 

You can follow the configuration instructions in the fabric docs here: https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html
Just make sure you match the docs version to the Fabric version you are using.
Best,
Chris


On Apr 13, 2021, at 7:58 AM, Kumar Shantanu <km.shantanu@...> wrote:


I didn't find any blog around Fabric using AWS CloudHSM; however, I understand that I need to run the AWS HSM client on the same machine where the Fabric component would run. Can someone suggest what the PKCS11 section would look like? This is how it currently looks if I use SoftHSM.
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/lib/softhsm/libsofthsm2.so
    Pin: XX
    Label: fabric
    hash: SHA2
    security: 256
    filekeystore:
      keystore: msp/keystore
 
Thanks
Shantanu


Kumar Shantanu
 

Thanks again, guys. When I configure Fabric CA to use AWS HSM, it crashes with the error below:

sh-4.2# ./fabric-ca-server start -b admin:adminpw
2021/04/19 20:57:18 [INFO] Configuration file location: /root/go/bin/fabric-ca-server-config.yaml
2021/04/19 20:57:18 [INFO] Starting server in home directory: /root/go/bin
2021/04/19 20:57:18 [INFO] Server Version: 1.5.0-snapshot-70634d4d
2021/04/19 20:57:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/04/19 20:57:19 [WARNING] &{69 The specified CA certificate file /root/go/bin/ca-cert.pem does not exist}
2021/04/19 20:57:19 [INFO] generating key: &{A:ecdsa S:256}
C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID : 0x00000013
C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID : 0x00000013
Error: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]

My BCCSP configuration looks like this:

bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
    Pin: 'user:password'
    Label: cavium
    hash: SHA2
    security: 256

Any pointer would be really helpful.

Thanks
Shantanu


On Tue, Apr 13, 2021 at 2:28 PM Gmail <alaskadd@...> wrote:
You can follow the configuration instructions in the fabric docs here: https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html
Just make sure you match the docs version to the Fabric version you are using.
Best,
Chris



Gari Singh
 

Make sure you are using the latest version of Fabric CA.
With the AWS HSM, you need to add "AltId" to your bccsp configuration:

bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
    Pin: 'user:password'
    AltId: $STRING
    Label: cavium
    hash: SHA2
    security: 256

AltId can be any string label you want to use.  If the label does not exist on the HSM, a new key will be generated.
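
A pre-flight check for the fix described above, as an added example that is not part of the original thread or of Fabric's own code. The function names, the minimal section reader, and the sample AltId value `fabric-ca-key` are assumptions made for illustration; the config and error line are constructed from what was posted.

```go
package main

import (
	"fmt"
	"strings"
)

// pkcs11Section reads scalar keys under "pkcs11:" (lower-cased); not a general YAML parser.
func pkcs11Section(yaml string) map[string]string {
	out := map[string]string{}
	inP11, p11Indent := false, 0
	for _, line := range strings.Split(yaml, "\n") {
		kv := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(kv) < 2 || strings.HasPrefix(kv[0], "#") {
			continue // blank line, comment, or not a key/value line
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		key := strings.ToLower(strings.TrimSpace(kv[0]))
		val := strings.Trim(strings.TrimSpace(kv[1]), `'"`)
		switch {
		case key == "pkcs11" && val == "":
			inP11, p11Indent = true, indent
		case inP11 && indent <= p11Indent:
			inP11 = false // left the pkcs11 mapping
		case inP11 && val != "":
			out[key] = val
		}
	}
	return out
}

// diagnose applies the thread's advice to a parsed config and a server log excerpt.
func diagnose(cfg map[string]string, log string) string {
	failed := strings.Contains(log, "C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID")
	missing := strings.Contains(cfg["library"], "libcloudhsm_pkcs11") && cfg["altid"] == ""
	switch {
	case missing && failed:
		return "AltId missing for CloudHSM; matches the key generation failure in the log"
	case missing:
		return "AltId missing for CloudHSM"
	case failed:
		return "key generation failed for another reason; check the Fabric CA version"
	}
	return "ok"
}

// Constructed samples: failing config and error line from the thread; the AltId value is hypothetical.
const failingCfg = "bccsp:\n  default: PKCS11\n  pkcs11:\n    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so\n    Pin: 'user:password'\n    Label: cavium\n"
const errLine = "C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID : 0x00000013"
var fixedCfg = strings.Replace(failingCfg, "    Label:", "    AltId: fabric-ca-key\n    Label:", 1)

func main() {
	fmt.Println(diagnose(pkcs11Section(failingCfg), errLine))
	fmt.Println(diagnose(pkcs11Section(fixedCfg), ""))
}
```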


On Mon, Apr 19, 2021 at 5:15 PM Kumar Shantanu <km.shantanu@...> wrote:
Thanks again, guys. When I configure Fabric CA to use AWS HSM, it crashes with the error below:

sh-4.2# ./fabric-ca-server start -b admin:adminpw
2021/04/19 20:57:18 [INFO] Configuration file location: /root/go/bin/fabric-ca-server-config.yaml
2021/04/19 20:57:18 [INFO] Starting server in home directory: /root/go/bin
2021/04/19 20:57:18 [INFO] Server Version: 1.5.0-snapshot-70634d4d
2021/04/19 20:57:18 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2021/04/19 20:57:19 [WARNING] &{69 The specified CA certificate file /root/go/bin/ca-cert.pem does not exist}
2021/04/19 20:57:19 [INFO] generating key: &{A:ecdsa S:256}
C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID : 0x00000013
C_GenerateKeyPair failed with error CKR_ATTRIBUTE_VALUE_INVALID : 0x00000013
Error: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x13: CKR_ATTRIBUTE_VALUE_INVALID]

My BCCSP configuration looks like this:

bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
    Pin: 'user:password'
    Label: cavium
    hash: SHA2
    security: 256

Any pointer would be really helpful.

Thanks
Shantanu




Kumar Shantanu
 

Thanks Gari,

This seems to be working now :) I will probably write a blog around how to integrate AWS CloudHSM with Hyperledger components.

On Tue, Apr 20, 2021 at 10:59 AM Gari Singh <gari.r.singh@...> wrote:
Make sure you are using the latest version of Fabric CA.
With the AWS HSM, you need to add "AltId" to your bccsp configuration:

bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
    Pin: 'user:password'
    AltId: $STRING
    Label: cavium
    hash: SHA2
    security: 256

AltId can be any string label you want to use.  If the label does not exist on the HSM, a new key will be generated.
