{"id":20018573,"url":"https://github.com/rupeshtr78/fabric","last_synced_at":"2025-06-17T01:03:19.448Z","repository":{"id":156959830,"uuid":"195115262","full_name":"rupeshtr78/fabric","owner":"rupeshtr78","description":"Blockchain Certificates and cryptographic materials Docker","archived":false,"fork":false,"pushed_at":"2019-07-16T01:44:49.000Z","size":1034,"stargazers_count":12,"open_issues_count":0,"forks_count":12,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-17T01:02:45.241Z","etag":null,"topics":["blockchain","blockchain-technology","certificate","certificate-authority","certificateauthority","cryptographic-materials","crytpo-authentication","docker","docker-compose","fabric","fabric-ca","fabric-network","hyperledger","hyperledger-fabric","tls","tls-certificate"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rupeshtr78.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-03T19:28:54.000Z","updated_at":"2024-07-19T09:12:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"6f4758c0-6903-42f3-b312-536097105ca4","html_url":"https://github.com/rupeshtr78/fabric","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rupeshtr78/fabric","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupeshtr78%2Ffabric","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupeshtr78%2Ffabric/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/rupeshtr78%2Ffabric/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupeshtr78%2Ffabric/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rupeshtr78","download_url":"https://codeload.github.com/rupeshtr78/fabric/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rupeshtr78%2Ffabric/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260269419,"owners_count":22983642,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blockchain","blockchain-technology","certificate","certificate-authority","certificateauthority","cryptographic-materials","crytpo-authentication","docker","docker-compose","fabric","fabric-ca","fabric-network","hyperledger","hyperledger-fabric","tls","tls-certificate"],"created_at":"2024-11-13T08:23:16.242Z","updated_at":"2025-06-17T01:03:19.382Z","avatar_url":"https://github.com/rupeshtr78.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"Hyperledger - Using Fabric CA to generate cryptographic materials\n================================================================\nThis article will illustrate how to use Fabric CA to set up a basic Fabric network without using cryptogen to generate certificates.\nThe intent is to get an insight into the generation of cryptographic\nmaterials associated with the fabric identities. For this purpose we will\nbe executing 
relevant\n[commands](https://github.com/rupeshtr78/fabric/blob/master/Fabric-Steps-ReadMe.txt) for each step without any scripts.\n\nAll identities that participate on a Hyperledger Fabric network must be\nauthorized. This authorization is provided in the form of cryptographic\nmaterial that is verified against trusted certificate authorities.\n\nWe will see the process for setting up a basic fabric network that\nincludes one organization, with two peers and one orderer. It uses two TLS CA\nservers and two CA servers, one CA each for the peer org and the orderer org. We\nwill generate cryptographic material for orderers, peers,\nadministrators, and end users with TLS enabled in a single host\nenvironment.\n\n\u003e Topology of this deployment can be seen in the image below:\n\n![](images/model.png)\n\nWe will generate the model as shown below using Fabric CA.\n\n![](images/blocktree.png)\n\n-   **admincerts** to include PEM files each corresponding to an\n    administrator certificate (signcerts of admin user)\n-   **cacerts** to include PEM files each corresponding to a root CA's\n    certificate (ca-cert.pem)\n-   **keystore** to include a PEM file with the node's signing key\n    (private key). Currently RSA keys are not supported\n-   **signcerts** to include a PEM file with the node's X.509\n    certificate public key.\n-   **tlscacerts** (optional) a folder to include PEM files each\n    corresponding to a TLS root CA's certificate\n\n**These are the main steps that are required to generate the cryptographic materials for each identity.**\n\u003e (1)  **Setup TLS CA Server**\n\u003e (2)  **Setup CA Server**\n\n\u003e **After configuring and starting the TLS and CA servers, there are mainly two steps**\n\u003e \n\u003e \\(1) **Register** identities (orderers, peers, admins, users) with TLS and\n\u003e CA servers\n\u003e \n\u003e \\(2) **Enroll** those identities by pointing to their relevant msp\n\u003e directory for generating CA certificates and to the **tls** 
directory for generating TLS certificates\n\u003e as per your model. These two steps create all the cryptographic material\n\u003e for each identity in the network.\n\u003e \n\n**Step : Setting up the Fabric CA**\n\nWe will need the binaries for both Fabric and Fabric CA for this\nexercise: build the relevant fabric-ca-server and fabric-ca-client\nbinaries and also build the docker images. User guides and other\n[contributors](https://gist.github.com/AkshayCHD/f7c96175dca1e5ab8d5785a3af0d5692) have very good notes on the required steps for\nsetting up the fabric and fabric-ca binaries. Select and set the path to the\nlatest binary for your machine, or point to the samples\nbinaries.\n\nThis exercise uses version 1.4.2 of fabric-ca-client.\n\n**Step : Setup TLS CA**\n\nMake the directory structure needed for the TLS CA, Fabric CA client and\nserver for our model.\n\n![CA server\nDirectory](images/fabca-tree.png)\n\n```bash\nmkdir -p fabca/fabric.com/{ca-admin,ca-server,tlsca-admin,tlsca-server}\n\nmkdir -p fabca/po1.fabric.com/{ca-admin,ca-server,tlsca-admin,tlsca-server}\n```\n\n**Start the TLS enabled Fabric CA container**. First run the container\nwith the *fabric-ca-server init* command. Refer to\n[docker-compose-tlsca.yaml](https://github.com/rupeshtr78/fabric/blob/master/scripts/docker-compose-tlsca.yaml).\n\nCopy the fabca/fabric.com/tlsca-server/tls-ca-cert.pem to\n/crypto-config/ordererOrganizations/fabric.com/tlsca directory.\n\nCopy the key file from fabca/fabric.com/tlsca-server/msp/keystore to\n./crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-key.pem.\n\nAfter copying, run the TLS CA container again, this time with the *fabric-ca-server*\n*start* command. Check the logs to verify that the server started and is\nlistening on your port, 7150 in this case.\n\nAt this point the TLS CA server is listening on a secure socket, and can\nstart 
issuing TLS certificates.\n\nIf the nodes run on different host machines, the trusted root certificate for the TLS\nCA has to be copied to the other host machines that will communicate with\nthis CA.\n\n**Orderer org TLS:** *Enroll the TLS CA server admin and then register\norg identities with orderer org's TLS CA server*\n\n```\n# Register orderer org identities with the tls-ca\n\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin\n\nfabric-ca-client enroll -d -u https://tls-ord-admin:tls-ord-adminpw@0.0.0.0:7150\n\nfabric-ca-client register -d --id.name orderer1.fabric.com --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7150\n\nfabric-ca-client register -d --id.name Admin@fabric.com --id.secret ordereradminpw --id.type admin -u https://0.0.0.0:7150\n\n# Use command fabric-ca-client identity list or Gui DB Browser for SQLite to verify the generated identities.\n```\n\n\n\n![DB Browser\nSQLite](images/sqlite.png)\n\nGoing forward you will notice we extensively use the\nFABRIC\\_CA\\_CLIENT\\_TLS\\_CERTFILES and FABRIC\\_CA\\_CLIENT\\_HOME environment\nvariables to point to the relevant server and client.\n\n**Peer org TLS:** *Enroll the TLS CA admin and then register identities\nwith peer org's TLS CA server*\n\nFollow steps similar to the above to get the TLS CA for peer org\npo1.fabric.com up and running. Refer to\n[docker-compose-tlsca.yaml](https://github.com/rupeshtr78/fabric/blob/master/scripts/docker-compose-tlsca.yaml) from the repo. After the fabric server is up and running,\nexecute the scripts below to register peer org identities.\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin\n\nfabric-ca-client enroll -d -u 
https://tls-peer-admin:tls-peer-adminpw@0.0.0.0:7151\nfabric-ca-client register -d --id.name peer0.po1.fabric.com --id.secret peer0PW --id.type peer -u https://0.0.0.0:7151\n\nfabric-ca-client register -d --id.name peer1.po1.fabric.com --id.secret peer0PW --id.type peer -u https://0.0.0.0:7151\n\nfabric-ca-client register -d --id.name Admin@po1.fabric.com --id.secret po1AdminPW --id.type admin -u https://0.0.0.0:7151\n```\n\n\n\n**Certificate Authority (CA)**\\\nEach organization must have its own Certificate Authority (CA) for\nissuing enrollment certificates. Follow the same set of steps that we\nfollowed for the TLS CA to start the CA. Initialize and start both CA\nservers using\\\n[***docker-compose-rca.yaml***](https://github.com/rupeshtr78/fabric/blob/master/scripts/docker-compose-rca.yaml) ***up*** (refer to the repo). At this point the CA server is\nlistening on a secure socket, and can start issuing cryptographic\nmaterial.\n\n**Orderer org CA:** *Enroll admin for the CA Server and register the\nOrderer and Admin user with the orderer org CA*\n\n```bash\n# Orderer org: fabric\n\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin\n\nfabric-ca-client enroll -d -u https://rca-orderer-admin:rca-orderer-adminpw@0.0.0.0:7152\n\nfabric-ca-client register -d --id.name orderer1.fabric.com --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7152\n\nfabric-ca-client register -d --id.name Admin@fabric.com --id.secret ordereradminpw --id.type admin --id.attrs \"hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert\" -u https://0.0.0.0:7152\n```\n\n\n\n**Peer org CA:** *Enroll admin for the CA Server and register the peer0,\npeer1 and Admin user with the peer org CA*\n\n```bash\n# Peer org: po1.fabric.com\n\nexport 
FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin\n\nfabric-ca-client enroll -d -u https://rca-po1-admin:rca-po1-adminpw@0.0.0.0:7153\n\nfabric-ca-client register -d --id.name peer0.po1.fabric.com --id.secret peer1PW --id.type peer -u https://0.0.0.0:7153\n\nfabric-ca-client register -d --id.name peer1.po1.fabric.com --id.secret peer2PW --id.type peer -u https://0.0.0.0:7153\n\nfabric-ca-client register -d --id.name Admin@po1.fabric.com --id.secret po1AdminPW --id.type admin --id.attrs \"hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert\" -u https://0.0.0.0:7153\nfabric-ca-client register -d --id.name User1@po1.fabric.com --id.secret po1UserPW --id.type user -u https://0.0.0.0:7153\n\n# Use command fabric-ca-client identity list or Gui DB Browser for SQLite to verify the generated identities.\n```\n\n\n\n**Enroll Peers**\n\nThe administrator for peer org po1.fabric.com will enroll the peers with\nits CA. If the machine running the Peer is a separate host, the trusted root\ncertificate has to be copied to the Peer's host machine. Acquiring this\nsigning certificate is an out-of-band process. Two enrollments are required\nas we are TLS enabled: one against the TLS CA and one with the Root CA.\n\n**Enroll Peers with CA.**\n\nMake sure the MSP directory of the peer points to the right directory of\nyour model. As we are following the cryptogen **template** model we are\npointing to\npeerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/msp. 
Change\nthe env variable FABRIC\\_CA\\_CLIENT\\_MSPDIR for each peer's **MSP**\ndirectory and then enroll. You can also pass **-M** on the command line for the MSP dir.\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin\n\n# Peer0\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/msp\nfabric-ca-client enroll -d -u https://peer0.po1.fabric.com:peer1PW@0.0.0.0:7153 --csr.hosts peer0.po1.fabric.com\n\n# Peer1\n\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer1.po1.fabric.com/msp\nfabric-ca-client enroll -d -u https://peer1.po1.fabric.com:peer2PW@0.0.0.0:7153 --csr.hosts peer1.po1.fabric.com\n\n# Verify the generation of certificates in msp/cacerts, keystore, signcerts for each peer's MSP directory.\n# We just generated the local peer MSP.\n```\n\n\n\n![Peer Local\nMSP](images/localmsp.png)\n\n**Enroll and Get the TLS cryptographic material for the peers**.\n\nWe will point to the TLS CA cert and TLS Client Home for getting the TLS\ncerts. The MSP directory here will be the peer's **tls** directory.\n\ncrypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/**tls**\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer0.po1.fabric.com/tls\n\nfabric-ca-client enroll -d -u https://peer0.po1.fabric.com:peer0PW@0.0.0.0:7151 --enrollment.profile tls --csr.hosts peer0.po1.fabric.com\n\nexport 
FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/peers/peer1.po1.fabric.com/tls\n\n# peer1\nfabric-ca-client enroll -d -u https://peer1.po1.fabric.com:peer0PW@0.0.0.0:7151 --enrollment.profile tls --csr.hosts peer1.po1.fabric.com\n```\n\n\n\n**Verify certificates** are generated in the peer's **tls** directory:\ntls/keystore, signcerts, tlscacerts. Rename the keystore private key to\nkey.pem for ease of reference later on.\n\n![Peer\nTLS](images/peertls.png)\n\n**Enroll peer org Admin User with CA**\\\nThe admin identity is responsible for activities such as installing and\ninstantiating chaincode. The commands below have to be executed on the Peer's\nhost machine if it is on a separate host. The Admin user's MSP directory in our model\nis peerOrganizations/po1.fabric.com/users/Admin\\@po1.fabric.com/msp\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/msp\n\nfabric-ca-client enroll -d -u https://Admin@po1.fabric.com:po1AdminPW@0.0.0.0:7153\n```\n\n\n\n**AdminCerts**: As per the user guide, an identity becomes an \"ADMIN\" role by\n**adding the public certificate to the \"admincerts\" folder of the\nMSP**. You can manually copy signcerts to admincerts or run the store\ncommand below.\n\n```bash\nfabric-ca-client certificate list --id Admin@po1.fabric.com --store $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/msp/admincerts\n```\n\n\n\nAfter enrollment, we should have an admin MSP.\\\nCopy the **admincerts** certificate ***Admin\\@po1.fabric.com.pem*** from this\nAdmin user MSP and move it to the Peer's MSP in the 'admincerts'\ndirectory. 
Copy this admin certificate to the other peers in the org: use the\nidentity command above or copy to the 'admincerts' directory in each\npeer's MSP.\n\n**Enroll and Get the TLS cryptographic material for the Admin User**\\\nEnroll against the TLS CA using the TLS cert and home.\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/users/Admin@po1.fabric.com/tls\n\nfabric-ca-client enroll -d -u https://Admin@po1.fabric.com:po1AdminPW@0.0.0.0:7151 --enrollment.profile tls\n\n# At this point we can test run our peers:\ndocker-compose -f docker-compose-cli.yaml up peer0.po1.fabric.com\n```\n\n\n\n**Enroll Orderer with CA:** Enroll orderer1.fabric.com and\nAdmin\\@fabric.com with the CA\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/msp\n\nfabric-ca-client enroll -d -u https://orderer1.fabric.com:ordererpw@0.0.0.0:7152\n\n# Enroll Orderer's Admin User\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp\n\nfabric-ca-client enroll -d -u https://Admin@fabric.com:ordereradminpw@0.0.0.0:7152\n\n# Generate AdminCerts\nfabric-ca-client identity list\nfabric-ca-client certificate list --id Admin@fabric.com --store $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp/admincerts\n\n# Copy Users AdminCerts to Orderer MSP AdminCerts Directory\ncp 
$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/msp/admincerts/*.pem $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/msp/admincerts\n\n# Rename the keystore private key to key.pem\n```\n\n\n\n**Enroll Orderer with TLS CA**\n\n```bash\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/orderers/orderer1.fabric.com/tls\n\nfabric-ca-client enroll -d -u https://orderer1.fabric.com:ordererPW@0.0.0.0:7150 --enrollment.profile tls --csr.hosts orderer1.fabric.com\n\n# Enroll Orderer's Admin User\n\nexport FABRIC_CA_CLIENT_MSPDIR=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls\n\nfabric-ca-client enroll -d -u https://Admin@fabric.com:ordereradminpw@0.0.0.0:7150 --enrollment.profile tls --csr.hosts orderer1.fabric.com\n\n# Rename the keystore -sk file to key.pem\n```\n\n\n\n**Create Genesis Block and Channel Transaction artifacts**\n\nBefore generating the genesis block we need the MSP directories of all the\norgs on the orderer host machine. Each org should have an MSP directory in\nthe following structure:\n\n![MSP](images/msp-str.png)\n\n\u003e The MSP for an Org will contain:\n\u003e\n\u003e 1. admincerts: The certificate of the Org's admin identity\n\u003e 2. cacerts: The trusted root certificate of the Org's CA\n\u003e 3. 
tlscacerts: The trusted root certificate of the Org's TLS CA.\n\u003e\n\u003e On the Orderer's host machine, we need to collect the MSPs for each of\n\u003e the organizations based on the above structure.\n\n**Generate Orderer Org MSP**\n\n```\n# cacerts - orderer\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/ca/ca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/ca-admin\nfabric-ca-client getcacert -u https://0.0.0.0:7152 -M $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp\n\n# AdminCerts - orderer\nfabric-ca-client identity list\nfabric-ca-client certificate list --id Admin@fabric.com --store $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp/admincerts\n\n# tlscacerts - orderer\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/tlsca/tlsca.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/fabric.com/tlsca-admin\nfabric-ca-client getcacert -u https://0.0.0.0:7150 -M $FABRIC_CFG_PATH/crypto-config/ordererOrganizations/fabric.com/msp --enrollment.profile tls\n```\n\n\n\n**Generate Peer Org MSP**\n\n```bash\n# cacerts - peer org\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/ca/ca.po1.fabric.com-cert.pem\nexport FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/ca-admin\nfabric-ca-client getcainfo -u https://0.0.0.0:7153 -M $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp\n\n# AdminCerts - peer org\nfabric-ca-client identity list\nfabric-ca-client certificate list --id Admin@po1.fabric.com --store $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp/admincerts\n\n# tlscacerts - peer org\nexport FABRIC_CA_CLIENT_TLS_CERTFILES=$FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/tlsca/tlsca.po1.fabric.com-cert.pem\nexport 
FABRIC_CA_CLIENT_HOME=$FABRIC_CFG_PATH/fabca/po1.fabric.com/tlsca-admin\nfabric-ca-client getcacert -u https://0.0.0.0:7151 -M $FABRIC_CFG_PATH/crypto-config/peerOrganizations/po1.fabric.com/msp --enrollment.profile tls\n```\n\n\n\nThe above steps should generate a model similar to the [**directory\ntree**](https://github.com/rupeshtr78/fabric/blob/master/logs/tree-crypto-config.txt) in the repo.\n\n**Generate Orderer Genesis block and channel artifacts**\n---------------------------------------------------------\n\nCreate the\n[configtx.yaml](https://github.com/rupeshtr78/fabric/blob/master/configtx.yaml) file as per your model.\n\n```bash\ncd $FABRIC_CFG_PATH\n# Create the orderer genesis.block\nconfigtxgen -profile OneOrgsOrdererGenesis -channelID rtr-sys-channel -outputBlock $FABRIC_CFG_PATH/channel-artifacts/genesis.block\nconfigtxgen -inspectBlock ./channel-artifacts/genesis.block \u003e logs/genesisblock.txt\n\n# Create channel.tx\nexport CHANNEL_NAME=fabchannel01\nconfigtxgen -profile OneOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME\nconfigtxgen -inspectChannelCreateTx ./channel-artifacts/channel.tx \u003e logs/channel.txt\n# Update anchor peers\nconfigtxgen -profile OneOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/po1MSPanchors.tx -channelID $CHANNEL_NAME -asOrg po1MSP\n```\n\n\n\n**Start the services**\n\nLet's start the services one by one. Start the Orderer: [docker-compose -f\ndocker-compose-cli.yaml up orderer1.fabric.com](https://github.com/rupeshtr78/fabric/blob/master/docker-compose-cli.yaml)\n\n\n\n![](images/orderer-starts.png)\n\n*Orderer Start*\n\n![Peer Start Gossip Protocol\nWorking](images/peer-start.png)\n\n*Peer Start*\n\n**Create and 
join Channel**\n\n```bash\nexport CHANNEL_NAME=fabchannel01\n\npeer channel create -c $CHANNEL_NAME -f /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/channel.tx -o orderer1.fabric.com:7050 --outputBlock /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/fabchannel01.block --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls/tlscacerts/tls-0-0-0-0-7150.pem 60s\n\npeer channel join -b /opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts/fabchannel01.block 30s\n```\n\n\n\n![Peer Join](images/peer-join.png)\n\n*ChainCode Install*\n\n```\n# Install and Instantiate Chaincode\n\npeer chaincode install -n mycc -v 1.0 -p github.com/chaincode/abac/go\n\npeer chaincode instantiate -C $CHANNEL_NAME -n mycc -v 1.0 -c '{\"Args\":[\"init\",\"a\",\"100\",\"b\",\"200\"]}' -o orderer1.fabric.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/fabric.com/users/Admin@fabric.com/tls/tlscacerts/tls-0-0-0-0-7150.pem 60s\n```\n\n\n\n![Chaincode\nInstantiate](images/cacc-Instantiate.png)\n\n*ChainCode Instantiate*\n\n![Chaincode\nInvoke](images/cacc-invoke.png)\n\n*ChainCode Invoke*\n\n![Chaincode\nQuery](images/ca-cc-query.png)\n\n*ChainCode Query*\n\n![peer channel fetch newest](images/peer-fetch-png.png)\n\nThis post simulated the deployment using docker containers.\nFor deployment on different hosts, you will need to get the signing\ncertificate on each of those hosts through an out-of-band process.\n\nThe network configuration for this project assumes that all containers\nare running in the same network. 
If your deployment uses different\nnetworks, make relevant adjustments to work with your network configurations.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frupeshtr78%2Ffabric","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frupeshtr78%2Ffabric","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frupeshtr78%2Ffabric/lists"}