
MartinStuwe/blockchain_KI-BioSense


BioSense_BlockChain


Hyperledger Fabric for KI-BioSense

Description

The BioSense_BlockChain is the Hyperledger Fabric solution for KI-BioSense.

TLS

Since v2.x, Hyperledger Fabric uses Raft as its consensus algorithm; Kafka and Solo are deprecated [1]. Raft nodes identify each other through TLS pinning, so it is not possible to run a Raft node without a valid TLS configuration [2].


Installation

Clone the repo.

Linux

To make this repo runnable, the hostnames such as peer1.fishsupplier1.kibiosense.com have to be written into /etc/hosts:

127.0.0.1 localhost orderernode1.orderer1.kibiosense.com orderernode2.orderer1.kibiosense.com orderernode3.orderer1.kibiosense.com peer1.fishsupplier1.kibiosense.com peer2.fishsupplier1.kibiosense.com orderer1.kibiosense.com fishsupplier1.kibiosense.com supermarket1.kibiosense.com peer1.supermarket1.kibiosense.com peer2.supermarket1.kibiosense.com
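As an added example (not part of the repository), the following POSIX shell helpers check a hosts file for the names listed above and append the missing ones idempotently. They take the file path as an argument, so they can be tried on a copy before being pointed at /etc/hosts with sudo. The REQUIRED_HOSTS list is taken from the line above; the demo file at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the repository: report which of the README's
# hostnames a hosts file does not map to loopback, and add them once.
set -eu

# The names the README expects on the 127.0.0.1 line
REQUIRED_HOSTS="orderernode1.orderer1.kibiosense.com orderernode2.orderer1.kibiosense.com \
orderernode3.orderer1.kibiosense.com peer1.fishsupplier1.kibiosense.com \
peer2.fishsupplier1.kibiosense.com orderer1.kibiosense.com fishsupplier1.kibiosense.com \
supermarket1.kibiosense.com peer1.supermarket1.kibiosense.com peer2.supermarket1.kibiosense.com"

# hosts_resolves FILE HOST: succeeds if HOST appears as a name on a non-comment line of FILE
hosts_resolves() {
  awk -v h="$2" '
    /^[ \t]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# missing_hosts FILE: prints the required names FILE does not map, one per line
missing_hosts() {
  for h in $REQUIRED_HOSTS; do
    hosts_resolves "$1" "$h" || echo "$h"
  done
}

# ensure_hosts FILE: appends a single 127.0.0.1 line carrying the missing names;
# a no-op when every name is already present, so it can be re-run safely
ensure_hosts() {
  missing=$(missing_hosts "$1" | tr '\n' ' ')
  missing=${missing% }
  if [ -n "$missing" ]; then
    printf '127.0.0.1 %s\n' "$missing" >> "$1"
  fi
}

# Demo on a constructed hosts file (use /etc/hosts with sudo for the real thing)
DEMO=$(mktemp)
printf '127.0.0.1 localhost\n::1 localhost\n' > "$DEMO"
missing_hosts "$DEMO" | wc -l    # 10
ensure_hosts "$DEMO"
missing_hosts "$DEMO" | wc -l    # 0
rm -f "$DEMO"
```

Comment lines are skipped on purpose: a name that is only present in a commented-out line is reported as missing, which is what a node trying to reach peer1.fishsupplier1.kibiosense.com would experience.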


Usage

Adding a new CA

Recommended per organization

  • 1x TLS CA
  • 1x Organization CA

TLS CA / Orga CA

  1. Create folder structure for organization CAs in fabric-ca
    1. mkdir orga
    2. cd orga
    3. mkdir tls-ca
    4. mkdir orga-ca
    5. mkdir tls-root-cert
  2. Copy fabric-ca-server into CA folders
    1. cd tls-ca
    2. mkdir fabric-ca-server-tls
    3. cp fabric-ca-server fabric-ca-server-tls
    4. cd orga-ca
    5. mkdir fabric-ca-server-orga
    6. cp fabric-ca-server fabric-ca-server-orga

TLS CA

Initialize the server with a bootstrap admin

./fabric-ca-server init -b <NAME_OF_ADMIN>:<PASSWORD>
./fabric-ca-server init -b fishsupplier1-tls:PASSWORD
./fabric-ca-server init -b supermarket1-tls:PASSWORD
./fabric-ca-server init -b orderer1-tls:PASSWORD

Edit the TLS CA config (fabric-ca-server-config.yaml):

  • change the port, if required
  • set tls to true
  • set ca.name
  • remove signing.profiles.ca: for a TLS CA you can delete the ca signing profile in this config step, because this CA should only issue TLS certificates
  • add a hostname like tls.ca.fishsupplier1.kibiosense.com to csr.hosts
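The edits above map onto the following keys of fabric-ca-server-config.yaml. This is an added illustration, not a file from the repository: the key names are those of the fabric-ca-server configuration; the port, ca.name and hostnames are assumed values for fishsupplier1 chosen to match the enroll commands in this README.

```yaml
# Added illustration, not a file from the repository: the TLS CA's
# fabric-ca-server-config.yaml after the edits listed above.
port: 7054                       # one distinct port per CA process
tls:
  enabled: true                  # the README's "tls: true": clients reach this CA over HTTPS only
  certfile:                      # empty on a fresh init: the server generates its own tls-cert.pem
  keyfile:
  clientauth:
    type: noclientcert
ca:
  name: tls-ca-fishsupplier1     # ca.name identifies this CA (selectable with --caname)
csr:
  cn: tls.ca.fishsupplier1.kibiosense.com
  hosts:                         # csr.hosts: every name used in -u https://<host>:7054
    - tls.ca.fishsupplier1.kibiosense.com
    - localhost
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    # signing.profiles.ca removed, as instructed: this CA only issues TLS certificates
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
```

The csr.hosts list is what ends up in the server certificate's subject alternative names, so every hostname that a client later puts into -u https://... has to be present here before init; changing it afterwards means regenerating the certificate.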

Start the server with

./fabric-ca-server start 

Copy the TLS CA root certificate ca-cert.pem into the CA's tls-root-cert folder (as tls-ca-cert.pem, the name used by the commands below).

export FABRIC_CA_CLIENT_HOME=$PWD

Enroll the TLS CA bootstrap identity

./fabric-ca-client enroll -d -u https://<NAME_OF_ADMIN>:<PASSWORD>@localhost:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --mspdir tls-ca/<NAME_OF_ADMIN>/msp

./fabric-ca-client enroll -d -u https://fishsupplier1-tls:PASSWORD@tls.ca.fishsupplier1.kibiosense.com:7054 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp

./fabric-ca-client enroll -d -u https://supermarket1-tls:PASSWORD@tls.ca.supermarket1.kibiosense.com:7056 --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --mspdir supermarket1/tls-ca/supermarket1-tls/msp

./fabric-ca-client enroll -d -u https://orderer1-tls:PASSWORD@tls.ca.orderer1.kibiosense.com:7058 --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --mspdir orderer1/tls-ca/orderer1-tls/msp

Register & enroll the organization CA bootstrap identity

./fabric-ca-client register -d --id.name rcaadmin --id.secret rcaadminpw -u https://my-machine.example.com:7054  --tls.certfiles tls-root-cert/tls-ca-cert.pem --mspdir tls-ca/tlsadmin/msp

./fabric-ca-client register -d --id.name fishsupplier1-rcaadmin --id.secret PASSWORD -u https://tls.ca.fishsupplier1.kibiosense.com:7054  --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp

./fabric-ca-client register -d --id.name supermarket1-rcaadmin --id.secret PASSWORD -u https://tls.ca.supermarket1.kibiosense.com:7056  --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir supermarket1/tls-ca/supermarket1-tls/msp

./fabric-ca-client register -d --id.name orderer1-rcaadmin --id.secret PASSWORD -u https://tls.ca.orderer1.kibiosense.com:7058  --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --mspdir orderer1/tls-ca/orderer1-tls/msp
./fabric-ca-client enroll -d -u https://rcaadmin:rcaadminpw@my-machine.example.com:7054 --tls.certfiles tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'localhost' --mspdir tls-ca/rcaadmin/msp

./fabric-ca-client_mac enroll -d -u https://fishsupplier1-rcaadmin:PASSWORD@tls.ca.fishsupplier1.kibiosense.com:7054  --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/tls-ca/fishsupplier1-rcaadmin/msp --csr.hosts 'ca.fishsupplier1.kibiosense.com'

./fabric-ca-client enroll -d -u https://fishsupplier1-rcaadmin:PASSWORD@tls.ca.fishsupplier1.kibiosense.com:7054  --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/tls-ca/fishsupplier1-rcaadmin/msp --csr.hosts 'ca.fishsupplier1.kibiosense.com'

./fabric-ca-client enroll -d -u https://supermarket1-rcaadmin:PASSWORD@tls.ca.supermarket1.kibiosense.com:7056  --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir supermarket1/tls-ca/supermarket1-rcaadmin/msp --csr.hosts 'ca.supermarket1.kibiosense.com'

./fabric-ca-client enroll -d -u https://orderer1-rcaadmin:PASSWORD@tls.ca.orderer1.kibiosense.com:7058  --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --mspdir orderer1/tls-ca/orderer1-rcaadmin/msp --csr.hosts 'ca.orderer1.kibiosense.com'

See https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html

Orga CA / RCA

Copy tls-ca/rcaadmin/msp/signcerts and tls-ca/rcaadmin/msp/keystore to orga-ca/tls/signcerts and orga-ca/tls/keystore.

You can rename the private key in keystore to key.pem.

Reference them in the tls section of orga-ca/fabric-ca-server-config.yaml.

Add the host, e.g. ca.fishsupplier1.kibiosense.com, to csr.hosts.

Initialize the CA server

./fabric-ca-server init -b fishsupplier1-rcaadmin:PASSWORD
./fabric-ca-server init -b supermarket1-rcaadmin:PASSWORD
./fabric-ca-server init -b orderer1-rcaadmin:PASSWORD

Modify the config:

  • Set the port
  • Enable TLS
  • Point tls.keyfile and tls.certfile to tls/keystore/key.pem and tls/signcerts/cert.pem

Add the CA hostnames to /etc/hosts, one line each:

127.0.0.1 ca.fishsupplier1.kibiosense.com
127.0.0.1 ca.supermarket1.kibiosense.com

Start the server

./fabric-ca-server start

Enroll the CA admin

export FABRIC_CA_CLIENT_HOME=$PWD

./fabric-ca-client enroll -d -u https://fishsupplier1-rcaadmin:PASSWORD@ca.fishsupplier1.kibiosense.com:7055 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp

./fabric-ca-client enroll -d -u https://supermarket1-rcaadmin:PASSWORD@ca.supermarket1.kibiosense.com:7057 --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir supermarket1/supermarket1-ca/supermarket1-rcaadmin/msp

./fabric-ca-client enroll -d -u https://orderer1-rcaadmin:PASSWORD@ca.orderer1.kibiosense.com:7059 --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp

Identities

Add new identities

export FABRIC_CA_CLIENT_HOME=$PWD

  1. Admins register identities
./fabric-ca-client register -d --id.name org1admin --id.secret org1adminpw -u https://example.com:7054 --mspdir ./org1-ca/msp --id.type admin --tls.certfiles ../tls/tls-ca-cert.pem --csr.hosts 'host1,*.example.com'

./fabric-ca-client register -d --id.name fishsupplier1-admin --id.secret PASSWORD -u https://ca.fishsupplier1.kibiosense.com:7055 --id.type admin --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'fishsupplier1.kibiosense.com' --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp

./fabric-ca-client register -d --id.name supermarket1-admin --id.secret PASSWORD -u https://ca.supermarket1.kibiosense.com:7057 --id.type admin --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'supermarket1.kibiosense.com' --mspdir supermarket1/supermarket1-ca/supermarket1-rcaadmin/msp

./fabric-ca-client register -d --id.name orderer1-admin --id.secret PASSWORD -u https://ca.orderer1.kibiosense.com:7059 --id.type admin --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'orderer1.kibiosense.com' --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp

  2. The owner of the identity enrolls it with the provided login information
./fabric-ca-client enroll -u https://<ENROLL_ID>:<ENROLL_SECRET>@<CA_URL>:<PORT> --mspdir <MSP_FOLDER> --csr.hosts <CSR_HOSTNAME> --tls.certfiles $TLS_CERT

./fabric-ca-client enroll -u https://fishsupplier1-admin:PASSWORD@ca.fishsupplier1.kibiosense.com:7055 --csr.hosts 'fishsupplier1.kibiosense.com' --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/msp

./fabric-ca-client enroll -u https://supermarket1-admin:PASSWORD@ca.supermarket1.kibiosense.com:7057 --csr.hosts 'supermarket1.kibiosense.com' --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir ../peerOrganizations/supermarket1.kibiosense.com/msp

./fabric-ca-client enroll -u https://orderer1-admin:PASSWORD@ca.orderer1.kibiosense.com:7059 --csr.hosts 'orderer1.kibiosense.com' --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --mspdir ../ordererOrganizations/orderer1.kibiosense.com/msp

See https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/use_CA.html

Add identities

TLS binds hostnames to the TLS certificates. A hostname like peer1.fish

Correct enrollment for TLS: use the hostname instead of an IP address, because this hostname is bound to the certificate.

Write the hostnames such as peer1.fishsupplier1.kibiosense.com into your /etc/hosts:

127.0.0.1 localhost orderernode1.orderer1.kibiosense.com orderernode2.orderer1.kibiosense.com orderernode3.orderer1.kibiosense.com peer1.fishsupplier1.kibiosense.com peer2.fishsupplier1.kibiosense.com orderer1.kibiosense.com fishsupplier1.kibiosense.com supermarket1.kibiosense.com peer1.supermarket1.kibiosense.com peer2.supermarket1.kibiosense.com

Then, for each TLS CA, add the corresponding hostnames to the csr.hosts section of its fabric-ca-server-config.yaml.

To change CSR.Hosts, edit the CSR section of fabric-ca-server-config.yaml and regenerate tls-cert.pem; this updated tls-cert can then be used as tls-root-cert (and must replace the old copy wherever it was distributed).

TLS-CA

Registrations

Fishsupplier1 Peers

./fabric-ca-client register -d --id.name peer1-fishsupplier1 --id.secret PASSWORD -u https://tls.ca.fishsupplier1.kibiosense.com:7054 --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp --id.type peer --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'peer1.fishsupplier1.kibiosense.com'

./fabric-ca-client register -d --id.name peer2-fishsupplier1 --id.secret PASSWORD -u https://tls.ca.fishsupplier1.kibiosense.com:7054 --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp --id.type peer --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'peer2.fishsupplier1.kibiosense.com'

Supermarket1 Peers

./fabric-ca-client register -d --id.name peer1-supermarket1 --id.secret PASSWORD -u https://tls.ca.supermarket1.kibiosense.com:7056 --mspdir supermarket1/tls-ca/supermarket1-tls/msp --id.type peer --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'peer1.supermarket1.kibiosense.com'

./fabric-ca-client register -d --id.name peer2-supermarket1 --id.secret PASSWORD -u https://tls.ca.supermarket1.kibiosense.com:7056 --mspdir supermarket1/tls-ca/supermarket1-tls/msp --id.type peer --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'peer2.supermarket1.kibiosense.com'

Orderer1 orderers

./fabric-ca-client register -d --id.name orderernode1-orderer1 --id.secret kibiosense -u https://tls.ca.orderer1.kibiosense.com:7058 --mspdir orderer1/tls-ca/orderer1-tls/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name orderernode2-orderer1 --id.secret kibiosense -u https://tls.ca.orderer1.kibiosense.com:7058 --mspdir orderer1/tls-ca/orderer1-tls/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name orderernode3-orderer1 --id.secret kibiosense -u https://tls.ca.orderer1.kibiosense.com:7058 --mspdir orderer1/tls-ca/orderer1-tls/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

Enrollments Fishsupplier1 Peers

./fabric-ca-client enroll -d --enrollment.profile tls -u https://peer1-fishsupplier1:kibiosense@tls.ca.fishsupplier1.kibiosense.com:7054 --csr.hosts 'peer1.fishsupplier1.kibiosense.com' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

 ./fabric-ca-client enroll -d --enrollment.profile tls -u https://peer2-fishsupplier1:kibiosense@tls.ca.fishsupplier1.kibiosense.com:7054 --csr.hosts 'peer2.fishsupplier1.kibiosense.com' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/peers/peer2.fishsupplier1.kibiosense.com/tls --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

Supermarket1 Peers

./fabric-ca-client enroll -d --enrollment.profile tls -u https://peer1-supermarket1:PASSWORD@tls.ca.supermarket1.kibiosense.com:7056 --csr.hosts 'peer1.supermarket1.kibiosense.com' --mspdir ../peerOrganizations/supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

 ./fabric-ca-client enroll -d --enrollment.profile tls -u https://peer2-supermarket1:kibiosense@tls.ca.supermarket1.kibiosense.com:7056 --csr.hosts 'peer2.supermarket1.kibiosense.com' --mspdir ../peerOrganizations/supermarket1.kibiosense.com/peers/peer2.supermarket1.kibiosense.com/tls --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

Orderer1 orderernodes

./fabric-ca-client enroll -d --enrollment.profile tls -u https://orderernode1-orderer1:PASSWORD@tls.ca.orderer1.kibiosense.com:7058 --csr.hosts 'orderernode1.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode1.orderer1.kibiosense.com/tls --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d --enrollment.profile tls -u https://orderernode2-orderer1:PASSWORD@tls.ca.orderer1.kibiosense.com:7058 --csr.hosts 'orderernode2.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode2.orderer1.kibiosense.com/tls --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d --enrollment.profile tls -u https://orderernode3-orderer1:PASSWORD@tls.ca.orderer1.kibiosense.com:7058 --csr.hosts 'orderernode3.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode3.orderer1.kibiosense.com/tls --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

Orga-CA

Register Fishsupplier1 Peers

./fabric-ca-client register -d --id.name peer1-fishsupplier1 --id.secret PASSWORD -u https://ca.fishsupplier1.kibiosense.com:7055 --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp --id.type peer --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name peer2-fishsupplier1 --id.secret PASSWORD -u https://ca.fishsupplier1.kibiosense.com:7055 --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp --id.type peer --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

Register Supermarket1 Peers

./fabric-ca-client register -d --id.name peer1-supermarket1 --id.secret PASSWORD -u https://ca.supermarket1.kibiosense.com:7057 --mspdir supermarket1/supermarket1-ca/supermarket1-rcaadmin/msp --id.type peer --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name peer2-supermarket1 --id.secret PASSWORD -u https://ca.supermarket1.kibiosense.com:7057 --mspdir supermarket1/supermarket1-ca/supermarket1-rcaadmin/msp --id.type peer --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

Orderer1 orderers

./fabric-ca-client register -d --id.name orderernode1-orderer1 --id.secret kibiosense -u https://ca.orderer1.kibiosense.com:7059 --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name orderernode2-orderer1 --id.secret kibiosense -u https://ca.orderer1.kibiosense.com:7059 --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client register -d --id.name orderernode3-orderer1 --id.secret kibiosense -u https://ca.orderer1.kibiosense.com:7059 --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp --id.type orderer --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

Enroll Fishsupplier1 Peers

./fabric-ca-client enroll -d -u https://peer1-fishsupplier1:PASSWORD@ca.fishsupplier1.kibiosense.com:7055 --csr.hosts 'peer1.fishsupplier1.kibiosense.com' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/msp --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d -u https://peer2-fishsupplier1:PASSWORD@ca.fishsupplier1.kibiosense.com:7055 --csr.hosts 'peer2.fishsupplier1.kibiosense.com' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/peers/peer2.fishsupplier1.kibiosense.com/msp --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem

Enroll Supermarket1 Peers

./fabric-ca-client enroll -d -u https://peer1-supermarket1:PASSWORD@ca.supermarket1.kibiosense.com:7057 --csr.hosts 'peer1.supermarket1.kibiosense.com' --mspdir ../peerOrganizations/supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/msp --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d -u https://peer2-supermarket1:PASSWORD@ca.supermarket1.kibiosense.com:7057 --csr.hosts 'peer2.supermarket1.kibiosense.com' --mspdir ../peerOrganizations/supermarket1.kibiosense.com/peers/peer2.supermarket1.kibiosense.com/msp --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem

Enroll Orderer1 orderernodes

./fabric-ca-client enroll -d -u https://orderernode1-orderer1:PASSWORD@ca.orderer1.kibiosense.com:7059 --csr.hosts 'orderernode1.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode1.orderer1.kibiosense.com/msp --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d -u https://orderernode2-orderer1:PASSWORD@ca.orderer1.kibiosense.com:7059 --csr.hosts 'orderernode2.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode2.orderer1.kibiosense.com/msp --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

./fabric-ca-client enroll -d -u https://orderernode3-orderer1:PASSWORD@ca.orderer1.kibiosense.com:7059 --csr.hosts 'orderernode3.orderer1.kibiosense.com' --mspdir ../ordererOrganizations/orderer1.kibiosense.com/orderers/orderernode3.orderer1.kibiosense.com/msp --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem

List Identities

./fabric-ca-client identity -u https://supermarket1-admin:kibiosense@localhost:7056 --tls.certfiles supermarket1/tls-ca/fabric-ca-server-tls/ca-cert.pem --mspdir supermarket1/tls-ca/supermarket1-tls/msp list

Remove Identities

./fabric-ca-server start --cfg.identities.allowremove
export FABRIC_CA_CLIENT_HOME=$PWD

For Supermarket1 CA

./fabric-ca-client identity remove supermarket1-orderer1 -u https://localhost:7057 --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir supermarket1/supermarket1-ca/supermarket1-rcaadmin/msp

For Supermarket1 TLS CA

./fabric-ca-client identity remove supermarket1-orderer1 -u https://localhost:7056 --tls.certfiles supermarket1/tls-root-cert/tls-ca-cert.pem --mspdir supermarket1/tls-ca/supermarket1-tls/msp

For Fishsupplier1 CA

./fabric-ca-client identity remove fishsupplier1-orderer1 -u https://localhost:7055 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp

For Fishsupplier1 TLS CA

./fabric-ca-client identity remove fishsupplier1-orderer1 -u https://localhost:7054 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp

Deploy Orderer

A minimum of 3 orderers is required.

For a production deployment, it is recommended that the peer and ordering nodes belong to separate organizations [3].

Place config.yaml and orderer.sh into the orderer node's msp folder.

Change config.yaml according to

https://hyperledger-fabric.readthedocs.io/en/latest/deployorderer/ordererdeploy.html

Admin.ListenAddress has to be a unique socket (host:port) per orderer node.

  • ChannelParticipation.Enabled - Set to true. This allows the orderer to be joined to an application channel without joining a system channel first.

Orderers: listen addresses

  • orderernode1.orderer1.kibiosense.com: Admin.ListenAddress 127.0.0.1:9443, endpoint port 7052
  • orderernode2.orderer1.kibiosense.com: Admin.ListenAddress 127.0.0.1:9444, endpoint port 7050
  • orderernode3.orderer1.kibiosense.com: Admin.ListenAddress 127.0.0.1:9445, endpoint port 7051

Create Channel

One peer acts as channel admin and can add other organizations.

By specifying in the Node OU config.yaml the digital certificates of the CAs at which identities are registered, those identities are assigned roles.

Copy the digital certificate (public key) of a CA into it. Register the admin against this CA. This admin's certificate is then issued under the same CA cert as the one specified in the Node OU config.yaml, which gives it admin permissions.

./fabric-ca-client register -d --id.name orderernode1-admin --id.secret kibiosense -u https://ca.orderer1.kibiosense.com:7059 --mspdir orderer1/orderer1-ca/orderer1-rcaadmin/msp --id.type admin --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'orderer1.kibiosense.com, localhost, 127.0.0.1'
./fabric-ca-client enroll -d -u https://orderernode1-admin:kibiosense@localhost:7058 --tls.certfiles orderer1/tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'localhost' --mspdir orderer1/tls-ca/orderernode1-admin/msp

https://hyperledger-fabric.readthedocs.io/en/latest/create_channel/create_channel_participation.html

MSP ID of fishsupplier1: fishsupplier1.kibiosense.com

Set the listenAddress of each orderer node to 0.0.0.0:PORT. Set the CLI address to e.g. peer1.fishsupplier1.kibiosense.com:PORT.

Create Genesis Block

./configtxgen -profile SampleAppChannelEtcdRaft -outputBlock genesis_block.pb -channelID channel1

Start the Node Server

./orderer start

Join Orderers

export TLS_CA=tls/tlscacerts/tls-orderernode1-orderer1-kibiosense-com-7058.pem
export TLS_SIGN=tls/signcerts/cert.pem
export TLS_KEY=tls/keystore/key.pem


./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o localhost:9443 --ca-file $TLS_CA --client-cert $TLS_SIGN --client-key $TLS_KEY

./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o localhost:9444 --ca-file $TLS_CA --client-cert $TLS_SIGN --client-key $TLS_KEY

./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o localhost:9445 --ca-file $TLS_CA --client-cert $TLS_SIGN --client-key $TLS_KEY

When TLS for the admin operations endpoint is not enabled (as indicated by the HTTP response), join without the TLS flags:

./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o orderernode1.orderer1.kibiosense.com:9442
./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o orderernode1.orderer1.kibiosense.com:9444
./osnadmin channel join --channelID channel1 --config-block genesis_block.pb -o orderernode1.orderer1.kibiosense.com:9445

If you get the following error:

Status: 400
{
	"error": "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: consenter orderernode1.orderer1.kibiosense.com:7050 has invalid certificate: verifying tls client cert with serial number 633551473471934332009358762748868656050442650196: x509: certificate signed by unknown authority"
}

Create a tlscacerts folder in orderer1.kibiosense.com/msp and place the TLS CA cert 'tls-tls-ca-orderer1-kibiosense-com-7058.pem' there.
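The error above, and the hostname rule from the "Add identities" section, both come down to two properties of a node's TLS certificate: it must chain to the tls-root-cert the other consenters trust, and its subject alternative names must contain the hostname used to reach it. The script below is an added example, not part of the repository. It builds a throwaway TLS CA and node certificate with openssl (standing in for fabric-ca output) and runs both checks; the same chains_to_root and san_contains functions can be pointed at a real tls/signcerts/cert.pem and tls-root-cert/tls-ca-cert.pem. The hostnames are constructed after the README's naming; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not part of the repository. Builds a throwaway TLS CA with
# openssl (standing in for tls-root-cert/tls-ca-cert.pem), issues one node
# certificate whose SAN carries the hostname that would go into csr.hosts, and
# runs the two checks a Raft node's TLS material must pass:
#   1. the certificate chains to the root the other consenters trust
#      (otherwise: "x509: certificate signed by unknown authority"),
#   2. the SAN list contains the hostname used to reach the node
#      (an IP address is not a DNS SAN and does not match).
# Assumes openssl >= 1.1.1; every file is created in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_HOST=peer1.fishsupplier1.kibiosense.com   # constructed, follows the README's naming

# make_ca NAME: self-signed CA in $WORK/NAME-cert.pem with its key in $WORK/NAME-key.pem
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# issue_node_cert CA HOST: CSR for HOST signed by CA, with HOST and localhost as DNS SANs
issue_node_cert() {
  cat > "$WORK/node.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[v3_node]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:localhost
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/node.cnf" \
    -keyout "$WORK/node-key.pem" -out "$WORK/node.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/node.csr" -CA "$WORK/$1-cert.pem" -CAkey "$WORK/$1-key.pem" \
    -CAcreateserial -extfile "$WORK/node.cnf" -extensions v3_node \
    -out "$WORK/node-cert.pem" >/dev/null 2>&1
}

# chains_to_root ROOT CERT: succeeds only if CERT validates against ROOT
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_contains CERT HOST: succeeds only if "DNS:HOST" is one of CERT's subject alternative names
san_contains() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# check_node_cert ROOT CERT HOST: prints ok | unknown-authority | hostname-mismatch
check_node_cert() {
  if ! chains_to_root "$1" "$2"; then echo unknown-authority; return 0; fi
  if ! san_contains "$2" "$3"; then echo hostname-mismatch; return 0; fi
  echo ok
}

make_ca tls-ca      # the root every node of the org receives as tls-root-cert
make_ca other-ca    # a second root, e.g. a regenerated tls-ca-cert.pem that was never redistributed
issue_node_cert tls-ca "$NODE_HOST"

check_node_cert "$WORK/tls-ca-cert.pem"   "$WORK/node-cert.pem" "$NODE_HOST"   # ok
check_node_cert "$WORK/tls-ca-cert.pem"   "$WORK/node-cert.pem" 127.0.0.1      # hostname-mismatch
check_node_cert "$WORK/other-ca-cert.pem" "$WORK/node-cert.pem" "$NODE_HOST"   # unknown-authority
```

The third call reproduces the situation behind the osnadmin error: regenerating a TLS CA certificate (as a CSR.Hosts change requires) leaves every node that still holds the old tls-ca-cert.pem unable to validate the consenter certificates, so the new root has to be placed in each msp/tlscacerts folder before the orderers are restarted.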

Join Organizations Peers to Channel

Due to mutual TLS, the client has to register an identity with the TLS server.

Start TLS Server

./fabric-ca-server start 

Register

./fabric-ca-client register -d -u https://localhost:<PORT> --id.name Peer1 --id.secret kibiosense --id.type peer

Enroll

Join the peer to the channel. First the peer has to fetch the block.

Set listenAddress to 0.0.0.0:PORT.

export FABRIC_CFG_PATH=../config

./peer channel fetch newest channel1.block -o localhost:7051 -c channel1 --tls --cafile ../../peer1.fishsupplier1.kibiosense.com/peer1-orderer-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth

./peer channel fetch newest channel1.block -o localhost:7051 -c channel1 --tls --cafile ../../peer1.supermarket1.kibiosense.com/orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth

Use this one:

./peer channel fetch newest channel1.block -o orderernode1.orderer1.kibiosense.com:7050 -c channel1 --cafile ../../../../../ordererOrganizations/orderer1.kibiosense.com/msp/tlscacerts/tls-tls-ca-orderer1-kibiosense-com-7058.pem --tls

Run peer node start from bin with FABRIC_CFG_PATH=../config exported.

You have to use an admin identity to join the channel.

For fishsupplier1 (TLS CA on 7054, organization CA on 7055):

./fabric-ca-client register -d -u https://localhost:7054 --id.name admin-fishsupplier1 --id.secret kibiosense --id.type admin --mspdir fishsupplier1/tls-ca/fishsupplier1-tls/msp --csr.hosts 'localhost' --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem
./fabric-ca-client enroll -d -u https://admin-fishsupplier1:kibiosense@localhost:7054 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --enrollment.profile tls --csr.hosts 'localhost' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/admins/admin1.fishsupplier1.kibiosense.com/tls
./fabric-ca-client register -d -u https://localhost:7055 --id.name admin-fishsupplier1 --id.secret kibiosense --id.type admin --mspdir fishsupplier1/fishsupplier1-ca/fishsupplier1-rcaadmin/msp --csr.hosts 'localhost' --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem
./fabric-ca-client enroll -d -u https://admin-fishsupplier1:kibiosense@localhost:7055 --tls.certfiles fishsupplier1/tls-root-cert/tls-ca-cert.pem --csr.hosts 'localhost' --mspdir ../peerOrganizations/fishsupplier1.kibiosense.com/admins/admin1.fishsupplier1.kibiosense.com/msp
export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp
export FABRIC_CFG_PATH=../config

For supermarket1:

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.supermarket1.kibiosense.com/msp
export FABRIC_CFG_PATH=../config

Or use the organization MSP:

export CORE_PEER_MSPCONFIGPATH=../../../msp
./peer channel join -b channel1.block --tls --cafile ../../../../../ordererOrganizations/orderer1.kibiosense.com/msp/tlscacerts/tls-tls-ca-orderer1-kibiosense-com-7058.pem

With mutual TLS (client certificate authentication):

./peer channel join -b channel1.block --tls --cafile ../peer1-orderer-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth


peer channel join works without mutual TLS but not with mutual TLS.


### Chaincode

In Hyperledger Fabric the smart contracts are inside chaincodes.
They are either Go, Node.js or Java programs.
A chaincode manages the state of a ledger through transactions.


#### Program Chaincode
Write the chaincode inside GOPATH.


#### Package Chaincode
To integrate a chaincode it has to be packaged, which can be done with
```bash
export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp
./peer chaincode package atcc.out -p ../../../../../../chaincode/atcc --name atcc -v 1 -s -S
```

or, suggested (lifecycle packaging):

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp

./peer lifecycle chaincode package atcc.tar.gz --path /home/archlinux/go/src/gitlab.isp.uni-luebeck.de/MKhodaygani/biosense_blockchain/atcc --lang golang --label atcc_1.0

./peer lifecycle chaincode package fishcc.tar.gz --path /home/archlinux/go/src/gitlab.isp.uni-luebeck.de/MKhodaygani/biosense_blockchain/fishcc --lang golang --label fishcc_1.0

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.supermarket1.kibiosense.com/msp

Install Chaincode

Start the peers with the correct MSP and with sudo --preserve-env=FABRIC_CFG_PATH,CORE_PEER_MSPCONFIGPATH (needed because of Docker):

export CORE_PEER_MSPCONFIGPATH=../msp
sudo --preserve-env=FABRIC_CFG_PATH,CORE_PEER_MSPCONFIGPATH ./peer node start

An admin identity can be used to install the chaincode on a peer (old chaincode command; the lifecycle version follows under "Correct"):

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp
export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.supermarket1.kibiosense.com/msp
./peer chaincode install atcc.out

Correct (lifecycle) version:

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp
export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.supermarket1.kibiosense.com/msp
./peer lifecycle chaincode install atcc.tar.gz
./peer lifecycle chaincode install fishcc.tar.gz

This outputs a package ID that has to be referenced in the approvals, e.g. package identifier: atcc_1.0:ec01afcd9105e63e6076375be82ca0be8f1ced3abe0acd4e10ff8e4238275e16

export CC_PACKAGE_ID=atcc_1.0:ec01afcd9105e63e6076375be82ca0be8f1ced3abe0acd4e10ff8e4238275e16
export CC_PACKAGE_ID=fishcc_1.0:903592e57dba913ff1c1a082cd3571bed892407950f57eee38fb86751f86f5ec
./peer chaincode list --installed
./peer lifecycle chaincode checkcommitreadiness --channelID channel1 --name atcc --version 1 --sequence 1
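The package identifier is not arbitrary: Fabric forms it as the label from metadata.json, a colon, and the hex SHA-256 of the .tar.gz bytes. The script below, an added example that is not part of the repository, recomputes the identifier from the archive so the value reported by peer lifecycle chaincode install can be compared with the artifact that was actually built; a mismatch means a different package was installed than the one that is about to be approved. The sample archive is constructed inline; sha256sum (or shasum) and tar are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the repository. Recomputes a Fabric chaincode
# package identifier (<label>:<hex sha256 of the .tar.gz bytes>) so the ID
# printed by "peer lifecycle chaincode install" can be checked against the
# file that was built. Assumes sha256sum or shasum, tar and gzip.
set -eu

# sha256_hex FILE: hex digest of FILE, portable across GNU coreutils and BSD/macOS
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# package_id LABEL FILE: the identifier Fabric assigns to package FILE carrying LABEL
package_id() {
  printf '%s:%s\n' "$1" "$(sha256_hex "$2")"
}

# package_label FILE: the label from metadata.json inside the package (no jq needed)
package_label() {
  tar -xzOf "$1" metadata.json \
    | sed -n 's/.*"label"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# verify_package_id FILE REPORTED_ID: "match" when the peer-reported ID equals the recomputed one
verify_package_id() {
  expected=$(package_id "$(package_label "$1")" "$1")
  if [ "$expected" = "$2" ]; then echo match; else echo MISMATCH; fi
}

# Constructed sample package: the real one also carries the source tarball produced
# by "peer lifecycle chaincode package"; only the label and the bytes matter here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '{"path":"","type":"golang","label":"fishcc_1.0"}' > "$WORK/metadata.json"
printf 'constructed stand-in for the nested source tarball' > "$WORK/code.tar.gz"
( cd "$WORK" && tar -czf fishcc.tar.gz metadata.json code.tar.gz )

package_label "$WORK/fishcc.tar.gz"                                                      # fishcc_1.0
package_id "$(package_label "$WORK/fishcc.tar.gz")" "$WORK/fishcc.tar.gz"                # fishcc_1.0:<sha256>
verify_package_id "$WORK/fishcc.tar.gz" "$(package_id fishcc_1.0 "$WORK/fishcc.tar.gz")"  # match
```

Run verify_package_id against the real fishcc.tar.gz and the value the peer prints before exporting CC_PACKAGE_ID; since gzip embeds a timestamp, two packagings of the same source yield different IDs, which is why the ID has to be taken from the archive that was actually installed rather than recomputed from source.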

./peer lifecycle chaincode checkcommitreadiness -o orderernode2.orderer1.kibiosense.com:7051 --tls --cafile $CA_FILE --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem  --clientauth --channelID channel1 --name fishcc --version 1 --sequence 1

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.fishsupplier1.kibiosense.com/msp

export CORE_PEER_MSPCONFIGPATH=../../../admins/admin1.supermarket1.kibiosense.com/msp

Approve Chaincode

./peer lifecycle chaincode approveformyorg -o orderernode2.orderer1.kibiosense.com:7051 --tls --cafile ../peer1-orderer-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth --channelID channel1 --name atcc --version 1 --sequence 1 --package-id $CC_PACKAGE_ID
./peer lifecycle chaincode approveformyorg -o orderernode2.orderer1.kibiosense.com:7051 --tls --cafile ../orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth --channelID channel1 --name atcc --version 1 --sequence 1 --package-id $CC_PACKAGE_ID

./peer lifecycle chaincode approveformyorg -o orderernode2.orderer1.kibiosense.com:7051 --tls --cafile ../peer1-orderer-tls/msp/tlscacerts/tls-localhost-7058.pem --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth --channelID channel1 --name fishcc --version 1 --sequence 1 --package-id $CC_PACKAGE_ID

More convenient, with the orderer CA file in a variable:

export CA_FILE=../../../../../ordererOrganizations/orderer1.kibiosense.com/msp/tlscacerts/tls-tls-ca-orderer1-kibiosense-com-7058.pem

./peer lifecycle chaincode approveformyorg -o orderernode2.orderer1.kibiosense.com:7051 --tls --cafile $CA_FILE --certfile ../tls/signcerts/cert.pem --keyfile ../tls/keystore/key.pem --clientauth --channelID channel1 --name fishcc --version 1 --sequence 1 --package-id $CC_PACKAGE_ID

Commit Chaincode

./peer lifecycle chaincode commit -o localhost:7051 --channelID channel1 --name atcc --version 1 --sequence 1 --tls --cafile ../orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../../../../fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls/tlscacerts/tls-peer1-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../tls/tlscacerts/tls-peer1-supermarket1-kibiosense-com-7056.pem

./peer lifecycle chaincode commit -o localhost:7051 --channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile ../orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../../../../fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls/tlscacerts/tls-peer1-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../tls/tlscacerts/tls-peer1-supermarket1-kibiosense-com-7056.pem

From peer1.supermarket1.kibiosense.com/bin:

./peer lifecycle chaincode commit -o localhost:7051 --channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile ../orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../../../../fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls/tlscacerts/tls-peer1-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../tls/tlscacerts/tls-peer1-supermarket1-kibiosense-com-7056.pem

From peer1.fishsupplier1.kibiosense.com/bin:

./peer lifecycle chaincode commit -o orderernode2.orderer1.kibiosense.com:7051 --channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile $CA_FILE --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem
./peer_mac_arm64 lifecycle chaincode commit -o orderernode1.orderer1.kibiosense.com:7050 --channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile $CA_FILE --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem --peerAddresses peer2.fishsupplier1.kibiosense.com:7071 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem --peerAddresses peer2.supermarket1.kibiosense.com:7091 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem

./peer lifecycle chaincode commit -o orderernode1.orderer1.kibiosense.com:7050 --channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile $CA_FILE --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem --peerAddresses peer2.fishsupplier1.kibiosense.com:7071 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem --peerAddresses peer2.supermarket1.kibiosense.com:7091 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem


Invoke Chaincode

./peer chaincode invoke -o localhost:7050 --channelID channel1 --name atcc --tls --cafile ../orderer1-tls/msp/tlscacerts/tls-localhost-7058.pem --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../../../../fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls/tlscacerts/tls-peer1-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../tls/tlscacerts/tls-peer1-supermarket1-kibiosense-com-7056.pem -c '{"function":"InitLedger", "Args":[]}'
 
./peer chaincode invoke -o orderernode1.orderer1.kibiosense.com:7050 --channelID channel1 --name fishcc --tls --cafile $CA_FILE --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../../../../fishsupplier1.kibiosense.com/peers/peer1.fishsupplier1.kibiosense.com/tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem  --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem -c '{"function":"InitLedger", "Args":[]}'

./peer chaincode invoke -o orderernode1.orderer1.kibiosense.com:7050 --channelID channel1 --name fishcc --tls --cafile $CA_FILE --peerAddresses peer1.fishsupplier1.kibiosense.com:7061 --tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem --peerAddresses peer1.supermarket1.kibiosense.com:7081 --tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem -c '{"function":"InitLedger", "Args":[]}'
 
./peer chaincode query -C channel1 -n fishcc -c '{"Args":["GetAllAssets"]}'
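The commit and invoke commands above each carry a list of --peerAddresses / --tlsRootCertFiles pairs, and a mistake in one pair (a wrong port, or a TLS root certificate that belongs to the other organisation) only shows up at run time as a failed TLS handshake or a missing endorsement. The following Python helper is an added example for this README, not part of the repository or of Hyperledger Fabric: it parses such a command line, pairs the two flags positionally the way the peer CLI does, and checks the result against the peer layout used in this README (peer1/peer2 of fishsupplier1 on 7061/7071, peer1/peer2 of supermarket1 on 7081/7091, all resolving to 127.0.0.1 via /etc/hosts). The sample command strings are constructed for the example; the helper never contacts a node.

```python
"""Pairing and port sanity check for the --peerAddresses / --tlsRootCertFiles
arguments of `peer lifecycle chaincode commit` and `peer chaincode invoke`.

Added helper for this README; it is not part of Hyperledger Fabric and does not
talk to any node. Peer names and ports are the ones used in this repository;
the sample command strings are constructed for the example."""
import shlex
from collections import defaultdict

# Peer hostname -> listen port as used throughout this README. All hostnames
# resolve to 127.0.0.1 via /etc/hosts, so no two peers may share a port.
EXPECTED_PORTS = {
    "peer1.fishsupplier1.kibiosense.com": 7061,
    "peer2.fishsupplier1.kibiosense.com": 7071,
    "peer1.supermarket1.kibiosense.com": 7081,
    "peer2.supermarket1.kibiosense.com": 7091,
}


def pair_peer_args(cmdline):
    """Return [(host, port, tls_root_cert_file), ...] in command-line order.

    The peer CLI pairs the n-th --peerAddresses with the n-th
    --tlsRootCertFiles, so both flags must occur equally often."""
    argv = shlex.split(cmdline)
    addrs, certs = [], []
    for i, tok in enumerate(argv[:-1]):
        if tok == "--peerAddresses":
            addrs.append(argv[i + 1])
        elif tok == "--tlsRootCertFiles":
            certs.append(argv[i + 1])
    if len(addrs) != len(certs):
        raise ValueError(
            f"{len(addrs)} --peerAddresses but {len(certs)} --tlsRootCertFiles")
    pairs = []
    for addr, cert in zip(addrs, certs):
        host, _, port = addr.rpartition(":")
        pairs.append((host, int(port), cert))
    return pairs


def lint_endorsers(cmdline, expected_ports=EXPECTED_PORTS):
    """Return a list of findings (an empty list means the endorser list is sane)."""
    findings = []
    by_port = defaultdict(list)
    for host, port, cert in pair_peer_args(cmdline):
        by_port[port].append(host)
        want = expected_ports.get(host)
        if want is None:
            findings.append(f"{host}: not a known peer")
        elif want != port:
            findings.append(f"{host}: listens on {want}, command uses {port}")
        # The TLS root cert handed to the CLI must belong to the peer's own
        # organisation (second DNS label of the peer hostname); otherwise the
        # TLS handshake to that endorser fails.
        labels = host.split(".")
        org = labels[1] if len(labels) > 1 else host
        if org not in cert:
            findings.append(f"{host}: TLS root cert {cert} is not from org {org}")
    for port, hosts in by_port.items():
        if len(hosts) > 1:
            findings.append(f"port {port} used for several peers: {', '.join(hosts)}")
    return findings


# Constructed sample: one correct command and one where the fishsupplier1 peer
# is pointed at the supermarket1 port.
GOOD_CMD = (
    "./peer lifecycle chaincode commit -o orderernode1.orderer1.kibiosense.com:7050 "
    "--channelID channel1 --name fishcc --version 1 --sequence 1 --tls --cafile $CA_FILE "
    "--peerAddresses peer1.fishsupplier1.kibiosense.com:7061 "
    "--tlsRootCertFiles ../tls/tlscacerts/tls-tls-ca-fishsupplier1-kibiosense-com-7054.pem "
    "--peerAddresses peer1.supermarket1.kibiosense.com:7081 "
    "--tlsRootCertFiles ../../../../supermarket1.kibiosense.com/peers/"
    "peer1.supermarket1.kibiosense.com/tls/tlscacerts/tls-tls-ca-supermarket1-kibiosense-com-7056.pem"
)
BAD_CMD = GOOD_CMD.replace("peer1.fishsupplier1.kibiosense.com:7061",
                           "peer1.fishsupplier1.kibiosense.com:7081")

if __name__ == "__main__":
    for name, cmd in (("good", GOOD_CMD), ("bad", BAD_CMD)):
        print(name, lint_endorsers(cmd) or ["ok"])
```

Run it over a command line pasted from this README before executing the command; a wrong port surfaces both as a mismatch against the expected layout and as a port shared by two peers, which is exactly the kind of slip the long relative paths make easy to overlook.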

Support

For support send a mail to MartinStuwe@ProtonMail.com


Roadmap

If you have ideas for releases in the future, it is a good idea to list them in the README.


Contributing

State if you are open to contributions and what your requirements are for accepting them.

For people who want to make changes to your project, it's helpful to have some documentation on how to get started. Perhaps there is a script that they should run or some environment variables that they need to set. Make these steps explicit. These instructions could also be useful to your future self.

You can also document commands to lint the code or run tests. These steps help to ensure high code quality and reduce the likelihood that the changes inadvertently break something. Having instructions for running tests is especially helpful if it requires external setup, such as starting a Selenium server for testing in a browser.


Authors and acknowledgment

Show your appreciation to those who have contributed to the project.

Thanks to makeareadme.com & Mohammad for the markdown template.


License

For open source projects, say how it is licensed.


Project status

If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers.


References

  1. https://hyperledger-fabric.readthedocs.io/en/latest/orderer/ordering_service.html

  2. https://hyperledger-fabric.readthedocs.io/en/release-2.2/raft_configuration.html#local-configuration

  3. https://hyperledger-fabric.readthedocs.io/en/latest/create_channel/create_channel_participation.html
