How to configure the TLS connection between fabric-ca-server and fabric-ca-client.

Configuring the fabric-ca-server side

Configure TLS in the tls section of fabric-ca-server-config.yaml:

```yaml
#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: ca-cert.pem
  keyfile: ca-key.pem
  clientauth:
    type: noclientcert
    certfiles:
```

  • enabled must be set to true.
  • Configure certfile/keyfile; this is the one place that matters: this certificate must be issued by a different CA.
  • clientauth: choosing noclientcert means the server does not verify the client, which is what is usually called one-way verification: the client verifies the server, but the server does not verify the client. The other options give mutual verification, where server and client verify each other.
  • One-way verification: the server provides its certificate (cert and key) and does not need certfiles (the CA root certificate) configured; the client, however, must provide the CA root certificate, which it uses to check that the server's certificate is valid. The client also needs no certificate of its own, since it does not have to present anything to the server for verification.
  • Mutual verification: the server provides its certificate (cert and key) and must additionally configure certfiles (the CA root certificate), because it has to verify the certificate the client presents. The client must provide the matching material: its own certificate (cert/key) for the server to verify, plus the CA root certificate with which it verifies the certificate the server presents.

Configuring the fabric-ca-client side

The tls section of fabric-ca-client-config.yaml:

```yaml
#############################################################################
# TLS section for secure socket connection
#
# certfiles - PEM-encoded list of trusted root certificate files
# client:
#   certfile - PEM-encoded certificate file for when client authentication
#   is enabled on server
#   keyfile - PEM-encoded key file for when client authentication
#   is enabled on server
#############################################################################
tls:
  # TLS section for secure socket connection
  certfiles:
  client:
    certfile:
    keyfile:
```

It contains:

  • the CA root certificate;
  • the client's own certificate (cert and key), if mutual authentication is enabled.
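As an added example, not code from the original post or from fabric-ca itself, the Go program below builds a constructed three-certificate PKI (the names tls-root-ca, fabric-ca-server and fabric-ca-client are assumptions) and runs loopback handshakes in which Connect maps the settings from both sections onto Go's tls.Config: clientauth.type becomes ClientAuth, the server's certfiles ClientCAs, the client's certfiles RootCAs, and tls.client certfile/keyfile the client's Certificates. Run through the four cases, it shows the one-way and mutual rules above: the client connects only when it holds the root CA, and with requireandverifyclientcert the server additionally rejects a client that presents no certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"time"
)

// newCert builds an in-memory test certificate for cn; a nil parent yields a self-signed root CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}
// Constructed PKI: one root CA (what certfiles points at) and one leaf per side (certfile/keyfile).
var _, CA, caKey = newCert("tls-root-ca", nil, nil)
var ServerCert, _, _ = newCert("fabric-ca-server", CA, caKey)
var ClientCert, _, _ = newCert("fabric-ca-client", CA, caKey)
// Connect runs one TLS handshake on loopback and returns what the client sees. clientAuth and serverRoots
// are the server's clientauth.type and certfiles; clientRoots and certs the client's certfiles and tls.client certfile/keyfile.
func Connect(clientAuth tls.ClientAuthType, serverRoots, clientRoots *x509.CertPool, certs []tls.Certificate) error {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{ServerCert}, ClientAuth: clientAuth, ClientCAs: serverRoots})
	defer ln.Close()
	go func() {
		conn, _ := ln.Accept()
		conn.Write([]byte("ok")) // implicit server-side handshake; nothing is sent if it fails
		conn.Close()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "fabric-ca-server", RootCAs: clientRoots, Certificates: certs})
	if err != nil {
		return err
	}
	// Under TLS 1.3 a missing or rejected client certificate is reported only after the client's own handshake has returned.
	_, err = io.ReadFull(c, make([]byte, 2))
	return err
}
```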
Configuring via the command line

Besides the YAML files, both the server and the client can also be given their TLS settings on the command line:

Server:

```text
--tls.certfile string                 PEM-encoded TLS certificate file for server's listening port (default "tls-cert.pem")
--tls.clientauth.certfiles stringSlice A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.clientauth.type string          Policy the server will follow for TLS Client Authentication. (default "noclientcert")
--tls.enabled                         Enable TLS on the listening port
--tls.keyfile string                  PEM-encoded TLS key for server's listening port
```

Client:

```text
--tls.certfiles stringSlice      A list of comma-separated PEM-encoded trusted certificate files (e.g. root1.pem,root2.pem)
--tls.client.certfile string     PEM-encoded certificate file when mutual authentication is enabled
--tls.client.keyfile string      PEM-encoded key file when mutual authentication is enabled
```