[FAB-7342] Enable client auth in fabric-ca sample

Currently client authentication is not enabled on any peers and orderer in the fabric-ca sample. This change set will enable client authentication on all the peers and orderer. Change-Id: If3c6a5dc6d1dc3a38096608617971945bde359c0 Signed-off-by: Anil Ambati <[email protected]>
hyperledger · Feb 2, 2018 · 652f074 · 652f074
1 parent bbee1b2
commit 652f074
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 5 deletions.
diff --git a/fabric-ca/makeDocker.sh b/fabric-ca/makeDocker.sh
@@ -187,6 +187,8 @@ function writeOrderer {
       - ORDERER_GENERAL_TLS_PRIVATEKEY=$MYHOME/tls/server.key
       - ORDERER_GENERAL_TLS_CERTIFICATE=$MYHOME/tls/server.crt
       - ORDERER_GENERAL_TLS_ROOTCAS=[$CA_CHAINFILE]
+      - ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
+      - ORDERER_GENERAL_TLS_CLIENTROOTCAS=[$CA_CHAINFILE]
       - ORDERER_GENERAL_LOGLEVEL=debug
       - ORDERER_DEBUG_BROADCASTTRACEDIR=$LOGDIR
       - ORG=$ORG
@@ -211,6 +213,7 @@ function writePeer {
       - FABRIC_CA_CLIENT_HOME=$MYHOME
       - FABRIC_CA_CLIENT_TLS_CERTFILES=$CA_CHAINFILE
       - ENROLLMENT_URL=https://$PEER_NAME_PASS@$CA_HOST:7054
+      - PEER_NAME=$PEER_NAME
       - PEER_HOME=$MYHOME
       - PEER_HOST=$PEER_HOST
       - PEER_NAME_PASS=$PEER_NAME_PASS
@@ -222,10 +225,13 @@ function writePeer {
       - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=net_${NETWORK}
       - CORE_LOGGING_LEVEL=DEBUG
       - CORE_PEER_TLS_ENABLED=true
-      - CORE_PEER_PROFILE_ENABLED=true
       - CORE_PEER_TLS_CERT_FILE=$MYHOME/tls/server.crt
       - CORE_PEER_TLS_KEY_FILE=$MYHOME/tls/server.key
       - CORE_PEER_TLS_ROOTCERT_FILE=$CA_CHAINFILE
+      - CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+      - CORE_PEER_TLS_CLIENTROOTCAS_FILES=$CA_CHAINFILE
+      - CORE_PEER_TLS_CLIENTCERT_FILE=/$DATA/tls/$PEER_NAME-client.crt
+      - CORE_PEER_TLS_CLIENTKEY_FILE=/$DATA/tls/$PEER_NAME-client.key
       - CORE_PEER_GOSSIP_USELEADERELECTION=true
       - CORE_PEER_GOSSIP_ORGLEADER=false
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT=$PEER_HOST:7051

diff --git a/fabric-ca/scripts/env.sh b/fabric-ca/scripts/env.sh
@@ -172,6 +172,25 @@ function initOrdererVars {
    export ORDERER_GENERAL_TLS_ROOTCAS=[$INT_CA_CHAINFILE]
 }
 
+function genClientTLSCert {
+   if [ $# -ne 3 ]; then
+      echo "Usage: genClientTLSCert <host name> <cert file> <key file>: $*"
+      exit 1
+   fi
+
+   HOST_NAME=$1
+   CERT_FILE=$2
+   KEY_FILE=$3
+
+   # Get a client cert
+   fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $HOST_NAME
+
+   mkdir /$DATA/tls || true
+   cp /tmp/tls/signcerts/* $CERT_FILE
+   cp /tmp/tls/keystore/* $KEY_FILE
+   rm -rf /tmp/tls
+}
+
 # initPeerVars <ORG> <NUM>
 function initPeerVars {
    if [ $# -ne 2 ]; then
@@ -201,10 +220,11 @@ function initPeerVars {
    # export CORE_LOGGING_LEVEL=ERROR
    export CORE_LOGGING_LEVEL=DEBUG
    export CORE_PEER_TLS_ENABLED=true
-   export CORE_PEER_PROFILE_ENABLED=true
-   export CORE_PEER_TLS_CERT_FILE=$TLSDIR/server.crt
-   export CORE_PEER_TLS_KEY_FILE=$TLSDIR/server.key
+   export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
    export CORE_PEER_TLS_ROOTCERT_FILE=$INT_CA_CHAINFILE
+   export CORE_PEER_TLS_CLIENTCERT_FILE=/$DATA/tls/$PEER_NAME-cli-client.crt
+   export CORE_PEER_TLS_CLIENTKEY_FILE=/$DATA/tls/$PEER_NAME-cli-client.key
+   export CORE_PEER_PROFILE_ENABLED=true
    # gossip variables
    export CORE_PEER_GOSSIP_USELEADERELECTION=true
    export CORE_PEER_GOSSIP_ORGLEADER=false

diff --git a/fabric-ca/scripts/start-peer.sh b/fabric-ca/scripts/start-peer.sh
@@ -11,7 +11,10 @@ source $(dirname "$0")/env.sh
 
 awaitSetup
 
-# Enroll the peer to get a TLS cert
+# Although a peer may use the same TLS key and certificate file for both inbound and outbound TLS,
+# we generate a different key and certificate for inbound and outbound TLS simply to show that it is permissible
+
+# Generate server TLS cert and key pair for the peer
 fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $PEER_HOST
 
 # Copy the TLS key and cert to the appropriate place
@@ -21,6 +24,12 @@ cp /tmp/tls/signcerts/* $CORE_PEER_TLS_CERT_FILE
 cp /tmp/tls/keystore/* $CORE_PEER_TLS_KEY_FILE
 rm -rf /tmp/tls
 
+# Generate client TLS cert and key pair for the peer
+genClientTLSCert $PEER_NAME $CORE_PEER_TLS_CLIENTCERT_FILE $CORE_PEER_TLS_CLIENTKEY_FILE
+
+# Generate client TLS cert and key pair for the peer CLI
+genClientTLSCert $PEER_NAME /$DATA/tls/$PEER_NAME-cli-client.crt /$DATA/tls/$PEER_NAME-cli-client.key
+
 # Enroll the peer to get an enrollment certificate and set up the core's local MSP directory
 fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $CORE_PEER_MSPCONFIGPATH
 finishMSPSetup $CORE_PEER_MSPCONFIGPATH