Earlier we covered how to generate test Kafka server and client certificates with the openssl command-line tool. Here we take a different route and use fabric-ca to set up a CA server that issues certificates for the Kafka cluster.

- Define the fabric-ca-server-config.yaml file

To keep things simple, since we only need to issue TLS certificates and use none of the features Fabric relies on internally, the fabric-ca configuration items that concern Fabric network properties have been omitted.
```yaml
# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false)
debug: false

#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: tls-ca-cert.pem
  keyfile: tls-ca-key.pem
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: ca
  # Key file (default: ca-key.pem)
  keyfile: ca-key.pem
  # Certificate file (default: ca-cert.pem)
  certfile: ca-cert.pem
  # Chain file (default: chain-cert.pem)
  chainfile: ca-chain.pem

#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
#    (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
#    values which the fabric-ca-server optionally puts into TCerts
#    which it issues for transacting on the Hyperledger Fabric blockchain.
#    These attributes are useful for making access control decisions in
#    chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
#    This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
#    calls the LDAP server to perform these tasks.
#    This is true if "ldap.enabled" in the ldap section below is true,
#    which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: admin
      pass: 123456
      type: client
      affiliation: ""
      maxenrollments: -1
      attrs:
        hf.Registrar.Roles: "client"
        hf.Registrar.DelegateRoles: "client"
        hf.Registrar.Attributes: "*"
        hf.Revoker: true
        hf.IntermediateCA: true

#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem

#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
#    for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  tls:
    certfiles:
      - ldap-server-cert.pem
    client:
      certfile: ldap-client-cert.pem
      keyfile: ldap-client-key.pem

#############################################################################
# Affiliation section
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1

#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#############################################################################
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0

###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
#    a root CA. This means the root CA can issue intermediate CA certificates,
#    but these intermediate CAs may not in turn issue other CA certificates
#    though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
#    this is the default for an intermediate CA, which means it can not issue
#    CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
  cn: kafkaca
  names:
    - C: US
      O: example
      OU: oneorg
  ca:
    expiry: 131400h
    pathlength: 1

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs.
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
cacount:
cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
#    This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
```
In the yaml file above:

- the bootstrap user admin/123456 is defined;
- hf.Registrar.Roles is given the single value "client", so the admin identity can only register identities of type client.

- Define the docker-compose.yaml file
```yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'

networks:
  byfn:

services:
  kafkaca.oneorg.example.com:
    container_name: kafkaca.oneorg.example.com
    image: hyperledger/fabric-ca
    working_dir: /work
    environment:
      - FABRIC_CA_SERVER_HOME=/work
    ports:
      - "7054"
    command: sh -c 'fabric-ca-server start -c /work/fabric-ca-server-config.yaml'
    volumes:
      - ./kafkaca:/work
    networks:
      - byfn
```
- Start the fabric CA

```shell
$ docker-compose -f docker-compose-ca.yaml up
```
- Enrolling the bootstrap identity

```shell
fabric-ca-client enroll \
  -M /work/msp \
  -u http://admin:123456@kafkaca.oneorg.example.com:7054 \
  --home /work
```

admin is the built-in bootstrap account; it must be enrolled first to obtain its MSP certificate before the register operation for new identities below can be performed. Because tls.enabled is false in the server config above, the connection is plain http and the enrollment secret travels in the clear, which is acceptable only for this test setup. Running the command produces:

- a fabric-ca-client.yaml file in the /work directory;
- a certificate for admin in the /work/msp directory.
- Registering a new identity

```shell
fabric-ca-client register \
  --id.name kafka \
  --id.secret "123456" \
  -u http://admin:123456@kafkaca.oneorg.example.com:7054 \
  --home /work
```

This registers an identity named kafka.
- Enrolling a kafka identity

```shell
fabric-ca-client enroll \
  --enrollment.profile tls \
  --csr.names "C=US,O=example,OU=oneorg" \
  --csr.hosts "*.oneorg.example.com" \
  -M /work/kafka \
  -u http://kafka:123456@kafkaca.oneorg.example.com:7054 \
  --home /work
```

This issues the TLS certificate for the kafka identity registered above and places it under /work/kafka. We then inspect the issued certificate:

```text
$ openssl x509 -text -noout -in kafka/signcerts/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:66:dc:e0:2a:8e:1a:75:9d:4f:90:36:f4:51:5c:3c:9b:d6:8a:5f
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=example, OU=oneorg, CN=kafkaca
        ...
        Subject: C=US, O=example, OU=client, CN=kafka
        ...
        X509v3 extensions:
            ...
            X509v3 Subject Alternative Name:
                DNS:*.oneorg.example.com
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"kafka","hf.Type":"client"}}
        ...
```
- From here, TLS certificates can be issued for multiple Kafka instances in the same way.
- Kafka clients can also be registered and issued TLS certificates, along the following lines:

```shell
# register kafka client identity
fabric-ca-client register \
  --id.name kafkaclient \
  --id.secret "123456" \
  -u http://admin:123456@kafkaca.oneorg.example.com:7054 \
  --home /work

# enroll kafka client identity
fabric-ca-client enroll \
  --enrollment.profile tls \
  --csr.names "C=US,O=example,OU=oneorg" \
  --csr.hosts "*.oneorg.example.com" \
  -M /work/kafkaclient \
  -u http://kafkaclient:123456@kafkaca.oneorg.example.com:7054 \
  --home /work
```

You can adjust the parameters as needed.