#
# Copyright contributors to the Hyperledger Fabric Operator project
#
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#############################################################################
# This is a configuration file for the fabric-ca-server command.
# It is the operator's default CA configuration; several file-path fields
# and the bootstrap identity are left as placeholders or sample values and
# are expected to be filled in at deployment time.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
#    Examples:
#    a) --port 443
#       To set the listening port
#    b) --ca.keyfile ../mykey.pem
#       To set the "keyfile" element in the "ca" section below;
#       note the '.' separator character.
# 2) environment variable
#    Examples:
#    a) FABRIC_CA_SERVER_PORT=443
#       To set the listening port
#    b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#       To set the "keyfile" element in the "ca" section below;
#       note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
#    All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of all fields whose name ends with "file" or "files" are
# name or names of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
# Disabled here. If it is enabled, the wildcard origin below admits
# cross-origin requests from any web origin, so narrow "origins" to the
# hosts that actually need access before turning it on.
cors:
  enabled: false
  origins:
    - "*"

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  # certfile/keyfile are empty in this template; TLS is enabled above, so
  # both must be populated before the server can serve the port
  # (presumably done by the operator at deploy time -- confirm).
  certfile:
  keyfile:
  clientauth:
    # noclientcert: the server never asks callers for a certificate, so the
    # listening port relies on server-side TLS only. Requiring mutual TLS
    # means choosing one of the other types listed above and populating
    # certfiles with the trusted client roots.
    type: noclientcert
    certfiles:

#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: ca
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
  # Ignore Certificate Expiration in the case of re-enroll
  # NOTE(review): with this set to true an identity may re-enroll using a
  # certificate that has already expired, so expiry alone does not stop the
  # holder from obtaining a fresh certificate; revoking the identity (see
  # the crl section) is the way to end that ability.
  reenrollIgnoreCertExpiry: true

#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
#    (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
#    values which the fabric-ca-server optionally puts into TCerts
#    which it issues for transacting on the Hyperledger Fabric blockchain.
#    These attributes are useful for making access control decisions in
#    chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
#    This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
#    calls the LDAP server to perform these tasks.
#    This is true if "ldap.enabled" in the ldap section below is true,
#    which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  # NOTE(review): the bootstrap identity below carries the complete
  # registrar / revoker / intermediate-CA / affiliation-manager attribute
  # set, and its secret is the well-known sample value "adminpw". The secret
  # must be replaced before the server is reachable by anyone else
  # (presumably overridden by the operator -- confirm).
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#############################################################################
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  # Database TLS is off. That is irrelevant for the embedded sqlite3 file,
  # but revisit it (enabled, certfiles, client cert/key) when switching to
  # postgres or mysql, where the datasource is a network connection.
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
#    for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  # The bind DN and its password are embedded in this URL, so once the
  # placeholders are filled in this file holds a secret: keep it out of
  # source control, and use an ldaps:// URL (with tls.certfiles below)
  # where the LDAP server supports it so the bind credentials are not
  # sent in the clear.
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  # TLS configuration for the client connection to the LDAP server
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
  attribute:
    # 'names' is an array of strings containing the LDAP attribute names which are
    # requested from the LDAP server for an LDAP identity's entry
    names: ['uid','member']
    # The 'converters' section is used to convert an LDAP entry to the value of
    # a fabric CA attribute.
    # For example, the following converts an LDAP 'uid' attribute
    # whose value begins with 'revoker' to a fabric CA attribute
    # named "hf.Revoker" with a value of "true" (because the boolean expression
    # evaluates to true).
    #    converters:
    #       - name: hf.Revoker
    #         value: attr("uid") =~ "revoker*"
    converters:
      - name:
        value:
    # The 'maps' section contains named maps which may be referenced by the 'map'
    # function in the 'converters' section to map LDAP responses to arbitrary values.
    # For example, assume a user has an LDAP attribute named 'member' which has multiple
    # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
    # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
    # Further assume the following configuration.
    #    converters:
    #       - name: hf.Registrar.Roles
    #         value: map(attr("member"),"groups")
    #    maps:
    #       groups:
    #          - name: dn1
    #            value: peer
    #          - name: dn2
    #            value: client
    # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
    # "peer,client,dn3". This is because the value of 'attr("member")' is
    # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
    # "groups" replaces "dn1" with "peer" and "dn2" with "client".
    maps:
      groups:
        - name:
          value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:

#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the fabric-ca default expiration ("expiry" field) is "8760h" (1 year in
# hours), but this file sets "87600h", which is 10 years. Certificates
# issued under this profile therefore stay valid far longer than enrollment
# certificates unless they are revoked.
#############################################################################
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      # 10 years; see the note in the section header above.
      expiry: 87600h

###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
#    a root CA. This means the root CA can issue intermediate CA certificates,
#    but these intermediate CAs may not in turn issue other CA certificates
#    though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
#    this is the default for an intermediate CA, which means it cannot issue
#    CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
  cn: ca
  keyrequest:
    algo: ecdsa
    size: 256
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - localhost
    - 127.0.0.1
  ca:
    expiry: 131400h
    pathlength: 1

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is a unique identifier of an
  # Idemix credential. The issuer will create a pool of revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the issuer to
  # request a credential. This configuration property specifies expiration for the nonces. By default,
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      # With the SW provider the CA's private keys are plain files in this
      # directory, so its filesystem permissions and any backups of it need
      # the same protection as the keys themselves.
      keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
#    This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  # certfiles pins the roots trusted for the connection to the parent server;
  # leaving it empty when parentserver.url is set means the parent's identity
  # is not pinned by this file.
  tls:
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts that are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity gets
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
  # host and port for the operations server
  # Bound on all interfaces; combined with clientAuthRequired: false below,
  # any client that can reach this port and complete a TLS handshake can
  # query the operations endpoint.
  listenAddress: 0.0.0.0:9443

  # TLS configuration for the operations endpoint
  tls:
    # TLS enabled
    enabled: true

    # path to PEM encoded server certificate for the operations server
    cert:
      file:

    # path to PEM encoded server key for the operations server
    key:
      file:

    # require client certificate authentication to access all resources
    # Set to true and populate clientRootCAs.files to limit the endpoint to
    # holders of a certificate issued by a trusted root.
    clientAuthRequired: false

    # paths to PEM encoded ca certificates to trust for client authentication
    clientRootCAs:
      files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
  # statsd, prometheus, or disabled
  provider: prometheus

  # statsd configuration
  statsd:
    # network type: tcp or udp
    network: udp

    # statsd server address
    address: 127.0.0.1:8125

    # the interval at which locally cached counters and gauges are pushed
    # to statsd; timings are pushed immediately
    writeInterval: 10s

    # prefix is prepended to all emitted statsd metrics
    prefix: server