github.com/adecaro/fabric-ca@v2.0.0-alpha+incompatible/docs/source/serverconfig.rst

Fabric-CA Server's Configuration File
======================================

::

#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
#    Examples:
#    a) --port 443
#       To set the listening port
#    b) --ca.keyfile ../mykey.pem
#       To set the "keyfile" element in the "ca" section below;
#       note the '.' separator character.
# 2) environment variable
#    Examples:
#    a) FABRIC_CA_SERVER_PORT=443
#       To set the listening port
#    b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#       To set the "keyfile" element in the "ca" section below;
#       note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
#    All default values are shown beside each element below.
#
# FILE NAME ELEMENTS
# ------------------
# The value of every field whose name ends with "file" or "files" is the
# name (or names) of other files.
# For example, see "tls.certfile" and "tls.clientauth.certfiles".
# The value of each of these fields can be a simple filename, a
# relative path, or an absolute path. If the value is not an
# absolute path, it is interpreted as being relative to the location
# of this configuration file.
#
#############################################################################

# Version of config file
version: <<<VERSION>>>

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
# Leave this disabled unless browser-based clients must call the server
# directly. The wildcard origin below, once "enabled" is true, lets any web
# page issue cross-origin requests to the CA; narrow "origins" to the
# specific hosts that need access before enabling it.
cors:
  enabled: false
  origins:
    - "*"

# Enables debug logging (default: false)
# Debug output is verbose; keep it disabled in production and review what it
# logs before enabling it on a server that handles enrollment secrets.
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
# TLS section for the server's listening port
#
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
#
# Certfiles is a list of root certificate authorities that the server uses
# when verifying client certificates.
#
# Enable TLS for any server reachable over a network: enrollment requests
# carry the enrollment ID and secret (see the registry section below), which
# otherwise travel in cleartext on this port. Of the client authentication
# types, only RequireAndVerifyClientCert both demands a client certificate
# and checks it against the roots listed in "certfiles"; the "IfGiven" and
# "Any" variants leave one of those two steps out.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  # This is the CA's signing key. Restrict read access to the service
  # account that runs the server: whoever holds this key can issue
  # certificates for arbitrary identities.
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

#############################################################################
# The gencrl REST endpoint is used to generate a CRL that contains revoked
# certificates. This section contains configuration options that are used
# during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  # Relying parties that cache a CRL may keep trusting it until 'Next Update',
  # so this value bounds how long a newly revoked certificate can still be
  # accepted on the strength of a stale CRL; keep it as short as your CRL
  # distribution cadence allows.
  expiry: 24h

#############################################################################
# The registry section controls how the fabric-ca-server does two things:
# 1) authenticates enrollment requests which contain a username and password
#    (also known as an enrollment ID and secret).
# 2) once authenticated, retrieves the identity's attribute names and
#    values which the fabric-ca-server optionally puts into TCerts
#    which it issues for transacting on the Hyperledger Fabric blockchain.
#    These attributes are useful for making access control decisions in
#    chaincode.
# There are two main configuration options:
# 1) The fabric-ca-server is the registry.
#    This is true if "ldap.enabled" in the ldap section below is false.
# 2) An LDAP server is the registry, in which case the fabric-ca-server
#    calls the LDAP server to perform these tasks.
#    This is true if "ldap.enabled" in the ldap section below is true,
#    which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  # With no limit, a leaked enrollment secret stays usable indefinitely; a
  # small positive value retires the secret once the intended enrollment(s)
  # have been performed.
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  # The identity below is the bootstrap administrator: the hf.* attributes
  # grant it every registrar, revocation, CRL, intermediate-CA and
  # affiliation-management privilege this file exposes. Replace the password
  # placeholder with a strong secret and keep this file readable only by the
  # server's service account. If you instead pass the bootstrap identity with
  # -b (see the examples in the Multi CA section), remember that command-line
  # arguments are visible to other local users in the process list.
  identities:
    - name: <<<adminUserName>>>
      pass: <<<adminPassword>>>
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

#############################################################################
# Database section
# Supported types are: "sqlite3", "postgres", and "mysql".
# The datasource value depends on the type.
# If the type is "sqlite3", the datasource value is a file name to use
# as the database store. Since "sqlite3" is an embedded database, it
# may not be used if you want to run the fabric-ca-server in a cluster.
# To run the fabric-ca-server in a cluster, you must choose "postgres"
# or "mysql".
#
# The database presumably backs the registry configured above (when LDAP is
# disabled), so restrict file permissions on a sqlite3 datasource, and if a
# postgres/mysql datasource string embeds database credentials, treat this
# file as a secret too. For a networked database enable db.tls so the
# connection is encrypted; the keys below appear to follow the same layout
# as the intermediate.tls section (trusted-root "certfiles" plus a client
# certificate/key for mutual TLS) -- confirm against the server's docs.
#############################################################################
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
#    for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  # The URL embeds the bind DN and its password, so this file must be
  # readable only by the server's service account. A plain ldap:// URL sends
  # that bind password, and every enrollment secret the server verifies
  # against LDAP, in cleartext; prefer an ldaps:// URL where supported,
  # together with the tls.certfiles below so the LDAP server's certificate
  # is verified.
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  # TLS configuration for the client connection to the LDAP server
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
  attribute:
    # 'names' is an array of strings containing the LDAP attribute names which are
    # requested from the LDAP server for an LDAP identity's entry
    names: ['uid','member']
    # The 'converters' section is used to convert an LDAP entry to the value of
    # a fabric CA attribute.
    # For example, the following converts an LDAP 'uid' attribute
    # whose value begins with 'revoker' to a fabric CA attribute
    # named "hf.Revoker" with a value of "true" (because the boolean expression
    # evaluates to true).
    #    converters:
    #       - name: hf.Revoker
    #         value: attr("uid") =~ "revoker*"
    # Because converters derive Fabric CA privileges (such as hf.Revoker or
    # hf.Registrar.Roles) from directory data, make sure the LDAP attributes
    # they read can only be changed by directory administrators, not by the
    # users themselves.
    converters:
      - name:
        value:
    # The 'maps' section contains named maps which may be referenced by the 'map'
    # function in the 'converters' section to map LDAP responses to arbitrary values.
    # For example, assume a user has an LDAP attribute named 'member' which has multiple
    # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
    # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
    # Further assume the following configuration.
    #    converters:
    #       - name: hf.Registrar.Roles
    #         value: map(attr("member"),"groups")
    #    maps:
    #       groups:
    #          - name: dn1
    #            value: peer
    #          - name: dn2
    #            value: client
    # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
    # "peer,client,dn3". This is because the value of 'attr("member")' is
    # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
    # "groups" replaces "dn1" with "peer" and "dn2" with "client".
    maps:
      groups:
        - name:
          value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1

#############################################################################
# Signing section
#
# The "default" subsection is used to sign enrollment certificates;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "ca" profile subsection is used to sign intermediate CA certificates;
# the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
# Note that "isca" is true, meaning that it issues a CA certificate.
# A maxpathlen of 0 means that the intermediate CA cannot issue other
# intermediate CA certificates, though it can still issue end entity certificates.
# (See RFC 5280, section 4.2.1.9)
#
# The "tls" profile subsection is used to sign TLS certificate requests;
# the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
# The "usage" lists appear to be the key usages / extended key usages written
# into the certificates each profile issues. Keep each profile limited to
# what its certificates actually need (the "default" profile, for example,
# grants only "digital signature"), and keep profile lifetimes no longer
# than your revocation process can comfortably cover.
#############################################################################
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        # Keep this at 0 unless an intermediate must itself issue CA
        # certificates; each extra level widens the trust hierarchy.
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h

###########################################################################
# Certificate Signing Request (CSR) section.
# This controls the creation of the root CA certificate.
# The expiration for the root CA certificate is configured with the
# "ca.expiry" field below, whose default value is "131400h" which is
# 15 years in hours.
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
#    a root CA. This means the root CA can issue intermediate CA certificates,
#    but these intermediate CAs may not in turn issue other CA certificates
#    though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
#    this is the default for an intermediate CA, which means it can not issue
#    CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
  cn: <<<COMMONNAME>>>
  keyrequest:
    algo: ecdsa
    size: 256
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - <<<MYHOST>>>
    - localhost
  ca:
    # 15 years. The root certificate is what every network member trusts, so
    # rotating it is disruptive; choose the lifetime deliberately and protect
    # the root key accordingly (see the bccsp keystore note below).
    expiry: 131400h
    pathlength: <<<PATHLENGTH>>>

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is a unique identifier of an
  # Idemix credential. The issuer will create a pool of revocation handles of this specified size. When
  # a credential is requested, the issuer will take a handle from the pool and assign it to the credential.
  # The issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create a non-revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. The first step is to get a nonce from the issuer
  # and the second step is to send a credential request, constructed using the nonce, to the issuer to
  # request a credential. This configuration property specifies the expiration for the nonces. By default
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  # The nonce presumably ties a credential request to a single issuance exchange; a longer
  # expiration widens the window in which a captured request could be replayed, so raise it
  # only as far as client clock skew and latency require.
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      # With the SW provider the CA's private keys live as files in this
      # directory: restrict it to the server's service account, keep it out
      # of unprotected backups, and consider an HSM for production CAs (the
      # "label" field in the intermediate.enrollment section is described as
      # being used for HSM operations).
      keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default. This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs. The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that this config option is not applicable to an intermediate CA server,
# i.e., a Fabric CA server that is started with the intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA. Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
# "admin:adminpw" above only illustrates the -b syntax; never start a real
# server with that value. A secret given on the command line is also visible
# to other local users through the process list, so on shared hosts prefer
# setting the bootstrap identity in the registry section of this file with
# the file's permissions restricted to the server's service account.
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
# 1) A single server process may contain or function as one or more CAs.
#    This is configured by the "Multi CA section" above.
# 2) Each CA is either a root CA or an intermediate CA.
# 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#
# The enrollment against the parent is what obtains this CA's own signing
# certificate, so that connection must be authenticated: use an https URL
# and populate tls.certfiles with the parent server's trusted roots so its
# certificate is verified rather than accepted blindly. If the URL carries
# the enrollment ID and secret, this file must be readable only by the
# server's service account.
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts that are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity gets
# locked out.
#############################################################################
cfg:
  identities:
    # Raising this weakens resistance to online guessing of enrollment
    # secrets; lowering it makes it easier for anyone who knows an enrollment
    # ID to lock that identity out. Balance the two for your threat model
    # (the lockout presumably applies per identity -- confirm before relying
    # on it).
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
  # host and port for the operations server
  # Bound to loopback by default. If you expose it on a non-loopback address,
  # enable tls and set clientAuthRequired so the operations endpoint is only
  # reachable by holders of a certificate chaining to one of clientRootCAs.
  listenAddress: 127.0.0.1:9443

  # TLS configuration for the operations endpoint
  tls:
    # TLS enabled
    enabled: false

    # path to PEM encoded server certificate for the operations server
    cert:
      file:

    # path to PEM encoded server key for the operations server
    key:
      file:

    # require client certificate authentication to access all resources
    clientAuthRequired: false

    # paths to PEM encoded ca certificates to trust for client authentication
    clientRootCAs:
      files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
  # statsd, prometheus, or disabled
  provider: disabled

  # statsd configuration
  statsd:
    # network type: tcp or udp
    # statsd carries no authentication or encryption of its own, so only
    # point it at a collector on a trusted network.
    network: udp

    # statsd server address
    address: 127.0.0.1:8125

    # the interval at which locally cached counters and gauges are pushed
    # to statsd; timings are pushed immediately
    writeInterval: 10s

    # prefix is prepended to all emitted statsd metrics
    prefix: server