github.com/adnan-c/fabric_e2e_couchdb@v0.6.1-preview.0.20170228180935-21ce6b23cf91/docs/Setup/TLSSetup.md

### Steps to enable TLS for all servers (ECA, ACA, TLSCA, TCA) and for the communication between the ACA client and the server

1. Go to the **membersrvc.yaml** file under the fabric/membersrvc directory and edit the security section, that is:
```
security:
  serverhostoverride:
  tls_enabled: false
  client:
    cert:
      file:
```
To enable TLS between the ACA client and the rest of the CA services, set the `tls_enabled` flag to `true`.

2. Next, set the **serverhostoverride** field to match the **CN** (Common Name) of the TLS server certificate. To extract the Common Name from the TLS server's certificate, for example using OpenSSL, you can use the following command:

```
openssl x509 -in certificate.crt -text -noout
```
where `certificate.crt` is the server certificate. If you have OpenSSL installed on the machine and everything went well, you should expect output of the form:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:39:0f:ac:7b:ce:2b:9f:28:57:52:4a:bb:94:a6:e5:9c:69:99:56
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW
        Validity
            Not Before: Aug 24 16:27:00 2016 GMT
            Not After : Aug 24 16:27:00 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=example.com, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:38:d2:62:75:4a:18:d9:f7:fe:6a:e7:df:32:e2:
                    15:0f:01:9c:1b:4f:dc:ff:22:97:5c:2a:d9:5c:c3:
                    a3:ef:e3:90:3b:3c:8a:d2:45:b1:60:11:94:5e:a7:
                    51:e8:e5:5d:be:38:39:da:66:e1:99:46:0c:d3:45:
                    3d:76:7e:b7:8c
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E8:9C:86:81:59:D4:D7:76:43:C7:2E:92:88:30:1B:30:A5:B3:A4:5C
            X509v3 Authority Key Identifier:
                keyid:5E:33:AC:E0:9D:B9:F9:71:5F:1F:96:B5:84:85:35:BE:89:8C:35:C2

            X509v3 Subject Alternative Name:
                DNS:www.example.com
    Signature Algorithm: ecdsa-with-SHA256
        30:45:02:21:00:9f:7e:93:93:af:3d:cf:7b:77:f0:55:2d:57:
        9d:a9:bf:b0:8c:9c:2e:cf:b2:b4:d8:de:f3:79:c7:66:7c:e7:
        4d:02:20:7e:9b:36:d1:3a:df:e4:d2:d7:3b:9d:73:c7:61:a8:
        2e:a5:b1:23:10:65:81:96:b1:3b:79:d4:a6:12:fe:f2:69
```

The CN is on the `Subject:` line of that output (**www.example.com** in the example above). Put that value in the **serverhostoverride** field under the security section of the membersrvc.yaml file.

3. Last, make sure that the path to the corresponding TLS server certificate is specified under `security.client.cert.file`.
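The three steps above can be checked mechanically before the services are restarted. The following script is an added example, not code from the Fabric project: it parses the text form that `openssl x509 -text -noout` prints (an abridged copy of the output from step 2 is embedded as constructed sample input), extracts the Subject CN and the Subject Alternative Name DNS entries, and then validates a `security` section against them. The function names `cert_names` and `check_security_config`, the dictionaries `SECURE_CONFIG` and `DEFAULT_CONFIG`, and the certificate path inside them are assumptions made for the example. It also looks at the SAN, not only the CN, because Go's certificate verification, which the gRPC client in membersrvc relies on, matches the override against SAN DNS names whenever the certificate carries them, so the override should be a name present in the SAN as well as in the CN.

```python
"""Check a membersrvc TLS configuration against the server certificate."""
import re

# Constructed sample input: an abridged copy of the `openssl x509 -text`
# output shown in step 2 (only the lines the checks below look at).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW
        Subject: C=US, ST=California, L=San Francisco, O=example.com, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.example.com
"""

# Constructed config values mirroring the keys of the security section in
# membersrvc.yaml; the certificate path is a placeholder, not a project path.
SECURE_CONFIG = {
    "tls_enabled": True,
    "serverhostoverride": "www.example.com",
    "client": {"cert": {"file": "/path/to/tls-server.crt"}},
}
# The defaults shown in step 1: TLS off, no override, no certificate path.
DEFAULT_CONFIG = {
    "tls_enabled": False,
    "serverhostoverride": "",
    "client": {"cert": {"file": ""}},
}


def cert_names(cert_text):
    """Return (subject CN, [SAN DNS names]) parsed from openssl -text output."""
    cn = None
    # Only the "Subject:" line, not "Subject Public Key Info:" etc.
    m = re.search(r"^\s*Subject:.*?\bCN=([^,\n]+)", cert_text, re.MULTILINE)
    if m:
        cn = m.group(1).strip()
    dns_names = []
    # The SAN values sit on the line following the extension header.
    san = re.search(r"X509v3 Subject Alternative Name:\s*(\S.*)", cert_text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry[len("DNS:"):])
    return cn, dns_names


def check_security_config(security, cert_text):
    """Return a list of findings for a membersrvc `security` section.

    An empty list means every check passed: TLS is on, the override names
    the server certificate (a SAN DNS entry or the CN), and the certificate
    path is set.
    """
    findings = []
    if not security.get("tls_enabled"):
        findings.append("tls_enabled is false: ACA client traffic to the CA "
                        "services is sent in clear text")
    cn, dns_names = cert_names(cert_text)
    accepted = set(dns_names)
    if cn:
        accepted.add(cn)
    override = security.get("serverhostoverride") or ""
    if not override:
        findings.append("serverhostoverride is empty")
    elif override not in accepted:
        findings.append("serverhostoverride %r is neither the CN %r nor a "
                        "SAN DNS name %r" % (override, cn, dns_names))
    cert_file = security.get("client", {}).get("cert", {}).get("file")
    if not cert_file:
        findings.append("security.client.cert.file is not set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("secure", SECURE_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, check_security_config(cfg, SAMPLE_CERT_TEXT) or ["ok"])
```

To run it against a real certificate, feed the output of the `openssl x509` command from step 2 into `cert_names` in place of the constructed sample; the untouched defaults from step 1 produce three findings, one per step.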