github.com/hechain20/hechain@v0.0.0-20220316014945-b544036ba106/docs/source/enable_tls.rst

Securing Communication With Transport Layer Security (TLS)
==========================================================

Fabric supports secure communication between nodes using TLS. TLS communication
can use either one-way (server only) or two-way (server and client) authentication.

Configuring TLS for peer nodes
------------------------------

A peer node is both a TLS server and a TLS client. It is the former when another peer
node, application, or the CLI makes a connection to it and the latter when it makes
a connection to another peer node or orderer.

To enable TLS on a peer node, set the following peer configuration properties:

* ``peer.tls.enabled`` = ``true``
* ``peer.tls.cert.file`` = fully qualified path of the file that contains the TLS server
  certificate
* ``peer.tls.key.file`` = fully qualified path of the file that contains the TLS server
  private key

By default, TLS client authentication is turned off when TLS is enabled on a peer node.
This means that the peer node will not verify the certificate of a client (another peer
node, application, or the CLI) during a TLS handshake: one-way TLS authenticates the peer
to its clients, not the clients to the peer. To enable TLS client authentication
on a peer node, set the peer configuration property ``peer.tls.clientAuthRequired`` to
``true`` and set the ``peer.tls.clientRootCAs.files`` property to the CA chain file(s) that
contain(s) the CA certificate chain(s) that issued TLS certificates for your organization's
clients.

By default, a peer node uses the same certificate and private key pair when acting as a
TLS server and as a TLS client. To use a different certificate and private key pair for the
client side, set the ``peer.tls.clientCert.file`` and ``peer.tls.clientKey.file``
configuration properties to the fully qualified path of the client certificate and key file,
respectively.

TLS with client authentication can also be enabled by setting the following environment
variables:

* ``CORE_PEER_TLS_ENABLED`` = ``true``
* ``CORE_PEER_TLS_CERT_FILE`` = fully qualified path of the server certificate
* ``CORE_PEER_TLS_KEY_FILE`` = fully qualified path of the server private key
* ``CORE_PEER_TLS_CLIENTAUTHREQUIRED`` = ``true``
* ``CORE_PEER_TLS_CLIENTROOTCAS_FILES`` = fully qualified path of the CA chain file
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = fully qualified path of the client certificate
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = fully qualified path of the client key

When client authentication is enabled on a peer node, a client is required to send its
certificate during a TLS handshake. If the client does not send its certificate, or sends
one that does not chain to a CA in the client root CAs, the handshake fails and the peer
closes the connection.

When a peer joins a channel, the root CA certificate chains of the channel members are
read from the config block of the channel and are added to the TLS server and client
root CAs data structure. So peer-to-peer and peer-to-orderer communication
should work seamlessly. However, if needed, you can add additional root CA certificates
by setting ``peer.tls.rootcert.file`` and ``peer.tls.clientRootCAs.files``.

Configuring TLS for orderer nodes
---------------------------------

To enable TLS on an orderer node, set the following orderer configuration properties:

* ``General.TLS.Enabled`` = ``true``
* ``General.TLS.PrivateKey`` = fully qualified path of the file that contains the server
  private key
* ``General.TLS.Certificate`` = fully qualified path of the file that contains the server
  certificate

By default, TLS client authentication is turned off on the orderer, as is the case with the peer.
To enable TLS client authentication, set the following config property:

* ``General.TLS.ClientAuthRequired`` = ``true``

TLS with client authentication can also be enabled by setting the following environment
variables:

* ``ORDERER_GENERAL_TLS_ENABLED`` = ``true``
* ``ORDERER_GENERAL_TLS_PRIVATEKEY`` = fully qualified path of the file that contains the
  server private key
* ``ORDERER_GENERAL_TLS_CERTIFICATE`` = fully qualified path of the file that contains the
  server certificate
* ``ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED`` = ``true``

When an orderer participates in a channel, the root CA certificate chains of the channel members are
read from the config block of the channel and are added to the TLS server and client
root CAs data structure. So orderer-to-orderer communication
should work seamlessly. However, if needed, you can add additional root CA certificates
by setting ``General.TLS.RootCAs`` and ``General.TLS.ClientRootCAs``.

Configuring TLS for the peer CLI
--------------------------------

The following environment variables must be set when running peer CLI commands against a
TLS enabled peer node:

* ``CORE_PEER_TLS_ENABLED`` = ``true``
* ``CORE_PEER_TLS_ROOTCERT_FILE`` = fully qualified path of the file that contains the cert chain
  of the CA that issued the TLS server cert

If TLS client authentication is also enabled on the remote server, the following variables
must be set in addition to those above:

* ``CORE_PEER_TLS_CLIENTAUTHREQUIRED`` = ``true``
* ``CORE_PEER_TLS_CLIENTCERT_FILE`` = fully qualified path of the client certificate
* ``CORE_PEER_TLS_CLIENTKEY_FILE`` = fully qualified path of the client private key

When running a command that connects to the ordering service, like ``peer channel <create|update|fetch>``
or ``peer chaincode invoke``, the following command line arguments must also be specified
if TLS is enabled on the orderer:

* ``--tls``
* ``--cafile`` <fully qualified path of the file that contains the cert chain of the orderer CA>

The CLI verifies the orderer's certificate against the host name given in ``--orderer``, so
that name must appear in the orderer's TLS certificate; when connecting through an address
that does not (a port forward, for example), ``--ordererTLSHostnameOverride`` supplies the
name to verify against.

If TLS client authentication is enabled on the orderer, the following arguments must be specified
as well:

* ``--clientauth``
* ``--keyfile`` <fully qualified path of the file that contains the client private key>
* ``--certfile`` <fully qualified path of the file that contains the client certificate>


Debugging TLS issues
--------------------

Before debugging TLS issues, it is advisable to enable ``GRPC debug`` on both the TLS client
and the server side to get additional information. To enable ``GRPC debug``, set the
environment variable ``FABRIC_LOGGING_SPEC`` to include ``grpc=debug``. For example, to
set the default logging level to ``INFO`` and the GRPC logging level to ``DEBUG``, set
the logging specification to ``grpc=debug:info``.

If you see the error message ``remote error: tls: bad certificate`` on the client side, it
usually means that the TLS server has enabled client authentication and the server either did
not receive a client certificate or received a client certificate that it does
not trust. Make sure the client is sending its certificate and that it has been signed by one
of the CA certificates trusted by the peer or orderer node (the TLS CA chain configured in its
client root CAs, not merely a CA that is valid elsewhere in the network).

If you see the error message ``remote error: tls: bad certificate`` in your chaincode logs,
ensure that your chaincode has been built using the chaincode shim provided with Fabric v1.1
or newer.

.. Licensed under Creative Commons Attribution 4.0 International License
   https://creativecommons.org/licenses/by/4.0/