
     1  Fabric-CA Server's Configuration File
     2  ======================================
     3  
     4  ::
     5  
     6      #############################################################################
     7      #   This is a configuration file for the fabric-ca-server command.
     8      #
     9      #   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
    10      #   ------------------------------------------------
    11      #   Each configuration element can be overridden via command line
    12      #   arguments or environment variables.  The precedence for determining
    13      #   the value of each element is as follows:
    14      #   1) command line argument
    15      #      Examples:
    16      #      a) --port 443
    17      #         To set the listening port
    18      #      b) --ca-keyfile ../mykey.pem
    19      #         To set the "keyfile" element in the "ca" section below;
    20      #         note the '-' separator character.
    21      #   2) environment variable
    22      #      Examples:
    23      #      a) FABRIC_CA_SERVER_PORT=443
    24      #         To set the listening port
    25      #      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
    26      #         To set the "keyfile" element in the "ca" section below;
    27      #         note the '_' separator character.
    28      #   3) configuration file
    29      #   4) default value (if there is one)
    30      #      All default values are shown beside each element below.
    31      #
    32      #   FILE NAME ELEMENTS
    33      #   ------------------
    34      #   The value of all fields whose name ends with "file" or "files" are
    35      #   name or names of other files.
    36      #   For example, see "tls.certfile" and "tls.clientauth.certfiles".
    37      #   The value of each of these fields can be a simple filename, a
    38      #   relative path, or an absolute path.  If the value is not an
    39      #   absolute path, it is interpreted as being relative to the location
    40      #   of this configuration file.
    41      #
    42      #############################################################################
    43      
    44      # Version of config file
            # Values written as <<<NAME>>> throughout this file are placeholders that are
            # substituted when the file is generated; they are not literal YAML values.
    45      version: <<<VERSION>>>
    46      
    47      # Server's listening port (default: 7054)
    48      port: 7054
    49      
    50      # Enables debug logging (default: false)
            # Debug output is verbose; keep it disabled outside development.
    51      debug: false
    52      
    53      # Size limit of an acceptable CRL in bytes (default: 512000)
            # Upper bound on CRL input the server will accept; a guard against oversized CRLs.
    54      crlsizelimit: 512000
    55      
    56      #############################################################################
    57      #  TLS section for the server's listening port
    58      #
    59      #  The following types are supported for client authentication: NoClientCert,
    60      #  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
    61      #  and RequireAndVerifyClientCert.
    62      #
    63      #  Certfiles is a list of root certificate authorities that the server uses
    64      #  when verifying client certificates.
    65      #############################################################################
    66      tls:
    67        # Enable TLS (default: false)
              # While TLS is disabled, enrollment IDs and secrets sent to this port cross the
              # network in cleartext; enable it for any deployment beyond a local test.
    68        enabled: false
    69        # TLS for the server's listening port
    70        certfile: tls-cert.pem
              # Private key matching certfile; the empty value below is YAML null, so no key
              # file is named by default.
    71        keyfile:
    72        clientauth:
                # Lower case here although the banner lists mixed-case names; presumably
                # matched case-insensitively - confirm. With noclientcert the server does not
                # request a certificate from the client.
    73          type: noclientcert
                # Empty (null) by default. For any type other than noclientcert this must list
                # the root CA files, otherwise there is nothing to verify a client cert against.
    74          certfiles:
    75      
    76      #############################################################################
    77      #  The CA section contains information related to the Certificate Authority
    78      #  including the name of the CA, which should be unique for all members
    79      #  of a blockchain network.  It also includes the key and certificate files
    80      #  used when issuing enrollment certificates (ECerts) and transaction
    81      #  certificates (TCerts).
    82      #  The chainfile (if it exists) contains the certificate chain which
    83      #  should be trusted for this CA, where the 1st in the chain is always the
    84      #  root CA certificate.
    85      #############################################################################
    86      ca:
    87        # Name of this CA
              # Empty (null) by default; see the uniqueness note in the banner above.
    88        name:
    89        # Key file (default: ca-key.pem)
              # The CA's signing key: anyone able to read this file can issue certificates as
              # this CA, so restrict access to the server's own user.
    90        keyfile: ca-key.pem
    91        # Certificate file (default: ca-cert.pem)
    92        certfile: ca-cert.pem
    93        # Chain file (default: ca-chain.pem)
    94        chainfile: ca-chain.pem
    95      
    96      #############################################################################
    97      #  The gencrl REST endpoint is used to generate a CRL that contains revoked
    98      #  certificates. This section contains configuration options that are used
    99      #  during gencrl request processing.
   100      #############################################################################
   101      crl:
   102        # Specifies expiration for the generated CRL. The number of hours
   103        # specified by this property is added to the UTC time, the resulting time
   104        # is used to set the 'Next Update' date of the CRL.
              # A shorter window makes relying parties fetch a fresh CRL sooner after a
              # revocation, at the cost of more frequent gencrl requests.
   105        expiry: 24h
   106      
   107      #############################################################################
   108      #  The registry section controls how the fabric-ca-server does two things:
   109      #  1) authenticates enrollment requests which contain a username and password
   110      #     (also known as an enrollment ID and secret).
   111      #  2) once authenticated, retrieves the identity's attribute names and
   112      #     values which the fabric-ca-server optionally puts into TCerts
   113      #     which it issues for transacting on the Hyperledger Fabric blockchain.
   114      #     These attributes are useful for making access control decisions in
   115      #     chaincode.
   116      #  There are two main configuration options:
   117      #  1) The fabric-ca-server is the registry.
   118      #     This is true if "ldap.enabled" in the ldap section below is false.
   119      #  2) An LDAP server is the registry, in which case the fabric-ca-server
   120      #     calls the LDAP server to perform these tasks.
   121      #     This is true if "ldap.enabled" in the ldap section below is true,
   122      #     which means this "registry" section is ignored.
   123      #############################################################################
   124      registry:
   125        # Maximum number of times a password/secret can be reused for enrollment
   126        # (default: -1, which means there is no limit)
              # With no limit, a secret that leaks stays usable indefinitely; a small
              # positive value caps how many enrollments a leaked secret can perform.
   127        maxenrollments: -1
   128      
   129        # Contains identity information which is used when LDAP is disabled
              # The bootstrap identity below is stored with its secret in plain text, so
              # this file must be protected like a key file. The examples in the Multi CA
              # section show the same identity supplied on the command line with -b instead.
   130        identities:
   131           - name: <<<adminUserName>>>
   132             pass: <<<adminPassword>>>
   133             type: client
   134             affiliation: ""
                   # Every hf.* attribute is granted: this identity can register any role or
                   # attribute, revoke, generate CRLs, enroll intermediate CAs and manage
                   # affiliations. Register everyday identities with only what they need
                   # instead of reusing it.
   135             attrs:
   136                hf.Registrar.Roles: "peer,orderer,client,user"
   137                hf.Registrar.DelegateRoles: "peer,orderer,client,user"
   138                hf.Revoker: true
   139                hf.IntermediateCA: true
   140                hf.GenCRL: true
   141                hf.Registrar.Attributes: "*"
   142                hf.AffiliationMgr: true
   143      
   144      #############################################################################
   145      #  Database section
   146      #  Supported types are: "sqlite3", "postgres", and "mysql".
   147      #  The datasource value depends on the type.
   148      #  If the type is "sqlite3", the datasource value is a file name to use
   149      #  as the database store.  Since "sqlite3" is an embedded database, it
   150      #  may not be used if you want to run the fabric-ca-server in a cluster.
   151      #  To run the fabric-ca-server in a cluster, you must choose "postgres"
   152      #  or "mysql".
   153      #############################################################################
   154      db:
   155        type: sqlite3
              # For sqlite3 this is the database file; it holds the server's state
              # (including the identity registry when LDAP is disabled), so keep its
              # permissions as tight as the CA key file's.
   156        datasource: fabric-ca-server.db
              # TLS for the connection to a postgres/mysql server; irrelevant for the
              # in-process sqlite3 store. Enable it (with the database CA in certfiles)
              # before pointing datasource at a networked database, as the datasource for
              # those types presumably carries the connection credentials - confirm.
   157        tls:
   158            enabled: false
   159            certfiles:
   160              - db-server-cert.pem
                  # Client certificate and key, for databases that require mutual TLS.
   161            client:
   162              certfile: db-client-cert.pem
   163              keyfile: db-client-key.pem
   164      
   165      #############################################################################
   166      #  LDAP section
   167      #  If LDAP is enabled, the fabric-ca-server calls LDAP to:
   168      #  1) authenticate enrollment ID and secret (i.e. username and password)
   169      #     for enrollment requests;
   170      #  2) retrieve identity attributes.
   171      #############################################################################
   172      ldap:
   173         # Enables or disables the LDAP client (default: false)
   174         # If this is set to true, the "registry" section is ignored.
   175         enabled: false
   176         # The URL of the LDAP server
               # The bind DN and its password are embedded in this URL, so the file becomes a
               # secret once they are filled in; the environment-variable override described
               # at the top of the file (FABRIC_CA_SERVER_LDAP_URL under that naming rule)
               # keeps them out of the file. ldap:// is a cleartext scheme - confirm how the
               # server selects TLS for this connection before relying on the tls block below.
   177         url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
               # Root certificates used to verify the LDAP server's certificate, plus an
               # optional client certificate and key for mutual TLS.
   178         tls:
   179            certfiles:
   180              - ldap-server-cert.pem
   181            client:
   182               certfile: ldap-client-cert.pem
   183               keyfile: ldap-client-key.pem
   184      
   185      #############################################################################
   186      #  Affiliation section
            #  Hierarchy of organisations and their departments that identities can be
            #  registered under (compare the "affiliation" field in the registry section).
   187      #############################################################################
   188      affiliations:
   189         org1:
   190            - department1
   191            - department2
   192         org2:
   193            - department1
   194      
   195      #############################################################################
   196      #  Signing section
   197      #
   198      #  The "default" subsection is used to sign enrollment certificates;
   199      #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
   200      #
   201      #  The "ca" profile subsection is used to sign intermediate CA certificates;
   202      #  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
   203      #  Note that "isca" is true, meaning that it issues a CA certificate.
   204      #  A maxpathlen of 0 means that the intermediate CA cannot issue other
   205      #  intermediate CA certificates, though it can still issue end entity certificates.
   206      #  (See RFC 5280, section 4.2.1.9)
   207      #
   208      #  The "tls" profile subsection is used to sign TLS certificate requests;
   209      #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
   210      #############################################################################
   211      signing:
                # Key usage and lifetime for enrollment certificates (see banner).
   212          default:
   213            usage:
   214              - digital signature
   215            expiry: 8760h
   216          profiles:
   217            ca:
   218               usage:
   219                 - cert sign
   220                 - crl sign
   221               expiry: 43800h
   222               caconstraint:
   223                 isca: true
   224                 maxpathlen: 0
                  # One profile covers both server auth and client auth, so a certificate
                  # issued with it is usable in either role; split it into separate profiles
                  # if server-only or client-only TLS certificates are required.
   225            tls:
   226               usage:
   227                  - signing
   228                  - key encipherment
   229                  - server auth
   230                  - client auth
   231                  - key agreement
   232               expiry: 8760h
   233      
   234      ###########################################################################
   235      #  Certificate Signing Request (CSR) section.
   236      #  This controls the creation of the root CA certificate.
   237      #  The expiration for the root CA certificate is configured with the
   238      #  "ca.expiry" field below, whose default value is "131400h" which is
   239      #  15 years in hours.
   240      #  The pathlength field is used to limit CA certificate hierarchy as described
   241      #  in section 4.2.1.9 of RFC 5280.
   242      #  Examples:
   243      #  1) No pathlength value means no limit is requested.
   244      #  2) pathlength == 1 means a limit of 1 is requested which is the default for
   245      #     a root CA.  This means the root CA can issue intermediate CA certificates,
   246      #     but these intermediate CAs may not in turn issue other CA certificates
   247      #     though they can still issue end entity certificates.
   248      #  3) pathlength == 0 means a limit of 0 is requested;
   249      #     this is the default for an intermediate CA, which means it can not issue
   250      #     CA certificates though it can still issue end entity certificates.
   251      ###########################################################################
   252      csr:
               # Subject of this CA's own certificate; the <<<...>>> placeholders are filled
               # in when the file is generated.
   253         cn: <<<COMMONNAME>>>
   254         names:
   255            - C: US
   256              ST: "North Carolina"
                     # Locality; empty here, which YAML reads as null.
   257              L:
   258              O: Hyperledger
   259              OU: Fabric
               # Presumably become the subject alternative names of the certificate; keep the
               # list to names this CA is actually reached under - confirm against the
               # generated certificate.
   260         hosts:
   261           - <<<MYHOST>>>
   262           - localhost
   263         ca:
   264            expiry: 131400h
   265            pathlength: <<<PATHLENGTH>>>
   266      
   267      #############################################################################
   268      # BCCSP (BlockChain Crypto Service Provider) section is used to select which
   269      # crypto library implementation to use
   270      #############################################################################
   271      bccsp:
                # SW selects the software provider: private keys live as files under the
                # keystore directory below, so its permissions matter as much as ca.keyfile's.
   272          default: SW
   273          sw:
                    # Hash family and security level used by the software provider.
   274              hash: SHA2
   275              security: 256
   276              filekeystore:
   277                  # The directory used for the software file-based keystore
   278                  keystore: msp/keystore
   279      
   280      #############################################################################
   281      # Multi CA section
   282      #
   283      # Each Fabric CA server contains one CA by default.  This section is used
   284      # to configure multiple CAs in a single server.
   285      #
   286      # 1) --cacount <number-of-CAs>
   287      # Automatically generate <number-of-CAs> non-default CAs.  The names of these
   288      # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
   289      # This is particularly useful in a development environment to quickly set up
   290      # multiple CAs.
   291      #
   292      # 2) --cafiles <CA-config-files>
   293      # For each CA config file in the list, generate a separate signing CA.  Each CA
   294      # config file in this list MAY contain all of the same elements as are found in
   295      # the server config file except port, debug, and tls sections.
   296      #
   297      # Examples:
   298      # fabric-ca-server start -b admin:adminpw --cacount 2
   299      #
   300      # fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
   301      # --cafiles ca/ca2/fabric-ca-server-config.yaml
   302      #
            # The admin:adminpw bootstrap secret in the examples is illustrative only.
            # A CA config file named by cafiles may carry its own registry and db sections,
            # so any bootstrap secret or datasource in it needs the same protection as
            # this file.
   303      #############################################################################
   304      
            # Both are empty (null) by default, i.e. the server runs its single default CA.
   305      cacount:
   306      
   307      cafiles:
   308      
   309      #############################################################################
   310      # Intermediate CA section
   311      #
   312      # The relationship between servers and CAs is as follows:
   313      #   1) A single server process may contain or function as one or more CAs.
   314      #      This is configured by the "Multi CA section" above.
   315      #   2) Each CA is either a root CA or an intermediate CA.
   316      #   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
   317      #
   318      # This section pertains to configuration of #2 and #3.
   319      # If the "intermediate.parentserver.url" property is set,
   320      # then this is an intermediate CA with the specified parent
   321      # CA.
   322      #
   323      # parentserver section
   324      #    url - The URL of the parent server
   325      #    caname - Name of the CA to enroll within the server
   326      #
   327      # enrollment section used to enroll intermediate CA with parent CA
            #    hosts - Not described here; presumably the host names requested in the
            #            intermediate CA's certificate - confirm
   328      #    profile - Name of the signing profile to use in issuing the certificate
   329      #    label - Label to use in HSM operations
   330      #
   331      # tls section for secure socket connection
   332      #   certfiles - PEM-encoded list of trusted root certificate files
            #     When the parent URL is https, list the parent's TLS root here so the
            #     parent is verified during enrollment; what an empty list means for an
            #     https parent is not stated here - confirm the server's behaviour.
   333      #   client:
   334      #     certfile - PEM-encoded certificate file for when client authentication
   335      #     is enabled on server
   336      #     keyfile - PEM-encoded key file for when client authentication
   337      #     is enabled on server
   338      #############################################################################
   339      intermediate:
   340        parentserver:
                # Empty (null) for a root CA; setting it makes this CA an intermediate.
   341          url:
   342          caname:
   343      
   344        enrollment:
   345          hosts:
   346          profile:
   347          label:
   348      
   349        tls:
   350          certfiles:
   351          client:
   352            certfile:
   353            keyfile: