Fabric-CA Server's Configuration File
======================================

::

    #############################################################################
    #   This is a configuration file for the fabric-ca-server command.
    #
    #   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
    #   ------------------------------------------------
    #   Each configuration element can be overridden via command line
    #   arguments or environment variables. The precedence for determining
    #   the value of each element is as follows:
    #   1) command line argument
    #      Examples:
    #      a) --port 443
    #         To set the listening port
    #      b) --ca-keyfile ../mykey.pem
    #         To set the "keyfile" element in the "ca" section below;
    #         note the '-' separator character.
    #   2) environment variable
    #      Examples:
    #      a) FABRIC_CA_SERVER_PORT=443
    #         To set the listening port
    #      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
    #         To set the "keyfile" element in the "ca" section below;
    #         note the '_' separator character.
    #   3) configuration file
    #   4) default value (if there is one)
    #      All default values are shown beside each element below.
    #
    #   FILE NAME ELEMENTS
    #   ------------------
    #   The value of each field whose name ends with "file" or "files" is
    #   the name (or list of names) of other files.
    #   For example, see "tls.certfile" and "tls.clientauth.certfiles".
    #   The value of each of these fields can be a simple filename, a
    #   relative path, or an absolute path. If the value is not an
    #   absolute path, it is interpreted as being relative to the location
    #   of this configuration file.
    #
    #############################################################################

    # Version of config file
    version: <<<VERSION>>>

    # Server's listening port (default: 7054)
    port: 7054

    # Enables debug logging (default: false)
    debug: false

    # Size limit of an acceptable CRL in bytes (default: 512000)
    crlsizelimit: 512000

    #############################################################################
    #  TLS section for the server's listening port
    #
    #  The following types are supported for client authentication: NoClientCert,
    #  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
    #  and RequireAndVerifyClientCert.
    #
    #  Certfiles is a list of root certificate authorities that the server uses
    #  when verifying client certificates.
    #############################################################################
    tls:
      # Enable TLS (default: false)
      enabled: false
      # TLS for the server's listening port
      certfile: tls-cert.pem
      keyfile:
      clientauth:
        type: noclientcert
        certfiles:

    #############################################################################
    #  The CA section contains information related to the Certificate Authority
    #  including the name of the CA, which should be unique for all members
    #  of a blockchain network. It also includes the key and certificate files
    #  used when issuing enrollment certificates (ECerts) and transaction
    #  certificates (TCerts).
    #  The chainfile (if it exists) contains the certificate chain which
    #  should be trusted for this CA, where the 1st in the chain is always the
    #  root CA certificate.
    #############################################################################
    ca:
      # Name of this CA
      name:
      # Key file (default: ca-key.pem)
      keyfile: ca-key.pem
      # Certificate file (default: ca-cert.pem)
      certfile: ca-cert.pem
      # Chain file (default: chain-cert.pem)
      chainfile: ca-chain.pem

    #############################################################################
    #  The gencrl REST endpoint is used to generate a CRL that contains revoked
    #  certificates. This section contains configuration options that are used
    #  during gencrl request processing.
    #############################################################################
    crl:
      # Specifies expiration for the generated CRL. The number of hours
      # specified by this property is added to the current UTC time, and the
      # resulting time is used to set the 'Next Update' date of the CRL.
      expiry: 24h

    #############################################################################
    #  The registry section controls how the fabric-ca-server does two things:
    #  1) authenticates enrollment requests which contain a username and password
    #     (also known as an enrollment ID and secret).
    #  2) once authenticated, retrieves the identity's attribute names and
    #     values which the fabric-ca-server optionally puts into TCerts
    #     which it issues for transacting on the Hyperledger Fabric blockchain.
    #     These attributes are useful for making access control decisions in
    #     chaincode.
    #  There are two main configuration options:
    #  1) The fabric-ca-server is the registry.
    #     This is true if "ldap.enabled" in the ldap section below is false.
    #  2) An LDAP server is the registry, in which case the fabric-ca-server
    #     calls the LDAP server to perform these tasks.
    #     This is true if "ldap.enabled" in the ldap section below is true,
    #     which means this "registry" section is ignored.
    #############################################################################
    registry:
      # Maximum number of times a password/secret can be reused for enrollment
      # (default: -1, which means there is no limit)
      maxenrollments: -1

      # Contains identity information (including the admin identity's secret)
      # which is used when LDAP is disabled
      identities:
        - name: <<<adminUserName>>>
          pass: <<<adminPassword>>>
          type: client
          affiliation: ""
          attrs:
            hf.Registrar.Roles: "peer,orderer,client,user"
            hf.Registrar.DelegateRoles: "peer,orderer,client,user"
            hf.Revoker: true
            hf.IntermediateCA: true
            hf.GenCRL: true
            hf.Registrar.Attributes: "*"
            hf.AffiliationMgr: true

    #############################################################################
    #  Database section
    #  Supported types are: "sqlite3", "postgres", and "mysql".
    #  The datasource value depends on the type.
    #  If the type is "sqlite3", the datasource value is a file name to use
    #  as the database store. Since "sqlite3" is an embedded database, it
    #  cannot be used if you want to run the fabric-ca-server in a cluster.
    #  To run the fabric-ca-server in a cluster, you must choose "postgres"
    #  or "mysql".
    #############################################################################
    db:
      type: sqlite3
      datasource: fabric-ca-server.db
      tls:
        enabled: false
        certfiles:
          - db-server-cert.pem
        client:
          certfile: db-client-cert.pem
          keyfile: db-client-key.pem

    #############################################################################
    #  LDAP section
    #  If LDAP is enabled, the fabric-ca-server calls LDAP to:
    #  1) authenticate enrollment ID and secret (i.e. username and password)
    #     for enrollment requests;
    #  2) retrieve identity attributes
    #############################################################################
    ldap:
      # Enables or disables the LDAP client (default: false)
      # If this is set to true, the "registry" section is ignored.
      enabled: false
      # The URL of the LDAP server. Note that this value embeds the admin DN
      # and password; as with every element, it can instead be supplied via
      # the environment variable override described at the top of this file.
      url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
      tls:
        certfiles:
          - ldap-server-cert.pem
        client:
          certfile: ldap-client-cert.pem
          keyfile: ldap-client-key.pem

    #############################################################################
    #  Affiliation section
    #############################################################################
    affiliations:
      org1:
        - department1
        - department2
      org2:
        - department1

    #############################################################################
    #  Signing section
    #
    #  The "default" subsection is used to sign enrollment certificates;
    #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
    #
    #  The "ca" profile subsection is used to sign intermediate CA certificates;
    #  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
    #  Note that "isca" is true, meaning that it issues a CA certificate.
    #  A maxpathlen of 0 means that the intermediate CA cannot issue other
    #  intermediate CA certificates, though it can still issue end entity certificates.
    #  (See RFC 5280, section 4.2.1.9)
    #
    #  The "tls" profile subsection is used to sign TLS certificate requests;
    #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
    #############################################################################
    signing:
      default:
        usage:
          - digital signature
        expiry: 8760h
      profiles:
        ca:
          usage:
            - cert sign
            - crl sign
          expiry: 43800h
          caconstraint:
            isca: true
            maxpathlen: 0
        tls:
          usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
          expiry: 8760h

    ###########################################################################
    #  Certificate Signing Request (CSR) section.
    #  This controls the creation of the root CA certificate.
    #  The expiration for the root CA certificate is configured with the
    #  "ca.expiry" field below, whose default value is "131400h" which is
    #  15 years in hours.
    #  The pathlength field is used to limit CA certificate hierarchy as described
    #  in section 4.2.1.9 of RFC 5280.
    #  Examples:
    #  1) No pathlength value means no limit is requested.
    #  2) pathlength == 1 means a limit of 1 is requested which is the default for
    #     a root CA. This means the root CA can issue intermediate CA certificates,
    #     but these intermediate CAs may not in turn issue other CA certificates
    #     though they can still issue end entity certificates.
    #  3) pathlength == 0 means a limit of 0 is requested;
    #     this is the default for an intermediate CA, which means it cannot issue
    #     CA certificates though it can still issue end entity certificates.
    ###########################################################################
    csr:
      cn: <<<COMMONNAME>>>
      names:
        - C: US
          ST: "North Carolina"
          L:
          O: Hyperledger
          OU: Fabric
      hosts:
        - <<<MYHOST>>>
        - localhost
      ca:
        expiry: 131400h
        pathlength: <<<PATHLENGTH>>>

    #############################################################################
    # BCCSP (BlockChain Crypto Service Provider) section is used to select which
    # crypto library implementation to use
    #############################################################################
    bccsp:
      default: SW
      sw:
        hash: SHA2
        security: 256
        filekeystore:
          # The directory used for the software file-based keystore
          keystore: msp/keystore

    #############################################################################
    # Multi CA section
    #
    # Each Fabric CA server contains one CA by default. This section is used
    # to configure multiple CAs in a single server.
    #
    # 1) --cacount <number-of-CAs>
    # Automatically generate <number-of-CAs> non-default CAs. The names of these
    # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>.
    # This is particularly useful in a development environment to quickly set up
    # multiple CAs.
    #
    # 2) --cafiles <CA-config-files>
    # For each CA config file in the list, generate a separate signing CA. Each CA
    # config file in this list MAY contain all of the same elements as are found in
    # the server config file except port, debug, and tls sections.
    #
    # Examples:
    # fabric-ca-server start -b admin:adminpw --cacount 2
    #
    # fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
    # --cafiles ca/ca2/fabric-ca-server-config.yaml
    #
    #############################################################################

    cacount:

    cafiles:

    #############################################################################
    # Intermediate CA section
    #
    # The relationship between servers and CAs is as follows:
    # 1) A single server process may contain or function as one or more CAs.
    #    This is configured by the "Multi CA section" above.
    # 2) Each CA is either a root CA or an intermediate CA.
    # 3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
    #
    # This section pertains to the configuration of items 2 and 3 above.
    # If the "intermediate.parentserver.url" property is set,
    # then this is an intermediate CA with the specified parent
    # CA.
    #
    # parentserver section
    #    url - The URL of the parent server
    #    caname - Name of the CA to enroll within the server
    #
    # enrollment section used to enroll intermediate CA with parent CA
    #    profile - Name of the signing profile to use in issuing the certificate
    #    label - Label to use in HSM operations
    #
    # tls section for secure socket connection
    #    certfiles - PEM-encoded list of trusted root certificate files
    #    client:
    #       certfile - PEM-encoded certificate file for when client authentication
    #                  is enabled on the server
    #       keyfile - PEM-encoded key file for when client authentication
    #                 is enabled on the server
    #############################################################################
    intermediate:
      parentserver:
        url:
        caname:

      enrollment:
        hosts:
        profile:
        label:

      tls:
        certfiles:
        client:
          certfile:
          keyfile: