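#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables.  The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca.keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '.' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#   All default values are shown beside each element below.
#
#   Because command line arguments and environment variables take precedence
#   over this file, the effective configuration of a running server is the
#   combination of all three; review the process environment as well as this
#   file when auditing what the server actually does.
#
#   FILE NAME ELEMENTS
#   ------------------
#   The value of all fields whose name ends with "file" or "files" are
#   name or names of other files.
#   For example, see "tls.certfile" and "tls.clientauth.certfiles".
#   The value of each of these fields can be a simple filename, a
#   relative path, or an absolute path.  If the value is not an
#   absolute path, it is interpreted as being relative to the location
#   of this configuration file.
#
#############################################################################

# Version of config file
version: 1.4.2

# Server's listening port (default: 7054)
port: 7054

# Cross-Origin Resource Sharing (CORS)
# The wildcard origin below only takes effect when "enabled" is true; if CORS
# is ever enabled, replace "*" with the explicit origins that need access.
cors:
  enabled: false
  origins:
    - "*"

# Enables debug logging (default: false)
# Debug output is verbose; keep it off outside of troubleshooting so request
# details do not accumulate in logs.
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  # With TLS disabled the enrollment ID and secret sent by clients travel in
  # cleartext on the listening port; this setting is only appropriate for
  # local development.
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts) and transaction
#  certificates (TCerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  # Whatever this points at is the CA signing key; the file must be readable
  # only by the server process.
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

#############################################################################
#  The gencrl REST endpoint is used to generate a CRL that contains revoked
#  certificates. This section contains configuration options that are used
#  during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and
#     values which the fabric-ca-server optionally puts into TCerts
#     which it issues for transacting on the Hyperledger Fabric blockchain.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry.
#     This is true if "ldap.enabled" in the ldap section below is false.
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#     This is true if "ldap.enabled" in the ldap section below is true,
#     which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  # Unlimited reuse means a leaked enrollment secret stays usable until the
  # identity is revoked or its secret is changed.
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  # The identity below is the bootstrap registrar; its attributes grant every
  # registrar, revoker, CRL and affiliation privilege.  The secret is stored
  # here in cleartext, so treat this file as sensitive and supply the real
  # bootstrap credential at start time (see the -b option in the Multi CA
  # examples below) rather than committing it.
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: sqlite3
  # The sqlite3 file holds identities, affiliations and certificates; restrict
  # its filesystem permissions like the CA key.
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  # The bind DN and password are embedded in this URL, so a populated value
  # is another cleartext credential in this file; prefer setting it through
  # the environment override described in the header.
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  # TLS configuration for the client connection to the LDAP server
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
  attribute:
    # 'names' is an array of strings containing the LDAP attribute names which are
    # requested from the LDAP server for an LDAP identity's entry
    names: ['uid','member']
    # The 'converters' section is used to convert an LDAP entry to the value of
    # a fabric CA attribute.
    # For example, the following converts an LDAP 'uid' attribute
    # whose value begins with 'revoker' to a fabric CA attribute
    # named "hf.Revoker" with a value of "true" (because the boolean expression
    # evaluates to true).
    #    converters:
    #       - name: hf.Revoker
    #         value: attr("uid") =~ "revoker*"
    converters:
      - name:
        value:
    # The 'maps' section contains named maps which may be referenced by the 'map'
    # function in the 'converters' section to map LDAP responses to arbitrary values.
    # For example, assume a user has an LDAP attribute named 'member' which has multiple
    # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
    # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
    # Further assume the following configuration.
    #    converters:
    #       - name: hf.Registrar.Roles
    #         value: map(attr("member"),"groups")
    #    maps:
    #       groups:
    #          - name: dn1
    #            value: peer
    #          - name: dn2
    #            value: client
    # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
    # "peer,client,dn3".  This is because the value of 'attr("member")' is
    # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
    # "group" replaces "dn1" with "peer" and "dn2" with "client".
    maps:
      groups:
        - name:
          value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1

#############################################################################
#  Signing section
#
#  The "default" subsection is used to sign enrollment certificates;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
#  The "ca" profile subsection is used to sign intermediate CA certificates;
#  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
#  Note that "isca" is true, meaning that it issues a CA certificate.
#  A maxpathlen of 0 means that the intermediate CA cannot issue other
#  intermediate CA certificates, though it can still issue end entity certificates.
#  (See RFC 5280, section 4.2.1.9)
#
#  The "tls" profile subsection is used to sign TLS certificate requests;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        # maxpathlen 0 keeps issued intermediates from minting further CAs.
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h

###########################################################################
#  Certificate Signing Request (CSR) section.
#  This controls the creation of the root CA certificate.
#  The expiration for the root CA certificate is configured with the
#  "ca.expiry" field below, whose default value is "131400h" which is
#  15 years in hours.
#  The pathlength field is used to limit CA certificate hierarchy as described
#  in section 4.2.1.9 of RFC 5280.
#  Examples:
#  1) No pathlength value means no limit is requested.
#  2) pathlength == 1 means a limit of 1 is requested which is the default for
#     a root CA.  This means the root CA can issue intermediate CA certificates,
#     but these intermediate CAs may not in turn issue other CA certificates
#     though they can still issue end entity certificates.
#  3) pathlength == 0 means a limit of 0 is requested;
#     this is the default for an intermediate CA, which means it can not issue
#     CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
  cn: fabric-ca-server
  keyrequest:
    algo: ecdsa
    size: 256
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  # Host names placed in the generated certificate.  The first entry looks like
  # an auto-generated container hostname captured when this file was created;
  # confirm it matches the host the server is actually reached on, otherwise
  # the certificate will not verify for that name.
  hosts:
    - f034b20ba613
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1

###########################################################################
# Each CA can issue both X509 enrollment certificate as well as Idemix
# Credential. This section specifies configuration for the issuer component
# that is responsible for issuing Idemix credentials.
###########################################################################
idemix:
  # Specifies pool size for revocation handles. A revocation handle is a unique identifier of an
  # Idemix credential. The issuer will create a pool revocation handles of this specified size. When
  # a credential is requested, issuer will get handle from the pool and assign it to the credential.
  # Issuer will repopulate the pool with new handles when the last handle in the pool is used.
  # A revocation handle and credential revocation information (CRI) are used to create non revocation proof
  # by the prover to prove to the verifier that her credential is not revoked.
  rhpoolsize: 1000

  # The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer
  # and second step is send credential request that is constructed using the nonce to the issuer to
  # request a credential. This configuration property specifies expiration for the nonces. By default,
  # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
  nonceexpiration: 15s

  # Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.
  # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)
  noncesweepinterval: 15m

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      # Private keys are written here as files; the directory needs the same
      # access restrictions as ca.keyfile.
      keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default.  This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs.  The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA.  Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
#   1) A single server process may contain or function as one or more CAs.
#      This is configured by the "Multi CA section" above.
#   2) Each CA is either a root CA or an intermediate CA.
#   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    # If the URL carries the enrollment secret, the same cleartext-credential
    # caution as for ldap.url applies.
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

#############################################################################
# CA configuration section
#
# Configure the number of incorrect password attempts are allowed for
# identities. By default, the value of 'passwordattempts' is 10, which
# means that 10 incorrect password attempts can be made before an identity get
# locked out.
#############################################################################
cfg:
  identities:
    passwordattempts: 10

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
  # host and port for the operations server
  # Bound to loopback here, so the endpoint is only reachable from the same
  # host (or container); if it is ever exposed on another address, pair that
  # with tls.enabled and clientAuthRequired below.
  listenAddress: 127.0.0.1:9443

  # TLS configuration for the operations endpoint
  tls:
    # TLS enabled
    enabled: false

    # path to PEM encoded server certificate for the operations server
    cert:
      file:

    # path to PEM encoded server key for the operations server
    key:
      file:

    # require client certificate authentication to access all resources
    clientAuthRequired: false

    # paths to PEM encoded ca certificates to trust for client authentication
    clientRootCAs:
      files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
  # statsd, prometheus, or disabled
  provider: disabled

  # statsd configuration
  statsd:
    # network type: tcp or udp
    network: udp

    # statsd server address
    address: 127.0.0.1:8125

    # the interval at which locally cached counters and gauges are pushed
    # to statsd; timings are pushed immediately
    writeInterval: 10s

    # prefix is prepended to all emitted statsd metrics
    prefix: server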