
     1  Fabric-CA Server's Configuration File
     2  ======================================
     3  
     4  ::
     5  
     6      #############################################################################
     7      #   This is a configuration file for the fabric-ca-server command.
     8      #
     9      #   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
    10      #   ------------------------------------------------
    11      #   Each configuration element can be overridden via command line
    12      #   arguments or environment variables.  The precedence for determining
    13      #   the value of each element is as follows:
    14      #   1) command line argument
    15      #      Examples:
    16      #      a) --port 443
    17      #         To set the listening port
    18      #      b) --ca.keyfile ../mykey.pem
    19      #         To set the "keyfile" element in the "ca" section below;
    20      #         note the '.' separator character.
    21      #   2) environment variable
    22      #      Examples:
    23      #      a) FABRIC_CA_SERVER_PORT=443
    24      #         To set the listening port
    25      #      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
    26      #         To set the "keyfile" element in the "ca" section below;
    27      #         note the '_' separator character.
    28      #   3) configuration file
    29      #   4) default value (if there is one)
    30      #      All default values are shown beside each element below.
    31      #
    32      #   FILE NAME ELEMENTS
    33      #   ------------------
    34      #   The values of all fields whose names end with "file" or "files" are
    35      #   the names of other files.
    36      #   For example, see "tls.certfile" and "tls.clientauth.certfiles".
    37      #   The value of each of these fields can be a simple filename, a
    38      #   relative path, or an absolute path.  If the value is not an
    39      #   absolute path, it is interpreted as being relative to the location
    40      #   of this configuration file.
    41      #
    42      #############################################################################
    43      
    44      # Version of config file
    45      version: <<<VERSION>>>
    46      
    47      # Server's listening port (default: 7054)
    48      port: 7054
    49      
    50      # Cross-Origin Resource Sharing (CORS); an origin of "*" allows any origin
    51      cors:
    52          enabled: false
    53          origins:
    54            - "*"
    55      
    56      # Enables debug logging (default: false)
    57      debug: false
    58      
    59      # Size limit of an acceptable CRL in bytes (default: 512000)
    60      crlsizelimit: 512000
    61      
    62      #############################################################################
    63      #  TLS section for the server's listening port
    64      #
    65      #  The following types are supported for client authentication: NoClientCert,
    66      #  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
    67      #  and RequireAndVerifyClientCert.
    68      #
    69      #  Certfiles is a list of root certificate authorities that the server uses
    70      #  when verifying client certificates.
    71      #############################################################################
    72      tls:
    73        # Enable TLS (default: false)
    74        enabled: false
    75        # Certificate and key used for TLS on the server's listening port
    76        certfile:
    77        keyfile:
    78        clientauth:
    79          type: noclientcert
    80          certfiles:
    81      
    82      #############################################################################
    83      #  The CA section contains information related to the Certificate Authority
    84      #  including the name of the CA, which should be unique for all members
    85      #  of a blockchain network.  It also includes the key and certificate files
    86      #  used when issuing enrollment certificates (ECerts).
    87      #  The chainfile (if it exists) contains the certificate chain which
    88      #  should be trusted for this CA, where the 1st in the chain is always the
    89      #  root CA certificate.
    90      #############################################################################
    91      ca:
    92        # Name of this CA
    93        name:
    94        # Key file (is only used to import a private key into BCCSP)
    95        keyfile:
    96        # Certificate file (default: ca-cert.pem)
    97        certfile:
    98        # Chain file
    99        chainfile:
   100      
   101      #############################################################################
   102      #  The gencrl REST endpoint is used to generate a CRL that contains revoked
   103      #  certificates. This section contains configuration options that are used
   104      #  during gencrl request processing.
   105      #############################################################################
   106      crl:
   107        # Specifies the expiration of the generated CRL. The number of hours
   108        # specified by this property is added to the current UTC time, and the
   109        # resulting time is used to set the 'Next Update' date of the CRL.
   110        expiry: 24h
   111      
   112      #############################################################################
   113      #  The registry section controls how the fabric-ca-server does two things:
   114      #  1) authenticates enrollment requests which contain a username and password
   115      #     (also known as an enrollment ID and secret).
   116      #  2) once authenticated, retrieves the identity's attribute names and values.
   117      #     These attributes are useful for making access control decisions in
   118      #     chaincode.
   119      #  There are two main configuration options:
   120      #  1) The fabric-ca-server is the registry.
   121      #     This is true if "ldap.enabled" in the ldap section below is false.
   122      #  2) An LDAP server is the registry, in which case the fabric-ca-server
   123      #     calls the LDAP server to perform these tasks.
   124      #     This is true if "ldap.enabled" in the ldap section below is true,
   125      #     which means this "registry" section is ignored.
   126      #############################################################################
   127      registry:
   128        # Maximum number of times a password/secret can be reused for enrollment
   129        # (default: -1, which means there is no limit)
   130        maxenrollments: -1
   131      
   132        # Contains identity information which is used when LDAP is disabled
   133        identities:
   134           - name: <<<adminUserName>>>
   135             pass: <<<adminPassword>>>
   136             type: client
   137             affiliation: ""
   138             attrs:
   139                hf.Registrar.Roles: "*"
   140                hf.Registrar.DelegateRoles: "*"
   141                hf.Revoker: true
   142                hf.IntermediateCA: true
   143                hf.GenCRL: true
   144                hf.Registrar.Attributes: "*"
   145                hf.AffiliationMgr: true
   146      
   147      #############################################################################
   148      #  Database section
   149      #  Supported types are: "sqlite3", "postgres", and "mysql".
   150      #  The datasource value depends on the type.
   151      #  If the type is "sqlite3", the datasource value is a file name to use
   152      #  as the database store.  Since "sqlite3" is an embedded database, it
   153      #  may not be used if you want to run the fabric-ca-server in a cluster.
   154      #  To run the fabric-ca-server in a cluster, you must choose "postgres"
   155      #  or "mysql".
   156      #############################################################################
   157      db:
   158        type: sqlite3
   159        datasource: fabric-ca-server.db
   160        tls:
   161            enabled: false
   162            certfiles:
   163            client:
   164              certfile:
   165              keyfile:
   166      
   167      #############################################################################
   168      #  LDAP section
   169      #  If LDAP is enabled, the fabric-ca-server calls LDAP to:
   170      #  1) authenticate the enrollment ID and secret (i.e. username and password)
   171      #     for enrollment requests;
   172      #  2) retrieve identity attributes.
   173      #############################################################################
   174      ldap:
   175         # Enables or disables the LDAP client (default: false)
   176         # If this is set to true, the "registry" section is ignored.
   177         enabled: false
   178         # The URL of the LDAP server (it embeds the admin DN and password; it can also be set via FABRIC_CA_SERVER_LDAP_URL)
   179         url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   180         # TLS configuration for the client connection to the LDAP server
   181         tls:
   182            certfiles:
   183            client:
   184               certfile:
   185               keyfile:
   186         # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   187         attribute:
   188            # 'names' is an array of strings containing the LDAP attribute names which are
   189            # requested from the LDAP server for an LDAP identity's entry
   190            names: ['uid','member']
   191            # The 'converters' section is used to convert an LDAP entry to the value of
   192            # a fabric CA attribute.
   193            # For example, the following converts an LDAP 'uid' attribute
   194            # whose value begins with 'revoker' to a fabric CA attribute
   195            # named "hf.Revoker" with a value of "true" (because the boolean expression
   196            # evaluates to true).
   197            #    converters:
   198            #       - name: hf.Revoker
   199            #         value: attr("uid") =~ "revoker*"
   200            converters:
   201               - name:
   202                 value:
   203            # The 'maps' section contains named maps which may be referenced by the 'map'
   204            # function in the 'converters' section to map LDAP responses to arbitrary values.
   205            # For example, assume a user has an LDAP attribute named 'member' which has multiple
   206            # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
   207            # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
   208            # Further assume the following configuration.
   209            #    converters:
   210            #       - name: hf.Registrar.Roles
   211            #         value: map(attr("member"),"groups")
   212            #    maps:
   213            #       groups:
   214            #          - name: dn1
   215            #            value: peer
   216            #          - name: dn2
   217            #            value: client
   218            # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
   219            # "peer,client,dn3".  This is because the value of 'attr("member")' is
   220            # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
   221            # "groups" replaces "dn1" with "peer" and "dn2" with "client".
   222            maps:
   223               groups:
   224                  - name:
   225                    value:
   226      
   227      #############################################################################
   228      # Affiliations section. Fabric CA server can be bootstrapped with the
   229      # affiliations specified in this section. Affiliations are specified as maps.
   230      # For example:
   231      #   businessunit1:
   232      #     department1:
   233      #       - team1
   234      #   businessunit2:
   235      #     - department2
   236      #     - department3
   237      #
   238      # Affiliations are hierarchical in nature. In the above example,
   239      # department1 (used as businessunit1.department1) is the child of businessunit1.
   240      # team1 (used as businessunit1.department1.team1) is the child of department1.
   241      # department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
   242      # are children of businessunit2.
   243      # Note: Affiliations are case sensitive except for the non-leaf affiliations
   244      # (like businessunit1, department1, businessunit2) that are specified in the configuration file,
   245      # which are always stored in lower case.
   246      #############################################################################
   247      affiliations:
   248         org1:
   249            - department1
   250            - department2
   251         org2:
   252            - department1
   253      
   254      #############################################################################
   255      #  Signing section
   256      #
   257      #  The "default" subsection is used to sign enrollment certificates;
   258      #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
   259      #
   260      #  The "ca" profile subsection is used to sign intermediate CA certificates;
   261      #  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
   262      #  Note that "isca" is true, meaning that it issues a CA certificate.
   263      #  A maxpathlen of 0 means that the intermediate CA cannot issue other
   264      #  intermediate CA certificates, though it can still issue end entity certificates.
   265      #  (See RFC 5280, section 4.2.1.9)
   266      #
   267      #  The "tls" profile subsection is used to sign TLS certificate requests;
   268      #  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
   269      #############################################################################
   270      signing:
   271          default:
   272            usage:
   273              - digital signature
   274            expiry: 8760h
   275          profiles:
   276            ca:
   277               usage:
   278                 - cert sign
   279                 - crl sign
   280               expiry: 43800h
   281               caconstraint:
   282                 isca: true
   283                 maxpathlen: 0
   284            tls:
   285               usage:
   286                  - signing
   287                  - key encipherment
   288                  - server auth
   289                  - client auth
   290                  - key agreement
   291               expiry: 8760h
   292      
   293      ###########################################################################
   294      #  Certificate Signing Request (CSR) section.
   295      #  This controls the creation of the root CA certificate.
   296      #  The expiration for the root CA certificate is configured with the
   297      #  "ca.expiry" field below, whose default value is "131400h" which is
   298      #  15 years in hours.
   299      #  The pathlength field is used to limit CA certificate hierarchy as described
   300      #  in section 4.2.1.9 of RFC 5280.
   301      #  Examples:
   302      #  1) No pathlength value means no limit is requested.
   303      #  2) pathlength == 1 means a limit of 1 is requested which is the default for
   304      #     a root CA.  This means the root CA can issue intermediate CA certificates,
   305      #     but these intermediate CAs may not in turn issue other CA certificates
   306      #     though they can still issue end entity certificates.
   307      #  3) pathlength == 0 means a limit of 0 is requested;
   308      #     this is the default for an intermediate CA, which means it can not issue
   309      #     CA certificates though it can still issue end entity certificates.
   310      ###########################################################################
   311      csr:
   312         cn: <<<COMMONNAME>>>
   313         keyrequest:
   314           algo: ecdsa
   315           size: 256
   316         names:
   317            - C: US
   318              ST: "North Carolina"
   319              L:
   320              O: Hyperledger
   321              OU: Fabric
   322         hosts:
   323           - <<<MYHOST>>>
   324           - localhost
   325         ca:
   326            expiry: 131400h
   327            pathlength: <<<PATHLENGTH>>>
   328      
   329      ###########################################################################
   330      # Each CA can issue both X509 enrollment certificate as well as Idemix
   331      # Credential. This section specifies configuration for the issuer component
   332      # that is responsible for issuing Idemix credentials.
   333      ###########################################################################
   334      idemix:
   335        # Specifies the pool size for revocation handles. A revocation handle is a unique identifier of an
   336        # Idemix credential. The issuer creates a pool of revocation handles of the specified size. When
   337        # a credential is requested, the issuer takes a handle from the pool and assigns it to the credential.
   338        # The issuer repopulates the pool with new handles when the last handle in the pool is used.
   339        # A revocation handle and credential revocation information (CRI) are used by the prover to create
   340        # a non-revocation proof that shows the verifier that her credential has not been revoked.
   341        rhpoolsize: 1000
   342      
   343        # Idemix credential issuance is a two-step process. The first step is to get a nonce from the issuer,
   344        # and the second step is to send a credential request, constructed using that nonce, to the issuer to
   345        # request a credential. This property specifies the expiration of the nonces. By default,
   346        # nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
   347        nonceexpiration: 15s
   348      
   349        # Specifies the interval at which expired nonces are removed from the datastore. The default is 15 minutes.
   350        # The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).
   351        noncesweepinterval: 15m
   352      
   353      #############################################################################
   354      # BCCSP (BlockChain Crypto Service Provider) section is used to select which
   355      # crypto library implementation to use
   356      #############################################################################
   357      bccsp:
   358          default: SW
   359          sw:
   360              hash: SHA2
   361              security: 256
   362              filekeystore:
   363                  # The directory used for the software file-based keystore
   364                  keystore: msp/keystore
   365      
   366      #############################################################################
   367      # Multi CA section
   368      #
   369      # Each Fabric CA server contains one CA by default.  This section is used
   370      # to configure multiple CAs in a single server.
   371      #
   372      # 1) --cacount <number-of-CAs>
   373      # Automatically generate <number-of-CAs> non-default CAs.  The names of these
   374      # additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
   375      # This is particularly useful in a development environment to quickly set up
   376      # multiple CAs. Note that this config option is not applicable to an intermediate CA server,
   377      # i.e., a Fabric CA server that is started with the intermediate.parentserver.url config
   378      # option (the -u command line option).
   379      #
   380      # 2) --cafiles <CA-config-files>
   381      # For each CA config file in the list, generate a separate signing CA.  Each CA
   382      # config file in this list MAY contain all of the same elements as are found in
   383      # the server config file except port, debug, and tls sections.
   384      #
   385      # Examples:
   386      # fabric-ca-server start -b admin:adminpw --cacount 2
   387      #
   388      # fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
   389      # --cafiles ca/ca2/fabric-ca-server-config.yaml
   390      #
   391      #############################################################################
   392      
   393      cacount:
   394      
   395      cafiles:
   396      
   397      #############################################################################
   398      # Intermediate CA section
   399      #
   400      # The relationship between servers and CAs is as follows:
   401      #   1) A single server process may contain or function as one or more CAs.
   402      #      This is configured by the "Multi CA section" above.
   403      #   2) Each CA is either a root CA or an intermediate CA.
   404      #   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
   405      #
   406      # This section pertains to configuration of #2 and #3.
   407      # If the "intermediate.parentserver.url" property is set,
   408      # then this is an intermediate CA with the specified parent
   409      # CA.
   410      #
   411      # parentserver section
   412      #    url - The URL of the parent server
   413      #    caname - Name of the CA to enroll within the server
   414      #
   415      # enrollment section used to enroll intermediate CA with parent CA
   416      #    profile - Name of the signing profile to use in issuing the certificate
   417      #    label - Label to use in HSM operations
   418      #
   419      # tls section for secure socket connection
   420      #   certfiles - PEM-encoded list of trusted root certificate files
   421      #   client:
   422      #     certfile - PEM-encoded certificate file for when client authentication
   423      #     is enabled on server
   424      #     keyfile - PEM-encoded key file for when client authentication
   425      #     is enabled on server
   426      #############################################################################
   427      intermediate:
   428        parentserver:
   429          url:
   430          caname:
   431      
   432        enrollment:
   433          hosts:
   434          profile:
   435          label:
   436      
   437        tls:
   438          certfiles:
   439          client:
   440            certfile:
   441            keyfile:
   442      
   443      #############################################################################
   444      # CA configuration section
   445      #
   446      # Configures the number of incorrect password attempts that are allowed for
   447      # identities. By default, the value of 'passwordattempts' is 10, which
   448      # means that 10 incorrect password attempts can be made before an identity gets
   449      # locked out.
   450      #############################################################################
   451      cfg:
   452        identities:
   453          passwordattempts: 10
   454      
   455      ###############################################################################
   456      #
   457      #    Operations section
   458      #
   459      ###############################################################################
   460      operations:
   461          # host and port for the operations server
   462          listenAddress: 127.0.0.1:9443
   463      
   464          # TLS configuration for the operations endpoint
   465          tls:
   466              # TLS enabled
   467              enabled: false
   468      
   469              # path to PEM encoded server certificate for the operations server
   470              cert:
   471                  file:
   472      
   473              # path to PEM encoded server key for the operations server
   474              key:
   475                  file:
   476      
   477              # require client certificate authentication to access all resources
   478              clientAuthRequired: false
   479      
   480              # paths to PEM encoded ca certificates to trust for client authentication
   481              clientRootCAs:
   482                  files: []
   483      
   484      ###############################################################################
   485      #
   486      #    Metrics section
   487      #
   488      ###############################################################################
   489      metrics:
   490          # statsd, prometheus, or disabled
   491          provider: disabled
   492      
   493          # statsd configuration
   494          statsd:
   495              # network type: tcp or udp
   496              network: udp
   497      
   498              # statsd server address
   499              address: 127.0.0.1:8125
   500      
   501              # the interval at which locally cached counters and gauges are pushed
   502              # to statsd; timings are pushed immediately
   503              writeInterval: 10s
   504      
   505              # prefix is prepended to all emitted statsd metrics
   506              prefix: server