
Certified Hyperledger Fabric Administrator (CHFA) Exam Prep Notes

About CHFA

CHFA (Certified Hyperledger Fabric Administrator) is a certification issued by the Linux Foundation. According to the official description, a holder of this certificate is able to build a secure, production-ready Hyperledger Fabric network, including installing, configuring, operating, managing and troubleshooting the network's nodes.

The certificate is valid for 2 years, the exam fee is 300 USD, registration is valid for 12 months, the exam is taken online and lasts 2 hours. The Fabric version when I took the exam was 1.4.1.

The result appears in My Portal on the official site 36 hours after the exam.


Exam Prep Notes


Application Lifecycle Management – 20%

Install and Instantiate chaincode package

peer chaincode install -n mycc -v ${VERSION} -l ${LANGUAGE} -p ${CC_SRC_PATH}
# go
peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND ('Org1MSP.peer','Org2MSP.peer')"
# node (the name given to instantiate must match the installed package name)
peer chaincode install -n nodecc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_example02/node/
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n nodecc -l node -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND ('Org1MSP.peer','Org2MSP.peer')"
# java
peer chaincode install -n javacc -v 1.0 -l java -p /opt/gopath/src/github.com/chaincode/chaincode_example02/java/
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n javacc -l java -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND ('Org1MSP.peer','Org2MSP.peer')"

peer chaincode package -n mycc -p github.com/chaincode/chaincode_example02/go -v 1.1 mycc-1.1.out

Configure endorsement policy

See the -P option of peer chaincode instantiate above.

Define collection policy for private data

  • Docs » Tutorials » Using Private Data in Fabric
    [
      {
        "name": "collectionMarbles",
        "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
        "requiredPeerCount": 0,
        "maxPeerCount": 3,
        "blockToLive": 1000000,
        "memberOnlyRead": true,
        "memberOnlyWrite": true
      },
      {
        "name": "collectionMarblePrivateDetails",
        "policy": "OR('Org1MSP.member')",
        "requiredPeerCount": 0,
        "maxPeerCount": 3,
        "blockToLive": 3,
        "memberOnlyRead": true,
        "memberOnlyWrite": true,
        "endorsementPolicy": {
          "signaturePolicy": "OR('Org1MSP.member')"
        }
      }
    ]

    peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile $ORDERER_CA -C mychannel -n marblesp -v 1.0 -c '{"Args":["init"]}' -P "OR('Org1MSP.member','Org2MSP.member')" --collections-config  $GOPATH/src/github.com/chaincode/marbles02_private/collections_config.json
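The -P endorsement policy of instantiate and the "policy" / "endorsementPolicy" fields of collections_config.json use the same signature-policy DSL. The Python below is an added example (not code from Fabric or from these notes) that parses that DSL and evaluates it the way Fabric's cauthdsl does, consuming each signature at most once; it assumes identities are (MSP ID, role) pairs as classified by NodeOUs, and leaves out the actual signature verification.

```python
import re

# Tokens of the signature-policy DSL used by "peer chaincode instantiate -P" and by the
# "policy" / "endorsementPolicy.signaturePolicy" fields of collections_config.json.
_TOKEN = re.compile(r"\s*(?:(AND|OR|OutOf)|'([^']+)'|(\d+)|([(),]))")

def _tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        func, principal, num, punct = m.groups()
        if principal:  # 'MSPID.role' with role in member/admin/peer/client/orderer
            msp, _, role = principal.partition(".")
            tokens.append(("principal", (msp, role)))
        else:
            tokens.append(("func", func) if func else ("num", int(num)) if num else ("punct", punct))
        pos = m.end()
    return tokens

def parse(expr):
    """Parse a policy string into ('signedby', msp, role) / ('outof', n, [children]) nodes."""
    node, rest = _parse_node(_tokenize(expr))
    if rest:
        raise ValueError(f"trailing tokens: {rest}")
    return node

def _parse_node(tokens):
    if not tokens:
        raise ValueError("unexpected end of policy")
    kind, value = tokens[0]
    if kind == "principal":
        return ("signedby",) + value, tokens[1:]
    if kind != "func" or tokens[1:2] != [("punct", "(")]:
        raise ValueError(f"expected AND(, OR( or OutOf( but got {tokens[0]}")
    tokens, n = tokens[2:], None
    if value == "OutOf":  # OutOf(n, p1, p2, ...) carries its threshold first
        if len(tokens) < 2 or tokens[0][0] != "num" or tokens[1] != ("punct", ","):
            raise ValueError("OutOf requires a leading integer threshold")
        n, tokens = tokens[0][1], tokens[2:]
    children = []
    while True:
        child, tokens = _parse_node(tokens)
        children.append(child)
        if not tokens:
            raise ValueError("unterminated policy, missing ')'")
        sep, tokens = tokens[0], tokens[1:]
        if sep == ("punct", ")"):
            break
        if sep != ("punct", ","):
            raise ValueError(f"expected ',' or ')' but got {sep}")
    if value == "AND":  # AND is n-out-of-n, OR is 1-out-of-n
        n = len(children)
    elif value == "OR":
        n = 1
    return ("outof", n, children), tokens

def _eval(node, signers, used):
    if node[0] == "signedby":
        _, msp, role = node
        # Like Fabric's cauthdsl, one signature can satisfy only one principal of the policy;
        # 'member' matches any identity of the MSP, other roles need that NodeOU/admin role.
        for i, (signer_msp, signer_role) in enumerate(signers):
            if i not in used and signer_msp == msp and role in ("member", signer_role):
                used.add(i)
                return True
        return False
    _, n, children = node
    count = 0
    for child in children:
        trial = set(used)
        if _eval(child, signers, trial):
            used |= trial  # commit consumed signatures only when the sub-policy held
            count += 1
    return count >= n

def satisfied(policy, signers):
    """signers: list of (mspid, role) identities, e.g. [('Org1MSP', 'peer'), ('Org2MSP', 'peer')]."""
    return _eval(parse(policy), list(signers), set())

# Policies copied from the instantiate command and collections_config.json above.
CHAINCODE_POLICY = "AND ('Org1MSP.peer','Org2MSP.peer')"
COLLECTIONS = [
    {"name": "collectionMarbles", "policy": "OR('Org1MSP.member', 'Org2MSP.member')"},
    {"name": "collectionMarblePrivateDetails", "policy": "OR('Org1MSP.member')",
     "endorsementPolicy": {"signaturePolicy": "OR('Org1MSP.member')"}},
]

def write_policy(collection_name, collections=COLLECTIONS, chaincode_policy=CHAINCODE_POLICY):
    """A collection-level endorsementPolicy replaces the chaincode policy for writes to it."""
    coll = next(c for c in collections if c["name"] == collection_name)
    return coll.get("endorsementPolicy", {}).get("signaturePolicy", chaincode_policy)

def can_receive(collection_name, identity, collections=COLLECTIONS):
    """The collection 'policy' decides which orgs' peers may hold the private data."""
    coll = next(c for c in collections if c["name"] == collection_name)
    return satisfied(coll["policy"], [identity])
```

Note that a write to collectionMarblePrivateDetails needs only an Org1 endorsement, while a write to the public state or to collectionMarbles still needs both orgs' peers.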

Modify or upgrade chaincode

peer chaincode upgrade -o orderer.example.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -v 2.0 -c '{"Args":["init","a","90","b","210"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"

Install and Configure Network – 25%

Modify the world state database configuration

  • Docs » Tutorials » Using CouchDB
  • Docs » Architecture Reference » CouchDB as the State Database
  1. Enable CouchDB in Hyperledger Fabric
# COUCHDB_USER / COUCHDB_PASSWORD: admin username and password. If left empty, CouchDB runs in "Admin Party" mode, where anyone can do anything.
services:
  couchdb0:
    container_name: couchdb0
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    ports:
      - "5984:5984"
    networks:
      - byfn

  peer0.org1.example.com:
    environment:
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb0:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=
    depends_on:
      - couchdb0

CouchDB web UI: http://ip:5984/_utils/

  2. Create an index
    {
      "index": {
        "fields": ["foo"] // these are the frequently queried fields
      },
      "name" : "foo-index", // name of the index
      "type" : "json" // always json in this context
    }

Marbles sample:

{
  "index": {
    "fields": ["docType", "owner"] // Names of the fields to be queried
  },
  "ddoc": "indexOwnerDoc", // (optional) Name of the design document in which the index will be created.
  "name": "indexOwner",
  "type": "json"
}

Index files must be located under META-INF/statedb/couchdb/indexes inside the directory where the chaincode resides.

{"index":{"fields":["docType","owner"]},"ddoc":"indexOwnerDoc", "name":"indexOwner","type":"json"}

Define initial multi-org configuration policy

Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: crypto-config/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051
    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 9051
...
Profiles:
    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities

    SampleDevModeKafka:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: kafka
            Kafka:
                Brokers:
                    - kafka.example.com:9092

            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2

    SampleMultiNodeEtcdRaft:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            EtcdRaft:
                Consenters:
                    - Host: orderer.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
                    - Host: orderer2.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
                    - Host: orderer3.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
                    - Host: orderer4.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
                    - Host: orderer5.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
            Addresses:
                - orderer.example.com:7050
                - orderer2.example.com:7050
                - orderer3.example.com:7050
                - orderer4.example.com:7050
                - orderer5.example.com:7050

            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2

Configure Ordering service (Kafka)

  • Orderer.OrdererType is set to kafka
  • Orderer.Kafka.Brokers
  • Orderer.AbsoluteMaxBytes

kafka

- KAFKA_UNCLEAN_LEADER_ELECTION_ENABLE=false
- KAFKA_MIN_INSYNC_REPLICAS=1
- KAFKA_DEFAULT_REPLICATION_FACTOR=1
- KAFKA_MESSAGE_MAX_BYTES=1048576 # 1 * 1024 * 1024 B
- KAFKA_REPLICA_FETCH_MAX_BYTES=1048576 # 1 * 1024 * 1024 B
- KAFKA_LOG_RETENTION_MS=-1

orderer

- ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
- ORDERER_KAFKA_VERBOSE=true
- ORDERER_KAFKA_TLS_ENABLED=true
- ORDERER_KAFKA_TLS_PRIVATEKEY_FILE=/var/hyperledger/orderer/kafka/tls/client.key
- ORDERER_KAFKA_TLS_CERTIFICATE_FILE=/var/hyperledger/orderer/kafka/tls/client.crt
- ORDERER_KAFKA_TLS_ROOTCAS_FILE=/var/hyperledger/orderer/kafka/tls/ca.crt

Configure Hyperledger Fabric containers

services:
  peer-base:
    image: hyperledger/fabric-peer:$IMAGE_TAG
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      - FABRIC_LOGGING_SPEC=INFO
      #- FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt

      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:8051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start

  orderer-base:
    image: hyperledger/fabric-orderer:$IMAGE_TAG
    environment:
      - FABRIC_LOGGING_SPEC=DEBUG
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer

Define network config options (block creation options, etc)

  • Docs » Operations Guides » Updating a Channel Configuration
  • Docs » Tutorials » Adding an Org to a Channel

configtx.yaml

{
  "Orderer.BatchSize.absolute_max_bytes": 102760448,
  "Orderer.BatchSize.max_message_count": 10,
  "Orderer.BatchSize.preferred_max_bytes": 524288,
  "Orderer.BatchTimeout": "2s",
  "Orderer.MaxChannels": "1000" // default is 0, which means no maximum number of channels
}

Enable TLS for communication

  • Docs » Operations Guides » Securing Communication With Transport Layer Security (TLS)
# orderer
# enabled TLS
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
# TLS client authentication (mutual TLS)
- ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
- ORDERER_GENERAL_TLS_CLIENTROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]

# enabled kafka client TLS
- ORDERER_KAFKA_SERVER=kafkaserver
- ORDERER_KAFKA_VERBOSE=true
- ORDERER_KAFKA_TLS_ENABLED=true
- ORDERER_KAFKA_TLS_PRIVATEKEY_FILE=/var/hyperledger/orderer/kafka/tls/client.key
- ORDERER_KAFKA_TLS_CERTIFICATE_FILE=/var/hyperledger/orderer/kafka/tls/client.crt
- ORDERER_KAFKA_TLS_ROOTCAS_FILE=/var/hyperledger/orderer/kafka/tls/ca.crt

# peer
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# TLS client authentication (mutual TLS)
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
- CORE_PEER_TLS_CLIENTROOTCAS_FILES=
- CORE_PEER_TLS_CLIENTCERT_FILE=
- CORE_PEER_TLS_CLIENTKEY_FILE=

# CLI (no spaces around "=" in environment assignments)
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_ROOTCERT_FILE=
# TLS client authentication (mutual TLS)
CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
CORE_PEER_TLS_CLIENTCERT_FILE=
CORE_PEER_TLS_CLIENTKEY_FILE=

Generate genesis block

cryptogen generate --config=./crypto-config.yaml
export FABRIC_CFG_PATH=$PWD
configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
configtxgen -profile SampleDevModeKafka -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block

Configure service discovery node (e.g. peer and orderer addresses)

Docs » Commands Reference » Service Discovery CLI

CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org1.example.com:8051

discover --configFile conf.yaml --peerTLSCA tls/ca.crt --userKey msp/keystore/ea4f6a38ac7057b6fa9502c2f5f39f182e320f71f667749100fe7dd94c23ce43_sk --userCert msp/signcerts/User1\@org1.example.com-cert.pem  --MSP Org1MSP saveConfig

# Peer membership query
discover --configFile conf.yaml peers --channel mychannel --server peer0.org1.example.com:7051

# Configuration query
discover --configFile conf.yaml config --channel mychannel --server peer0.org1.example.com:7051
# certificates base64 decoded
discover --configFile conf.yaml config --channel mychannel --server peer0.org1.example.com:7051 | jq .msps.OrdererOrg.root_certs[0] | sed "s/\"//g" | base64 --decode | openssl x509 -text -noout

# Endorsers query
discover --configFile conf.yaml endorsers --channel mychannel --server peer0.org1.example.com:7051 --chaincode mycc

Membership Service Provider – 20%

Configure ACL

  • https://hyperledger-fabric.readthedocs.io/en/release-1.4/access_control.html
  • https://github.com/hyperledger/fabric/blob/release-1.2/sampleconfig/configtx.yaml
Application: &ApplicationDefaults
    ACLs: &ACLsDefault
        # This section provides defaults for policies for various resources
        # in the system. These "resources" could be functions on system chaincodes
        # (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other resources
        # (e.g., who can receive Block events). This section does NOT specify the resource's
        # definition or API, but just the ACL policy for it.
        #
        # Users can override these defaults with their own policy mapping by defining the
        # mapping under ACLs in their channel definition
        #---Lifecycle System Chaincode (lscc) function to policy mapping for access control---#
        # ACL policy for lscc's "getid" function
        lscc/ChaincodeExists: /Channel/Application/Readers
        # ACL policy for lscc's "getdepspec" function
        lscc/GetDeploymentSpec: /Channel/Application/Readers
        # ACL policy for lscc's "getccdata" function
        lscc/GetChaincodeData: /Channel/Application/Readers
        # ACL Policy for lscc's "getchaincodes" function
        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
        #---Query System Chaincode (qscc) function to policy mapping for access control---#
        # ACL policy for qscc's "GetChainInfo" function
        qscc/GetChainInfo: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByNumber" function
        qscc/GetBlockByNumber: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByHash" function
        qscc/GetBlockByHash: /Channel/Application/Readers
        # ACL policy for qscc's "GetTransactionByID" function
        qscc/GetTransactionByID: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByTxID" function
        qscc/GetBlockByTxID: /Channel/Application/Readers
        #---Configuration System Chaincode (cscc) function to policy mapping for access control---#
        # ACL policy for cscc's "GetConfigBlock" function
        cscc/GetConfigBlock: /Channel/Application/Readers
        # ACL policy for cscc's "GetConfigTree" function
        cscc/GetConfigTree: /Channel/Application/Readers
        # ACL policy for cscc's "SimulateConfigTreeUpdate" function
        cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers
        #---Miscellaneous peer function to policy mapping for access control---#
        # ACL policy for invoking chaincodes on peer
        peer/Propose: /Channel/Application/Writers
        # ACL policy for chaincode to chaincode invocation
        peer/ChaincodeToChaincode: /Channel/Application/Readers
        #---Events resource to policy mapping for access control###---#
        # ACL policy for sending block events
        event/Block: /Channel/Application/Readers
        # ACL policy for sending filtered block events
        event/FilteredBlock: /Channel/Application/Readers
    # Organizations lists the orgs participating on the application side of the
    # network.
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies: &ApplicationDefaultPolicies
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
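To see how an ACL entry such as peer/Propose resolves through the ImplicitMeta policies above to the per-org Signature policies of the configtx.yaml shown earlier, here is an added Python example (not Fabric code or these notes' own). It assumes identities are (MSP ID, role) pairs, that the org rules are the OR-over-own-MSP rules shown in configtx.yaml, and that a constructed Org3MSP uses the same policy shape as Org1 and Org2.

```python
# Org-level Signature policies from configtx.yaml, written as the set of roles an identity
# of that MSP may hold (every org rule there is an OR over principals of its own MSP).
# Org3MSP is a constructed entry that assumes the same shape as Org1MSP and Org2MSP.
ORG_POLICIES = {
    "Org1MSP": {"Readers": {"admin", "peer", "client"}, "Writers": {"admin", "client"}, "Admins": {"admin"}},
    "Org2MSP": {"Readers": {"admin", "peer", "client"}, "Writers": {"admin", "client"}, "Admins": {"admin"}},
    "Org3MSP": {"Readers": {"admin", "peer", "client"}, "Writers": {"admin", "client"}, "Admins": {"admin"}},
}

# /Channel/Application/<name> ImplicitMeta policies from the ACL block above.
APPLICATION_POLICIES = {
    "Readers": ("ANY", "Readers"),
    "Writers": ("ANY", "Writers"),
    "Admins": ("MAJORITY", "Admins"),
}

# A few resource-to-policy mappings from the ACL block above.
ACLS = {
    "peer/Propose": "/Channel/Application/Writers",
    "qscc/GetBlockByNumber": "/Channel/Application/Readers",
    "event/Block": "/Channel/Application/Readers",
    "cscc/GetConfigBlock": "/Channel/Application/Readers",
}


def org_policy_satisfied(msp, policy_name, signers):
    """True if some signer belongs to `msp` and holds a role allowed by that org's policy."""
    roles = ORG_POLICIES[msp][policy_name]
    return any(signer_msp == msp and role in roles for signer_msp, role in signers)


def implicit_meta_satisfied(rule, sub_policy, signers, orgs):
    """Evaluate an ImplicitMeta rule (ANY / ALL / MAJORITY <sub_policy>) over the channel's orgs."""
    count = sum(org_policy_satisfied(org, sub_policy, signers) for org in orgs)
    # MAJORITY is strictly more than half: len/2 + 1 with integer division, as in Fabric
    threshold = {"ANY": 1, "ALL": len(orgs), "MAJORITY": len(orgs) // 2 + 1}[rule]
    return count >= threshold


def resource_allowed(resource, signers, orgs=("Org1MSP", "Org2MSP")):
    """Resolve an ACL entry (e.g. peer/Propose -> /Channel/Application/Writers) and evaluate it."""
    policy_name = ACLS[resource].rsplit("/", 1)[1]
    rule, sub_policy = APPLICATION_POLICIES[policy_name]
    return implicit_meta_satisfied(rule, sub_policy, signers, orgs)


def channel_update_allowed(signers, orgs=("Org1MSP", "Org2MSP")):
    """An update under /Channel/Application (adding Org3, changing BatchSize) must satisfy Admins."""
    rule, sub_policy = APPLICATION_POLICIES["Admins"]
    return implicit_meta_satisfied(rule, sub_policy, signers, orgs)
```

This is why the "Add an org to a channel" steps below sign the config update once as the Org1 admin and once as the Org2 admin: with two orgs, MAJORITY Admins needs both.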

Create end user identity

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert'

fabric-ca-client register -d --id.name admin2 --id.affiliation org1.department1 --id.attrs '"hf.Registrar.Roles=peer,client",hf.Revoker=true'
fabric-ca-client register -d --id.name admin2 --id.affiliation org1.department1 --id.attrs '"hf.Registrar.Roles=peer,client"' --id.attrs hf.Revoker=true

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
fabric-ca-client register --id.name client1 --id.type client --id.affiliation bu1.department1.Team1

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

Revoke an identity

fabric-ca-client revoke -e <enrollment_id> -r <reason>

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client revoke -e peer1

serial=$(openssl x509 -in userecert.pem -serial -noout | cut -d "=" -f 2)
aki=$(openssl x509 -in userecert.pem -text | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print tolower($0)}')
fabric-ca-client revoke -s $serial -a $aki -r affiliationchange

# Generating a CRL (Certificate Revocation List)
export FABRIC_CA_CLIENT_HOME=~/clientconfig
fabric-ca-client gencrl -M ~/msp

export FABRIC_CA_CLIENT_HOME=~/clientconfig
fabric-ca-client gencrl --caname "" --revokedafter 2017-09-13T16:39:57-08:00 --revokedbefore 2017-09-21T16:39:57-08:00 -M ~/msp

export FABRIC_CA_CLIENT_HOME=~/clientconfig
fabric-ca-client gencrl --caname "" --expireafter 2017-09-13T16:39:57-08:00 --expirebefore 2018-09-13T16:39:57-08:00 --revokedafter 2017-09-13T16:39:57-08:00 --revokedbefore 2017-09-21T16:39:57-08:00 -M ~/msp

Attribute-Based Access Control

fabric-ca-client register --id.name user1 --id.secret user1pw --id.type client --id.affiliation org1 --id.attrs 'app1Admin=true:ecert,email=user1@gmail.com'

fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --enrollment.attrs "email,phone:opt"

fabric-ca-client register --id.name user1 --id.secret user1pw --id.type client --id.affiliation org1 --id.attrs 'hf.Affiliation=org1:ecert'

Configure and start Hyperledger Fabric CA

  • https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/serverconfig.html
  • https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/clientconfig.html
    version: 1.4.1
    port: 7054
    cors:
      enabled: false
      origins:
        - "*"
    debug: false
    crlsizelimit: 512000
    tls:
      enabled: false
      certfile:
      keyfile:
      clientauth:
        type: noclientcert
        certfiles:
    ca:
      name:
      keyfile:
      certfile:
      chainfile:
    crl:
      expiry: 24h
    registry:
      maxenrollments: -1
      identities:
        - name: admin
          pass: adminpw
          type: client
          affiliation: ""
          attrs:
            hf.Registrar.Roles: "*"
            hf.Registrar.DelegateRoles: "*"
            hf.Revoker: true
            hf.IntermediateCA: true
            hf.GenCRL: true
            hf.Registrar.Attributes: "*"
            hf.AffiliationMgr: true
    db:
      type: sqlite3
      datasource: fabric-ca-server.db
      tls:
        enabled: false
        certfiles:
        client:
          certfile:
          keyfile:
    ldap:
      enabled: false
      url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
      tls:
        certfiles:
        client:
          certfile:
          keyfile:
      attribute:
        names: ['uid','member']
        converters:
          - name:
            value:
        maps:
          groups:
            - name:
              value:
    affiliations:
      org1:
        - department1
        - department2
      org2:
        - department1
    signing:
      default:
        usage:
          - digital signature
        expiry: 8760h
      profiles:
        ca:
          usage:
            - cert sign
            - crl sign
          expiry: 43800h
          caconstraint:
            isca: true
            maxpathlen: 0
        tls:
          usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
          expiry: 8760h
    csr:
      cn: fabric-ca-server
      keyrequest:
        algo: ecdsa
        size: 256
      names:
        - C: US
          ST: "North Carolina"
          L:
          O: Hyperledger
          OU: Fabric
      hosts:
        - db1216d39a1d
        - localhost
      ca:
        expiry: 131400h
        pathlength: 1
    idemix:
      rhpoolsize: 1000
      nonceexpiration: 15s
      noncesweepinterval: 15m
    bccsp:
      default: SW
      sw:
        hash: SHA2
        security: 256
        filekeystore:
          keystore: msp/keystore
    cacount:
    cafiles:
    intermediate:
      parentserver:
        url:
        caname:
      enrollment:
        hosts:
        profile:
        label:
      tls:
        certfiles:
        client:
          certfile:
          keyfile:
    cfg:
      identities:
        passwordattempts: 10
    operations:
      listenAddress: 127.0.0.1:9443
      tls:
        enabled: false
        cert:
          file:
        key:
          file:
        clientAuthRequired: false
        clientRootCAs:
          files: []
    metrics:
      provider: disabled
      statsd:
        network: udp
        address: 127.0.0.1:8125
        writeInterval: 10s
        prefix: server

    csr:
      cn: fabric-ca-server
      names:
        - C: US
          ST: "North Carolina"
          L:
          O: Hyperledger
          OU: Fabric
      hosts:
        - host1.example.com
        - localhost
      ca:
        expiry: 131400h
        pathlength: 1
fabric-ca-server init -b admin:adminpw
fabric-ca-server start -b <admin>:<adminpw>
fabric-ca-server start -b admin:adminpw --cfg.affiliations.allowremove --cfg.identities.allowremove

Configure Hyperledger Fabric for hardware security module

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore

Network Maintenance and Operations – 20%

Add a peer to existing organization

export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem && export CHANNEL_NAME=mychannel
peer channel fetch 0 mychannel.block -o orderer.example.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
peer channel join -b $CHANNEL_NAME.block

Create a channel

  • Docs » Tutorials » Building Your First Network
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
CORE_PEER_LOCALMSPID="Org1MSP"
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt

peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx
peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA
peer channel join -b $CHANNEL_NAME.block
peer channel list &>channel-list.txt

Add an org to a channel

Docs » Tutorials » Adding an Org to a Channel

cd org3-artifacts
../../bin/cryptogen generate --config=./org3-crypto.yaml
export FABRIC_CFG_PATH=$PWD && ../../bin/configtxgen -printOrg Org3MSP > ../channel-artifacts/org3.json
cd ../ && cp -r crypto-config/ordererOrganizations org3-artifacts/crypto-config/

docker exec -it cli bash
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem && export CHANNEL_NAME=mychannel
peer channel fetch config config_block.pb -o orderer.example.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA

configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org3MSP":.[1]}}}}}' config.json ./channel-artifacts/org3.json > modified_config.json
configtxlator proto_encode --input config.json --type common.Config --output config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
configtxlator compute_update --channel_id $CHANNEL_NAME --original config.pb --updated modified_config.pb --output org3_update.pb
configtxlator proto_decode --input org3_update.pb --type common.ConfigUpdate | jq . > org3_update.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"'$CHANNEL_NAME'", "type":2}},"data":{"config_update":'$(cat org3_update.json)'}}}' | jq . > org3_update_in_envelope.json
configtxlator proto_encode --input org3_update_in_envelope.json --type common.Envelope --output org3_update_in_envelope.pb

peer channel signconfigtx -f org3_update_in_envelope.pb

# you can issue all of these commands at once
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
export CORE_PEER_ADDRESS=peer0.org2.example.com:9051

peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA

docker-compose -f docker-compose-org3.yaml up -d
docker exec -it Org3cli bash
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem && export CHANNEL_NAME=mychannel
peer channel fetch 0 mychannel.block -o orderer.example.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
peer channel join -b mychannel.block
# switch peer1.org3
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer1.org3.example.com/tls/ca.crt && export CORE_PEER_ADDRESS=peer1.org3.example.com:12051
peer channel join -b mychannel.block

Update channel configuration

  • Docs » Operations Guides » Updating a Channel Configuration
    export MAXBATCHSIZEPATH=".channel_group.groups.Orderer.values.BatchSize.value.max_message_count"
    jq "$MAXBATCHSIZEPATH" config.json
    jq "$MAXBATCHSIZEPATH = 20" config.json > modified_config.json
    jq "$MAXBATCHSIZEPATH" modified_config.json

    # Get the Necessary Signatures
    export CORE_PEER_LOCALMSPID="OrdererMSP"
    export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
    export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin@example.com/msp/

    peer channel signconfigtx -f <config_update_envelope.pb>

Update a Hyperledger Fabric Instance

Docs » Tutorials » Upgrading Your Network Components

  1. Clean up
    ./byfn.sh down
  2. Generate the crypto and bring up the network
    git fetch origin

    git checkout v1.3.0

    ./byfn.sh generate

    ./byfn.sh up -t 3000 -i 1.3.0
  3. Get the newest samples
    git checkout v1.4.1
  4. Upgrade the orderer containers
    export CH_NAME=testchainid

    docker stop orderer.example.com

    export LEDGERS_BACKUP=./ledgers-backup
    export IMAGE_TAG=$(go env GOARCH)-1.4.1

    mkdir -p $LEDGERS_BACKUP

    docker cp orderer.example.com:/var/hyperledger/production/orderer/ ./$LEDGERS_BACKUP/orderer.example.com

    docker-compose -f docker-compose-cli.yaml up -d --no-deps orderer.example.com
  5. Upgrade the peer containers
    export PEER=peer0.org1.example.com
    docker stop $PEER
    mkdir -p $LEDGERS_BACKUP

    docker cp $PEER:/var/hyperledger/production ./$LEDGERS_BACKUP/$PEER

    # remove the old chaincode containers and images so they are rebuilt against the new peer
    CC_CONTAINERS=$(docker ps | grep dev-$PEER | awk '{print $1}')
    if [ -n "$CC_CONTAINERS" ] ; then docker rm -f $CC_CONTAINERS ; fi
    CC_IMAGES=$(docker images | grep dev-$PEER | awk '{print $1}')
    if [ -n "$CC_IMAGES" ] ; then docker rmi -f $CC_IMAGES ; fi

    docker-compose -f docker-compose-cli.yaml up -d --no-deps $PEER
  6. Verify peer upgrade completion
    docker-compose -f docker-compose-cli.yaml stop cli

    docker-compose -f docker-compose-cli.yaml up -d --no-deps cli

    CH_NAME=mychannel
    ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

    peer chaincode invoke -o orderer.example.com:7050 --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt --tls --cafile $ORDERER_CA -C $CH_NAME -n mycc -c '{"Args":["invoke","a","b","10"]}'

    peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'

Diagnostics and Troubleshooting – 15%

Query and analyse peer logs

Query and analyse CA logs

Query and analyse Orderer logs

Query and analyse chaincode logs

CHFA Environment

  • Each task on this exam must be completed on a designated Fabric node, most of which run Fabric under docker/docker-compose.
  • Most of the networks are based off of byfn with configuration files located under /srv/fabric-samples, unless otherwise noted in the instructions.
  • For most tasks, you can connect to the CLI node with a command such as:
    docker exec -it cli bash
  • At the start of each task, you will be directed to which Fabric node you should ssh to in order to complete the task.
  • You can ssh to a Fabric node with a command such as:
    ssh fabadm@<nodename>
  • The fabadm user should be used for all tasks, unless otherwise indicated.
  • You can assume elevated privileges on any node by issuing the following command:
    sudo -i
  • You can also use sudo to execute commands with elevated privileges at any time.
  • You must return to the base node (hostname node-1) after completing each task.
  • The exam is based on Fabric v1.4

Reference

  • Official site: https://training.linuxfoundation.org/certification/certified-hyperledger-fabric-administrator-chfa/
  • Fabric docs: https://hyperledger-fabric.readthedocs.io/en/release-1.4/tutorials.html
  • Fabric CA docs: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html