[FAB-3710] /examples/cluster: configure CA

We need to ensure we configure the CA with the MSP artifacts
or it will be unable to generate usable ECerts.

Change-Id: Iec5f1bf033d92a9d11ab7feca2aaf3e78eac8d78
Signed-off-by: Greg Haskins <[email protected]>

Author: ghaskins

examples/cluster/Makefile

@@ -95,10 +95,10 @@ build/nodes/orderer: build/nodes/orderer/orderer.yaml
 build/nodes/orderer: build/nodes/orderer/genesis.block
 build/nodes/cli: $(CHANNEL_TXNS)
 
-build/nodes/ca:
-	@mkdir -p $@/tls
-	cp $(CA_PATH)/*_sk $@/tls/ca.key
-	cp $(CA_PATH)/*.pem $@/tls/ca.crt
+build/nodes/ca: build/nodes/ca/fabric-ca-server-config.yaml
+	@mkdir -p $@
+	cp $(CA_PATH)/*_sk $@/ca.key
+	cp $(CA_PATH)/*.pem $@/ca.crt
 
 build/nodes/%: build/nodes/%/msp build/nodes/%/configtx.yaml build/nodes/%/core.yaml
 	@echo "Built $@"

examples/cluster/compose/docker-compose.yaml

@@ -8,15 +8,13 @@ services:
     dns_search: .
     environment:
       - FABRIC_CA_SERVER_TLS_ENABLED=${TLS_ENABLED}
-      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server/tls/ca.crt
-      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server/tls/ca.key
     logging: &logging
       driver: json-file
       options:
         max-size: "25m"
         max-file: "2"
     volumes:
-      - ../build/nodes/ca/tls:/etc/hyperledger/fabric-ca-server/tls
+      - ../build/nodes/ca:/etc/hyperledger/fabric-ca-server
 
   orderer:
     container_name: orderer

examples/cluster/config/fabric-ca-server-config.yaml

@@ -0,0 +1,239 @@
+#############################################################################
+#   This is a configuration file for the fabric-ca-server command.
+#
+#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
+#   ------------------------------------------------
+#   Each configuration element can be overridden via command line
+#   arguments or environment variables.  The precedence for determining
+#   the value of each element is as follows:
+#   1) command line argument
+#      Examples:
+#      a) --port 443
+#         To set the listening port
+#      b) --ca-keyfile ../mykey.pem
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '-' separator character.
+#   2) environment variable
+#      Examples:
+#      a) FABRIC_CA_SERVER_PORT=443
+#         To set the listening port
+#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
+#         To set the "keyfile" element in the "ca" section below;
+#         note the '_' separator character.
+#   3) configuration file
+#   4) default value (if there is one)
+#      All default values are shown beside each element below.
+#
+#   FILE NAME ELEMENTS
+#   ------------------
+#   All filename elements below end with the word "file".
+#   For example, see "certfile" and "keyfile" in the "ca" section.
+#   The value of each filename element can be a simple filename, a
+#   relative path, or an absolute path.  If the value is not an
+#   absolute path, it is interpretted as being relative to the location
+#   of this configuration file.
+#
+#############################################################################
+
+# Server's listening port (default: 7054)
+port: 7054
+
+# Enables debug logging (default: false)
+debug: false
+
+#############################################################################
+#  TLS section for the server's listening port
+#
+#  The following types are supported for client authentication: NoClientCert,
+#  RequestClientCert, RequireAnyClientCert, VerfiyClientCertIfGiven,
+#  and RequireAndVerifyClientCert.
+#
+#  Certfiles is a list of root certificate authorities that the server uses
+#  when verifying client certificates.
+#############################################################################
+tls:
+  # Enable TLS (default: false)
+  enabled: false
+  # TLS for the server's listening port
+  certfile: ca.crt
+  keyfile: ca.key
+  clientauth:
+    type: noclientcert
+    certfiles:
+
+#############################################################################
+#  The CA section contains information related to the Certificate Authority
+#  including the name of the CA, which should be unique for all members
+#  of a blockchain network.  It also includes the key and certificate files
+#  used when issuing enrollment certificates (ECerts) and transaction
+#  certificates (TCerts).
+#  The chainfile (if it exists) contains the certificate chain which
+#  should be trusted for this CA, where the 1st in the chain is always the
+#  root CA certificate.
+#############################################################################
+ca:
+  # Name of this CA
+  name:
+  certfile: ca.crt
+  keyfile: ca.key
+  # Chain file (default: chain-cert.pem)
+  chainfile: ca-chain.pem
+
+#############################################################################
+#  The registry section controls how the fabric-ca-server does two things:
+#  1) authenticates enrollment requests which contain a username and password
+#     (also known as an enrollment ID and secret).
+#  2) once authenticated, retrieves the identity's attribute names and
+#     values which the fabric-ca-server optionally puts into TCerts
+#     which it issues for transacting on the Hyperledger Fabric blockchain.
+#     These attributes are useful for making access control decisions in
+#     chaincode.
+#  There are two main configuration options:
+#  1) The fabric-ca-server is the registry
+#  2) An LDAP server is the registry, in which case the fabric-ca-server
+#     calls the LDAP server to perform these tasks.
+#############################################################################
+registry:
+  # Maximum number of times a password/secret can be reused for enrollment
+  # (default: 0, which means there is no limit)
+  maxEnrollments: 0
+
+  # Contains identity information which is used when LDAP is disabled
+  identities:
+     - name: admin
+       pass: adminpw
+       type: client
+       affiliation: ""
+       attrs:
+          hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
+          hf.Registrar.DelegateRoles: "client,user,validator,auditor"
+          hf.Revoker: true
+          hf.IntermediateCA: true
+
+#############################################################################
+#  Database section
+#  Supported types are: "sqlite3", "postgres", and "mysql".
+#  The datasource value depends on the type.
+#  If the type is "sqlite3", the datasource value is a file name to use
+#  as the database store.  Since "sqlite3" is an embedded database, it
+#  may not be used if you want to run the fabric-ca-server in a cluster.
+#  To run the fabric-ca-server in a cluster, you must choose "postgres"
+#  or "mysql".
+#############################################################################
+db:
+  type: sqlite3
+  datasource: /var/hyperledger/fabric-ca-server.db
+  tls:
+      enabled: false
+      certfiles:
+        - db-server-cert.pem
+      client:
+        certfile: db-client-cert.pem
+        keyfile: db-client-key.pem
+
+#############################################################################
+#  LDAP section
+#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
+#  1) authenticate enrollment ID and secret (i.e. username and password)
+#     for enrollment requests;
+#  2) To retrieve identity attributes
+#############################################################################
+ldap:
+   # Enables or disables the LDAP client (default: false)
+   enabled: false
+   # The URL of the LDAP server
+   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
+   tls:
+      certfiles:
+        - ldap-server-cert.pem
+      client:
+         certfile: ldap-client-cert.pem
+         keyfile: ldap-client-key.pem
+
+#############################################################################
+#  Affiliation section
+#############################################################################
+affiliations:
+   org1:
+      - department1
+      - department2
+   org2:
+      - department1
+
+#############################################################################
+#  Signing section
+#############################################################################
+signing:
+    profiles:
+      ca:
+         usage:
+           - cert sign
+         expiry: 8000h
+         caconstraint:
+           isca: true
+    default:
+      usage:
+        - cert sign
+      expiry: 8000h
+
+###########################################################################
+#  Certificate Signing Request section for generating the CA certificate
+###########################################################################
+csr:
+   cn: fabric-ca-server
+   names:
+      - C: US
+        ST: "North Carolina"
+        L:
+        O: Hyperledger
+        OU: Fabric
+   hosts:
+     - 2008f00aff38
+   ca:
+      pathlen:
+      pathlenzero:
+      expiry:
+
+#############################################################################
+# BCCSP (BlockChain Crypto Service Provider) section is used to select which
+# crypto library implementation to use
+#############################################################################
+
+bccsp:
+    default: SW
+    sw:
+        hash: SHA2
+        security: 256
+        filekeystore:
+            # The directory used for the software file-based keystore
+            keystore: keystore
+
+#############################################################################
+# The fabric-ca-server init and start commands support the following two
+# additional mutually exclusive options:
+#
+# 1) --cacount <number-of-CAs>
+# Automatically generate multiple default CA instances.
+# This is particularly useful in a development environment to quickly set up
+# multiple CAs.
+# For example,
+#     fabric-ca-server start -b admin:adminpw --cacount 2
+# starts a server with a default CA and two non-default CA's with names
+# 'ca1' and 'ca2'.
+#
+# 2) --cafiles <CA-config-files>
+# For each CA config file in the list, generate a separate signing CA.  Each CA
+# config file in this list MAY contain all of the same elements as are found in
+# the server config file except port, debug, and tls sections.
+# For example,
+#    fabric-ca-server start -b admin:adminpw                \
+#          --cafiles ca/ca1/fabric-ca-server-config.yaml    \
+#          --cafiles ca/ca2/fabric-ca-server-config.yaml
+# is equivalent to the previous example, except the files CA config files
+# must already exist and can be customized.
+#
+#############################################################################
+
+cacount:
+
+cafiles: