|
| 1 | +Membership Service Providers (MSPs): Setup & Best Practices |
| 2 | +=========================================================== |
| 3 | + |
| 4 | +Membership service provider (MSP) is a component that aims to offer an |
| 5 | +abstraction of a membership operation architecture. |
| 6 | + |
| 7 | +In particular, MSP abstracts away all cryptographic mechanisms and protocols |
| 8 | +behind issuing and validating certificates, and user authentication. An |
| 9 | +MSP may define their own notion of identity, and the rules by which those |
| 10 | +identities are governed (identity validation) and authenticated (signature |
| 11 | +generation and verification). |
| 12 | + |
| 13 | +Fabric Blockchain network can be governed by one or more MSPs. In this |
| 14 | +way Fabric offers modularity of membership operations, and interoperability |
| 15 | +across different membership standards and architectures. |
| 16 | + |
| 17 | +In the rest of this document we elaborate on the setup of the MSP |
| 18 | +implementation supported by Fabric, and discuss best practices concerning |
| 19 | +its use. |
| 20 | + |
| 21 | +MSP Configuration |
| 22 | +----------------- |
| 23 | + |
| 24 | +To setup an instance of the MSP, its configuration needs to be specified |
| 25 | +locally at each peer and orderer (to enable peer, and orderer signing), |
| 26 | +and on the channels to enable peer, orderer, client identity validation, and |
| 27 | +respective signature verification (authentication) by and for all channel |
| 28 | +members. |
| 29 | + |
| 30 | +First of all, for each MSP a name needs to be specified to reference that MSP |
| 31 | +in the network, e.g., “org1”, “msp2”, and “org3.divA”. This is the name under |
| 32 | +which membership rules of an MSP representing a consortium, organisation or |
| 33 | +organisation division is to be referenced in a channel. This is also referred |
| 34 | +to as *MSP Identifier*. MSP Identifiers are important to be unique per MSP |
| 35 | +instance. For example, shall two MSP instances with the same identifier are |
| 36 | +detected at the system channel genesis, orderer setup will fail. |
| 37 | + |
| 38 | +In the case of default implementation of MSP, a set of parameters need to be |
| 39 | +specified to allow for identity (certificate) validation and signature |
| 40 | +verification. These parameters are deduced by |
| 41 | +`RFC5280 <http://www.ietf.org/rfc/rfc5280.txt>`_, and include: |
| 42 | + |
| 43 | + - A list of self-signed (X.509) certificates to constitute the *root of |
| 44 | + trust* |
| 45 | + - A list of X.509 certificates to represent intermediate CAs this provider |
| 46 | + considers for certificate validation; these certificates ought to be |
| 47 | + certified by exactly one of the certificates in the root of trust; |
| 48 | + intermediate CAs are optional parameters |
| 49 | + - A list of X.509 certificates with a verifiable certificate path to |
| 50 | + exactly one of the certificates of the root of trust to represent the |
| 51 | + administrators of this MSP; owners of these |
| 52 | + certificates are authorized to request changes to this MSP configuration |
| 53 | + (e.g., root CAs, intermediate CAs) |
| 54 | + - A list of Organizational Units, that valid members of this MSP should |
| 55 | + include in their X.509 certificate; this is an optional configuration |
| 56 | + parameter, used when, e.g., multiple organisations leverage the same |
| 57 | + root of trust, and intermediate CAs, and have reserved an OU field for |
| 58 | + their members |
| 59 | + - A list of certificate revocation lists (CRLs) each corresponding to |
| 60 | + exactly one of the listed (intermediate or root) MSP Certificate |
| 61 | + Authorities; this is an optional parameter |
| 62 | + |
| 63 | +*Valid* identities for this MSP instance have the form of X.509 certificates |
| 64 | +with a verifiable certificate path to exactly one of the root of trust |
| 65 | +certificates, are not included in any CRL, and *list* one or more of the |
| 66 | +Organizational Units of the MSP configuration in the ``OU`` field of |
| 67 | +their X.509 certificate structure. |
| 68 | + |
| 69 | +In addition to verification related parameters, for the MSP to enable |
| 70 | +the node on which it is instantiated to sign or authenticate, one needs to |
| 71 | +specify: |
| 72 | + - The signing key used for signing by the node, and |
| 73 | + - The node' s X.509 certificate, that is a valid identity under the |
| 74 | + verification parameters of this MSP. |
| 75 | + |
| 76 | + |
| 77 | +How to generate MSP certificates and their signing keys? |
| 78 | +-------------------------------------------------------- |
| 79 | +To generate X.509 certificates to feed its MSP configuration, the application |
| 80 | +can use `Openssl <https://www.openssl.org/>`_. |
| 81 | + |
| 82 | +Alternatively one can use ``cryptogen`` tool, whose operation is explained in |
| 83 | +another document. |
| 84 | + |
| 85 | +For fabric-ca related certificate generation, we refer the reader to the |
| 86 | +fabric-ca related documentation (./Setup/ca-setup.rst). |
| 87 | + |
| 88 | + |
| 89 | +MSP setup on the peer & orderer side |
| 90 | +------------------------------------ |
| 91 | + |
| 92 | +To set up a local MSP (for either a peer or an orderer), the administrator |
| 93 | +should create a folder e.g., $MY_PATH/mspconfig, which contains six subfolders |
| 94 | +and a file: |
| 95 | + 1. a folder `admincerts` to include PEM files each corresponding to an |
| 96 | + administrator certificate |
| 97 | + 2. a folder `cacerts` to include PEM files each corresponding to a root |
| 98 | + CAs certificate |
| 99 | + 3. (optional) a folder `intermediatecerts` to include PEM files each |
| 100 | + corresponding to an intermediate CAs certificate |
| 101 | + 4. (optional) a file `config.yaml` to include information on the |
| 102 | + considered OUs; the latter are defined as pairs of |
| 103 | + ``<Certificate, OrganizationalUnitIdentifier>`` entries of a yaml array |
| 104 | + called `OrganizationalUnitIdentifiers`, where `Certificate` represents |
| 105 | + the relative path to the certificate of the certificate authority (root or |
| 106 | + intermediate) that should be considered for certifying members of this |
| 107 | + organizational unit (e.g., ./cacerts/cacert.pem), and |
| 108 | + `OrganizationalUnitIdentifier` represents the actual string as |
| 109 | + expected to appear in X.509 certificate OU-field (e.g., "COP") |
| 110 | + 5. (optional) a folder `crls` to include the considered CRLs |
| 111 | + 6. a folder `keystore` to include a PEM file with the node's signing key |
| 112 | + 7. a folder `signcerts` to include a PEM file with the node's X.509 |
| 113 | + certificate |
| 114 | + |
| 115 | + |
| 116 | +In the configuration file of the node (core.yaml file for the peer, and |
| 117 | +orderer.yaml for the orderer) file, one needs to specify the path to the |
| 118 | +mspconfig folder, and the msp identifier of the node' s MSP. The path to the |
| 119 | +mspconfig folder is expected to be relative to FABRIC_CFG_PATH and is provided |
| 120 | +as the value of parameter ``mspConfigPath`` for the peer, and ``LocalMSPDir`` |
| 121 | +for the orderer. The identifier of the node's MSP is provided as value of |
| 122 | +parameter ``localMspId`` for the peer and ``LocalMSPID`` for the orderer. |
| 123 | +These variables can be overriden via the environment using the CORE prefix for |
| 124 | +peer (e.g. CORE_PEER_LOCALMSPID) and the ORDERER prefix for the orderer (e.g. |
| 125 | +ORDERER_GENERAL_LOCALMSPID). Notice that for the orderer setup, one needs to |
| 126 | +generate, and provide to the orderer the genesis block of the system channel. |
| 127 | +The MSP configuration needs of this block are detailed in the next section. |
| 128 | + |
| 129 | + |
| 130 | +*Reconfiguration* of a "local" MSP is only possible manually, and requires that |
| 131 | +the peer or orderer process is restarted. In subsequent releases we aim to |
| 132 | +offer online/dynamic reconfiguration, i.e., without requiring to stop the node |
| 133 | +by using a node managed system chaincode. |
| 134 | + |
| 135 | + |
| 136 | +Channel MSP setup |
| 137 | +----------------- |
| 138 | +At the genesis of the system, verification parameters of all the MSPs that |
| 139 | +appear in the network need to be specified, and included in the system |
| 140 | +channel's genesis block. Recall that MSP verification parameters consist of |
| 141 | +the MSP identifier, the root of trust certificates, intermediate CA and admin |
| 142 | +certificates as well as OU specifications and CRLs. |
| 143 | +The system genesis block is provided to the orderers at their setup phase, |
| 144 | +and allows them to authenticate channel creation requests. Orderers would |
| 145 | +reject the system genesis block, if the latter includes two MSPs with the same |
| 146 | +identifier, and consequently the bootstrapping of the network would fail. |
| 147 | + |
| 148 | +For application channels, the verification components of only the MSPs that |
| 149 | +governs a channel need to reside in the channel's genesis block. We emphasise |
| 150 | +that it is **the responsibility of the application** to ensure that correct |
| 151 | +MSP configuration information is included in the genesis blocks (or the |
| 152 | +most recent configuration block) of a channel prior to instructing one or |
| 153 | +more peers of theirs to join the channel. |
| 154 | + |
| 155 | +When bootstrapping a channel with the help of configtxgen tool, one can |
| 156 | +configure the channel MSPs by including the verification parameters of MSP |
| 157 | +in the mspconfig folder, and setting that path in the relevant section in |
| 158 | +`configtx.yaml`. |
| 159 | + |
| 160 | +*Reconfiguration* of an MSP on the channel, including announcements of the |
| 161 | +certificate revocation lists associated to the CAs of that MSP is achieved |
| 162 | +through the creation of a config_update object by the owner of one of the |
| 163 | +administrator certificates of the MSP. The client application managed by the |
| 164 | +admin would then announce this update o the channels in which this MSP appears. |
| 165 | + |
| 166 | + |
| 167 | + |
| 168 | +Best Practices |
| 169 | +-------------- |
| 170 | + |
| 171 | +In this section we elaborate on best practices for MSPs |
| 172 | +configuration in commonly met scenarios. |
| 173 | + |
| 174 | +**1) Mapping between organizations/corporations and MSPs** |
| 175 | + |
| 176 | +We recommend that there is a one-to-one mapping between organizations and MSPs. |
| 177 | +If a different mapping type of mapping is chosen the following needs to be to |
| 178 | +considered: |
| 179 | + |
| 180 | + - **One organization employing various MSPs.** This corresponds to the |
| 181 | + case of an organization including a variety of divisions each represented |
| 182 | + by its MSP, either for management independence |
| 183 | + reasons, or for privacy reasons. In this case a peer can only be owned by |
| 184 | + a single MSP, and will not recognize peers with identities from other MSPs |
| 185 | + as peers of the same organization. The implication of this is that peers |
| 186 | + may share through gossip organization-scoped data with a set of peers that |
| 187 | + are members of the same subdivision, and not with the full set of providers |
| 188 | + constituting the actual organization. |
| 189 | + - **Multiple organizations using a single MSP.** This corresponds to a |
| 190 | + case of a consortium of organisations, that are governed by similar |
| 191 | + membership architecture. One needs to know here that peers would propagate |
| 192 | + organization-scoped messages to the peers that have identity under the |
| 193 | + same MSP regardless of whether they belong to the same actual organization. |
| 194 | + This is a limitation of granularity of MSP definition, and/or of peer’s |
| 195 | + configuration. In future versions of Fabric, this can change as we move |
| 196 | + towards (i) an identity channel that contains all membership related |
| 197 | + information of the network, (ii) peer notion of “trust-zone” being |
| 198 | + configurable, a peer’s administrator specifying at peer setup time whose |
| 199 | + MSP members should be treated by peers as authorized to receive |
| 200 | + “organization”-scoped messages. |
| 201 | + |
| 202 | +**2) On organization has different divisions (say organizational units), to** |
| 203 | +**which it wants to grant access to different channels.** |
| 204 | + |
| 205 | +Two ways to handle this: |
| 206 | + - Define one MSP to accommodate membership for all organization’s |
| 207 | + members. Configuration of that MSP would consist of a list of root CAs, |
| 208 | + intermediate CAs and admin certificates, and membership identities would |
| 209 | + include the organizational unit (OU) a member belongs to. Policies can then |
| 210 | + be defined to capture members of a specific OU, and these policies may |
| 211 | + constitute the read/write policies of a channel or endorsement policies of |
| 212 | + a chaincode. A limitation of this approach, is that gossip peers would |
| 213 | + consider peers with membership identities under their local MSP as |
| 214 | + members of the same organization, and would consequently gossip |
| 215 | + with them organisation-scoped data (e.g., their status). |
| 216 | + - Defining one MSP to represent each division, i.e., specify for each |
| 217 | + division a set of certificates, for root CAs, intermediate CAs, and admin |
| 218 | + Certs, such that there is no overlapping certification path across MSPs. |
| 219 | + This would mean that, e.g., a different intermediate CA per subdivision |
| 220 | + is employed. Here the disadvantage is the management of more than one |
| 221 | + MSPs instead of one, but this circumvents the issue present in approach |
| 222 | + (1). |
| 223 | + - Define one MSP for each division by leveraging an OU extension of the |
| 224 | + MSP configuration. |
| 225 | + |
| 226 | +**3) Separating clients from peers of the same organization.** |
| 227 | + |
| 228 | +In many cases it is required that the “type” of an identity is retrievable |
| 229 | +from the identity itself, e.g., it may be needed that endorsements are |
| 230 | +guaranteed to have derived by peers, and not clients or nodes acting solely |
| 231 | +as orderers. |
| 232 | + |
| 233 | +There is limited support for such requirements. |
| 234 | + |
| 235 | +One way to allow for this separation is to to create a separate intermediate |
| 236 | +CA for each node type, one for clients and one for peers/orderers, and |
| 237 | +configure two different MSPs one for clients, and one for peers/orderers. |
| 238 | +Channels this organization should be accessing, would need to include |
| 239 | +both MSPs, while endorsement policies will leverage only the MSP that |
| 240 | +refers to the peers. This would ultimately result into the organization |
| 241 | +being mapped to two MSP instances, and would have certain consequences |
| 242 | +into the way peers and clients interact. |
| 243 | + |
| 244 | +Gossip would not be drastically impacted as all peers of the same organization |
| 245 | +would still belong to one MSP. Peers restrict the execution of certain |
| 246 | +system chaincodes to, e.g., local MSP based policies. For |
| 247 | +example, peers would only execute “JoinChannel” request if the request is |
| 248 | +signed by the admin of their local MSP who can only be a client (end-user |
| 249 | +should be sitting at the origin of that request). We can go around this |
| 250 | +inconsistency if we accept that the only clients to be members of a |
| 251 | +peer/orderer MSP would be the administrators of that MSP. |
| 252 | + |
| 253 | +Another point to be considered with this approach is that peers |
| 254 | +authorize event registration requests based on membership of request |
| 255 | +originator within their local MSP. Clearly, since the originator of the |
| 256 | +request is a client, the request originator is always doomed to belong |
| 257 | +to a different MSP than the requested peer and the peer would reject the |
| 258 | +request. |
| 259 | + |
| 260 | + |
| 261 | +**4) Admin and CA certificates.** It is important to set MSP admin certificates |
| 262 | +to be different than any of the certificates considered by the MSP for ``root |
| 263 | +of trust``, or intermediate CAs. This is a common (security) practice to |
| 264 | +separate the duties of management of membership components from the issuing of |
| 265 | +new certificates, and/or validation of existing ones. |
| 266 | + |
| 267 | +**5) Blacklisting an intermediate CA.** As mentioned in previous sections, |
| 268 | +reconfiguration of an MSP is achieved by reconfiguration mechanisms (manual |
| 269 | +reconfiguration for the local MSP instances, and via properly constructed |
| 270 | +``config_update`` messages for MSP instances of a channel). Clearly, there are |
| 271 | +two ways to ensure an intermediate CA considered in an MSP is no longer |
| 272 | +considered for that MSP's identity validation: |
| 273 | + 1. Reconfigure the MSP to no longer include the certificate of that |
| 274 | + intermediate CA in the list of trusted intermediate CA certs. For the |
| 275 | + locally configured MSP, this would mean that the certificate of this CA is |
| 276 | + removed from the ``intermediatecerts`` folder. |
| 277 | + 2. Reconfigure the MSP to include a CRL produced by the root of trust |
| 278 | + which denounces the mentioned intermediate CA's certificate. |
| 279 | +In the current MSP implementation we only support method (1) as it is simpler |
| 280 | +and does not require that the no longer considered intermediate CA is |
| 281 | +blacklisted. |
0 commit comments