#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables. The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca-keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '-' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#      All default values are shown beside each element below.
#
#   FILE NAME ELEMENTS
#   ------------------
#   All filename elements below end with the word "file".
#   For example, see "certfile" and "keyfile" in the "ca" section.
#   The value of each filename element can be a simple filename, a
#   relative path, or an absolute path. If the value is not an
#   absolute path, it is interpreted as being relative to the location
#   of this configuration file.
#
#############################################################################
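# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false). Kept off here.
# NOTE(review): debug output of a CA server may include request details;
# confirm what is logged before enabling it outside a test setup.
debug: false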
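#############################################################################
#  TLS section for the server's listening port
#############################################################################
tls:
  # Enable TLS (default: false). This file overrides the default and turns
  # TLS on for the listening port.
  enabled: true
  # Certificate presented on the listening port. A name that is not an
  # absolute path is resolved relative to the location of this file.
  certfile: peerOrg1-cert.pem
  # Private key matching certfile. Keep it readable only by the account
  # that runs fabric-ca-server: whoever holds it can impersonate the
  # server's TLS endpoint.
  # NOTE(review): the file names suggest a generated organisation cert/key
  # pair is reused for TLS - confirm; a dedicated TLS pair limits what a
  # single key exposure affects.
  keyfile: 331cc9c5fc570a5f0f88537ca49196a0158618a9411d051dc67e8ac9fcee03a2_sk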
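#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network. It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts) and transaction
#  certificates (TCerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA. Left empty in this file, although it is meant to be
  # unique across the network - set it per deployment.
  name:
  # Key file (default: ca-key.pem). This is the key used when issuing
  # ECerts and TCerts, so it is the most sensitive file this configuration
  # points at: restrict it to the server's account and keep it out of
  # version control and image layers.
  keyfile: ca-key.pem
  # Certificate file (default: ca-cert.pem)
  certfile: ca-cert.pem
  # Chain file. The documented default is chain-cert.pem; this file sets
  # ca-chain.pem instead.
  chainfile: ca-chain.pem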
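#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and
#     values which the fabric-ca-server optionally puts into TCerts
#     which it issues for transacting on the Hyperledger Fabric blockchain.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: 0, which means there is no limit).
  # With no limit, a secret that leaks stays usable for obtaining further
  # certificates; a positive value caps that.
  maxEnrollments: 0

  # Contains user information which is used when LDAP is disabled.
  # The secret below sits in clear text in this file and is the commonly
  # published sample value. Replace it before the server is reachable by
  # anyone else, and restrict read access to this file.
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      # This identity can register every role listed, delegate most of
      # them, revoke certificates (hf.Revoker) and enrol intermediate CAs
      # (hf.IntermediateCA): whoever knows its secret controls issuance
      # for this CA. Trim the attributes to what the deployment needs.
      attrs:
        hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
        hf.Registrar.DelegateRoles: "client,user,validator,auditor"
        hf.Revoker: true
        hf.IntermediateCA: true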
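#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store. Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: sqlite3
  # For sqlite3 this is the database file name.
  # NOTE(review): presumably this store holds the registry's identities
  # and their secrets - confirm, and protect the file accordingly.
  datasource: fabric-ca-server.db
  tls:
    # Off, which fits the embedded sqlite3 store (no network connection).
    # Turn it on together with a move to postgres or mysql so the link to
    # the database server is authenticated and encrypted.
    enabled: false
    certfiles: db-server-cert.pem  # Comma Separated (e.g. root.pem, root2.pem)
    client:
      certfile: db-client-cert.pem
      # Private key for the client certificate; same file-permission care
      # as the other key files.
      keyfile: db-client-key.pem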
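#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  enabled: false
  # The URL of the LDAP server.
  # The bind DN and its password are part of this URL, so once it is filled
  # in this file holds a directory credential. Following the override rules
  # at the top of this file it can be supplied as FABRIC_CA_SERVER_LDAP_URL
  # instead of being written here.
  # The ldap:// scheme sends the bind and the enrollment secrets it checks
  # without transport encryption; use ldaps:// with the tls settings below
  # when the directory is reached over a network.
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  tls:
    certfiles: ldap-server-cert.pem  # Comma Separated (e.g. root.pem, root2.pem)
    client:
      certfile: ldap-client-cert.pem
      keyfile: ldap-client-key.pem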
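#############################################################################
#  Affiliation section
#  Maps each organisation to the list of departments defined under it.
#  NOTE(review): org1/org2 and department1/department2 look like sample
#  values - replace with the deployment's own hierarchy.
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1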
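#############################################################################
#  Signing section
#  "profiles" holds named signing profiles; "default" applies when no
#  profile is named. Both use the same usage and expiry here; only the
#  "ca" profile sets the CA constraint.
#############################################################################
signing:
  profiles:
    # Profile for issuing CA certificates (isca: true).
    ca:
      usage:
        - cert sign
      expiry: 8000h
      caconstraint:
        isca: true
  # NOTE(review): the default profile also lists "cert sign" as its only
  # usage. For end-entity enrollment certificates "digital signature" is
  # what is normally expected - confirm this is intended.
  default:
    usage:
      - cert sign
    expiry: 8000h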
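###########################################################################
#  Certificate Signing Request section for generating the CA certificate
###########################################################################
csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  # NOTE(review): this looks like an auto-generated container hostname.
  # A certificate generated from it will not match the name clients use
  # to reach the server - list the real host names here.
  hosts:
    - d49dbadd50a8
  # No value is set for any of the three elements below.
  # NOTE(review): the registry's bootstrap identity is allowed to enrol
  # intermediate CAs (hf.IntermediateCA), so decide explicitly how long a
  # chain this CA certificate should permit rather than leaving pathlen
  # to whatever the server applies when it is empty.
  ca:
    pathlen:
    pathlenzero:
    expiry: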
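#############################################################################
#  Crypto section configures the crypto primitives used for all
#  NOTE(review): the sentence above is cut short in the source listing.
#############################################################################
crypto:
  software:
    hash_family: SHA2
    security_level: 256
    ephemeral: false
    # NOTE(review): by its name this directory holds generated private
    # keys - confirm, and keep it readable only by the server's account.
    key_store_dir: keys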