3. CA证书服务使用详解
CA证书服务设计链接:CA证书服务设计
3.1. 功能介绍
根据提供的信息生成公私钥和签发单个证书,并保存证书和密钥(root密钥不作保存,只生成文件)。
通过CSR文件签发单个证书,并保存证书。
可以延期某个具体证书的有效期。
可以通过证书链上的CA证书撤销某个证书。
能够生成CA证书的最新的撤销列表文件(CRL文件)。
root证书可以选择配置或者自签生成。
可以配置不同的启动方式,用来区分tls和sign证书的签发。
可以签发单独使用的tls加密或者签名证书(国密标准,tls双证书)。
可以配置中间证书启动,保护root证书。
提供开启密钥文件加密功能。
3.2. 安装部署
3.2.1. 环境依赖
golang
版本为1.16或以上
下载地址:https://golang.org/dl/
3.2.2. 代码下载
$ git clone --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-ca.git
3.2.3. 运行启动
3.2.3.1. 修改mysql数据库连接配置
$ cd src/conf/
$ vi config.yaml # 配置mysql数据库,打开config.yaml,修改db_config
3.2.3.2. 部署启动
方式一:
准备并启动mysql数据库
mysql
版本8.0及以上
下载地址:https://dev.mysql.com/downloads/installer/
编译chainmaker-ca程序
$ cd src/ $ go build -o chainmaker-ca
启动程序
$ cd src/ $ ./chainmaker-ca -config ./conf/config.yaml
方式二:
准备docker基础镜像
mysql: 8.0, golang:1.16.2, centos:7.6.1810
启动docker容器脚本
$ sh deploy.sh
3.3. 配置文件详解
目录:src/conf/config.yaml
配置文件主要是以下几部分构成:
3.3.1. base config
CA服务的基础配置
# Base config
base_config:
server_port: 8090 #服务端口
ca_type: single_root #启动模式:double_root/single_root/tls/sign
expire_year: 2 #签发有效年限
expire_month: 6 #签发有效月份(优先级高于年限)
hash_type: SHA256 #使用哈希类型:SHA256/SHA3_256/SM3
key_type: ECC_NISTP256 #使用密钥类型:ECC_NISTP256/SM2/RSA2048
can_issue_ca: true #是否能继续签发CA证书
provide_service_for: [org1,org2] #提供服务的组织列表(若不配置,则不限制组织)
key_encrypt: false #密钥是否加密
access_control: true #是否开启访问控制
default_domain: chainmaker.org #证书里的域名(如果不开启配置,则不会填写)
*注
SM2和SM3必须要搭配使用
ca_type:
CA启动模式,可以将tls和sign证书签发服务分离部署。
tls,该服务只提供为tls证书的签发服务。
sign,该服务只提供sign证书的签发服务。
single_root,可以为tls和sign证书同时提供签发服务,使用一个root CA证书。
double_root,可以为tls和sign证书同时提供签发服务,使用两个root CA证书。
can_issue_ca:
在所提供服务的组织内,是否能够签发中间CA证书。
provide_service_for:
对列表中的组织提供签发服务。可以仅配置一个组织,只为单个提供服务。也可以配置多个,向多个组织提供签发服务。如果不配置,则为任何组织服务。
key_encrypt:
提供密钥文件加密的开关。如果开启,密钥会采用PEMCipherAES256加密方式,加密密钥文件。(root密钥不存储,也不加密)
access_control:
访问控制开关,如果开启,访问将服务的所有接口需要携带token访问。
3.3.2. root config
root 证书的路径和CSR配置
# Root CA config
root_config:
cert:
-
cert_type: tls #root证书的类型:tls/sign
cert_path: ../crypto-config/rootCA/tls/root-tls.crt #证书的路径
private_key_path: ../crypto-config/rootCA/tls/root-tls.key #密钥的路径
key_id: SM2TlsKey261 #密码机pkcs11 key id
-
cert_type: sign
cert_path: ../crypto-config/rootCA/sign/root-sign.crt
private_key_path: ../crypto-config/rootCA/sign/root-sign.key
key_id: SM2SignKey262
csr:
CN: root.org-wx #证书的信息的CN字段
O: org-wx #证书的信息的O字段
OU: root #证书的信息的OU字段
country: CN #证书的信息的country字段
locality: Beijing #证书的信息的locality字段
province: Beijing #证书的信息的province字段
cert_type:
证书的路径类型,如果CA的启动方式是double_root,需要同时配置tls和sign两种类型的证书路径。如果CA启动方式是single_root,需要配置sign类型的证书路径。
csr(选填):
不填:读取cert目录下的root证书启动服务。
填写:以CSR配置自签root证书启动服务。
其中,OU字段需要符合chainmaker的证书校验规范,否则链上会校验失败。需要填写root。
3.3.3. intermediate_config
可选配置
中间CA的生成配置
# intermediate config
intermediate_config:
-
csr:
CN: ca.org1
O: org1
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2TlsKey261
-
csr:
CN: ca.org2
O: org2
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2TlsKey262
3.3.4. access_control_config
可选配置
访问控制账号配置
access_control_config:
-
app_role: admin #角色
app_id: admin #账户ID
app_key: passw0rd #账户口令
-
app_role: user
app_id: user1
app_key: passw0rd
app_role
admin : 所有权限
user :不能进行吊销、延期证书。只能申请,查询证书。
3.3.5. database config(MySQL)
数据库信息配置
db_config:
user: root #用户名
password: 123456 #密码
ip: 127.0.0.1 #数据库服务器的IP地址
port: 3306 #数据库服务器的端口号
dbname: chainmaker_ca #建立的数据库的名称
3.3.6. log config
日志相关配置
log_config:
level: error #日志等级
filename: ../log/ca.log #日志存取路径
max_size: 1 #在进行切割之前,日志文件的最大大小(以MB为单位)
max_age: 30 #保留旧文件的最大天数
max_backups: 5 #保留旧文件的最大个数
3.3.7. pkcs11 config
硬件机密机相关配置
pkcs11_config:
enabled: false # pkcs11硬件加密开关。
library: /usr/local/lib64/pkcs11/libupkcs11.so # pkcs11连接库地址。
label: HSM # slot 标签
password: 11111111 # HSM token登录密码
session_cache_size: 10 # session 缓存大小
hash: "SHA256" # 哈希算法
3.4. 可部署方式
3.4.1. 配置文件的使用
集中式1:
属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。
启用多个中间CA,intermediate_config需要配置多个。
不允许继续签发中间CA证书,base_config.can_issue_ca为false。
集中式2:
属于集中式部署,为多个组织提供服务,base_config.provide_service_for需要配置多个组织。
启用单个中间CA证书,intermediate_config需要配置一个。
不允许继续签发中间CA证书,base_config.can_issue_ca为false。
分布式1:
属于分布式和集中混合部署方式
集中式部分
为多个组织提供服务,base_config.provide_service_for需要配置多个组织。
没有启用配置中间CA证书,intermediate_config不需要配置。
允许继续签发中间CA证书,base_config.can_issue_ca为ture。
分布式部分:
为一个组织提供服务,base_config.provide_service_for需要配置单个组织。
root证书选择配置启动,root_config.csr部分不需要配置。
没有启用配置中间CA证书,intermediate_config不需要配置。
不允许继续签发中间CA证书,base_config.can_issue_ca为false。
分布式2:
属于分布式部署,为单个组织提供服务,base_config.provide_service_for只需要配置一个组织。
启用配置一个中间CA证书,intermediate_config需要配置一个。
不允许继续签发中间CA证书,base_config.can_issue_ca为false。
3.5. 服务接口
3.5.1. Code与Msg
| Code | Msg | 含义 |
|---|---|---|
| 200 | The request service returned successfully | 成功 |
| 202 | Missing required parameters | 输入参数缺失 |
| 204 | There is an error in the input parameter | 输入参数非法 |
| 500 | An error occurred with the internal service | 执行服务失败 |
3.5.2. 传参方式
统一为request body JSON的形式。
3.5.3. 登录获取token接口
请求地址:http://localhost:8090/api/ca/login
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| appId | string | 登录id | 必填 |
| appKey | string | 登录口令 | 必填 |
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": {
"accessToken": "1111111",
"expiressIn": 7200
}
}
| 字段 | 类型 | 含义 |
|---|---|---|
| accessToken | string | token值 |
| expiressIn | number | 过期时间(秒) |
3.5.4. 申请证书
从创建密钥对到证书,一步完成。
请求URL:http://localhost:8090/api/ca/gencert
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| orgId | string | 组织ID | 必填 |
| userId | string | 用户ID | *选填 |
| userType | string | 用户类型 | 必填 |
| certUsage | string | 证书用途 | 必填 |
| privateKeyPwd | string | 密钥密码 | 选填 |
| country | string | 证书字段(国家) | 必填 |
| locality | string | 证书字段(城市) | 必填 |
| province | string | 证书字段(省份) | 必填 |
| token | string | token | 选填 |
userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc
*注:
userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": {
"certSn": 4523845175273844671,
"issueCertSn": 1146073575643658842,
"cert": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
"privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIL2vmKiNl3hymnVvjkD3f9xrGAmvJCZEkGD4VwueObaPoAoGCCqGSM49\nAwEHoUQDQgAEOkQfqEJCbHESNXpmHGBjB8dQFP3/W5DDrqknTbKb+i473RH7ZQTl\nTu5ms4uSeFXvJR2+uYy35xunwTGe2tL+VQ==\n-----END EC PRIVATE KEY-----\n"
}
}
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| cert | string | 证书内容 | |
| privateKey | string | 密钥内容 | |
| certSn | number | 证书序列号 | |
| issueCertSn | number | CA证书序列号 |
3.5.5. 申请CSR
请求URL: http://localhost:8090/api/ca/gencsr
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| orgId | string | 组织ID | 必填 |
| userId | string | 用户ID | *选填 |
| userType | string | 用户类型 | 必填 |
| privateKeyPwd | string | 密钥密码 | 选填 |
| country | string | 证书字段(国家) | 必填 |
| locality | string | 证书字段(城市) | 必填 |
| province | string | 证书字段(省份) | 必填 |
| token | string | token | *选填 |
userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
*注:
userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCBxQIBADBjMQ4wDAYDVQQGEwVjaGluYTEQMA4GA1UECBMHYmVpamluZzEQ\nMA4GA1UEBxMHaGFpZGlhbjENMAsGA1UEChMEb3JnNzEOMAwGA1UECxMFYWRtaW4x\nDjAMBgNVBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaRv9OA2Z\nm/GcJibe/77u8lpABOLOVGgHzAzOd/h+9+Kq4+46CjXaISxEeTrqEMhLKCjcM1Bb\nm8jF5rWiQCFKFaAAMAoGCCqGSM49BAMCA0gAMEUCIFYjsphgIcInLjdhyYtILnFR\nJH7T/vahNbut8OvEgQ9tAiEAsNxL8xw+hGfhd9NgrxEx3Fv9Vj6wv1X3jaHvljME\n76U=\n-----END CERTIFICATE REQUEST-----\n"
}
3.5.6. 通过CSR申请证书
请求URL:http://localhost:8090/api/ca/gencertbycsr
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| orgId | string | 组织ID | 必填 |
| userId | string | 用户ID | *选填 |
| userType | string | 用户类型 | 必填 |
| certUsage | string | 证书用途 | 必填 |
| csr | string | csr文件流 | 必填 |
| token | string | token | 选填 |
userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc
*注:
userId 只有在申请的用户类型是ca的类型时,可以填写为空。在申请节点证书时,需要保证链上节点ID唯一。
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": {
"certSn": 1752004958408437983,
"issueCertSn": 1146073575643658842,
"cert": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n"
}
}
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| cert | string | 证书内容 | |
| certSn | number | 证书序列号 | |
| issueCertSn | number | CA证书序列号 |
3.5.7. 多条件查询证书
请求URL:http://localhost:8090/api/ca/querycerts
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| orgId | string | 组织ID | 选填 |
| userId | string | 用户ID | 选填 |
| userType | string | 用户类型 | 选填 |
| certUsage | string | 证书用途 | 选填 |
| certSn | number | 证书序列号 | 选填 |
| token | string | token | 选填 |
userType: 1.root , 2.ca , 3.admin , 4.client , 5.consensus , 6.common
certUsage: 1.sign , 2.tls , 3.tls-sign , 4.tls-enc
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": [
{
"userId": "consensus1",
"orgId": "org1",
"userType": "consensus",
"certUsage": "tls",
"certSn": 4523845175273844671,
"issuerSn": 1146073575643658842,
"certContent": "-----BEGIN CERTIFICATE-----\nMIIChjCCAiugAwIBAgIIPsftN/MP778wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTI0MjdaFw0yMjA5\nMTQwOTI0MjdaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcxMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ6\nRB+oQkJscRI1emYcYGMHx1AU/f9bkMOuqSdNspv6LjvdEftlBOVO7mazi5J4Ve8l\nHb65jLfnG6fBMZ7a0v5Vo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIGUw1TBs0Tw0Ud3HH/80neNM\nBhFcJ4u2vlzMd59943M6MCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czEwCgYIKoZIzj0EAwID\nSQAwRgIhAPs+jzEu9H177kgyb3iFYM/LuIHNUaIsLnUAKZq9jW3NAiEA9iGP1sg3\nUXWIFW7mpRwzzakdJPkz8l+4ZPzV2nzEOjI=\n-----END CERTIFICATE-----\n",
"expirationDate": 1663147467,
"isRevoked": false
},
{
"userId": "consensus2",
"orgId": "org2",
"userType": "consensus",
"certUsage": "tls",
"certSn": 1752004958408437983,
"issuerSn": 1146073575643658842,
"certContent": "-----BEGIN CERTIFICATE-----\nMIIChDCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMjA5\nMTQwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nRwAwRAIgQyvmQDV4WYUnDRmI8vkm5pXwxvACscJ5pCqjT60SFsUCIDkEK+uURJBJ\ndnzPNSF8HWcMBiNKbWeSZtZ3EtPWlyHp\n-----END CERTIFICATE-----\n",
"expirationDate": 1663148026,
"isRevoked": false
}
]
}
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| certSn | number | 证书序列号 | |
| issuerSn | number | 签发者证书序列号 | |
| certContent | string | 证书内容 | |
| userId | string | 用户ID | |
| orgId | string | 组织ID | |
| userType | string | 用户类型 | |
| certUsage | string | 证书用途 | |
| expirationDate | number | 到期时间 | unix时间戳 |
| isRevoked | boolean | 是否被撤销 |
3.5.8. 延期证书
请求URL:http://localhost:8090/api/ca/renewcert
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| certSn | number | 证书序列号 | 必填 |
| token | string | token | 选填 |
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": {
"certSn": 1752004958408437983,
"issueCertSn": 1146073575643658842,
"cert": "-----BEGIN CERTIFICATE-----\nMIIChTCCAiugAwIBAgIIGFBfOiaocN8wCgYIKoZIzj0EAwIwgYMxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMR8wHQYDVQQK\nExZ3eC1vcmcxLmNoYWlubWFrZXIub3JnMQswCQYDVQQLEwJjYTEiMCAGA1UEAxMZ\nY2Etd3gtb3JnMS5jaGFpbm1ha2VyLm9yZzAeFw0yMjAzMTgwOTMzNDZaFw0yMzAz\nMTMwOTMzNDZaMGkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlKaW5nMRAwDgYD\nVQQHEwdCZWlKaW5nMQ0wCwYDVQQKEwRvcmcyMRIwEAYDVQQLEwljb25zZW5zdXMx\nEzARBgNVBAMTCmNvbnNlbnN1czIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASi\ntzITs9l/4UpGCXzEbdlC+PhvxY/vjE/7HpGR7fdFshFEZM2sk4xVTA+b2LsIv0sf\nkverCTMdZVG3SwymTMlFo4GhMIGeMA4GA1UdDwEB/wQEAwID+DAdBgNVHSUEFjAU\nBggrBgEFBQcDAgYIKwYBBQUHAwEwKQYDVR0OBCIEIHJE5sXl09uw/aXHEm94uNt/\nf9/uJ6yWQv06UWioE0bMMCsGA1UdIwQkMCKAIFtql8AWsUPDhPN5EOpjhLf1Jrev\nUez0a7h0I3J3OrBgMBUGA1UdEQQOMAyCCmNvbnNlbnN1czIwCgYIKoZIzj0EAwID\nSAAwRQIhAOdDmyl0xI3cAxahOXc5pe8RYvl4OquK8jco0E+eqU+LAiBlxgWg1CqW\nk4a1oJF+LK/e1cUXnctf/6NqJLycIElwkA==\n-----END CERTIFICATE-----\n"
}
}
3.5.9. 撤销证书
请求URL:http://localhost:8090/api/ca/revokecert
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| revokedCertSn | number | 证书序列号 | 必填 |
| issuerCertSn | number | 撤销者(ca)证书序列号 | 必填 |
| reason | string | 撤销原因 | 选填 |
| token | string | token | 选填 |
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}
3.5.10. 获取某个CA的最新的撤销列表
请求URL:http://localhost:8090/api/ca/gencrl
请求方式:POST
请求参数:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| issuerCertSn | number | CA证书序列号 | 必填 |
| token | string | token | 选填 |
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": "-----BEGIN CRL-----\nMIIBNTCB3AIBATAKBggqhkjOPQQDAjBfMQswCQYDVQQGEwJDTjEQMA4GA1UECBMH\nQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChMEb3JnMTELMAkGA1UE\nCxMCY2ExEDAOBgNVBAMTB2NhLm9yZzgXDTIxMDYxMTA5NTQ0M1oXDTIxMDYxMTEw\nNTQ0M1owGzAZAggdEyilMlypBhcNMjMwNjExMDkxODA2WqAvMC0wKwYDVR0jBCQw\nIoAgyQvrO7BQev3fQxYIUIroQcF7HbmWFM/A7Ko2Etu9hCMwCgYIKoZIzj0EAwID\nSAAwRQIgFslGwq9Bb9a4wrOSatqRwRu9E0QMmCavrgr6GQRn5fcCIQDCV8mAepI9\nDLEbHtDHqzJ/CrGcRMJWL3gYzBNhWE/yLQ==\n-----END CRL-----\n"
}
3.5.11. 获取节点TLS证书的NodeID
请求URL:http://localhost:8090/api/ca/getnodeid
请求方式:POST
请求参数:
条件查找方式:
| 字段 | 类型 | 含义 | 备注 |
|---|---|---|---|
| orgId | string | 组织ID | 必填 |
| userId | string | 用户ID | 必填 |
| userType | string | 用户类型 | 必填 |
| certUsage | string | 证书用途 | 必填 |
| token | string | token | 选填 |
序列号查找方式:
| 字段 | 类似 | 含义 | 备注 |
|---|---|---|---|
| certSn | number | 证书序列号 | 必填 |
| token | string | token | 选填 |
返回数据:
{
"code": 200,
"msg": "The request service returned successfully",
"data": "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
}
3.6. 使用案例
3.6.1. 案例一:使用已有组织的CA证书,颁发节点和用户证书
3.6.1.1. 环境准备
已经成功启动的长安链
详情启动流程见快速入门
CA服务的配置文件(示例)
# log config
log_config:
level: info # The log level
filename: ../log/ca.log # The path to the log file
max_size: 1 # The maximum size of the log file before cutting (MB)
max_age: 30 # The maximum number of days to retain old log files
max_backups: 5 # Maximum number of old log files to keep
# db config
db_config:
user: root
password: 123456
ip: 127.0.0.1
port: 13306
dbname: chainmaker_ca
# Base config
base_config:
server_port: 8090 # Server port configuration
ca_type: single_root # Ca server type : double_root/single_root/tls/sign
# expire_year: 2 # The expiration time of the certificate (year)
expire_month: 6 # The expiration time of the certificate (month)(high level)
# cert_valid_time : 2m # cert valid time (for testing use only)
hash_type: SHA256 # SHA256/SHA3_256/SM3
key_type: ECC_NISTP256 # ECC_NISTP256/SM2
can_issue_ca: false # Whether can continue to issue CA cert
# provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org]
# A list of organizations that provide services
key_encrypt: false # Whether the key is stored in encryption
access_control: false # Whether to enable permission control
# default_domain: chainmaker.org # the default value for sans in the certificate
pkcs11_config:
enabled: false
library: /usr/local/lib64/pkcs11/libupkcs11.so
label: HSM
password: 11111111
session_cache_size: 10
hash: "SHA256"
# Root CA config
root_config:
cert:
- cert_type: sign # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
cert_path: ../crypto-config/rootCA/root.crt # Certificate file path
private_key_path: ../crypto-config/rootCA/root.key # private key file path
key_id: SM2SignKey261 # pkcs11 key id
# csr:
# CN: root
# O: org-root
# OU: root
# country: CN
# locality: Beijing
# province: Beijing
# access control config
access_control_config:
- app_role: admin
app_id: admin1
app_key: passw0rd
- app_role: user
app_id: user1
app_key: passw0rd
修改配置
# Root CA config
root_config:
cert:
- cert_type: sign # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign)
cert_path: ../crypto-config/rootCA/root.crt # Certificate file path
private_key_path: ../crypto-config/rootCA/root.key # private key file path
key_id: SM2SignKey261 # pkcs11 key id
# csr:
# CN: root
# O: org-root
# OU: root
# country: CN
# locality: Beijing
# province: Beijing
需要修改:
cert_path: 需将该路径下的证书文件替换成在链上已有组织的
CA证书文件。也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:
-v $path/crypto-config:/crypto-config \将
$path/crypto-config目录替换private_key_path: 需将该路径下的密钥文件替换成在链上已有组织的
CA密钥文件。也可直接替换路径,但是要注意的是,如果采用docker方式启动的话,需要修改docker容器文件的映射路径,修改deploy.sh文件:
-v $path/crypto-config:/crypto-config \将
$path/crypto-config目录替换csr: 需要注释掉,不再配置。(由于root CA是配置启动,不需要该部分信息去生成)
intermediate_config:需要注释掉,不再配置。
已经启动的CA服务
详情启动流程见上文安装部署
3.6.1.2. 生成证书
调用上文中申请证书的接口
参数填写(以BodyJSON为例)
共识节点(consensus node)Sign证书
注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
共识节点(consensus node)Tls证书
注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
同步节点(common node)Sign证书
注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
同步节点(common node)Tls证书
注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户管理员(admin)Sign证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "admin1",
"userType": "admin",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户管理员(admin)Tls证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "admin1",
"userType": "admin",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户客户端(client)Sign证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "client1",
"userType": "client",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户客户端(client)Tls证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "client1",
"userType": "client",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId
以组织1的共识节点为例:
nodes:
- # 节点地址,格式为:IP:端口:连接数
node_addr: "127.0.0.1:12301"
# 节点连接数
conn_cnt: 10
# RPC连接是否启用双向TLS认证
enable_tls: true
# 信任证书池路径
trust_root_paths:
- "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
# TLS hostname
# tls_host_name: "chainmaker.org"
#########################################
tls_host_name: "org1.consensus1.com"
#########################################
3.6.1.3. 获取节点TLS证书的NodeId
调用上文中获取节点TLS证书的NodeID的接口
参数填写(以BodyJSON为例)
获取共识节点(consensus node)Tls证书的NodeId
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "tls"
}
获取共识节点(common node)Tls证书的NodeId
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "tls"
}
将bc1.yml和chainmaker.yml中的nodeId替换,配置文件修改位置如下:
bc1.yml
#共识配置
consensus:
# 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
type: 1
# 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
nodes:
- org_id: "wx-org1.chainmaker.org"
node_id:
- "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
- org_id: "wx-org2.chainmaker.org"
node_id:
- "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
- org_id: "wx-org3.chainmaker.org"
node_id:
- "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
- org_id: "wx-org4.chainmaker.org"
node_id:
- "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
chainmaker.yml
# Network Settings
net:
# Network provider, can be libp2p or liquid.
# libp2p: using libp2p components to build the p2p module.
# liquid: a new p2p module we build from 0 to 1.
# This item must be consistent across the blockchain network.
provider: LibP2P
# The address and port the node listens on.
# By default, it uses 0.0.0.0 to listen on all network interfaces.
listen_addr: /ip4/0.0.0.0/tcp/11301
# Max stream of a connection.
# peer_stream_pool_size: 100
# Max number of peers the node can connect.
# max_peer_count_allow: 20
# The strategy for eliminating node when the count of connecting peers reach the max value.
# It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
# peer_elimination_strategy: 3
# The seeds peer list used to join in the network when starting.
# The connection supervisor will try to dial seed peer whenever the connection is broken.
# Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
# Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
seeds:
- "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
- "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
- "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
- "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
3.6.2. 案例二:使用CA生成全套的ChainMaker证书
3.6.2.1. 环境准备
已经成功启动的长安链
详情启动流程见快速入门
CA服务的配置文件(示例)
# log config log_config: level: info # The log level filename: ../log/ca.log # The path to the log file max_size: 1 # The maximum size of the log file before cutting (MB) max_age: 30 # The maximum number of days to retain old log files max_backups: 5 # Maximum number of old log files to keep # db config db_config: user: root password: 123456 ip: 127.0.0.1 port: 13306 dbname: chainmaker_ca # Base config base_config: server_port: 8090 # Server port configuration ca_type: single_root # Ca server type : double_root/single_root/tls/sign # expire_year: 2 # The expiration time of the certificate (year) expire_month: 6 # The expiration time of the certificate (month)(high level) # cert_valid_time : 2m # cert valid time (for testing use only) hash_type: SHA256 # SHA256/SHA3_256/SM3 key_type: ECC_NISTP256 # ECC_NISTP256/SM2 can_issue_ca: false # Whether can continue to issue CA cert # provide_service_for: [wx-org1.chainmaker.org,wx-org2.chainmaker.org,wx-org3.chainmaker.org,wx-org4.chainmaker.org] # A list of organizations that provide services key_encrypt: false # Whether the key is stored in encryption access_control: false # Whether to enable permission control # default_domain: chainmaker.org # the default value for sans in the certificate pkcs11_config: enabled: false library: /usr/local/lib64/pkcs11/libupkcs11.so label: HSM password: 11111111 session_cache_size: 10 hash: "SHA256" # Root CA config root_config: cert: - cert_type: sign # Certificate path type : tls/sign (if ca_type is 'single_root',should be sign) cert_path: ../crypto-config/rootCA/root.crt # Certificate file path private_key_path: ../crypto-config/rootCA/root.key # private key file path key_id: SM2SignKey261 # pkcs11 key id csr: CN: root O: org-root OU: root country: CN locality: Beijing province: Beijing # intermediate config intermediate_config: - csr: CN: ca-wx-org1.chainmaker.org O: wx-org1.chainmaker.org OU: ca country: CN locality: Beijing province: Beijing key_id: SM2SignKey6 - csr: CN: ca-wx-org2.chainmaker.org O: wx-org2.chainmaker.org OU: ca country: CN locality: Beijing province: Beijing key_id: SM2SignKey249 - csr: CN: ca-wx-org3.chainmaker.org O: wx-org3.chainmaker.org OU: ca country: CN locality: Beijing province: Beijing key_id: SM2SignKey257 - csr: CN: ca-wx-org4.chainmaker.org O: wx-org4.chainmaker.org OU: ca country: CN locality: Beijing province: Beijing key_id: SM2SignKey260 # access control config access_control_config: - app_role: admin app_id: admin1 app_key: passw0rd - app_role: user app_id: user1 app_key: passw0rd
已经启动的CA服务
详情启动流程见上文安装部署
3.6.2.2. 获取CA证书
由于以下配置部分,CA服务在启动时,就会生成相应的组织CA证书
intermediate_config:
- csr:
CN: ca-wx-org1.chainmaker.org
O: wx-org1.chainmaker.org
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2SignKey6
- csr:
CN: ca-wx-org2.chainmaker.org
O: wx-org2.chainmaker.org
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2SignKey249
- csr:
CN: ca-wx-org3.chainmaker.org
O: wx-org3.chainmaker.org
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2SignKey257
- csr:
CN: ca-wx-org4.chainmaker.org
O: wx-org4.chainmaker.org
OU: ca
country: CN
locality: Beijing
province: Beijing
key_id: SM2SignKey260
CA服务启动后,直接调用多条件查询证书,获取CA证书
参数填写(以BodyJSON为例)
获取org1的CA证书:
{
"orgId": "wx-org1.chainmaker.org",
"userType": "ca",
"certUsage": "sign"
}
获取org2的CA证书:
{
"orgId": "wx-org2.chainmaker.org",
"userType": "ca",
"certUsage": "sign"
}
获取org3的CA证书:
{
"orgId": "wx-org3.chainmaker.org",
"userType": "ca",
"certUsage": "sign"
}
获取org4的CA证书:
{
"orgId": "wx-org4.chainmaker.org",
"userType": "ca",
"certUsage": "sign"
}
注:获取的CA证书,需要在启动链时,将他们配置到链配置文件bc1.yml的trust_roots里
3.6.2.3. 生成证书
调用上文中申请证书的接口userId
参数填写(以org1为例)
共识节点(consensus node)Sign证书
注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
共识节点(consensus node)Tls证书
注:生成共识节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
同步节点(common node)Sign证书
注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
同步节点(common node)Tls证书
注:生成同步节点证书时,userId需要保证链上唯一;同一节点的Sign和Tls证书,userId需要保持一致。
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户管理员(admin)Sign证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "admin1",
"userType": "admin",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户管理员(admin)Tls证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "admin1",
"userType": "admin",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户客户端(client)Sign证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "client1",
"userType": "client",
"certUsage": "sign",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
用户客户端(client)Tls证书
{
"orgId": "wx-org1.chainmaker.org",
"userId": "client1",
"userType": "client",
"certUsage": "tls",
"country": "CN",
"locality": "BeiJing",
"province": "BeiJing"
}
注:使用CA颁发的节点和用户证书时,需要将sdk配置文件中的tls_host_name,改成节点tls证书的userId
以组织1的共识节点为例:
nodes:
- # 节点地址,格式为:IP:端口:连接数
node_addr: "127.0.0.1:12301"
# 节点连接数
conn_cnt: 10
# RPC连接是否启用双向TLS认证
enable_tls: true
# 信任证书池路径
trust_root_paths:
- "./testdata/crypto-config/wx-org1.chainmaker.org/ca"
# TLS hostname
# tls_host_name: "chainmaker.org"
#########################################
tls_host_name: "org1.consensus1.com"
#########################################
3.6.2.4. 获取节点TLS证书的NodeId
调用上文中获取节点TLS证书的NodeID的接口
参数填写(以BodyJSON为例)
获取共识节点(consensus node)Tls证书的NodeId
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.consensus1.com",
"userType": "consensus",
"certUsage": "tls"
}
获取同步节点(common node)Tls证书的NodeId
{
"orgId": "wx-org1.chainmaker.org",
"userId": "org1.common1.com",
"userType": "common",
"certUsage": "tls"
}
将bc1.yml和chainmaker.yml中的nodeId替换,配置文件修改位置如下:
bc1.yml
#共识配置
consensus:
# 共识类型(0-SOLO,1-TBFT,2-MBFT,3-MAXBFT,4-RAFT,10-POW)
type: 1
# 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式
nodes:
- org_id: "wx-org1.chainmaker.org"
node_id:
- "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
- org_id: "wx-org2.chainmaker.org"
node_id:
- "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
- org_id: "wx-org3.chainmaker.org"
node_id:
- "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
- org_id: "wx-org4.chainmaker.org"
node_id:
- "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
chainmaker.yml
# Network Settings
net:
# Network provider, can be libp2p or liquid.
# libp2p: using libp2p components to build the p2p module.
# liquid: a new p2p module we build from 0 to 1.
# This item must be consistent across the blockchain network.
provider: LibP2P
# The address and port the node listens on.
# By default, it uses 0.0.0.0 to listen on all network interfaces.
listen_addr: /ip4/0.0.0.0/tcp/11301
# Max stream of a connection.
# peer_stream_pool_size: 100
# Max number of peers the node can connect.
# max_peer_count_allow: 20
# The strategy for eliminating node when the count of connecting peers reach the max value.
# It could be: 1 Random, 2 FIFO, 3 LIFO. The default strategy is LIFO.
# peer_elimination_strategy: 3
# The seeds peer list used to join in the network when starting.
# The connection supervisor will try to dial seed peer whenever the connection is broken.
# Example ip format: "/ip4/127.0.0.1/tcp/11301/p2p/"+nodeid
# Example dns format:"/dns/cm-node1.org/tcp/11301/p2p/"+nodeid
seeds:
- "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
- "/ip4/127.0.0.1/tcp/11302/p2p/QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
- "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
- "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
重复以上步骤,依次生成org2,org3,org4的全部证书即可在链上使用。
3.7. 外部证书兼容配置手册
3.7.1. 证书准备
外部证书
如果需要使用第三方外部证书,即不是长安链CA(chainmaker-ca)和长安链证书生成工具(chainmaker-cryptogen)生成的X.509标准的数字证书,例如,由BJCA签发的证书,需要准备好第三方外部证书。
内部证书
需要准备由长安链CA或者长安链证书生成工具生成的节点TLS通讯证书。
使用长安链CA参考:CA证书服务使用手册
使用长安链证书生成工具参考:证书生成工具
3.7.2. 配置方法
主要支持两种配置方式
通过链配置文件写入genesis block。
通过发送配置更新交易,更新到链上。
链配置文件方式
该方式需要两步,首先更改链配置文件,其次更新节点或用户的证书配置。
在bc.yml链配置文件中添加下面配置
trust_members: - member_info: "../BJCA/consensus.sign.crt" org_id: "wx-org1.chainmaker.org" role: "consensus" node_id: "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4" - member_info: "../BJCA/admin.sign.crt" org_id: "wx-org1.chainmaker.org" role: "admin" node_id: ""
member_info
外部证书文件的路径
org_id
外部证书在链上的组织ID
role
外部证书在链上的角色。可填:admin/client/consensus
node_id
当使用的外部证书为consensus角色的签名证书时,需要将共识配置中的node_id(即该节点TLS证书的node_id)填写到此处。(其它情况可忽略该配置项)
共识配置如下:
#共识配置 consensus: # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,10-POW) type: 1 # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式 nodes: - org_id: "wx-org1.chainmaker.org" node_id: - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4" - org_id: "wx-org2.chainmaker.org" node_id: - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
节点证书替换为外部证书的方法
打开节点配置文件chainmaker.yml的node部分
node: # 节点类型:full type: full org_id: {org_id} priv_key_file: ../config/{org_path}/certs/{node_cert_path}.key cert_file: ../config/{org_path}/certs/{node_cert_path}.crt signer_cache_size: 1000 cert_cache_size: 1000 pkcs11: enabled: false library: # path to the so file of pkcs11 interface label: # label for the slot to be used password: # password to logon the HSM session_cache_size: 10 # size of HSM session cache, default to 10 hash: "SHA256" # hash algorithm used to compute SKI
priv_key_file 替换成外部证书的私钥文件路径
cert_file 替换成外部证书的证书文件路径
发送配置更新交易方式
例如,使用cmc命令行工具操作
增加外部信任成员信息
./cmc client chainconfig trustmember add \ --sdk-conf-path=./testdata/sdk_config.yml \ --org-id=wx-org1.chainmaker.org \ --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \ --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \ --trust-member-org-id=wx-org2.chainmaker.org \ --trust-member-path=./testdata/trust-member-demo/node1-sign.pem \ --trust-member-role=consensus \ --trust-member-node-id=QmYcfSHGiXjHKkHo65YfxWLT6G7B81Zct7F7ep8GWFtuUK
参数说明
trust-member-org-id 外部证书在链上的组织ID
trust-member-path 外部证书文件的路径
trust-member-role 外部证书在链上的角色
trust-member-node-id 当使用的外部证书为consensus角色的签名证书时,需要将共识配置中的node_id配置到该位置。
删除外部信任成员信息
./cmc client chainconfig trustmember remove \ --sdk-conf-path=./testdata/sdk_config.yml \ --org-id=wx-org1.chainmaker.org \ --admin-crt-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.crt,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.crt \ --admin-key-file-paths=./testdata/crypto-config/wx-org1.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org2.chainmaker.org/user/admin1/admin1.sign.key,./testdata/crypto-config/wx-org3.chainmaker.org/user/admin1/admin1.sign.key \ --trust-member-path=./testdata/trust-member-demo/node1-sign.pem \
参数说明
trust-member-path 外部证书文件的路径
3.7.3. 示例
本示例基于链环境搭建的通过命令行工具启动链部分,来配置node1的签名证书为第三方外部证书。
配置准备
首先进入chainmaker-go目录
将外部证书目录trust-member放到node1节点证书目录下
$ cd build/config/node1/certs $ tree
├── ca │ ├── wx-org1.chainmaker.org │ │ └── ca.crt │ ├── wx-org2.chainmaker.org │ │ └── ca.crt │ ├── wx-org3.chainmaker.org │ │ └── ca.crt │ └── wx-org4.chainmaker.org │ └── ca.crt ├── node │ ├── common1 │ │ ├── common1.nodeid │ │ ├── common1.sign.crt │ │ ├── common1.sign.key │ │ ├── common1.tls.crt │ │ └── common1.tls.key │ └── consensus1 │ ├── consensus1.nodeid │ ├── consensus1.sign.crt │ ├── consensus1.sign.key │ ├── consensus1.tls.crt │ └── consensus1.tls.key ├── trust-member │ ├── trust-member.node1-sign.key │ └── trust-member.node1-sign.pem └── user ├── admin1 │ ├── admin1.sign.crt │ ├── admin1.sign.key │ ├── admin1.tls.crt │ └── admin1.tls.key └── client1 ├── client1.addr ├── client1.sign.crt ├── client1.sign.key ├── client1.tls.crt └── client1.tls.key
然后其它节点需要将第三方证书放入证书目录。
$ cd build/config $ tree
├── node1 │ ├── certs │ │ ├── ca │ │ │ ├── wx-org1.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org2.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org3.chainmaker.org │ │ │ │ └── ca.crt │ │ │ └── wx-org4.chainmaker.org │ │ │ └── ca.crt │ │ ├── node │ │ │ ├── common1 │ │ │ │ ├── common1.nodeid │ │ │ │ ├── common1.sign.crt │ │ │ │ ├── common1.sign.key │ │ │ │ ├── common1.tls.crt │ │ │ │ └── common1.tls.key │ │ │ └── consensus1 │ │ │ ├── consensus1.nodeid │ │ │ ├── consensus1.sign.crt │ │ │ ├── consensus1.sign.key │ │ │ ├── consensus1.tls.crt │ │ │ └── consensus1.tls.key │ │ ├── trust-member │ │ │ ├── trust-member.node1-sign.key │ │ │ └── trust-member.node1-sign.pem │ │ └── user │ │ ├── admin1 │ │ │ ├── admin1.sign.crt │ │ │ ├── admin1.sign.key │ │ │ ├── admin1.tls.crt │ │ │ └── admin1.tls.key │ │ └── client1 │ │ ├── client1.addr │ │ ├── client1.sign.crt │ │ ├── client1.sign.key │ │ ├── client1.tls.crt │ │ └── client1.tls.key │ ├── chainconfig │ │ └── bc1.yml │ ├── chainmaker.yml │ └── log.yml ├── node2 │ ├── certs │ │ ├── ca │ │ │ ├── wx-org1.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org2.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org3.chainmaker.org │ │ │ │ └── ca.crt │ │ │ └── wx-org4.chainmaker.org │ │ │ └── ca.crt │ │ ├── node │ │ │ ├── common1 │ │ │ │ ├── common1.nodeid │ │ │ │ ├── common1.sign.crt │ │ │ │ ├── common1.sign.key │ │ │ │ ├── common1.tls.crt │ │ │ │ └── common1.tls.key │ │ │ └── consensus1 │ │ │ ├── consensus1.nodeid │ │ │ ├── consensus1.sign.crt │ │ │ ├── consensus1.sign.key │ │ │ ├── consensus1.tls.crt │ │ │ └── consensus1.tls.key │ │ ├── trust-member │ │ │ └── trust-member.node1-sign.pem │ │ └── user │ │ ├── admin1 │ │ │ ├── admin1.sign.crt │ │ │ ├── admin1.sign.key │ │ │ ├── admin1.tls.crt │ │ │ └── admin1.tls.key │ │ └── client1 │ │ ├── client1.addr │ │ ├── client1.sign.crt │ │ ├── client1.sign.key │ │ ├── client1.tls.crt │ │ └── client1.tls.key │ ├── chainconfig │ │ └── bc1.yml │ ├── chainmaker.yml │ └── log.yml ├── node3 │ ├── certs │ │ ├── ca │ │ │ ├── wx-org1.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org2.chainmaker.org │ │ │ │ └── ca.crt │ │ │ ├── wx-org3.chainmaker.org │ │ │ │ └── ca.crt │ │ │ └── wx-org4.chainmaker.org │ │ │ └── ca.crt │ │ ├── node │ │ │ ├── common1 │ │ │ │ ├── common1.nodeid │ │ │ │ ├── common1.sign.crt │ │ │ │ ├── common1.sign.key │ │ │ │ ├── common1.tls.crt │ │ │ │ └── common1.tls.key │ │ │ └── consensus1 │ │ │ ├── consensus1.nodeid │ │ │ ├── consensus1.sign.crt │ │ │ ├── consensus1.sign.key │ │ │ ├── consensus1.tls.crt │ │ │ └── consensus1.tls.key │ │ ├── trust-member │ │ │ └── trust-member.node1-sign.pem │ │ └── user │ │ ├── admin1 │ │ │ ├── admin1.sign.crt │ │ │ ├── admin1.sign.key │ │ │ ├── admin1.tls.crt │ │ │ └── admin1.tls.key │ │ └── client1 │ │ ├── client1.addr │ │ ├── client1.sign.crt │ │ ├── client1.sign.key │ │ ├── client1.tls.crt │ │ └── client1.tls.key │ ├── chainconfig │ │ └── bc1.yml │ ├── chainmaker.yml │ └── log.yml └── node4 ├── certs │ ├── ca │ │ ├── wx-org1.chainmaker.org │ │ │ └── ca.crt │ │ ├── wx-org2.chainmaker.org │ │ │ └── ca.crt │ │ ├── wx-org3.chainmaker.org │ │ │ └── ca.crt │ │ └── wx-org4.chainmaker.org │ │ └── ca.crt │ ├── node │ │ ├── common1 │ │ │ ├── common1.nodeid │ │ │ ├── common1.sign.crt │ │ │ ├── common1.sign.key │ │ │ ├── common1.tls.crt │ │ │ └── common1.tls.key │ │ └── consensus1 │ │ ├── consensus1.nodeid │ │ ├── consensus1.sign.crt │ │ ├── consensus1.sign.key │ │ ├── consensus1.tls.crt │ │ └── consensus1.tls.key │ ├── trust-member │ │ └── trust-member.node1-sign.pem │ └── user │ ├── admin1 │ │ ├── admin1.sign.crt │ │ ├── admin1.sign.key │ │ ├── admin1.tls.crt │ │ └── admin1.tls.key │ └── client1 │ ├── client1.addr │ ├── client1.sign.crt │ ├── client1.sign.key │ ├── client1.tls.crt │ └── client1.tls.key ├── chainconfig │ └── bc1.yml ├── chainmaker.yml └── log.yml
node1链配置bc1.yml
chain_id: chain1 # 链标识 version: v2.0.0 # 链版本 sequence: 1 # 配置版本 auth_type: "identity" # 认证类型 crypto: hash: SHA256 # 合约支持类型的配置 contract: enable_sql_support: false # 合约是否支持sql,此处若为true,则chainmaker.yml中则需配置storage.statedb_config.provider=sql,否则无法启动 # 交易、区块相关配置 block: tx_timestamp_verify: true # 是否需要开启交易时间戳校验 tx_timeout: 600 # 交易时间戳的过期时间(秒) block_tx_capacity: 100 # 区块中最大交易数 block_size: 10 # 区块最大限制,单位MB block_interval: 2000 # 出块间隔,单位:ms # core模块 core: tx_scheduler_timeout: 10 # [0, 60] 交易调度器从交易池拿到交易后, 进行调度的时间 tx_scheduler_validate_timeout: 10 # [0, 60] 交易调度器从区块中拿到交易后, 进行验证的超时时间 # snapshot module snapshot: enable_evidence: false # enable the evidence support # scheduler module scheduler: enable_evidence: false # enable the evidence support #共识配置 consensus: # 共识类型(0-SOLO,1-TBFT,2-MBFT,3-HOTSTUFF,4-RAFT,5-DPOS,10-POW) type: 1 # 共识节点列表,组织必须出现在trust_roots的org_id中,每个组织可配置多个共识节点,节点地址采用libp2p格式 # 其中node_id为chainmaker.yml中 node.cert_file证书对应的nodeid nodes: - org_id: "wx-org1.chainmaker.org" node_id: - "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp" - org_id: "wx-org2.chainmaker.org" node_id: - "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS" - org_id: "wx-org3.chainmaker.org" node_id: - "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW" - org_id: "wx-org4.chainmaker.org" node_id: - "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ" ext_config: # 扩展字段,记录难度、奖励等其他类共识算法配置 - key: aa value: chain01_ext11 dpos_config: # DPoS #ERC20合约配置 - key: erc20.total value: "{erc20_total}" - key: erc20.owner value: "{org1_peeraddr}" - key: erc20.decimals value: "18" - key: erc20.account:DPOS_STAKE value: "{erc20_total}" #Stake合约配置 - key: stake.minSelfDelegation value: "2500000" - key: stake.epochValidatorNum value: "{epochValidatorNum}" - key: stake.epochBlockNum value: "10" - key: stake.completionUnbondingEpochNum value: "1" - key: stake.candidate:{org1_peeraddr} value: "2500000" - key: stake.candidate:{org2_peeraddr} value: "2500000" - key: stake.candidate:{org3_peeraddr} value: "2500000" - key: stake.candidate:{org4_peeraddr} value: "2500000" - key: stake.nodeID:{org1_peeraddr} value: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp" - key: stake.nodeID:{org2_peeraddr} value: "QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS" - key: stake.nodeID:{org3_peeraddr} value: "QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW" - key: stake.nodeID:{org4_peeraddr} value: "QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ" # 信任组织和根证书 trust_roots: - org_id: "wx-org1.chainmaker.org" root: - "../config/wx-org1.chainmaker.org/certs/ca/wx-org1.chainmaker.org/ca.crt" - org_id: "wx-org2.chainmaker.org" root: - "../config/wx-org1.chainmaker.org/certs/ca/wx-org2.chainmaker.org/ca.crt" - org_id: "wx-org3.chainmaker.org" root: - "../config/wx-org1.chainmaker.org/certs/ca/wx-org3.chainmaker.org/ca.crt" - org_id: "wx-org4.chainmaker.org" root: - "../config/wx-org1.chainmaker.org/certs/ca/wx-org4.chainmaker.org/ca.crt" # 证书库 trust_members: - member_info: "../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem" org_id: "wx-org1.chainmaker.org" role: "consensus" node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp" # 权限配置(只能整体添加、修改、删除) resource_policies: - resource_name: CHAIN_CONFIG-NODE_ID_UPDATE policy: rule: SELF # 规则(ANY,MAJORITY...,全部大写,自动转大写) org_list: # 组织名称(组织名称,区分大小写) role_list: # 角色名称(role,自动转大写) - admin - resource_name: CHAIN_CONFIG-TRUST_ROOT_ADD policy: rule: MAJORITY org_list: role_list: - admin - resource_name: CHAIN_CONFIG-CERTS_FREEZE policy: rule: ANY org_list: role_list: - admin
node2的链配置bc1.yml (仅显示trust_member部分,其它部分不变)
trust_members: - member_info: "../config/wx-org2.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem" org_id: "wx-org1.chainmaker.org" role: "consensus" node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
node3的链配置bc1.yml (仅显示trust_member部分,其它部分不变)
trust_members: - member_info: "../config/wx-org3.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem" org_id: "wx-org1.chainmaker.org" role: "consensus" node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
node4的链配置bc1.yml (仅显示trust_member部分,其它部分不变)
trust_members: - member_info: "../config/wx-org4.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem" org_id: "wx-org1.chainmaker.org" role: "consensus" node_id: "QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp"
node1的节点配置文件chainmaker.yml
log: config_file: ../config/wx-org1.chainmaker.org/log.yml # config file of logger configuration. blockchain: - chainId: chain1 genesis: ../config/wx-org1.chainmaker.org/chainconfig/bc1.yml node: # 节点类型:full type: full org_id: wx-org1.chainmaker.org # priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.key # cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.sign.crt priv_key_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.key cert_file: ../config/wx-org1.chainmaker.org/certs/trust-member/trust-member.node1-sign.pem signer_cache_size: 1000 cert_cache_size: 1000 pkcs11: enabled: false library: # path to the so file of pkcs11 interface label: # label for the slot to be used password: # password to logon the HSM session_cache_size: 10 # size of HSM session cache, default to 10 hash: "SHA256" # hash algorithm used to compute SKI net: provider: LibP2P listen_addr: /ip4/0.0.0.0/tcp/11301 seeds: - "/ip4/127.0.0.1/tcp/11301/p2p/QmTfgpaCgZUGHmgzzJ6AhyU7WnDmNt9xHk9acSkaa5KJdp" - "/ip4/127.0.0.1/tcp/11302/p2p/QmTrbCNfbMcQHJhPrrbjfnAmh29HEGhYc2MoKNR5xPrdkS" - "/ip4/127.0.0.1/tcp/11303/p2p/QmRALrNH4ZXwxCGLH5mEvcoqdLF6C7umfFNNpyo9hRaVWW" - "/ip4/127.0.0.1/tcp/11304/p2p/QmUp3jyBxcDERaf5vcnJsTpqSNTkRLu9bMRQzjjynzRjZZ" tls: enabled: true priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt txpool: max_txpool_size: 50000 # 普通交易池上限 max_config_txpool_size: 10 # config交易池的上限 full_notify_again_time: 30 # 交易池溢出后,再次通知的时间间隔(秒) # pool_type: "batch" # single/batch:single实时进入交易池,batch批量进入交易池 # batch_max_size: 30000 # 批次最大大小 # batch_create_timeout: 200 # 创建批次超时时间,单位毫秒 rpc: provider: grpc port: 12301 # 检查链配置TrustRoots证书变化时间间隔,单位:s,最小值为10s check_chain_conf_trust_roots_change_interval: 60 ratelimit: # 每秒补充令牌数,取值:-1-不受限;0-默认值(10000) token_per_second: -1 # 令牌桶大小,取值:-1-不受限;0-默认值(10000) token_bucket_size: -1 subscriber: # 历史消息订阅流控,实时消息订阅不会进行流控 ratelimit: # 每秒补充令牌数,取值:-1-不受限;0-默认值(1000) token_per_second: 100 # 令牌桶大小,取值:-1-不受限;0-默认值(1000) token_bucket_size: 100 tls: # TLS模式: # disable - 不启用TLS # oneway - 单向认证 # twoway - 双向认证 #mode: disable #mode: oneway mode: twoway priv_key_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.key cert_file: ../config/wx-org1.chainmaker.org/certs/node/consensus1/consensus1.tls.crt monitor: enabled: true port: 14321 pprof: enabled: false port: 24321 storage: store_path: ../data/wx-org1.chainmaker.org/ledgerData1 # 最小的不允许归档的区块高度 unarchive_block_height: 300000 blockdb_config: provider: leveldb leveldb_config: store_path: ../data/wx-org1.chainmaker.org/blocks statedb_config: provider: leveldb # leveldb/sql 二选一 leveldb_config: # leveldb config store_path: ../data/wx-org1.chainmaker.org/state # sqldb_config: # sql config,只有provider为sql的时候才需要配置和启用这个配置 # sqldb_type: mysql #具体的sql db类型,目前支持mysql,sqlite # dsn: root:password@tcp(127.0.0.1:3306)/ #mysql的连接信息,包括用户名、密码、ip、port等,示例:root:admin@tcp(127.0.0.1:3306)/ historydb_config: provider: leveldb leveldb_config: store_path: ../data/wx-org1.chainmaker.org/history resultdb_config: provider: leveldb leveldb_config: store_path: ../data/wx-org1.chainmaker.org/result disable_contract_eventdb: true #是否禁止合约事件存储功能,默认为true,如果设置为false,需要配置mysql contract_eventdb_config: provider: sql #如果开启contract event db 功能,需要指定provider为sql sqldb_config: sqldb_type: mysql #contract event db 只支持mysql dsn: root:password@tcp(127.0.0.1:3306)/ #mysql的连接信息,包括用户名、密码、ip、port等,示例:root:admin@tcp(127.0.0.1:3306)/ core: evidence: false scheduler: rwset_log: false #whether log the txRWSet map in the debug mode
链启动
$ cd scripts $ ./build_release.sh $ ./cluster_quick_start.sh normal
查看进程是否存在
$ ps -ef|grep chainmaker | grep -v grep lxf 20816 1 8 15:34 pts/0 00:00:01 ./chainmaker start -c ../config/wx-org1.chainmaker.org/chainmaker.yml lxf 20835 1 8 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org2.chainmaker.org/chainmaker.yml lxf 20855 1 9 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org3.chainmaker.org/chainmaker.yml lxf 20874 1 10 15:34 pts/0 00:00:00 ./chainmaker start -c ../config/wx-org4.chainmaker.org/chainmaker.yml
查看端口是否监听
$ netstat -lptn | grep 1230 tcp6 0 0 :::12301 :::* LISTEN 20816/./chainmaker tcp6 0 0 :::12302 :::* LISTEN 20835/./chainmaker tcp6 0 0 :::12303 :::* LISTEN 20855/./chainmaker tcp6 0 0 :::12304 :::* LISTEN 20874/./chainmaker