I am trying to run Hyperledger fabric peer with SoftHSM enabled. Fabric-ca-server is already running with SoftHSM enabled and all the certificates are generated with HSM enabled.

Initially, when I was trying to run fabric-ca-server, it was throwing the same error: Could not find default `PKCS11` BCCSP.

Then I found some people suggesting to make build from source code and it fixed that error.

Now I am facing the same error when I run the `peer node start` command to bootstrap the peer.

The BCCSP content on core.yaml is below:

```yaml
    # BCCSP (Blockchain crypto provider): Select which crypto implementation or
    # library to use
    BCCSP:
        Default: PKCS11
        # Settings for the SW crypto provider (i.e. when DEFAULT: SW)
        SW:
            # TODO: The default Hash and Security level needs refactoring to be
            # fully configurable. Changing these defaults requires coordination
            # SHA2 is hardcoded in several places, not only BCCSP
            Hash: SHA2
            Security: 256
            # Location of Key Store
            FileKeyStore:
                # If "", defaults to 'mspConfigPath'/keystore
                KeyStore:
        # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
        PKCS11:
            # Location of the PKCS11 module library
            Library: /usr/local/lib/softhsm/libsofthsm2.so
            # Token Label
            Label: ForFabric
            # User PIN
            Pin: 98765432
            Hash: SHA2
            Security: 256
            FileKeyStore:
                KeyStore: /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp/keystore
```

The error when I run peer node start:

```
$ peer node start
2018-12-28 14:48:50.508 IST [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp: could not initialize BCCSP Factories: Failed initializing BCCSP.: Could not initialize BCCSP SW [Failed to initialize software key store: An invalid KeyStore path provided. Path cannot be an empty string.]
Could not find default `PKCS11` BCCSP
```

I am using the following peer version:

```
$ peer version
peer:
 Version: 1.4.0
 Commit SHA: 9cd9fce
 Go version: go1.11.2
 OS/Arch: linux/amd64
 Chaincode:
  Base Image Version: 0.4.14
  Base Docker Namespace: hyperledger
  Base Docker Label: org.hyperledger.fabric
  Docker Namespace: hyperledger
```

Akshay Sood
  • Did you build the peer binary yourself? – Gari Singh Dec 28 '18 at 12:42
  • You should also remove the `SW:` section from core.yaml as well – Gari Singh Dec 28 '18 at 12:55
  • yes remove the `SW:` (silly code), and also check that an environment variable is not being set to override your default BCCSP – gbolo Dec 28 '18 at 16:24
  • @GariSingh I first tried the binaries that come with fabric-samples.. then I built the peer binary, which resulted in the same error.. then I removed `SW:`, same error – Akshay Sood Dec 28 '18 at 16:39
  • You also need to set the pkcs11 build tag: `GO_TAGS=pkcs11 make peer` – Gari Singh Dec 29 '18 at 13:06
  • @GariSingh Thanks.. I will make peer with GO_TAG and let you know – Akshay Sood Dec 29 '18 at 13:11
  • did you set the KeyStore path? – Neli Dec 30 '18 at 00:14
  • @Neli yes.. `KeyStore: /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp/keystore` – Akshay Sood Dec 30 '18 at 05:36
  • @GariSingh now I am getting the following error `$ peer node start 2018-12-31 14:18:28.888 IST [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /home/akshay/dev/fabric-ca/client/peerOrg/peer0.org1.example.com: KeyMaterial not found in SigningIdentityInfo` after building peer binary using `GO_TAGS=pkcs11 make peer` – Akshay Sood Dec 31 '18 at 08:51
  • Did you actually register and enroll with the fabric-ca using fabric-ca-client? – Gari Singh Dec 31 '18 at 10:02
  • every identity is registered and enrolled with fabric-ca.. – Akshay Sood Dec 31 '18 at 10:15
  • is there any other step? I did: `fabric-ca-server init -b admin:admin` then: registered peer, orderer and enrolled them – Akshay Sood Dec 31 '18 at 10:16
  • @GariSingh without softHSM enabled, it was working perfectly fine – Akshay Sood Dec 31 '18 at 10:43
  • Are you sure that all of the map folders are populated? Especially the `signcerts` folder – Gari Singh Dec 31 '18 at 14:20
  • Yes. I have matched the directory structure with crypto-config.. The keystore dir is empty and as per my understanding when HSM is implemented private keys will be stored in HSM so keystore won't have any key.. Is that an issue?? – Akshay Sood Dec 31 '18 at 14:29
  • Hi @AkshaySood can you please guide me how did you set up the CA Server with HSM. I cannot figure out a proper tutorial to do it. – Faisal Jun 26 '19 at 07:45

1 Answer

There were two issues:

1) Make sure to delete the `SW:` section under `BCCSP` in `core.yaml`.

2) By default, the peer binary and Docker image are both built without support for PKCS11. You can build the peer binary yourself using `GO_TAGS=pkcs11 make peer`.

Gari Singh
  • I have one doubt regarding fabric-ca server, suppose if I am running fabric-ca server natively (without docker) then still I need to set GO_TAGS=pkcs11 and create fabric-ca binary again. – kamlesh nagware Mar 20 '20 at 05:08
  • `make fabric-ca-server` and `make fabric-ca-client` both already have `-tags "pkcs11"` included: https://github.com/hyperledger/fabric-ca/blob/release-1.4/Makefile#L116 – Gari Singh Mar 20 '20 at 09:06
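
A preflight for the two causes named in the answer, plus the environment override raised in the question's comments, as an added example that is not part of the original thread or of the Fabric project. The function names are hypothetical, the sample `core.yaml` fragment is constructed, and looking for the string `miekg/pkcs11` (the Go PKCS#11 binding that Fabric links when built with the tag) inside the binary is a heuristic assumption, not an official check.

```shell
# Print the direct children of the BCCSP: block as key=value lines.
bccsp_children() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { ind = match($0, /[^ ]/) - 1 }          # indentation of this line
        inblk && ind <= base { inblk = 0 }       # dedent: left the BCCSP block
        inblk {
            if (child < 0) child = ind           # indent of the first child key
            if (ind == child) {
                key = $0; sub(/^ +/, "", key); val = key
                sub(/:.*/, "", key); sub(/^[^:]*: */, "", val)
                print key "=" val
            }
            next
        }
        /^ *BCCSP:/ { inblk = 1; base = ind; child = -1 }
    ' "$1"
}

# check_bccsp CORE_YAML [PEER_BINARY]: prints findings, returns their count.
check_bccsp() {
    kids=$(bccsp_children "$1"); bin=${2:-}; n=0
    def=$(printf '%s\n' "$kids" | sed -n 's/^Default=//p')
    if [ "$def" != PKCS11 ]; then
        echo "BCCSP.Default is '$def', expected PKCS11"; n=$((n + 1))
    fi
    if printf '%s\n' "$kids" | grep -q '^SW='; then
        echo "SW: section is still present under BCCSP"; n=$((n + 1))
    fi
    # Environment variables take precedence over values in core.yaml.
    if [ "${CORE_PEER_BCCSP_DEFAULT:-PKCS11}" != PKCS11 ]; then
        echo "CORE_PEER_BCCSP_DEFAULT overrides core.yaml"; n=$((n + 1))
    fi
    # Heuristic (assumption): a peer built with the pkcs11 tag embeds this path.
    if [ -n "$bin" ] && ! LC_ALL=C grep -q 'miekg/pkcs11' "$bin"; then
        echo "$bin: no PKCS#11 symbols, rebuild with GO_TAGS=pkcs11"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample that reproduces the question's layout (SW: still present).
demo() {
    f=$(mktemp)
    printf '%s\n' 'peer:' '    BCCSP:' '        Default: PKCS11' \
        '        SW:' '            Hash: SHA2' '        PKCS11:' \
        '            Label: ForFabric' > "$f"
    check_bccsp "$f"; rc=$?; rm -f "$f"; return "$rc"
}
if [ $# -gt 0 ]; then check_bccsp "$@"; else demo || true; fi
```

Run it as `sh check.sh core.yaml "$(command -v peer)"`; an exit status of 0 means none of the conditions were found.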