
In Hyperledger Caliper, for benchmarking of a Fabric network, I have provided the connection profile with the details of the CA. The transaction is successfully submitted to the network, which is on a remote machine. I have checked the logs on the peers, orderers, and CA. Only the CA didn't have a log of requests to the CA server. In my assumption, while submitting the transaction using the Fabric gateway, the invoker identity must be verified by the CA. But this is not happening as a result of my configuration.

In which case CA server does not need to be enabled while submitting the transactions?

Edit: The question is edited to make the question specific to the involvement of CA while submitting the secure transaction on TLS enabled system.
Thank you!

Gopal Ojha

1 Answer

It seems necessary to study the PKI and certificate (X.509) structure. Fabric-CA acts as an organization's CA and manages the identifiers of each organization's members (orderer, peer, client...).

The authentication/authorization process for an identifier can be performed based on a certificate issued to a CA, but it does not need to be associated with a CA during the process.

In other words, during the P2P verification process, the CA is independent.

Taking the legacy system as an example, Facebook has issued a certificate from digicert, and the browser can verify the identifier through that certificate. (For Root CA verification, it is provided whitelisted at your browser or OS level.)

It's like asking why you don't use digicert (Fabric-CA) when you say you do a transaction throughput benchmark for Facebook (peer/orderer).

Fabric-CA does not have a ledger and does not support reading or storing transactions in the blockchain. It is just a CA in the Fabric network, independent of the transaction processing benchmark.

  • If authentication/authorization for a resource has to be performed in the form of a live stream to a CA, it will have dependencies and cause big problems
    (e.g. if digicert's system is paralyzed, Facebook will be paralyzed too)

In the process, Fabric-CA issues an identifier on the network at the bootstrap stage before performing the benchmark, rather than verifying in the transaction processing process (if it has been created in advance through cryptogen, issuance. It can be seen as being.)

myeongkil kim
  • Please explain more about when a CA is needed while performing transactions in a TLS-enabled system. I assume a CA is needed for every request that is communicated between two systems (or subsystems) to verify who is requesting. Please make this clear; it will be helpful to apply to any system. – Gopal Ojha Feb 01 '21 at 15:52
  • If you ask whether a CA is needed in a TLS-supported system, I'll answer as always. This is because server-client TLS requires a means to authenticate the server, that is, a certificate, and the certificate is issued by a CA. However, the point here is that there is no need to communicate with the CA in the process of verifying the certificate. For TLS communication between two systems, a certificate issued by a CA is required on the server side (in the case of one-way TLS). However, communication with the CA is not required for TLS communication between the two systems. – myeongkil kim Feb 02 '21 at 06:26
  • If you don't understand the above process, do study. First, understand the PKI structure; second, understand the process by which a certificate is created/verified; and last, analyze TLS. – myeongkil kim Feb 02 '21 at 06:28
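
The point made in the answer and comments above, as an added example (not code from the post or from Fabric itself): a CA key signs a client certificate once at bootstrap, and a verifier later validates that certificate using only the root certificate it holds locally, with no call to the CA. The function names `enroll`, `verifyOffline` and `check`, and the subject names, are assumptions made for this sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// enroll is the bootstrap stage: the only place the CA key is used. Names are constructed.
func enroll() (root, cert *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "ca.org1.example.com"}}
	user := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, Subject: pkix.Name{CommonName: "User1@org1.example.com"}}
	rootDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	check(err)
	certDER, err := x509.CreateCertificate(rand.Reader, user, ca, &key.PublicKey, caKey)
	check(err)
	certs, err := x509.ParseCertificates(append(rootDER, certDER...))
	check(err)
	return certs[0], certs[1] // caKey goes out of scope here: nothing below can reach the CA
}

// verifyOffline is the peer side: its only trust input is the locally stored root certificate.
func verifyOffline(root, cert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	fmt.Println("verified with no CA connection; error =", verifyOffline(enroll()))
}
```

Verifying the same client certificate against a root from a second `enroll()` call returns an error, which shows that the trust decision comes entirely from the root certificate the verifier already holds.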