Using softHSM : why is my orderer still looking for private key on Orderer.General.TLS.Privatekey path?

Question

I got some error when I tried to use softHSM to store private keys.

Please tell me what's the problem

Hyperledger Fabric Version : v2.3
Orderer Binary :

git clone -b release-2.3 https://github.com/hyperledger/fabric.git
GO_TAGS=pkcs11 make orderer

.yaml files :

fabric-ca-client-config.yaml, fabric-ca-server-config.yaml

bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/lib/softhsm/libsofthsm2.so
        Pin: "123"
        Label: fabric
        hash: SHA2
        security: 256
        Immutable: false

core.yaml, orderer.yaml

    BCCSP:
        Default: "PKCS11"
        # Settings for the SW crypto provider (i.e. when DEFAULT: SW)
        SW:
            # TODO: The default Hash and Security level needs refactoring to be
            # fully configurable. Changing these defaults requires coordination
            # SHA2 is hardcoded in several places, not only BCCSP
            Hash: SHA2
            Security: 256
            # Location of Key Store
            FileKeyStore:
                # If "", defaults to 'mspConfigPath'/keystore
                KeyStore:
        # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
        PKCS11:
            # Location of the PKCS11 module library
            Library: /usr/local/lib/softhsm/libsofthsm2.so
            # Token Label
            Label: fabric
            # User PIN
            Pin: "123"
            Hash: SHA2
            Security: 256

score 0 · Answer 1 · answered Jun 02 '21 at 09:09

more details :

commands :

export FABRIC_CFG_PATH=/root/fabric-softHSM
export FABRIC_CFG_CLIENT_HOME=/root/fabric-softHSM/ca2admin

fabric-ca-server start -b ca2admin:ca2pw --cfg.affiliations.allowremove --cfg.identities.allowremove \
--csr.hosts ca2.server --home $FABRIC_CFG_PATH/ca2server -n ca2

## ca admin
fabric-ca-client enroll -u http://ca2admin:ca2pw@ca2.server:7054 --home $FABRIC_CFG_PATH/ca2admin \
--csr.hosts ca2.server,admin.ordorg2,ord0.ordorg2,ord1.ordorg2,ord2.ordorg2

mv $FABRIC_CFG_CLIENT_HOME/msp/cacerts/*-7054.pem $FABRIC_CFG_CLIENT_HOME/msp/cacerts/ca.crt

## orderer
fabric-ca-client affiliation --home $FABRIC_CFG_CLIENT_HOME add ordorg2

### admin register & enroll
fabric-ca-client register -u http://ca.server:7054 --id.name admin.ordorg2 --id.secret admin.ordorg2pw --id.affiliation ordorg2 --id.type admin \
--id.attrs '"hf.Registrar.Roles=client,orderer,peer,user,admin","hf.Registrar.DelegateRoles=client,orderer,peer,user,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' \
--home $FABRIC_CFG_PATH/ca2admin

fabric-ca-client getcainfo -u http://ca.server:7054 -m ca.server --enrollment.profile tls \
--csr.hosts ca2.server,admin.ordorg2,ord0.ordorg2,ord1.ordorg2,ord2.ordorg2 -M $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/msp

mkdir -p $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2
cp ~/config-softHSM/fabric-ca-client-config.yaml $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/.

fabric-ca-client enroll -u http://admin.ordorg2:admin.ordorg2pw@ca.server:7054 -m admin.ordorg2 --enrollment.profile tls \
--csr.hosts ca2.server,admin.ordorg2,ord0.ordorg2,ord1.ordorg2,ord2.ordorg2 -H $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2

mv $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/tlscacerts/*.pem  $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/tlscacerts/ca.crt
cp $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/tlscacerts/ca.crt $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/cacerts/ca.crt
mkdir $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/admincerts
cp $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/signcerts/cert.pem $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/admincerts/admin.ordorg2-cert.pem

### orderer register & enroll

fabric-ca-client register  --id.name ord0.ordorg2  --id.secret=ord0.ordorg2pw  --id.type orderer  --id.affiliation ordorg2  --id.attrs 'hf.Registrar.Roles=orderer:ecert'  \
--home $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2
 
mkdir -p orgs/ordorgs/ordorg2/orderers/ord0.ordorg2
cp ~/config-softHSM/fabric-ca-client-config.yaml orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/.

fabric-ca-client enroll -u http://ord0.ordorg2:ord0.ordorg2pw@ca.server:7054 -m ord0.ordorg2  --enrollment.profile tls \
--csr.hosts ca2.server,admin.ordorg2,ord0.ordorg2,ord1.ordorg2,ord2.ordorg2 -H $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2

mv $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/*-7054.pem $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/ca.crt
cp $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/ca.crt $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/cacerts/ca.crt
mkdir $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/admincerts
cp $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/admincerts/admin.ordorg2-cert.pem $FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/admincerts/admin.ordorg2-cert.pem 

### orderer start

export ORDERER_GENERAL_TLS_CERTIFICATE=$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/signcerts/cert.pem
export ORDERER_GENERAL_TLS_CLIENTROOTCAS=[$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/ca.crt]
export ORDERER_GENERAL_TLS_ROOTCAS=[$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/ca.crt]
export ORDERER_GENERAL_BOOTSTRAPMETHOD=none
export ORDERER_GENERAL_LOCALMSPID=ordorg2MSP
export ORDERER_GENERAL_LOCALMSPDIR=$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp

export ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/signcerts/cert.pem
export ORDERER_GENERAL_CLUSTER_ROOTCAS=[$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/tlscacerts/ca.crt]
export ORDERER_CHANNELPARTICIPATION_ENABLED=true
export ORDERER_ADMIN_LISTENADDRESS=ord0.ordorg2:7078
export ORDERER_ADMIN_TLS_ENABLED=true
export ORDERER_ADMIN_TLS_CLIENTAUTHREQUIRED=true

export ORDERER_ADMIN_TLS_CERTIFICATE=$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/orderers/ord0.ordorg2/msp/signcerts/cert.pem
export ORDERER_GENERAL_LISTENADDRESS=ord0.ordorg2
export ORDERER_OPERATIONS_LISTENADDRESS=ord0.ordorg2:8445
export ORDERER_FILELEDGER_LOCATION=/root/ordorgs/ordorg2/ord0.ordorg2
export ORDERER_ADMIN_TLS_CLIENTROOTCAS=[$FABRIC_CFG_PATH/orgs/ordorgs/ordorg2/users/admin.ordorg2/msp/tlscacerts/ca.crt]
export ORDERER_CONSENSUS_WALDIR=/var/hyperledger/production/orderer/etcdraft/wal/ord0.ordorg2
export ORDERER_CONSENSUS_SNAPDIR=/var/hyperledger/production/orderer/etcdraft/snapshot/ord0.ordorg2

orderer start

5. ERROR :

2021-06-02 18:02:08.195 KST [msp] Validate -> DEBU 03e MSP ordorg2MSP validating identity
2021-06-02 18:02:08.195 KST [msp] GetDefaultSigningIdentity -> DEBU 03f Obtaining default signing identity
2021-06-02 18:02:08.196 KST [orderer.common.server] initializeServerConfig -> FATA 040 Failed to load PrivateKey file '/root/fabric-softHSM' (read /root/fabric-softHSM: is a directory)

I don't think TLS certificates in fabric are HSM managed as the handling of TLS certs is not managed by the fabric code base, but dependencies such as grpc — david_k, Jun 02 '21 at 11:15
@david_k Oh.. then what should I do? Should I use MSP file based TLS certificates? If so, what's the rule of HSM when I try this? : https://hyperledger-fabric.readthedocs.io/en/release-2.3/hsm.html Is it only for organization certificates? — Han, Jun 03 '21 at 01:00
TLS does not use bccsp and does not support PKCS11. You just need to point to the private key and X509 cert in your config for TLS. — Gari Singh, Jun 03 '21 at 11:49
Thanks guys. I fixed it. Do you know how to involve HSM in connection profile ? I added "hsm" section with reference to https://hyperledger.github.io/composer/v0.16/reference/connectionprofile , and got `Not found adminPrivateKey configuration` error — Han, Jun 04 '21 at 00:39
Composer supported client HSM in it's own way. The node sdks for fabric support HSMs via the wallet implementation — david_k, Jun 26 '21 at 08:27

Using softHSM : why is my orderer still looking for private key on Orderer.General.TLS.Privatekey path?

1 Answers1