Fabric: securing communication with Transport Layer Security (TLS)

Fabric supports secure communication between nodes using TLS. TLS communication can use both one-way (server only) and two-way (server and client) authentication.

1. Configuring TLS for peer nodes

A peer node is both a TLS server and a TLS client. It is the former when another peer node, an application, or the CLI opens a connection to it, and the latter when it opens a connection to another peer node or an orderer.

To enable TLS on a peer node, set the following properties:

peer.tls.enabled = true
peer.tls.cert.file = fully qualified path of the file that contains the TLS server certificate
peer.tls.key.file = fully qualified path of the file that contains the TLS server private key
peer.tls.rootcert.file = fully qualified path of the file that contains the certificate chain of the certificate authority(CA) that issued TLS server certificate

By default, TLS client authentication is turned off when TLS is enabled on a peer node. This means the peer node does not verify the certificate of a client (another peer node, an application, or the CLI) during the TLS handshake. To enable TLS client authentication on a peer node, set the peer configuration property peer.tls.clientAuthRequired to true and set the peer.tls.clientRootCAs.files property to the CA chain file that contains the certificate chain(s) of the CA(s) that issued TLS certificates for your organization's clients.

TLS with client authentication can also be enabled by setting the following environment variables:

CORE_PEER_TLS_ENABLED = true
CORE_PEER_TLS_CERT_FILE = fully qualified path of the server certificate
CORE_PEER_TLS_KEY_FILE = fully qualified path of the server private key
CORE_PEER_TLS_ROOTCERT_FILE = fully qualified path of the CA chain file
CORE_PEER_TLS_CLIENTAUTHREQUIRED = true
CORE_PEER_TLS_CLIENTROOTCAS_FILES = fully qualified path of the CA chain file
CORE_PEER_TLS_CLIENTCERT_FILE = fully qualified path of the client certificate
CORE_PEER_TLS_CLIENTKEY_FILE = fully qualified path of the client key

When client authentication is enabled on a peer node, the client is required to send its certificate during the TLS handshake. If the client does not send its certificate, the handshake fails and the peer closes the connection.

When a peer joins a channel, the root CA certificate chains of the channel members are read from the channel's configuration block and added to the TLS client and server root CA data structures. As a result, peer-to-peer and peer-to-orderer communication should work seamlessly.

2. Configuring TLS for orderer nodes

To enable TLS on an orderer node, set the following orderer configuration properties:

General.TLS.Enabled = true
General.TLS.PrivateKey = fully qualified path of the file that contains the server private key
General.TLS.Certificate = fully qualified path of the file that contains the server certificate
General.TLS.RootCAs = fully qualified path of the file that contains the certificate chain of the CA that issued TLS server certificate


默认情况下,在orderer上关闭TLS客户端身份验证,就像peer一样。 要启用TLS客户端身份验证,请设置以下配置属性:

General.TLS.ClientAuthRequired = true
General.TLS.ClientRootCAs = fully qualified path of the file that contains the certificate chain of the CA that issued the TLS server certificate

TLS with client authentication can also be enabled by setting the following environment variables:

ORDERER_GENERAL_TLS_ENABLED = true
ORDERER_GENERAL_TLS_PRIVATEKEY = fully qualified path of the file that contains the server private key
ORDERER_GENERAL_TLS_CERTIFICATE = fully qualified path of the file that contains the server certificate
ORDERER_GENERAL_TLS_ROOTCAS = fully qualified path of the file that contains the certificate chain of the CA that issued TLS server certificate
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED = true
ORDERER_GENERAL_TLS_CLIENTROOTCAS = fully qualified path of the file that contains the certificate chain of the CA that issued TLS server certificate

3. Configuring TLS for the CLI

When running peer CLI commands against a TLS-enabled peer node, the following environment variables must be set:

CORE_PEER_TLS_ENABLED = true
CORE_PEER_TLS_ROOTCERT_FILE = fully qualified path of the file that contains cert chain of the CA that issued the TLS server cert

If TLS client authentication is also enabled on the remote server, the following variables must be set in addition to those above:

CORE_PEER_TLS_CLIENTAUTHREQUIRED = true
CORE_PEER_TLS_CLIENTCERT_FILE = fully qualified path of the client certificate
CORE_PEER_TLS_CLIENTKEY_FILE = fully qualified path of the client private key
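The peer-side properties in section 1 and the CLI-side variables in section 3 map onto a handful of TLS settings: a server certificate and key, a trusted CA chain on each side, and a flag that decides whether the server demands a client certificate. The Go program below is an added example written for this post; it is not part of the post or of Fabric's own code. It builds a throwaway organization TLS CA, one peer server certificate and one CLI client certificate entirely in memory (the names example-org-tlsca, peer0.example-org and cli-admin are made up, standing in for files produced by cryptogen or Fabric CA), then runs three loopback handshakes: server-only TLS, mutual TLS with a trusted client certificate, and mutual TLS where the client sends no certificate, which the server rejects exactly as the text describes. The serverConfig and clientConfig helpers are the assumed analogues of the peer.tls.* properties and CORE_PEER_TLS_* variables, not Fabric APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// newCert issues a throwaway in-memory certificate for this example (constructed here, not cryptogen or Fabric CA output); a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if parent == nil { // self-signed CA that signs the server and client certs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// serverConfig mirrors peer.tls.cert.file / peer.tls.key.file and, when clientAuthRequired is true, peer.tls.clientRootCAs.files (assumed analogue, not Fabric code).
func serverConfig(cert tls.Certificate, clientAuthRequired bool, clientRootCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if clientAuthRequired {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // no trusted client cert, no connection
		cfg.ClientCAs = clientRootCAs
	}
	return cfg
}

// clientConfig mirrors CORE_PEER_TLS_ROOTCERT_FILE and, when clientCert is non-nil, CORE_PEER_TLS_CLIENTCERT_FILE / CORE_PEER_TLS_CLIENTKEY_FILE.
func clientConfig(rootCAs *x509.CertPool, clientCert *tls.Certificate) *tls.Config {
	cfg := &tls.Config{RootCAs: rootCAs, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	return cfg
}

// handshake runs one TLS handshake over loopback and returns the server's verdict: nil if it accepted the client, an error if it closed the connection.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cli)
	err = <-verdict // the server decides; under TLS 1.3 the client may not even see the alert
	if dialErr == nil {
		conn.Close()
	}
	return err
}

// RunScenarios exercises the three cases described in the text with a constructed org TLS CA, one peer server cert and one CLI client cert.
func RunScenarios() (serverOnlyOK, mutualOK, missingClientCertRejected bool) {
	caCert, caKey := newCert("example-org-tlsca", nil, nil)
	srvCert, srvKey := newCert("peer0.example-org", caCert, caKey)
	cliCert, cliKey := newCert("cli-admin", caCert, caKey)
	pool := x509.NewCertPool() // stands in for the CA chain file on both sides
	pool.AddCert(caCert)
	server := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	client := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	// 1. clientAuthRequired=false: an anonymous client is accepted.
	serverOnlyOK = handshake(serverConfig(server, false, nil), clientConfig(pool, nil)) == nil
	// 2. clientAuthRequired=true and the client presents a certificate chained to clientRootCAs.
	mutualOK = handshake(serverConfig(server, true, pool), clientConfig(pool, &client)) == nil
	// 3. clientAuthRequired=true but the client sends no certificate: the handshake fails.
	missingClientCertRejected = handshake(serverConfig(server, true, pool), clientConfig(pool, nil)) != nil
	return
}
```

Calling RunScenarios returns true for all three outcomes. The third case is the one worth keeping in mind when a CLI call suddenly fails after CORE_PEER_TLS_CLIENTAUTHREQUIRED is switched on for a peer: the rejection is issued by the server, so the CLI may only see a closed connection, while the peer's side carries the real reason.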
