Using a software-emulated HSM (crypto card) with fabric-ca-server
Install SoftHSMv2
SoftHSMv2 tutorial
- Default configuration file
/etc/softhsm2.conf
- Default token directory
/var/lib/softhsm/tokens/
Initializing and starting fabric-ca-server requires an administrator username and password.
Initialize the token
# Initializing one token is enough
softhsm2-util --init-token --slot 0 --label "fabric"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: 71811222
Please reenter SO PIN: 71811222
=== User PIN (4-255 characters) ===
Please enter user PIN: 71811222
Please reenter user PIN: 71811222
The token has been initialized and is reassigned to slot 423405613
softhsm2-util --init-token --slot 1 --label "fabric"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: 111111
Please reenter SO PIN: 111111
=== User PIN (4-255 characters) ===
Please enter user PIN: 222222
Please reenter user PIN: 222222
The token has been initialized and is reassigned to slot 121977387
# List the slots
softhsm2-util --show-slots
Edit the fabric-ca-server configuration file, fabric-ca-server-config.yaml
bccsp:
    default: PKCS11
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            keystore: msp/keystore
    pkcs11:
        Library: /usr/local/lib/softhsm/libsofthsm2.so
        Pin: "222222"
        Label: fabric
        hash: SHA2
        security: 256
        Immutable: false
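Fabric CA locates the token by the `Label` in the `pkcs11` section, and only the `pkcs11` section is used when `default` is `PKCS11`. The following is an added example (not fabric-ca or SoftHSM project code) that checks those two points against constructed `softhsm2-util --show-slots` output mirroring the two tokens initialized above, both of which were given the label "fabric"; the output sample is trimmed to the fields the check reads.

```python
# Added example (not fabric-ca project code): check bccsp.pkcs11 against the tokens softhsm2-util reports.
import re

# Constructed --show-slots output for the two tokens initialized above (both labelled "fabric").
SHOW_SLOTS = """Available slots:
Slot 423405613
    Token info:
        Initialized:      yes
        Label:            fabric
Slot 121977387
    Token info:
        Initialized:      yes
        Label:            fabric
"""

# The bccsp section of fabric-ca-server-config.yaml, as a dict.
BCCSP = {"default": "PKCS11",
         "pkcs11": {"Library": "/usr/local/lib/softhsm/libsofthsm2.so",
                    "Pin": "222222", "Label": "fabric"}}

# Map slot id -> {"label", "initialized"} from --show-slots output.
def parse_show_slots(text):
    slots, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"^Slot (\d+)$", line):
            cur = slots.setdefault(int(m.group(1)), {"label": "", "initialized": False})
        elif cur is not None and (kv := re.match(r"^\s+([\w .]+?):\s+(.*)$", line)):
            key, val = kv.group(1), kv.group(2).strip()
            if key == "Label":
                cur["label"] = val
            elif key == "Initialized":
                cur["initialized"] = (val == "yes")
    return slots

# Return findings; an empty list means the pkcs11 section is consistent with the tokens present.
def check_pkcs11_config(bccsp, show_slots_text):
    findings = []
    if bccsp.get("default") != "PKCS11":
        findings.append("bccsp.default is not PKCS11, so the pkcs11 section is unused")
    label = bccsp.get("pkcs11", {}).get("Label", "")
    matches = sorted(s for s, t in parse_show_slots(show_slots_text).items()
                     if t["initialized"] and t["label"] == label)
    if not matches:
        findings.append(f"no initialized token labelled {label!r}")
    elif len(matches) > 1:
        findings.append(f"label {label!r} is on {len(matches)} tokens {matches}: "
                        "selection by label is ambiguous, re-initialize with distinct labels")
    return findings
```

Run against the two tokens above it reports the duplicate label; initializing only one token, as the comment in the init step says, yields no findings.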
Start fabric-ca-server
# Mode 1: create a new certificate, then start (the private key is kept in the HSM)
rm ./config-hsm/ca-cert.pem
fabric-ca-server init -b admin:adminpw -H config-hsm
fabric-ca-server start -b admin:adminpw -H config-hsm
# Mode 2: point at a directory holding a certificate generated beforehand
fabric-ca-server start -b admin:adminpw -H /etc/hyperledger/fabric-ca-server-config
Inspect fabric-ca-server.db
sudo apt-get install sqlite3
sqlite3 config-hsm/fabric-ca-server.db
sqlite> .tables
# Query the users table (the admin user is already in the database; Fabric CA creates it at startup)
sqlite> select * from users;
# A certificate is only generated after admin has been enrolled with the enroll command
sqlite> select * from certificates;