How to implement Fabric-CA or third party CA in hyperledger fabric


Question

I went through documentation on fabric-ca http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

I have the following questions

1. When will fabric-ca come into the picture in hyperledger, for user authentication or in msp certs generation or in both?

2. Can we use some other third party CA in place of fabric-ca?

3. What should be the things to be kept in mind if we use some third party CA?

4. Is there any sample to understand it more (already went through balance-transfer)?

Recommended answer

1) fabric-ca comes into the picture for both authentication and MSP certs generation. The /enroll API requires basic authentication, and assuming success, will issue an enrollment certificate and populate the appropriate MSP directories.

2) You have the following choices when it comes to using a CA with fabric:

   a) Use fabric CA to function as a root CA and/or intermediate CA.

   b) Start fabric CA with an intermediate signing certificate which you get from an external CA.

   c) Don't use fabric CA at all and use an external CA completely.

With a & b, the fabric CA server can function as its own user registry, or it can talk to an LDAP server as the user registry.

3) When using a 3rd party CA (#c above), you will need to think about how you want to do access control in chaincode. One option is based on the OU (Organizational Units) that a user's certificate has, which means the 3rd party CA will need to be able to restrict which OU values are issued to which users. When using the fabric CA server to issue certificates, you can use Attribute-Based Access Control (ABAC) to perform access control for chaincode.

4) There is a sample which is not merged yet at https://gerrit.hyperledger.org/r/#/c/13213/. See the README.md for a description of how to run the sample and an overview of how it works.
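
An added example (not from the original answer or the Fabric project) of the OU-based check described in point 3: plain Go that inspects the subject OU of a caller certificate and refuses callers whose certificate lacks the required value. The function names and the self-signed sample certificate are constructed for illustration; in chaincode the certificate would come from the transaction creator's identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// authorizeByOU permits the call only if the caller's certificate subject carries
// the required OU. Chain validation is assumed done already (by the MSP in Fabric).
func authorizeByOU(certPEM []byte, required string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("caller identity is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse caller certificate: %w", err)
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == required {
			return nil
		}
	}
	return fmt.Errorf("caller OUs %q do not include %q", cert.Subject.OrganizationalUnit, required)
}

// sampleCert builds a constructed self-signed certificate standing in for one from an external CA.
func sampleCert(ous ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "user1", OrganizationalUnit: ous},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(authorizeByOU(sampleCert("auditor"), "auditor"))
	fmt.Println(authorizeByOU(sampleCert("client"), "auditor"))
}
```

Because the decision rests entirely on the OU string, the external CA's issuance policy for OU values is what actually enforces the access control.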
