hyperledger-fabrichyperledger-fabric-caorganizational-unit

Adding custom Node OUs with Hyperledger Fabric


I am trying to add custom Node OU in policy definition inside the configtx.yaml file. The policy definition is present in Application section of configtx.yaml file as follows:

Application: &ApplicationDefaults

# Organizations is the list of orgs which are defined as participants on
# the application side of the network
ACLs: &ACLsDefault
    peer/Propose: /Channel/Application/Checkous

Organizations:

# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
#   /Channel/Application/<PolicyName>
Policies:
    Readers:
        Type: ImplicitMeta
        Rule: "ANY Readers"
    Writers:
        Type: ImplicitMeta
        Rule: "ANY Writers"
    Admins:
        Type: ImplicitMeta
        Rule: "MAJORITY Admins"
    Checkous:
        Type: Signature
        Rule: "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.dept')"

Capabilities:
    <<: *ApplicationCapabilities

I already generated the crypto-material using cryptogen tool. As you can see I am also using the custom policy inside one of the ACLs.

Next, I created the orderer genesis block.

##########################################################
#########  Generating Orderer Genesis block ##############
##########################################################
CONSENSUS_TYPE=solo
+ '[' solo == solo ']'
+ configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
2020-02-17 05:17:01.991 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2020-02-17 05:17:02.150 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 002 orderer type: solo
2020-02-17 05:17:02.150 UTC [common.tools.configtxgen.localconfig] Load -> INFO 003 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.309 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 004 orderer type: solo
2020-02-17 05:17:02.309 UTC [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 005 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.311 UTC [common.tools.configtxgen] doOutputBlock -> INFO 006 Generating genesis block
2020-02-17 05:17:02.311 UTC [common.tools.configtxgen] doOutputBlock -> INFO 007 Writing genesis block
+ res=0
+ set +x

Followed by which, when I try to create channel configuration block, I receive the following error:

#################################################################
### Generating channel configuration transaction 'channel.tx' ###
#################################################################
+ configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID mychannel
2020-02-17 05:17:02.346 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2020-02-17 05:17:02.518 UTC [common.tools.configtxgen.localconfig] Load -> INFO 002 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 003 orderer type: solo
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 004 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen] doOutputChannelCreateTx -> INFO 005 Generating new channel configtx
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen] main -> FATA 006 Error on outputChannelCreateTx: could not generate default config template: error parsing configuration: could not create application group: error adding policies to application group: invalid signature policy rule 'OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.dept')': Unable to parse numeric value '.' to float64
+ res=1
+ set +x
Failed to generate channel configuration transaction...

NOTE: I have added the definition for this OU in my config.yaml file located at: ~/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/msp. The file looks as follows:

NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: orderer
  DeptOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: dept
  1. What does the above error in channel block creation mean and any solution to resolve it?
  2. How to possibly use custom Node OUs in the network using Fabric CA (and not cryptogen)?

Solution

  • You cannot use "custom" NodeOU identifiers. Fabric policies only support the following roles:

    This means you can only use the built-in Node OU identifiers: