node.js blockchain hyperledger-fabric

Best way to store Hyperledger Fabric user credentials with fabric-gateway SDK


I have just started using Hyperledger Fabric and I am using the @hyperledger/fabric-gateway SDK (replacing the deprecated fabric-network) and need a secure way to store/retrieve Fabric user identities (keystore, cacerts, signcerts). I am wondering what's the common way as an alternative for Wallets from fabric network.


Solution

  • The Fabric Gateway client API does not mandate any mechanism for storing the credentials needed to connect to Fabric. You are free to store the client certificate and private key however is convenient for you.

    If you want to continue using the wallets from the legacy SDKs, you can continue to use the legacy SDKs to access them. The data retrieved from the wallet can then be used with the Fabric Gateway client API. Just be careful that the wallet API in the legacy Node SDK exposes the certificate and private key PEM data as strings, whereas the Fabric Gateway client API expects the certificate as a Uint8Array, so you will need to do some conversion.

    If you only need to access wallet data, the fabric-wallet-migration npm package provides a lighter weight alternative to the legacy SDK. Its Wallet implementation is designed for use with the Fabric Gateway client API and exposes wallet entries in a form suitable for that API. The package README contains a usage example. Full disclosure: I am the author of the fabric-wallet-migration package.

    If you are looking for a really secure mechanism for private key storage, you might consider using a Hardware Security Module (HSM). These store the private key where it cannot be accessed even by the client. Instead, the client uses the HSM to sign messages on its behalf. There is a Fabric sample that demonstrates the use of an HSM with the Fabric Gateway client API.
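The string-to-bytes conversion mentioned in the answer, as an added example that is not part of the original answer or of any Fabric package. The entry shape, the `Org1MSP` value and the helper names `toGatewayCredentials` and `makeConstructedEntry` are assumptions made for illustration; the sample entry is constructed and its certificate is a placeholder, not a real certificate.

```javascript
const { createPrivateKey, generateKeyPairSync } = require('node:crypto');

// Assumed entry shape (legacy Node SDK X.509 wallet identity):
//   { type: 'X.509', mspId, credentials: { certificate: <PEM string>, privateKey: <PEM string> } }
function toGatewayCredentials(entry) {
  if (!entry || entry.type !== 'X.509') {
    throw new TypeError('only X.509 wallet entries carry PEM credentials');
  }
  if (typeof entry.mspId !== 'string' || entry.mspId === '') {
    throw new TypeError('wallet entry has no mspId');
  }
  const { certificate, privateKey } = entry.credentials || {};
  if (typeof certificate !== 'string' || !certificate.includes('-----BEGIN CERTIFICATE-----')) {
    throw new TypeError('certificate is not a PEM string');
  }
  if (typeof privateKey !== 'string') {
    throw new TypeError('privateKey is not a PEM string');
  }
  return {
    // Gateway identity: the PEM text as bytes (Buffer is a Uint8Array subclass).
    identity: { mspId: entry.mspId, credentials: Buffer.from(certificate, 'utf8') },
    // Parsing into a KeyObject fails fast on malformed PEM instead of at signing time.
    privateKey: createPrivateKey(privateKey),
  };
}

// Constructed sample entry: a freshly generated P-256 key and a placeholder certificate.
function makeConstructedEntry() {
  const { privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    type: 'X.509',
    mspId: 'Org1MSP', // assumed MSP ID
    credentials: {
      certificate: '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n',
      privateKey: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    },
  };
}

const { identity, privateKey } = toGatewayCredentials(makeConstructedEntry());
console.log(identity.mspId, identity.credentials.length, privateKey.asymmetricKeyType);
// With @hyperledger/fabric-gateway installed, the next step is
// signers.newPrivateKeySigner(privateKey) and connect({ client, identity, signer }).
```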