config.yaml文件详解

基于fabric 2.3 #

客户端使用sdk与fabric网络交互,需要告诉sdk两类信息:

  • 我是谁:即当前客户端的信息,包含所属组织、密钥和证书文件的路径等, 这是每个客户端专用的信息。
  • 对方是谁:即fabric网络结构的信息,channel、org、orderer和peer等是怎样组合成当前fabric网络的,这些结构信息应当与configtx.yaml中的一致。这是通用配置,每个客户端都可以拿来使用。另外,这部分信息并不需要是完整的fabric网络信息,如果当前客户端只和部分节点交互,那配置文件中只需要包含所使用到的网络信息。

原文件 #

我们复制官方的config_e2e_multiorg_bootstrap.yaml文件

文件位置:https://github.com/hyperledger/fabric-sdk-go/blob/main/test/fixtures/config/config_e2e_multiorg_bootstrap.yaml

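########################    Declarations   ###############################
# Copyright SecureKey Technologies Inc. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# The network connection profile provides client applications the information
# about the target blockchain network that is necessary for the applications
# to interact with it. This is all knowledge that must be acquired from
# out-of-band sources; this file provides such a source.
#
# Reading notes:
#   - YAML comments start with '#'. A '//' written after a value is NOT a
#     comment: it becomes part of the value (the boolean `true` turns into the
#     string "true //..."), so never annotate lines that way.
#   - ${FABRIC_SDK_GO_PROJECT_PATH} and ${CRYPTOCONFIG_FIXTURES_PATH} are
#     environment variables substituted when the SDK loads the profile; they
#     must be set before the client starts.
#   - Indentation must use spaces only; a tab at the start of a line is a
#     parse error.
#
# Schema version of the content. Used by the SDK to apply the corresponding
# parsing rules.
version: 1.0.0

########################    Client section   ###############################
#
# The client section used by GO SDK.
#
client:

  # Which organization does this application instance belong to? The value must
  # be the name of an org defined under "organizations".
  organization: org1

  logging:
    level: info

  # Root of the MSP directories with keys and certs.
  cryptoconfig:
    path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}

  # Some SDKs support pluggable KV stores, the properties under "credentialStore"
  # are implementation specific
  credentialStore:
    # [Optional]. Used by user store. Not needed if all credentials are embedded
    # in configuration and enrollments are performed elsewhere.
    # NOTE(review): /tmp is shared by every user on the host. That is acceptable
    # for the e2e test fixture this file was copied from, but a real deployment
    # should point both stores at a directory readable only by the client.
    path: "/tmp/state-store"

    # [Optional]. Specific to the CryptoSuite implementation used by GO SDK.
    # Software-based implementations require a key store. PKCS#11 based
    # implementations do not.
    cryptoStore:
      # Specific to the underlying KeyValueStore that backs the crypto key store.
      # With the SW provider configured below this is the key store for the
      # client's keys, so the permission caveat on "credentialStore.path" applies.
      path: /tmp/msp

  # [Optional] BCCSP config for the client. Used by GO SDK.
  BCCSP:
    security:
      enabled: true
      default:
        provider: "SW"
      hashAlgorithm: "SHA2"
      softVerify: true
      level: 256

  tlsCerts:
    # [Optional]. Use system certificate pool when connecting to peers, orderers
    # (for negotiating TLS). Default: false. When enabled, the OS root store is
    # consulted for peer/orderer TLS in addition to the per-node tlsCACerts.
    systemCertPool: true

    # [Optional]. Client key and cert for TLS handshake with peers and orderers
    # (mutual TLS). The key file is a credential: whoever can read it can present
    # this client's TLS identity, so protect it like an MSP signing key.
    client:
      key:
        path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/tls.example.com/users/User1@tls.example.com/tls/client.key
      cert:
        path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/tls.example.com/users/User1@tls.example.com/tls/client.crt
########################    Channels section   ###############################
channels:
  # multi-org test channel
  orgchannel:

    # anchor peers only for the bootstrap config is required, other org's peers will be discovered
    peers:
      peer0.org1.example.com:
        # Will this peer be sent transaction proposals for endorsement? The peer
        # must have the chaincode installed. The app can also use this property
        # to decide which peers to send the chaincode install request to.
        # Default: true
        endorsingPeer: true

        # Will this peer be sent query proposals? The peer must have the
        # chaincode installed. The app can also use this property to decide
        # which peers to send the chaincode install request to. Default: true
        chaincodeQuery: true

        # Will this peer be sent query proposals that do not require chaincode,
        # like queryBlock(), queryTransaction(), etc. Default: true
        ledgerQuery: true

        # Will this peer be the target of the SDK's listener registration? All
        # peers can produce events, but the app typically only needs to connect
        # to one peer to listen to events. Default: true
        eventSource: true

      peer0.org2.example.com:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true

    policies:
      queryChannelConfig:  # options for retrieving the channel configuration block
        minResponses: 1  # minimum number of successful responses (from targets/peers)
        maxTargets: 1  # the channel config is retrieved from this many random targets
        retryOpts:  # retry options for querying the config block
          attempts: 5  # number of retry attempts
          initialBackoff: 500ms  # backoff interval for the first retry attempt
          maxBackoff: 5s  # maximum backoff interval for any retry attempt
          backoffFactor: 2.0  # factor by which the initial backoff period grows exponentially

########################    Organizations section   ###############################
#
# list of participating organizations in this network
organizations:
  org1:
    mspid: Org1MSP

    # This org's MSP store (absolute path or relative to client.cryptoconfig)
    cryptoPath: peerOrganizations/org1.example.com/users/{username}@org1.example.com/msp

    peers:
      - peer0.org1.example.com

  org2:
    mspid: Org2MSP
    cryptoPath: peerOrganizations/org2.example.com/users/{username}@org2.example.com/msp

    peers:
      - peer0.org2.example.com

  # Orderer Org name
  ordererorg:
    # Membership Service Provider ID for this organization
    # NOTE(review): spelled "mspID" here and "mspid" above; both spellings come
    # from the upstream fixture, so the loader presumably ignores key case, but
    # one spelling is easier to grep for.
    mspID: OrdererMSP

    # Needed to load users crypto keys and certs for this org (absolute path or relative to global crypto path, DEV mode)
    cryptoPath: ordererOrganizations/example.com/users/{username}@example.com/msp

########################   Peers section   ###############################
# List of peers to send various requests to, including endorsement, query
# and event listener registration.
#
peers:
  # defining bootstrap peers only
  peer0.org1.example.com:
    # [Optional] Default: Infer from hostname
    # This URL is used to send endorsement and query requests.
    url: peer0.org1.example.com:7051

    grpcOptions:
      # These parameters should be set in coordination with the keepalive policy
      # on the server, as incompatible settings can cause the connection to close.
      # When the "keep-alive-time" duration is set to 0 or less, the keepalive
      # client parameters are disabled.
      ssl-target-name-override: peer0.org1.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      # allow-insecure is only consulted when "url" has no protocol prefix:
      # true selects plain grpc, false selects grpcs. Leave it false so a URL
      # without a scheme cannot silently fall back to cleartext.
      allow-insecure: false

    tlsCACerts:  # absolute local path of the TLS CA certificate used to verify this peer
      path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

  peer0.org2.example.com:
    url: peer0.org2.example.com:8051

    grpcOptions:
      ssl-target-name-override: peer0.org2.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      allow-insecure: false

    tlsCACerts:
      path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem

########################   Orderers section   ###############################
# List of orderers to send transaction and channel create/update requests to. For the time
# being only one orderer is needed. If more than one is defined, which one get used by the
# SDK is implementation specific. Consult each SDK's documentation for its handling of orderers.
orderers:
  # needed to fetch the orderer config for create channel
  orderer.example.com:
    # [Optional] Default: Infer from hostname
    url: orderer.example.com:7050

    # These are standard properties defined by the gRPC library; they are passed
    # as-is to the gRPC client constructor.
    grpcOptions:
      ssl-target-name-override: orderer.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      allow-insecure: false

    tlsCACerts:
      path: ${FABRIC_SDK_GO_PROJECT_PATH}/${CRYPTOCONFIG_FIXTURES_PATH}/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem


# EntityMatchers enable substitution of network hostnames with static configurations
# so that properties can be mapped. Regex can be used for this purpose
# UrlSubstitutionExp can be empty which means the same network hostname will be used
# UrlSubstitutionExp can be given same as mapped peer url, so that mapped peer url can be used
# UrlSubstitutionExp can have golang regex matchers like ${1}.local.example.${2}:${3} for pattern
# like peer0.org1.example.com:1234 which converts peer0.org1.example.com to peer0.org1.local.example.com:1234
# sslTargetOverrideUrlSubstitutionExp follow in the same lines as
# SubstitutionExp for the fields gprcOptions.ssl-target-name-override respectively
# In any case mappedHost's config will be used, so mapped host cannot be empty, if entityMatchers are used
#
# NOTE(review): the dots in the patterns below are unescaped regex
# metacharacters, so each one matches any character, not only ".". Escape them
# ("\.") if the matcher must only apply to hosts in that exact domain, since a
# matched host inherits the mappedHost's TLS settings.
entityMatchers:
  peer:
    # the below matcher will allow dynamic discovery to use the anchor peer (peer0.org1.example.com)
    # as a template for all org1 discovered peers config
    - pattern: (\w+).org1.example.com:(\d+)
      urlSubstitutionExp: ${1}.org1.example.com:${2}
      sslTargetOverrideUrlSubstitutionExp: ${1}.org1.example.com
      mappedHost: peer0.org1.example.com

    - pattern: (\w+).org2.example.com:(\d+)
      urlSubstitutionExp: ${1}.org2.example.com:${2}
      sslTargetOverrideUrlSubstitutionExp: ${1}.org2.example.com
      mappedHost: peer0.org2.example.com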

修改后文件 #

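version: 1.0.0
# Reading notes:
#   - YAML comments start with '#'. A '//' after a value is not a comment: it
#     becomes part of the value, so `enabled: true //...` is the string
#     "true //..." rather than a boolean, and a '//' after a bare key such as
#     `logging:` makes the indented block beneath it a syntax error.
#   - The absolute paths below are specific to one machine. The upstream
#     profile derives them from ${FABRIC_SDK_GO_PROJECT_PATH} and
#     ${CRYPTOCONFIG_FIXTURES_PATH}, which is easier to move between hosts.

client:  # client section used by the SDK; to switch client identity, change things here
  organization: org1  # name of the org this application belongs to
  logging:  # log level
    level: info
  cryptoconfig:  # directory holding the certificates
    path: /home/tianzhiwei/go/src/education/conf/crypto-config
  # The credential store keeps user name/password pairs in a local file and
  # refers to each pair by an alias (author's note). NOTE(review): nothing in
  # this profile encrypts that file, so its protection comes from filesystem
  # permissions alone, and /tmp is shared with every user on the host.
  credentialStore:  # key store location
    path: "/tmp/state-store"
    cryptoStore:
      path: /tmp/msp
  BCCSP:  # BCCSP (crypto provider) settings for the client; this is the usual form
    security:
      enabled: true
      default:
        provider: "SW"
      hashAlgorithm: "SHA2"
      softVerify: true
      level: 256
  tlsCerts:
    # Also consult the OS root certificate pool for peer/orderer TLS; default false.
    systemCertPool: true
    client:
      key:  # client TLS private key; keep it readable only by the client process
        path: /home/tianzhiwei/go/src/education/conf/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.key
      cert:  # client TLS certificate
        path: /home/tianzhiwei/go/src/education/conf/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com/tls/client.crt

channels:  # channel information
  mychannel:
    orderers:
      - orderer.example.com
    peers:
      peer0.org1.example.com:
        endorsingPeer: true  # endorsing peer; default true
        chaincodeQuery: true  # accepts chaincode queries; default true
        ledgerQuery: true  # accepts queries that need no chaincode; default true
        eventSource: true  # target for SDK event-listener registration; default true

      peer1.org1.example.com:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true

    policies:
      queryChannelConfig:  # options for retrieving the channel configuration block
        minResponses: 1  # minimum number of responses from the targets/peers
        maxTargets: 1  # number of random targets the channel config is fetched from
        retryOpts:  # retry options for the config-block query
          attempts: 5  # number of retries
          initialBackoff: 500ms  # interval before the first retry
          maxBackoff: 5s  # maximum interval between retries
          backoffFactor: 2.0  # multiplier applied to the backoff after each attempt

organizations:  # organizations in the network
  org1:
    mspid: Org1MSP
    cryptoPath: peerOrganizations/org1.example.com/users/{username}@org1.example.com/msp
    peers:
      - peer0.org1.example.com
      - peer1.org1.example.com

  ordererorg:
    mspID: OrdererMSP
    cryptoPath: ordererOrganizations/example.com/users/{username}@example.com/msp

orderers:  # orderer list
  orderer.example.com:
    url: orderer.example.com:7050
    grpcOptions:
      ssl-target-name-override: orderer.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      allow-insecure: false  # keep false: true selects plain grpc when the url has no scheme
    tlsCACerts:
      path: /home/tianzhiwei/go/src/education/conf/crypto-config/ordererOrganizations/example.com/tlsca/tlsca.example.com-cert.pem

peers:  # peers that requests are sent to: endorsement, query, event-listener registration
  peer0.org1.example.com:
    url: peer0.org1.example.com:7051
    grpcOptions:
      ssl-target-name-override: peer0.org1.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      allow-insecure: false
    tlsCACerts:  # absolute path of the TLS CA certificate
      path: /home/tianzhiwei/go/src/education/conf/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

  peer1.org1.example.com:
    url: peer1.org1.example.com:9051
    grpcOptions:
      ssl-target-name-override: peer1.org1.example.com
      keep-alive-time: 0s
      keep-alive-timeout: 20s
      keep-alive-permit: false
      fail-fast: false
      allow-insecure: false
    tlsCACerts:
      path: /home/tianzhiwei/go/src/education/conf/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

# certificateAuthorities:  # Fabric CA settings; the author notes this section is still being worked out
#   ca.org1.example.com:
#     url: https://ca.org1.example.com:7054
#     grpcOptions:
#       ssl-target-name-override: ca.org1.example.com
#     tlsCACerts:
#       path: path/to/tls/cert/for/ca-org1
#     registrar:
#       enrollId: usually-it-is_admin
#       # registrar secret in cleartext: if this section is enabled, supply the
#       # real value from the environment or a secret store rather than
#       # committing it with the profile
#       enrollSecret: adminpasswd
#     caName: ca.org1.example.com


entityMatchers:
  peer:
    # map every discovered org1 peer onto peer0.org1.example.com's settings
    - pattern: (\w+).org1.example.com:(\d+)
      urlSubstitutionExp: ${1}.org1.example.com:${2}
      sslTargetOverrideUrlSubstitutionExp: ${1}.org1.example.com
      mappedHost: peer0.org1.example.com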