Hyperledger Fabric

Set up Luna HSM

Set up Hyperledger Fabric, Fabric CA, and Fabric-Samples

Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.

Create a partition that will be later on used by Hyperledger.

Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.

Initialize Crypto Officer and Crypto User roles for the registered partition.

Run the following command to verify that the partition has been successfully registered and configured:

C:\Program Files\SafeNet\LunaClient>lunacm.exe

Upon successful execution, you should observe an output similar to the example provided below:

lunacm.exe (64-bit) v10.5.0-470. Copyright (c) 2022 SafeNet. All rights reserved.
Available HSMs:
Slot Id ->                           0
Label ->                             sql1
Serial Number ->                     1312109862216
Model ->                             LunaSA 7.7.1
Firmware Version ->                  7.7.1
Bootloader Version ->                1.1.2
Configuration ->                     Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->                  Net Token Slot

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

Create separate partitions for each peer and orderer organization within Hyperledger. Label these partitions as follows:

• org1.example.com

• org2.example.com

• orderer.example.com

For illustrative purposes, a single client has been registered across all partitions, utilizing userpin as the crypto officer password for different organizations. In a production environment where each identity (peer, orderer, and user) operates on separate systems, it is strongly recommended to register each client identity with its own dedicated HSM partition.

Verify the successful registration and configuration of partitions using the following command:

/usr/safenet/lunaclient/bin/lunacm

The output should display information for each registered partition, including Slot Id, Label, Serial Number, Model, Firmware Version, Configuration, Slot Description, and FM HW Status. Here's the sample output:

Slot Id ->              0
Label ->                org1.example.com
Serial Number ->        1238696044924
Model ->                LunaSA 7.4.0
Firmware Version ->     7.4.0
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Slot Id ->              1
Label ->                org2.example.com
Serial Number ->        1238696044925
Model ->                LunaSA 7.4.0
Firmware Version ->     7.4.0
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Slot Id ->              2
Label ->                orderer.example.com
Serial Number ->        1238696044926
Model ->                LunaSA 7.4.0
Firmware Version ->     7.4.0
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM

Generate a dedicated partition on the HSM intended for use by the Hyperledger Fabric Client.

Confirm the successful registration and configuration of the partition using the following command:

/usr/safenet/lunaclient/bin/lunacm

The output should provide information on the registered partitions, including Slot Id, Label, Serial Number, Model, Firmware Version, Configuration, Slot Description, and Current Slot Id. Here's the sample output:

Slot Id ->              0
Label ->                fabric-sdk
Serial Number ->        1280780175900
Model ->                LunaSA 7.3.0
Firmware Version ->     7.3.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
Current Slot Id: 0

The example demonstrates the use of the label fabric-sdk and the password userpin for end-to-end execution. In a production environment, it is advisable to set the password in accordance with your organization's security policies.

Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means

This integration has been certified on the RHEL platform.

Extract the .zip file into a directory on your client workstation.

Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.

tar -xvf cvclient-min.tar

Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.

source ./setenv

To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.

Run the LunaCM utility and verify that the Cloud HSM service is listed.

If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.

Create the following Luna Cloud services in Luna Cloud HSM:

• org1.example.com

• org2.example.com

• orderer.example.com

It is advisable to use a minimal client package if you are deploying three partitions on the same host.

For each service, generate a Linux service client and download the zip file to the host system.

Make the following directories on the client machine:

mkdir -p /etc/hyperledger/fabric/dpod/org1.example.com
mkdir -p /etc/hyperledger/fabric/dpod/org2.example.com
mkdir -p /etc/hyperledger/fabric/dpod/orderer.example.com

Unzip the client zip files for org1.example.com, org2.example.com, and orderer.example.com into their respective directories.

Complete the following processes:

• Initialize the partition, Crypto Officer, and Crypto User roles.

• Set the ChrystokiConfigurationPath environment variable to point to the Chrystoki.conf file.

• Using LunaCM, set the partition password to userpin for partition labels org1.example.com, org2.example.com, and orderer.example.com.

It is recommended to use separate partitions for all peers, orderers, and users. For this example, ensure that all partitions are initialized with the provided label, and userpin is used as the partition password to successfully complete the demo using byfn. In a production environment, set the partition password according to your organization's security policy.

Create the Luna Cloud service for fabric-sdk in Luna Cloud HSM.

Upon service creation, generate a Linux service client and download the zip file to the host system.

Create directory on the client machine:

mkdir -p /usr/safenet/dpod

Unzip the client zip files for fabric-sdk into the designated directory.

Refer to the Application Owner Quick Start Guide and perform the following tasks:

• Initialize the partition, Security Officer, Crypto Officer, and Crypto User roles.

• Set the ChrystokiConfigurationPath environment variable or create the soft link /etc/Chrystoki.conf to point to the Chrystoki.conf file.

• Using LunaCM, set the partition password to userpin for the partition labeled fabric-sdk.

This execution example utilizes the label fabric-sdk and the password userpin. For optimal security in a production environment, we strongly advise configuring the password in alignment with your organization's security policy. This ensures the implementation adheres to the highest standards of security and compliance.

Install Hyperledger Fabric and Fabric CA prerequisite libraries:

• Ubuntu:

sudo apt-get install git curl alien python-pip libltdl-dev

• RHEL/CentOS:

sudo yum install git curl alien python-pip libtool-ltdl-devel

Install and set up Golang:

• Install Golang: Golang Installation

• Download Golang binaries: Golang Download

Install and set up Docker and Docker Compose:

• Install Docker: Docker Installation

• Install Docker Compose: Docker Compose Installation

• Configure Docker so that sudo is not required to run further commands:

sudo gpasswd -a $USER docker
newgrp docker

• Ensure that the go executable is in the PATH:

export PATH=/usr/local/go/bin:$PATH

Install and configure Hyperledger Fabric and Fabric CA:

• Set the GOPATH:

export GOPATH=/opt/gopath
mkdir -p $GOPATH/src/github.com/hyperledger
cd $GOPATH/src/github.com/hyperledger

• Create the Hyperledger Fabric repository:

git clone https://github.com/hyperledger/fabric
cd fabric
git checkout -b release-1.4 origin/release-1.4

• For Client SDK, run:

git checkout -b v1.4.0 v1.4.0

• Build the docker images and executables:

GO_TAGS=pkcs11 make peer orderer cryptogen configtxgen configtxlator

• Clone the fabric-ca project and build the fabric-ca-client binary:

cd $GOPATH/src/github.com/hyperledger
git clone https://github.com/hyperledger/fabric-ca
cd fabric-ca
git checkout -b release-1.4 origin/release-1.4
make fabric-ca-client

• For Client SDK, run:

git checkout -b v1.4.0 v1.4.0

Install and Configure Hyperledger Fabric-Samples:

• Clone the fabric-samples project:

cd $GOPATH/src/github.com/hyperledger
git clone https://github.com/hyperledger/fabric-samples/
cd fabric-samples/
git checkout -b release-1.4 origin/release-1.4
``
`
- Create directories:

mkdir $GOPATH/src/github.com/hyperledger/fabric-samples/bin
mkdir $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/bin


- Copy the executables to the bin directory:

cp $GOPATH/src/github.com/hyperledger/fabric-ca/bin/* $GOPATH/src/github.com/hyperledger/fabric-samples/bin/
cp $GOPATH/src/github.com/hyperledger/fabric/.build/bin/* $GOPATH/src/github.com/hyperledger/fabric-samples/bin


- Copy the executables to the first-network/bin directory:

cp $GOPATH/src/github.com/hyperledger/fabric/.build/bin/* $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/bin
cp $GOPATH/src/github.com/hyperledger/fabric-ca/bin/* $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/bin

Generate CSR

Configure peer nodes

Configure orderer nodes

Build your first network

Configure BCCSP to utilize the Luna PKCS#11 API

Generate cryptographic keys using the gencsr command

Modify the BCCSP section in ~/.fabric-ca-client/fabric-ca-client-config.yaml:

bccsp:
default: PKCS11
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
pkcs11:
hash: SHA2
security: 384
library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
label: org1.example.com
pin: userpin
filekeystore:
keystore: msp/keystore

If the ~/.fabric-ca-client/fabric-ca-client-config.yaml file is not present, run the following command to generate it: # fabric-ca-client gencsr

Add a keyrequest setting to the csr section of ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

csr:
cn:
keyrequest:
algo: ecdsa
size: 384

This setting specifies the key size for the certificate signing request (CSR).

Configure PKCS11 values in fabric-ca-client-config.yaml. You can leave PKCS11 values in the file blank and specify them using environment variables. Alternatively, override values in the file using the following environment variables:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=[Partition Password]
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Generate CSRs using the command:

./fabric-ca-client gencsr [options]

Specify the following options:

• csr.cn string: Sets the common name field of the certificate signing request.

• mspdir string: Specifies the directory for the Membership Service Provider (MSP), with the default value being msp.

• csr.names stringSlice: Offers a list of CSR names formatted as <name>=<value>, where each name-value pair is separated by commas. For example, C=CA,OU=peer.

Make sure to accurately configure the PKCS11 BCCSP settings or assign the values to the respective environment variables for both peer and orderer. Additionally, specify the correct Common Name (CN), MSP directory, and Names, especially the Organizational Unit (OU) for peer, orderer, or client, within the fabric-ca-client options.

Generate key for orderer.example.com:

./fabric-ca-client gencsr --csr.cn orderer.example.com --mspdir ordererOrganizations/orderer.example.com/orderers/orderer.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=orderer"

Customize options and variables for specific CSR generation. Adjust options and exported variables as per requirements for generating the particular certificate signing request.

Generate CSR for peer0 of org1.example.com:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=org1.example.com
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=userpin
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
./fabric-ca-client gencsr --csr.cn peer0.org1.example.com --mspdir ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=peer"

Generate the key pair for peer0.org1.example.com on the HSM partition org1.example.com, creating the CSR at:
./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com.csr

Copy the CSR, send it to your CA for a signed certificate, and place the certificate in the same directory.

Generate certificate request for Admin User:

./fabric-ca-client gencsr --csr.cn Admin@org1.example.com --mspdir ./crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=client"

Modify the core.yaml file. In the BCCSP section, set PKCS11 as the default as shown below:

BCCSP:
Default: PKCS11
PKCS11:
Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Label: org1.example.com
Pin: userpin
Hash: SHA2
Security: 384

Alternatively, you can leave the PKCS11 values in the core.yaml file blank and specify them using environment variables. To override values in the file, use the following environment variables:

export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Adjust these environment variables to modify the configuration settings of the core.yaml BCCSP according to your requirements.

Modify the orderer.yaml file. In the BCCSP section, set PKCS11 as the default with the following parameters:

BCCSP:
Default: PKCS11
PKCS11:
Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Label: orderer.example.com
Pin: userpin
Hash: SHA2
Security: 384

Alternatively, you can leave the PKCS11 values in the orderer.yaml file blank and specify them using environment variables. To override values in the file, use the following environment variables:

export ORDERER_GENERAL_BCCSP_DEFAULT=PKCS11
export ORDERER_GENERAL_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export ORDERER_GENERAL_BCCSP_PKCS11_PIN=[Partition Password]
export ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

The integration process is complete, and all necessary components are installed for developing blockchain applications or operating Hyperledger Fabric. Key materials have been generated on a Luna HSM using the PKCS11 BCCSP. Configuration settings for the core.yaml and orderer.yaml files have been adjusted to use the PKCS11 BCCSP, and these files have been mounted as volumes in Peer and Orderer configuration files.

Initialize blockchain network:

• Start the Fabric CA, orderer, and peers to initiate the creation of channel artifacts and the running of the channel.

• Join the nodes in the channel, establishing a permissioned blockchain network.

• Assign identity certificates to member organizations and their nodes, enabling them to uniquely identify themselves and conduct secure transactions within the network.

• Utilizing the PKCS11 BCCSP with the Thales Luna HSM, generate a library of X509 certificates (cryptographic material) for associated Peer/Orderer nodes, ensuring that all key pairs are created securely on the Thales Luna HSM.

Update the ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

bccsp:
default: PKCS11
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
pkcs11:
hash: SHA2
security: 384
library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
label:
pin:

Configure keyrequest in csr section of ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

csr:
cn:
keyrequest:
algo: ecdsa
size: 384

Navigate to the first-network directory:

cd $GOPATH/src/github.com/hyperledger/fabric-samples/first-network

Generate secure cryptographic material. Start by saving the provided script as gencerts.sh. Ensure that the necessary environment variables are configured. Execute the script to initiate the generation of cryptographic keys, leveraging the advanced security features of the Luna HSM throughout the process.

The script seamlessly integrates with the cryptogen tool, generating Membership Service Providers (MSPs) for peer, orderer, and admin user entities through the fabric-ca-client gencsr command. Utilizing OpenSSL, the script ensures the generation of certificates, with the CAs sourced from cryptogen. The entire process is encapsulated within the script, enhancing the efficiency and security of cryptographic material generation.

!/bin/bash
##########################################################################
# This script generates certificates and keys to work with the cryptogen util
# to be used with the hyperledger fabric BYFN example.
# This allows the keys for the certificate to be generated with the
# PKCS11 BCCSP which in turn allows keys to be generated in an HSM.
##########################################################################

CA_CLIENT=./bin/fabric-ca-client
CRYPTO_CONFIG=$PWD/crypto-config
ROOT=$PWD
BCCSP_DEFAULT=PKCS11
PIN=userpin
check_error() {
  if [ $? -ne 0 ]; then
    echo "ERROR: Something went wrong!"
    exit 1
  fi
}

signcsr() {
  MSP=$1
  CN=$2
  CA_DIR=$3
  CA_NAME=$4
  CA_CERT=$(find $CA_DIR -name "*.pem")
  CA_KEY=$(find $CA_DIR -name "*_sk")
  CSR=$MSP/signcerts/$CN.csr
  CERT=$MSP/signcerts/$CN-cert.pem
  openssl x509 -req -sha256 -days 3650 -in $CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $CERT
  check_error
}

genmsp() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  NODE_OU=$6
  CN=${NODE_NAME}${ORG_NAME}
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  TLS=$NODE_PATH/tls
  LABEL=$5
  rm -rf $MSP/keystore/*
  rm -rf $MSP/signcerts/*
  echo $LABEL
  export FABRIC_CA_CLIENT_BCCSP_DEFAULT=$BCCSP_DEFAULT
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=$LABEL
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=$PIN
  $CA_CLIENT gencsr --csr.cn $CN --mspdir $MSP --csr.names "C=US,ST=California,L=San Francisco,OU=$NODE_OU"
  check_error
  signcsr $MSP $CN $CA_PATH/ca $ORG_NAME
}

copy_admin_cert_node() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  CN=$NODE_NAME.$ORG_NAME
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem
  cp $ADMIN_CERT $NODE_PATH/msp/admincerts
  check_error
}

copy_admin_cert_ca() {
  ORG_DIR=$1
  ORG_NAME=$2
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem
  cp $ADMIN_CERT $CA_PATH/msp/admincerts
  check_error
  cp $ADMIN_CERT $CA_PATH/users/$ADMIN_CN/msp/admincerts
  check_error
}

for org in 1 2; do
  for peer in 0 1; do
    genmsp peerOrganizations org${org}.example.com peers peer${peer}. org${org}.example.com peer
  done
  genmsp peerOrganizations org${org}.example.com users Admin@ org${org}.example.com client
  for peer in 0 1; do
    copy_admin_cert_node peerOrganizations org${org}.example.com peers peer${peer}
  done
  copy_admin_cert_ca peerOrganizations org${org}.example.com
done

genmsp ordererOrganizations example.com orderers orderer. orderer.example.com orderer
genmsp ordererOrganizations example.com users Admin@ orderer.example.com client
copy_admin_cert_node ordererOrganizations example.com orderers orderer orderer.example.com
copy_admin_cert_ca ordererOrganizations example.com
##########################################################################
# End of generate.sh script
##########################################################################

Duplicate the orderer.yaml file from $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/ to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml using the following command:

cp $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/orderer.yaml $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml

Duplicate the core.yaml file from $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/ to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml using the following command:

cp $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/core.yaml $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml file and modify the bccsp section as follows:

BCCSP:
    Default: PKCS11
    PKCS11:
        Library:
        Label:
        Pin:
        Hash: SHA2
        Security: 384  

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml file and add or modify the bccsp and system sections as shown below:

BCCSP:
    Default: PKCS11
    PKCS11:
        Library:
        Label:
        Pin:
        Hash: SHA2
        Security: 384
system:
    escc: enable
    vscc: enable

In the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/base/peer-base.yaml file, perform the following steps:

i. Add or modify the following text in the service peer-base section:

image: fabric-peer-pkcs11:${IMAGE_TAG}
build:
context: ..
dockerfile: ../docker-files/Dockerfile.peer
args:
- IMAGE_TAG=${IMAGE_TAG}

ii. Add the following text to the service peer-base section:

- CORE_PEER_BCCSP_PKCS11_LIBRARY=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
- CORE_PEER_BCCSP_PKCS11_PIN=userpin

iii. Add the volumes section to the service peer-base section:

volumes:
- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- ../core.yaml:/etc/hyperledger/fabric/core.yaml

iv. In the service orderer-base section, add or modify the following:

image: fabric-orderer-pkcs11:${IMAGE_TAG}
build:
context: ..
dockerfile: ../docker-files/Dockerfile.orderer
args:
- IMAGE_TAG=${IMAGE_TAG}

Open the docker-compose-base.yaml file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/base/ and perform the following tasks:

i. In the service orderer.example.com under the volume section, add:

- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- ../orderer.yaml:/etc/hyperledger/fabric/orderer.yaml

ii. Add the environment section in service orderer.example.com:

environment:
- ORDERER_GENERAL_BCCSP_PKCS11_LABEL=orderer.example.com
- ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
- ORDERER_GENERAL_BCCSP_PKCS11_PIN=userpin

iii. In service peer0.org1.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com

iv. In service peer1.org1.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com

v. In service peer0.org2.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com

vi. In service peer1.org2.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com

Open the docker-compose-cli.yaml file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/ and make the following changes in the cli section:

i. Add or modify the following text:

image: fabric-tools-pkcs11:${IMAGE_TAG}
build:
context: .
dockerfile: ../docker-files/Dockerfile.tools
args:
- IMAGE_TAG=${IMAGE_TAG}

ii. Add the following under the environment section:

- CORE_PEER_BCCSP_PKCS11_LIBRARY=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
- CORE_PEER_BCCSP_PKCS11_PIN=userpin

iii. Add the following under the volumes section:

- /usr/safenet/lunaclient:/usr/safenet/lunaclient
- /etc/Chrystoki.conf:/etc/Chrystoki.conf
- ./core.yaml:/etc/hyperledger/fabric/core.yaml

Open the utils.sh file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/scripts/ and make the following changes to the setGlobals function:

i. After the line if [ $ORG -eq 1 ], add the following code:

export CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com

ii. After the line elif [ $ORG -eq 2 ], add the following code:

export CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com

Create a directory named docker-files at $GOPATH/src/github.com/hyperledger/fabric-samples/ using the following command:

mkdir $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files

Create a file named Dockerfile.orderer at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-orderer:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/orderer /usr/local/bin

Create a file named Dockerfile.peer at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-peer:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/peer /usr/local/bin

Create a file named Dockerfile.tools at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-tools:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/peer /usr/local/bin
COPY ./bin/fabric-ca-client /usr/local/bin

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/byfn.sh file and make the following changes:

i. Comment the following code in the networkDown function:

rm -rf channel-artifacts/*.block channel-artifacts/*.tx crypto-config ./org3-artifacts/crypto-config/ channel-artifacts/org3.json

ii. Add ./gencerts.sh between replacePrivateKey and generateChannelArtifacts in the main function after line no. 599:

elif [ "${MODE}" == "generate" ]; then 
generateCerts
replacePrivateKey
./gencerts.sh
generateChannelArtifacts

Change the directory to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network using the following command:

cd $GOPATH/src/github.com/hyperledger/fabric-samples/first-network

Generate the cryptographic material in the HSM partitions, create Certificate Signing Requests (CSRs), and issue certificates using the command:

./byfn.sh generate

Execute the first-network example using the following command:

./byfn.sh up -i 1.4.8

Ensure successful completion by confirming the presence of the BYFN execution completed message.

Generate CSR

Configure peer nodes

Configure orderer nodes

Build your first network

Configure BCCSP to utilize the Luna PKCS#11 API

Generate cryptographic keys using the gencsr command

Modify the BCCSP section in ~/.fabric-ca-client/fabric-ca-client-config.yaml:

bccsp:
default: PKCS11
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
pkcs11:
hash: SHA2
security: 384
library: /etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
label: org1.example.com
pin: userpin
filekeystore:
keystore: msp/keystore

If the ~/.fabric-ca-client/fabric-ca-client-config.yaml file is not present, run the following command to generate it: # fabric-ca-client gencsr

Add a keyrequest setting to the csr section of ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

csr:
cn:
keyrequest:
algo: ecdsa
size: 384

This setting specifies the key size for the certificate signing request (CSR).

Configure PKCS11 values in fabric-ca-client-config.yaml. You can leave PKCS11 values in the file blank and specify them using environment variables. Alternatively, override values in the file using the following environment variables:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=[Partition Password]
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Generate CSRs using the command:

./fabric-ca-client gencsr [options]

Specify the following options:

• csr.cn string: Sets the common name field of the certificate signing request.

• mspdir string: Specifies the directory for the Membership Service Provider (MSP), with the default value being msp.

• csr.names stringSlice: Offers a list of CSR names formatted as [name]=[value], where each name-value pair is separated by commas. For example, C=CA,OU=peer.

Make sure to accurately configure the PKCS11 BCCSP settings or assign the values to the respective environment variables for both peer and orderer. Additionally, specify the correct Common Name (CN), MSP directory, and Names, especially the Organizational Unit (OU) for peer, orderer, or client, within the fabric-ca-client options.

Generate key for orderer.example.com:

./fabric-ca-client gencsr --csr.cn orderer.example.com --mspdir ordererOrganizations/orderer.example.com/orderers/orderer.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=orderer"

Customize options and variables for specific CSR generation. Adjust options and exported variables as per requirements for generating the particular certificate signing request.

Generate CSR for peer0 of org1.example.com:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=org1.example.com
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=userpin
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
./fabric-ca-client gencsr --csr.cn peer0.org1.example.com --mspdir ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=peer"

Generate the key pair for peer0.org1.example.com on the HSM partition org1.example.com, creating the CSR at:
./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com.csr

Copy the CSR, send it to your CA for a signed certificate, and place the certificate in the same directory.

Generate certificate request for Admin User:

./fabric-ca-client gencsr --csr.cn Admin@org1.example.com --mspdir ./crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --csr.names "C=US,ST=California,L=San Francisco,OU=client"

Modify the core.yaml file. In the BCCSP section, set PKCS11 as the default as shown below:

BCCSP:
Default: PKCS11
PKCS11:
Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Label: org1.example.com
Pin: userpin
Hash: SHA2
Security: 384

Alternatively, you can leave the PKCS11 values in the core.yaml file blank and specify them using environment variables. To override values in the file, use the following environment variables:

export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Adjust these environment variables to modify the configuration settings of the core.yaml BCCSP according to your requirements.

Modify the orderer.yaml file. In the BCCSP section, set PKCS11 as the default with the following parameters:

BCCSP:
Default: PKCS11
PKCS11:
Library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
Label: orderer.example.com
Pin: userpin
Hash: SHA2
Security: 384

Alternatively, you can leave the PKCS11 values in the orderer.yaml file blank and specify them using environment variables. To override values in the file, use the following environment variables:

export ORDERER_GENERAL_BCCSP_DEFAULT=PKCS11
export ORDERER_GENERAL_BCCSP_PKCS11_LABEL=[HSM Partition Label]
export ORDERER_GENERAL_BCCSP_PKCS11_PIN=[Partition Password]
export ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

The integration process is complete, and all necessary components are installed for developing blockchain applications or operating Hyperledger Fabric. Key materials have been generated on a Luna HSM using the PKCS11 BCCSP. Configuration settings for the core.yaml and orderer.yaml files have been adjusted to use the PKCS11 BCCSP, and these files have been mounted as volumes in Peer and Orderer configuration files.

Initialize blockchain network:

• Start the Fabric CA, orderer, and peers to initiate the creation of channel artifacts and the running of the channel.

• Join the nodes in the channel, establishing a permissioned blockchain network.

• Assign identity certificates to member organizations and their nodes, enabling them to uniquely identify themselves and conduct secure transactions within the network.

• Utilizing the PKCS11 BCCSP with the Thales Luna HSM, generate a library of X509 certificates (cryptographic material) for associated Peer/Orderer nodes, ensuring that all key pairs are created securely on the Thales Luna HSM.

Update the ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

bccsp:
default: PKCS11
sw:
hash: SHA2
security: 256
filekeystore:
keystore: msp/keystore
pkcs11:
hash: SHA2
security: 384
library: /etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
label:
pin:

Configure keyrequest in csr section of ~/.fabric-ca-client/fabric-ca-client-config.yaml file:

csr:
cn:
keyrequest:
algo: ecdsa
size: 384

Navigate to the first-network directory:

cd $GOPATH/src/github.com/hyperledger/fabric-samples/first-network

Generate secure cryptographic material. Start by saving the provided script as gencerts.sh. Ensure that the necessary environment variables are configured. Execute the script to initiate the generation of cryptographic keys, leveraging the advanced security features of the Luna HSM throughout the process.

The script seamlessly integrates with the cryptogen tool, generating Membership Service Providers (MSPs) for peer, orderer, and admin user entities through the fabric-ca-client gencsr command. Utilizing OpenSSL, the script ensures the generation of certificates, with the CAs sourced from cryptogen. The entire process is encapsulated within the script, enhancing the efficiency and security of cryptographic material generation.

!/bin/bash
##########################################################################
# This script generates certificates and keys to work with the cryptogen util
# to be used with the hyperledger fabric BYFN example.
# This allows the keys for the certificate to be generated with the
# PKCS11 BCCSP which in turn allows keys to be generated in an HSM.
##########################################################################

CA_CLIENT=./bin/fabric-ca-client
CRYPTO_CONFIG=$PWD/crypto-config
ROOT=$PWD
BCCSP_DEFAULT=PKCS11
PIN=userpin

check_error() {
  if [ $? -ne 0 ]; then
    echo "ERROR: Something went wrong!"
    exit 1
  fi
}

signcsr() {
  MSP=$1
  CN=$2
  CA_DIR=$3
  CA_NAME=$4
  CA_CERT=$(find $CA_DIR -name "*.pem")
  CA_KEY=$(find $CA_DIR -name "*_sk")
  CSR=$MSP/signcerts/$CN.csr
  CERT=$MSP/signcerts/$CN-cert.pem

  openssl x509 -req -sha256 -days 3650 -in $CSR -CA $CA_CERT -CAkey $CA_KEY -CAcreateserial -out $CERT
  check_error
}

genmsp() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  NODE_OU=$6
  CN=${NODE_NAME}${ORG_NAME}
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  TLS=$NODE_PATH/tls
  LABEL=$5

  rm -rf $MSP/keystore/*
  rm -rf $MSP/signcerts/*
  echo $LABEL

  export FABRIC_CA_CLIENT_BCCSP_DEFAULT=$BCCSP_DEFAULT
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=$LABEL
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=$PIN
  export ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/$LABEL
  export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/$LABEL/libs/64/libCryptoki2.so

  $CA_CLIENT gencsr --csr.cn $CN --mspdir $MSP --csr.names "C=US,ST=California,L=San Francisco,OU=$NODE_OU"
  check_error
  signcsr $MSP $CN $CA_PATH/ca $ORG_NAME
}

copy_admin_cert_node() {
  ORG_DIR=$1
  ORG_NAME=$2
  NODE_DIR=$3
  NODE_NAME=$4
  CN=$NODE_NAME.$ORG_NAME
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  NODE_PATH=$CA_PATH/$NODE_DIR/$CN
  MSP=$NODE_PATH/msp
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem

  cp $ADMIN_CERT $NODE_PATH/msp/admincerts
  check_error
}

copy_admin_cert_ca() {
  ORG_DIR=$1
  ORG_NAME=$2
  CA_PATH=$CRYPTO_CONFIG/$ORG_DIR/$ORG_NAME
  ADMIN_CN=Admin@$ORG_NAME
  ADMIN_CERT=$CA_PATH/users/$ADMIN_CN/msp/signcerts/$ADMIN_CN-cert.pem

  cp $ADMIN_CERT $CA_PATH/msp/admincerts
  check_error
  cp $ADMIN_CERT $CA_PATH/users/$ADMIN_CN/msp/admincerts
  check_error
}

for org in 1 2; do
  for peer in 0 1; do
    genmsp peerOrganizations org${org}.example.com peers peer${peer}. org${org}.example.com peer
  done
  genmsp peerOrganizations org${org}.example.com users Admin@ org${org}.example.com client
  for peer in 0 1; do
    copy_admin_cert_node peerOrganizations org${org}.example.com peers peer${peer}
  done
  copy_admin_cert_ca peerOrganizations org${org}.example.com
done

genmsp ordererOrganizations example.com orderers orderer. orderer.example.com orderer
genmsp ordererOrganizations example.com users Admin@ orderer.example.com client
copy_admin_cert_node ordererOrganizations example.com orderers orderer orderer.example.com
copy_admin_cert_ca ordererOrganizations example.com

##########################################################################
# End of generate.sh script
##########################################################################

Duplicate the orderer.yaml file from $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/ to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml using the following command:

cp $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/orderer.yaml $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml

Duplicate the core.yaml file from $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/ to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml using the following command:

cp $GOPATH/src/github.com/hyperledger/fabric/sampleconfig/core.yaml $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/orderer.yaml file and modify the bccsp section as follows:

BCCSP:
    Default: PKCS11
    PKCS11:
        Library:
        Label:
        Pin:
        Hash: SHA2
        Security: 384  

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/core.yaml file and add or modify the bccsp and system sections as shown below:

BCCSP:
    Default: PKCS11
    PKCS11:
        Library:
        Label:
        Pin:
        Hash: SHA2
        Security: 384
system:
    escc: enable
    vscc: enable

In the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/base/peer-base.yaml file, perform the following steps:

i. Add or modify the following text in the service peer-base section:

image: fabric-peer-pkcs11:${IMAGE_TAG}
build:
context: ..
dockerfile: ../docker-files/Dockerfile.peer
args:
- IMAGE_TAG=${IMAGE_TAG}

ii. Add the following text to the service peer-base section:

- CORE_PEER_BCCSP_PKCS11_PIN=userpin

iii. Add the volumes section to the service peer-base section:

volumes:
- ../core.yaml:/etc/hyperledger/fabric/core.yaml

iv. In the service orderer-base section, add or modify the following:

image: fabric-orderer-pkcs11:${IMAGE_TAG}
build:
context: ..
dockerfile: ../docker-files/Dockerfile.orderer
args:
- IMAGE_TAG=${IMAGE_TAG}

Open the docker-compose-base.yaml file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/base/ and perform the following tasks:

i. In the service orderer.example.com under the volume section, add:

- ../orderer.yaml:/etc/hyperledger/fabric/orderer.yaml
- /etc/hyperledger/fabric/dpod/orderer.example.com:/etc/hyperledger/fabric/dpod/orderer.example.com

ii. Add the environment section in service orderer.example.com:

environment:
- ORDERER_GENERAL_BCCSP_PKCS11_LABEL=orderer.example.com
- ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/orderer.example.com/libs/64/libCryptoki2.so
- ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/orderer.example.com
- ORDERER_GENERAL_BCCSP_PKCS11_PIN=userpin

iii. In service peer0.org1.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
- CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
- ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org1.example.com

iv. In service peer0.org1.example.com, under the volumes section, add:

–/etc/hyperledger/fabric/dpod/org1.example.com:/etc/hyperledger/fabric/dpod/org1.example.com

v. In service peer1.org1.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
- CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
- ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org1.example.com

vi. In service peer1.org1.example.com, under the volumes section, add:

- /etc/hyperledger/fabric/dpod/org1.example.com:/etc/hyperledger/fabric/dpod/org1.example.com

vii. In service peer0.org2.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
- CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org2.example.com/libs/64/libCryptoki2.so
- ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org2.example.com

viii. In service peer0.org2.example.com, under the volumes section, add:

- /etc/hyperledger/fabric/dpod/org2.example.com:/etc/hyperledger/fabric/dpod/org2.example.com

ix. In service peer1.org2.example.com, under the environment section, add:

- CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
- CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org2.example.com/libs/64/libCryptoki2.so
- ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org2.example.com

x. In service peer1.org2.example.com, under the volumes section, add:

- /etc/hyperledger/fabric/dpod/org2.example.com:/etc/hyperledger/fabric/dpod/org2.example.com

Open the docker-compose-cli.yaml file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/ and make the following changes in the cli section:

i. Add or modify the following text:

image: fabric-tools-pkcs11:${IMAGE_TAG}
build:
context: .
dockerfile: ../docker-files/Dockerfile.tools
args:
- IMAGE_TAG=${IMAGE_TAG}

ii. Add the following under the environment section:

- CORE_PEER_BCCSP_PKCS11_PIN=userpin

iii. Add the following under the volumes section:

- /etc/hyperledger/fabric/dpod:/etc/hyperledger/fabric/dpod
- ./core.yaml:/etc/hyperledger/fabric/core.yaml

Open the utils.sh file located at $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/scripts/ and make the following changes to the setGlobals function:

i. After the line if [ $ORG -eq 1 ], add the following code:

export CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
export CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
export ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org1.example.com

ii. After the line elif [ $ORG -eq 2 ], add the following code:

export CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
export CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/dpod/org2.example.com/libs/64/libCryptoki2.so
export ChrystokiConfigurationPath=/etc/hyperledger/fabric/dpod/org2.example.com

Create a directory named docker-files at $GOPATH/src/github.com/hyperledger/fabric-samples/ using the following command:

mkdir $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files

Create a file named Dockerfile.orderer at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-orderer:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/orderer /usr/local/bin

Create a file named Dockerfile.peer at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-peer:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/peer /usr/local/bin

Create a file named Dockerfile.tools at $GOPATH/src/github.com/hyperledger/fabric-samples/docker-files/ and add the following code:

ARG IMAGE_TAG
FROM hyperledger/fabric-tools:$IMAGE_TAG
RUN apt-get update && apt-get install -y libtool
COPY ./bin/peer /usr/local/bin
COPY ./bin/fabric-ca-client /usr/local/bin

Open the $GOPATH/src/github.com/hyperledger/fabric-samples/first-network/byfn.sh file and make the following changes:

i. Comment the following code in the networkDown function:

rm -rf channel-artifacts/*.block channel-artifacts/*.tx crypto-config ./org3-artifacts/crypto-config/ channel-artifacts/org3.json

ii. Add ./gencerts.sh between replacePrivateKey and generateChannelArtifacts in the main function after line no. 599:

elif [ "${MODE}" == "generate" ]; then 
generateCerts
replacePrivateKey
./gencerts.sh
generateChannelArtifacts

Change the directory to $GOPATH/src/github.com/hyperledger/fabric-samples/first-network using the following command:

cd $GOPATH/src/github.com/hyperledger/fabric-samples/first-network

Generate the cryptographic material in the HSM partitions, create Certificate Signing Requests (CSRs), and issue certificates using the command:

./byfn.sh generate

Execute the first-network example using the following command:

./byfn.sh up -i 1.4.8

Ensure successful completion by confirming the presence of the BYFN execution completed message.

Install Node.js and npm using your Linux package manager.

Add the fabric-ca-client and configtxgen binaries to your path:

export PATH=/opt/gopath/src/github.com/hyperledger/fabric-ca/bin:/opt/gopath/src/github.com/hyperledger/fabric/release/linux-amd64/bin:$PATH

Check out the fabric-sdk-node source code:

cd $GOPATH/src/github.com/hyperledger
git clone https://gerrit.hyperledger.org/r/fabric-sdk-node
cd fabric-sdk-node
git checkout -b v1.4.0 v1.4.0
cd ..

These instructions are based on Hyperledger Fabric and Fabric Client SDK tag v1.4.0. Ensure compatibility with the latest tags, as the instructions may differ for the master branch.

Check out the Fabric SDK HSM Integration repo:

git clone https://github.com/gemalto/fabric-sdk-hsm

Generate the fabric-ca-client default configuration file:

fabric-ca-client gencsr

Modify the bccsp section in ~/.fabric-ca-client/fabric-ca-client-config.yaml:

bccsp:
default: PKCS11
pkcs11:
hash: SHA2
security: 256
library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
label: 
pin: 
filekeystore:
keystore: msp/keystore

Pay attention to spaces, not tabs. Ensure the correct path to the Thales Cryptoki library.

Run the helper script to generate private keys in the HSM:

PKCS11_LABEL=fabric-sdk PKCS11_PIN=userpin ./fabric-sdk-hsm/node/genAdminPkcs11Node.sh

Copy required JavaScript files from fabric-sdk-hsm to fabric-sdk-node:

cp fabric-sdk-hsm/node/e2eHSM.js fabric-sdk-node/test/integration/
cp fabric-sdk-hsm/node/utilHSM.js fabric-sdk-node/test/unit/

Install gulp and required dependencies:

cd fabric-sdk-node
sudo npm install -g gulp
npm install
gulp ca

Open a new terminal in the fabric-sdk-node directory and start the fabric docker containers:

cd test/fixtures
export DOCKER_IMG_TAG=:1.4.0
docker-compose up

In the previous terminal, configure constant values in the test/unit/utilHSM.js file:

const PKCS11_LIB = '/usr/safenet/lunaclient/lib/libCryptoki2_64.so';
const PKCS11_SLOT = 0;
const PKCS11_PIN = 'userpin';
const PKCS11_USER_TYPE = 1;

Ensure the PKCS11_LIB path points to the correct Thales Cryptoki library when using Thales Luna HSM or Luna Cloud Service.

Run the end-to-end HSM integration test:

node test/integration/e2eHSM.js

Ensure the test completes successfully, and you should observe the following snippet in the output:

***** TransientMap Support in Proposals *****
ok 207 Successfully retrieved TLS certificate
ok 208 Successfully loaded member from persistence
ok 209 Successfully enrolled user 'admin' (e2eUtil 4)
ok 210 Checking the result has the transientMap value returned by the chaincode
ok 211 Checking the result has the transientMap value returned by the chaincode
ok 212 Successfully verified transient map values
1..212
tests 212
pass  212
ok

To clean up the Docker containers in the docker-compose terminal, press CTRL-C and run the following commands:

docker rm -f $(docker ps -aq)
docker-compose up

To re-execute the end-to-end HSM integration test for further verification, repeat the end-to-end HSM integration test mentioned in step 12 above.

Install Java and Maven using your Linux package manager.

Add the fabric-ca-client and configtxgen binaries to the system path:

export PATH=/opt/gopath/src/github.com/hyperledger/fabric-ca/bin:/opt/gopath/src/github.com/hyperledger/fabric/release/linux-amd64/bin:$PATH

Copy LunaProvider.jar and libLunaAPI.so into the <Java installation path>/jre/lib/ext directory. For example:

cp /usr/safenet/lunaclient/jsp/lib/LunaProvider.jar /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/ext
cp /usr/safenet/lunaclient/jsp/lib/libLunaAPI.so /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/ext

For Luna Cloud, use the files available at <Luna Cloud HSM Installation Directory>/jsp/LunaProvider.jar and <Luna Cloud HSM Installation Directory>/jsp/64/libLunaAPI.so.

Clone the fabric-sdk-java source code and switch to the specified tag:

git clone https://gerrit.hyperledger.org/r/fabric-sdk-java
cd fabric-sdk-java
git checkout -b v1.4.0 v1.4.0
cd ..

These instructions are based on Hyperledger Fabric and Fabric Client SDK tag v1.4.0. Use the specified tag for compatibility.

Clone the Fabric SDK HSM Integration repository:

git clone https://github.com/gemalto/fabric-sdk-hsm

Generate the fabric-ca-client default configuration file using the following command:

fabric-ca-client gencsr

Modify the BCCSP section in ~/.fabric-ca-client/fabric-ca-client-config.yaml to set PKCS11 as the default BCCSP:

bccsp:
default: PKCS11
pkcs11:
hash: SHA2
security: 256
library: /usr/safenet/lunaclient/lib/libCryptoki2_64.so
label: 
pin: 
filekeystore:
keystore: msp/keystore

Use spaces (not tabs) and ensure the correct Thales Cryptoki library path when using Thales Luna HSM or Luna Cloud Service.

Execute the helper script to generate private keys in the HSM, create Certificate Signing Requests (CSRs) for Peer and Orderer Admin users, and generate certificates:

PKCS11_LABEL=fabric-sdk PKCS11_PIN=userpin ./fabric-sdk-hsm/java/genAdminPkcs11Java.sh

Replace fabric-sdk with the partition label and userpin with the partition CO password. This script utilizes configtxgen and generates the genesis block with new certificates.

Copy the required Java files from fabric-sdk-hsm to fabric-sdk-java:

cp fabric-sdk-hsm/java/End2endHSMIT.java fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/
cp fabric-sdk-hsm/java/SampleHSMStore.java fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/

Open a new terminal, navigate to the fabric-sdk-java directory, and start the Fabric Docker containers:

cd ./fabric-sdk-java/src/test/fixture/sdkintegration
export DOCKER_IMG_TAG=:1.4.0
docker-compose up

In the previous terminal, go to fabric-sdk-java/src/test/java/org/hyperledger/fabric/sdkintegration/End2endHSMIT.java and configure constant values for the slot and partition password if needed:

private static final String TOKEN_LABEL = "fabric-sdk";
private static final String PARTITION_PASSWORD = "userpin";

In this context, fabric-sdk refers to the partition label, and userpin refers to the partition CO password.

Execute the end-to-end HSM integration test with the following commands:

cd fabric-sdk-java
mvn failsafe:integration-test -Dtest=End2endHSMIT test

Verify successful test completion. Upon successful completion, the following snippet will appear on your screen:

--------------------------------------------------------------------------
That's all folks!
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 40.431 sec - in org.hyperledger.fabric.sdkintegration.End2endHSMIT
Results :
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO] --- jacoco-maven-plugin:0.7.9:report (post-unit-test) @ fabric-sdk-java ---
[INFO] Loading execution data file /opt/gopath/src/github.com/hyperledger/fabric-sdk-java/target/coverage-reports/jacoco-ut.exec
[INFO] Analyzed bundle 'fabric-java-sdk' with 231 classes
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:42.468s
[INFO] Finished at: Mon Apr 08 13:04:06 IST 2019
[INFO] Final Memory: 30M/188M
[INFO] ------------------------------------------------------------------------

Clean up Docker containers in the docker-compose terminal by pressing CTRL-C and running the following commands:

docker rm -f $(docker ps -aq)
docker-compose up

Repeat Step 12, if desired, to execute the end-to-end HSM integration test again.

Use the following command to install required libraries:

apk add --no-cache docker docker-compose go git make curl alien python3 py3-pip libltdl jq build-base bash libc6-compat gcompat

Execute the following commands to confirm the Docker service is running:

service docker start
service docker status

Download the Universal Client Minimal Package for Alpine Linux and perform the following steps:

mkdir -p /usr/local/lunaclient
tar xvf LunaClient-Minimal-10.3.0-277.alpinelinux3.13.5.tar --strip 1 -C /usr/local/lunaclient

Adjust the file name according to the version you are using.

Create working directory:

mkdir -p $HOME/go/src/github.com/hyperledger
cd $HOME/go/src/github.com/hyperledger

Clone the Hyperledger Fabric repository and switch to the 2.4.7 branch:

git clone https://github.com/hyperledger/fabric.git
cd $HOME/go/src/github.com/hyperledger/fabric
git checkout -b tag_v2.4.7 v2.4.7

These instructions are based on the Hyperledger Fabric release-2.4.7 tag. Use this repository checkout for compatibility.

Build Docker images and compile binaries:

make GO_TAGS=pkcs11 docker peer orderer
cd $HOME/go/src/github.com/hyperledger

Clone Hyperledger Fabric Samples repository:

git clone https://github.com/hyperledger/fabric-samples.git

Download the install script and install Fabric binaries for version 2.4.7:

curl -sSLO https://raw.githubusercontent.com/hyperledger/fabric/main/scripts/install-fabric.sh && chmod +x install-fabric.sh
./install-fabric.sh --fabric-version 2.4.7 binaries

Copy the sample config from the Fabric repository to the fabric-samples repository:

cp -r $HOME/go/src/github.com/hyperledger/fabric/sampleconfig/ $HOME/go/src/github.com/hyperledger/fabric-samples/config

Copy the compiled peer and orderer binaries from the Fabric repository to the fabric-samples repository:

cp $HOME/go/src/github.com/hyperledger/fabric/build/bin/peer $HOME/go/src/github.com/hyperledger/fabric-samples/bin/
cp $HOME/go/src/github.com/hyperledger/fabric/build/bin/orderer $HOME/go/src/github.com/hyperledger/fabric-samples/bin/

Clone the fabric-ca repository, build the fabric-ca-client, and copy the fabric-ca-client binary to the fabric-samples repository:

git clone https://github.com/hyperledger/fabric-ca.git
cd $HOME/go/src/github.com/hyperledger/fabric-ca
make fabric-ca-client
cp $HOME/go/src/github.com/hyperledger/fabric-ca/bin/fabric-ca-client $HOME/go/src/github.com/hyperledger/fabric-samples/bin/

Create a directory to store the Chrystoki.conf files and NTLS certs/keys:

cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network
mkdir -p luna/org1

The location of Chrystoki.conf for Universal Client 10.3.0 Minimal Client for Alpine Linux is /usr/local/lunaclient/conf/Chrystoki.conf.

Copy the Chrystoki.conf file for org1 to the designated directory:

cp /usr/local/lunaclient/conf/Chrystoki.conf luna/org1

Open the copied Chrystoki.conf inside the luna/org1 directory and modify the LunaSA Client section for org1 as follows:

LunaSA Client = {
ReceiveTimeout = 20000;
SSLConfigFile = /usr/local/lunaclient/bin/openssl.cnf;
ClientPrivKeyFile = ./luna/org1/org1Key.pem;
ClientCertFile = ./luna/org1/org1.pem;
ServerCAFile = ./luna/org1/server.pem;
NetClient = 1;
TCPKeepAlive = 1;
ServerName00 = ;
ServerPort00 = ;
ServerHtl00 = ;
}

Generate the client certificate and private key for org1 and copy the generated client certificate to Luna HSM for client registration.

export ChrystokiConfigurationPath=luna/org1
/usr/local/lunaclient/bin/vtl createCert -n org1

Copy the certificate file server.pem from the Luna HSM, then run:

/usr/local/lunaclient/bin/vtl addServer -n  -c server.pem

Create a partition named org1.example.com in the Luna HSM, register the client, and initialize the partition along with the CO and CU roles accordingly.

Ensure that the Luna partition is visible by running the lunacm utility.

/usr/local/lunaclient/bin/lunacm

Ensure to use separate partitions for all Peers, Orderers, and Users. Initialize partitions with the labels provided above for successful Fabric network deployment. Set the partition password according to your organization’s security policy.

Modify the createOrg1 function in the file $HOME/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/fabric-ca/registerEnroll.sh as follows:

i. After the line containing export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/, add the following lines:

export ChrystokiConfigurationPath=luna/org1
export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL=org1.example.com
export FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN=
export FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY=
fabric-ca-client gencsr -u https://admin:adminpw@localhost:7054
sed -i 's/bccsp:/bccsp:\n    pkcs11:\n        hash: SHA2\n        security: 384\n        library:\n        label:\n        pin:\n/' ${FABRIC_CA_CLIENT_HOME}/fabric-ca-client-config.yaml
sed -i 's/size: 256/size: 384/' ${FABRIC_CA_CLIENT_HOME}/fabric-ca-client-config.yaml

ii. After the line containing infoln “Generating the peer0-tls certificates, use --csr.hosts to specify Subject Alternative Names”, add the following line:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=SW

iii. After the line containing infoln “Generating the user msp”, add the following line:

export FABRIC_CA_CLIENT_BCCSP_DEFAULT=PKCS11

Apply the above modifications to the createOrg2 and createOrderer functions.

Copy the HSM PKCS11 library to a new directory to be used by the docker containers.

cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network
mkdir docker
cp [HSM PKCS11 Library] ./docker

Create a Dockerfile (Dockerfile.peer) inside the docker directory with the following contents to build a peer image with the client library:

FROM hyperledger/fabric-peer:2.4.7
COPY libCryptoki2_64.so /usr/local/lunaclient/lib/libCryptoki2_64.so
RUN apk add libstdc++

In the COPY command, libCryptoki2_64.so refers to the source HSM PKCS11 Library previously copied to the ./docker location, and /usr/local/lunaclient/lib/libCryptoki2_64.so indicates the destination path inside the Docker image.

Create the peer image using the Dockerfile by executing the following command:

cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network/docker
docker build -t hsm/fabric-peer:latest -f Dockerfile.peer .

Follow the same process to create Dockerfiles for orderer and tools to build orderer and tools images with the client library.

• For orderer (Dockerfile.orderer):

FROM hyperledger/fabric-orderer:2.4.7
COPY libCryptoki2_64.so /usr/local/lunaclient/lib/libCryptoki2_64.so
RUN apk add libstdc++

• For tools (Dockerfile.tools):

FROM hyperledger/fabric-tools:2.4.7
COPY libCryptoki2_64.so /usr/local/lunaclient/lib/libCryptoki2_64.so
RUN apk add libstdc++

Build the orderer and tools images using the Dockerfiles:

• For orderer image:

docker build -t hsm/fabric-orderer:latest -f Dockerfile.orderer .

• For tools image:

docker build -t hsm/fabric-tools:latest -f Dockerfile.tools .

Change to the appropriate directory if needed (cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network).

Update Docker Compose configuration:

i. In services -> orderer.example.com section:

• Modify the image to:

image: hsm/fabric-orderer:latest

• Add the following environment variables under the environment section:

- ORDERER_GENERAL_BCCSP_DEFAULT=PKCS11
- ORDERER_GENERAL_BCCSP_PKCS11_LABEL=orderer.example.com
- ORDERER_GENERAL_BCCSP_PKCS11_PIN=[Partition Password]
- ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]
- ORDERER_GENERAL_BCCSP_PKCS11_HASH=SHA2
- ORDERER_GENERAL_BCCSP_PKCS11_SECURITY=384
- ChrystokiConfigurationPath=luna/orderer

• Add the following entries under the volume section:

- /usr/local/lunaclient:/usr/local/lunaclient
- ../luna:/root/luna

ii. In services -> peer0.org1.example.com section:

• Modify the image to:

image: hsm/fabric-peer:latest

• Add the following environment variables under the environment section:

- CORE_PEER_BCCSP_DEFAULT=PKCS11
- CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
- CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
- CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]
- CORE_PEER_BCCSP_PKCS11_HASH=SHA2
- CORE_PEER_BCCSP_PKCS11_SECURITY=384
- ChrystokiConfigurationPath=luna/org1

• Add the following entries under the volume section:

- /usr/local/lunaclient:/usr/local/lunaclient
- ../luna:/root/luna

iii. In services -> peer0.org2.example.com section:

• Modify the image to:

image: hsm/fabric-peer:latest

• Add the following environment variables under the environment section:

- CORE_PEER_BCCSP_DEFAULT=PKCS11
- CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
- CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
- CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]
- CORE_PEER_BCCSP_PKCS11_HASH=SHA2
- CORE_PEER_BCCSP_PKCS11_SECURITY=384
- ChrystokiConfigurationPath=luna/org2

• Add the following entries under the volume section:

- /usr/local/lunaclient:/usr/local/lunaclient
- ../luna:/root/luna

iv. In services -> cli section:

• Modify the image field to:

image: hsm/fabric-tools:latest

• Add the following entries under the volume section:

- /usr/local/lunaclient:/usr/local/lunaclient
- ../luna:/opt/gopath/src/github.com/hyperledger/fabric/peer/luna

Update Docker Compose test network configuration:

i. Peer Configuration: In services -> peer0.org1.example.com and services -> peer0.org2.example.com, change the image field to: image: hsm/fabric-peer:latest.

ii. CLI Configuration: In services -> cli, change the image field to: image: hsm/fabric-tools:latest

Change the BCCSP security from 256 to 384 for the following configuration files:

• $HOME/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/fabric-ca/org1/fabric-ca-server-config.yaml

• $HOME/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/fabric-ca/org2/fabric-ca-server-config.yaml

• $HOME/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/fabric-ca/ordererOrg/fabric-ca-server-config.yaml

Update envVar.sh script:

i. Add the following lines in the if [ $USING_ORG -eq 1 ]; then block:

export ChrystokiConfigurationPath=luna/org1
export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_SECURITY=384
export CORE_PEER_BCCSP_PKCS11_HASH=SHA2
export CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

ii. Add the following lines in the elif [ $USING_ORG -eq 2 ]; then block:

export ChrystokiConfigurationPath=luna/org2
export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_SECURITY=384
export CORE_PEER_BCCSP_PKCS11_HASH=SHA2
export CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Execute the following commands to bring up the Fabric orderer and peer nodes and generate the network crypto material using Certificate Authorities:

cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network
./network.sh up –ca

Verify network creation. If the command is successful, you will see the logs indicating the creation of the nodes.

Verify the ECDSA signing key pairs generated in the Luna HSM partitions for org1, org2, and the orderer. For instance, to inspect the contents of the Luna HSM partition named org1.example.com, execute the following command:

localhost:~/go/src/github.com/hyperledger/fabric-samples/test-network# export ChrystokiConfigurationPath=luna/org1
localhost:~/go/src/github.com/hyperledger/fabric-samples/test-network# /usr/local/lunaclient/bin/lunacm
lunacm (64-bit) v10.3.0-277. Copyright (c) 2021 SafeNet. All rights reserved.

Available HSMs:
Slot Id ->              0
Label ->                org1.example.com
Serial Number ->        1280780175902
Model ->                LunaSA 7.7.1
Firmware Version ->     7.7.2
Bootloader Version ->   1.1.2
Configuration ->        Luna User Partition With SO (PW) Key Export With 
                        Cloning Mode
Slot Description ->     Net Token Slot
FM HW Status ->         Non-FM
Current Slot Id: 0

lunacm:>role login -n co -p 

Command Result : No Error

lunacm:>par con

The 'Crypto Officer' is currently logged in. Looking for objects
accessible to the 'Crypto Officer'.

Object list:

Label:       fef1897158e6b2f60afb79a34868e0938adff228f1c134e12e6a853bbbf9b945
Handle:      224
Object Type: Private Key
Usage Limit: none
Object UID:  420400003e000003cb640800

Label:       fef1897158e6b2f60afb79a34868e0938adff228f1c134e12e6a853bbbf9b945
Handle:      225
Object Type: Public Key
Usage Limit: none
Object UID:  410400003e000003cb640800

Label:       75245626aae524d991b0305e674e4803c6c2231e2976f68959dd9dce24c38ccb
Handle:      230
Object Type: Private Key
Usage Limit: none
Object UID:  400400003e000003cb640800

Label:       75245626aae524d991b0305e674e4803c6c2231e2976f68959dd9dce24c38ccb
Handle:      236
Object Type: Public Key
Usage Limit: none
Object UID:  3f0400003e000003cb640800

Label:       71bc51e6134a3603ea05ef8837364b9ee0822a36f461fe6fb5cc433ae9be21a7
Handle:      235
Object Type: Private Key
Usage Limit: none
Object UID:  3e0400003e000003cb640800

Label:       71bc51e6134a3603ea05ef8837364b9ee0822a36f461fe6fb5cc433ae9be21a7
Handle:      202
Object Type: Public Key
Usage Limit: none
Object UID:  3d0400003e000003cb640800

Label:       c5930e285c2a570c2aa1ef94478adfe7c1592b5aa34c3d0a76cbee03436888bc
Handle:      205
Object Type: Private Key
Usage Limit: none
Object UID:  3c0400003e000003cb640800

Label:       c5930e285c2a570c2aa1ef94478adfe7c1592b5aa34c3d0a76cbee03436888bc
Handle:      203
Object Type: Public Key
Usage Limit: none
Object UID:  3b0400003e000003cb640800

Number of objects:  8

Command Result : No Error

lunacm:>

Examine the contents of the "org2" and "orderer" partitions by following the above-mentioned process.

Execute the following command to create and join the channel, after successfully creating the network:

./network.sh createChannel

Check the logs for a successful execution. If successful, the logs will display the message:

Channel 'mychannel' joined

Deploy the chaincode to the created channel using the following command:

./network.sh deployCC -ccn basic -ccp ../asset-transfer-basic/chaincode-go -ccl go

To interact with the network using the peer CLI, navigate to the "test-network" directory and add the peer binaries to your CLI path with these commands:

cd $HOME/go/src/github.com/hyperledger/fabric-samples/test-network
export PATH=${PWD}/../bin:$PATH

These commands enable you to use the peer CLI for various operations directly from the command line.

Set the FABRIC_CFG_PATH environment variable to point to the "core.yaml" file in the fabric-samples repository:

export FABRIC_CFG_PATH=$PWD/../config/

To operate the peer CLI as Org1, set the necessary environment variables with the following commands:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051
export ChrystokiConfigurationPath=luna/org1
export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_SECURITY=384
export CORE_PEER_BCCSP_PKCS11_HASH=SHA2
export CORE_PEER_BCCSP_PKCS11_LABEL=org1.example.com
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

These environment variables are essential for interacting with the Fabric network using the peer CLI as Org1. Adjust the values as per your configuration.

Execute the following command to initialize the ledger with assets:

peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem" -C mychannel -n basic --peerAddresses localhost:7051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt" --peerAddresses localhost:9051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt" -c '{"function":"InitLedger","Args":[]}'

If the process is successful, the output should resemble the following example:

INFO [chaincodeCmd] chaincodeInvokeOrQuery -> Chaincode invoke successful. result: status:200

Execute the following command to query the ledger and get the list of assets:

peer chaincode query -C mychannel -n basic -c '{"Args":["GetAllAssets"]}'

If the operation is successful, the output should resemble the following example:

[{"AppraisedValue":300,"Color":"blue","ID":"asset1","Owner":"Tomoko","Size":5},{"AppraisedValue":400,"Color":"red","ID":"asset2","Owner":"Brad","Size":5},{"AppraisedValue":500,"Color":"green","ID":"asset3","Owner":"Jin Soo","Size":10},{"AppraisedValue":600,"Color":"yellow","ID":"asset4","Owner":"Max","Size":10},{"AppraisedValue":700,"Color":"black","ID":"asset5","Owner":"Adriana","Size":15},{"AppraisedValue":800,"Color":"white","ID":"asset6","Owner":"Michel","Size":15}]

Execute the following command to change the owner of an asset:

peer chaincode invoke -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile "${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem" -C mychannel -n basic --peerAddresses localhost:7051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt" --peerAddresses localhost:9051 --tlsRootCertFiles "${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt" -c '{"function":"TransferAsset","Args":["asset6","Christopher"]}'

Verify the output. If the operation is successful, the output should resemble the following example:

INFO [chaincodeCmd] chaincodeInvokeOrQuery -> Chaincode invoke successful. result: status:200

Set the following variables to query the chaincode running on Org2 peer:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
export CORE_PEER_ADDRESS=localhost:9051
export ChrystokiConfigurationPath=luna/org2
export CORE_PEER_BCCSP_DEFAULT=PKCS11
export CORE_PEER_BCCSP_PKCS11_SECURITY=384
export CORE_PEER_BCCSP_PKCS11_HASH=SHA2
export CORE_PEER_BCCSP_PKCS11_LABEL=org2.example.com
export CORE_PEER_BCCSP_PKCS11_PIN=[Partition Password]
export CORE_PEER_BCCSP_PKCS11_LIBRARY=[HSM PKCS11 Library]

Query the asset-transfer (basic) chaincode running on peer0.org2.example.com:

peer chaincode query -C mychannel -n basic -c '{"Args":["ReadAsset","asset6"]}'

Verify the result. If the command is successful, the output will indicate that asset6 was transferred to Christopher: