To answer your primary question: is it possible for 1 CA server to contain more than 1 root identity? The answer is yes: Multiple CAs. This solution uses 1 fabric-ca-server to serve more than 1 root identity. In Hyperledger Fabric the root identity is used as the root identity of 1 organization.
But should you use this kind of architecture? To answer this question we have to know the role of the fabric-ca-server and how identity is handled within the blockchain network (Hyperledger specific).
- To validate identity within the blockchain network and between the different components (peers, orderers, clients), HLF (Hyperledger Fabric) uses the abstract concept of an MSP (Membership Service Provider). In the current implementation, HLF uses X509 certificates to construct this identity. It is important to know that the only requirement is that of X509 certificates. You do not need a fabric-ca-server. To construct the MSP, Fabric needs a specific structure on disk of MSP certificates. All components need (some part of) this structure.
- The fabric-ca-server is used to create the X509 certificates needed for the MSP structure. For instance, this is used when you want to enroll an extra peer, orderer, client, etc. To get all this material you can in general use fabric-ca-client or the SDK. The client is able to export this material in the correct folder structure used by the default MSP.
So should you use 1 fabric-ca-server for multiple organizations? My answer would be no. What you want is that all the organizations are independent of each other and that 1 ORG cannot construct an identity for another ORG. If you use 1 server to contain multiple identities, this also means that the private-key material is stored on 1 server, and thus you can create identities for all organizations.
So the next question, how to resolve access denied, is actually a different question. This is most likely due to incorrect configuration of the environment variables that HLF uses to point to specific parts inside of an MSP folder structure. So you need to see what kind of environment variables are used inside the CLI and use the same inside your other container (if you want to have the same identity).
TL;DR: fabric-ca-server is used to create X509 certificates that can be used to construct an MSP. The MSP is the actual identity inside of HLF; best practice is to use 1 root-ca for every organization.
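One way to carry out the environment-variable comparison and the MSP folder check described above, as an added example that is not part of the original answer. It assumes the Fabric peer settings `CORE_PEER_LOCALMSPID` and `CORE_PEER_MSPCONFIGPATH` (not named in the answer) and the `cacerts`, `signcerts` and `keystore` folders of the default MSP layout; all sample values and paths are constructed.

```shell
#!/bin/sh
# Added example. Env dumps and MSP folders below are constructed sample data.

# Print each CORE_PEER_* variable that differs between two env dumps,
# e.g. files produced with `docker exec <container> env > file`.
diff_peer_env() {
    a=$(grep '^CORE_PEER_' "$1" | sort)
    b=$(grep '^CORE_PEER_' "$2" | sort)
    names=$(printf '%s\n%s\n' "$a" "$b" | cut -d= -f1 | sort -u)
    for n in $names; do
        va=$(printf '%s\n' "$a" | sed -n "s/^$n=//p")
        vb=$(printf '%s\n' "$b" | sed -n "s/^$n=//p")
        [ "$va" = "$vb" ] || printf '%s: "%s" vs "%s"\n' "$n" "$va" "$vb"
    done
}

# Return 0 if the MSP folder holds a CA cert, a signing cert and a private key;
# otherwise print the folders that are absent or empty and return 1.
check_msp() {
    missing=""
    for sub in cacerts signcerts keystore; do
        if [ -z "$(ls -A "$1/$sub" 2>/dev/null)" ]; then
            missing="$missing $sub"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

demo() {
    t=$(mktemp -d)
    # Constructed dump of the CLI container: points at a complete MSP.
    printf 'CORE_PEER_LOCALMSPID=Org1MSP\nCORE_PEER_MSPCONFIGPATH=%s/admin/msp\n' \
        "$t" > "$t/cli.env"
    # Constructed dump of the other container: points at an incomplete MSP.
    printf 'CORE_PEER_LOCALMSPID=Org1MSP\nCORE_PEER_MSPCONFIGPATH=%s/peer/msp\n' \
        "$t" > "$t/other.env"
    for sub in cacerts signcerts keystore; do
        mkdir -p "$t/admin/msp/$sub" && touch "$t/admin/msp/$sub/sample.pem"
    done
    mkdir -p "$t/peer/msp/cacerts" && touch "$t/peer/msp/cacerts/sample.pem"
    diff_peer_env "$t/cli.env" "$t/other.env"
    check_msp "$t/admin/msp" && echo "admin msp: ok"
    check_msp "$t/peer/msp" || true
    rm -rf "$t"
}
demo
```

A variable reported by `diff_peer_env` is a setting under which the two containers do not act as the same identity, and a folder reported by `check_msp` is one the configured MSP path lacks.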