Got "this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied" error when creating a channel

Question

When I try to create a channel, I got an error like below:

implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

As the error message said, it seems like that I'm using wrong identity to sign the transaction to create a channel. However, I cannot find any mistake about the channel configuration or the identity registration & enrollment.

My channel config for the organization is:

Organizations:
  - &BPLOrg
    Name: BPLMSP
    ID: BPLMSP
    MSPDir: artifacts/crypto/org-msp

    Policies:
      Readers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('BPLMSP.admin')"

So, according to the config, admin type identity can sign the transaction to create the channel.

My admin type identity is already registered and enrolled like below:

fabric-ca-client register -d --id.name $ADMIN_ID --id.secret $ADMIN_PW --id.type admin -u https://$CA_ADMIN_ID:$CA_ADMIN_PW@$CA_NODE:7054
fabric-ca-client enroll -d --csr.names $CSR -u https://$ADMIN_ID:$ADMIN_PW@$CA_NODE:7054

Registration & Enrollment were processed well with the argument --id.type admin and, to sign the transaction to create a channel, I'm using the key that I got from this enrollment.

Where can I start to invest this error? Any kind of ideas will be very helpful. Thanks!

--

• Fabric 1.4.4 version
• I'm using node-SDK, not CLI.

--

[EDIT] I added my orderer's log.

2019-12-28 05:56:55.689 UTC [localconfig] completeInitialization -> INFO 001 Kafka.Version unset, setting to 0.10.2.0
2019-12-28 05:56:55.718 UTC [orderer.common.server] prettyPrintStruct -> INFO 002 Orderer config values:
    General.LedgerType = "file"
    General.ListenAddress = "0.0.0.0"
    General.ListenPort = 7050
    General.TLS.Enabled = true
    General.TLS.PrivateKey = "/artifacts/tls/keystore/key.pem"
    General.TLS.Certificate = "/artifacts/tls/signcerts/cert.pem"
    General.TLS.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.TLS.ClientAuthRequired = false
    General.TLS.ClientRootCAs = []
    General.Cluster.ListenAddress = ""
    General.Cluster.ListenPort = 0
    General.Cluster.ServerCertificate = ""
    General.Cluster.ServerPrivateKey = ""
    General.Cluster.ClientCertificate = "/artifacts/tls/signcerts/cert.pem"
    General.Cluster.ClientPrivateKey = "/artifacts/tls/keystore/key.pem"
    General.Cluster.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.Cluster.DialTimeout = 5s
    General.Cluster.RPCTimeout = 7s
    General.Cluster.ReplicationBufferSize = 20971520
    General.Cluster.ReplicationPullTimeout = 5s
    General.Cluster.ReplicationRetryTimeout = 5s
    General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
    General.Cluster.ReplicationMaxRetries = 12
    General.Cluster.SendBufferSize = 10
    General.Cluster.CertExpirationWarningThreshold = 168h0m0s
    General.Cluster.TLSHandshakeTimeShift = 0s
    General.Keepalive.ServerMinInterval = 1m0s
    General.Keepalive.ServerInterval = 2h0m0s
    General.Keepalive.ServerTimeout = 20s
    General.ConnectionTimeout = 0s
    General.GenesisMethod = "file"
    General.GenesisProfile = "SampleInsecureSolo"
    General.SystemChannel = "test-system-channel-name"
    General.GenesisFile = "/artifacts/genesis.block"
    General.Profile.Enabled = false
    General.Profile.Address = "0.0.0.0:6060"
    General.LocalMSPDir = "/artifacts/msp"
    General.LocalMSPID = "BPLMSP"
    General.BCCSP.ProviderName = "SW"
    General.BCCSP.SwOpts.SecLevel = 256
    General.BCCSP.SwOpts.HashFamily = "SHA2"
    General.BCCSP.SwOpts.Ephemeral = false
    General.BCCSP.SwOpts.FileKeystore.KeyStorePath = "/artifacts/msp/keystore"
    General.BCCSP.SwOpts.DummyKeystore =
    General.BCCSP.SwOpts.InmemKeystore =
    General.BCCSP.PluginOpts =
    General.Authentication.TimeWindow = 15m0s
    General.Authentication.NoExpirationChecks = false
    FileLedger.Location = "/var/hyperledger/production/orderer"
    FileLedger.Prefix = "hyperledger-fabric-ordererledger"
    RAMLedger.HistorySize = 1000
    Kafka.Retry.ShortInterval = 5s
    Kafka.Retry.ShortTotal = 10m0s
    Kafka.Retry.LongInterval = 5m0s
    Kafka.Retry.LongTotal = 12h0m0s
    Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
    Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
    Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
    Kafka.Retry.Metadata.RetryMax = 3
    Kafka.Retry.Metadata.RetryBackoff = 250ms
    Kafka.Retry.Producer.RetryMax = 3
    Kafka.Retry.Producer.RetryBackoff = 100ms
    Kafka.Retry.Consumer.RetryBackoff = 2s
    Kafka.Verbose = true
    Kafka.Version = 0.10.2.0
    Kafka.TLS.Enabled = false
    Kafka.TLS.PrivateKey = ""
    Kafka.TLS.Certificate = ""
    Kafka.TLS.RootCAs = []
    Kafka.TLS.ClientAuthRequired = false
    Kafka.TLS.ClientRootCAs = []
    Kafka.SASLPlain.Enabled = false
    Kafka.SASLPlain.User = ""
    Kafka.SASLPlain.Password = ""
    Kafka.Topic.ReplicationFactor = 1
    Debug.BroadcastTraceDir = ""
    Debug.DeliverTraceDir = ""
    Consensus = map[SnapDir:/var/hyperledger/production/orderer/etcdraft/snapshot WALDir:/var/hyperledger/production/orderer/etcdraft/wal]
    Operations.ListenAddress = "orderer0.bpl:8443"
    Operations.TLS.Enabled = false
    Operations.TLS.PrivateKey = ""
    Operations.TLS.Certificate = ""
    Operations.TLS.RootCAs = []
    Operations.TLS.ClientAuthRequired = false
    Operations.TLS.ClientRootCAs = []
    Metrics.Provider = "disabled"
    Metrics.Statsd.Network = "udp"
    Metrics.Statsd.Address = "127.0.0.1:8125"
    Metrics.Statsd.WriteInterval = 30s
    Metrics.Statsd.Prefix = ""
2019-12-28 05:56:55.790 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-28 05:56:55.813 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
2019-12-28 05:56:55.813 UTC [orderer.common.server] configureClusterListener -> INFO 005 Cluster listener is not configured, defaulting to use the general listener on port 7050
2019-12-28 05:56:55.820 UTC [fsblkstorage] newBlockfileMgr -> INFO 006 Getting block information from block storage
2019-12-28 05:56:55.836 UTC [orderer.consensus.etcdraft] HandleChain -> INFO 007 EvictionSuspicion not set, defaulting to 10m0s
2019-12-28 05:56:55.842 UTC [orderer.consensus.etcdraft] createOrReadWAL -> INFO 008 No WAL data found, creating new WAL at path '/var/hyperledger/production/orderer/etcdraft/wal/trust-chain-system-channel' channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.866 UTC [orderer.commmon.multichannel] Initialize -> INFO 009 Starting system channel 'trust-chain-system-channel' with genesis block hash 43e31dcb085730c17b70777c05983ade72df5b137da3ffeaa4e1f5c187b9c3d9 and orderer type etcdraft
2019-12-28 05:56:55.866 UTC [orderer.consensus.etcdraft] Start -> INFO 00a Starting Raft node channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.866 UTC [orderer.common.cluster] Configure -> INFO 00b Entering, channel: trust-chain-system-channel, nodes: [ID: 2,
Endpoint: orderer1.bpl:7050,
ServerTLSCert:-----BEGIN CERTIFICATE-----
MIIC2zCCAoKgAwIBAgIUOerWLLNwC5CYnqRuSFx3jDehZFEwCgYIKoZIzj0EAwIw
VjELMAkGA1UEBhMCS1IxEDAOBgNVBAgTB0RhZWplb24xFzAVBgNVBAoTDmJpZ3Bp
Y3R1cmVsYWJzMQswCQYDVQQLEwJjYTEPMA0GA1UEAxMGY2EtYnBsMB4XDTE5MTIy
ODA1MzgwMFoXDTIwMTIyNzA1NDMwMFowfDELMAkGA1UEBhMCS1IxEDAOBgNVBAgT
B0RhZWplb24xFzAVBgNVBAoTDmJpZ3BpY3R1cmVsYWJzMSswDgYDVQQLEwdvcmRl
cmVyMAoGA1UECxMDYnBsMA0GA1UECxMGZmFicmljMRUwEwYDVQQDEwxvcmRlcmVy
MS5icGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASkTScK+zOyx1DuzACYmUKD
ttq/NUORM1+aPm8Bp43hFrKhqeS5aZ9eA9+HWBO7B95W3YqPxkw68HAKYcpPIsIs
o4IBBjCCAQIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSHs7V8NpqyYzHpjAQr1euf
p9LJ6TAfBgNVHSMEGDAWgBQUQCH0Jo1n+EwtZOMd6qwL4gDAZjAXBgNVHREEEDAO
ggxvcmRlcmVyMS5icGwwagYIKgMEBQYHCAEEXnsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJicGwuZmFicmljIiwiaGYuRW5yb2xsbWVudElEIjoib3JkZXJlcjEu
YnBsIiwiaGYuVHlwZSI6Im9yZGVyZXIifX0wCgYIKoZIzj0EAwIDRwAwRAIgJzms
QawGjZDPH6kIIYrmB58eKZvCEB+csUD0BB/PfNUCIBuKfw8XhYS8WBih/ddU8NyV
9OuM5QWsOp2/nr5i76lh
-----END CERTIFICATE-----
, ClientTLSCert:-----BEGIN CERTIFICATE-----
MIIC2zCCAoKgAwIBAgIUOerWLLNwC5CYnqRuSFx3jDehZFEwCgYIKoZIzj0EAwIw
VjELMAkGA1UEBhMCS1IxEDAOBgNVBAgTB0RhZWplb24xFzAVBgNVBAoTDmJpZ3Bp
Y3R1cmVsYWJzMQswCQYDVQQLEwJjYTEPMA0GA1UEAxMGY2EtYnBsMB4XDTE5MTIy
ODA1MzgwMFoXDTIwMTIyNzA1NDMwMFowfDELMAkGA1UEBhMCS1IxEDAOBgNVBAgT
B0RhZWplb24xFzAVBgNVBAoTDmJpZ3BpY3R1cmVsYWJzMSswDgYDVQQLEwdvcmRl
cmVyMAoGA1UECxMDYnBsMA0GA1UECxMGZmFicmljMRUwEwYDVQQDEwxvcmRlcmVy
MS5icGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASkTScK+zOyx1DuzACYmUKD
ttq/NUORM1+aPm8Bp43hFrKhqeS5aZ9eA9+HWBO7B95W3YqPxkw68HAKYcpPIsIs
o4IBBjCCAQIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSHs7V8NpqyYzHpjAQr1euf
p9LJ6TAfBgNVHSMEGDAWgBQUQCH0Jo1n+EwtZOMd6qwL4gDAZjAXBgNVHREEEDAO
ggxvcmRlcmVyMS5icGwwagYIKgMEBQYHCAEEXnsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJicGwuZmFicmljIiwiaGYuRW5yb2xsbWVudElEIjoib3JkZXJlcjEu
YnBsIiwiaGYuVHlwZSI6Im9yZGVyZXIifX0wCgYIKoZIzj0EAwIDRwAwRAIgJzms
QawGjZDPH6kIIYrmB58eKZvCEB+csUD0BB/PfNUCIBuKfw8XhYS8WBih/ddU8NyV
9OuM5QWsOp2/nr5i76lh
-----END CERTIFICATE-----
 ID: 3,
Endpoint: orderer2.bpl:7050,
ServerTLSCert:-----BEGIN CERTIFICATE-----
MIIC3DCCAoKgAwIBAgIUTIRaoY38ylFYlyo5UPJaHO8UyL4wCgYIKoZIzj0EAwIw
VjELMAkGA1UEBhMCS1IxEDAOBgNVBAgTB0RhZWplb24xFzAVBgNVBAoTDmJpZ3Bp
Y3R1cmVsYWJzMQswCQYDVQQLEwJjYTEPMA0GA1UEAxMGY2EtYnBsMB4XDTE5MTIy
ODA1MzgwMFoXDTIwMTIyNzA1NDMwMFowfDELMAkGA1UEBhMCS1IxEDAOBgNVBAgT
B0RhZWplb24xFzAVBgNVBAoTDmJpZ3BpY3R1cmVsYWJzMSswDgYDVQQLEwdvcmRl
cmVyMAoGA1UECxMDYnBsMA0GA1UECxMGZmFicmljMRUwEwYDVQQDEwxvcmRlcmVy
Mi5icGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATD3raCU1OC0dmGpiFKixuZ
cYV/ikGwxNBdVGkdOU01ROZWHUpSzlYFq0i5Mq4JGLtcJuIdjCYIZ+MkEsTNbnpL
o4IBBjCCAQIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRVXLrZSEK8x4DPkawYGaNM
SO3DCTAfBgNVHSMEGDAWgBQUQCH0Jo1n+EwtZOMd6qwL4gDAZjAXBgNVHREEEDAO
ggxvcmRlcmVyMi5icGwwagYIKgMEBQYHCAEEXnsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJicGwuZmFicmljIiwiaGYuRW5yb2xsbWVudElEIjoib3JkZXJlcjIu
YnBsIiwiaGYuVHlwZSI6Im9yZGVyZXIifX0wCgYIKoZIzj0EAwIDSAAwRQIhALqM
SUA0+Aewypl30NF/C2Y0DdFQTw9/LF2XnWZZ/rCmAiAxNf2eoimI49XyL0DrAM0k
+HahGiLAK/F4GhTBv8Ct+A==
-----END CERTIFICATE-----
, ClientTLSCert:-----BEGIN CERTIFICATE-----
MIIC3DCCAoKgAwIBAgIUTIRaoY38ylFYlyo5UPJaHO8UyL4wCgYIKoZIzj0EAwIw
VjELMAkGA1UEBhMCS1IxEDAOBgNVBAgTB0RhZWplb24xFzAVBgNVBAoTDmJpZ3Bp
Y3R1cmVsYWJzMQswCQYDVQQLEwJjYTEPMA0GA1UEAxMGY2EtYnBsMB4XDTE5MTIy
ODA1MzgwMFoXDTIwMTIyNzA1NDMwMFowfDELMAkGA1UEBhMCS1IxEDAOBgNVBAgT
B0RhZWplb24xFzAVBgNVBAoTDmJpZ3BpY3R1cmVsYWJzMSswDgYDVQQLEwdvcmRl
cmVyMAoGA1UECxMDYnBsMA0GA1UECxMGZmFicmljMRUwEwYDVQQDEwxvcmRlcmVy
Mi5icGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATD3raCU1OC0dmGpiFKixuZ
cYV/ikGwxNBdVGkdOU01ROZWHUpSzlYFq0i5Mq4JGLtcJuIdjCYIZ+MkEsTNbnpL
o4IBBjCCAQIwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRVXLrZSEK8x4DPkawYGaNM
SO3DCTAfBgNVHSMEGDAWgBQUQCH0Jo1n+EwtZOMd6qwL4gDAZjAXBgNVHREEEDAO
ggxvcmRlcmVyMi5icGwwagYIKgMEBQYHCAEEXnsiYXR0cnMiOnsiaGYuQWZmaWxp
YXRpb24iOiJicGwuZmFicmljIiwiaGYuRW5yb2xsbWVudElEIjoib3JkZXJlcjIu
YnBsIiwiaGYuVHlwZSI6Im9yZGVyZXIifX0wCgYIKoZIzj0EAwIDSAAwRQIhALqM
SUA0+Aewypl30NF/C2Y0DdFQTw9/LF2XnWZZ/rCmAiAxNf2eoimI49XyL0DrAM0k
+HahGiLAK/F4GhTBv8Ct+A==
-----END CERTIFICATE-----
]
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00c Allocating a new stub for node 2 with endpoint of orderer1.bpl:7050 for channel trust-chain-system-channel
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00d Deactivating node 2 in channel trust-chain-system-channel with endpoint of orderer1.bpl:7050 due to TLS certificate change
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00e Allocating a new stub for node 3 with endpoint of orderer2.bpl:7050 for channel trust-chain-system-channel
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00f Deactivating node 3 in channel trust-chain-system-channel with endpoint of orderer2.bpl:7050 due to TLS certificate change
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] applyMembershipConfig -> INFO 010 2 exists in both old and new membership for channel trust-chain-system-channel , skipping its deactivation
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] applyMembershipConfig -> INFO 011 3 exists in both old and new membership for channel trust-chain-system-channel , skipping its deactivation
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] Configure -> INFO 012 Exiting
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] start -> INFO 013 Starting raft node as part of a new channel channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 014 1 became follower at term 0 channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] newRaft -> INFO 015 newRaft 1 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 016 1 became follower at term 1 channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.common.server] Start -> INFO 017 Starting orderer:
 Version: 1.4.4
 Commit SHA: 7917a40
 Go version: go1.12.12
 OS/Arch: linux/amd64
2019-12-28 05:56:55.869 UTC [orderer.common.server] Start -> INFO 018 Beginning to serve requests
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 019 Applied config change to add node 1, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 01a Applied config change to add node 2, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 01b Applied config change to add node 3, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.686 UTC [orderer.consensus.etcdraft] Step -> INFO 01c 1 [logterm: 1, index: 3, vote: 0] cast MsgPreVote for 2 [logterm: 1, index: 3] at term 1 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] Step -> INFO 01d 1 [term: 1] received a MsgVote message with higher term from 2 [term: 2] channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 01e 1 became follower at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] Step -> INFO 01f 1 [logterm: 1, index: 3, vote: 0] cast MsgVote for 2 [logterm: 1, index: 3] at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.691 UTC [orderer.consensus.etcdraft] run -> INFO 020 raft.node: 1 elected leader 2 at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.692 UTC [orderer.consensus.etcdraft] serveRequest -> INFO 021 Raft leader changed: 0 -> 2 channel=trust-chain-system-channel node=1
2019-12-28 05:57:31.382 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel: activitych] Rejecting broadcast of config message from 172.22.0.1:52856 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
2019-12-28 05:57:31.384 UTC [comm.grpc.server] 1 -> INFO 023 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.22.0.1:52856 grpc.code=OK grpc.call_duration=8.4914ms
2019-12-28 05:57:31.430 UTC [comm.grpc.server] 1 -> INFO 024 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.22.0.1:52858 grpc.code=OK grpc.call_duration=480.4µs

At this point, I'm curious that how I can get the admin identity. My policy is 'MSP.admin' and I'm using the identity, which is registered with the argument --id.type admin.

Answer 1

for your case:

0 sub-policies were satisfied

"zero" means no certificate was used for signing the transaction, so you just need to copy your admin certificate to the right directory!

Answer 2

Satisfying the Writers policy

The admin was actually correctly set up, or else the orderer would complain about the Admins policy not being satisfied. What has happened is that the orderer has accepted the request and created the genesis block for the channel. It then proceeds to set up a handler to broadcast future blocks for that channel, and in doing so it verifies that its certificate satisfies the /Channel/Writers policy, which is required to call the Broadcast API.

The mentioned policy is by default an of type ImplicitMeta, which means it should be satisfied via /Channel/Orderer/<ORG NAME>/Writers. Because the error message states that only 1 sub-policy needs to be satisfied (i.e. ANY Writers), it means your orderer's certificate does not meet up to its own organization's Writers policy. You need to add the OU type for an orderer to the rule, or set it to member to allow any certificate in the org to act as writer:

Writers:
    Type: Signature
    Rule: "OR('<ORG NAME>.admin', '<ORG NAME>.client', '<ORG NAME>.orderer')"

---

REGISTERING A CERTIFICATE AS ADMIN

---

The Dirty Quick Fix

Admins:
    Type: Signature
    Rule: "OR('BPLMSP.member')"

This will allow you to create a certificate within the BPLMSP org whenever, of whatever type, and use it for administrative purposes such as creating a channel. Fabric will skip checking the cert type (organizational unit, OU) and only check it is signed by the org's CA. Be aware that this loosens the security within your organization, as any (lost) certificate will have administrative rights.

---

The Correct Way

1. Register an identity of type client, peer or orderer with Fabric CA
2. Enroll a certificate for the registered identity
3. Place the certificate in admincerts/ of the BPLMSP org's MSP
4. Make sure the MSPDir for BPLOrg points to the BPLMSP org's MSP
5. Leave the Admins policy for BPLOrg to rule "OR('BPLMSP.admin')"
6. Create the genesis block for the OSN(s). This will include the certificate into the block
7. Start the network
8. Sign the channel creation request with the certificate, and send it to an OSN

If you want to join a peer to a channel and sign the request with the created certificate, then you will have to add the cert into the admincerts/ folder for that peer's local MSP. The peer reads this directory on boot, so you will have to restart it if you've made changes to the directory while it was running.

If you want to add an additional admin certificate while the network is already configured, you will have to perform a genesis block update, which should include the new certificate.

---

The Correct Way v1.4.3

This option allows you to register certificates as admins without having to add it to the genesis block, and without loosening security by having all types of certificates as admins.

This only works if:

1. The network at least runs Hyperledger Fabric v1.4.3 (August 26, 2019)
2. v1.4.3 channel capability is enabled
3. NodeOUs are enabled for the org
4. The OrganizationalUnitIdentifier is set for AdminOUIdentifier for the org

You would then proceed by enrolling a new identity and setting the type (OU) to match the OrganizationalUnitIdentifier. The certificate does not need to be added to the OSN's genesis block, as it will be identified as an admin based on the type (OU). See Hyperledger Fabric's doc for Identity Classification.

---

Notes

To create a channel, the ChannelCreationPolicy must be fulfilled. This defaults to ANY /Channel/Application/Admins. The policy cannot be set using configtxgen, the only way to modify it is by making a change to the genesis block. See FAB-13192.

The rule type <MSP ID>.admin is not the same as identity/certificate type (OU) admin. The rule type refers to signatures that have administrative permissions, however these signatures can come from certificates of any type (OU).

You do not create an admin by:

• Registering the identity as admin type (OU) pre v1.4.3
• Setting the attribute hf.Admin=true as the Amazon Managed Blockchain doc claims (this will fail as it is not a valid attribute)
• Setting admin=true:ecert as in the Fabric CA docs (Fabric only looks at attributes beginning with hf., so this has no effect other than adding confusion).

You can register a CA identity with any type, however valid admin certificates must be of (OU) type peer, orderer, client, or as OrganizationalUnitIdentifier is set for AdminOUIdentifier. Don't use the fabric-ca-client identity add command, as it will register an identity of type user. I can't say I know what the purpose of this type is.