
I am trying to integrate softHSM with Hyperledger Fabric. I have followed the below steps:

  1. I have cloned the repo from this link https://github.com/hyperledger/fabric-ca (main-branch)

  2. Executed the below 3 commands from the above directory. After execution, I got the new binary and the new Fabric-CA image.

    make fabric-ca-server GO_TAGS=pkcs11

    make fabric-ca-client GO_TAGS=pkcs11

    make docker GO_TAGS=pkcs11

  3. I have replaced the old binaries (fabric-ca-client and fabric-ca-server).

  4. I am trying to spin up the Fabric-CA in the docker container and passing the environment variables as per the official documentation.

    ORG1_RCA:
      image: hyperledger/fabric-ca:1.5.1
      container_name: ORG1_RCA
      environment:
        - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
        - FABRIC_CA_SERVER_CA_NAME=ORG1_RCA
        - FABRIC_CA_SERVER_TLS_ENABLED=true
        - FABRIC_CA_SERVER_PORT=7054
        - FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
        - FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
        - FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=
        - FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=
        # SoftHSM reads its own config path from this variable; it belongs in the
        # same list as the variables above. A second `environment:` key under one
        # service is a duplicate YAML mapping key: depending on the parser the file
        # is rejected or one of the two lists silently overrides the other.
        - SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
      ports:
        - 7054:7054
      command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
      volumes:
        - ./fabric-ca/verizon:/etc/hyperledger/fabric-ca-server
        - /home/softhsm/config.file:/etc/hyperledger/fabric/config.file
        - /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
      networks:
        - contract


I am not providing the PIN and label for security purposes. When I am running this container, the private keys are still getting saved into the msp/keystore folder instead of the HSM.

  • I don't believe we ever fixed the issue we have with overriding BCCSP config via environment variables. Can you try setting the BCCSP values in the actual fabric-ca-server-config file instead? – Gari Singh Mar 17 '21 at 07:55
  • I have cloned the official fabric-ca repo from GitHub and run this command (fabric-ca-server start -b admin:adminpw) to start the server natively. After running, I can see a few certificates and one config file. Then I modified the bccsp section to use PKCS11 format in the config file and restarted the server. Are these steps fine, or do I need any other configuration? – Arijit Mahapatra Mar 19 '21 at 08:17
  • that should be correct – Gari Singh Mar 19 '21 at 10:47
  • I modified the config file to use the PKCS11 interface and restarted the CA server. Now, I can see three private keys (**IssuerRevocationPrivateKey, IssuerSecretKey and 6f753f4708a755a53d450732eeff8103486c6eb188efa1108f7cd958517f00e8_sk**) are present inside the msp/keystore folder. How can I be sure the private keys are stored inside the HSM? – Arijit Mahapatra Mar 22 '21 at 12:10
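As an added example (not code from the question, the comments, or the Fabric CA project), here is a small POSIX shell helper set for the two practical points in this thread: Gari Singh's suggestion to put the BCCSP settings in fabric-ca-server-config.yaml rather than in FABRIC_CA_SERVER_BCCSP_* variables, and the follow-up question of how to confirm that keys actually landed in the token. The bccsp block follows the key names Fabric's HSM documentation uses for the PKCS11 provider; the library path, token label and PIN are placeholders, the file name check-hsm.sh is hypothetical, OpenSC's pkcs11-tool is assumed to be installed wherever the live check runs, and the listing embedded as SAMPLE_LISTING is constructed, not captured from a real token.

```shell
#!/bin/sh
# Added example, not part of the question or of Fabric CA.
# (1) emit the bccsp section that fabric-ca-server-config.yaml expects for PKCS11
# (2) count private-key objects in a pkcs11-tool listing
# (3) count software-keystore private keys (<hex SKI>_sk files) left in msp/keystore
# Placeholders: library path, token label, PIN. Assumes pkcs11-tool for the live check.

# Print the PKCS11 bccsp block. Arguments: library path, token label, PIN.
# The PIN is written in clear text, so keep the config file mode 0600 and out of
# version control; a file is still easier to protect than a compose environment
# that shows up in `docker inspect`.
bccsp_pkcs11_section() {
  lib="$1"; label="$2"; pin="$3"
  cat <<EOF
bccsp:
  default: PKCS11
  pkcs11:
    Library: ${lib}
    Pin: ${pin}
    Label: ${label}
    hash: SHA2
    security: 256
EOF
}

# Constructed sample of `pkcs11-tool --list-objects` output (not a real capture):
# one EC key pair, as a freshly initialised CA would leave in the token.
SAMPLE_LISTING='Using slot 0 with a present token (0x1)
Private Key Object; EC
  label:      BCPRV
  Usage:      sign, derive
  Access:     sensitive, always sensitive, never extractable
Public Key Object; EC  EC_POINT 256 bits
  label:      BCPUB
  Usage:      verify, derive'

# Count "Private Key Object" entries in a pkcs11-tool listing read from stdin.
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
count_private_key_objects() {
  grep -c '^Private Key Object' || true
}

# Count files in a keystore directory named the way Fabric's software (SW)
# BCCSP persists ECDSA private keys: <hex SKI>_sk. With PKCS11 in effect, a
# CA restart must not add another one of these.
count_sw_private_keys() {
  dir="$1"
  n=0
  for f in "$dir"/*_sk; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Live check against the running SoftHSM token (needs pkcs11-tool and the PIN).
check_token() {
  lib="$1"; label="$2"; pin="$3"
  pkcs11-tool --module "$lib" --token-label "$label" --login --pin "$pin" \
    --list-objects | count_private_key_objects
}

# Only runs when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  LIB=${SOFTHSM_LIB:-/usr/local/lib/softhsm/libsofthsm2.so}   # placeholder path
  LABEL=${HSM_LABEL:-ForFabric}                                # placeholder label
  PIN=${HSM_PIN:?export HSM_PIN first}                         # never hard-code it
  KEYSTORE=${KEYSTORE:-./fabric-ca/verizon/msp/keystore}
  bccsp_pkcs11_section "$LIB" "$LABEL" "$PIN" > bccsp-snippet.yaml
  chmod 600 bccsp-snippet.yaml
  echo "private key objects in token: $(check_token "$LIB" "$LABEL" "$PIN")"
  echo "SW keystore *_sk files:       $(count_sw_private_keys "$KEYSTORE")"
fi
```

Run it as `HSM_PIN=... sh check-hsm.sh --run` once the CA has been restarted with the PKCS11 bccsp section in place: a working setup reports at least one private key object in the token, and the number of `*_sk` files in msp/keystore stays the same across restarts instead of growing, which is the symptom the question describes for the environment-variable approach.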

0 Answers