Fabric二进制建链

零、前言

0.1、目标

在Hyperledger Fabric v2.2.0版本下，参考test-network测试网络（docker）的搭建，使用最原生（二进制）的方式，在192.168.3.128单主机搭建fabric，要求1个排序节点orderer0，1个对等节点peer0，都在单机构org1下；要求使用raft共识类型；同时要求使用Fabric CA服务替代生产网络不推荐的cryptogen的方式。

0.2、相关资料

• 官方文档：https://hyperledger-fabric.readthedocs.io/en/release-2.2/
• 项目地址：https://github.com/hyperledger/fabric/tree/v2.2.0

一、准备工作

1.1、建目录

根据默认规则在~/fabric/下，建好组织和节点目录：

mkdir -p ~/fabric/organizations/ordererOrganizations/org1.example.com/msp
mkdir -p ~/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com
mkdir -p ~/fabric/organizations/peerOrganizations/org1.example.com/msp
mkdir -p ~/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com
mkdir -p ~/fabric/bin
mkdir -p ~/fabric/config
1
2
3
4
5
6

1.2、下载二进制和配置文件

根据之前测试网络的经验，查看https://github.com/hyperledger/fabric/blob/v2.2.0/scripts/bootstrap.sh文件，确定Fabric CA和二进制版本：

# if version not passed in, default to latest released version
VERSION=2.2.0
# if ca version not passed in, default to latest released version
CA_VERSION=1.4.7
1
2
3
4

所以分别下载对应版本：

• https://github.com/hyperledger/fabric-ca/releases/download/v1.4.7/hyperledger-fabric-ca-linux-amd64-1.4.7.tar.gz
• https://github.com/hyperledger/fabric/releases/download/v2.2.0/hyperledger-fabric-linux-amd64-2.2.0.tar.gz

解压在~/fabric/下，得到：

/home/songzehao/fabric
├── bin
│   ├── configtxgen
│   ├── configtxlator
│   ├── cryptogen
│   ├── discover
│   ├── fabric-ca-client
│   ├── fabric-ca-server
│   ├── idemixgen
│   ├── orderer
│   └── peer
├── config
│   ├── configtx.yaml
│   ├── core.yaml
│   └── orderer.yaml
└── organizations
    ├── ordererOrganizations
    │   └── org1.example.com
    │       ├── msp
    │       └── orderers
    │           └── orderer0.org1.example.com
    └── peerOrganizations
        └── org1.example.com
            ├── msp
            └── peers
                └── peer0.org1.example.com

13 directories, 12 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

在/etc/profile中新增环境变量，并source生效：

export PATH=/home/songzehao/fabric/bin:$PATH
export FABRIC_CA_CLIENT_HOME=/home/songzehao/fabric/fabric-ca-client
export FABRIC_CFG_PATH=/home/songzehao/fabric/config
1
2
3

二、fabric-ca-server

2.1、配置fabric-ca-server

在~/fabric下放置fabric-ca服务端配置文件fabric-ca-server-config.yaml，注意配置csr.hosts为自己机器的IP（192.168.3.128）：

#############################################################################
#   This is a configuration file for the fabric-ca-server command.
#
#   COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
#   ------------------------------------------------
#   Each configuration element can be overridden via command line
#   arguments or environment variables.  The precedence for determining
#   the value of each element is as follows:
#   1) command line argument
#      Examples:
#      a) --port 443
#         To set the listening port
#      b) --ca.keyfile ../mykey.pem
#         To set the "keyfile" element in the "ca" section below;
#         note the '.' separator character.
#   2) environment variable
#      Examples:
#      a) FABRIC_CA_SERVER_PORT=443
#         To set the listening port
#      b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
#         To set the "keyfile" element in the "ca" section below;
#         note the '_' separator character.
#   3) configuration file
#   4) default value (if there is one)
#      All default values are shown beside each element below.
#
#   FILE NAME ELEMENTS
#   ------------------
#   The value of all fields whose name ends with "file" or "files" are
#   name or names of other files.
#   For example, see "tls.certfile" and "tls.clientauth.certfiles".
#   The value of each of these fields can be a simple filename, a
#   relative path, or an absolute path.  If the value is not an
#   absolute path, it is interpretted as being relative to the location
#   of this configuration file.
#
#############################################################################

# Version of config file
version: 1.2.0

# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts) and transaction
#  certificates (TCerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name: ca-org1
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

#############################################################################
#  The gencrl REST endpoint is used to generate a CRL that contains revoked
#  certificates. This section contains configuration options that are used
#  during gencrl request processing.
#############################################################################
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

#############################################################################
#  The registry section controls how the fabric-ca-server does two things:
#  1) authenticates enrollment requests which contain a username and password
#     (also known as an enrollment ID and secret).
#  2) once authenticated, retrieves the identity's attribute names and
#     values which the fabric-ca-server optionally puts into TCerts
#     which it issues for transacting on the Hyperledger Fabric blockchain.
#     These attributes are useful for making access control decisions in
#     chaincode.
#  There are two main configuration options:
#  1) The fabric-ca-server is the registry.
#     This is true if "ldap.enabled" in the ldap section below is false.
#  2) An LDAP server is the registry, in which case the fabric-ca-server
#     calls the LDAP server to perform these tasks.
#     This is true if "ldap.enabled" in the ldap section below is true,
#     which means this "registry" section is ignored.
#############################################################################
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: admin
       pass: adminpw
       type: client
       affiliation: ""
       attrs:
          hf.Registrar.Roles: "*"
          hf.Registrar.DelegateRoles: "*"
          hf.Revoker: true
          hf.IntermediateCA: true
          hf.GenCRL: true
          hf.Registrar.Attributes: "*"
          hf.AffiliationMgr: true

#############################################################################
#  Database section
#  Supported types are: "sqlite3", "postgres", and "mysql".
#  The datasource value depends on the type.
#  If the type is "sqlite3", the datasource value is a file name to use
#  as the database store.  Since "sqlite3" is an embedded database, it
#  may not be used if you want to run the fabric-ca-server in a cluster.
#  To run the fabric-ca-server in a cluster, you must choose "postgres"
#  or "mysql".
#############################################################################
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
      enabled: false
      certfiles:
      client:
        certfile:
        keyfile:

#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   # TLS configuration for the client connection to the LDAP server
   tls:
      certfiles:
      client:
         certfile:
         keyfile:
   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   attribute:
      # 'names' is an array of strings containing the LDAP attribute names which are
      # requested from the LDAP server for an LDAP identity's entry
      names: ['uid','member']
      # The 'converters' section is used to convert an LDAP entry to the value of
      # a fabric CA attribute.
      # For example, the following converts an LDAP 'uid' attribute
      # whose value begins with 'revoker' to a fabric CA attribute
      # named "hf.Revoker" with a value of "true" (because the boolean expression
      # evaluates to true).
      #    converters:
      #       - name: hf.Revoker
      #         value: attr("uid") =~ "revoker*"
      converters:
         - name:
           value:
      # The 'maps' section contains named maps which may be referenced by the 'map'
      # function in the 'converters' section to map LDAP responses to arbitrary values.
      # For example, assume a user has an LDAP attribute named 'member' which has multiple
      # values which are each a distinguished name (i.e. a DN). For simplicity, assume the
      # values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.
      # Further assume the following configuration.
      #    converters:
      #       - name: hf.Registrar.Roles
      #         value: map(attr("member"),"groups")
      #    maps:
      #       groups:
      #          - name: dn1
      #            value: peer
      #          - name: dn2
      #            value: client
      # The value of the user's 'hf.Registrar.Roles' attribute is then computed to be
      # "peer,client,dn3".  This is because the value of 'attr("member")' is
      # "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of
      # "group" replaces "dn1" with "peer" and "dn2" with "client".
      maps:
         groups:
            - name:
              value:

#############################################################################
# Affiliations section. Fabric CA server can be bootstrapped with the
# affiliations specified in this section. Affiliations are specified as maps.
# For example:
#   businessunit1:
#     department1:
#       - team1
#   businessunit2:
#     - department2
#     - department3
#
# Affiliations are hierarchical in nature. In the above example,
# department1 (used as businessunit1.department1) is the child of businessunit1.
# team1 (used as businessunit1.department1.team1) is the child of department1.
# department2 (used as businessunit2.department2) and department3 (businessunit2.department3)
# are children of businessunit2.
# Note: Affiliations are case sensitive except for the non-leaf affiliations
# (like businessunit1, department1, businessunit2) that are specified in the configuration file,
# which are always stored in lower case.
#############################################################################
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1

#############################################################################
#  Signing section
#
#  The "default" subsection is used to sign enrollment certificates;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#
#  The "ca" profile subsection is used to sign intermediate CA certificates;
#  the default expiration ("expiry" field) is "43800h" which is 5 years in hours.
#  Note that "isca" is true, meaning that it issues a CA certificate.
#  A maxpathlen of 0 means that the intermediate CA cannot issue other
#  intermediate CA certificates, though it can still issue end entity certificates.
#  (See RFC 5280, section 4.2.1.9)
#
#  The "tls" profile subsection is used to sign TLS certificate requests;
#  the default expiration ("expiry" field) is "8760h", which is 1 year in hours.
#############################################################################
signing:
    default:
      usage:
        - digital signature
      expiry: 8760h
    profiles:
      ca:
         usage:
           - cert sign
           - crl sign
         expiry: 43800h
         caconstraint:
           isca: true
           maxpathlen: 0
      tls:
         usage:
            - signing
            - key encipherment
            - server auth
            - client auth
            - key agreement
         expiry: 8760h

###########################################################################
#  Certificate Signing Request (CSR) section.
#  This controls the creation of the root CA certificate.
#  The expiration for the root CA certificate is configured with the
#  "ca.expiry" field below, whose default value is "131400h" which is
#  15 years in hours.
#  The pathlength field is used to limit CA certificate hierarchy as described
#  in section 4.2.1.9 of RFC 5280.
#  Examples:
#  1) No pathlength value means no limit is requested.
#  2) pathlength == 1 means a limit of 1 is requested which is the default for
#     a root CA.  This means the root CA can issue intermediate CA certificates,
#     but these intermediate CAs may not in turn issue other CA certificates
#     though they can still issue end entity certificates.
#  3) pathlength == 0 means a limit of 0 is requested;
#     this is the default for an intermediate CA, which means it can not issue
#     CA certificates though it can still issue end entity certificates.
###########################################################################
csr:
   cn: ca.org1.example.com
   names:
      - C: US
        ST: "North Carolina"
        L: "Durham"
        O: org1.example.com
        OU:
   hosts:
     - 192.168.3.128
   ca:
      expiry: 131400h
      pathlength: 1

#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
    default: SW
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore

#############################################################################
# Multi CA section
#
# Each Fabric CA server contains one CA by default.  This section is used
# to configure multiple CAs in a single server.
#
# 1) --cacount <number-of-CAs>
# Automatically generate <number-of-CAs> non-default CAs.  The names of these
# additional CAs are "ca1", "ca2", ... "caN", where "N" is <number-of-CAs>
# This is particularly useful in a development environment to quickly set up
# multiple CAs. Note that, this config option is not applicable to intermediate CA server
# i.e., Fabric CA server that is started with intermediate.parentserver.url config
# option (-u command line option)
#
# 2) --cafiles <CA-config-files>
# For each CA config file in the list, generate a separate signing CA.  Each CA
# config file in this list MAY contain all of the same elements as are found in
# the server config file except port, debug, and tls sections.
#
# Examples:
# fabric-ca-server start -b admin:adminpw --cacount 2
#
# fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
# --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################

cacount:

cafiles:

#############################################################################
# Intermediate CA section
#
# The relationship between servers and CAs is as follows:
#   1) A single server process may contain or function as one or more CAs.
#      This is configured by the "Multi CA section" above.
#   2) Each CA is either a root CA or an intermediate CA.
#   3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
# This section pertains to configuration of #2 and #3.
# If the "intermediate.parentserver.url" property is set,
# then this is an intermediate CA with the specified parent
# CA.
#
# parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
# enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
# tls section for secure socket connection
#   certfiles - PEM-encoded list of trusted root certificate files
#   client:
#     certfile - PEM-encoded certificate file for when client authentication
#     is enabled on server
#     keyfile - PEM-encoded key file for when client authentication
#     is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406

2.2、初始化fabric-ca-server

初始化fabric-ca-server：

fabric-ca-server init -b admin:adminpw
1

日志：

2023/11/01 11:04:09 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-server-config.yaml
2023/11/01 11:04:09 [WARNING] Unknown provider type: ; metrics disabled
2023/11/01 11:04:09 [INFO] Server Version: 1.4.7
2023/11/01 11:04:09 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2023-11-01 11:04:09.262 CST [bccsp_sw] createKeyStoreIfNotExists -> DEBU 001 KeyStore path [/home/songzehao/fabric/msp/keystore] missing [true]: [<clean>]
2023-11-01 11:04:09.262 CST [bccsp_sw] createKeyStore -> DEBU 002 Creating KeyStore at [/home/songzehao/fabric/msp/keystore]...
2023-11-01 11:04:09.262 CST [bccsp_sw] createKeyStore -> DEBU 003 KeyStore created at [/home/songzehao/fabric/msp/keystore].
2023-11-01 11:04:09.262 CST [bccsp_sw] openKeyStore -> DEBU 004 KeyStore opened at [/home/songzehao/fabric/msp/keystore]...done
2023/11/01 11:04:09 [WARNING] &{69 The specified CA certificate file /home/songzehao/fabric/ca-cert.pem does not exist}
2023/11/01 11:04:09 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:04:09 [INFO] encoded CSR
2023/11/01 11:04:09 [INFO] signed certificate with serial number 515509048791859448169569932922715069374585931842
2023/11/01 11:04:09 [INFO] The CA key and certificate were generated for CA ca-org1
2023/11/01 11:04:09 [INFO] The key was stored by BCCSP provider 'SW'
2023/11/01 11:04:09 [INFO] The certificate is at: /home/songzehao/fabric/ca-cert.pem
2023/11/01 11:04:09 [INFO] Initialized sqlite3 database at /home/songzehao/fabric/fabric-ca-server.db
2023-11-01 11:04:09.357 CST [bccsp_sw] loadPrivateKey -> DEBU 005 Loading private key [6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf] at [/home/songzehao/fabric/msp/keystore/6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk]...
2023-11-01 11:04:09.357 CST [bccsp_sw] loadPrivateKey -> DEBU 006 Loading private key [6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf] at [/home/songzehao/fabric/msp/keystore/6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk]...
2023/11/01 11:04:09 [INFO] The issuer key was successfully stored. The public key is at: /home/songzehao/fabric/IssuerPublicKey, secret key is at: /home/songzehao/fabric/msp/keystore/IssuerSecretKey
2023/11/01 11:04:09 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'ca-org1'
2023/11/01 11:04:09 [INFO] The revocation key was successfully stored. The public key is at: /home/songzehao/fabric/IssuerRevocationPublicKey, private key is at: /home/songzehao/fabric/msp/keystore/IssuerRevocationPrivateKey
2023/11/01 11:04:09 [INFO] Home directory for default CA: /home/songzehao/fabric
2023/11/01 11:04:09 [INFO] Initialization was successful
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

得到：

/home/songzehao/fabric
├── bin
│   ├── configtxgen
│   ├── configtxlator
│   ├── cryptogen
│   ├── discover
│   ├── fabric-ca-client
│   ├── fabric-ca-server
│   ├── idemixgen
│   ├── orderer
│   └── peer
├── ca-cert.pem
├── config
│   ├── configtx.yaml
│   ├── core.yaml
│   └── orderer.yaml
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│   └── keystore
│       ├── 6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk
│       ├── IssuerRevocationPrivateKey
│       └── IssuerSecretKey
└── organizations
    ├── ordererOrganizations
    │   └── org1.example.com
    │       ├── msp
    │       └── orderers
    │           └── orderer0.org1.example.com
    └── peerOrganizations
        └── org1.example.com
            ├── msp
            └── peers
                └── peer0.org1.example.com

15 directories, 20 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

2.3、启动fabric-ca-server

启动fabric-ca-server：

fabric-ca-server start -b admin:adminpw
1

日志：

2023/11/01 11:04:55 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-server-config.yaml
2023/11/01 11:04:55 [INFO] Starting server in home directory: /home/songzehao/fabric
2023/11/01 11:04:55 [WARNING] Unknown provider type: ; metrics disabled
2023/11/01 11:04:55 [INFO] Server Version: 1.4.7
2023/11/01 11:04:55 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2023-11-01 11:04:55.274 CST [bccsp_sw] openKeyStore -> DEBU 001 KeyStore opened at [/home/songzehao/fabric/msp/keystore]...done
2023-11-01 11:04:55.275 CST [bccsp_sw] loadPrivateKey -> DEBU 002 Loading private key [6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf] at [/home/songzehao/fabric/msp/keystore/6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk]...
2023/11/01 11:04:55 [INFO] The CA key and certificate already exist
2023/11/01 11:04:55 [INFO] The key is stored by BCCSP provider 'SW'
2023/11/01 11:04:55 [INFO] The certificate is at: /home/songzehao/fabric/ca-cert.pem
2023/11/01 11:04:55 [INFO] Initialized sqlite3 database at /home/songzehao/fabric/fabric-ca-server.db
2023-11-01 11:04:55.285 CST [bccsp_sw] loadPrivateKey -> DEBU 003 Loading private key [6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf] at [/home/songzehao/fabric/msp/keystore/6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk]...
2023-11-01 11:04:55.285 CST [bccsp_sw] loadPrivateKey -> DEBU 004 Loading private key [6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf] at [/home/songzehao/fabric/msp/keystore/6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk]...
2023/11/01 11:04:55 [INFO] The Idemix issuer public and secret key files already exist
2023/11/01 11:04:55 [INFO]    secret key file location: /home/songzehao/fabric/msp/keystore/IssuerSecretKey
2023/11/01 11:04:55 [INFO]    public key file location: /home/songzehao/fabric/IssuerPublicKey
2023/11/01 11:04:55 [INFO] The Idemix issuer revocation public and secret key files already exist
2023/11/01 11:04:55 [INFO]    private key file location: /home/songzehao/fabric/msp/keystore/IssuerRevocationPrivateKey
2023/11/01 11:04:55 [INFO]    public key file location: /home/songzehao/fabric/IssuerRevocationPublicKey
2023/11/01 11:04:55 [INFO] Home directory for default CA: /home/songzehao/fabric
2023/11/01 11:04:55 [INFO] Operation Server Listening on [::]:42729
2023-11-01 11:04:55.308 CST [bccsp_sw] openKeyStore -> DEBU 005 KeyStore opened at [/home/songzehao/fabric/msp/keystore]...done
2023/11/01 11:04:55 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:04:55 [INFO] encoded CSR
2023/11/01 11:04:55 [INFO] signed certificate with serial number 192879327564294815064593336931614473727786194412
2023-11-01 11:04:55.312 CST [bccsp_sw] loadPrivateKey -> DEBU 006 Loading private key [db9281216de1b9a66750dc0cfd6fc6b84a55dd41fde705d15137203f0f7d851b] at [/home/songzehao/fabric/msp/keystore/db9281216de1b9a66750dc0cfd6fc6b84a55dd41fde705d15137203f0f7d851b_sk]...
2023/11/01 11:04:55 [INFO] Listening on https://0.0.0.0:7054
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

得到：

/home/songzehao/fabric
├── bin
│   ├── configtxgen
│   ├── configtxlator
│   ├── cryptogen
│   ├── discover
│   ├── fabric-ca-client
│   ├── fabric-ca-server
│   ├── idemixgen
│   ├── orderer
│   └── peer
├── ca-cert.pem
├── config
│   ├── configtx.yaml
│   ├── core.yaml
│   └── orderer.yaml
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│   ├── cacerts
│   ├── keystore
│   │   ├── 6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk
│   │   ├── db9281216de1b9a66750dc0cfd6fc6b84a55dd41fde705d15137203f0f7d851b_sk
│   │   ├── IssuerRevocationPrivateKey
│   │   └── IssuerSecretKey
│   ├── signcerts
│   └── user
├── organizations
│   ├── ordererOrganizations
│   │   └── org1.example.com
│   │       ├── msp
│   │       └── orderers
│   │           └── orderer0.org1.example.com
│   └── peerOrganizations
│       └── org1.example.com
│           ├── msp
│           └── peers
│               └── peer0.org1.example.com
└── tls-cert.pem

18 directories, 22 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

登记ca的admin用户：

fabric-ca-client enroll -u https://admin:adminpw@192.168.3.128:7054 --caname ca-org1 --tls.certfiles ~/fabric/ca-cert.pem
1

日志：

2023/11/01 11:05:50 [INFO] Created a default configuration file at /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:05:50 [INFO] TLS Enabled
2023/11/01 11:05:50 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:05:50 [INFO] encoded CSR
2023/11/01 11:05:50 [INFO] Stored client certificate at /home/songzehao/fabric/fabric-ca-client/msp/signcerts/cert.pem
2023/11/01 11:05:50 [INFO] Stored root CA certificate at /home/songzehao/fabric/fabric-ca-client/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:05:50 [INFO] Stored Issuer public key at /home/songzehao/fabric/fabric-ca-client/msp/IssuerPublicKey
2023/11/01 11:05:50 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/fabric-ca-client/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7
8

如果没配置FABRIC_CA_CLIENT_HOME环境变量，则默认生成密钥到 ~/.fabric-ca-client 目录，上面设置了 ~/fabric/fabric-ca-client：

/home/songzehao/fabric/fabric-ca-client
├── fabric-ca-client-config.yaml
└── msp
    ├── cacerts
    │   └── 192-168-3-128-7054-ca-org1.pem
    ├── IssuerPublicKey
    ├── IssuerRevocationPublicKey
    ├── keystore
    │   └── 87b4e348c0bf8d0bfd83999bfec3ce6ad8f0026f9d488668ce9b31c774647f93_sk
    ├── signcerts
    │   └── cert.pem
    └── user

5 directories, 6 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14

三、准备peer0

3.1、生成peer组织org1的msp配置

手动生成peerOrganizations下组织org1的msp配置文件：

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14

并拷贝org1的ca证书到org1的/msp/tlscacerts、/tlsca和/ca目录：

mkdir -p /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
cp /home/songzehao/fabric/ca-cert.pem /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt

mkdir -p /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/tlsca
cp /home/songzehao/fabric/ca-cert.pem /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem

mkdir -p /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/ca
cp /home/songzehao/fabric/ca-cert.pem /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
1
2
3
4
5
6
7
8

3.2、注册peer0

注册org1下面的节点身份peer0：

fabric-ca-client register --caname ca-org1 --id.name peer0 --id.secret peer0pw --id.type peer --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:11:52 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:11:52 [INFO] TLS Enabled
2023/11/01 11:11:52 [INFO] TLS Enabled
Password: peer0pw
1
2
3
4

3.3、注册peer组织org1的user

注册org1下面的用户身份user1：

fabric-ca-client register --caname ca-org1 --id.name user1 --id.secret user1pw --id.type client --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:12:18 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:12:18 [INFO] TLS Enabled
2023/11/01 11:12:18 [INFO] TLS Enabled
Password: user1pw
1
2
3
4

3.4、注册peer组织org1的admin

注册peer组织org1下面的管理员用户身份org1admin：

fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:12:28 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:12:28 [INFO] TLS Enabled
2023/11/01 11:12:28 [INFO] TLS Enabled
Password: org1adminpw
1
2
3
4

3.5、登记peer0

登记生成peer0的msp目录：

fabric-ca-client enroll -u https://peer0:peer0pw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

并拷贝该组织的msp配置文件到peer0节点目录下：

cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/config.yaml /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml
1

日志：

2023/11/01 11:12:38 [INFO] TLS Enabled
2023/11/01 11:12:38 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:12:38 [INFO] encoded CSR
2023/11/01 11:12:38 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/cert.pem
2023/11/01 11:12:38 [INFO] Stored root CA certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:12:38 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/IssuerPublicKey
2023/11/01 11:12:38 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7

3.6、登记peer0的tls

登记生成peer0的tls证书：

fabric-ca-client enroll -u https://peer0:peer0pw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts 192.168.3.128 --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:12:58 [INFO] TLS Enabled
2023/11/01 11:12:58 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:12:59 [INFO] encoded CSR
2023/11/01 11:12:59 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/cert.pem
2023/11/01 11:12:59 [INFO] Stored TLS root CA certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/tls-192-168-3-128-7054-ca-org1.pem
2023/11/01 11:12:59 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/IssuerPublicKey
2023/11/01 11:12:59 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/IssuerRevocationPublicKey
1
2
3
4
5
6
7

3.7、登记peer组织org1的user

登记生成peer组织org1下user1的msp目录：

cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/tlscacerts/* /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

fabric-ca-client enroll -u https://user1:user1pw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles /home/songzehao/fabric/ca-cert.pem

cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/config.yaml /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/config.yaml
1
2
3
4
5
6
7

日志：

2023/11/01 11:13:44 [INFO] TLS Enabled
2023/11/01 11:13:44 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:13:44 [INFO] encoded CSR
2023/11/01 11:13:44 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/signcerts/cert.pem
2023/11/01 11:13:44 [INFO] Stored root CA certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:13:44 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/IssuerPublicKey
2023/11/01 11:13:44 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7

3.8、登记peer组织org1的admin

登记生成peer组织org1下的org1admin的msp目录：

fabric-ca-client enroll -u https://org1admin:org1adminpw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles /home/songzehao/fabric/ca-cert.pem

mv /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/* /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/priv_sk
cp /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp/config.yaml /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml
1
2
3
4

日志：

2023/11/01 11:14:05 [INFO] TLS Enabled
2023/11/01 11:14:05 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:14:05 [INFO] encoded CSR
2023/11/01 11:14:05 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem
2023/11/01 11:14:05 [INFO] Stored root CA certificate at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:14:05 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/IssuerPublicKey
2023/11/01 11:14:05 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7

四、准备orderer0

4.1、生成orderer组织org1的msp配置

手动生成ordererOrganizations下组织org1的msp配置文件：

echo 'NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/192-168-3-128-7054-ca-org1.pem
    OrganizationalUnitIdentifier: orderer' > /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14

继续在ordererOrganizations/org1.example.com/msp目录下，创建tlscacerts子目录：

mkdir -p /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/tlscacerts
1

拷贝组织的ca证书到tlscacerts子目录：

cp /home/songzehao/fabric/ca-cert.pem /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

创建~/fabric/organizations/ordererOrganizations/org1.example.com/tlsca目录：

mkdir ~/fabric/organizations/ordererOrganizations/org1.example.com/tlsca
1

拷贝组织的ca证书到tlsca子目录：

cp /home/songzehao/fabric/ca-cert.pem ~/fabric/organizations/ordererOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem
1

4.2、注册orderer0

注册排序节点orderer0到ca：

fabric-ca-client register --caname ca-org1 --id.name orderer0 --id.secret orderer0pw --id.type orderer --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:14:47 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:14:47 [INFO] TLS Enabled
2023/11/01 11:14:47 [INFO] TLS Enabled
Password: orderer0pw
1
2
3
4

4.3、注册orderer组织org1的admin

注册orderer组织org1的管理员ordererOrg1Admin到ca：

fabric-ca-client register --caname ca-org1 --id.name ordererOrg1Admin --id.secret ordererOrg1Adminpw --id.type admin --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:14:58 [INFO] Configuration file location: /home/songzehao/fabric/fabric-ca-client/fabric-ca-client-config.yaml
2023/11/01 11:14:58 [INFO] TLS Enabled
2023/11/01 11:14:58 [INFO] TLS Enabled
Password: ordererOrg1Adminpw
1
2
3
4

4.4、登记orderer0

登记生成排序节点orderer0的msp目录：

fabric-ca-client enroll -u https://orderer0:orderer0pw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:15:06 [INFO] TLS Enabled
2023/11/01 11:15:06 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:15:06 [INFO] encoded CSR
2023/11/01 11:15:07 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/signcerts/cert.pem
2023/11/01 11:15:07 [INFO] Stored root CA certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:15:07 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/IssuerPublicKey
2023/11/01 11:15:07 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7

查看orderer0节点的msp目录：

/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/
├── cacerts
│   └── 192-168-3-128-7054-ca-org1.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── 9945284853ad9e407ed64a55ca23ce50a6867a8cf4fa70307ced639dbf6a3f48_sk
├── signcerts
│   └── cert.pem
└── user

4 directories, 5 files
1
2
3
4
5
6
7
8
9
10
11
12

并拷贝msp配置文件到orderer0节点目录下：

cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/config.yaml /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/config.yaml
1

4.6、登记orderer0的tls

登记生成排序节点orderer0的tls证书：

fabric-ca-client enroll -u https://orderer0:orderer0pw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls --enrollment.profile tls --csr.hosts 192.168.3.128 --tls.certfiles /home/songzehao/fabric/ca-cert.pem
1

日志：

2023/11/01 11:15:34 [INFO] TLS Enabled
2023/11/01 11:15:34 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:15:34 [INFO] encoded CSR
2023/11/01 11:15:34 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/signcerts/cert.pem
2023/11/01 11:15:34 [INFO] Stored TLS root CA certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/tlscacerts/tls-192-168-3-128-7054-ca-org1.pem
2023/11/01 11:15:34 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/IssuerPublicKey
2023/11/01 11:15:34 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/IssuerRevocationPublicKey
1
2
3
4
5
6
7

查看生成的tls证书目录：

/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── df3281616957b26543f3c90274f49cef89bc1d054f21043fe7a7ad3d703ad970_sk
├── signcerts
│   └── cert.pem
├── tlscacerts
│   └── tls-192-168-3-128-7054-ca-org1.pem
└── user

5 directories, 5 files
1
2
3
4
5
6
7
8
9
10
11
12
13

拷贝到tls目录下，并重命名为更好看的文件名：

cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/tlscacerts/* /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/ca.crt
cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/signcerts/* /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/keystore/* /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.key
1
2
3

重新查看生成的tls证书目录：

/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/
├── cacerts
├── ca.crt
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│   └── df3281616957b26543f3c90274f49cef89bc1d054f21043fe7a7ad3d703ad970_sk
├── server.crt
├── server.key
├── signcerts
│   └── cert.pem
├── tlscacerts
│   └── tls-192-168-3-128-7054-ca-org1.pem
└── user

5 directories, 8 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

拷贝该tlsca证书到orderer0节点目录下msp/tlscacerts目录：

mkdir -p /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts
cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/tlscacerts/* /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1
2

4.7、登记orderer组织org1的admin

登记生成该组织管理员ordererOrg1Admin的msp：

fabric-ca-client enroll -u https://ordererOrg1Admin:ordererOrg1Adminpw@192.168.3.128:7054 --caname ca-org1 -M /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles /home/songzehao/fabric/ca-cert.pem

mv /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/* /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/priv_sk
1
2
3

日志：

2023/11/01 11:16:29 [INFO] TLS Enabled
2023/11/01 11:16:29 [INFO] generating key: &{A:ecdsa S:256}
2023/11/01 11:16:29 [INFO] encoded CSR
2023/11/01 11:16:29 [INFO] Stored client certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem
2023/11/01 11:16:29 [INFO] Stored root CA certificate at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/cacerts/192-168-3-128-7054-ca-org1.pem
2023/11/01 11:16:29 [INFO] Stored Issuer public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/IssuerPublicKey
2023/11/01 11:16:29 [INFO] Stored Issuer revocation public key at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/IssuerRevocationPublicKey
1
2
3
4
5
6
7

拷贝msp配置文件到管理员的msp目录下：

cp /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/config.yaml /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/users/Admin@org1.example.com/msp/config.yaml
1

最终的链目录：

/home/songzehao/fabric
├── bin
│   ├── configtxgen
│   ├── configtxlator
│   ├── cryptogen
│   ├── discover
│   ├── fabric-ca-client
│   ├── fabric-ca-server
│   ├── idemixgen
│   ├── orderer
│   └── peer
├── ca-cert.pem
├── config
│   ├── configtx.yaml
│   ├── core.yaml
│   └── orderer.yaml
├── fabric-ca-client
│   ├── fabric-ca-client-config.yaml
│   └── msp
│       ├── cacerts
│       │   └── 192-168-3-128-7054-ca-org1.pem
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── keystore
│       │   └── 87b4e348c0bf8d0bfd83999bfec3ce6ad8f0026f9d488668ce9b31c774647f93_sk
│       ├── signcerts
│       │   └── cert.pem
│       └── user
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│   ├── cacerts
│   ├── keystore
│   │   ├── 6fbaa8bc899a9d9c17eca6c82521839794cb31d25f5b3ed652ab8cd20c7118bf_sk
│   │   ├── db9281216de1b9a66750dc0cfd6fc6b84a55dd41fde705d15137203f0f7d851b_sk
│   │   ├── IssuerRevocationPrivateKey
│   │   └── IssuerSecretKey
│   ├── signcerts
│   └── user
├── organizations
│   ├── ordererOrganizations
│   │   └── org1.example.com
│   │       ├── msp
│   │       │   ├── config.yaml
│   │       │   └── tlscacerts
│   │       │       └── tlsca.org1.example.com-cert.pem
│   │       ├── orderers
│   │       │   └── orderer0.org1.example.com
│   │       │       ├── msp
│   │       │       │   ├── cacerts
│   │       │       │   │   └── 192-168-3-128-7054-ca-org1.pem
│   │       │       │   ├── config.yaml
│   │       │       │   ├── IssuerPublicKey
│   │       │       │   ├── IssuerRevocationPublicKey
│   │       │       │   ├── keystore
│   │       │       │   │   └── 9945284853ad9e407ed64a55ca23ce50a6867a8cf4fa70307ced639dbf6a3f48_sk
│   │       │       │   ├── signcerts
│   │       │       │   │   └── cert.pem
│   │       │       │   ├── tlscacerts
│   │       │       │   │   └── tlsca.org1.example.com-cert.pem
│   │       │       │   └── user
│   │       │       └── tls
│   │       │           ├── cacerts
│   │       │           ├── ca.crt
│   │       │           ├── IssuerPublicKey
│   │       │           ├── IssuerRevocationPublicKey
│   │       │           ├── keystore
│   │       │           │   └── df3281616957b26543f3c90274f49cef89bc1d054f21043fe7a7ad3d703ad970_sk
│   │       │           ├── server.crt
│   │       │           ├── server.key
│   │       │           ├── signcerts
│   │       │           │   └── cert.pem
│   │       │           ├── tlscacerts
│   │       │           │   └── tls-192-168-3-128-7054-ca-org1.pem
│   │       │           └── user
│   │       ├── tlsca
│   │       │   └── tlsca.org1.example.com-cert.pem
│   │       └── users
│   │           └── Admin@org1.example.com
│   │               └── msp
│   │                   ├── cacerts
│   │                   │   └── 192-168-3-128-7054-ca-org1.pem
│   │                   ├── config.yaml
│   │                   ├── IssuerPublicKey
│   │                   ├── IssuerRevocationPublicKey
│   │                   ├── keystore
│   │                   │   └── priv_sk
│   │                   ├── signcerts
│   │                   │   └── cert.pem
│   │                   └── user
│   └── peerOrganizations
│       └── org1.example.com
│           ├── ca
│           │   └── ca.org1.example.com-cert.pem
│           ├── msp
│           │   ├── config.yaml
│           │   └── tlscacerts
│           │       └── ca.crt
│           ├── peers
│           │   └── peer0.org1.example.com
│           │       ├── msp
│           │       │   ├── cacerts
│           │       │   │   └── 192-168-3-128-7054-ca-org1.pem
│           │       │   ├── config.yaml
│           │       │   ├── IssuerPublicKey
│           │       │   ├── IssuerRevocationPublicKey
│           │       │   ├── keystore
│           │       │   │   └── 30de30badf40da9a3de007efd469e09316cc1f0c6600baaafe02670639767056_sk
│           │       │   ├── signcerts
│           │       │   │   └── cert.pem
│           │       │   └── user
│           │       └── tls
│           │           ├── cacerts
│           │           ├── ca.crt
│           │           ├── IssuerPublicKey
│           │           ├── IssuerRevocationPublicKey
│           │           ├── keystore
│           │           │   └── 697abecd06596b56c5faa1efa535acabad1f450a9895ed958bffc1bc75aa5e15_sk
│           │           ├── server.crt
│           │           ├── server.key
│           │           ├── signcerts
│           │           │   └── cert.pem
│           │           ├── tlscacerts
│           │           │   └── tls-192-168-3-128-7054-ca-org1.pem
│           │           └── user
│           ├── tlsca
│           │   └── tlsca.org1.example.com-cert.pem
│           └── users
│               ├── Admin@org1.example.com
│               │   └── msp
│               │       ├── cacerts
│               │       │   └── 192-168-3-128-7054-ca-org1.pem
│               │       ├── config.yaml
│               │       ├── IssuerPublicKey
│               │       ├── IssuerRevocationPublicKey
│               │       ├── keystore
│               │       │   └── priv_sk
│               │       ├── signcerts
│               │       │   └── cert.pem
│               │       └── user
│               └── User1@org1.example.com
│                   └── msp
│                       ├── cacerts
│                       │   └── 192-168-3-128-7054-ca-org1.pem
│                       ├── config.yaml
│                       ├── IssuerPublicKey
│                       ├── IssuerRevocationPublicKey
│                       ├── keystore
│                       │   └── b17c1696e4e0d3fbd316cb80c333f365bb15bb43d830bf40ac468e1456c68d87_sk
│                       ├── signcerts
│                       │   └── cert.pem
│                       └── user
└── tls-cert.pem

72 directories, 82 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

五、启动peer0

更改core.yaml文件。最终的core.yaml：

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

###############################################################################
#
#    Peer section
#
###############################################################################
peer:

    # The peer id provides a name for this peer instance and is used when
    # naming docker resources.
    id: peer0.org1.example.com

    # The networkId allows for logical separation of networks and is used when
    # naming docker resources.
    networkId: dev

    # The Address at local network interface this Peer will listen on.
    # By default, it will listen on all network interfaces
    listenAddress: 0.0.0.0:7051

    # The endpoint this peer uses to listen for inbound chaincode connections.
    # If this is commented-out, the listen address is selected to be
    # the peer's address (see below) with port 7052
    # chaincodeListenAddress: 0.0.0.0:7052

    # The endpoint the chaincode for this peer uses to connect to the peer.
    # If this is not specified, the chaincodeListenAddress address is selected.
    # And if chaincodeListenAddress is not specified, address is selected from
    # peer address (see below). If specified peer address is invalid then it
    # will fallback to the auto detected IP (local IP) regardless of the peer
    # addressAutoDetect value.
    # chaincodeAddress: 0.0.0.0:7052

    # When used as peer config, this represents the endpoint to other peers
    # in the same organization. For peers in other organization, see
    # gossip.externalEndpoint for more info.
    # When used as CLI config, this means the peer's endpoint to interact with
    address: 0.0.0.0:7051

    # Whether the Peer should programmatically determine its address
    # This case is useful for docker containers.
    # When set to true, will override peer address.
    addressAutoDetect: false

    # Keepalive settings for peer server and clients
    keepalive:
        # Interval is the duration after which if the server does not see
        # any activity from the client it pings the client to see if it's alive
        interval: 7200s
        # Timeout is the duration the server waits for a response
        # from the client after sending a ping before closing the connection
        timeout: 20s
        # MinInterval is the minimum permitted time between client pings.
        # If clients send pings more frequently, the peer server will
        # disconnect them
        minInterval: 60s
        # Client keepalive settings for communicating with other peer nodes
        client:
            # Interval is the time between pings to peer nodes.  This must
            # greater than or equal to the minInterval specified by peer
            # nodes
            interval: 60s
            # Timeout is the duration the client waits for a response from
            # peer nodes before closing the connection
            timeout: 20s
        # DeliveryClient keepalive settings for communication with ordering
        # nodes.
        deliveryClient:
            # Interval is the time between pings to ordering nodes.  This must
            # greater than or equal to the minInterval specified by ordering
            # nodes.
            interval: 60s
            # Timeout is the duration the client waits for a response from
            # ordering nodes before closing the connection
            timeout: 20s


    # Gossip related configuration
    gossip:
        # Bootstrap set to initialize gossip with.
        # This is a list of other peers that this peer reaches out to at startup.
        # Important: The endpoints here have to be endpoints of peers in the same
        # organization, because the peer would refuse connecting to these endpoints
        # unless they are in the same organization as the peer.
        bootstrap: 192.168.3.128:7051

        # NOTE: orgLeader and useLeaderElection parameters are mutual exclusive.
        # Setting both to true would result in the termination of the peer
        # since this is undefined state. If the peers are configured with
        # useLeaderElection=false, make sure there is at least 1 peer in the
        # organization that its orgLeader is set to true.

        # Defines whenever peer will initialize dynamic algorithm for
        # "leader" selection, where leader is the peer to establish
        # connection with ordering service and use delivery protocol
        # to pull ledger blocks from ordering service.
        useLeaderElection: false
        # Statically defines peer to be an organization "leader",
        # where this means that current peer will maintain connection
        # with ordering service and disseminate block across peers in
        # its own organization. Multiple peers or all peers in an organization
        # may be configured as org leaders, so that they all pull
        # blocks directly from ordering service.
        orgLeader: true

        # Interval for membershipTracker polling
        membershipTrackerInterval: 5s

        # Overrides the endpoint that the peer publishes to peers
        # in its organization. For peers in foreign organizations
        # see 'externalEndpoint'
        endpoint:
        # Maximum count of blocks stored in memory
        maxBlockCountToStore: 10
        # Max time between consecutive message pushes(unit: millisecond)
        maxPropagationBurstLatency: 10ms
        # Max number of messages stored until a push is triggered to remote peers
        maxPropagationBurstSize: 10
        # Number of times a message is pushed to remote peers
        propagateIterations: 1
        # Number of peers selected to push messages to
        propagatePeerNum: 3
        # Determines frequency of pull phases(unit: second)
        # Must be greater than digestWaitTime + responseWaitTime
        pullInterval: 4s
        # Number of peers to pull from
        pullPeerNum: 3
        # Determines frequency of pulling state info messages from peers(unit: second)
        requestStateInfoInterval: 4s
        # Determines frequency of pushing state info messages to peers(unit: second)
        publishStateInfoInterval: 4s
        # Maximum time a stateInfo message is kept until expired
        stateInfoRetentionInterval:
        # Time from startup certificates are included in Alive messages(unit: second)
        publishCertPeriod: 10s
        # Should we skip verifying block messages or not (currently not in use)
        skipBlockVerification: false
        # Dial timeout(unit: second)
        dialTimeout: 3s
        # Connection timeout(unit: second)
        connTimeout: 2s
        # Buffer size of received messages
        recvBuffSize: 20
        # Buffer size of sending messages
        sendBuffSize: 200
        # Time to wait before pull engine processes incoming digests (unit: second)
        # Should be slightly smaller than requestWaitTime
        digestWaitTime: 1s
        # Time to wait before pull engine removes incoming nonce (unit: milliseconds)
        # Should be slightly bigger than digestWaitTime
        requestWaitTime: 1500ms
        # Time to wait before pull engine ends pull (unit: second)
        responseWaitTime: 2s
        # Alive check interval(unit: second)
        aliveTimeInterval: 5s
        # Alive expiration timeout(unit: second)
        aliveExpirationTimeout: 25s
        # Reconnect interval(unit: second)
        reconnectInterval: 25s
        # Max number of attempts to connect to a peer
        maxConnectionAttempts: 120
        # Message expiration factor for alive messages
        msgExpirationFactor: 20
        # This is an endpoint that is published to peers outside of the organization.
        # If this isn't set, the peer will not be known to other organizations.
        externalEndpoint: 192.168.3.128:7051
        # Leader election service configuration
        election:
            # Longest time peer waits for stable membership during leader election startup (unit: second)
            startupGracePeriod: 15s
            # Interval gossip membership samples to check its stability (unit: second)
            membershipSampleInterval: 1s
            # Time passes since last declaration message before peer decides to perform leader election (unit: second)
            leaderAliveThreshold: 10s
            # Time between peer sends propose message and declares itself as a leader (sends declaration message) (unit: second)
            leaderElectionDuration: 5s

        pvtData:
            # pullRetryThreshold determines the maximum duration of time private data corresponding for a given block
            # would be attempted to be pulled from peers until the block would be committed without the private data
            pullRetryThreshold: 60s
            # As private data enters the transient store, it is associated with the peer's ledger's height at that time.
            # transientstoreMaxBlockRetention defines the maximum difference between the current ledger's height upon commit,
            # and the private data residing inside the transient store that is guaranteed not to be purged.
            # Private data is purged from the transient store when blocks with sequences that are multiples
            # of transientstoreMaxBlockRetention are committed.
            transientstoreMaxBlockRetention: 1000
            # pushAckTimeout is the maximum time to wait for an acknowledgement from each peer
            # at private data push at endorsement time.
            pushAckTimeout: 3s
            # Block to live pulling margin, used as a buffer
            # to prevent peer from trying to pull private data
            # from peers that is soon to be purged in next N blocks.
            # This helps a newly joined peer catch up to current
            # blockchain height quicker.
            btlPullMargin: 10
            # the process of reconciliation is done in an endless loop, while in each iteration reconciler tries to
            # pull from the other peers the most recent missing blocks with a maximum batch size limitation.
            # reconcileBatchSize determines the maximum batch size of missing private data that will be reconciled in a
            # single iteration.
            reconcileBatchSize: 10
            # reconcileSleepInterval determines the time reconciler sleeps from end of an iteration until the beginning
            # of the next reconciliation iteration.
            reconcileSleepInterval: 1m
            # reconciliationEnabled is a flag that indicates whether private data reconciliation is enable or not.
            reconciliationEnabled: true
            # skipPullingInvalidTransactionsDuringCommit is a flag that indicates whether pulling of invalid
            # transaction's private data from other peers need to be skipped during the commit time and pulled
            # only through reconciler.
            skipPullingInvalidTransactionsDuringCommit: false
            # implicitCollectionDisseminationPolicy specifies the dissemination  policy for the peer's own implicit collection.
            # When a peer endorses a proposal that writes to its own implicit collection, below values override the default values
            # for disseminating private data.
            # Note that it is applicable to all channels the peer has joined. The implication is that requiredPeerCount has to
            # be smaller than the number of peers in a channel that has the lowest numbers of peers from the organization.
            implicitCollectionDisseminationPolicy:
               # requiredPeerCount defines the minimum number of eligible peers to which the peer must successfully
               # disseminate private data for its own implicit collection during endorsement. Default value is 0.
               requiredPeerCount: 0
               # maxPeerCount defines the maximum number of eligible peers to which the peer will attempt to
               # disseminate private data for its own implicit collection during endorsement. Default value is 1.
               maxPeerCount: 1

        # Gossip state transfer related configuration
        state:
            # indicates whenever state transfer is enabled or not
            # default value is true, i.e. state transfer is active
            # and takes care to sync up missing blocks allowing
            # lagging peer to catch up to speed with rest network
            enabled: false
            # checkInterval interval to check whether peer is lagging behind enough to
            # request blocks via state transfer from another peer.
            checkInterval: 10s
            # responseTimeout amount of time to wait for state transfer response from
            # other peers
            responseTimeout: 3s
            # batchSize the number of blocks to request via state transfer from another peer
            batchSize: 10
            # blockBufferSize reflects the size of the re-ordering buffer
            # which captures blocks and takes care to deliver them in order
            # down to the ledger layer. The actual buffer size is bounded between
            # 0 and 2*blockBufferSize, each channel maintains its own buffer
            blockBufferSize: 20
            # maxRetries maximum number of re-tries to ask
            # for single state transfer request
            maxRetries: 3

    # TLS Settings
    tls:
        # Require server-side TLS
        enabled:  true
        # Require client certificates / mutual TLS.
        # Note that clients that are not configured to use a certificate will
        # fail to connect to the peer.
        clientAuthRequired: false
        # X.509 certificate used for TLS server
        cert:
            file: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
        # Private key used for TLS server (and client if clientAuthEnabled
        # is set to true
        key:
            file: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
        # Trusted root certificate chain for tls.cert
        rootcert:
            file: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
        # Set of root certificate authorities used to verify client certificates
        clientRootCAs:
            files:
              - /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
        # Private key used for TLS when making client connections.  If
        # not set, peer.tls.key.file will be used instead
        clientKey:
            file:
        # X.509 certificate used for TLS when making client connections.
        # If not set, peer.tls.cert.file will be used instead
        clientCert:
            file:

    # Authentication contains configuration parameters related to authenticating
    # client messages
    authentication:
        # the acceptable difference between the current server time and the
        # client's time as specified in a client request message
        timewindow: 15m

    # Path on the file system where peer will store data (eg ledger). This
    # location must be access control protected to prevent unintended
    # modification that might corrupt the peer operations.
    fileSystemPath: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/hyperledger/production

    # BCCSP (Blockchain crypto provider): Select which crypto implementation or
    # library to use
    BCCSP:
        Default: SW
        # Settings for the SW crypto provider (i.e. when DEFAULT: SW)
        SW:
            # TODO: The default Hash and Security level needs refactoring to be
            # fully configurable. Changing these defaults requires coordination
            # SHA2 is hardcoded in several places, not only BCCSP
            Hash: SHA2
            Security: 256
            # Location of Key Store
            FileKeyStore:
                # If "", defaults to 'mspConfigPath'/keystore
                KeyStore:
        # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
        PKCS11:
            # Location of the PKCS11 module library
            Library:
            # Token Label
            Label:
            # User PIN
            Pin:
            Hash:
            Security:

    # Path on the file system where peer will find MSP local configurations
    mspConfigPath: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp

    # Identifier of the local MSP
    # ----!!!!IMPORTANT!!!-!!!IMPORTANT!!!-!!!IMPORTANT!!!!----
    # Deployers need to change the value of the localMspId string.
    # In particular, the name of the local MSP ID of a peer needs
    # to match the name of one of the MSPs in each of the channel
    # that this peer is a member of. Otherwise this peer's messages
    # will not be identified as valid by other nodes.
    localMspId: Org1MSP

    # CLI common client config options
    client:
        # connection timeout
        connTimeout: 3s

    # Delivery service related config
    deliveryclient:
        # It sets the total time the delivery service may spend in reconnection
        # attempts until its retry logic gives up and returns an error
        reconnectTotalTimeThreshold: 3600s

        # It sets the delivery service <-> ordering service node connection timeout
        connTimeout: 3s

        # It sets the delivery service maximal delay between consecutive retries
        reConnectBackoffThreshold: 3600s

        # A list of orderer endpoint addresses which should be overridden
        # when found in channel configurations.
        addressOverrides:
        #  - from:
        #    to:
        #    caCertsFile:
        #  - from:
        #    to:
        #    caCertsFile:

    # Type for the local MSP - by default it's of type bccsp
    localMspType: bccsp

    # Used with Go profiling tools only in none production environment. In
    # production, it should be disabled (eg enabled: false)
    profile:
        enabled:     false
        listenAddress: 0.0.0.0:6060

    # Handlers defines custom handlers that can filter and mutate
    # objects passing within the peer, such as:
    #   Auth filter - reject or forward proposals from clients
    #   Decorators  - append or mutate the chaincode input passed to the chaincode
    #   Endorsers   - Custom signing over proposal response payload and its mutation
    # Valid handler definition contains:
    #   - A name which is a factory method name defined in
    #     core/handlers/library/library.go for statically compiled handlers
    #   - library path to shared object binary for pluggable filters
    # Auth filters and decorators are chained and executed in the order that
    # they are defined. For example:
    # authFilters:
    #   -
    #     name: FilterOne
    #     library: /opt/lib/filter.so
    #   -
    #     name: FilterTwo
    # decorators:
    #   -
    #     name: DecoratorOne
    #   -
    #     name: DecoratorTwo
    #     library: /opt/lib/decorator.so
    # Endorsers are configured as a map that its keys are the endorsement system chaincodes that are being overridden.
    # Below is an example that overrides the default ESCC and uses an endorsement plugin that has the same functionality
    # as the default ESCC.
    # If the 'library' property is missing, the name is used as the constructor method in the builtin library similar
    # to auth filters and decorators.
    # endorsers:
    #   escc:
    #     name: DefaultESCC
    #     library: /etc/hyperledger/fabric/plugin/escc.so
    handlers:
        authFilters:
          -
            name: DefaultAuth
          -
            name: ExpirationCheck    # This filter checks identity x509 certificate expiration
        decorators:
          -
            name: DefaultDecorator
        endorsers:
          escc:
            name: DefaultEndorsement
            library:
        validators:
          vscc:
            name: DefaultValidation
            library:

    #    library: /etc/hyperledger/fabric/plugin/escc.so
    # Number of goroutines that will execute transaction validation in parallel.
    # By default, the peer chooses the number of CPUs on the machine. Set this
    # variable to override that choice.
    # NOTE: overriding this value might negatively influence the performance of
    # the peer so please change this value only if you know what you're doing
    validatorPoolSize:

    # The discovery service is used by clients to query information about peers,
    # such as - which peers have joined a certain channel, what is the latest
    # channel config, and most importantly - given a chaincode and a channel,
    # what possible sets of peers satisfy the endorsement policy.
    discovery:
        enabled: true
        # Whether the authentication cache is enabled or not.
        authCacheEnabled: true
        # The maximum size of the cache, after which a purge takes place
        authCacheMaxSize: 1000
        # The proportion (0 to 1) of entries that remain in the cache after the cache is purged due to overpopulation
        authCachePurgeRetentionRatio: 0.75
        # Whether to allow non-admins to perform non channel scoped queries.
        # When this is false, it means that only peer admins can perform non channel scoped queries.
        orgMembersAllowedAccess: false

    # Limits is used to configure some internal resource limits.
    limits:
        # Concurrency limits the number of concurrently running requests to a service on each peer.
        # Currently this option is only applied to endorser service and deliver service.
        # When the property is missing or the value is 0, the concurrency limit is disabled for the service.
        concurrency:
            # endorserService limits concurrent requests to endorser service that handles chaincode deployment, query and invocation,
            # including both user chaincodes and system chaincodes.
            endorserService: 2500
            # deliverService limits concurrent event listeners registered to deliver service for blocks and transaction events.
            deliverService: 2500

###############################################################################
#
#    VM section
#
###############################################################################
vm:

    # Endpoint of the vm management system.  For docker can be one of the following in general
    # unix:///var/run/docker.sock
    # http://localhost:2375
    # https://localhost:2376
    endpoint: unix:///var/run/docker.sock

    # settings for docker vms
    docker:
        tls:
            enabled: false
            ca:
                file: docker/ca.crt
            cert:
                file: docker/tls.crt
            key:
                file: docker/tls.key

        # Enables/disables the standard out/err from chaincode containers for
        # debugging purposes
        attachStdout: false

        # Parameters on creating docker container.
        # Container may be efficiently created using ipam & dns-server for cluster
        # NetworkMode - sets the networking mode for the container. Supported
        # standard values are: `host`(default),`bridge`,`ipvlan`,`none`.
        # Dns - a list of DNS servers for the container to use.
        # Note:  `Privileged` `Binds` `Links` and `PortBindings` properties of
        # Docker Host Config are not supported and will not be used if set.
        # LogConfig - sets the logging driver (Type) and related options
        # (Config) for Docker. For more info,
        # https://docs.docker.com/engine/admin/logging/overview/
        # Note: Set LogConfig using Environment Variables is not supported.
        hostConfig:
            NetworkMode: host
            Dns:
               # - 192.168.0.1
            LogConfig:
                Type: json-file
                Config:
                    max-size: "50m"
                    max-file: "5"
            Memory: 2147483648

###############################################################################
#
#    Chaincode section
#
###############################################################################
chaincode:

    # The id is used by the Chaincode stub to register the executing Chaincode
    # ID with the Peer and is generally supplied through ENV variables
    # the `path` form of ID is provided when installing the chaincode.
    # The `name` is used for all other requests and can be any string.
    id:
        path:
        name:

    # Generic builder environment, suitable for most chaincode types
    builder: $(DOCKER_NS)/fabric-ccenv:$(TWO_DIGIT_VERSION)

    # Enables/disables force pulling of the base docker images (listed below)
    # during user chaincode instantiation.
    # Useful when using moving image tags (such as :latest)
    pull: false

    golang:
        # golang will never need more than baseos
        runtime: $(DOCKER_NS)/fabric-baseos:$(TWO_DIGIT_VERSION)

        # whether or not golang chaincode should be linked dynamically
        dynamicLink: false

    java:
        # This is an image based on java:openjdk-8 with addition compiler
        # tools added for java shim layer packaging.
        # This image is packed with shim layer libraries that are necessary
        # for Java chaincode runtime.
        runtime: $(DOCKER_NS)/fabric-javaenv:$(TWO_DIGIT_VERSION)

    node:
        # This is an image based on node:$(NODE_VER)-alpine
        runtime: $(DOCKER_NS)/fabric-nodeenv:$(TWO_DIGIT_VERSION)

    # List of directories to treat as external builders and launchers for
    # chaincode. The external builder detection processing will iterate over the
    # builders in the order specified below.
    externalBuilders: []
        # - path: /path/to/directory
        #   name: descriptive-builder-name
        #   propagateEnvironment:
        #      - ENVVAR_NAME_TO_PROPAGATE_FROM_PEER
        #      - GOPROXY

    # The maximum duration to wait for the chaincode build and install process
    # to complete.
    installTimeout: 300s

    # Timeout duration for starting up a container and waiting for Register
    # to come through.
    startuptimeout: 300s

    # Timeout duration for Invoke and Init calls to prevent runaway.
    # This timeout is used by all chaincodes in all the channels, including
    # system chaincodes.
    # Note that during Invoke, if the image is not available (e.g. being
    # cleaned up when in development environment), the peer will automatically
    # build the image, which might take more time. In production environment,
    # the chaincode image is unlikely to be deleted, so the timeout could be
    # reduced accordingly.
    executetimeout: 30s

    # There are 2 modes: "dev" and "net".
    # In dev mode, user runs the chaincode after starting peer from
    # command line on local machine.
    # In net mode, peer will run chaincode in a docker container.
    mode: net

    # keepalive in seconds. In situations where the communication goes through a
    # proxy that does not support keep-alive, this parameter will maintain connection
    # between peer and chaincode.
    # A value <= 0 turns keepalive off
    keepalive: 0

    # enabled system chaincodes
    system:
        _lifecycle: enable
        cscc: enable
        lscc: enable
        escc: enable
        vscc: enable
        qscc: enable

    # Logging section for the chaincode container
    logging:
      # Default level for all loggers within the chaincode container
      level:  info
      # Override default level for the 'shim' logger
      shim:   warning
      # Format for the chaincode container logs
      format: '%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}'

###############################################################################
#
#    Ledger section - ledger configuration encompasses both the blockchain
#    and the state
#
###############################################################################
ledger:

  blockchain:

  state:
    # stateDatabase - options are "goleveldb", "CouchDB"
    # goleveldb - default state database stored in goleveldb.
    # CouchDB - store state database in CouchDB
    stateDatabase: goleveldb
    # Limit on the number of records to return per query
    totalQueryLimit: 100000
    couchDBConfig:
       # It is recommended to run CouchDB on the same server as the peer, and
       # not map the CouchDB container port to a server port in docker-compose.
       # Otherwise proper security must be provided on the connection between
       # CouchDB client (on the peer) and server.
       couchDBAddress: 192.168.3.128:5984
       # This username must have read and write authority on CouchDB
       username:
       # The password is recommended to pass as an environment variable
       # during start up (eg CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD).
       # If it is stored here, the file must be access control protected
       # to prevent unintended users from discovering the password.
       password:
       # Number of retries for CouchDB errors
       maxRetries: 3
       # Number of retries for CouchDB errors during peer startup.
       # The delay between retries doubles for each attempt.
       # Default of 10 retries results in 11 attempts over 2 minutes.
       maxRetriesOnStartup: 10
       # CouchDB request timeout (unit: duration, e.g. 20s)
       requestTimeout: 35s
       # Limit on the number of records per each CouchDB query
       # Note that chaincode queries are only bound by totalQueryLimit.
       # Internally the chaincode may execute multiple CouchDB queries,
       # each of size internalQueryLimit.
       internalQueryLimit: 1000
       # Limit on the number of records per CouchDB bulk update batch
       maxBatchUpdateSize: 1000
       # Warm indexes after every N blocks.
       # This option warms any indexes that have been
       # deployed to CouchDB after every N blocks.
       # A value of 1 will warm indexes after every block commit,
       # to ensure fast selector queries.
       # Increasing the value may improve write efficiency of peer and CouchDB,
       # but may degrade query response time.
       warmIndexesAfterNBlocks: 1
       # Create the _global_changes system database
       # This is optional.  Creating the global changes database will require
       # additional system resources to track changes and maintain the database
       createGlobalChangesDB: false
       # CacheSize denotes the maximum mega bytes (MB) to be allocated for the in-memory state
       # cache. Note that CacheSize needs to be a multiple of 32 MB. If it is not a multiple
       # of 32 MB, the peer would round the size to the next multiple of 32 MB.
       # To disable the cache, 0 MB needs to be assigned to the cacheSize.
       cacheSize: 64

  history:
    # enableHistoryDatabase - options are true or false
    # Indicates if the history of key updates should be stored.
    # All history 'index' will be stored in goleveldb, regardless if using
    # CouchDB or alternate database for the state.
    enableHistoryDatabase: true

  pvtdataStore:
    # the maximum db batch size for converting
    # the ineligible missing data entries to eligible missing data entries
    collElgProcMaxDbBatchSize: 5000
    # the minimum duration (in milliseconds) between writing
    # two consecutive db batches for converting the ineligible missing data entries to eligible missing data entries
    collElgProcDbBatchesInterval: 1000

###############################################################################
#
#    Operations section
#
###############################################################################
operations:
    # host and port for the operations server
    listenAddress: 192.168.3.128:9443

    # TLS configuration for the operations endpoint
    tls:
        # TLS enabled
        enabled: false

        # path to PEM encoded server certificate for the operations server
        cert:
            file:

        # path to PEM encoded server key for the operations server
        key:
            file:

        # most operations service endpoints require client authentication when TLS
        # is enabled. clientAuthRequired requires client certificate authentication
        # at the TLS layer to access all resources.
        clientAuthRequired: false

        # paths to PEM encoded ca certificates to trust for client authentication
        clientRootCAs:
            files: []

###############################################################################
#
#    Metrics section
#
###############################################################################
metrics:
    # metrics provider is one of statsd, prometheus, or disabled
    provider: disabled

    # statsd configuration
    statsd:
        # network type: tcp or udp
        network: udp

        # statsd server address
        address: 192.168.3.128:8125

        # the interval at which locally cached counters and gauges are pushed
        # to statsd; timings are pushed immediately
        writeInterval: 10s

        # prefix is prepended to all emitted statsd metrics
        prefix:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735

设置peer0相关的环境变量，以正常运行peer二进制命令：

# export FABRIC_LOGGING_SPEC=DEBUG  # 根据需要配置，对服务端和客户端都有效
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=192.168.3.128:7051
# export CORE_PEER_GOSSIP_EXTERNALENDPOINT=192.168.3.128:7051
1
2
3
4
5
6
7

启动peer0：

peer node start
1

日志：

2023-11-01 11:23:14.743 CST [nodeCmd] serve -> INFO 001 Starting peer:
 Version: 2.2.0
 Commit SHA: 5ea85bc54
 Go version: go1.14.4
 OS/Arch: linux/amd64
 Chaincode:
  Base Docker Label: org.hyperledger.fabric
  Docker Namespace: hyperledger
2023-11-01 11:23:14.743 CST [peer] getLocalAddress -> INFO 002 Auto-detected peer address: 192.168.3.128:7051
2023-11-01 11:23:14.744 CST [peer] getLocalAddress -> INFO 003 Returning 192.168.3.128:7051
2023-11-01 11:23:14.750 CST [nodeCmd] initGrpcSemaphores -> INFO 004 concurrency limit for endorser service is 2500
2023-11-01 11:23:14.750 CST [nodeCmd] initGrpcSemaphores -> INFO 005 concurrency limit for deliver service is 2500
2023-11-01 11:23:14.750 CST [nodeCmd] serve -> INFO 006 Starting peer with TLS enabled
2023-11-01 11:23:14.760 CST [ledgermgmt] NewLedgerMgr -> INFO 007 Initializing LedgerMgr
2023-11-01 11:23:14.768 CST [leveldbhelper] openDBAndCheckFormat -> INFO 008 DB is empty Setting db format as 2.0
2023-11-01 11:23:14.769 CST [blkstorage] NewProvider -> INFO 009 Creating new file ledger directory at /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/hyperledger/production/ledgersData/chains/chains
2023-11-01 11:23:14.774 CST [leveldbhelper] openDBAndCheckFormat -> INFO 00a DB is empty Setting db format as 2.0
2023-11-01 11:23:14.781 CST [leveldbhelper] openDBAndCheckFormat -> INFO 00b DB is empty Setting db format as 2.0
2023-11-01 11:23:14.783 CST [ledgermgmt] NewLedgerMgr -> INFO 00c Initialized LedgerMgr
2023-11-01 11:23:14.789 CST [gossip.service] New -> INFO 00d Initialize gossip with endpoint 192.168.3.128:7051
2023-11-01 11:23:14.790 CST [gossip.gossip] New -> INFO 00e Creating gossip service with self membership of Endpoint: 192.168.3.128:7051, InternalEndpoint: 192.168.3.128:7051, PKI-ID: c4ed8c02f6d405ef18af1dee58b19a712a572de390f71b9ac57812aab8522838, Metadata: 
2023-11-01 11:23:14.796 CST [gossip.gossip] start -> INFO 00f Gossip instance 192.168.3.128:7051 started
2023-11-01 11:23:14.796 CST [lifecycle] InitializeLocalChaincodes -> INFO 010 Initialized lifecycle cache with 0 already installed chaincodes
2023-11-01 11:23:14.797 CST [nodeCmd] computeChaincodeEndpoint -> INFO 011 Entering computeChaincodeEndpoint with peerHostname: 192.168.3.128
2023-11-01 11:23:14.797 CST [nodeCmd] computeChaincodeEndpoint -> INFO 012 Exit with ccEndpoint: 192.168.3.128:7052
2023-11-01 11:23:14.797 CST [nodeCmd] createChaincodeServer -> WARN 013 peer.chaincodeListenAddress is not set, using 192.168.3.128:7052
2023-11-01 11:23:14.801 CST [sccapi] DeploySysCC -> INFO 014 deploying system chaincode 'lscc'
2023-11-01 11:23:14.801 CST [sccapi] DeploySysCC -> INFO 015 deploying system chaincode 'cscc'
2023-11-01 11:23:14.801 CST [sccapi] DeploySysCC -> INFO 016 deploying system chaincode 'qscc'
2023-11-01 11:23:14.802 CST [sccapi] DeploySysCC -> INFO 017 deploying system chaincode '_lifecycle'
2023-11-01 11:23:14.802 CST [nodeCmd] serve -> INFO 018 Deployed system chaincodes
2023-11-01 11:23:14.802 CST [discovery] NewService -> INFO 019 Created with config TLS: true, authCacheMaxSize: 1000, authCachePurgeRatio: 0.750000
2023-11-01 11:23:14.802 CST [nodeCmd] registerDiscoveryService -> INFO 01a Discovery service activated
2023-11-01 11:23:14.802 CST [nodeCmd] serve -> INFO 01b Starting peer with ID=[peer0.org1.example.com], network ID=[dev], address=[192.168.3.128:7051]
2023-11-01 11:23:14.803 CST [nodeCmd] serve -> INFO 01c Started peer with ID=[peer0.org1.example.com], network ID=[dev], address=[192.168.3.128:7051]
2023-11-01 11:23:14.803 CST [kvledger] LoadPreResetHeight -> INFO 01d Loading prereset height from path [/home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/hyperledger/production/ledgersData/chains]
2023-11-01 11:23:14.803 CST [blkstorage] preResetHtFiles -> INFO 01e No active channels passed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

六、启动orderer0

6.1、创建排序服务创世块

走到这一步，组织目录下msp/只有tlscacerts目录，缺少cacert：

/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp/
├── config.yaml
└── tlscacerts
    └── tlsca.org1.example.com-cert.pem

1 directory, 2 files
1
2
3
4
5
6

所以先将orderer0的msp目录下的cacert，即~/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/cacerts/放到~/fabric/organizations/ordererOrganizations/org1.example.com/msp/cacerts/，顺带给peer0也一起处理：

cp -r /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/cacerts /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp
cp -r /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp
1
2

更改configtx.yaml文件。最终的configtx.yaml：

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   ORGANIZATIONS
#
#   This section defines the organizational identities that can be referenced
#   in the configuration profiles.
#
################################################################################
Organizations:

    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions.
    - &OrdererOrg1
        # Name is the key by which this org will be referenced in channel
        # configuration transactions.
        # Name can include alphanumeric characters as well as dots and dashes.
        Name: OrdererOrg1

        # SkipAsForeign can be set to true for org definitions which are to be
        # inherited from the orderer system channel during channel creation.  This
        # is especially useful when an admin of a single org without access to the
        # MSP directories of the other orgs wishes to create a channel.  Note
        # this property must always be set to false for orgs included in block
        # creation.
        SkipAsForeign: false

        # ID is the key by which this org's MSP definition will be referenced.
        # ID can include alphanumeric characters as well as dots and dashes.
        ID: OrdererOrg1MSP

        # MSPDir is the filesystem path which contains the MSP configuration.
        MSPDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererOrg1MSP.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('SampleOrg.admin', 'SampleOrg.peer', 'SampleOrg.client')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererOrg1MSP.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('SampleOrg.admin', 'SampleOrg.client')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererOrg1MSP.admin')"

        # OrdererEndpoints is a list of all orderers this org runs which clients
        # and peers may to connect to to push transactions and receive blocks respectively.
        OrdererEndpoints:
            - "192.168.3.128:7050"

    - &Org1
        # Name is the key by which this org will be referenced in channel
        # configuration transactions.
        # Name can include alphanumeric characters as well as dots and dashes.
        Name: Org1MSP

        # SkipAsForeign can be set to true for org definitions which are to be
        # inherited from the orderer system channel during channel creation.  This
        # is especially useful when an admin of a single org without access to the
        # MSP directories of the other orgs wishes to create a channel.  Note
        # this property must always be set to false for orgs included in block
        # creation.
        SkipAsForeign: false

        # ID is the key by which this org's MSP definition will be referenced.
        # ID can include alphanumeric characters as well as dots and dashes.
        ID: Org1MSP

        # MSPDir is the filesystem path which contains the MSP configuration.
        MSPDir: /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('SampleOrg.admin', 'SampleOrg.peer', 'SampleOrg.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.member')"
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                # Rule: "OR('SampleOrg.admin', 'SampleOrg.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.member')"

        # AnchorPeers defines the location of peers which can be used for
        # cross-org gossip communication. Note, this value is only encoded in
        # the genesis block in the Application section context.
        AnchorPeers:
            - Host: 192.168.3.128
              Port: 7051

################################################################################
#
#   CAPABILITIES
#
#   This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2.0 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v2.0.0
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V1.1 for Orderer is a catchall flag for behavior which has been
        # determined to be desired for all orderers running at the v1.1.x
        # level, but which would be incompatible with orderers from prior releases.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on a channel are at v2.0.0 or later.
        V2_0: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2.0 for Application enables the new non-backwards compatible
        # features and fixes of fabric v2.0.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on a channel are at v2.0.0 or later.
        V2_0: true

################################################################################
#
#   APPLICATION
#
#   This section defines the values to encode into a config transaction or
#   genesis block for application-related parameters.
#
################################################################################
Application: &ApplicationDefaults
#    ACLs: &ACLsDefault
        # This section provides defaults for policies for various resources
        # in the system. These "resources" could be functions on system chaincodes
        # (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other resources
        # (e.g.,who can receive Block events). This section does NOT specify the resource's
        # definition or API, but just the ACL policy for it.
        #
        # Users can override these defaults with their own policy mapping by defining the
        # mapping under ACLs in their channel definition

        #---New Lifecycle System Chaincode (_lifecycle) function to policy mapping for access control--#

        # ACL policy for _lifecycle's "CheckCommitReadiness" function
#        _lifecycle/CheckCommitReadiness: /Channel/Application/Writers

        # ACL policy for _lifecycle's "CommitChaincodeDefinition" function
#        _lifecycle/CommitChaincodeDefinition: /Channel/Application/Writers

        # ACL policy for _lifecycle's "QueryChaincodeDefinition" function
#        _lifecycle/QueryChaincodeDefinition: /Channel/Application/Readers

        # ACL policy for _lifecycle's "QueryChaincodeDefinitions" function
#        _lifecycle/QueryChaincodeDefinitions: /Channel/Application/Readers

        #---Lifecycle System Chaincode (lscc) function to policy mapping for access control---#

        # ACL policy for lscc's "getid" function
#        lscc/ChaincodeExists: /Channel/Application/Readers

        # ACL policy for lscc's "getdepspec" function
#        lscc/GetDeploymentSpec: /Channel/Application/Readers

        # ACL policy for lscc's "getccdata" function
#        lscc/GetChaincodeData: /Channel/Application/Readers

        # ACL Policy for lscc's "getchaincodes" function
#        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers

        #---Query System Chaincode (qscc) function to policy mapping for access control---#

        # ACL policy for qscc's "GetChainInfo" function
#        qscc/GetChainInfo: /Channel/Application/Readers

        # ACL policy for qscc's "GetBlockByNumber" function
#        qscc/GetBlockByNumber: /Channel/Application/Readers

        # ACL policy for qscc's  "GetBlockByHash" function
#        qscc/GetBlockByHash: /Channel/Application/Readers

        # ACL policy for qscc's "GetTransactionByID" function
#        qscc/GetTransactionByID: /Channel/Application/Readers

        # ACL policy for qscc's "GetBlockByTxID" function
#        qscc/GetBlockByTxID: /Channel/Application/Readers

        #---Configuration System Chaincode (cscc) function to policy mapping for access control---#

        # ACL policy for cscc's "GetConfigBlock" function
#        cscc/GetConfigBlock: /Channel/Application/Readers

        # ACL policy for cscc's "GetConfigTree" function
#        cscc/GetConfigTree: /Channel/Application/Readers

        # ACL policy for cscc's "SimulateConfigTreeUpdate" function
#        cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers

        #---Miscellaneous peer function to policy mapping for access control---#

        # ACL policy for invoking chaincodes on peer
#        peer/Propose: /Channel/Application/Writers

        # ACL policy for chaincode to chaincode invocation
#        peer/ChaincodeToChaincode: /Channel/Application/Readers

        #---Events resource to policy mapping for access control###---#

        # ACL policy for sending block events
#        event/Block: /Channel/Application/Readers

        # ACL policy for sending filtered block events
#        event/FilteredBlock: /Channel/Application/Readers

    # Organizations lists the orgs participating on the application side of the
    # network.
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies:
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    # Capabilities describes the application level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ApplicationCapabilities

################################################################################
#
#   ORDERER
#
#   This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters.
#
################################################################################
Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start.
    # Available types are "solo", "kafka" and "etcdraft".
    OrdererType: etcdraft

    # Addresses used to be the list of orderer addresses that clients and peers
    # could connect to.  However, this does not allow clients to associate orderer
    # addresses and orderer organizations which can be useful for things such
    # as TLS validation.  The preferred way to specify orderer addresses is now
    # to include the OrdererEndpoints item in your org definition
    Addresses:
        - 192.168.3.128:7050

    
    EtcdRaft:
        Consenters:
        - Host: 192.168.3.128
          Port: 7050
          ClientTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
          ServerTLSCert: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt

    # Batch Timeout: The amount of time to wait before creating a batch.
    BatchTimeout: 2s

    # Batch Size: Controls the number of messages batched into a block.
    # The orderer views messages opaquely, but typically, messages may
    # be considered to be Fabric transactions.  The 'batch' is the group
    # of messages in the 'data' field of the block.  Blocks will be a few kb
    # larger than the batch size, when signatures, hashes, and other metadata
    # is applied.
    BatchSize:

        # Max Message Count: The maximum number of messages to permit in a
        # batch.  No block will contain more than this number of messages.
        MaxMessageCount: 10

        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch. The maximum block size is this value
        # plus the size of the associated metadata (usually a few KB depending
        # upon the size of the signing identities). Any transaction larger than
        # this value will be rejected by ordering. If the "kafka" OrdererType is
        # selected, set 'message.max.bytes' and 'replica.fetch.max.bytes' on
        # the Kafka brokers to a value that is larger than this one.
        AbsoluteMaxBytes: 99 MB

        # Preferred Max Bytes: The preferred maximum number of bytes allowed
        # for the serialized messages in a batch. Roughly, this field may be considered
        # the best effort maximum size of a batch. A batch will fill with messages
        # until this size is reached (or the max message count, or batch timeout is
        # exceeded).  If adding a new message to the batch would cause the batch to
        # exceed the preferred max bytes, then the current batch is closed and written
        # to a block, and a new batch containing the new message is created.  If a
        # message larger than the preferred max bytes is received, then its batch
        # will contain only that message.  Because messages may be larger than
        # preferred max bytes (up to AbsoluteMaxBytes), some batches may exceed
        # the preferred max bytes, but will always contain exactly one transaction.
        PreferredMaxBytes: 521 KB

    # Max Channels is the maximum number of channels to allow on the ordering
    # network. When set to 0, this implies no maximum number of channels.
    MaxChannels: 0

#    Kafka:
        # Brokers: A list of Kafka brokers to which the orderer connects. Edit
        # this list to identify the brokers of the ordering service.
        # NOTE: Use IP:port notation.
#        Brokers:
#            - kafka0:9092
#            - kafka1:9092
#            - kafka2:9092


    # Organizations lists the orgs participating on the orderer side of the
    # network.
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    #   /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

    # Capabilities describes the orderer level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
#    Capabilities:
#        <<: *OrdererCapabilities

################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"


    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities

################################################################################
#
#   PROFILES
#
#   Different configuration profiles may be encoded here to be specified as
#   parameters to the configtxgen tool. The profiles which specify consortiums
#   are to be used for generating the orderer genesis block. With the correct
#   consortium members defined in the orderer genesis block, channel creation
#   requests may be generated with only the org member names and a consortium
#   name.
#
################################################################################
Profiles:

    OneOrgOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg1
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
    Channel1:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
            Capabilities:
                <<: *ApplicationCapabilities
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467

创建创世块：

configtxgen -profile OneOrgOrdererGenesis -channelID system-channel -outputBlock /home/songzehao/fabric/config/system-genesis-block/genesis.block
1

得到：

/home/songzehao/fabric/config/system-genesis-block/
└── genesis.block

0 directories, 1 file
1
2
3
4

日志：

2023-11-01 11:26:45.901 CST [common.tools.configtxgen] main -> INFO 001 Loading configuration
2023-11-01 11:26:45.914 CST [common.tools.configtxgen.localconfig] completeInitialization -> INFO 002 orderer type: etcdraft
2023-11-01 11:26:45.915 CST [common.tools.configtxgen.localconfig] completeInitialization -> INFO 003 Orderer.EtcdRaft.Options unset, setting to tick_interval:"500ms" election_tick:10 heartbeat_tick:1 max_inflight_blocks:5 snapshot_interval_size:16777216 
2023-11-01 11:26:45.915 CST [common.tools.configtxgen.localconfig] Load -> INFO 004 Loaded configuration: /home/songzehao/fabric/config/configtx.yaml
2023-11-01 11:26:45.916 CST [common.tools.configtxgen] doOutputBlock -> INFO 005 Generating genesis block
2023-11-01 11:26:45.916 CST [common.tools.configtxgen] doOutputBlock -> INFO 006 Writing genesis block
1
2
3
4
5
6

6.2、启动orderer0

更改orderer.yaml文件。最终的orderer.yaml：

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Orderer Configuration
#
#   - This controls the type and configuration of the orderer.
#
################################################################################
General:
    # Listen address: The IP on which to bind to listen.
    ListenAddress: 192.168.3.128

    # Listen port: The port on which to bind to listen.
    ListenPort: 7050

    # TLS: TLS settings for the GRPC server.
    TLS:
        Enabled: true
        # PrivateKey governs the file location of the private key of the TLS certificate.
        PrivateKey: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.key
        # Certificate governs the file location of the server TLS certificate.
        Certificate: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
        RootCAs:
          - /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/ca.crt
        ClientAuthRequired: false
        ClientRootCAs:
    # Keepalive settings for the GRPC server.
    Keepalive:
        # ServerMinInterval is the minimum permitted time between client pings.
        # If clients send pings more frequently, the server will
        # disconnect them.
        ServerMinInterval: 60s
        # ServerInterval is the time between pings to clients.
        ServerInterval: 7200s
        # ServerTimeout is the duration the server waits for a response from
        # a client before closing the connection.
        ServerTimeout: 20s
    # Cluster settings for ordering service nodes that communicate with other ordering service nodes
    # such as Raft based ordering service.
    Cluster:
        # SendBufferSize is the maximum number of messages in the egress buffer.
        # Consensus messages are dropped if the buffer is full, and transaction
        # messages are waiting for space to be freed.
        SendBufferSize: 10
        # ClientCertificate governs the file location of the client TLS certificate
        # used to establish mutual TLS connections with other ordering service nodes.
        ClientCertificate: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt
        # ClientPrivateKey governs the file location of the private key of the client TLS certificate.
        ClientPrivateKey: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.key
        # The below 4 properties should be either set together, or be unset together.
        # If they are set, then the orderer node uses a separate listener for intra-cluster
        # communication. If they are unset, then the general orderer listener is used.
        # This is useful if you want to use a different TLS server certificates on the
        # client-facing and the intra-cluster listeners.

        # ListenPort defines the port on which the cluster listens to connections.
        ListenPort:
        # ListenAddress defines the IP on which to listen to intra-cluster communication.
        ListenAddress:
        # ServerCertificate defines the file location of the server TLS certificate used for intra-cluster
        # communication.
        ServerCertificate:
        # ServerPrivateKey defines the file location of the private key of the TLS certificate.
        ServerPrivateKey:

    # Bootstrap method: The method by which to obtain the bootstrap block
    # system channel is specified. The option can be one of:
    #   "file" - path to a file containing the genesis block or config block of system channel
    #   "none" - allows an orderer to start without a system channel configuration
    BootstrapMethod: file

    # Bootstrap file: The file containing the bootstrap block to use when
    # initializing the orderer system channel and BootstrapMethod is set to
    # "file".  The bootstrap file can be the genesis block, and it can also be
    # a config block for late bootstrap of some consensus methods like Raft.
    # Generate a genesis block by updating $FABRIC_CFG_PATH/configtx.yaml and
    # using configtxgen command with "-outputBlock" option.
    # Defaults to file "genesisblock" (in $FABRIC_CFG_PATH directory) if not specified.
    BootstrapFile: /home/songzehao/fabric/config/system-genesis-block/genesis.block

    # LocalMSPDir is where to find the private crypto material needed by the
    # orderer. It is set relative here as a default for dev environments but
    # should be changed to the real location in production.
    LocalMSPDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp

    # LocalMSPID is the identity to register the local MSP material with the MSP
    # manager. IMPORTANT: The local MSP ID of an orderer needs to match the MSP
    # ID of one of the organizations defined in the orderer system channel's
    # /Channel/Orderer configuration. The sample organization defined in the
    # sample configuration provided has an MSP ID of "SampleOrg".
    LocalMSPID: OrdererOrg1MSP

    # Enable an HTTP service for Go "pprof" profiling as documented at:
    # https://golang.org/pkg/net/http/pprof
    Profile:
        Enabled: false
        Address: 0.0.0.0:6060

    # BCCSP configures the blockchain crypto service providers.
    BCCSP:
        # Default specifies the preferred blockchain crypto service provider
        # to use. If the preferred provider is not available, the software
        # based provider ("SW") will be used.
        # Valid providers are:
        #  - SW: a software based crypto provider
        #  - PKCS11: a CA hardware security module crypto provider.
        Default: SW

        # SW configures the software based blockchain crypto provider.
        SW:
            # TODO: The default Hash and Security level needs refactoring to be
            # fully configurable. Changing these defaults requires coordination
            # SHA2 is hardcoded in several places, not only BCCSP
            Hash: SHA2
            Security: 256
            # Location of key store. If this is unset, a location will be
            # chosen using: 'LocalMSPDir'/keystore
            FileKeyStore:
                KeyStore:

        # Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
        PKCS11:
            # Location of the PKCS11 module library
            Library:
            # Token Label
            Label:
            # User PIN
            Pin:
            Hash:
            Security:
            FileKeyStore:
                KeyStore:

    # Authentication contains configuration parameters related to authenticating
    # client messages
    Authentication:
        # the acceptable difference between the current server time and the
        # client's time as specified in a client request message
        TimeWindow: 15m


################################################################################
#
#   SECTION: File Ledger
#
#   - This section applies to the configuration of the file or json ledgers.
#
################################################################################
FileLedger:

    # Location: The directory to store the blocks in.
    # NOTE: If this is unset, a new temporary location will be chosen every time
    # the orderer is restarted, using the prefix specified by Prefix.
    Location: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer

    # The prefix to use when generating a ledger directory in temporary space.
    # Otherwise, this value is ignored.
    Prefix: hyperledger-fabric-ordererledger

################################################################################
#
#   SECTION: Kafka
#
#   - This section applies to the configuration of the Kafka-based orderer, and
#     its interaction with the Kafka cluster.
#
################################################################################
Kafka:

    # Retry: What do if a connection to the Kafka cluster cannot be established,
    # or if a metadata request to the Kafka cluster needs to be repeated.
    Retry:
        # When a new channel is created, or when an existing channel is reloaded
        # (in case of a just-restarted orderer), the orderer interacts with the
        # Kafka cluster in the following ways:
        # 1. It creates a Kafka producer (writer) for the Kafka partition that
        # corresponds to the channel.
        # 2. It uses that producer to post a no-op CONNECT message to that
        # partition
        # 3. It creates a Kafka consumer (reader) for that partition.
        # If any of these steps fail, they will be re-attempted every
        # <ShortInterval> for a total of <ShortTotal>, and then every
        # <LongInterval> for a total of <LongTotal> until they succeed.
        # Note that the orderer will be unable to write to or read from a
        # channel until all of the steps above have been completed successfully.
        ShortInterval: 5s
        ShortTotal: 10m
        LongInterval: 5m
        LongTotal: 12h
        # Affects the socket timeouts when waiting for an initial connection, a
        # response, or a transmission. See Config.Net for more info:
        # https://godoc.org/github.com/Shopify/sarama#Config
        NetworkTimeouts:
            DialTimeout: 10s
            ReadTimeout: 10s
            WriteTimeout: 10s
        # Affects the metadata requests when the Kafka cluster is in the middle
        # of a leader election.See Config.Metadata for more info:
        # https://godoc.org/github.com/Shopify/sarama#Config
        Metadata:
            RetryBackoff: 250ms
            RetryMax: 3
        # What to do if posting a message to the Kafka cluster fails. See
        # Config.Producer for more info:
        # https://godoc.org/github.com/Shopify/sarama#Config
        Producer:
            RetryBackoff: 100ms
            RetryMax: 3
        # What to do if reading from the Kafka cluster fails. See
        # Config.Consumer for more info:
        # https://godoc.org/github.com/Shopify/sarama#Config
        Consumer:
            RetryBackoff: 2s
    # Settings to use when creating Kafka topics.  Only applies when
    # Kafka.Version is v0.10.1.0 or higher
    Topic:
        # The number of Kafka brokers across which to replicate the topic
        ReplicationFactor: 3
    # Verbose: Enable logging for interactions with the Kafka cluster.
    Verbose: false

    # TLS: TLS settings for the orderer's connection to the Kafka cluster.
    TLS:

      # Enabled: Use TLS when connecting to the Kafka cluster.
      Enabled: false

      # PrivateKey: PEM-encoded private key the orderer will use for
      # authentication.
      PrivateKey:
        # As an alternative to specifying the PrivateKey here, uncomment the
        # following "File" key and specify the file name from which to load the
        # value of PrivateKey.
        #File: path/to/PrivateKey

      # Certificate: PEM-encoded signed public key certificate the orderer will
      # use for authentication.
      Certificate:
        # As an alternative to specifying the Certificate here, uncomment the
        # following "File" key and specify the file name from which to load the
        # value of Certificate.
        #File: path/to/Certificate

      # RootCAs: PEM-encoded trusted root certificates used to validate
      # certificates from the Kafka cluster.
      RootCAs:
        # As an alternative to specifying the RootCAs here, uncomment the
        # following "File" key and specify the file name from which to load the
        # value of RootCAs.
        #File: path/to/RootCAs

    # SASLPlain: Settings for using SASL/PLAIN authentication with Kafka brokers
    SASLPlain:
      # Enabled: Use SASL/PLAIN to authenticate with Kafka brokers
      Enabled: false
      # User: Required when Enabled is set to true
      User:
      # Password: Required when Enabled is set to true
      Password:

    # Kafka protocol version used to communicate with the Kafka cluster brokers
    # (defaults to 0.10.2.0 if not specified)
    Version:

################################################################################
#
#   Debug Configuration
#
#   - This controls the debugging options for the orderer
#
################################################################################
Debug:

    # BroadcastTraceDir when set will cause each request to the Broadcast service
    # for this orderer to be written to a file in this directory
    BroadcastTraceDir:

    # DeliverTraceDir when set will cause each request to the Deliver service
    # for this orderer to be written to a file in this directory
    DeliverTraceDir:

################################################################################
#
#   Operations Configuration
#
#   - This configures the operations server endpoint for the orderer
#
################################################################################
Operations:
    # host and port for the operations server
    ListenAddress: 192.168.3.128:8443

    # TLS configuration for the operations endpoint
    TLS:
        # TLS enabled
        Enabled: false

        # Certificate is the location of the PEM encoded TLS certificate
        Certificate:

        # PrivateKey points to the location of the PEM-encoded key
        PrivateKey:

        # Most operations service endpoints require client authentication when TLS
        # is enabled. ClientAuthRequired requires client certificate authentication
        # at the TLS layer to access all resources.
        ClientAuthRequired: false

        # Paths to PEM encoded ca certificates to trust for client authentication
        ClientRootCAs: []

################################################################################
#
#   Metrics  Configuration
#
#   - This configures metrics collection for the orderer
#
################################################################################
Metrics:
    # The metrics provider is one of statsd, prometheus, or disabled
    Provider: disabled

    # The statsd configuration
    Statsd:
      # network type: tcp or udp
      Network: udp

      # the statsd server address
      Address: 192.168.3.128:8125

      # The interval at which locally cached counters and gauges are pushed
      # to statsd; timings are pushed immediately
      WriteInterval: 30s

      # The prefix is prepended to all emitted statsd metrics
      Prefix:


################################################################################
#
#   Consensus Configuration
#
#   - This section contains config options for a consensus plugin. It is opaque
#     to orderer, and completely up to consensus implementation to make use of.
#
################################################################################
Consensus:
    # The allowed key-value pairs here depend on consensus plugin. For etcd/raft,
    # we use following options:

    # WALDir specifies the location at which Write Ahead Logs for etcd/raft are
    # stored. Each channel will have its own subdir named after channel ID.
    WALDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/etcdraft/wal

    # SnapDir specifies the location at which snapshots for etcd/raft are
    # stored. Each channel will have its own subdir named after channel ID.
    SnapDir: /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/etcdraft/snapshot
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362

启动orderer：

orderer start
1

日志：

2023-11-01 11:32:18.760 CST [localconfig] completeInitialization -> INFO 001 Kafka.Version unset, setting to 0.10.2.0
2023-11-01 11:32:18.760 CST [orderer.common.server] prettyPrintStruct -> INFO 002 Orderer config values:
	General.ListenAddress = "192.168.3.128"
	General.ListenPort = 7050
	General.TLS.Enabled = true
	General.TLS.PrivateKey = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.key"
	General.TLS.Certificate = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt"
	General.TLS.RootCAs = [/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/ca.crt]
	General.TLS.ClientAuthRequired = false
	General.TLS.ClientRootCAs = []
	General.Cluster.ListenAddress = ""
	General.Cluster.ListenPort = 0
	General.Cluster.ServerCertificate = ""
	General.Cluster.ServerPrivateKey = ""
	General.Cluster.ClientCertificate = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.crt"
	General.Cluster.ClientPrivateKey = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/tls/server.key"
	General.Cluster.RootCAs = []
	General.Cluster.DialTimeout = 5s
	General.Cluster.RPCTimeout = 7s
	General.Cluster.ReplicationBufferSize = 20971520
	General.Cluster.ReplicationPullTimeout = 5s
	General.Cluster.ReplicationRetryTimeout = 5s
	General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
	General.Cluster.ReplicationMaxRetries = 12
	General.Cluster.SendBufferSize = 10
	General.Cluster.CertExpirationWarningThreshold = 168h0m0s
	General.Cluster.TLSHandshakeTimeShift = 0s
	General.Keepalive.ServerMinInterval = 1m0s
	General.Keepalive.ServerInterval = 2h0m0s
	General.Keepalive.ServerTimeout = 20s
	General.ConnectionTimeout = 0s
	General.GenesisMethod = ""
	General.GenesisFile = ""
	General.BootstrapMethod = "file"
	General.BootstrapFile = "/home/songzehao/fabric/config/system-genesis-block/genesis.block"
	General.Profile.Enabled = false
	General.Profile.Address = "0.0.0.0:6060"
	General.LocalMSPDir = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp"
	General.LocalMSPID = "OrdererOrg1MSP"
	General.BCCSP.ProviderName = "SW"
	General.BCCSP.SwOpts.SecLevel = 256
	General.BCCSP.SwOpts.HashFamily = "SHA2"
	General.BCCSP.SwOpts.Ephemeral = true
	General.BCCSP.SwOpts.FileKeystore.KeyStorePath = ""
	General.BCCSP.SwOpts.DummyKeystore =
	General.BCCSP.SwOpts.InmemKeystore =
	General.Authentication.TimeWindow = 15m0s
	General.Authentication.NoExpirationChecks = false
	FileLedger.Location = "/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer"
	FileLedger.Prefix = "hyperledger-fabric-ordererledger"
	Kafka.Retry.ShortInterval = 5s
	Kafka.Retry.ShortTotal = 10m0s
	Kafka.Retry.LongInterval = 5m0s
	Kafka.Retry.LongTotal = 12h0m0s
	Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
	Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
	Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
	Kafka.Retry.Metadata.RetryMax = 3
	Kafka.Retry.Metadata.RetryBackoff = 250ms
	Kafka.Retry.Producer.RetryMax = 3
	Kafka.Retry.Producer.RetryBackoff = 100ms
	Kafka.Retry.Consumer.RetryBackoff = 2s
	Kafka.Verbose = false
	Kafka.Version = 0.10.2.0
	Kafka.TLS.Enabled = false
	Kafka.TLS.PrivateKey = ""
	Kafka.TLS.Certificate = ""
	Kafka.TLS.RootCAs = []
	Kafka.TLS.ClientAuthRequired = false
	Kafka.TLS.ClientRootCAs = []
	Kafka.SASLPlain.Enabled = false
	Kafka.SASLPlain.User = ""
	Kafka.SASLPlain.Password = ""
	Kafka.Topic.ReplicationFactor = 3
	Debug.BroadcastTraceDir = ""
	Debug.DeliverTraceDir = ""
	Consensus = map[SnapDir:/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/etcdraft/snapshot WALDir:/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/etcdraft/wal]
	Operations.ListenAddress = "192.168.3.128:8443"
	Operations.TLS.Enabled = false
	Operations.TLS.PrivateKey = ""
	Operations.TLS.Certificate = ""
	Operations.TLS.RootCAs = []
	Operations.TLS.ClientAuthRequired = false
	Operations.TLS.ClientRootCAs = []
	Metrics.Provider = "disabled"
	Metrics.Statsd.Network = "udp"
	Metrics.Statsd.Address = "192.168.3.128:8125"
	Metrics.Statsd.WriteInterval = 30s
	Metrics.Statsd.Prefix = ""
	ChannelParticipation.Enabled = false
	ChannelParticipation.RemoveStorage = false
2023-11-01 11:32:18.772 CST [orderer.common.server] initializeServerConfig -> INFO 003 Starting orderer with TLS enabled
2023-11-01 11:32:18.774 CST [blkstorage] NewProvider -> INFO 004 Creating new file ledger directory at /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/chains
2023-11-01 11:32:18.776 CST [orderer.common.server] Main -> INFO 005 Bootstrapping the system channel
2023-11-01 11:32:18.776 CST [blkstorage] newBlockfileMgr -> INFO 006 Getting block information from block storage
2023-11-01 11:32:18.778 CST [orderer.common.server] selectClusterBootBlock -> INFO 007 Cluster boot block is bootstrap (genesis) block; Blocks Header.Number system-channel=0, bootstrap=0
2023-11-01 11:32:18.780 CST [orderer.common.server] Main -> INFO 008 Starting with system channel: system-channel, consensus type: etcdraft
2023-11-01 11:32:18.780 CST [orderer.common.server] Main -> INFO 009 Setting up cluster
2023-11-01 11:32:18.780 CST [orderer.common.server] reuseListener -> INFO 00a Cluster listener is not configured, defaulting to use the general listener on port 7050
2023-11-01 11:32:18.781 CST [orderer.common.cluster] loadVerifier -> INFO 00b Loaded verifier for channel system-channel from config block at index 0
2023-11-01 11:32:18.784 CST [orderer.consensus.etcdraft] HandleChain -> INFO 00c EvictionSuspicion not set, defaulting to 10m0s
2023-11-01 11:32:18.784 CST [orderer.consensus.etcdraft] createOrReadWAL -> INFO 00d No WAL data found, creating new WAL at path '/home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/hyperledger/production/orderer/etcdraft/wal/system-channel' channel=system-channel node=1
2023-11-01 11:32:18.791 CST [orderer.commmon.multichannel] Initialize -> INFO 00e Starting system channel 'system-channel' with genesis block hash cf0eea12e3ad0e100746fab436a756f291a683dd76e17d4b63b1eb2ce40fe407 and orderer type etcdraft
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] Start -> INFO 00f Starting Raft node channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.common.cluster] Configure -> INFO 010 Entering, channel: system-channel, nodes: []
2023-11-01 11:32:18.792 CST [orderer.common.cluster] Configure -> INFO 011 Exiting
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] start -> INFO 012 Starting raft node as part of a new channel channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] becomeFollower -> INFO 013 1 became follower at term 0 channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] newRaft -> INFO 014 newRaft 1 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0] channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] becomeFollower -> INFO 015 1 became follower at term 1 channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.common.server] Main -> INFO 016 Starting orderer:
 Version: 2.2.0
 Commit SHA: 5ea85bc54
 Go version: go1.14.4
 OS/Arch: linux/amd64
2023-11-01 11:32:18.792 CST [orderer.consensus.etcdraft] run -> INFO 017 This node is picked to start campaign channel=system-channel node=1
2023-11-01 11:32:18.792 CST [orderer.common.server] Main -> INFO 018 Beginning to serve requests
2023-11-01 11:32:18.793 CST [orderer.consensus.etcdraft] apply -> INFO 019 Applied config change to add node 1, current nodes in channel: [1] channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] Step -> INFO 01a 1 is starting a new election at term 1 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] becomePreCandidate -> INFO 01b 1 became pre-candidate at term 1 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] poll -> INFO 01c 1 received MsgPreVoteResp from 1 at term 1 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] becomeCandidate -> INFO 01d 1 became candidate at term 2 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] poll -> INFO 01e 1 received MsgVoteResp from 1 at term 2 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] becomeLeader -> INFO 01f 1 became leader at term 2 channel=system-channel node=1
2023-11-01 11:32:19.793 CST [orderer.consensus.etcdraft] run -> INFO 020 raft.node: 1 elected leader 1 at term 2 channel=system-channel node=1
2023-11-01 11:32:19.794 CST [orderer.consensus.etcdraft] run -> INFO 021 Leader 1 is present, quit campaign channel=system-channel node=1
2023-11-01 11:32:19.794 CST [orderer.consensus.etcdraft] run -> INFO 022 Raft leader changed: 0 -> 1 channel=system-channel node=1
2023-11-01 11:32:19.794 CST [orderer.consensus.etcdraft] run -> INFO 023 Start accepting requests as Raft leader at block [0] channel=system-channel node=1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

七、创建新通道

前面已经有系统通道了，现在准备创建一个应用通道。

7.1、创建应用通道tx交易文件

configtxgen -profile Channel1 -outputCreateChannelTx /home/songzehao/fabric/config/channel-artifacts/channel1.tx -channelID channel1
1

得到：

/home/songzehao/fabric/config/channel-artifacts/
└── channel1.tx

0 directories, 1 file
1
2
3
4

日志：

2023-11-01 11:33:43.714 CST [common.tools.configtxgen] main -> INFO 001 Loading configuration
2023-11-01 11:33:43.729 CST [common.tools.configtxgen.localconfig] Load -> INFO 002 Loaded configuration: /home/songzehao/fabric/config/configtx.yaml
2023-11-01 11:33:43.729 CST [common.tools.configtxgen] doOutputChannelCreateTx -> INFO 003 Generating new channel configtx
2023-11-01 11:33:43.730 CST [common.tools.configtxgen] doOutputChannelCreateTx -> INFO 004 Writing new channel tx
1
2
3
4

7.2、创建应用通道区块

peer channel create -o 192.168.3.128:7050 -c channel1 -f /home/songzehao/fabric/config/channel-artifacts/channel1.tx --outputBlock /home/songzehao/fabric/config/channel-artifacts/channel1.block --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

得到：

/home/songzehao/fabric/config/channel-artifacts/
├── channel1.block
└── channel1.tx

0 directories, 2 files
1
2
3
4
5

日志：

2023-11-01 11:34:05.239 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2023-11-01 11:34:05.249 CST [cli.common] readBlock -> INFO 002 Expect block, but got status: &{NOT_FOUND}
2023-11-01 11:34:05.253 CST [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2023-11-01 11:34:05.454 CST [cli.common] readBlock -> INFO 004 Expect block, but got status: &{SERVICE_UNAVAILABLE}
2023-11-01 11:34:05.456 CST [channelCmd] InitCmdFactory -> INFO 005 Endorser and orderer connections initialized
2023-11-01 11:34:05.658 CST [cli.common] readBlock -> INFO 006 Expect block, but got status: &{SERVICE_UNAVAILABLE}
2023-11-01 11:34:05.660 CST [channelCmd] InitCmdFactory -> INFO 007 Endorser and orderer connections initialized
2023-11-01 11:34:05.862 CST [cli.common] readBlock -> INFO 008 Expect block, but got status: &{SERVICE_UNAVAILABLE}
2023-11-01 11:34:05.865 CST [channelCmd] InitCmdFactory -> INFO 009 Endorser and orderer connections initialized
2023-11-01 11:34:06.067 CST [cli.common] readBlock -> INFO 00a Expect block, but got status: &{SERVICE_UNAVAILABLE}
2023-11-01 11:34:06.069 CST [channelCmd] InitCmdFactory -> INFO 00b Endorser and orderer connections initialized
2023-11-01 11:34:06.271 CST [cli.common] readBlock -> INFO 00c Received block: 0
1
2
3
4
5
6
7
8
9
10
11
12

7.3、peer0加入应用通道

peer channel join -b /home/songzehao/fabric/config/channel-artifacts/channel1.block
1

日志：

2023-11-01 11:34:26.004 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2023-11-01 11:34:26.018 CST [channelCmd] executeJoin -> INFO 002 Successfully submitted proposal to join channel
1
2

查询peer加入的通道：

peer channel list
1

日志：

2023-11-01 11:34:37.778 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined: 
channel1
1
2
3

7.4、获取应用通道最近的配置块

peer channel fetch config /home/songzehao/fabric/config/channel-artifacts/config_block.pb -o 192.168.3.128:7050 -c channel1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

得到：

/home/songzehao/fabric/config/channel-artifacts/
├── channel1.block
├── channel1.tx
└── config_block.pb

0 directories, 3 files
1
2
3
4
5
6

日志：

2023-11-01 11:34:53.572 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2023-11-01 11:34:53.574 CST [cli.common] readBlock -> INFO 002 Received block: 0
2023-11-01 11:34:53.574 CST [channelCmd] fetch -> INFO 003 Retrieving last config block: 0
2023-11-01 11:34:53.575 CST [cli.common] readBlock -> INFO 004 Received block: 0
1
2
3
4

7.5、生成锚节点更新配置文件

protobuf序列化（编码）后的.pb配置文件，转化为.json格式：

configtxlator proto_decode --input /home/songzehao/fabric/config/channel-artifacts/config_block.pb --type common.Block --output /home/songzehao/fabric/config/channel-artifacts/config_block.json
1

抽取配置部分的json，得到原始配置：

jq .data.data[0].payload.data.config /home/songzehao/fabric/config/channel-artifacts/config_block.json > /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json
1

进一步追加锚节点peer0信息到Org1MSP的values部分，得到更改后配置：

jq '.channel_group.groups.Application.groups.Org1MSP.values += {"AnchorPeers":{"mod_policy": "Admins","value":{"anchor_peers": [{"host": "192.168.3.128","port": 7051}]},"version": "0"}}' /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json > /home/songzehao/fabric/config/channel-artifacts/Org1MSPmodified_config.json
1

protobuf编码原始配置：

configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/Org1MSPconfig.json --type common.Config --output /home/songzehao/fabric/config/channel-artifacts/original_config.pb
1

protobuf编码更改后配置：

configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/Org1MSPmodified_config.json --type common.Config --output /home/songzehao/fabric/config/channel-artifacts/modified_config.pb
1

计算更改前后的配置差异，得到.pb的差异配置：

configtxlator compute_update --channel_id channel1 --original /home/songzehao/fabric/config/channel-artifacts/original_config.pb --updated /home/songzehao/fabric/config/channel-artifacts/modified_config.pb --output /home/songzehao/fabric/config/channel-artifacts/config_update.pb
1

protobuf解码为.json格式：

configtxlator proto_decode --input /home/songzehao/fabric/config/channel-artifacts/config_update.pb --type common.ConfigUpdate --output /home/songzehao/fabric/config/channel-artifacts/config_update.json
1

追加.json格式的差异文件内容到新包装后的.json文件：

echo '{"payload":{"header":{"channel_header":{"channel_id":"channel1", "type":2}},"data":{"config_update":'$(cat /home/songzehao/fabric/config/channel-artifacts/config_update.json)'}}}' | jq . > /home/songzehao/fabric/config/channel-artifacts/config_update_in_envelope.json
1

编码为Envelope类型的新的交易文件：

configtxlator proto_encode --input /home/songzehao/fabric/config/channel-artifacts/config_update_in_envelope.json --type common.Envelope --output /home/songzehao/fabric/config/channel-artifacts/Org1MSPanchors.tx
1

最终得到：

/home/songzehao/fabric/config/channel-artifacts/
├── channel1.block
├── channel1.tx
├── config_block.json
├── config_block.pb
├── config_update_in_envelope.json
├── config_update.json
├── config_update.pb
├── modified_config.pb
├── Org1MSPanchors.tx
├── Org1MSPconfig.json
├── Org1MSPmodified_config.json
└── original_config.pb

0 directories, 12 files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

7.6、提交更新通道配置交易

peer channel update -o 192.168.3.128:7050 -c channel1 -f /home/songzehao/fabric/config/channel-artifacts/Org1MSPanchors.tx --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

日志：

2023-11-01 11:36:09.564 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2023-11-01 11:36:09.572 CST [channelCmd] update -> INFO 002 Successfully submitted channel update
1
2

八、部署链码发送交易

8.1、编译打包链码

将fabric-samples示例工程https://github.com/hyperledger/fabric-samples/tree/v2.2.0/拉下来：

git clone -b v2.2.0 https://gitee.com/hyperledger/fabric-samples.git
1

以其中一个asset-transfer-basic链码举例，编译该java链码：

rm -rf ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java/build/install/

cd ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java
./gradlew installDist
1
2
3
4

日志：

Starting a Gradle Daemon (subsequent builds will be faster)

> Task :test

AssetTransferTest > invokeGetAllAssetsTransaction() PASSED
AssetTransferTest > invokeInitLedgerTransaction() PASSED
AssetTransferTest > invokeUnknownTransaction() PASSED
AssetTransferTest > DeleteAssetTransaction > whenAssetDoesNotExist() PASSED
AssetTransferTest > UpdateAssetTransaction > whenAssetExists() PASSED
AssetTransferTest > UpdateAssetTransaction > whenAssetDoesNotExist() PASSED
AssetTransferTest > TransferAssetTransaction > whenAssetExists() PASSED
AssetTransferTest > TransferAssetTransaction > whenAssetDoesNotExist() PASSED
AssetTransferTest > InvokeCreateAssetTransaction > whenAssetExists() PASSED
AssetTransferTest > InvokeCreateAssetTransaction > whenAssetDoesNotExist() PASSED
AssetTransferTest > InvokeReadAssetTransaction > whenAssetExists() PASSED
AssetTransferTest > InvokeReadAssetTransaction > whenAssetDoesNotExist() PASSED
AssetTest > toStringIdentifiesAsset() PASSED
AssetTest > Equality > handlesOtherObjects() PASSED
AssetTest > Equality > isReflexive() PASSED
AssetTest > Equality > isTransitive() PASSED
AssetTest > Equality > handlesInequality() PASSED
AssetTest > Equality > isSymmetric() PASSED
AssetTest > Equality > handlesNull() PASSED

BUILD SUCCESSFUL in 16s
10 actionable tasks: 10 executed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

并打包为basic.tar.gz：

peer lifecycle chaincode package ~/fabric/config/basic.tar.gz --path ~/fabric/fabric-samples/asset-transfer-basic/chaincode-java/build/install/basic --lang java --label basic_1.0
1

得到：

$ file ~/fabric/config/basic.tar.gz 
/home/songzehao/fabric/config/basic.tar.gz: gzip compressed data, original size modulo 2^32 21309440
1
2

8.2、部署链码

进行链码安装：

peer lifecycle chaincode install ~/fabric/config/basic.tar.gz
1

日志：

2023-11-01 11:54:21.805 CST [cli.lifecycle.chaincode] submitInstallProposal -> INFO 001 Installed remotely: response:<status:200 payload:"\nJbasic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773\022\tbasic_1.0" > 
2023-11-01 11:54:21.805 CST [cli.lifecycle.chaincode] submitInstallProposal -> INFO 002 Chaincode code package identifier: basic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773
1
2

查看已安装的链码：

peer lifecycle chaincode queryinstalled
1

日志：

Installed chaincodes on peer:
Package ID: basic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773, Label: basic_1.0
1
2

批准链码定义：

peer lifecycle chaincode approveformyorg -o 192.168.3.128:7050 --channelID channel1 --name basic --version 1.0 --package-id basic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773 --sequence 1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

日志：

2023-11-01 11:54:55.578 CST [chaincodeCmd] ClientWait -> INFO 001 txid [6f0b3c359bed36b71a216475145d0fd384b6d23594e625d202c5874caac1c541] committed with status (VALID) at
1

检查批准状态：

peer lifecycle chaincode queryapproved -C channel1 -n basic
1

日志：

Approved chaincode definition for chaincode 'basic' on channel 'channel1':
sequence: 1, version: 1.0, init-required: false, package-id: basic_1.0:67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773, endorsement plugin: escc, validation plugin: vscc
1
2

检查提交就绪状态：

peer lifecycle chaincode checkcommitreadiness --channelID channel1 --name basic --version 1.0 --sequence 1 --output json
1

日志：

{
        "approvals": {
                "Org1MSP": true
        }
}
1
2
3
4
5

提交到peer0：

peer lifecycle chaincode commit -o 192.168.3.128:7050 --channelID channel1 --name basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --version 1.0 --sequence 1 --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

日志：

2023-11-01 11:55:28.245 CST [chaincodeCmd] ClientWait -> INFO 001 txid [1d49f6e82ba2414c02f76618e3b73e44ad64ffd1c76debef4d41fcb9f6553b14] committed with status (VALID) at 192.168.3.128:7051
1

检查提交状态：

peer lifecycle chaincode querycommitted --channelID channel1 --name basic --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
1

日志：

Committed chaincode definition for chaincode 'basic' on channel 'channel1':
Version: 1.0, Sequence: 1, Endorsement Plugin: escc, Validation Plugin: vscc, Approvals: [Org1MSP: true]
1
2

docker验证新的链代码是否已在您的对等点上提交启动：

$ docker ps --no-trunc
CONTAINER ID                                                       IMAGE                                                                                                                                                                    COMMAND                                                         CREATED          STATUS          PORTS     NAMES
8d14f50cb83dd1956e48b6bdab88f03be34611d93512f7ff394282b6ce380837   dev-peer0.org1.example.com-basic_1.0-67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773-4ae135e5fa18d99cbd8dc7e8907079b31a3f779d0137e69204d3307d30236441   "/root/chaincode-java/start --peerAddress 192.168.3.128:7052"   22 seconds ago   Up 21 seconds             dev-peer0.org1.example.com-basic_1.0-67b9d7ef205254d9b8ff59e5904d1d18a27f74d7d1679abe0e7ccde064826773
1
2
3

8.3、发送交易

发交易，初始化资产（调用链码的初始化方法InitLedger）：

peer chaincode invoke -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"InitLedger","Args":[]}'
1

日志：

2023-11-01 11:56:26.590 CST [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200
1

查询初始化后的资产（调用链码的GetAllAssets方法）：

peer chaincode invoke -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"GetAllAssets","Args":[]}'
1

日志：

2023-11-01 11:56:37.940 CST [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"[{\"appraisedValue\":300,\"assetID\":\"asset1\",\"color\":\"blue\",\"owner\":\"Tomoko\",\"size\":5},{\"appraisedValue\":400,\"assetID\":\"asset2\",\"color\":\"red\",\"owner\":\"Brad\",\"size\":5},{\"appraisedValue\":500,\"assetID\":\"asset3\",\"color\":\"green\",\"owner\":\"Jin Soo\",\"size\":10},{\"appraisedValue\":600,\"assetID\":\"asset4\",\"color\":\"yellow\",\"owner\":\"Max\",\"size\":10},{\"appraisedValue\":700,\"assetID\":\"asset5\",\"color\":\"black\",\"owner\":\"Adrian\",\"size\":15},{\"appraisedValue\":700,\"assetID\":\"asset6\",\"color\":\"white\",\"owner\":\"Michel\",\"size\":15}]"
1

发交易，新增资产（调用链码的初始化方法CreateAsset）：

peer chaincode invoke -o 192.168.3.128:7050 -C channel1 -n basic --peerAddresses 192.168.3.128:7051 --tlsRootCertFiles /home/songzehao/fabric/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --tls --cafile /home/songzehao/fabric/organizations/ordererOrganizations/org1.example.com/orderers/orderer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem -c '{"function":"CreateAsset","Args":["asset7", "pink", "18", "Jay", "800"]}'
1

日志：

2023-11-01 11:56:50.588 CST [chaincodeCmd] chaincodeInvokeOrQuery -> INFO 001 Chaincode invoke successful. result: status:200 payload:"{\"owner\":\"Jay\",\"color\":\"pink\",\"size\":18,\"appraisedValue\":800,\"assetID\":\"asset7\"}"
1