Step 5: Enroll an Administrative User
In this step, you use a pre-configured certificate to enroll a user with administrative permissions to your member's certificate authority (CA). To do this, you must create a certificate file. You also need the endpoint for the CA of your member, and the user name and password for the user that you created in Step 1: Create the Network and First Member.
Step 5.1: Create the Certificate File
Run the following command to copy the managedblockchain-tls-chain.pem file to the /home/ec2-user directory. Replace MyRegion with the AWS Region you are using, for example us-east-1.
aws s3 cp s3://MyRegion.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem
If the command fails with a permissions error, ensure that a service role associated with the EC2 instance allows access to the Amazon S3 bucket location. For more information, see Example IAM Role Permissions Policy for Hyperledger Fabric Client EC2 Instance.
Run the following command to test that you copied the contents to the file correctly:
openssl x509 -noout -text -in /home/ec2-user/managedblockchain-tls-chain.pem
The command should return the contents of the certificate in human-readable format.
Step 5.2: Enroll the Administrative User
AMB Access registers the user identity that you specified when you created the member as an administrator. In Hyperledger Fabric, this user is known as the bootstrap identity because the identity is used to enroll itself. To enroll, you need the CA endpoint, as well as the user name and password for the administrator that you created in Step 1: Create the Network and First Member. For information about registering other user identities as administrators before you enroll them, see Register and Enroll a Hyperledger Fabric Admin.
Use the get-member command to get the CA endpoint for your membership as shown in the following example. Replace the values of --network-id and --member-id with the values returned in Step 1: Create the Network and First Member.
aws managedblockchain get-member \
  --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
  --member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A
The command returns information about the initial member that you created in the network, as shown in the following example. Make a note of the CaEndpoint. You also need the AdminUsername and the password that you created along with the network.
{
    "Member": {
        "NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
        "Status": "AVAILABLE",
        "Description": "MyNetDescription",
        "FrameworkAttributes": {
            "Fabric": {
                "CaEndpoint": "ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002",
                "AdminUsername": "Example-AdminUser"
            }
        },
        "StatusReason": "Network member created successfully",
        "CreationDate": 1542255358.74,
        "Id": "m-K46ICRRXJRCGRNNS4ES4XUUS5A",
        "Name": "org1"
    }
}
Use the CA endpoint, administrator profile, and the certificate file to enroll the member administrator using the fabric-ca-client enroll command, as shown in the following example:
fabric-ca-client enroll \
  -u "https://${AdminUsername}:${AdminPassword}@${CASERVICEENDPOINT}" \
  --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
  -M /home/ec2-user/admin-msp
The enrollment URL is double-quoted so that the shell expands the variables; inside single quotes they would be passed to fabric-ca-client literally. To use this command, set CASERVICEENDPOINT to the CaEndpoint value returned by get-member, and set the following environment variables:
AdminUsername — The admin username.
AdminPassword — The admin password.
Warning
Always use variables in your code to pass user credentials. For more information, see Move hard-coded credentials to AWS Secrets Manager.
The following example uses a fictitious administrator name, password, and endpoint:
fabric-ca-client enroll \
  -u https://Example-AdminUser:Example-Password123@ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-MWY63ZJZU5HGNCMBQER7IN6OIU.managedblockchain.us-east-1.amazonaws.com:30002 \
  --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem \
  -M /home/ec2-user/admin-msp
The command returns output similar to the following:
2018/11/16 02:21:40 [INFO] Created a default configuration file at /home/ec2-user/.fabric-ca-client/fabric-ca-client-config.yaml
2018/11/16 02:21:40 [INFO] TLS Enabled
2018/11/16 02:21:40 [INFO] generating key: &{A:ecdsa S:256}
2018/11/16 02:21:40 [INFO] encoded CSR
2018/11/16 02:21:40 [INFO] Stored client certificate at /home/ec2-user/admin-msp/signcerts/cert.pem
2018/11/16 02:21:40 [INFO] Stored root CA certificate at /home/ec2-user/admin-msp/cacerts/ca-abcd1efghijkllmn5op3q52rst-uqz2f2xakfd7vcfewqhckr7q5m-managedblockchain-us-east-1-amazonaws-com-30002.pem
Important
After you enroll, it may take a minute or two before you can use your administrator certificate to create a channel with the ordering service.
Step 5.3: Copy Certificates for the MSP
In Hyperledger Fabric, the Membership Service Provider (MSP) identifies which root CAs and intermediate CAs are trusted to define the members of a trust domain. Certificates for the administrator's MSP are in /home/ec2-user/admin-msp in this tutorial. Because this MSP is for the member administrator, copy the certificates from signcerts to admincerts as shown in the following example. The example assumes you are in the /home/ec2-user directory when running the command.
cp -r /home/ec2-user/admin-msp/signcerts admin-msp/admincerts
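As an added example that is not part of the AWS documentation or of the fabric-ca-client tooling, the following POSIX shell functions check the artifacts that Steps 5.1 through 5.3 leave on the client instance: that a PEM certificate file (such as the TLS chain copied in Step 5.1) parses and has not expired, that the enrolled MSP's signcerts/cert.pem chains to the CA certificate stored in cacerts/ and matches the private key in keystore/, and that admincerts/ holds an identical copy of the enrollment certificate after Step 5.3. It assumes the directory layout that fabric-ca-client writes (signcerts, cacerts, keystore) plus the admincerts directory from Step 5.3; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not AWS or Hyperledger Fabric code): post-enrollment checks
# for the admin MSP produced in Steps 5.1 to 5.3. Assumes the MSP layout that
# fabric-ca-client writes: signcerts/cert.pem, cacerts/*.pem, keystore/<key>,
# and the admincerts/ directory created in Step 5.3.

# Check that a PEM certificate (for example the TLS chain from Step 5.1)
# parses and has not expired. Returns non-zero and reports on stderr otherwise.
check_cert_file() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 \
        || { echo "$1: not a PEM certificate" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1 \
        || { echo "$1: certificate has expired" >&2; return 1; }
    return 0
}

# Step 5.3 equivalent: copy the enrollment certificate(s) into admincerts/,
# creating the directory if it does not exist yet.
populate_admincerts() {
    mkdir -p "$1/admincerts" && cp "$1"/signcerts/*.pem "$1/admincerts/"
}

# Verify an enrolled admin MSP directory:
#   1. signcerts/cert.pem is a valid, unexpired certificate
#   2. it chains to the CA certificate fabric-ca-client stored in cacerts/
#   3. the private key in keystore/ belongs to that certificate
#   4. admincerts/cert.pem is an identical copy (Step 5.3 was done)
verify_admin_msp() {
    msp="$1"
    cert="$msp/signcerts/cert.pem"
    check_cert_file "$cert" || return 1

    cafile=$(ls "$msp"/cacerts/*.pem 2>/dev/null | head -n 1)
    [ -n "$cafile" ] || { echo "$msp: no CA certificate in cacerts/" >&2; return 1; }
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "$msp: enrollment certificate does not chain to $cafile" >&2; return 1; }

    key=$(ls "$msp"/keystore/* 2>/dev/null | head -n 1)
    [ -n "$key" ] || { echo "$msp: no private key in keystore/" >&2; return 1; }
    # Compare the SubjectPublicKeyInfo derived from the key with the one in the cert
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$msp: keystore key does not match signcerts/cert.pem" >&2; return 1; }

    cmp -s "$cert" "$msp/admincerts/cert.pem" \
        || { echo "$msp: admincerts/cert.pem missing or differs from signcerts/cert.pem (run Step 5.3)" >&2; return 1; }
    echo "$msp: OK"
    return 0
}

# Usage: sh check-msp.sh /home/ec2-user/admin-msp [more MSP directories...]
# With no arguments nothing is checked, so the functions can also be sourced.
for dir in "$@"; do
    verify_admin_msp "$dir" || exit 1
done
```

Run it as sh check-msp.sh /home/ec2-user/admin-msp after Step 5.3. A certificate that does not chain to the CA in cacerts/, a keystore key that does not belong to the enrolled certificate, or a missing admincerts copy is reported on stderr and the script exits non-zero, which makes it usable as a gate before the channel-creation step.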