Creating a highly available Certificate Authority
The default certificate authority in a Hyperledger Fabric network is a single replica with an integrated SQLite database; however, it is possible to configure the certificate authority to use an external PostgreSQL database and to run multiple replicas of the certificate authority.
There are some limitations on creating replicas: the certificate authority must use a PostgreSQL database, and an existing certificate authority with an integrated SQLite database cannot be upgraded to use a PostgreSQL database. Consequently, the playbook for this task checks for the existence of the named certificate authority and fails if it already exists.
Before you start
This task guide assumes that you have installed Ansible and the Hyperledger Fabric Ansible Collection, and are familiar with how to use these technologies.
This task guide also assumes that you have created a PostgreSQL database and that you have the connection details available.
Cloning the repository
This task guide uses a set of example playbooks which are stored in a GitHub repository. You must clone this GitHub repository in order to run the playbooks locally:
git clone https://github.com/hyperledger-labs/fabric-ansible-collection.git
After cloning the GitHub repository, you must change into the examples directory for this task guide:
cd fabric-ansible-collection/examples/create-ha-ca
Editing the variable file
You need to edit the variable file vars.yml. This file is used to pass information about your network into the example Ansible playbook.
The first set of values that you must set are:
- Determine the URL of your instance’s console.
- Determine the API key and secret you use to access your instance’s console. You can also use a username and password instead of an API key and secret.
- Set api_endpoint to the URL of your console.
- Set api_authtype to basic.
- Set api_key to your API key or username.
- Set api_secret to your API secret or password.
The remaining values must always be set:
- Set ha_ca_name to the name of the new certificate authority, for example HAOrg1 CA.
- Set ca_admin_identity to the name of the CA administrator enroll ID.
- Set ca_admin_pass to the CA administrator enroll secret.
- Set ca_admin_type to client if you are not using NodeOU support, or admin if you are using NodeOU support.
- Set db_datasource to the connection details for your PostgreSQL database, for example:
host=mypostgressql.example.com port=999 user=myUsername password=myPassword dbname=mydb sslmode=verify-full
- Set db_certfile1 to the Base64 encoded value of the certificate for the PostgreSQL database.
- Set ca_replicas to the number of replicas of the CA that you require.
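The following is an added example of a completed vars.yml that brings the variables above together; it is not the file shipped in the collection's examples directory. Every value is a constructed placeholder (the console URL, credentials, enroll ID and secret, and the Base64 certificate string are assumptions) and must be replaced with your own; the db_datasource line reuses the example from this guide.

```yaml
# vars.yml (added example, not the collection's own file).
# All values below are constructed placeholders.
---
# Console connection
api_endpoint: https://console.example.com   # placeholder: URL of your console
api_authtype: basic
api_key: myApiKeyOrUsername                 # placeholder: API key or username
api_secret: myApiSecretOrPassword           # placeholder: API secret or password

# The new certificate authority. The playbook fails if a CA with this
# name already exists, because an existing SQLite-backed CA cannot be
# migrated to PostgreSQL.
ha_ca_name: HAOrg1 CA
ca_admin_identity: admin                    # placeholder: CA administrator enroll ID
ca_admin_pass: adminpw                      # placeholder: CA administrator enroll secret
ca_admin_type: client                       # use admin if you rely on NodeOU support

# PostgreSQL connection. sslmode=verify-full makes the CA verify the server
# certificate chain and hostname against db_certfile1; weaker modes such as
# require only encrypt the connection and do not verify the server's identity.
db_datasource: host=mypostgressql.example.com port=999 user=myUsername password=myPassword dbname=mydb sslmode=verify-full
# Base64 encoding of the PostgreSQL database certificate, on a single line
db_certfile1: "PLACEHOLDER_BASE64_OF_POSTGRES_CERTIFICATE"

# Number of CA replicas to run
ca_replicas: 3
```

On Linux, `base64 -w 0 postgres.pem` produces the single-line value needed for db_certfile1. Because this file contains the console credentials, the CA administrator enroll secret and the database password, keep it out of version control or encrypt it with `ansible-vault encrypt vars.yml` and run the playbook with `--ask-vault-pass`.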
Creating the certificate authority
Review the example playbook create-ha-ca.yml, then run it as follows:
ansible-playbook create-ha-ca.yml
Ensure that the example playbook completed successfully by examining the PLAY RECAP section in the output from Ansible.