hyperledger-labs · celder628 · Apr 17, 2024 · Apr 16, 2024 · Apr 16, 2024 · Apr 16, 2024
diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst
@@ -0,0 +1,77 @@
+..
+.. SPDX-License-Identifier: Apache-2.0
+..
+
+Certificate Management
+======================
+
+This article will show you how to enroll/re-enroll/renew the following certificates: CA TLS certificate, Peer TLS/Ecert, and Orderer TLS/Ecert certificates on an existing Hyperledger Fabric network.
+
+For this tutorial, you can use the IBM Support for Hyperledger Fabric software or the Hyperledger Fabric Open Source Stack  running in a Red Hat OpenShift or Kubernetes cluster.
+
+Note: If the Orderer TLS certificate expired. We will not able renew the certificate using this process.
+
+Before you start
+----------------
+You will need to use the GitHub repositorythat you cloned in the previous tutorial. Ensure that you are in the tutorial directory:
+
+    ::
+
+        cd ansible-collection/tutorial
+
+Peer/Orderer Ecert/TLS certificate Enroll/Re-enroll
+===================================================
+
+For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files`  and respective peer/orderer that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal.
+
+    ::
+
+        ./enroll_or_reenroll_peer_and_orderer_cert.sh [-i] [-i <component type>] [-j <certificate type>] [-k <action>]
+
+Next, you will need to replace the variable placeholders with the required values.
+
+Replace ``<component type>`` with your component type for your HLF Console like `peer` or `orderer`.
+
+Replace ``<certificate type>`` with the certificate type that you want enroll/re-enroll like `ecert` OR `tls_cert`.
+
+Replace ``<action>`` with the action that you want to take enroll/re-enroll like `enroll` OR `reenroll` OR `restart`.
+
+
+Once you have replaced the above variable in the command. Execute the command,It will update and restart the peer. If the peer restarted successfully, please refresh the certs in the console of the corresponding component.
+
+
+CA TLS certificate Renewal
+==========================
+
+We will examine the process for renewing the CA TLS certificate in this section. We offer two options here: either renew the specific CA TLS certificate or renew all CA TLS certificates in the instance.
+
+For renewing all the CA components in the instance you have to edit the playbook `26-renew-all-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal.
+
+  ::
+
+        ./renew_ca_tls_cert.sh [-k <action flag>]
+
+
+Next, you will need to replace the variable placeholders with the required values.
+
+Replace ``<component name>`` with name of your CA component.
+
+Replace ``<component type>`` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA.
+
+Replace ``<action flag>``  we are using the flag for renewing all the CA TLS certificates in instance. The flag will be like `all`.
+
+
+For renewing respective CA component in the instance you have to edit the playbook `30-renew-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal.
+
+
+    ::
+
+         ./renew_ca_tls_cert.sh [-i <component name>] [-j <component type>]
+
+Next, you will need to replace the variable placeholders with the required values.
+
+Replace ``<component name>`` with name of your CA component.
+
+Replace ``<component type>`` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA..
+
+Once you've changed the above variable in the command. When you run the command, the CA will be updated and restarted, as well as the nodes associated with it. Once the process is finished, please refresh the certs in the appropriate CA component in console.
diff --git a/tutorial/24-reenroll-peer-tls-and-ecert.yml b/tutorial/24-reenroll-peer-tls-and-ecert.yml
@@ -0,0 +1,27 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Reenroll a Peer TLS Cert
+  hosts: localhost
+  vars:
+    peer_name: "Org2 Peer"
+  vars_files:
+    - org2-vars.yml
+  tasks:
+    - name: Reenroll a Peer TLS/Ecert Cert
+      hyperledger.fabric_ansible_collection.peer_action:
+        api_endpoint: "{{ api_endpoint }}"
+        api_authtype: "{{ api_authtype }}"
+        api_key: "{{ api_key }}"
+        api_secret: "{{ api_secret | default(omit) }}"
+        api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        name: "{{ peer_name }}"
+        action: "{{ action }}"
+        type: "{{ cert_type }}"
+      register: result
+
+    - name: Fail if the Certificate Authority did not accept the message
+      fail:
+        msg: result.response
+      when: not result.accepted
diff --git a/tutorial/25-reenroll-orderer-tls-and-ecert.yml b/tutorial/25-reenroll-orderer-tls-and-ecert.yml
@@ -0,0 +1,28 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Reenroll a Peer TLS Cert
+  hosts: localhost
+  vars:
+    ordering_msp_id: OrdererMSP
+    ordering_node_name: "{{ ordering_node_name }}"
+  vars_files:
+    - ordering-org-vars.yml
+  tasks:
+    - name: Restarting Ordering Service Node "{{ ordering_node_name }}"
+      hyperledger.fabric_ansible_collection.ordering_service_node_action:
+        api_endpoint: "{{ api_endpoint }}"
+        api_authtype: "{{ api_authtype }}"
+        api_key: "{{ api_key }}"
+        api_secret: "{{ api_secret | default(omit) }}"
+        api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        name: "{{ ordering_node_name }}"
+        action: "restart"
+        type: "{{ cert_type }}"
+      register: result
+
+    - name: Fail if Ordering Service Node "{{ ordering_node_name }}" did not accept the message
+      fail:
+        msg: result.response
+      when: not result.accepted
diff --git a/tutorial/26-renew-all-ca-tls.yml b/tutorial/26-renew-all-ca-tls.yml
@@ -0,0 +1,28 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+  hosts: localhost
+  vars_files:
+      - org1-vars.yml
+  tasks:
+      - name: Get the ALL Certificate Authorities
+        hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        register: result
+
+      - name: Store the Certificate Authorities in a file
+        copy:
+            content: "{{ result.certificate_authorities | to_nice_json }}"
+            dest: "All_CAs.json"
+
+      - name: Renew TLS Certificates for Certificate Authorities
+        include_tasks: 27-renew-ca-tls-task.yml
+        loop: "{{ result.certificate_authorities }}"
+        loop_control:
+            loop_var: certificate_authority
diff --git a/tutorial/27-renew-ca-tls-task.yml b/tutorial/27-renew-ca-tls-task.yml
@@ -0,0 +1,60 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for the Certificate Authority "{{ certificate_authority.name }}"
+  hyperledger.fabric_ansible_collection.certificate_authority_action:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ certificate_authority.name }}"
+      action: 'renew'
+  register: result
+
+- name: Fail if the Certificate Authority did not accept the message
+  fail:
+      msg: result.response
+  when: not result.accepted
+
+- name: Get the Certificate Authority
+  hyperledger.fabric_ansible_collection.certificate_authority_info:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ certificate_authority.name }}"
+  register: result
+
+- name: Configure the crypto update
+  set_fact:
+      crypto:
+          enrollment:
+              ca:
+                  tls_cert: "{{ result.certificate_authority.msp.component.tls_cert }}"
+              tlsca:
+                  tls_cert: "{{result.certificate_authority.msp.component.tls_cert}}"
+
+- name: Get the Nodes associated with the Certificate Authority "{{ certificate_authority.name }}"
+  hyperledger.fabric_ansible_collection.certificate_authority_associated_nodes:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      certificate_authority: "{{ certificate_authority.name }}"
+  register: nodes
+
+- name: Update Ordering Nodes associated with "{{ certificate_authority.name }}"
+  include_tasks: 28-update-ordering-node-task.yml
+  loop: "{{ nodes.ordering_service_nodes }}"
+  loop_control:
+      loop_var: ordering_service_node
+
+- name: Update Peers associated with "{{ certificate_authority.name }}"
+  include_tasks: 29-update-peer-task.yml
+  loop: "{{ nodes.peers }}"
+  loop_control:
+      loop_var: peer
diff --git a/tutorial/28-update-ordering-node-task.yml b/tutorial/28-update-ordering-node-task.yml
@@ -0,0 +1,40 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Updating Ordering Node "{{ ordering_service_node.name }}"
+  hyperledger.fabric_ansible_collection.ordering_service_node:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ ordering_service_node.name }}"
+      crypto: "{{ crypto }}"
+  register: result
+
+- name: Fail if Ordering Service Node "{{ ordering_service_node.name }}" was not updated
+  fail:
+      msg: "Ordering Service Node {{ ordering_service_node.name }} was not updated"
+  when: not result.changed
+
+- name: Write the updated Ordering Service Node "{{ ordering_service_node.name }}" to a file
+  copy:
+      content: "{{ result.ordering_service_node | to_nice_json }}"
+      dest: "updated_ordering_service_node.json"
+
+- name: Restarting Ordering Service Node "{{ ordering_service_node.name }}"
+  hyperledger.fabric_ansible_collection.ordering_service_node_action:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ ordering_service_node.name }}"
+      action: 'restart'
+  register: result
+
+- name: Fail if Ordering Service Node "{{ ordering_service_node.name }}" did not accept the message
+  fail:
+      msg: result.response
+  when: not result.accepted
diff --git a/tutorial/29-update-peer-task.yml b/tutorial/29-update-peer-task.yml
@@ -0,0 +1,40 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Updating Peer "{{ peer.name }}"
+  hyperledger.fabric_ansible_collection.peer:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ peer.name }}"
+      crypto: "{{ crypto }}"
+  register: result
+
+- name: Fail if Peer "{{ peer.name }}" was not updated
+  fail:
+      msg: "Peer {{ peer.name }} was not updated"
+  when: not result.changed
+
+- name: Write the updated peer "{{ peer.name }}" to a file
+  copy:
+      content: "{{ result.peer | to_nice_json }}"
+      dest: "updated_peer.json"
+
+- name: Restarting Peer "{{ peer.name }}"
+  hyperledger.fabric_ansible_collection.peer_action:
+      api_endpoint: "{{ api_endpoint }}"
+      api_authtype: "{{ api_authtype }}"
+      api_key: "{{ api_key }}"
+      api_secret: "{{ api_secret | default(omit) }}"
+      api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+      name: "{{ peer.name }}"
+      action: 'restart'
+  register: result
+
+- name: Fail if Peer "{{ peer.name }}" did not accept the message
+  fail:
+      msg: result.response
+  when: not result.accepted
diff --git a/tutorial/30-renew-ca-tls.yml b/tutorial/30-renew-ca-tls.yml
@@ -0,0 +1,76 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+  hosts: localhost
+  vars_files:
+      - org1-vars.yml
+  tasks:
+      - name: Get the ALL Certificate Authorities
+        hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+        register: result_list
+
+      - name: Renew the TLS Certificate for the Certificate Authority "{{ component_name }}"
+        hyperledger.fabric_ansible_collection.certificate_authority_action:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            name: "{{ component_name }}"
+            action: 'renew'
+        register: result
+
+      - name: Fail if the Certificate Authority did not accept the message
+        fail:
+            msg: result.response
+        when: not result.accepted
+
+      - name: Get the Certificate Authority
+        hyperledger.fabric_ansible_collection.certificate_authority_info:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            name: "{{ component_name }}"
+        register: result
+
+      - name: Configure the crypto update
+        set_fact:
+            crypto:
+                enrollment:
+                    ca:
+                        tls_cert: "{{ result.certificate_authority.msp.component.tls_cert }}"
+                    tlsca:
+                        tls_cert: "{{result.certificate_authority.msp.component.tls_cert}}"
+
+      - name: Get the Nodes associated with the Certificate Authority "{{ component_name }}"
+        hyperledger.fabric_ansible_collection.certificate_authority_associated_nodes:
+            api_endpoint: "{{ api_endpoint }}"
+            api_authtype: "{{ api_authtype }}"
+            api_key: "{{ api_key }}"
+            api_secret: "{{ api_secret | default(omit) }}"
+            api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+            certificate_authority: "{{ component_name }}"
+        register: nodes
+
+      - name: Update Ordering Nodes associated with "{{ component_name }}"
+        include_tasks: 28-update-ordering-node-task.yml
+        loop: "{{ nodes.ordering_service_nodes }}"
+        loop_control:
+            loop_var: ordering_service_node
+        when: "'{{ component_type }}' in ['orderer']"
+
+      - name: Update Peers associated with "{{ component_name }}"
+        include_tasks: 29-update-peer-task.yml
+        loop: "{{ nodes.peers }}"
+        loop_control:
+            loop_var: peer
+        when: "'{{ component_type }}' in ['peer']"