diff --git a/images/fabric-ca-fvt/Dockerfile.in b/images/fabric-ca-fvt/Dockerfile.in
index a00132e2f..f52082234 100644
--- a/images/fabric-ca-fvt/Dockerfile.in
+++ b/images/fabric-ca-fvt/Dockerfile.in
@@ -11,6 +11,8 @@ ENV PATH="/usr/local/go/bin/:${PATH}" \
 PGDATA="/usr/local/pgsql/data/" \
 PGUSER="postgres" \
 PGPASSWORD="postgres" \
+ PGSSLCERT="/etc/hyperledger/fabric-ca/FabricTlsClientEEcert.pem" \
+ PGSSLKEY="/etc/hyperledger/fabric-ca/FabricTlsClientEEkey.pem" \
 PGVER=_PGVER_ \
 HOSTADDR="127.0.0.1" \
 LDAPPORT="389" \
diff --git a/scripts/fvt/fabric-ca_setup.sh b/scripts/fvt/fabric-ca_setup.sh
index 02e2ec5df..6e61d2a2c 100755
--- a/scripts/fvt/fabric-ca_setup.sh
+++ b/scripts/fvt/fabric-ca_setup.sh
@@ -338,6 +338,7 @@ export CA_CFG_PATH
 # honor the command-line setting to turn on TLS
 # else honor the envvar
 # else (default) turn off tls
+sslmode=disable
 if test -n "$TLS_ON"; then
 TLS_DISABLE='false'; LDAP_PORT=636; LDAP_PROTO="ldaps://";sslmode="require";mysqlTls='&tls=custom'
 else
@@ -356,7 +357,7 @@ test -n "$SRC_KEY" && cp "$SRC_KEY" $DST_KEY
 RUNCONFIG="$DATADIR/runFabricCaFvt.yaml"
 case $DRIVER in
- postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=disable" ;;
+ postgres) DATASRC="dbname=$DBNAME host=127.0.0.1 port=$POSTGRES_PORT user=postgres password=postgres sslmode=$sslmode" ;;
 sqlite3) DATASRC="$DATADIR/$DBNAME" ;;
 mysql) DATASRC="root:mysql@tcp(localhost:$MYSQL_PORT)/$DBNAME?parseTime=true$mysqlTls" ;;
 esac
diff --git a/scripts/fvt/intermediateca_test.sh b/scripts/fvt/intermediateca_test.sh
index 11b535494..be4890cdb 100755
--- a/scripts/fvt/intermediateca_test.sh
+++ b/scripts/fvt/intermediateca_test.sh
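Review bot: The two new `PGSSLCERT`/`PGSSLKEY` lines make libpq present a client certificate, but no `PGSSLMODE` or `PGSSLROOTCERT` is set next to them, so a psql/libpq client run inside this image still connects without verifying the postgres server certificate; if this image backs the TLS-on FVT runs, adding `PGSSLROOTCERT` (the same bundle the servers get via `--db.tls.certfiles`) and `PGSSLMODE=verify-ca` would make that side of the link authenticated too. libpq also refuses a private key file that is group- or world-accessible, so whichever step places `FabricTlsClientEEkey.pem` under `/etc/hyperledger/fabric-ca` (not in this diff) has to leave it at mode 0600 or the client side will fail at connect time. A one-line comment above the pair, `# client cert/key libpq presents to postgres when the DB link is TLS-enabled`, would explain why these two live in the image ENV rather than in the test scripts.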
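Review bot: `sslmode="require"` in the TLS-on branch (hunk -338) only encrypts the postgres link; neither lib/pq nor libpq verifies the server certificate in that mode unless a root cert is also supplied, so the DATASRC built at -357 does not exercise the CA bundle the servers now receive through `--db.tls.certfiles` — unless fabric-ca-server rewrites the DSN from its db.tls settings, which is not visible here. Consider `sslmode="verify-ca"` together with `sslrootcert=$FABRIC_CA_DATA/$TLS_BUNDLE` appended to the postgres DATASRC (`verify-full` would additionally require the postgres server certificate to carry the 127.0.0.1 address, which this diff does not show). As a placement nit, the new `sslmode=disable` default now sits between the three-line comment describing the TLS_ON logic and the `if` it describes; moving it above the comment keeps the comment attached to the branch it explains.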
@@ -43,7 +43,7 @@ function setupTLScerts() {
 -E "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping" \
 -e 20370101000000Z -s 20160101000000Z -p subTlsCa- >/dev/null 2>&1
 # EE TLS certs
- i=0;while test $((i++)) -lt $NUMINTCAS; do
+ i=0;while test $((i++)) -lt $((NUMINTCAS+1)); do
 rm -rf $TLSDIR/intFabCaTls${i}*
 $SCRIPTDIR/utils/pki -f newcert -a subTlsCa -t ec -l 256 -d sha512 \
 -n "/C=US/ST=NC/L=RTP/O=IBM/O=Hyperledger/OU=FVT/CN=intFabCaTls${i}/" -S "IP:127.0.${i}.1" \
@@ -60,12 +60,14 @@ EOF
 function createRootCA() {
 # Start RootCA
- $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
- --tls.keyfile $TLSDIR/rootTlsCa-key.pem"
+ $($FABRIC_TLS) && tlsopts="--tls.enabled \
+ --tls.certfile $TLSDIR/rootTlsCa-cert.pem \
+ --tls.keyfile $TLSDIR/rootTlsCa-key.pem \
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY"
 mkdir -p "$TDIR/root"
 $SCRIPTDIR/fabric-ca_setup.sh -I -x "$TDIR/root" -d $driver -m $MAXENROLL
- sed -i "s@\(^[[:blank:]]*certfile:\).*.pem@\1 $TLSDIR/rootTlsCa-cert.pem@" $TDIR/root/runFabricCaFvt.yaml
- sed -i "s@\(^[[:blank:]]*keyfile:\).*.pem@\1 $TLSDIR/rootTlsCa-key.pem@" $TDIR/root/runFabricCaFvt.yaml
 FABRIC_CA_SERVER_HOME="$TDIR/root" fabric-ca-server start \
 --csr.hosts $ROOT_CA_ADDR --address $ROOT_CA_ADDR \
 $tlsopts -c $TDIR/root/runFabricCaFvt.yaml -d 2>&1 |
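Review bot: The new bound `$((NUMINTCAS+1))` is easy to misread because the counter is post-incremented inside the `test`, so the body actually runs with `i` = 1 … NUMINTCAS+1; the extra certificate presumably serves the `int${last}` server that createFailingCA starts, but nothing in the loop says so. `for ((i = 1; i <= NUMINTCAS + 1; i++)); do` with a comment `# one EE cert per intermediate CA plus one for the failing CA (int${last})` states the intent directly and keeps the same values of `i`. While here, the unguarded `rm -rf $TLSDIR/intFabCaTls${i}*` on the next line becomes a glob in the current directory if TLSDIR is ever unset; `rm -rf -- "${TLSDIR:?}/intFabCaTls${i}"*` fails fast instead. setupTLScerts begins before this hunk.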
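Review bot: The three `--db.tls.*` values added to tlsopts are taken straight from the environment (`$FABRIC_CA_DATA`, `$TLS_BUNDLE`, `$PGSSLCERT`, `$PGSSLKEY`), and because `$tlsopts` is expanded unquoted on the start line, an unset one does not yield an empty argument but vanishes, leaving e.g. `--db.tls.client.certfile --db.tls.client.keyfile …` so the next flag is consumed as the file name; the Dockerfile in this commit sets PGSSLCERT/PGSSLKEY, but a run outside that image has nothing. A guard ahead of the assignment, `: "${PGSSLCERT:?}" "${PGSSLKEY:?}" "${TLS_BUNDLE:?}"`, fails with a clear message instead. The same applies to the identical blocks in createIntCA and createFailingCA. The options are also passed for every `$driver`, so sqlite3 and mysql runs receive postgres client-certificate flags too — harmless if fabric-ca-server ignores them for those drivers, but a comment saying so would stop the next reader from chasing it. createRootCA continues past the end of the hunk.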
@@ -80,7 +82,12 @@ function createIntCA() {
 cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${i}/runFabricCaFvt.yaml"
 $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
 --tls.keyfile $TLSDIR/intFabCaTls${i}-key.pem \
- --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY \
+ --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+ --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
+ --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${i}-key.pem"
 ADDR=127.0.${i}.1
 FABRIC_CA_SERVER_HOME="$TDIR/int${i}" fabric-ca-server start --csr.hosts $ADDR -c $TDIR/int${i}/runFabricCaFvt.yaml \
 --address $ADDR $tlsopts -b admin:adminpw \
@@ -99,7 +106,12 @@ function createFailingCA {
 cp "$TDIR/intFabricCaFvt.yaml" "$TDIR/int${last}/runFabricCaFvt.yaml"
 $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
 --tls.keyfile $TLSDIR/intFabCaTls${last}-key.pem \
- --intermediate.tls.certfiles $TLSDIR/tlsroots.pem"
+ --db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE \
+ --db.tls.client.certfile $PGSSLCERT \
+ --db.tls.client.keyfile $PGSSLKEY \
+ --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
+ --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${last}-cert.pem \
+ --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${last}-key.pem"
 FABRIC_CA_SERVER_HOME="$TDIR/int${last}" fabric-ca-server init --csr.hosts 127.0.${last}.1 -c "$TDIR/int${last}/runFabricCaFvt.yaml" \
 --address 127.0.${last}.1 $tlsopts -b admin:adminpw \
 -u ${PROTO}intermediateCa${last}:intermediateCa${last}pw@$ADDR:$CA_DEFAULT_PORT -d 2>&1 | tee $TDIR/int${last}/server.log
diff --git a/scripts/fvt/reenroll_test.sh b/scripts/fvt/reenroll_test.sh
index 25e0d27f8..325267a00 100755
--- a/scripts/fvt/reenroll_test.sh
+++ b/scripts/fvt/reenroll_test.sh
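Review bot: The `--db.tls.certfiles` / `--db.tls.client.certfile` / `--db.tls.client.keyfile` triple now appears verbatim in createIntCA, in createFailingCA (hunk -99) and in createRootCA, each time inside a quoted multi-line string, so the next change to the DB TLS wiring has to be made in three places and can drift. A small helper that emits the shared options leaves each `tlsopts` assignment with only its per-CA certificate lines; the sketch below shows createIntCA, and the other two call it the same way. `$tlsopts` is still expanded unquoted on the start/init lines, so the helper's output is word-split exactly as the inline string was. Both createIntCA and createFailingCA continue past their hunks.
```shell
# DB-side TLS options shared by every CA the test starts (root, intermediate, failing).
db_tls_opts() {
  printf '%s' "--db.tls.certfiles $FABRIC_CA_DATA/$TLS_BUNDLE" \
    " --db.tls.client.certfile $PGSSLCERT" \
    " --db.tls.client.keyfile $PGSSLKEY"
}

# … unchanged: createIntCA up to the config copy …
   $($FABRIC_TLS) && tlsopts="--tls.enabled --tls.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
      --tls.keyfile $TLSDIR/intFabCaTls${i}-key.pem \
      $(db_tls_opts) \
      --intermediate.tls.certfiles $TLSDIR/tlsroots.pem \
      --intermediate.tls.client.certfile $TLSDIR/intFabCaTls${i}-cert.pem \
      --intermediate.tls.client.keyfile $TLSDIR/intFabCaTls${i}-key.pem"
# … unchanged: ADDR assignment and fabric-ca-server start …
```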
@@ -23,7 +23,7 @@ now=$(date +"%g%m%d%H%M%SZ")
 future=$(date +"$next_year%m%d%H%M%SZ")
 NUM_SERVERS=4
-USER_SERVER_RATIO=8
+USER_SERVER_RATIO=8
 for u in $(eval echo {1..$((NUM_SERVERS*USER_SERVER_RATIO-1))}); do
 USERS[u]="user$u"
 done
diff --git a/scripts/fvt/roundrobin_test.sh b/scripts/fvt/roundrobin_test.sh
index c62b74b9f..8161f4833 100755
--- a/scripts/fvt/roundrobin_test.sh
+++ b/scripts/fvt/roundrobin_test.sh
@@ -35,10 +35,10 @@ for driver in sqlite3 mysql postgres ; do
 $SCRIPTDIR/registerAndEnroll.sh -u "${USERS[*]}"
 test $? -ne 0 && ErrorMsg "registerAndEnroll failed"
 reenroll admin
- if ! $(${FABRIC_TLS:-false}); then
+ if ! $(${FABRIC_TLS:-false}); then
 nums=$((NUM_SERVERS-1))
 for s in $(eval echo {0..$nums}); do
- curl -s http://$HOST/ |
+ curl -s http://$HOST/ |
 awk -v s="server${s}\"" '$0~s'| html2text | egrep "HTTP|server${s}"