From 74969dd14cab8266e7c7e6c16c1bddc7c80505ea Mon Sep 17 00:00:00 2001 From: MuthuSundaravadivel Date: Fri, 5 Apr 2024 12:29:36 +0530 Subject: [PATCH 1/5] Certificate renewal changes --- .../tutorials/certificate-management.rst | 32 ++++++++ tutorial/24-reenroll-peer-tls-and-ecert.yml | 27 +++++++ .../25-reenroll-orderer-tls-and-ecert.yml | 28 +++++++ tutorial/26-renew-all-ca-tls.yml | 30 +++++++ tutorial/27-renew-ca-tls-task.yml | 61 ++++++++++++++ tutorial/28-update-ordering-node-task.yml | 36 +++++++++ tutorial/29-update-peer-task.yml | 36 +++++++++ tutorial/30-renew-ca-tls.yml | 79 +++++++++++++++++++ ...nroll_or_reenroll_peer_and_orderer_cert.sh | 58 ++++++++++++++ tutorial/renew_ca_tls_cert.sh | 54 +++++++++++++ 10 files changed, 441 insertions(+) create mode 100644 docs/source/tutorials/certificate-management.rst create mode 100644 tutorial/24-reenroll-peer-tls-and-ecert.yml create mode 100644 tutorial/25-reenroll-orderer-tls-and-ecert.yml create mode 100644 tutorial/26-renew-all-ca-tls.yml create mode 100644 tutorial/27-renew-ca-tls-task.yml create mode 100644 tutorial/28-update-ordering-node-task.yml create mode 100644 tutorial/29-update-peer-task.yml create mode 100644 tutorial/30-renew-ca-tls.yml create mode 100755 tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh create mode 100755 tutorial/renew_ca_tls_cert.sh diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst new file mode 100644 index 00000000..bfcade0f --- /dev/null +++ b/docs/source/tutorials/certificate-management.rst 
@@ -0,0 +1,32 @@ +.. +.. SPDX-License-Identifier: Apache-2.0 +.. + +Certificate Management +====================== + +This tutorial will demonstrate how to enroll/re-enroll/renew the CA TLS certificate , Peer TLS/Ecert and Orderer TLS/Ecert certificates an existing Hyperledger Fabric network. + +For this tutorial, you can use the IBM Support for Hyperledger Fabric software running in a Red Hat OpenShift or Kubernetes cluster. + +Note: If the Orderer TLS certificate expired. We will not able renew the certificate using this process. + +Before you start +---------------- +You will need to use the GitHub repositorythat you cloned in the previous tutorial. Ensure that you are in the tutorial directory: + + .. highlight:: none + + :: + + cd ansible-collection/tutorial + +Peer Enrollment/TLS certificate Management +========================================== + +For re-enroll/enroll the Peer TLS/Ecert you hav edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. + + :: + + ./enroll_or_reenroll_peer_and_orderer_cert [-i] [-i ] [-j ] [-k ] + diff --git a/tutorial/24-reenroll-peer-tls-and-ecert.yml b/tutorial/24-reenroll-peer-tls-and-ecert.yml new file mode 100644 index 00000000..a9f83848 --- /dev/null +++ b/tutorial/24-reenroll-peer-tls-and-ecert.yml 
@@ -0,0 +1,27 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Reenroll a Peer TLS Cert
+ hosts: localhost
+ vars:
+ peer_name: "Org1 Peer"
+ vars_files:
+ - org1-vars.yml
+ tasks:
+ - name: Reenroll a Peer TLS/Ecert Cert
+ hyperledger.fabric_ansible_collection.peer_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ peer_name }}"
+ action: "{{ action }}"
+ type: "{{ cert_type }}"
+ register: result
+
+ - name: Fail if the Certificate Authority did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
diff --git a/tutorial/25-reenroll-orderer-tls-and-ecert.yml b/tutorial/25-reenroll-orderer-tls-and-ecert.yml
new file mode 100644
index 00000000..dc01c39f
--- /dev/null
+++ b/tutorial/25-reenroll-orderer-tls-and-ecert.yml
@@ -0,0 +1,28 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Reenroll a Peer TLS Cert
+ hosts: localhost
+ vars:
+ ordering_msp_id: OrdererMSP
+ ordering_node_name: "{{ ordering_node_name }}"
+ vars_files:
+ - ordering-org-vars.yml
+ tasks:
+ - name: Restarting Ordering Service Node "{{ ordering_node_name }}"
+ hyperledger.fabric_ansible_collection.ordering_service_node_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ ordering_node_name }}"
+ action: "restart"
+ type: "{{ cert_type }}"
+ register: result
+
+ - name: Fail if Ordering Service Node "{{ ordering_node_name }}" did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
diff --git a/tutorial/26-renew-all-ca-tls.yml b/tutorial/26-renew-all-ca-tls.yml
new file mode 100644
index 00000000..e071d171
--- /dev/null
+++ b/tutorial/26-renew-all-ca-tls.yml
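Review bot: `msg: result.response` in the fail task is a plain string, so when the CA rejects the request the playbook prints the literal text `result.response` instead of the response body; it should read `msg: "{{ result.response }}"`. The same construct appears in 25-reenroll-orderer-tls-and-ecert.yml, 27-renew-ca-tls-task.yml, 28-update-ordering-node-task.yml, 29-update-peer-task.yml and 30-renew-ca-tls.yml. It matters here because that message is the only diagnostic a failed enrollment leaves behind. Separately, `peer_name: "Org1 Peer"` is fixed in `vars` while the driver script only passes `cert_type` and `action`, so targeting any other peer means editing the playbook; `peer_name: "{{ target_peer_name | default('Org1 Peer') }}"` would let it come from extra-vars.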
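Review bot: `ordering_node_name: "{{ ordering_node_name }}"` under `vars` defines the variable in terms of itself, which Ansible reports as a recursive loop as soon as the task templates `name:`; the value has to come from extra-vars or the vars file, so this entry should be removed or given a concrete default. In the same task `action: "restart"` is hard-wired even though `type: "{{ cert_type }}"` and the driver's `-k` action are passed in, so invoking this playbook with `reenroll` only restarts the orderer and never re-enrolls its certificate; `action: "{{ action }}"` mirrors the peer playbook. The play name "Reenroll a Peer TLS Cert" and the task names still describe a peer restart rather than an orderer re-enrollment.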
@@ -0,0 +1,30 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+ hosts: localhost
+ vars_files:
+ - org1-vars.yml
+ tasks:
+ - name: Get the ALL Certificate Authorities
+ hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ register: result
+
+ - name: Store the Certificate Authorities in a file
+ copy:
+ content: "{{ result.certificate_authorities | to_nice_json }}"
+ dest: "All_CAs.json"
+
+ - name: Renew TLS Certificates for Certificate Authorities
+ include_tasks: 27-renew-ca-tls-task.yml
+ loop: "{{ result.certificate_authorities }}"
+ loop_control:
+ loop_var: certificate_authority
+
+
diff --git a/tutorial/27-renew-ca-tls-task.yml b/tutorial/27-renew-ca-tls-task.yml
new file mode 100644
index 00000000..3d5f8d7d
--- /dev/null
+++ b/tutorial/27-renew-ca-tls-task.yml
@@ -0,0 +1,61 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for the Certificate Authority "{{ certificate_authority.name }}"
+ hyperledger.fabric_ansible_collection.certificate_authority_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ certificate_authority.name }}"
+ action: 'renew'
+ register: result
+
+- name: Fail if the Certificate Authority did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
+
+- name: Get the Certificate Authority
+ hyperledger.fabric_ansible_collection.certificate_authority_info:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ certificate_authority.name }}"
+ register: result
+
+- name: Configure the crypto update
+ set_fact:
+ crypto:
+ enrollment:
+ ca:
+ tls_cert: "{{ result.certificate_authority.msp.component.tls_cert }}"
+ tlsca:
+ tls_cert: "{{result.certificate_authority.msp.component.tls_cert}}"
+
+- name: Get the Nodes associated with the Certificate Authority "{{ certificate_authority.name }}"
+ hyperledger.fabric_ansible_collection.certificate_authority_associated_nodes:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ certificate_authority: "{{ certificate_authority.name }}"
+ register: nodes
+
+- name: Update Ordering Nodes associated with "{{ certificate_authority.name }}"
+ include_tasks: 28-update-ordering-node-task.yml
+ loop: "{{ nodes.ordering_service_nodes }}"
+ loop_control:
+ loop_var: ordering_service_node
+
+- name: Update Peers associated with "{{ certificate_authority.name }}"
+ include_tasks: 29-update-peer-task.yml
+ loop: "{{ nodes.peers }}"
+ loop_control:
+ loop_var: peer
+
diff --git a/tutorial/28-update-ordering-node-task.yml b/tutorial/28-update-ordering-node-task.yml
new file mode 100644
index 00000000..6b95a2c7
--- /dev/null
+++ b/tutorial/28-update-ordering-node-task.yml
@@ -0,0 +1,36 @@
+- name: Updating Ordering Node "{{ ordering_service_node.name }}"
+ hyperledger.fabric_ansible_collection.ordering_service_node:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ ordering_service_node.name }}"
+ crypto: "{{ crypto }}"
+ register: result
+
+- name: Fail if Ordering Service Node "{{ ordering_service_node.name }}" was not updated
+ fail:
+ msg: "Ordering Service Node {{ ordering_service_node.name }} was not updated"
+ when: not result.changed
+
+- name: Write the updated Ordering Service Node "{{ ordering_service_node.name }}" to a file
+ copy:
+ content: "{{ result.ordering_service_node | to_nice_json }}"
+ dest: "updated_ordering_service_node.json"
+
+- name: Restarting Ordering Service Node "{{ ordering_service_node.name }}"
+ hyperledger.fabric_ansible_collection.ordering_service_node_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ ordering_service_node.name }}"
+ action: 'restart'
+ register: result
+
+- name: Fail if Ordering Service Node "{{ ordering_service_node.name }}" did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
\ No newline at end of file
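Review bot: the `certificate_authority_info` lookup runs immediately after `action: 'renew'` with no wait or retry, so if the console applies the renewal asynchronously (it presumably restarts the CA; cannot confirm from here) the `set_fact` can capture the pre-renewal `tls_cert`, and every associated node is then updated and restarted with the old certificate. An `until` on the info task would close that window, e.g. `until: result.certificate_authority.msp.component.tls_cert != certificate_authority.msp.component.tls_cert` with `retries: 10` and `delay: 15`, assuming the loop item from the list call exposes the same field. Both `ca.tls_cert` and `tlsca.tls_cert` are set from the component TLS cert; if the TLS CA root is expected to differ from the component cert in this deployment, a comment stating why this is intended would help the next maintainer.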
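Review bot: `dest: "updated_ordering_service_node.json"` is a fixed path while this file is included once per node by the loop in 27-renew-ca-tls-task.yml, so each iteration overwrites the previous node's record and only the last survives; `dest: "updated_ordering_service_node_{{ ordering_service_node.name }}.json"` keeps one record per node. 29-update-peer-task.yml has the same issue with `updated_peer.json`. `when: not result.changed` also aborts the whole run if a node already carries the renewed certificate, which is exactly the state a re-run after a partial failure is in, so the procedure is not resumable; failing on an error flag from the module, if it exposes one, would be safer than failing on "no change". This file also lacks the SPDX header and `---` that the other playbooks carry.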
diff --git a/tutorial/29-update-peer-task.yml b/tutorial/29-update-peer-task.yml
new file mode 100644
index 00000000..21f9eed4
--- /dev/null
+++ b/tutorial/29-update-peer-task.yml
@@ -0,0 +1,36 @@
+- name: Updating Peer "{{ peer.name }}"
+ hyperledger.fabric_ansible_collection.peer:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ peer.name }}"
+ crypto: "{{ crypto }}"
+ register: result
+
+- name: Fail if Peer "{{ peer.name }}" was not updated
+ fail:
+ msg: "Peer {{ peer.name }} was not updated"
+ when: not result.changed
+
+- name: Write the updated peer "{{ peer.name }}" to a file
+ copy:
+ content: "{{ result.peer | to_nice_json }}"
+ dest: "updated_peer.json"
+
+- name: Restarting Peer "{{ peer.name }}"
+ hyperledger.fabric_ansible_collection.peer_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ peer.name }}"
+ action: 'restart'
+ register: result
+
+- name: Fail if Peer "{{ peer.name }}" did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
\ No newline at end of file
diff --git a/tutorial/30-renew-ca-tls.yml b/tutorial/30-renew-ca-tls.yml
new file mode 100644
index 00000000..47fb4614
--- /dev/null
+++ b/tutorial/30-renew-ca-tls.yml
@@ -0,0 +1,79 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+---
+- name: Renew the TLS Certificate for all Certificate Authorities and Associated Nodes
+ hosts: localhost
+ vars_files:
+ - org1-vars.yml
+ tasks:
+ - name: Get the ALL Certificate Authorities
+ hyperledger.fabric_ansible_collection.certificate_authority_list_info:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ register: result_list
+
+ - name: Renew the TLS Certificate for the Certificate Authority "{{ component_name }}"
+ hyperledger.fabric_ansible_collection.certificate_authority_action:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ component_name }}"
+ action: 'renew'
+ register: result
+
+ - name: Fail if the Certificate Authority did not accept the message
+ fail:
+ msg: result.response
+ when: not result.accepted
+
+ - name: Get the Certificate Authority
+ hyperledger.fabric_ansible_collection.certificate_authority_info:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ name: "{{ component_name }}"
+ register: result
+
+ - name: Configure the crypto update
+ set_fact:
+ crypto:
+ enrollment:
+ ca:
+ tls_cert: "{{ result.certificate_authority.msp.component.tls_cert }}"
+ tlsca:
+ tls_cert: "{{result.certificate_authority.msp.component.tls_cert}}"
+
+ - name: Get the Nodes associated with the Certificate Authority "{{ component_name }}"
+ hyperledger.fabric_ansible_collection.certificate_authority_associated_nodes:
+ api_endpoint: "{{ api_endpoint }}"
+ api_authtype: "{{ api_authtype }}"
+ api_key: "{{ api_key }}"
+ api_secret: "{{ api_secret | default(omit) }}"
+ api_token_endpoint: "{{ api_token_endpoint | default(omit) }}"
+ certificate_authority: "{{ component_name }}"
+ register: nodes
+
+ - name: Update Ordering Nodes associated with "{{ component_name }}"
+ include_tasks: 28-update-ordering-node-task.yml
+ loop: "{{ nodes.ordering_service_nodes }}"
+ loop_control:
+ loop_var: ordering_service_node
+ when: "'{{ component_type }}' in ['orderer']"
+
+ - name: Update Peers associated with "{{ component_name }}"
+ include_tasks: 29-update-peer-task.yml
+ loop: "{{ nodes.peers }}"
+ loop_control:
+ loop_var: peer
+ when: "'{{ component_type }}' in ['peer']"
+
+
+
diff --git a/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh b/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh
new file mode 100755
index 00000000..3da5e240
--- /dev/null
+++ b/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh
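Review bot: `when: "'{{ component_type }}' in ['orderer']"` embeds Jinja delimiters inside a conditional, which Ansible warns about and newer releases reject; the plain expressions `when: component_type == 'orderer'` and `when: component_type == 'peer'` express the intent directly. The effect of that filter also deserves a note in the task name or the .rst: for a CA that serves both peers and orderers, only the selected node type receives the renewed TLS certificate while the other keeps the old one, and nothing in the playbook points that out. `register: result_list` from the first task is never read, so that list call can be dropped. As in 27-renew-ca-tls-task.yml, the info lookup follows `action: 'renew'` with no wait or `until`, so it may capture the pre-renewal certificate if the renewal is applied asynchronously.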
@@ -0,0 +1,58 @@ +#!/usr/bin/env bash +set -e +cd "$(dirname "$0")" +IMPORT_EXPORT_REQUIRED=0 +function usage { + echo "Usage: renew_certificate.sh [-i] [-i ] [-j ] [-k ]" 1>&2 + exit 1 +} +OPTSTRING=":i:j:k:" + +while getopts ${OPTSTRING} opt; do + case "${opt}" in + i) + component_type=${OPTARG} + IMPORT_EXPORT_REQUIRED=1 + ;; + j) + cert_type=${OPTARG} + IMPORT_EXPORT_REQUIRED=1 + ;; + k) + action=${OPTARG} + IMPORT_EXPORT_REQUIRED=1 + ;; + *) + usage + ;; + esac +done +shift $((OPTIND-1)) +if [ -z "${component_type}" ] || [ -z "${cert_type}" ] || [ -z "${action}" ]; then + usage +fi +if [ "${component_type}" = "peer" ]; then + set -x + if [ "${cert_type}" = "ecert" ]; then + ansible-playbook 24-reenroll-peer-tls-and-ecert.yml --extra-vars '{"cert_type":'${cert_type}',"action":'${action}'}' + else + ansible-playbook 24-reenroll-peer-tls-and-ecert.yml --extra-vars '{"cert_type":'${cert_type}',"action":'${action}'}' + fi + + set +x +elif [ "${component_type}" = "orderer" ]; then + set -x + if [ "${cert_type}" = "ecert" ]; then + ansible-playbook 25-reenroll-orderer-tls-and-ecert.yml --extra-vars '{"cert_type":'${cert_type}',"action":'${action}'}' + else + ansible-playbook 25-reenroll-orderer-tls-and-ecert.yml --extra-vars '{"cert_type":'${cert_type}',"action":'${action}'}' + fi + set +x +elif [ "${component_type}" = "ca" ]; then + set -x + ansible-playbook 26-renew-all-ca-tls.yml + set +x +fi +echo "s = ${component_type}" +echo "p = ${cert_type}" + diff --git a/tutorial/renew_ca_tls_cert.sh b/tutorial/renew_ca_tls_cert.sh new file mode 100755 index 00000000..c3c7df67 --- /dev/null +++ b/tutorial/renew_ca_tls_cert.sh 
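Review bot: both arms of `if [ "${cert_type}" = "ecert" ]` run the identical `ansible-playbook` command, and the orderer branch repeats the pattern, so the `cert_type` test does nothing and each branch should collapse to a single call. That call splices `${cert_type}` and `${action}` unquoted into the `--extra-vars` JSON, yielding `{"cert_type":ecert,...}`, which is not valid JSON and is broken by any value containing whitespace or punctuation; the form used in renew_ca_tls_cert.sh, `--extra-vars "{\"cert_type\":\"${cert_type}\",\"action\":\"${action}\"}"`, is correct. Neither value is checked against the documented set (`ecert`/`tls_cert`, `enroll`/`reenroll`/`restart`) before being handed to the console API, and the `ca` branch silently ignores `-j` and `-k`. The `usage` text names `renew_certificate.sh` rather than this file, and `IMPORT_EXPORT_REQUIRED` together with the trailing `echo "s = …"`/`echo "p = …"` lines look like leftover debugging.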
@@ -0,0 +1,54 @@ +#!/usr/bin/env bash +set -e +cd "$(dirname "$0")" +IMPORT_EXPORT_REQUIRED=0 +function usage { + echo "Usage: renew_ca_tls_cert.sh [-i ] [-j ]" 1>&2 + exit 1 +} +OPTSTRING=":i:j:k:" +while getopts ${OPTSTRING} opt; do + case "${opt}" in + i) + component_name=${OPTARG} + ;; + j) + component_type=${OPTARG} + ;; + k) + all_flag=${OPTARG} + ;; + :) + echo "Option -${OPTARG} requires an argument." + usage + exit 1 + ;; + ?) + echo "Invalid option: -${OPTARG}." + exit 1 + ;; + *) + usage + ;; + esac +done +shift $((OPTIND-1)) +if [ -z "${component_name}" ] || [ -z "${component_type}" ]; then + usage +fi +echo "component_name = ${component_name}" +echo "component_type = ${component_type}" +echo "all_flag = ${all_flag}" +if [ -z "${all_flag}" ]; then + set -x + ansible-playbook 30-renew-ca-tls.yml --extra-vars "{\"component_type\":\"${component_type}\",\"component_name\":\"${component_name}\"}" + set +x +else + set -x + ansible-playbook 26-renew-all-ca-tls.yml + set +x +fi + + + + From d8d66f48900e4b79128673c95635a0c4102b6ef7 Mon Sep 17 00:00:00 2001 From: MuthuSundaravadivel Date: Fri, 5 Apr 2024 13:32:46 +0530 Subject: [PATCH 2/5] Doc changs Signed-off-by: MuthuSundaravadivel --- .../tutorials/certificate-management.rst | 55 +++++++++++++++++-- ...nroll_or_reenroll_peer_and_orderer_cert.sh | 2 +- tutorial/renew_ca_tls_cert.sh | 5 +- 3 files changed, 53 insertions(+), 9 deletions(-) diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst index bfcade0f..a0d57305 100644 --- a/docs/source/tutorials/certificate-management.rst +++ b/docs/source/tutorials/certificate-management.rst 
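Review bot: the guard `if [ -z "${component_name}" ] || [ -z "${component_type}" ]; then usage` runs before `all_flag` is consulted, so the documented all-CA mode `-k all` cannot be used without also passing `-i`/`-j` values that branch then ignores; making the check conditional keeps the validation rather than dropping it: `if [ -z "${all_flag}" ] && { [ -z "${component_name}" ] || [ -z "${component_type}" ]; }; then`. `-k` is also accepted with any value (`all_flag=${OPTARG}`) and any non-empty value selects renew-all, so comparing against the documented `all` would stop a mistyped flag from renewing every CA on the console. In the `:)` arm the `exit 1` after `usage` is unreachable because `usage` already exits, and the `?)` arm exits without printing usage. `${component_name}` is interpolated into the extra-vars JSON without escaping, so a name containing `"` breaks the document.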
@@ -21,12 +21,59 @@ You will need to use the GitHub repositorythat you cloned in the previous tutori cd ansible-collection/tutorial -Peer Enrollment/TLS certificate Management -========================================== +Peer/Orderer Enrollment/TLS certificate Enroll/Re-enroll +======================================================== -For re-enroll/enroll the Peer TLS/Ecert you hav edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. +For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. :: - ./enroll_or_reenroll_peer_and_orderer_cert [-i] [-i ] [-j ] [-k ] + ./enroll_or_reenroll_peer_and_orderer_cert.sh [-i] [-i ] [-j ] [-k ] +Next, you will need to replace the variable placeholders with the required values. + +Replace ```` with your component type for your HLF Console like `peer` or `orderer`. + +Replace ```` with the certificate type that you want enroll/re-enroll like `ecert` OR `tls_cert`. + +Replace ```` with the action that you want to take enroll/re-enroll like `enroll` OR `reenroll` OR `restart`. + + +Once you have replaced the above variable in the command. Execute the command,It will update and restart the peer. If the peer restarted successfully, please refresh the certs in the console of the corresponding component. + + +CA TLS certificate Renewal +========================== + +We will examine the process for renewing the CA TLS certificate in this section. We offer two options here: either renew the specific CA TLS certificate or renew all CA TLS certificates in the instance. 
+ +For renewing all the CA components in the instance you have to edit the playbook `26-renew-all-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. + + :: + + ./renew_ca_tls_cert.sh [-k ] + + +Next, you will need to replace the variable placeholders with the required values. + +Replace ```` with name of your CA component. + +Replace ```` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA. + +Replace ```` we are using the flag for renewing all the CA TLS certificates in instance. The flag will be like `all`. + + +For renewing respective CA component in the instance you have to edit the playbook `26-renew-all-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. + + + :: + + ./renew_ca_tls_cert.sh [-i ] [-j ] + +Next, you will need to replace the variable placeholders with the required values. + +Replace ```` with name of your CA component. + +Replace ```` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA.. + +Once you have replaced the above variable in the command. Execute the command, it will update and restart the CA and also associate the respective nodes. Once the process completes please refresh the certs in in the respective CA component. diff --git a/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh b/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh index 3da5e240..150442e7 100755 --- a/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh +++ b/tutorial/enroll_or_reenroll_peer_and_orderer_cert.sh 
@@ -3,7 +3,7 @@ set -e cd "$(dirname "$0")" IMPORT_EXPORT_REQUIRED=0 function usage { - echo "Usage: renew_certificate.sh [-i] [-i ] [-j ] [-k ]" 1>&2 + echo "Usage: renew_certificate.sh [-i] [-i ] [-j ] [-k ]" 1>&2 exit 1 } OPTSTRING=":i:j:k:" diff --git a/tutorial/renew_ca_tls_cert.sh b/tutorial/renew_ca_tls_cert.sh index c3c7df67..1c773fcf 100755 --- a/tutorial/renew_ca_tls_cert.sh +++ b/tutorial/renew_ca_tls_cert.sh @@ -3,7 +3,7 @@ set -e cd "$(dirname "$0")" IMPORT_EXPORT_REQUIRED=0 function usage { - echo "Usage: renew_ca_tls_cert.sh [-i ] [-j ]" 1>&2 + echo "Usage: renew_ca_tls_cert.sh [-i ] [-j ] [-k ]" 1>&2 exit 1 } OPTSTRING=":i:j:k:" @@ -33,9 +33,6 @@ while getopts ${OPTSTRING} opt; do esac done shift $((OPTIND-1)) -if [ -z "${component_name}" ] || [ -z "${component_type}" ]; then - usage -fi echo "component_name = ${component_name}" echo "component_type = ${component_type}" echo "all_flag = ${all_flag}" From 985dd92642dcf19a449e1ca20698f645e7af560d Mon Sep 17 00:00:00 2001 From: MuthuSundaravadivel Date: Fri, 5 Apr 2024 13:40:34 +0530 Subject: [PATCH 3/5] Doc changs Signed-off-by: MuthuSundaravadivel --- docs/source/tutorials/certificate-management.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst index a0d57305..a71202dc 100644 --- a/docs/source/tutorials/certificate-management.rst +++ b/docs/source/tutorials/certificate-management.rst 
@@ -5,7 +5,7 @@ Certificate Management ====================== -This tutorial will demonstrate how to enroll/re-enroll/renew the CA TLS certificate , Peer TLS/Ecert and Orderer TLS/Ecert certificates an existing Hyperledger Fabric network. +This article will show you how to enroll/re-enroll/renew the following certificates: CA TLS certificate, Peer TLS/Ecert, and Orderer TLS/Ecert certificates on an existing Hyperledger Fabric network. For this tutorial, you can use the IBM Support for Hyperledger Fabric software running in a Red Hat OpenShift or Kubernetes cluster. @@ -21,8 +21,8 @@ You will need to use the GitHub repositorythat you cloned in the previous tutori cd ansible-collection/tutorial -Peer/Orderer Enrollment/TLS certificate Enroll/Re-enroll -======================================================== +Peer/Orderer Ecert/TLS certificate Enroll/Re-enroll +=================================================== For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. @@ -63,7 +63,7 @@ Replace ```` with the component type like 'peer' or 'orderer'. W Replace ```` we are using the flag for renewing all the CA TLS certificates in instance. The flag will be like `all`. -For renewing respective CA component in the instance you have to edit the playbook `26-renew-all-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. +For renewing respective CA component in the instance you have to edit the playbook `30-renew-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. :: 
@@ -76,4 +76,4 @@ Replace ```` with name of your CA component. Replace ```` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA.. -Once you have replaced the above variable in the command. Execute the command, it will update and restart the CA and also associate the respective nodes. Once the process completes please refresh the certs in in the respective CA component. +Once you've changed the above variable in the command. When you run the command, the CA will be updated and restarted, as well as the nodes associated with it. Once the process is finished, please refresh the certs in the appropriate CA component in console. From 5a5971ea24d8d946f89161df872a616508dacb47 Mon Sep 17 00:00:00 2001 From: MuthuSundaravadivel Date: Fri, 5 Apr 2024 13:41:35 +0530 Subject: [PATCH 4/5] Doc changs Signed-off-by: MuthuSundaravadivel --- docs/source/tutorials/certificate-management.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst index a71202dc..d3f5e769 100644 --- a/docs/source/tutorials/certificate-management.rst +++ b/docs/source/tutorials/certificate-management.rst @@ -15,8 +15,6 @@ Before you start ---------------- You will need to use the GitHub repositorythat you cloned in the previous tutorial. Ensure that you are in the tutorial directory: - .. highlight:: none - :: cd ansible-collection/tutorial From e5356fc52b61f4622c7195b942716865b3357431 Mon Sep 17 00:00:00 2001 From: MuthuSundaravadivel Date: Fri, 5 Apr 2024 13:51:39 +0530 Subject: [PATCH 5/5] Certificate Renewal Doc changs Signed-off-by: MuthuSundaravadivel --- docs/source/tutorials/certificate-management.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/source/tutorials/certificate-management.rst b/docs/source/tutorials/certificate-management.rst index d3f5e769..08b28a68 100644 
--- a/docs/source/tutorials/certificate-management.rst +++ b/docs/source/tutorials/certificate-management.rst @@ -22,7 +22,7 @@ You will need to use the GitHub repositorythat you cloned in the previous tutori Peer/Orderer Ecert/TLS certificate Enroll/Re-enroll =================================================== -For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook `24-reenroll-peer-tls-and-ecert.yml` and change respective `vars_files` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. +For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook ``24-reenroll-peer-tls-and-ecert.yml`` and change respective ``vars_files`` that you want re-enroll/enroll peer certificates. Once you have edited the file. Please execute the below command for the certificate renewal. :: @@ -30,11 +30,11 @@ For re-enroll/enroll the Peer TLS/Ecert you have edit the playbook `24-reenroll- Next, you will need to replace the variable placeholders with the required values. -Replace ```` with your component type for your HLF Console like `peer` or `orderer`. +Replace ```` with your component type for your HLF Console like ``peer`` or ``orderer``. -Replace ```` with the certificate type that you want enroll/re-enroll like `ecert` OR `tls_cert`. +Replace ```` with the certificate type that you want enroll/re-enroll like ``ecert`` OR ``tls_cert``. -Replace ```` with the action that you want to take enroll/re-enroll like `enroll` OR `reenroll` OR `restart`. +Replace ```` with the action that you want to take enroll/re-enroll like ``enroll`` OR ``reenroll`` OR ``restart``. Once you have replaced the above variable in the command. Execute the command,It will update and restart the peer. If the peer restarted successfully, please refresh the certs in the console of the corresponding component. 
@@ -45,7 +45,7 @@ CA TLS certificate Renewal We will examine the process for renewing the CA TLS certificate in this section. We offer two options here: either renew the specific CA TLS certificate or renew all CA TLS certificates in the instance. -For renewing all the CA components in the instance you have to edit the playbook `26-renew-all-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. +For renewing all the CA components in the instance you have to edit the playbook ``26-renew-all-ca-tls.yml`` and change respective components ``vars_files`` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. :: @@ -58,10 +58,10 @@ Replace ```` with name of your CA component. Replace ```` with the component type like 'peer' or 'orderer'. We use this flag to associate respective node with the CA. -Replace ```` we are using the flag for renewing all the CA TLS certificates in instance. The flag will be like `all`. +Replace ```` we are using the flag for renewing all the CA TLS certificates in instance. The flag will be like ``all``. -For renewing respective CA component in the instance you have to edit the playbook `30-renew-ca-tls.yml` and change respective components `vars_files` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. +For renewing respective CA component in the instance you have to edit the playbook ``30-renew-ca-tls.yml`` and change respective components ``vars_files`` that you want renew CA TLS certificates. Once you have edited the file. Please execute the below command for the certificate renewal. ::