Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
Recently I have observed that we would have to use Card in order to create identity.
I have following following link, but still not able to understand what additional advantages or benefits we are getting out of Business Network Card.
https://hyperledger.github.io/composer//playground/id-cards-playground
A Business Network Card provides the means to connect to a Composer business network which runs in a Composer runtime container. It is only possible to access a Composer business network through a valid Business Network Card. It consists of a connection profile, some metadata for the identity using it, and ultimately, a set of credentials (certificate/private key). An identity can have one or more cards, to connect to one or more business networks.
The benefits are that once you export a card, it is a portable card to connect to the Composer business network running on the blockchain network, so can be issued/given to someone (usually that real identity in that Organisation) to then transact on business network, on the blockchain network.
See here -> https://hyperledger.github.io/composer/managing/participantsandidentities.html . An identity maps to a signed identity issued by the CA server (configured as a node or set of nodes that are part of the Fabric / blockchain network). Composer can register/request these identities, but to interact with a Composer business network, that identity must be mapped to a participant defined in Composer. The identity (ie ultimately its set of credentials) is a constituent part of a Composer business network card - the card also includes connection information (how to connect to the blockchain network), info about the business network its used with (eg. trade-network), and some metadata about the identity itself. Cards once generated, are imported into the user's card store/wallet. From there, that identity can interact (by using the card) as a participant, with the business network, and generate transactions signed by his/her certificate.
Related
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 days ago.
Improve this question
I have an issue where Windows Server Service Accounts [on prem] are not syncing with Azure AD to Azure VM server.
Currently have a VM in Azure and AD on prem which syncs with AAD.
All user accounts sync but not Service accounts.
My question is what are Azure equivalent for Windows service accounts if those type of account cannot sync? Can we use user/system-assigned managed identity instead? If so..how? And lastly how will we see this managed identity in the Azure VM?
I am new to AAD so any help would be appreciated.
I have created a user-assigned managed identity but cannot see this as a type of service account in the VM. It is not appearing in Active Directory in the VM in Azure.
I tried to reproduce the same in my environment to sync service Accounts on -prem to Azure AD
I created a service account on-prem like below:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-8))
add-kdsrootkey -EffectiveImmediately
Get-KdsRootKey
New-ADServiceAccount –Name gserviceaccount1–DNSHostname DC1.comptech.com –PrincipalsAllowedToRetrieveManagedPassword "gserviceaccount1Group"
Note that: Azure service accounts are specific to the Azure platform and are not associated with an on-premises Active Directory. Synchronizing an Azure service account from an on-premises AD to Azure Active Directory is not possible.
Service accounts shouldn't be members of any privileged groups, because privileged group membership confers permissions that might be a security risk.
My question is what are Azure equivalent for Windows service accounts if those type of account cannot sync? Can we use user/system-assigned managed identity instead? If so..how? And lastly how will we see this managed identity in the Azure VM?
You can use user/system-assigned managed identity for that In your Virtual machine -> undersetting. click identity -> status on like below:
In your subscription or any service click Access control (IAM), choose assign access as Managed identity and select your vm members like below:
Reference:
Active Directory service accounts - Microsoft Entra | Microsoft Learn
I am trying to build a mobile application working against a blockchain network. The thing i am not understanding is how the user actually becomes a member( registered ) in the network. Suppose user open’s our applications than what credentials does he enter so that he becomes a participant in the network.
In Composer the first thing to do is to create a participant, then using the Admin Card, Issue an Identity to the participant. (Identity is a Hyperledger Fabric concept, and Composer is built on top of Fabric.) Once the Identity has been Issued (and a card created) you can use that Identity.
I would suggest trying out Participant and Identities using the Composer Playground (either online, or installed locally).
If you haven't seen them, then the Composer Tutorials are a good resource, then perhaps look at this tutorial that uses the Composer Rest Server in Multi-User mode.
To understand application architecture of composer rest server, I would like to understand following things.
Lets say, We have 4 peers of different organization. Now, What would be recommended approach in context of how we would be managing composer rest server.
1) Having one composer rest server per peer
2) Having one composer rest server per network and all peers will share composer rest server
3) Having one composer rest server per channel
firstly, just to confirm its called 'Hyperledger Composer' and 'Fabric Composer' was its old name from way back.
secondly, the answer is you would have one or more (think HA and availability) REST server instances per Composer business network, per Organisation that participates in that business network. It is also dependent on how each deploys REST server instances within their own infrastructure zones and somewhat dependent what user / user base will be authenticating to it (the likelihood is they would be authenticating their own users / REST clients to consume the REST server APIs - by whatever the chosen Passport strategy is, to authenticate in a multi-user environment - eg. LDAP OAuth2 etc. So, the REST server is not strictly tied to 'peers' per se. The peer information is defined in the connection profile info, in the business network card.
Composer business networks are deployed to a specific channel/ledger - and configured so in the business network cards that access it - the connection info specifies the channel, and the REST server instance is instantiated using an appropriate business network card.
See more on deploying your REST server here:
https://hyperledger.github.io/composer/integrating/deploying-the-rest-server.html
I have a fabric network with two organizations with its individual MSP hence 2 MSP. Each organization manages 1 peer, I want to create a channel and have the peer of each Org to join this channel, would composer be able to handle two MSP? The createComposerProfile.sh is able to create multiple peers but not multiple MSP. How do I create a composer profile to associate the different MSP for the individual peer?
With hyperledger composer, a connection profile represents a connection from one organisation to a specific channel where a business network has been deployed. Each organisation in a multi-organisation fabric topology will have connection profiles representive of their individual MSP. An organisation may also have more than one connection profile as well, for example one to perform composer runtime installations, one to transact on a business network and even one to query a business network.
createComposerProfile.sh creates a connection profile for the developer server provided by hyperledger composer and only creates a reference to the single peer defined by that developer server.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I really need to use SSL in my Socket Server\Client Communication but paying for a certification is too over priced for me :( i can't afford payed Certification
[Note] : my program will be publicly released so i wanna to secure my program communication with my server
The Question Is : Is it possible to use SSL\TLS for free in an effective [Without Security Riscs] way because i can't afford payed certificates... ?
Is it possible to use SSL\TLS for free in an effective way because i
can't afford payed certificates... ?
Yes it is. Buying certificates from a trusted CA, makes your server be trusted by all browsers without any manual action (e.g. Verisign).
If you own both the client and server and you are using SSL you can create your own certificates (or get free ones) and install them to all clients as trusted (in an off-line process).
The only part that relates to security now is the key size. Should be at least 2048 bits.
But there is one catch. If you create your own certificates you need to be careful what extensions you set so that you don't have any issues during deployment. The CAs know how to create X509v3 compliant certificates to be accepted by all browser (libraries) without any issues
Short answer: yes.
Long answer: What you're buying from a CA (certificate authority) is typically NOT a certificate. Typically, you create your own certificate, and ask the CA for a "signature", which you present to the client (browser, etc) in order to show that your certificate is trusted by that CA.
Browsers (and other software) typically have a internal list of CAs they trust. This is why one generally buys a signature - to have one's certificate recognized as valid by currently deployed software.
However, you are not required to get such a signature. You can just as well create your certificate (typically referred to as a "self signed" certificate) and either ask the end-user to introduce it to the software as trusted, or distribute it included in the software itself.
There are lots of instructions on how to create a self-signed certificate on the web, typicaly using the openSSL CLI, but also IIS, or Java.
As to how you deploy such a certificate on your software, you're better of asking another question.