Versions Compared

Old Version 5

changes.mady.by.user jimm1

Saved on

compared with

New Version 6

changes.mady.by.user jimm1

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

How to manage key rotations to make ledger queries easier

Dave >> 

I’ll also say that a cert rotation test using a single orderer node is not representative of production environments. Orderer nodes use the certs in the consenter section to identify each other. If there is only one orderer node it doesn’t have any other orderer nodes to identify! Everything else validates against the org-level issuing CAs configured in the channel MSPs, and since both the old and new certs were issued by the CAs configured in the channel MSPs, they are all still valid.


Baohua >>

It's normal as the old certs are still considered valid by the network.

 

When it's expired, the transactions signed with old credentials will be blocked.

...

On Tue, Mar 28, 2023 at 6:03 PM Vijaya Bhaskar <acvbhaskar94@gmail.com> wrote:

Hi All,

 

I am trying to renew the certificates (identity and tls) of the network.

Following are the steps i have followed.

1)created the network (on kubernetes)

2)executed some transactions and verified it in couch db 

3) generated new set of certificates for orderer and peers (i have one orderer and one peer( one peer org))

4) since i have 2 channels , one system channel and one application channel,

a)did a system update (replacing the base64 of newly generated cert in the consenter section) for system channel

b) did another syatem system update for application channel

 

now, before swapping the new certs, i tried to execute a transaction which went through successfully (the old certs are still not expired).

is this normal or am i missing something?


Designing a Smart Contract process where oracles are needed


General idea, 

avoid calling directly from the contract ( chaincode ) to an external service

in Fabric, all validator nodes that execute the contract will be calling the oracle first.

If any validator has an environment issue calling the oracle, it will slow overall execution ( approval ) of the contract transaction.

Better idea

1> call the oracle BEFORE submitting the contract transaction request - include any key data from the oracle in the request
all the validators will run faster with lower error risks

2> choreograph the workflow 
use a parent ( or first contract ) that
calls the oracle with a single validator and writes the oracle result to the ledger
calls the normal contract transaction request with either the oracle result or a link to the result on the ledger or world state db



Candidate Solutions



Create a Fabric Write and Read channels for better performance, history

...

It may be more efficient to ‘replay’ the blocks/transactions rather than use the chaincode APIs. See the sample of how to process all prior blocks/transactions using block events:

https://github.com/hyperledger/fabric-samples/tree/main/off_chain_data

Your block/transaction re-processing could for example write to a new chain. You could write the original state data as well as some of the original transaction metadata to the new chain to preserve as much historical record as possible. 


Dealing with expired certs is indeed difficult. I would highly recommend using a blockchain service that has experience with preventing and resolving cert expirations.

...