Using the console and Java SDK with a hardware security module (HSM)
When your application needs to establish connections to nodes running the 2.8.0-hsm version, it must use the HSM-based Java SDK.
Preparing the environment
Make sure that the header and library files implementing the GMT0018-2012 specification are installed in the default dynamic library search path, and that the version of the dynamic library libswsds.so is v1.4.06.
- Make sure the header file swsds.h is in the /usr/include directory and that all users have read permission on it.
- If you are using Ubuntu, put the library file libswsds.so in the /usr/lib directory and make sure users have read and execute permission on it.
- If you are using CentOS, put the library file libswsds.so in the /lib64 directory and make sure users have read and execute permission on it.
Download swssl. After -H, enter the correct IP address, port and password for connecting to the HSM.
curl -#LO https://raw.githubusercontent.com/MaggieNgWu/FISCO-BCOS/newoct/tools/download_swssl.sh
bash download_swssl.sh -H 192.168.10.12,10000,XXXXX
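The placement and permission requirements above are easy to get wrong on a fresh host, so here is a small check written as an added example (it is not a script shipped with FISCO-BCOS or swssl). It takes the include directory and one or more candidate library directories as arguments, so one call covers both the Ubuntu (/usr/lib) and CentOS (/lib64) layouts. The libswsds.so version (v1.4.06) is not checked, since that has to be confirmed with the HSM vendor's own tooling.

```shell
#!/bin/sh
# Added example (not part of FISCO-BCOS or swssl): verify that the SDF
# (GMT0018-2012) header and library are where the HSM Java SDK expects them
# and carry the permissions the steps above require. The library version
# (v1.4.06) is not checked here; confirm it with the vendor's tools.

# check_sdf_header HEADER -> 0 if HEADER exists and is readable by all users
check_sdf_header() {
    hdr="$1"
    [ -f "$hdr" ] || { echo "missing header: $hdr" >&2; return 1; }
    # column 8 of `ls -ld` output is the "others" read bit
    [ "$(ls -ld "$hdr" | cut -c8)" = "r" ] \
        || { echo "header is not world-readable: $hdr" >&2; return 1; }
    return 0
}

# check_sdf_library LIB -> 0 if LIB exists and is readable and executable by all users
check_sdf_library() {
    lib="$1"
    [ -f "$lib" ] || { echo "missing library: $lib" >&2; return 1; }
    # columns 8 and 10 of `ls -ld` output are the "others" read and execute bits
    [ "$(ls -ld "$lib" | cut -c8,10)" = "rx" ] \
        || { echo "library is not world-readable and executable: $lib" >&2; return 1; }
    return 0
}

# check_sdf_env INCLUDE_DIR LIB_DIR... -> 0 if swsds.h is in INCLUDE_DIR and
# libswsds.so is found with the right permissions in one of the LIB_DIRs
check_sdf_env() {
    inc_dir="$1"
    shift
    check_sdf_header "$inc_dir/swsds.h" || return 1
    for dir in "$@"; do
        if [ -f "$dir/libswsds.so" ]; then
            check_sdf_library "$dir/libswsds.so"
            return $?
        fi
    done
    echo "libswsds.so not found in any of: $*" >&2
    return 1
}

# Usage on the target host (Ubuntu keeps the library in /usr/lib, CentOS in /lib64):
#   check_sdf_env /usr/include /usr/lib /lib64 && echo "SDF environment OK"
```

Run it as the same (non-root) user that will later start the console, so that the permission checks reflect what the JVM will actually be able to open.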
Using the HSM-based console
Downloading the console
First, download and build the console.
mkdir ~/fisco
cd ~/fisco
git clone https://github.com/FISCO-BCOS/console.git -b release-2.8.0
# To connect to fisco-bcos-2.8.0-hsm nodes, the console must also use the HSM build of the Java SDK (fisco-bcos-java-sdk-2.8.0-hsm.jar)
./gradlew build -b build-hsm.gradle
Configuring and running a console that uses keys inside the HSM
First, follow the tutorial on adding a node that uses an HSM and use the gen_gm_hsm_node_cert.sh script to generate the key files for the SDK.
Assuming you specified key slots 31 and 32 for the SDK's signing key and encryption key, you will get the following files:
sdk
|---gm
| |----gmca.crt
| |----gmensdk.crt
| |----gmnode.serial
| |----gmsdk.crt
| |----gmsdk.publickey
|
|---swssl.cnf
|---swsds.ini
Then copy these files to the correct directories of the console.
cp -r sdk/gm ~/fisco/console/dist/conf/
cp sdk/swsds.ini sdk/swssl.cnf ~/fisco/console/dist/
Next, configure the console: copy config-hsm-example.toml to config.toml and edit it.
cd ~/fisco/console/dist/
cp conf/config-hsm-example.toml conf/config.toml
vim conf/config.toml
In config.toml, change sslKeyIndex and enSslKeyIndex to the signing key index and encryption key index that were used when the SDK key files were generated; in this example, 31 and 32.
If you want to sign transactions with a key inside the HSM, edit the [account] section to the correct signing key index and password. If the key has no password, set password = "".
[cryptoMaterial]
certPath = "conf" # The certification path
# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt" # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt
# sslCert = "conf/sdk.crt" # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt
# sslKey = "conf/sdk.key" # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key
# enSslCert = "conf/gm/gmensdk.crt" # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt
# enSslKey = "conf/gm/gmensdk.key" # GM ssl cert file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm"
sslKeyIndex = "31"
enSslKeyIndex = "32"
[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"] # The peer list to connect
# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.
# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ] # Public keys of the nodes that you want to send AMOP message of this topic to.
# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12" # Your private key that used to subscriber verification.
# password = "123456"
[account]
# keyStoreDir = "account" # The directory to load/store the account file, default is "account"
# accountFilePath = "" # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem" # The storage format of account file (Default is "pem", "p12" as an option)
# accountAddress = "" # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir
# password = "" # The password used to load the account file
accountKeyIndex = "53" # If use hardware inner key, please config the key index and password
password = "" # If use hardware inner key, please config the key index and password
[threadPool]
# channelProcessorThreadSize = "16" # The size of the thread pool to process channel callback
# Default is the number of cpu cores
# receiptProcessorThreadSize = "16" # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores
maxBlockingQueueSize = "102400" # The max blocking queue size of the thread pool
Note
If you set accountKeyIndex under [account] in the configuration file, that key will be used for signing when you deploy contracts, so there is no need to create an account manually in the console.
Finally, run the console:
cd ~/fisco/console/dist
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
export USE_SWSSL_HSM=true
./start.sh
Note
When listAccount is called from the console, only software keys are shown; keys inside the HSM are not listed yet. When you perform permission management, the key inside the HSM is the one being used. If you need to perform permission management with a software key, switch to it with loadAccount.
Configuring and running a console that uses keys outside the HSM
If your console uses external keys, build and run it as follows:
mkdir ~/fisco
cd ~/fisco
git clone https://github.com/FISCO-BCOS/console.git -b release-2.8.0
cd console
# To connect to fisco-bcos-2.8.0-hsm nodes, the console must also use the HSM build of the Java SDK (fisco-bcos-java-sdk-2.8.0-hsm.jar)
./gradlew build -b build-hsm.gradle
cd dist/
cp conf/config-example.toml conf/config.toml
# Copy all files from the node's sdk directory into the conf directory.
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
./start.sh
Using the HSM-based Java SDK demo
Downloading the Java SDK demo
First, download and build the Java SDK demo.
mkdir ~/fisco
cd ~/fisco
# Download the source
git clone https://github.com/FISCO-BCOS/java-sdk-demo -b release-2.8.0
cd java-sdk-demo
# Build the source
./gradlew build -b build-hsm.gradle
Note
If GitHub cannot be reached from your network, download the source from https://gitee.com/FISCO-BCOS/java-sdk-demo instead.
Configuring and running a Java SDK demo that uses keys inside the HSM
First, follow the tutorial on adding a node that uses an HSM and use the gen_gm_hsm_node_cert.sh script to generate the key files for the SDK.
Assuming you specified key slots 31 and 32 for the SDK's signing key and encryption key, you will get the following files:
sdk
|---gm
| |----gmca.crt
| |----gmensdk.crt
| |----gmnode.serial
| |----gmsdk.crt
| |----gmsdk.publickey
|
|---swssl.cnf
|---swsds.ini
Then copy these files to the correct directories of java-sdk-demo.
cp -r sdk/gm ~/fisco/java-sdk-demo/dist/conf/
cp sdk/swsds.ini sdk/swssl.cnf ~/fisco/java-sdk-demo/dist/
sudo cp sdk/swsds.ini /etc/
Next, configure java-sdk-demo: copy config-hsm-example.toml to config.toml and edit it.
cd ~/fisco/java-sdk-demo/dist/
cp conf/config-hsm-example.toml conf/config.toml
vim conf/config.toml
In config.toml, change sslKeyIndex and enSslKeyIndex to the signing key index and encryption key index that were used when the SDK key files were generated; in this example, 31 and 32.
If you want to sign transactions with a key inside the HSM, edit the [account] section to the correct signing key index and password. If the key has no password, set password = "".
[cryptoMaterial]
certPath = "conf" # The certification path
# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt" # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt
# sslCert = "conf/sdk.crt" # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt
# sslKey = "conf/sdk.key" # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key
# enSslCert = "conf/gm/gmensdk.crt" # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt
# enSslKey = "conf/gm/gmensdk.key" # GM ssl cert file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm"
sslKeyIndex = "31"
enSslKeyIndex = "32"
[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"] # The peer list to connect
# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.
# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ] # Public keys of the nodes that you want to send AMOP message of this topic to.
# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12" # Your private key that used to subscriber verification.
# password = "123456"
[account]
# keyStoreDir = "account" # The directory to load/store the account file, default is "account"
# accountFilePath = "" # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem" # The storage format of account file (Default is "pem", "p12" as an option)
# accountAddress = "" # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir
# password = "" # The password used to load the account file
accountKeyIndex = "53" # If use hardware inner key, please config the key index and password
password = "" # If use hardware inner key, please config the key index and password
[threadPool]
# channelProcessorThreadSize = "16" # The size of the thread pool to process channel callback
# Default is the number of cpu cores
# receiptProcessorThreadSize = "16" # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores
maxBlockingQueueSize = "102400" # The max blocking queue size of the thread pool
Finally, run the Java SDK demo:
cd ~/fisco/java-sdk-demo/dist
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
export OPENSSL_CONF=swssl.cnf
export USE_SWSSL_HSM=true
java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf [precompiled] [groupID] [add] [count] [tps] [file]
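The configuration step is the same for the console (earlier section) and for the Java SDK demo: set sslKeyIndex and enSslKeyIndex under [cryptoMaterial] to the slots passed to gen_gm_hsm_node_cert.sh, optionally set accountKeyIndex under [account], and make sure the files copied from the sdk directory are in place. The shell functions below are an added example (not part of the console or java-sdk-demo projects) that perform that edit on an existing config.toml. They refuse non-numeric indices, touch only active (uncommented) lines so the commented defaults in the example config survive, confirm cryptoProvider is still "hsm", and check the file layout shown above (conf/gm/gmca.crt, conf/gm/gmsdk.crt, conf/gm/gmensdk.crt, swsds.ini and swssl.cnf under the dist directory).

```shell
#!/bin/sh
# Added example (not part of the FISCO-BCOS console or java-sdk-demo): apply the
# HSM key indices to config.toml and check the SDK material copied from the
# generated sdk directory. Only uncommented `key = "value"` lines are edited.

# is_key_index VALUE -> 0 if VALUE is a non-negative integer (an HSM key slot)
is_key_index() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# toml_get FILE KEY -> prints the value of the first active `KEY = "..."` line
toml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# toml_set FILE KEY VALUE -> rewrites the active `KEY = "..."` line; fails if the
# key is absent or present only as a commented-out default
toml_set() {
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1" \
        || { echo "no active '$2' setting in $1" >&2; return 1; }
    sed "s|^\([[:space:]]*$2[[:space:]]*=[[:space:]]*\)\"[^\"]*\"|\1\"$3\"|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# configure_hsm_indices CONFIG SSL_IDX EN_SSL_IDX [ACCOUNT_IDX]
#   SSL_IDX / EN_SSL_IDX: slots of the SDK signing / encryption key (31 and 32 above)
#   ACCOUNT_IDX: optional slot of the transaction-signing key (53 above)
configure_hsm_indices() {
    cfg="$1"; ssl_idx="$2"; en_ssl_idx="$3"; acct_idx="$4"
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 1; }
    if ! is_key_index "$ssl_idx" || ! is_key_index "$en_ssl_idx"; then
        echo "key indices must be non-negative integers, got '$ssl_idx' and '$en_ssl_idx'" >&2
        return 1
    fi
    # The slot numbers only take effect when the SDK is told to use the HSM
    [ "$(toml_get "$cfg" cryptoProvider)" = "hsm" ] \
        || { echo "cryptoProvider is not \"hsm\" in $cfg" >&2; return 1; }
    toml_set "$cfg" sslKeyIndex "$ssl_idx" || return 1
    toml_set "$cfg" enSslKeyIndex "$en_ssl_idx" || return 1
    if [ -n "$acct_idx" ]; then
        is_key_index "$acct_idx" || { echo "bad account key index '$acct_idx'" >&2; return 1; }
        toml_set "$cfg" accountKeyIndex "$acct_idx" || return 1
    fi
    return 0
}

# check_sdk_material DIST_DIR -> 0 if the files copied from the generated sdk
# directory are readable where the HSM SDK loads them from
check_sdk_material() {
    dist="$1"
    for f in conf/gm/gmca.crt conf/gm/gmsdk.crt conf/gm/gmensdk.crt swsds.ini swssl.cnf; do
        [ -r "$dist/$f" ] || { echo "missing or unreadable: $dist/$f" >&2; return 1; }
    done
    return 0
}

# Usage for the console (the same call works for java-sdk-demo with its own dist directory):
#   configure_hsm_indices ~/fisco/console/dist/conf/config.toml 31 32 53 \
#       && check_sdk_material ~/fisco/console/dist
```

Because the functions edit only active lines, a config.toml in which accountKeyIndex is still commented out makes configure_hsm_indices fail rather than silently leaving the console signing with a randomly generated software account; uncomment the line first, as in the [account] section shown above.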