Fabric Hardening

Fabric API/WS Hardening

Step 1 - Import or Generate TLS Certificate

Import a TLS Certificate

Option 1: Import your existing TLS certificate into the keystore (recommended).

If you already have a TLS certificate, import it to the keystore:

${FABRIC_HOME}/fabric/scripts/certificates.sh addkey webserver ~/.keystore changeit

Generate a Self-signed TLS Certificate

Option 2: Generate a self-signed certificate

The Generating a Self-Signed Certificate in Fabric article explains how to create and use a self-signed certificate in Fabric using the certificates.sh helper script, and alternatively, how to use the keytool utility directly. It also covers advanced options for IP-based access and browser trust configuration.

Step 2 - Copy the Key to All Fabric Nodes

If you have multiple Fabric nodes and want all nodes to use the same certificate, copy the ${user.home}/.keystore created in the first step to the same path on each node.

If Fabric is running in a Docker container, the user may differ. In that case, change the file owner by running the following command:

chown fabric:fabric ~/.keystore

Step 3 - Configure Fabric

Uncomment the following lines in the fabric section of the config.ini file:

#WEB_SERVICE_SECURE_PORT=8443
#WEB_SERVICE_KEY_ALIAS=webserver

Step 4 - Check the Access to Fabric Web UI via HTTPS

  • Restart each of the Fabric nodes.
  • Use the following access point to check that HTTPS access works:
    • Admin Panel: https://10.0.0.0:8443/app/admin

Fabric JDBC Driver Hardening

To securely access Fabric data via its JDBC driver, the TLS option is enabled (true) by default in the [jdbc-server] section of the config.ini file:

## Turn on TLS for the Fabric driver protocol
#SECURE=true

To disable hardening, set the SECURE flag to false.
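
A quick audit of Step 3 and the JDBC setting, as an added example that is not part of the original page or of Fabric's own tooling: it reports whether the two web-service keys are uncommented and whether SECURE has been set to false. It assumes the section headers are written [fabric] and [jdbc-server]; ini_get and audit_fabric_config are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit config.ini for the TLS settings described on this page.
# Assumption: section headers are written [fabric] and [jdbc-server].

# Print the active (uncommented) value of KEY in [SECTION]; print nothing if unset.
ini_get() { # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_sec = ($0 == sec); next }
        !in_sec || /^[ \t]*[#;]/ { next }   # other section, or commented out
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report each finding on stdout; the return code is the number of findings.
audit_fabric_config() { # usage: audit_fabric_config FILE
    cfg=$1; findings=0
    for key in WEB_SERVICE_SECURE_PORT WEB_SERVICE_KEY_ALIAS; do
        if [ -z "$(ini_get "$cfg" fabric "$key")" ]; then
            echo "FAIL: $key is commented out or missing in [fabric]"
            findings=$((findings + 1))
        fi
    done
    # SECURE is on by default, so only an explicit false is a finding.
    case "$(ini_get "$cfg" jdbc-server SECURE)" in
        [Ff][Aa][Ll][Ss][Ee])
            echo "FAIL: SECURE=false turns off TLS for the JDBC driver"
            findings=$((findings + 1)) ;;
    esac
    if [ "$findings" -eq 0 ]; then echo "OK: HTTPS and JDBC TLS settings are active"; fi
    return "$findings"
}

# Constructed sample: config.ini as shipped, before Step 3 has been applied.
sample=$(mktemp)
printf '%s\n' '[fabric]' '#WEB_SERVICE_SECURE_PORT=8443' \
    '#WEB_SERVICE_KEY_ALIAS=webserver' '[jdbc-server]' '#SECURE=true' > "$sample"
audit_fabric_config "$sample" || true   # prints two FAIL lines
rm -f "$sample"
```

Run it against the config.ini on every node after Step 3, since each node reads its own copy of the file.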
