
"Identity or token does not match" even if a correct enrolment ID/secret is used.

Open sachikoy opened this issue 8 years ago • 4 comments

Description

REST API call to /registrar returns an error which says "Identity or token does not match" even if a correct enrolment ID/secret is used.

Describe How to Reproduce

An easy way to reproduce:

  1. set up a blockchain network with multiple (e.g., four) validating peers, with security enabled.
  2. access one peer's /registrar with an enrolment ID/secret (e.g., test_user0)
  3. access another peer's /registrar using the same enrolment ID/secret (e.g., test_user0)
  4. then the second attempt fails with the error mentioned above.

Is this intended by design? A problem is that there seems to be no way to allow the user to access validating peers, or switch from one to another. In addition, the same problem seems to occur when a validating peer crashes and is rebooted. The enrolment ID that was used before can never be used.

sachikoy avatar Jun 24 '16 09:06 sachikoy

Hi @sachikoy,

The enrollmentID and enrollmentSecret pair that is used to perform the enrollment with the membership service server is indeed a one-time-use set of credentials. Once you have performed the enrollment one time on one peer, it will fail on subsequent enrollments. This is elaborated on here:

https://github.com/hyperledger/fabric/blob/master/docs/API/SandboxSetup.md#note-on-security-functionality

If you must send your transaction to one of the other peer IP addresses, not the original peer IP that performed the user enrollment, that second peer will not have the appropriate user cert/tokens to transact. The current approach to transacting through multiple peers was to configure the application and peer nodes to replicate the location of the stored crypto among themselves. This was the approach that was discussed quite some time ago. @adecaro and @elli-androulaki, I assume that is still the suggested approach at this time?

Though I appreciate you bringing this issue back up to our attention as we need to document a more straight forward way of actually going through the procedure above.

angrbrd avatar Jun 24 '16 16:06 angrbrd

Hi @angrbrd So I think the current design assumes that when a user performed enrolment on one peer, the peer is trusted by the user, and maintains the security tokens (especially the private key of the Ecert) for the user, retrieves Tcerts and signs transactions using the Tcert keys. But on the other hand, when one accesses the REST API, he can easily impersonate another user by specifying the enrolment ID in the REST request. I raised the issue before. https://github.com/hyperledger/fabric/issues/1459

I still cannot understand what is the best practice for using the REST API with security.

sachikoy avatar Jun 27 '16 14:06 sachikoy

@sachikoy The REST API is not secure. You should use the new node SDK API. This will keep the ecert's private key in the local KeyValStore, which means it doesn't matter which peer you connect to. See fabric/sdk/node/README.md for more info.

smithbk avatar Jun 27 '16 15:06 smithbk

@angrbrd @sachikoy I am also getting the same error (Identity or token does not match) even though I am using the correct enrollID and enrollSecret. I have gone through all the discussion here and also https://github.com/hyperledger-archives/fabric/issues/2004, but I am not able to figure out how to rectify this.

Below is the command that is causing the error:

kishan@kishan-Inspiron-3542:~/composer-sample-app$ composer archive create --archiveFile digitalproperty-network.bna --sourceType module --sourceName digitalproperty-network && composer network deploy --archiveFile  digitalproperty-network.bna  --enrollId admin --enrollSecret Xurw3yU9zI0l

Creating Business Network Archive

Node module search path : 
undefined 

Not found in main node_module search path, trying current directory :/home/kishan/composer-sample-app/node_modules/digitalproperty-network
Looking for package.json of Business Network Definition in /home/kishan/composer-sample-app/node_modules/digitalproperty-network

Found:
Description:Digital Property Network
Name:digitalproperty-network
Identifier:[email protected]

Written Business Network Definition Archive file to digitalproperty-network.bna
Command completed successfully.

Command succeeded


Deploying business network from archive: digitalproperty-network.bna
Business network definition:
	Identifier: [email protected]
	Description: Digital Property Network


Error: Identity or token does not match.
Command failed

kishan@kishan-Inspiron-3542:~/composer-sample-app$ 

Also @angrbrd, the link https://github.com/hyperledger/fabric/blob/master/docs/API/SandboxSetup.md#note-on-security-functionality does not exist. If there is some other link where this material is available, please post the link here.

kishansagathiya avatar May 23 '17 09:05 kishansagathiya