
Trying to achieve multicloud architecture between Azure and GCP. We have the orderer in a separate VM running in Azure. Now trying to join a peer which is running in another VM in Google Cloud Platform. Our requirement is to join that peer to the channel in the Azure network. In order to join the peer to the channel, we tried fetching the genesis block from the orderer. But getting the following error:

    peer channel fetch newest genesis.block -c composerchannelrest --orderer orderer0:7050 --tls --cafile /root/bcnetwork/conf/crypto-config/ordererOrganizations/ordererorg0/tlsca/tlsca.ordererorg0-cert.pem
    2019-11-20 08:35:33.754 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
    2019-11-20 08:35:33.932 UTC [cli.common] readBlock -> INFO 002 Got status: &{FORBIDDEN}
    Error: can't read the block: &{FORBIDDEN}

Exported the env. variables as:

    export CHANNEL_NAME=composerchannelrest
    export CORE_PEER_ADDRESS=peer2:7051
    export CORE_PEER_ID=Intainpeer2
    export CORE_PEER_LOCALMSPID=Org0MSP
    export CORE_PEER_TLS_ENABLED=true
    export CORE_PEER_TLS_KEY_FILE=/root/bcnetwork/conf/crypto-config/peerOrganizations/org0/peers/peer2.org0/tls/server.key
    export CORE_PEER_TLS_CERT_FILE=/root/bcnetwork/conf/crypto-config/peerOrganizations/org0/peers/peer2.org0/tls/server.crt
    export CORE_PEER_TLS_ROOTCERT_FILE=/root/bcnetwork/conf/crypto-config/peerOrganizations/org0/peers/peer2.org0/tls/ca.crt
    export CORE_PEER_MSPCONFIGPATH=/root/bcnetwork/conf/crypto-config/peerOrganizations/org0/peers/peer2.org0/msp

and FABRIC_CFG_PATH is under /root/bcnetwork/conf/crypto-config

Additional info: In the orderer VM, under /etc/hosts, we specified the internal IPs of the peers (peers running in different VMs) and the orderer. In the peer VM, under /etc/hosts, we specified the external IPs.

Is your requirement: an Azure VM has to connect to a VM on Google Cloud on a private network? - Prashant
Yes, have to join the peer in one VM (this VM is in GCP) to the channel on the Azure network. - Soundarya
Are they on VPN? If yes, please update your question to reflect the network infrastructure. - Prashant
The orderer0 logs will help. A lot. - kekomal
In the orderer log, it is showing the following error: Principal deserialization failure (MSP IntainOrg is unknown) for identity 0 Principal deserialization failure (MSP IntainOrg is unknown) for identity 0 WARN 4e8 [channel: composerchannelrest] Client authorization revoked for deliver request from implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied - Soundarya

2 Answers


From your log in the comments: what MSP ID is IntainOrg? You declare CORE_PEER_LOCALMSPID=Org0MSP, but it seems that your client's certificate (the one in $CORE_PEER_MSPCONFIGPATH/signcerts/cert.pem) belongs to an IntainOrg not recognised by your orderer, as probably Org0MSP or something similar is expected.

Maybe your organization of MSP ID Org0MSP has an MSP name IntainOrg, I don't know without your configtx.yaml (and I don't remember if the log shows the MSP ID or the MSP name), but the fact is that the orderer does not recognise the organization whose CA is signing your client's certificate.
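
A triage sketch for the Name-versus-ID question raised in this answer, added here as an example and not part of the original answer: it pulls the rejected MSP value out of an orderer log and checks whether that value is an organization's Name or its ID in configtx.yaml. The function names, the sample log and the Name/ID pairing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Sample inputs are constructed
# from the log line and MSP IDs quoted on this page.

# MSP IDs the orderer log reports as unknown, one per line, de-duplicated.
unknown_msps() {
  grep -o 'MSP [^ ]* is unknown' "$1" | awk '{print $2}' | sort -u
}

# "Name ID" pair for every organization defined in a configtx.yaml.
org_pairs() {
  awk '$1 == "Name:" {name = $2} $1 == "ID:" {print name, $2}' "$1"
}

# Classify a rejected MSP value against the organizations in configtx.yaml:
#   known-id          defined as an ID here, so check that the channel's
#                     current config block actually includes this organization
#   name-not-id <ID>  the value is an org Name; <ID> is the MSP ID defined for it
#   undefined         no organization in the file uses this value
classify_msp() {
  org_pairs "$2" | awk -v want="$1" '
    $2 == want { print "known-id"; found = 1; exit }
    $1 == want { print "name-not-id " $2; found = 1; exit }
    END { if (!found) print "undefined" }'
}

demo() {
  dir=$(mktemp -d)
  # Constructed orderer log: the line reported in the comments, twice.
  printf '%s\n' \
    'Principal deserialization failure (MSP IntainOrg is unknown) for identity 0' \
    'Principal deserialization failure (MSP IntainOrg is unknown) for identity 0' \
    > "$dir/orderer.log"
  # Constructed configtx.yaml fragment (hypothetical Name/ID pairing).
  printf '%s\n' \
    '    - &Org0' \
    '        Name: IntainOrg' \
    '        # ID to load the MSP definition as' \
    '        ID: Org0MSP' \
    > "$dir/configtx.yaml"
  for msp in $(unknown_msps "$dir/orderer.log"); do
    echo "$msp -> $(classify_msp "$msp" "$dir/configtx.yaml")"
  done
  rm -rf "$dir"
}
demo   # prints: IntainOrg -> name-not-id Org0MSP
```
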

# Copyright IBM Corp. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

#   Section: Organizations
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
Organizations:

    # SampleOrg defines an MSP using the sampleconfig.  It should never be used
    # in production but may be used as a template for other definitions
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg

        # ID to load the MSP definition as
        ID: OrdererMSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

    - &Org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org1MSP

        # ID to load the MSP definition as
        ID: Org1MSP

        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"

        # leave this flag set to true.
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org1.example.com
              Port: 7051

    - &Org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org2MSP

        # ID to load the MSP definition as
        ID: Org2MSP

        MSPDir: crypto-config/peerOrganizations/org2.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org2.example.com
              Port: 7051

#   SECTION: Capabilities
#   - This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V1.3 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v1.3.x
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V1.3 channel capabilities, ensure that all
        # orderers and peers on a channel are at v1.3.0 or later.
        V1_3: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V1.1 for Orderer is a catchall flag for behavior which has been
        # determined to be desired for all orderers running at the v1.1.x
        # level, but which would be incompatible with orderers from prior releases.
        # Prior to enabling V1.1 orderer capabilities, ensure that all
        # orderers on a channel are at v1.1.0 or later.
        V1_1: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V1.3 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.3.
        V1_3: true
        # V1.2 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.2 (note, this need not be set if
        # later version capabilities are set)
        V1_2: false
        # V1.1 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.1 (note, this need not be set if
        # later version capabilities are set).
        V1_1: false

#   SECTION: Application
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    Capabilities:
        <<: *ApplicationCapabilities

#   SECTION: Orderer
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo

    Addresses:
        - orderer.example.com:7050

    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s

    # Batch Size: Controls the number of messages batched into a block
    BatchSize:

        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10

        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB

        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB

    Kafka:
        # Brokers: A list of Kafka brokers to which the orderer connects
        # NOTE: Use IP:port notation
        Brokers:

    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    #   /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities

#   Profile
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool

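Profiles:

    # Profile names below are assumed: they are the names used in the
    # fabric-samples first-network configtx.yaml.
    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities

    SampleDevModeKafka:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: kafka
            Kafka:
                Brokers:
                - kafka.example.com:9092

            Organizations:
            - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
            - <<: *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                - *Org1
                - *Org2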