Practical considerations in managing users in Fabric CA

Typically, an organization has its own identity (LDAP) server for managing its employees. An organization may choose to participate in one or more Hyperledger Fabric networks, but only a subset of its employees may be onboarded to each network. The administrator of Fabric CA for each network may choose to register a subset of employees in each network.

Since an employee must generate and manage a private key to participate in a Hyperledger Fabric network, the responsibility for managing that private key and its corresponding digital certificate lies with the employee of the organization. Managing private keys and digital certificates is non-trivial; it can place an undue burden on an employee and may lead to inadvertent key exposure by the employee. Since an employee already has to remember organization-issued credentials (e.g., a username and password) to log on to the organization's systems, an organization can instead choose to manage the private keys and certificates on behalf of the employees who participate in one or more Hyperledger Fabric networks. Depending on the industry, the private keys may be stored in hardware security modules, which makes it infeasible to tamper with the keys. The precise configuration of hardware security modules is beyond the scope of this chapter.
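As an added illustration of the first point above (onboarding only a subset of an organization's LDAP users to a given network), the following fabric-ca-server-config.yaml fragment is example configuration written for this chapter, not taken from the Fabric CA project. The LDAP host, base DN, group name and certificate path are assumed placeholders, and the `memberOf` attribute assumes a directory that exposes group membership that way.

```yaml
# Added example: point Fabric CA at the organization's LDAP directory
# instead of its own registry, and let only members of one group enroll.
ldap:
  # When enabled, identities are authenticated against LDAP and the
  # local "registry" section (and fabric-ca-client register) is not used.
  enabled: true

  # Weak: plaintext ldap:// with the bind password embedded in the URL.
  # url: ldap://cn=admin,dc=example,dc=com:S3cret@ldap.example.com:389/dc=example,dc=com
  # Preferred: LDAPS, with the bind password supplied via an environment
  # variable or secret rather than written into the config file.
  url: ldaps://cn=fabric-bind,ou=service,dc=example,dc=com:${LDAP_BIND_PW}@ldap.example.com:636/dc=example,dc=com

  tls:
    # CA certificate used to verify the LDAP server (assumed path).
    certfiles:
      - /etc/hyperledger/fabric-ca/ldap-ca.pem

  # Only employees who are members of the per-network group may enroll.
  # %s is replaced with the enrollment ID presented by the client.
  # A bare "(uid=%s)" would admit every employee in the directory.
  userfilter: "(&(uid=%s)(memberOf=cn=fabric-net1-users,ou=groups,dc=example,dc=com))"

  attribute:
    # LDAP attributes requested for each identity that enrolls.
    names: ['uid', 'member']
```

Because every identity then comes from the directory, removing an employee from the `fabric-net1-users` group stops further enrollments for that network without touching the Fabric CA database; certificates already issued still need to be revoked separately.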