[CE-395] Enable mutual tls in cello/ansible

Adding mutual tls option for the kubernetes network in cello/ansible. Making all the cert paths to be same in the network and adding resources to couchdb. Change-Id: I26bf21b96a48fb49263b7721eb5586404e04473c Signed-off-by: Surya <suryalnvs@gmail.com>
hyperledger · Aug 30, 2018 · 243460f · 243460f
1 parent a4017f5
commit 243460f
Show file tree

Hide file tree

Showing 11 changed files with 170 additions and 56 deletions.
diff --git a/src/agent/ansible/roles/common/config_apply.yml b/src/agent/ansible/roles/common/config_apply.yml
@@ -24,6 +24,8 @@
     allorderers: "{{ [] }}"
     clipeer: "{}"
     cliorderer: "{}"
+    tls: "{}"
+    mutualtls: "{}"
 
 - name: Make sure that working directory exists
   file:
@@ -115,3 +117,41 @@
 - name: Create all orgs list
   set_fact:
     allorgs: "{{ (caorgs + peerorgs + ordererorgs) | sort | unique }}"
+
+- name: TLS
+  set_fact:
+    tls: "{{ fabric.tls | default('true') }}"
+    mutualtls: "false"
+  when: fabric.tls != "client"
+
+- name: Mutual tls
+  set_fact:
+    mutualtls: "true"
+    tls: "true"
+  when: fabric.tls == "client"
+
+- name: Create peerorg rootca list
+  set_fact:
+    peerorg_rootca: |
+      {{ peerorg_rootca | default([]) | replace('+', ',') }}  +  [ '/etc/hyperledger/fabric/artifacts/keyfiles/{{ item }}/ca/ca.{{ item }}-cert.pem' ]
+  with_items: "{{ peerorgs }}"
+  when: fabric.tls == "client"
+
+- name: Create peers rootca list
+  set_fact:
+    peers_rootca: |
+      {{ peers_rootca | default([]) | replace('+', ',') }}  +  [ '/etc/hyperledger/fabric/artifacts/keyfiles/{{ item.org }}/peers/{{ item.name }}.{{ item.org }}/tls/ca.crt' ]
+  with_items: "{{ allpeers }}"
+  when: fabric.tls == "client"
+
+- name: Create orderers rootca list
+  set_fact:
+    orderer_rootca: |
+      {{ orderer_rootca | default([]) | replace('+', ',') }} + [ '/etc/hyperledger/fabric/artifacts/keyfiles/{{ item.org }}/orderers/{{ item.name }}.{{ item.org }}/tls/ca.crt' ]
+  with_items: "{{ allorderers }}"
+  when: fabric.tls == "client"
+
+- name: Joining the orderer rootca list and peerorg rootca list
+  set_fact:
+    rootca: "{{ peerorg_rootca }} + {{ peers_rootca }} + {{ orderer_rootca }}"
+  when: fabric.tls == "client"
diff --git a/src/agent/ansible/roles/deploy_compose/certsetup/templates/connection.j2 b/src/agent/ansible/roles/deploy_compose/certsetup/templates/connection.j2
@@ -47,7 +47,7 @@
   "orderers": {
 {% for orderer in allorderers %}
     "{{ orderer.name }}": {
-      "url": "{{ fabric.tls|ternary('grpcs','grpc') }}://{{ orderer.name }}:7050",
+      "url": "{{ tls|ternary('grpcs','grpc') }}://{{ orderer.name }}:7050",
       "grpcOptions": {
         "ssl-target-name-override": "{{ orderer.name }}"
       },
@@ -60,8 +60,8 @@
   "peers": {
 {% for peer in allpeers|selectattr('org', 'equalto', item)|list %}
     "{{ peer.name }}": {
-      "url": "{{ fabric.tls|ternary('grpcs','grpc') }}://{{ peer.name }}:7051",
-      "eventUrl": "{{ fabric.tls|ternary('grpcs','grpc') }}://{{ peer.name }}:7053",
+      "url": "{{ tls|ternary('grpcs','grpc') }}://{{ peer.name }}:7051",
+      "eventUrl": "{{ tls|ternary('grpcs','grpc') }}://{{ peer.name }}:7053",
       "grpcOptions": {
         "ssl-target-name-override": "{{ peer.name }}"
       },
@@ -74,7 +74,7 @@
   "certificateAuthorities": {
 {% for ca in allcas|selectattr('org', 'equalto', item)|list %}
     "{{ ca.name }}": {
-      "url": "{{ fabric.tls|ternary('https','http') }}://{{ca.name}}:7054",
+      "url": "{{ tls|ternary('https','http') }}://{{ca.name}}:7054",
       "caName": "{{ ca.name }}",
       "httpOptions": {"verify": false}
     }{{ '' if loop.last else ',' }}

diff --git a/src/agent/ansible/roles/deploy_compose/chaincodesetup/templates/dochannel.j2 b/src/agent/ansible/roles/deploy_compose/chaincodesetup/templates/dochannel.j2
@@ -1,6 +1,6 @@
 #! /bin/bash
 
-{% if fabric.tls %}
+{% if tls %}
 
 # Set up environment varilables first
 
@@ -10,11 +10,21 @@ export CORE_PEER_ID={{ clipeer.name }}
 export CORE_PEER_ADDRESS={{ clipeer.name }}:7051
 export CORE_PEER_LOCALMSPID={{ clipeer.org }}
 export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.crt
+{% endif %}
 
 # Run the peer channel create command
 cd /etc/hyperledger/allorgs
 peer channel create -o {{ cliorderer.name }}:7050 -c firstchannel \
   -f /etc/hyperledger/allorgs/firstchannel.tx --tls true --timeout 240 \
+{% if mutualtls %}
+  --clientauth \
+  --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.crt \
+  --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.key \
+{% endif %}
   --cafile /etc/hyperledger/allorgs/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem
 
 export CORE_PEER_TLS_ENABLED=true
@@ -29,10 +39,15 @@ export CORE_PEER_ID={{ peer.name }}
 export CORE_PEER_ADDRESS={{ peer.name }}:7051
 export CORE_PEER_LOCALMSPID={{ peer.org }}
 export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/{{ peer.org }}/users/Admin@{{ peer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt
+{% endif %}
 
-peer channel join -b firstchannel.block
+peer channel join -b firstchannel.block {% if mutualtls %} --clientauth --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key {% endif %}
 
-peer chaincode install -n firstchaincode -v 1.0 -p chaincode
+peer chaincode install {% if mutualtls %} --clientauth --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key {% endif %} -n firstchaincode -v 1.0 -p chaincode
 
 {% endfor %}
 
@@ -46,8 +61,18 @@ export CORE_PEER_ID={{ chainpeer.name }}
 export CORE_PEER_ADDRESS={{ chainpeer.name }}:7051
 export CORE_PEER_LOCALMSPID={{ chainpeer.org }}
 export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.crt
+{% endif %}
 
 peer chaincode instantiate -o {{ cliorderer.name }}:7050 --tls true \
+{% if mutualtls %}
+  --clientauth \
+  --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.crt \
+  --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.key \
+{% endif %}
   --cafile /etc/hyperledger/allorgs/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem \
   -C firstchannel -n firstchaincode -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ({{ orgmembers }})"
 

diff --git a/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/ca-compose.j2 b/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/ca-compose.j2
@@ -14,7 +14,7 @@ services:
       - FABRIC_CA_SERVER_CA_NAME={{ ca.name}}
       - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ca/ca_private.key
       - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca/ca.{{ ca.org }}-cert.pem
-{% if fabric.tls %}
+{% if tls %}
       - FABRIC_CA_SERVER_TLS_ENABLED=true
       - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/tlsca_private.key
       - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.{{ ca.org }}-cert.pem

diff --git a/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/orderer-compose.j2 b/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/orderer-compose.j2
@@ -16,13 +16,16 @@ services:
       - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/allorgs/genesis.block
       - ORDERER_GENERAL_LOCALMSPID={{ orderer.org }}
       - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
-      - ORDERER_GENERAL_TLS_ENABLED={{ fabric.tls | lower }}
-{% if fabric.tls %}
+      - ORDERER_GENERAL_TLS_ENABLED={{ tls | lower }}
+{% if tls %}
       - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
       - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
       - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
 {% endif %}
-      - ORDERER_GENERAL_TLS_CLIENTAUTHENABLED=false
+{% if mutualtls %}
+      - ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
+      - ORDERER_GENERAL_TLS_CLIENTROOTCAS=[{{ rootca | list | join (", ")}}]
+{% endif %}
       - ORDERER_KAFKA_RETRY_SHORTINTERVAL=1s
       - ORDERER_KAFKA_RETRY_SHORTTOTAL=30s
       - ORDERER_KAFKA_VERBOSE=true

diff --git a/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/peer-compose.j2 b/src/agent/ansible/roles/deploy_compose/fabricsetup/templates/peer-compose.j2
@@ -24,8 +24,8 @@ services:
       - CORE_PEER_GOSSIP_USELEADERELECTION={{ allpeers|selectattr('org','equalto',peer.org)|list|selectattr('role','equalto','leader')|list|length|int==0 }}
       - CORE_PEER_GOSSIP_ORGLEADER={{ (peer.role == "leader") | ternary('true','false') }}
       - CORE_PEER_PROFILE_ENABLED=true
-      - CORE_PEER_TLS_ENABLED={{ fabric.tls | lower }}
-{% if fabric.tls %}
+      - CORE_PEER_TLS_ENABLED={{ tls | lower }}
+{% if tls %}
       - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
       - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
       - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
@@ -35,6 +35,12 @@ services:
       - CORE_PEER_GOSSIP_EXTERNALENDPOINT={{ peer.name }}:7051
       - CORE_PEER_LOCALMSPID={{ peer.org }}
       - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
+{% if mutualtls %}
+      - CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+      - CORE_PEER_TLS_CLIENTROOTCAS_FILES={{ rootca | list | join (" ") }}
+      - CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key
+      - CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt
+{% endif %}
 {% if fabric.peer_db == 'CouchDB' %}
       - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
       - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb-{{ peer.name }}:5984
@@ -44,4 +50,4 @@ services:
       - {{ fabricworkdir }}/run/keyfiles/{{ peer.org }}/peers/{{ peer.name }}.{{ peer.org }}:/etc/hyperledger/fabric
     command: peer node start
 
-{% endfor %}
+{% endfor %}
diff --git a/src/agent/ansible/roles/deploy_k8s/fabricsetup/templates/cli-k8s.j2 b/src/agent/ansible/roles/deploy_k8s/fabricsetup/templates/cli-k8s.j2
@@ -36,6 +36,6 @@ spec:
       volumeMounts:
         - mountPath: /host/var/run
           name: varrun
-        - mountPath: /etc/hyperledger/allorgs
+        - mountPath: /etc/hyperledger/fabric/artifacts
           name: task-pv-storage
-      command: ["/etc/hyperledger/allorgs/dochannel.sh"]
+      command: ["/etc/hyperledger/fabric/artifacts/dochannel.sh"]
diff --git a/src/agent/ansible/roles/deploy_k8s/fabricsetup/templates/dochannel.j2 b/src/agent/ansible/roles/deploy_k8s/fabricsetup/templates/dochannel.j2
@@ -7,27 +7,37 @@
 {% set tag = fabric.baseimage_tag.split('-') %}
 {% set project_version = tag[1] %}
 {% endif %}
-{% if fabric.tls %}
-export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/allorgs/keyfiles/{{ clipeer.org }}/peers/{{ clipeer.name }}.{{ clipeer.org }}/tls/server.key
-export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/allorgs/keyfiles/{{ clipeer.org }}/peers/{{ clipeer.name }}.{{ clipeer.org }}/tls/ca.crt
+{% if tls %}
+export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/peers/{{ clipeer.name }}.{{ clipeer.org }}/tls/server.key
+export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/peers/{{ clipeer.name }}.{{ clipeer.org }}/tls/ca.crt
 export CORE_PEER_ID={{ clipeer.name }}
 export CORE_PEER_ADDRESS={{ clipeer.name }}:7051
 export CORE_PEER_LISTENADDRESS={{ clipeer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ clipeer.name }}:7052
 export CORE_PEER_LOCALMSPID={{ clipeer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.crt
+{% endif %}
 
 # Run the peer channel create command
-cd /etc/hyperledger/allorgs/keyfiles
+cd /etc/hyperledger/fabric/artifacts/keyfiles
 {% if project_version is version_compare('1.2.0','>=') or 'stable' in project_version or project_version == 'latest' %}
 TIMEOUT=240s
 {% else %}
 TIMEOUT=240
 {% endif %}
 
 peer channel create -o {{ cliorderer.name }}:7050 -c firstchannel \
-  -f /etc/hyperledger/allorgs/keyfiles/firstchannel.tx --tls true --timeout $TIMEOUT \
-  --cafile /etc/hyperledger/allorgs/keyfiles/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem
+  -f /etc/hyperledger/fabric/artifacts/keyfiles/firstchannel.tx --tls true --timeout $TIMEOUT \
+{% if mutualtls %}
+  --clientauth \
+  --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.crt \
+  --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/tls/client.key \
+{% endif %}
+  --cafile /etc/hyperledger/fabric/artifacts/keyfiles/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem
 
 export CORE_PEER_TLS_ENABLED=true
 export GOPATH=/opt/gopath
@@ -36,36 +46,51 @@ cp ../firstcode.go $GOPATH/src/chaincode
 
 {% for peer in allpeers %}
 
-export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/allorgs/keyfiles/{{ peer.org }}/peers/{{ peer.name }}.{{ peer.org }}/tls/server.key
-export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/allorgs/keyfiles/{{ peer.org }}/peers/{{ peer.name }}.{{ peer.org }}/tls/ca.crt
+export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/peers/{{ peer.name }}.{{ peer.org }}/tls/server.key
+export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/peers/{{ peer.name }}.{{ peer.org }}/tls/ca.crt
 export CORE_PEER_ID={{ peer.name }}
 export CORE_PEER_ADDRESS={{ peer.name }}:7051
 export CORE_PEER_LISTENADDRESS={{ peer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ peer.name }}:7052
 export CORE_PEER_LOCALMSPID={{ peer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt
+{% endif %}
 
-peer channel join -b firstchannel.block
+peer channel join -b firstchannel.block {% if mutualtls %} --clientauth --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key {% endif %}
 
-peer chaincode install -n firstchaincode -v 1.0 -p chaincode
+peer chaincode install --tls {% if mutualtls %} --clientauth --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.crt --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/tls/client.key {% endif %} -n firstchaincode -v 1.0 -p chaincode
 
 {% endfor %}
 
 # Instantiate the chaincode
 echo '-------------- Instantiate chaincode'
 
 {% set chainpeer = allpeers[0] %}
-export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/allorgs/keyfiles/{{ chainpeer.org }}/peers/{{ chainpeer.name }}.{{ chainpeer.org }}/tls/server.key
-export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/allorgs/keyfiles/{{ chainpeer.org }}/peers/{{ chainpeer.name }}.{{ chainpeer.org }}/tls/ca.crt
+export CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/peers/{{ chainpeer.name }}.{{ chainpeer.org }}/tls/server.key
+export CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/peers/{{ chainpeer.name }}.{{ chainpeer.org }}/tls/ca.crt
 export CORE_PEER_ID={{ chainpeer.name }}
 export CORE_PEER_ADDRESS={{ chainpeer.name }}:7051
 export CORE_PEER_LISTENADDRESS={{ chainpeer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ chainpeer.name }}:7052
 export CORE_PEER_LOCALMSPID={{ chainpeer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/msp
+{% if mutualtls %}
+export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
+export CORE_PEER_TLS_CLIENTKEY_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.key
+export CORE_PEER_TLS_CLIENTCERT_FILE=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.crt
+{% endif %}
 
 peer chaincode instantiate -o {{ cliorderer.name }}:7050 --tls true \
-  --cafile /etc/hyperledger/allorgs/keyfiles/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem \
+{% if mutualtls %}
+  --clientauth \
+  --certfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.crt \
+  --keyfile /etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/tls/client.key \
+{% endif %}
+  --cafile /etc/hyperledger/fabric/artifacts/keyfiles/{{ cliorderer.org }}/orderers/{{ cliorderer.name }}.{{ cliorderer.org }}/msp/tlscacerts/tlsca.{{ cliorderer.org }}-cert.pem \
   -C firstchannel -n firstchaincode -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND ({{ orgmembers }})"
 
 # Query the chaincode
@@ -79,18 +104,18 @@ export CORE_PEER_ADDRESS={{ clipeer.name }}:7051
 export CORE_PEER_LISTENADDRESS={{ clipeer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ clipeer.name }}:7052
 export CORE_PEER_LOCALMSPID={{ clipeer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ clipeer.org }}/users/Admin@{{ clipeer.org }}/msp
 
 # Run the peer channel create command
-cd /etc/hyperledger/allorgs/keyfiles
+cd /etc/hyperledger/fabric/artifacts/keyfiles
 {% if project_version is version_compare('1.2.0','>=') or 'stable' in project_version or project_version == 'latest' %}
 TIMEOUT=240s
 {% else %}
 TIMEOUT=240
 {% endif %}
 
 peer channel create -o {{ cliorderer.name }}:7050 -c firstchannel \
-  -f /etc/hyperledger/allorgs/keyfiles/firstchannel.tx --timeout $TIMEOUT
+  -f /etc/hyperledger/fabric/artifacts/keyfiles/firstchannel.tx --timeout $TIMEOUT
 
 export CORE_PEER_TLS_ENABLED=false
 export GOPATH=/opt/gopath
@@ -105,7 +130,7 @@ export CORE_PEER_LISTENADDRESS={{ peer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ peer.name }}:7052
 
 export CORE_PEER_LOCALMSPID={{ peer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ peer.org }}/users/Admin@{{ peer.org }}/msp
 
 peer channel join -b firstchannel.block
 
@@ -122,7 +147,7 @@ export CORE_PEER_ADDRESS={{ chainpeer.name }}:7051
 export CORE_PEER_LISTENADDRESS={{ chainpeer.name }}:7051
 export CORE_PEER_CHAINCODELISTENADDRESS={{ chainpeer.name }}:7052
 export CORE_PEER_LOCALMSPID={{ chainpeer.org }}
-export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/msp
+export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/artifacts/keyfiles/{{ chainpeer.org }}/users/Admin@{{ chainpeer.org }}/msp
 
 peer chaincode instantiate -o {{ cliorderer.name }}:7050 \
   -C firstchannel -n firstchaincode -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ({{ orgmembers }})"