Client registration and enrollment

Although cryptographic material for organization users can be created statically using the cryptogen tool, we must build capabilities in the middleware to dynamically create user identities and credentials, and enable those users to sign in to the network to submit transactions and query the ledger state. These operations require the mediation of users with privileged access (administrators), who must be created when fabric-ca-server is started. By default, an administrative user is given the ID admin and the password adminpw, which is what we will use for our exercise in this section. The network that we created and launched uses these defaults, and it is left to the reader to modify them in the fabric-ca-server start commands in network/docker-compose-e2e.yaml (the following is from the exporter-ca section):

fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.exporterorg.trade.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/cc58284b6af2c33812cfaef9e40b8c911dbbefb83ca2e7564e8fbf5e7039c22e_sk -b admin:adminpw -d

The steps to create a user through an administrator are as follows:

  1. Load administrative user credentials from the local storage
  2. If these credentials don't exist, enroll (sign in) the administrator with the Fabric CA server and obtain their credentials (private key and enrollment certificate)
  3. Have the administrative user register another user with a given ID, specifying roles and affiliations, with the Fabric CA server
  4. Using a secret returned upon registration, enroll the new user and obtain credentials for that user
  5. Save the credentials to the local storage

Sample code for this can be found in clientUtils.js, with the following code snippets mostly being from the getUserMember function, which takes administrator credentials, the name of the organization to which the user must be enrolled, and the name/ID of the user to enroll. A handle to a client (an instance of fabric-client, or a client object: https://fabric-sdk-node.github.io/Client.html) must also be passed to the function:

var cryptoSuite = client.getCryptoSuite();
if (!cryptoSuite) {
    cryptoSuite = Client.newCryptoSuite();
    if (userOrg) {
        cryptoSuite.setCryptoKeyStore(Client.newCryptoKeyStore({path: module.exports.storePathForOrg(ORGS[userOrg].name)}));
        client.setCryptoSuite(cryptoSuite);
    }
}

The preceding code associates the client handle with the local store, partitioned by organization, to store the credentials of the administrator and other users created on the fly:

var member = new User(adminUser);
member.setCryptoSuite(cryptoSuite);

This code ensures that the administrator user handle will be associated with our store:

var copService = require('fabric-ca-client/lib/FabricCAClientImpl.js');
var caUrl = ORGS[userOrg].ca.url;
var cop = new copService(caUrl, tlsOptions, ORGS[userOrg].ca.name, cryptoSuite);
return cop.enroll({
    enrollmentID: adminUser,
    enrollmentSecret: adminPassword
}).then((enrollment) => {
    console.log('Successfully enrolled admin user');
    return member.setEnrollment(enrollment.key, enrollment.certificate, ORGS[userOrg].mspid);
})

Here, we use the fabric-ca-client library to connect to the fabric-ca-server instance associated with a given organization (whose URL can be obtained from our config.json; for example, the caUrl for the exporter organization will be https://localhost:7054). The enroll function allows the administrator to log in with the MSP, and obtain the enrollment key and certificate.

Now that we have a handle to the administrator user in the form of the member object, we can use it to enroll a new user with the user ID, which is represented by their username, as follows:

var enrollUser = new User(username);
return cop.register({
    enrollmentID: username,
    role: 'client',
    affiliation: 'org1.department1'
}, member).then((userSecret) => {
    userPassword = userSecret;
    return cop.enroll({
        enrollmentID: username,
        enrollmentSecret: userSecret
    });
}).then((enrollment) => {
    return enrollUser.setEnrollment(enrollment.key, enrollment.certificate, ORGS[userOrg].mspid);
}).then(() => {
    return client.setUserContext(enrollUser, false);
}).then(() => {
    return client.saveUserToStateStore();
})

During registration, we can specify what the user's roles will be, which in the preceding code is client, allowing that user to submit invocations and queries to the chaincode. The affiliation specified here is one of the subdivisions within an organization that are specified in a Fabric CA server's configuration (http://hyperledger-fabric-ca.readthedocs.io/en/latest/serverconfig.html) (updating this configuration is left as an exercise to the reader; here, we will use the default affiliation). Using the returned secret, the user is now enrolled with the server, and its key and enrollment certificate are saved.

The call to client.setUserContext associates this user with the client handle, and client.saveUserToStateStore saves the user's credentials to our local store on the file system.

Similar functions to get handles to administrator users are getAdmin and getMember, also defined in clientUtils.js. The former retrieves an administrator user whose credentials were created using cryptogen, whereas the latter creates a new admin member dynamically.
