Hi Cho,

I assume you are using a recent copy of openxpki and you got this command from an old mailing list entry?
The names of the workflows changed when we moved to 1.0, it is now simply "crl_issuance" and no longer I18N_..... Besides, the default config grants access to this workflow to Anonymous, so you can leave out the auth* parameters and simply say:

openxpkicmd --realm ca-two crl_issuance

Oliver

On 24.01.2017 at 16:16, Cho Chan wrote:
Hi all,
I am having some trouble trying to issue a CRL via openxpkicmd. I am
receiving the following error:
'I18N_OPENXPKI_SERVER_ACL_AUTHORIZE_WORKFLOW_CREATE_PERMISSION_DENIED'
Full output of the command:
$ openxpkicmd --socketfile /var/openxpki/openxpki.socket --authstack
"Operator" --authuser "raop" --authpass "openxpki" --realm "ca-two"
--debug I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
Socketfile: /var/openxpki/openxpki.socket
Session id: 5dc729f12a41b48ffeb51c9cc2907ef8
$VAR1 = {
'PARAMS' => {
'PKI_REALMS' => {
'ca-one' => {
'NAME' => 'ca-one',
'DESCRIPTION' =>
'CA-ONE Certification Authority',
'LABEL' =>
'CA-ONE Certification Authority'
},
'ca-two' => {
'NAME' => 'ca-two',
'LABEL' =>
'CA-TWO Certification Authority',
'DESCRIPTION' =>
'CA-TWO Certification Authority'
}
}
},
'SERVICE_MSG' => 'GET_PKI_REALM'
};
$VAR1 = {
'PARAMS' => {
'AUTHENTICATION_STACKS' => {
'_System' => {
'NAME' => '_System',
'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_AUTH_SYSTEM',
'LABEL' => '_System'
},
'_SmartCard' => {
'DESCRIPTION' => undef,
'LABEL' => '_SmartCard',
'NAME' => '_SmartCard'
},
'User' => {
'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER',
'LABEL' => 'User',
'NAME' => 'User'
},
'Operator' => {
'LABEL' => 'Operator',
'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_OPERATOR',
'NAME' => 'Operator'
},
'Testing' => {
'LABEL' => 'Testing',
'DESCRIPTION' => 'This handler is used internally for testing, REMOVE IT',
'NAME' => 'Testing'
},
'Anonymous' => {
'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_ANONYMOUS',
'LABEL' => 'Anonymous',
'NAME' => 'Anonymous'
}
}
},
'SERVICE_MSG' => 'GET_AUTHENTICATION_STACK'
};
$VAR1 = {
'SERVICE_MSG' => 'GET_PASSWD_LOGIN',
'PARAMS' => {
'NAME' => 'Operator Password',
'DESCRIPTION' =>
'I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_PASSWORD'
}
};
$VAR1 = {
'SERVICE_MSG' => 'SERVICE_READY'
};
Error:
$VAR1 = {
'LIST' => [
{
'PARAMS' => {
'__WF_TYPE__' =>
'I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE',
'__ROLE__' => 'RA Operator',
'__REALM__' => 'ca-two'
},
'LABEL' =>
'I18N_OPENXPKI_SERVER_ACL_AUTHORIZE_WORKFLOW_CREATE_PERMISSION_DENIED'
}
],
'SERVICE_MSG' => 'ERROR'
};
From the logs:
2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to
system.server.name
2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to
system.server.service.default.timeout
2017/01/24 16:13:24 connector.DEBUG:4488 Node does not exist at default
2017/01/24 16:13:24 connector.DEBUG:4488 Node does not exist at default
2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to
system.server.session.directory
2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to
system.server.session.lifetime
2017/01/24 16:13:25 openxpki.system.INFO:4488
[OpenXPKI::Service::Default
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/Default.pm:224)@f5d8]
New session created
2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to
system.realms
2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to
system.realms
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-one.label
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-two.label
2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to
system.realms
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-one.label
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-one.description
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-two.label
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
system.realms.ca-two.description
2017/01/24 16:13:25 connector.DEBUG:4488 Call exists in Multi to
system.realms.ca-two
2017/01/24 16:13:25 connector.DEBUG:4488 Call get_hash in Multi to
auth.handler.Operator Password.user.raop
2017/01/24 16:13:25 openxpki.auth.INFO:4488
[OpenXPKI::Server::Authentication
(/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Authentication.pm:269)@f5d8]
Login successful using authentication stack 'Operator' (user: 'raop',
role: 'RA Operator')
2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to
system.realms
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
workflow.def.I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE.acl.RA Operator.creator
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at
I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at
I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at
I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at
I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
With the same user/pass I can issue a CRL via the web interface.
Am I missing something?
Thank you in advance!
Cho
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
-- Protect your environment - close windows and adopt a penguin!
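
Added example (not from either poster and not OpenXPKI code): a log check that separates "workflow name is not defined" from other ACL lookup misses, using the connector debug lines quoted in the thread. The sample log is constructed from those lines plus one constructed lookup with the 1.0-style name; the verdict labels and the reading of the token after "at" as the path element where the lookup stopped are assumptions.

```python
import re

# Constructed sample: mail-wrapped connector debug lines modelled on the log quoted
# in the thread, plus one constructed lookup that uses the 1.0-style workflow name.
SAMPLE_LOG = """\
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to
workflow.def.I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE.acl.RA Operator.creator
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at
I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:20:01 connector.DEBUG:4501 Call get in Multi to
workflow.def.crl_issuance.acl.Anonymous.creator
"""

TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
ACL_GET = re.compile(r"connector\.DEBUG:(?P<pid>\d+) Call get in Multi to "
                     r"workflow\.def\.(?P<wf>[^.]+)\.acl\.(?P<role>.+)\.creator$")
MISSING = re.compile(r"connector\.DEBUG:(?P<pid>\d+) Node does not exist at (?P<node>.+)$")


def unwrap(text):
    """Rejoin mail-wrapped log lines: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def classify_acl_lookups(text):
    """Return one dict per workflow-ACL lookup with a verdict on what the log shows."""
    results, pending = [], {}  # pending: pid -> most recent lookup by that process
    for rec in unwrap(text):
        m = ACL_GET.search(rec)
        if m:
            entry = {"workflow": m["wf"], "role": m["role"],
                     "verdict": "no-missing-node-logged"}
            pending[m["pid"]] = entry
            results.append(entry)
            continue
        m = MISSING.search(rec)
        if m and m["pid"] in pending:
            entry = pending[m["pid"]]
            # Assumption: the token after "at" is the path element where the lookup stopped.
            if m["node"] == entry["workflow"]:
                entry["verdict"] = "workflow-not-defined"  # stale or misspelled name
            elif entry["verdict"] == "no-missing-node-logged":
                entry["verdict"] = "missing-below-workflow"
    return results
```

A "workflow-not-defined" verdict points at the workflow name passed on the command line rather than at the role's permissions, which matches the PERMISSION_DENIED error seen with the pre-1.0 name.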
