Hi Oliver,
Yes, I got the command from an old entry in the mailing list, because I didn't
manage to find info in the documentation.
Thanks for the clarification, now everything is working.
Regards,
Vladimir
On Wed, Jan 25, 2017 at 8:57 AM, Oliver Welter <[email protected]> wrote:
> Hi Cho,
>
> I assume you are using a recent copy of openxpki and you got this command
> from an old mailing list entry?
>
> The names of the workflows changed when we moved to 1.0, it is now simply
> "crl_issuance" and no longer I18N_.....
> Besides, the default config grants access to this workflow to Anonymous,
> so you can leave out the auth* parameters and simply say:
>
> openxpkicmd --realm ca-two crl_issuance
>
> Oliver
>
>
> On 24.01.2017 at 16:16, Cho Chan wrote:
>
>> Hi all,
>>
>> I am having some trouble trying to issue a CRL via openxpkicmd. I am
>> receiving the following error:
>>
>> 'I18N_OPENXPKI_SERVER_ACL_AUTHORIZE_WORKFLOW_CREATE_PERMISSION_DENIED'
>>
>> Full output of the command:
>>
>> $ openxpkicmd --socketfile /var/openxpki/openxpki.socket --authstack "Operator" --authuser "raop" --authpass "openxpki" --realm "ca-two" --debug I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
>> Socketfile: /var/openxpki/openxpki.socket
>> Session id: 5dc729f12a41b48ffeb51c9cc2907ef8
>> $VAR1 = {
>>   'PARAMS' => {
>>     'PKI_REALMS' => {
>>       'ca-one' => {
>>         'NAME' => 'ca-one',
>>         'DESCRIPTION' => 'CA-ONE Certification Authority',
>>         'LABEL' => 'CA-ONE Certification Authority'
>>       },
>>       'ca-two' => {
>>         'NAME' => 'ca-two',
>>         'LABEL' => 'CA-TWO Certification Authority',
>>         'DESCRIPTION' => 'CA-TWO Certification Authority'
>>       }
>>     }
>>   },
>>   'SERVICE_MSG' => 'GET_PKI_REALM'
>> };
>>
>> $VAR1 = {
>>   'PARAMS' => {
>>     'AUTHENTICATION_STACKS' => {
>>       '_System' => {
>>         'NAME' => '_System',
>>         'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_AUTH_SYSTEM',
>>         'LABEL' => '_System'
>>       },
>>       '_SmartCard' => {
>>         'DESCRIPTION' => undef,
>>         'LABEL' => '_SmartCard',
>>         'NAME' => '_SmartCard'
>>       },
>>       'User' => {
>>         'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_USER',
>>         'LABEL' => 'User',
>>         'NAME' => 'User'
>>       },
>>       'Operator' => {
>>         'LABEL' => 'Operator',
>>         'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_OPERATOR',
>>         'NAME' => 'Operator'
>>       },
>>       'Testing' => {
>>         'LABEL' => 'Testing',
>>         'DESCRIPTION' => 'This handler is used internally for testing, REMOVE IT',
>>         'NAME' => 'Testing'
>>       },
>>       'Anonymous' => {
>>         'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_STACK_DESCRIPTION_ANONYMOUS',
>>         'LABEL' => 'Anonymous',
>>         'NAME' => 'Anonymous'
>>       }
>>     }
>>   },
>>   'SERVICE_MSG' => 'GET_AUTHENTICATION_STACK'
>> };
>>
>> $VAR1 = {
>>   'SERVICE_MSG' => 'GET_PASSWD_LOGIN',
>>   'PARAMS' => {
>>     'NAME' => 'Operator Password',
>>     'DESCRIPTION' => 'I18N_OPENXPKI_CONFIG_AUTH_HANDLER_DESCRIPTION_PASSWORD'
>>   }
>> };
>>
>> $VAR1 = {
>> 'SERVICE_MSG' => 'SERVICE_READY'
>> };
>>
>> Error:
>> $VAR1 = {
>>   'LIST' => [
>>     {
>>       'PARAMS' => {
>>         '__WF_TYPE__' => 'I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE',
>>         '__ROLE__' => 'RA Operator',
>>         '__REALM__' => 'ca-two'
>>       },
>>       'LABEL' => 'I18N_OPENXPKI_SERVER_ACL_AUTHORIZE_WORKFLOW_CREATE_PERMISSION_DENIED'
>>     }
>>   ],
>>   'SERVICE_MSG' => 'ERROR'
>> };
>>
>>
>> From the logs:
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to system.server.name
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to system.server.service.default.timeout
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Node does not exist at default
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Node does not exist at default
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to system.server.session.directory
>> 2017/01/24 16:13:24 connector.DEBUG:4488 Call get in Multi to system.server.session.lifetime
>> 2017/01/24 16:13:25 openxpki.system.INFO:4488 [OpenXPKI::Service::Default (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Service/Default.pm:224)@f5d8] New session created
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to system.realms
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to system.realms
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-one.label
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-two.label
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to system.realms
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-one.label
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-one.description
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-two.label
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to system.realms.ca-two.description
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call exists in Multi to system.realms.ca-two
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get_hash in Multi to auth.handler.Operator Password.user.raop
>> 2017/01/24 16:13:25 openxpki.auth.INFO:4488 [OpenXPKI::Server::Authentication (/usr/lib/x86_64-linux-gnu/perl5/5.20/OpenXPKI/Server/Authentication.pm:269)@f5d8] Login successful using authentication stack 'Operator' (user: 'raop', role: 'RA Operator')
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get_keys in Multi to system.realms
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to workflow.def.I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE.acl.RA Operator.creator
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
>> 2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
>>
>> With the same user/pass I can issue a CRL via the web interface.
>>
>> Am I missing something?
>>
>> Thank you in advance!
>>
>> Cho
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>
> --
> Protect your environment - close windows and adopt a penguin!
>
>
>
>
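The following triage script is an added example, not part of the original thread or of OpenXPKI. It scans connector debug lines like those quoted above and separates a PERMISSION_DENIED caused by a workflow name that has no definition (the renamed-workflow case in this thread) from a lookup where the definition exists. It assumes a "Node does not exist at <name>" line directly after the ACL lookup means the workflow definition is absent; the verdict labels and the second lookup in the sample are constructed.

```python
import re

# Constructed sample modelled on the debug lines quoted in the thread
# (wrapped lines joined). The crl_issuance lookup is a made-up contrast case.
SAMPLE_LOG = """\
2017/01/24 16:13:24 connector.DEBUG:4488 Node does not exist at default
2017/01/24 16:13:25 connector.DEBUG:4488 Call get in Multi to workflow.def.I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE.acl.RA Operator.creator
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:13:25 connector.DEBUG:4488 Node does not exist at I18N_OPENXPKI_WF_TYPE_CRL_ISSUANCE
2017/01/24 16:14:02 connector.DEBUG:4488 Call get in Multi to workflow.def.crl_issuance.acl.RA Operator.creator
2017/01/24 16:14:02 connector.DEBUG:4488 Call get in Multi to system.realms.ca-two.label
"""

# ACL check for workflow creation: workflow.def.<type>.acl.<role>.creator
ACL_LOOKUP = re.compile(
    r"Call get in Multi to workflow\.def\.(?P<wf>[^.]+)\.acl\.(?P<role>.+)\.creator$"
)
MISSING = re.compile(r"Node does not exist at (?P<node>\S+)$")


def classify_acl_lookups(log_text):
    """Return one (workflow, role, verdict) tuple per ACL 'creator' lookup.

    verdict is 'unknown-workflow-type' when the lookup is followed by a
    'Node does not exist' line naming the same workflow, otherwise
    'definition-present' (whether the role is actually granted is a
    separate question this script does not answer).
    """
    results = []
    current = None  # index of the lookup still waiting for follow-up lines
    for raw in log_text.splitlines():
        line = raw.rstrip()
        lookup = ACL_LOOKUP.search(line)
        if lookup:
            results.append([lookup["wf"], lookup["role"], "definition-present"])
            current = len(results) - 1
            continue
        missing = MISSING.search(line)
        if missing and current is not None and missing["node"] == results[current][0]:
            results[current][2] = "unknown-workflow-type"
        elif not missing:
            current = None  # an unrelated line ends the follow-up window
    return [tuple(r) for r in results]


if __name__ == "__main__":
    for wf, role, verdict in classify_acl_lookups(SAMPLE_LOG):
        print(f"{verdict:22} workflow={wf} role={role}")
```
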