Re: [OpenXPKI-users] 4 eyes to approve/issue certificate

2021-09-08 Thread Montajab Saleh
Thanks Martin,

Actually when I checked the mentioned file I found this sentence :), which
answers exactly my question

# If you want a 4-eyes approval, just add a second "RA Operator"
# e.g. "role: RA Operator, RA Operator" - you should add also
# add current approval count to the output in the relevant statesand

I did it and it works as expected,
and I hope future releases will support this idea by showing
messages/notifications in the UI interface showing approval status like:
- N Approvals are required
- Got 1 out of N approvals
THANKS

On Wed, Sep 8, 2021 at 2:43 PM Martin Bartosch via OpenXPKI-users <
openxpki-users@lists.sourceforge.net> wrote:

> Hi,
>
> > I manage to enforce policy of 2 approvals required by RA Operators (4
> > eyes) in order to issue a certificate using WEBUI interface
> >
> > Is it possible? Any advice?
>
> (Almost) everything is possible with OpenXPKI ;-)
>
> For the automatic enrollment interfaces the approval policy is located in
> the PKI Realm endpoint configuration (e. g. scep/*.yaml or rpc/*.yaml).
> There you can configure the number of "approval points" which need to be
> present before a request is approved and the certificate is issued.
> The setting "approval_points" denotes the number of approvals required to
> proceed. Note that an approval point can be obtained both by an automatic
> check or by a manual approval.
>
> For manual enrollment (via the UI) a different workflow is used, hence the
> configuration is at a different place.
> If you wish to enforce the independent approval of multiple roles (e. g.
> two RA Operators must approve the request) this can be done by modifying
> the workflow configuration. Try this:
>
> --- a/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
> +++ b/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
> @@ -693,7 +693,9 @@ condition:
>  is_approved:
>  class: OpenXPKI::Server::Workflow::Condition::Approved
>  param:
> -role: RA Operator
> +role:
> +- RA Operator
> +- RA Operator
>
>  can_use_server_key:
>  class: OpenXPKI::Server::Workflow::Condition::KeyGenerationMode
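
Review bot: The two identical "- RA Operator" entries under "role:" read like a copy-and-paste slip, so a later cleanup could collapse them back to one and silently drop the second approval. Add a YAML comment above "role:" saying that the repetition is intentional and that each entry stands for one required approval. The leading indentation is also not preserved on these lines as shown; when applying this by hand, "role:" has to stay nested under "param:" with the list items one level deeper.
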
>
> I have not checked it myself, but this should do the trick. If it does not
> work, try duplicating the "role: RA Operator" line instead, but I think I
> got it right.
>
> Cheers
>
> Martin
>
>
>
> ___
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>


-- 
*Regards*
*Montajab Saleh*


Re: [OpenXPKI-users] 4 eyes to approve/issue certificate

2021-09-08 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I manage to enforce policy of 2 approvals required by RA Operators (4 eyes) in
> order to issue a certificate using WEBUI interface
>
> Is it possible? Any advice?

(Almost) everything is possible with OpenXPKI ;-)

For the automatic enrollment interfaces the approval policy is located in the 
PKI Realm endpoint configuration (e. g. scep/*.yaml or rpc/*.yaml). There you 
can configure the number of "approval points" which need to be present before a 
request is approved and the certificate is issued.
The setting "approval_points" denotes the number of approvals required to 
proceed. Note that an approval point can be obtained both by an automatic check 
or by a manual approval.

For manual enrollment (via the UI) a different workflow is used, hence the 
configuration is at a different place.
If you wish to enforce the independent approval of multiple roles (e. g. two RA 
Operators must approve the request) this can be done by modifying the workflow 
configuration. Try this:

--- a/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
+++ b/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
@@ -693,7 +693,9 @@ condition:
 is_approved:
 class: OpenXPKI::Server::Workflow::Condition::Approved
 param:
-role: RA Operator
+role:
+- RA Operator
+- RA Operator

 can_use_server_key:
 class: OpenXPKI::Server::Workflow::Condition::KeyGenerationMode
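
Review bot: The new "role:" list names the same role twice, and nothing in this hunk shows whether the two approvals have to come from two different people. Before relying on this for 4-eyes control, test in the UI that one RA Operator approving the same request twice does not satisfy "is_approved", and record the result next to the condition. The file sits under config.d/realm.tpl, so also confirm that the realm actually in use reads this workflow definition.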

I have not checked it myself, but this should do the trick. If it does not 
work, try duplicating the "role: RA Operator" line instead, but I think I got 
it right.

Cheers

Martin





[OpenXPKI-users] 4 eyes to approve/issue certificate

2021-08-31 Thread Montajab Saleh
Hi,

I manage to enforce policy of 2 approvals required by RA Operators (4 eyes)
in order to issue a certificate using WEBUI interface

Is it possible? Any advice?

Thanks

-- 
*Regards*
*Montajab Saleh*