Thanks Martin,
Actually when I checked the mentioned file I found this sentence :), which
answers exactly my question
# If you want a 4-eyes approval, just add a second "RA Operator"
# e.g. "role: RA Operator, RA Operator" - you should add also
# add current approval count to the output in the relevant states
and I did it and it works as expected.
I hope future releases will support this idea by showing
messages/notifications in the UI interface showing the approval status, like:
- N Approvals are required
- Got 1 out of N approvals
THANKS
On Wed, Sep 8, 2021 at 2:43 PM Martin Bartosch via OpenXPKI-users <
openxpki-users@lists.sourceforge.net> wrote:
> Hi,
>
> > I manage to enforce policy of 2 approvals required by RA Operators (4
> > eyes) in order to issue a certificate using WEBUI interface
> >
> > Is it possible! Any advice!
>
> (Almost) everything is possible with OpenXPKI ;-)
>
> For the automatic enrollment interfaces the approval policy is located in
> the PKI Realm endpoint configuration (e. g. scep/*.yaml or rpc/*.yaml).
> There you can configure the number of "approval points" which need to be
> present before a request is approved and the certificate is issued.
> The setting "approval_points" denotes the number of approvals required to
> proceed. Note that an approval point can be obtained both by an automatic
> check or by a manual approval.
>
> For manual enrollment (via the UI) a different workflow is used, hence the
> configuration is at a different place.
> If you wish to enforce the independent approval of multiple roles (e. g.
> two RA Operators must approve the request) this can be done by modifying
> the workflow configuration. Try this:
>
> --- a/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
> +++ b/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
> @@ -693,7 +693,9 @@ condition:
> is_approved:
> class: OpenXPKI::Server::Workflow::Condition::Approved
> param:
> -role: RA Operator
> +role:
> +- RA Operator
> +- RA Operator
>
> can_use_server_key:
> class: OpenXPKI::Server::Workflow::Condition::KeyGenerationMode
>
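Review bot: the added `role:` list under `param:` of `is_approved` repeats `RA Operator` with nothing saying the repetition is deliberate, so a later editor could take the second entry for a copy-paste slip and remove it, silently returning the workflow to a single approval. Put a comment above `role:` stating that the repeated entry is what enforces the second approval. The lines are also shown here without their leading whitespace, so the indentation under `param:` has to be restored by hand when the change is applied to the YAML file. The hunk does not show whether `OpenXPKI::Server::Workflow::Condition::Approved` requires the two approvals to come from different operators; confirm in a test realm that one operator approving twice does not satisfy the condition before relying on this as a 4-eyes control.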
> I have not checked it myself, but this should do the trick. If it does not
> work, try duplicating the "role: RA Operator" line instead, but I think I
> got it right.
>
> Cheers
>
> Martin
>
>
>
> ___
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
--
*Regards*
*Montajab Saleh*