Hi,

> I manage to enforce policy of 2 approvals required by RA Operators (4 eyes) in
> order to issue a certificate using WEBUI interface
> 
> Is it possible! Any advice!

(Almost) everything is possible with OpenXPKI ;-)

For the automatic enrollment interfaces the approval policy is located in the 
PKI Realm endpoint configuration (e. g. scep/*.yaml or rpc/*.yaml). There you 
can configure the number of "approval points" which need to be present before a 
request is approved and the certificate is issued.
The setting "approval_points" denotes the number of approvals required to 
proceed. Note that an approval point can be obtained either by an automatic check 
or by a manual approval.

For manual enrollment (via the UI) a different workflow is used, hence the 
configuration is at a different place.
If you wish to enforce the independent approval of multiple roles (e. g. two RA 
Operators must approve the request) this can be done by modifying the workflow 
configuration. Try this:

--- a/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
+++ b/config.d/realm.tpl/workflow/def/certificate_signing_request_v2.yaml
@@ -693,7 +693,9 @@ condition:
     is_approved:
         class: OpenXPKI::Server::Workflow::Condition::Approved
         param:
-            role: RA Operator
+            role:
+                - RA Operator
+                - RA Operator

     can_use_server_key:
         class: OpenXPKI::Server::Workflow::Condition::KeyGenerationMode
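
Review bot: The two identical `- RA Operator` entries under `role:` in `is_approved` only give four-eyes control if the Approved condition counts each list entry as a separate approval from a different person, and nothing in this hunk shows that. Before relying on it, test with a single RA Operator account approving the request and confirm that the workflow stays unapproved until a second operator approves. A short YAML comment above the list stating that the duplicate entry is intentional would keep a later cleanup from collapsing it back to one role and silently dropping the second approval.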

I have not checked it myself, but this should do the trick. If it does not 
work, try duplicating the "role: RA Operator" line instead, but I think I got 
it right.

Cheers

Martin


