Hi Oliver, 
Thank you very much for your detailed response. I am able to revoke the
certificate by setting preset_flag_auto_approval. One more query: I also modified
the eligible section in the enroll.yaml file based on one of the threads, as below.
eligible:
    initial:
        #value@: connector:rpc.enroll.connector.intranet
        #args: '[% context.cert_subject_parts.CN.0 %]'
        value: 1
    renewal:
        value: 1
    onbehalf:
        value: 1


For auto enrollment/renewal, do I need to change the eligible section like
above if HTTPS/HTTP? Can you please throw some more light on this?
Thanks in advance.
Regards,
Mukilan

On Friday, 11 November, 2022 at 09:20:13 am GMT+1, Oliver Welter <m...@oliwel.de> wrote:
 
   
Hi Mukilan,
 
the workflow is intended to be used with TLS Client Auth and the "approval" is 
then done based on the evaluation of the "authorized_signer" part as it is 
documented for the enrollment workflow.
 
As the workflow has an "autoapproval" flag that is usually set when this is run 
internally, you can use the "preset*" magic to set this, in 
/etc/openxpki/rpc/enroll.conf append the last line as follows:

[RevokeCertificate]
workflow = certificate_revocation_request_v2
param = cert_identifier, reason_code, comment, invalidity_time
env = signer_cert, server
output = error_code
preset_flag_auto_approval = 1

This will set the parameter "flag_auto_approval" to the value of one for every
incoming call on this endpoint. You should obviously make sure that nobody can
access this endpoint address without proper authentication; otherwise anybody
with network access can revoke certificates, which is very likely not what you
want.
 
 
Oliver
 
 On 10.11.22 09:57, Mukilan P via OpenXPKI-users wrote:
  
  Thank you very much Oliver.
  
  I have gone through your reply. I need some clarity on your reply. Can you
  please share a sample enroll.yaml to enable auto approval of revocation, or the
  configuration properties to make auto approval for revocation?

  I am using plain HTTP for testing purposes.
  Regards, Mukilan
      On Wednesday, 9 November, 2022 at 09:35:26 am GMT+1, Oliver Welter 
<m...@oliwel.de> wrote:  
  
     
https://sourceforge.net/p/openxpki/mailman/message/37670844/
 
  On 07.11.22 22:40, Mukilan P via OpenXPKI-users wrote:
  
 
      Hi Experts, 
  Can you please provide a sample workflow to skip authentication/authorization
  for auto approval of revocation?
  I tried with the following sample config in /rpc/enroll.yml, but it is not
  working out.
  policy:
      # Authentication Options
      # Initial requests need ONE authentication.
      # Activate Challenge Password and/or HMAC by setting the appropriate
      # options below.

      # if set requests can be authenticated by an operator
      allow_man_authen: 0

      # if set, no authentication is required at all and hmac/challenge is
      # not evaluated even if it is set/present in the request!
      allow_anon_enroll: 1

      # Approval
      # If not autoapproved, allow operator to add approval by hand
      allow_man_approv: 0

      # if the eligibility check failed the first time
      # show a button to run a recheck (Workflow goes to PENDING)
      allow_eligibility_recheck: 0

      # Approval points required (eligibility and operator count as one point each)
      # if you set this to "0", all authenticated requests are auto-approved!
      approval_points: 0
    
  
  Regards, Mukilan  
  
  _______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
 -- 
Protect your environment -  close windows and adopt a penguin! 
 
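
Added example (not part of the original thread and not OpenXPKI project code): a small audit that lists every RPC method section whose "preset_*" keys force workflow parameters, and marks those that force flag_auto_approval, so each such endpoint can be checked for authentication at the web server. It assumes the RPC config is INI-style and readable by Python's configparser; audit_presets and the [ExampleLookup] section are hypothetical names.

```python
import configparser

# Constructed sample: [RevokeCertificate] is the section quoted in the thread,
# [ExampleLookup] is a made-up neighbour without presets.
SAMPLE_CONF = """
[RevokeCertificate]
workflow = certificate_revocation_request_v2
param = cert_identifier, reason_code, comment, invalidity_time
env = signer_cert, server
output = error_code
preset_flag_auto_approval = 1

[ExampleLookup]
workflow = example_lookup
param = common_name
output = cert_identifier
"""

TRUTHY = {"1", "true", "yes", "on"}

def audit_presets(conf_text):
    """Return one finding per method section that forces workflow parameters."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    # Keys placed before the first section header would abort parsing,
    # so wrap them in a dummy section that is never reported.
    cp.read_string("[__top__]\n" + conf_text)
    findings = []
    for method in cp.sections():
        presets = {k[len("preset_"):]: v.strip()
                   for k, v in cp[method].items() if k.startswith("preset_")}
        if not presets:
            continue
        params = [p.strip() for p in cp[method].get("param", "").split(",")]
        findings.append({
            "method": method,
            "workflow": cp[method].get("workflow"),
            "presets": presets,  # values applied to every incoming call
            "auto_approval": presets.get("flag_auto_approval", "0").lower() in TRUTHY,
            "client_params": sorted(p for p in params if p),
        })
    return findings

if __name__ == "__main__":
    for f in audit_presets(SAMPLE_CONF):
        level = "REVIEW" if f["auto_approval"] else "info"
        print(f"[{level}] {f['method']} -> {f['workflow']}: presets={f['presets']}; "
              "confirm the web server requires authentication for this endpoint")
```
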
