Set different PhenixID OneTouch certificate expiry date-time based on user permissions
This document describes how to set a different PhenixID OneTouch certificate expiry date-time based on the enrolling user's permissions (group membership).
Configuration
- Backup config/phenix-store.json
- Login to Configuration Manager
- Browse to Advanced->Pipes
- Locate the pipe issuing OneTouch certificates (by default, this pipe has the description "Default pipe for issuing certificates").
(If you are not sure which pipe issues the OneTouch certificates, open config/phenix-store.json in a text editor and locate CA_CONFIGURATIONS -> the CA used for OneTouch -> the value of issue_pipe_ref.)
- Add valves to perform the logic.
In the example below, a user who is a member of the group OneTouch-1Y is provisioned a OneTouch certificate whose expiry date-time follows the OneTouch CA default expiry (by default one year). A user who is not a member of that group is provisioned a certificate that expires 8 hours after issuance (ISO 8601 duration PT8H).
(The configuration shown in bold has been added to the default config.)
Change the config to match your environment (connection_ref, base_dn, the group DN, ca_ref).
{
  "id": "22d6a0b6-93e5-4284-bd2c-415030aa46cf",
  "description": "Default pipe for issuing certificates",
  "valves": [
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "{{request.subject}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "uid",
        "value": "{{request.subject}}"
      }
    },
    {
      "name": "PropertyReplaceValve",
      "config": {
        "source": "uid",
        "token": "CN=",
        "replacement": ""
      }
    },
    {
      "name": "LDAPSearchValve",
      "enabled": "true",
      "config": {
        "connection_ref": "dcb23736-083f-458d-8700-6e731a28ffa9",
        "base_dn": "OU=Users,DC=phenixid,DC=se",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "samaccountname={{item.uid}}",
        "attributes": "memberof"
      },
      "created": "2018-03-07T12:20:05.383Z"
    },
    {
      "name": "ItemMergeValve",
      "config": {
        "dest_id": "{{request.subject}}"
      }
    },
    {
      "name": "PropertyJoinValve",
      "config": {
        "source": "memberOf",
        "separator": ";"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "not_after",
        "value": "{{request.not_after}}",
        "exec_if_expr": "flow.getPropertyValue('memberOf','').contains('CN=OneTouch-1Y,OU=Groups,DC=phenixid,DC=se')"
      }
    },
    {
      "name": "PropertyAddDateTimeValve",
      "config": {
        "name": "not_after",
        "duration": "PT8H",
        "skip_if_expr": "flow.getPropertyValue('memberOf','').contains('CN=OneTouch-1Y,OU=Groups,DC=phenixid,DC=se')"
      }
    },
    {
      "name": "CertificateIssuerValve",
      "config": {
        "dest": "certificate",
        "cert_subject_dn": "{{request.subject}}",
        "cert_subject_key": "{{request.key}}",
        "cert_serial_number": "{{request.serial_number}}",
        "cert_not_before": "{{request.not_before}}",
        "cert_not_after": "{{item.not_after}}",
        "cert_key_usage": "{{request.key_usage}}",
        "cert_ext_key_usage": "{{request.ext_key_usage}}",
        "cert_ocsp_url": "{{request.ocsp_url}}",
        "ca_ref": "da6711b0-9e84-4f80-9dd7-e5e919ef1d7c"
      }
    }
  ],
  "created": "2019-02-13T08:51:10.523Z"
}
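The two not_after valves above are complementary: exactly one of them must set item.not_after, or the CertificateIssuerValve gets an empty or wrong expiry. The following Python is an added example, not part of the article or of the PhenixID product, that mirrors that decision so the policy can be checked offline before it is deployed; the group DN, the PT8H duration and the sample timestamps are constructed to match the article's example.

```python
import re
from datetime import datetime, timedelta

# Constructed to match the article's example; change to your environment.
PRIVILEGED_GROUP_DN = "CN=OneTouch-1Y,OU=Groups,DC=phenixid,DC=se"
SHORT_LIVED_DURATION = "PT8H"  # ISO 8601 duration used by PropertyAddDateTimeValve

# Day/time subset of ISO 8601 durations (PT8H, PT30M, P1DT12H); years/months are not supported.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Convert a duration such as 'PT8H' into a timedelta; reject anything else."""
    m = _DURATION_RE.match(text)
    parts = {k: int(v) for k, v in (m.groupdict().items() if m else []) if v}
    if not m or not parts:
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def is_member(member_of: list[str], group_dn: str) -> bool:
    """Case-insensitive, whole-DN comparison of each memberOf value.

    The pipe's exec_if_expr/skip_if_expr use a substring contains() on the
    ';'-joined memberOf string; comparing whole DNs is the stricter check.
    """
    def norm(dn: str) -> str:
        return ",".join(p.strip().lower() for p in dn.split(","))
    return any(norm(dn) == norm(group_dn) for dn in member_of)


def resolve_not_after(member_of: list[str], request_not_after: str, now: str) -> str:
    """Return the ISO 8601 not_after the pipe would hand to CertificateIssuerValve.

    member_of is the LDAP memberOf attribute (empty when the user has no groups,
    matching flow.getPropertyValue('memberOf','') returning '').
    """
    if is_member(member_of, PRIVILEGED_GROUP_DN):
        # PropertyAddValve runs: keep the CA default expiry carried in the request.
        return request_not_after
    # PropertyAddDateTimeValve runs: short-lived certificate, now + PT8H.
    issued_at = datetime.fromisoformat(now)
    return (issued_at + parse_duration(SHORT_LIVED_DURATION)).isoformat()


if __name__ == "__main__":
    print(resolve_not_after([PRIVILEGED_GROUP_DN], "2025-01-01T08:00:00+00:00", "2024-01-01T08:00:00+00:00"))
    print(resolve_not_after([], "2025-01-01T08:00:00+00:00", "2024-01-01T08:00:00+00:00"))
```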