Remote Attributes

A certificate can be used standalone or with the support of a remote RAS/RSS server. When there is no Internet connection, the certificate is used in standalone mode and all authorization is carried out against the local data stored in the certificate file. When used with remote support, the authorization request is sent to the RAS/RSS and is checked against both the locally stored data and the data backed by the RAS/RSS feed.

The remote RAS/RSS server needs to keep some attributes to support authorization. These attributes are called Remote Attributes.

The remote attributes are defined in certbuf_remoteauthattributes.

certbuf_remoteauthattributes

certbuf_remoteauthattributes is a bit-mapped string that defines the following flags and options:

  • Certificate is Valid
  • Force Block It
  • Force Allow
  • Use Local AccessCode Control
  • Check Allowed WanIP
  • Check Allowed LanIP
  • Use Time Of Day
  • Allow Runtime Config

The remote attributes data is asynchronous to the certificate. A certificate is created once, but the remote attributes data associated with it can be changed from time to time. This gives the administrator real-time control on top of the rights granted by the certificate.

When the administrator wants to terminate a certificate, he can upload updated certbuf_remoteauthattributes data to the RAS/RSS in which "Certificate is Valid" is set to false. "Force Block It" is a similar option that blocks the certificate from being used.

If "Force Allow" is set to true, all other conditions are disregarded and the certificate is authorized regardless.

If "Use Local AccessCode Control" is set to true, then even when all other conditions are met, it is still necessary to call the administrator for the PassCode.

If "Check Allowed WanIP" is set to true, the RAS or RSS checks the IP address that sent the authorization request against the preset "Allowed WanIP".

If "Check Allowed LanIP" is set to true, the RAS checks the IP address that sent the authorization request against the preset "Allowed LanIP". The RSS server cannot get the LAN IP from the request and therefore does not check this attribute.
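The flag rules described above can be read as one decision function. The sketch below is an added example, not the product's own code. It assumes an 8-character '0'/'1' string with bits in the order of the list above, hypothetical names (RemoteAttr, parse_attrs, authorize), and an evaluation order for the non-forcing checks; the page does not define the encoding, and "Use Time Of Day" and "Allow Runtime Config" are not evaluated because the page gives no rule for them.

```python
from enum import IntFlag
from ipaddress import ip_address, ip_network

class RemoteAttr(IntFlag):
    # Bit positions are ASSUMED (list order on the page); the page does not define them.
    CERT_VALID = 1 << 0
    FORCE_BLOCK = 1 << 1
    FORCE_ALLOW = 1 << 2
    USE_LOCAL_ACCESSCODE = 1 << 3
    CHECK_WAN_IP = 1 << 4
    CHECK_LAN_IP = 1 << 5
    USE_TIME_OF_DAY = 1 << 6       # not evaluated below
    ALLOW_RUNTIME_CONFIG = 1 << 7  # not evaluated below

def parse_attrs(bits: str) -> RemoteAttr:
    """Parse the assumed '0'/'1' form; first character = first flag in the list."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected 8 characters of 0/1")
    value = RemoteAttr(0)
    for i, ch in enumerate(bits):
        if ch == "1":
            value |= RemoteAttr(1 << i)
    return value

def in_allowed(ip, allowed):
    """True if ip falls inside any preset network; a missing IP never matches."""
    return ip is not None and any(ip_address(ip) in ip_network(n) for n in allowed)

def authorize(bits, server, wan_ip, lan_ip=None, allowed_wan=(), allowed_lan=()):
    a = parse_attrs(bits)
    if RemoteAttr.FORCE_ALLOW in a:   # overrides every other condition
        return "allow"
    if RemoteAttr.CERT_VALID not in a or RemoteAttr.FORCE_BLOCK in a:
        return "deny"
    if RemoteAttr.CHECK_WAN_IP in a and not in_allowed(wan_ip, allowed_wan):
        return "deny"
    # Only the RAS sees the LAN IP; the RSS skips this attribute.
    if (RemoteAttr.CHECK_LAN_IP in a and server == "RAS"
            and not in_allowed(lan_ip, allowed_lan)):
        return "deny"
    if RemoteAttr.USE_LOCAL_ACCESSCODE in a:
        return "passcode-required"    # administrator must still supply the PassCode
    return "allow"
```

Because "Force Allow" is evaluated first, a record with "Certificate is Valid" cleared but "Force Allow" set still authorizes, so revoking a certificate means clearing "Force Allow" as well.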