13.6. Creating and Managing Users for a TPS

There are three defined roles for TPS users, which function as groups for the TPS:
  • Agents, who perform actual token management operations, such as setting the token status and changing token policies
  • Administrators, who manage users for the TPS subsystem and have limited control over tokens
  • Operators, who have no management control but are able to view and list tokens, certificates, and activities performed through the TPS
Additional groups cannot be added for the TPS.
All of the TPS subsystem users are authenticated against an LDAP directory database that contains their certificate (because accessing the TPS's web services requires certificate-based authentication), and the authentication process checks the TPS group entries — ou=TUS Agents, ou=TUS Administrators, and ou=TUS Operators — to see to which roles the user belongs, using Apache's mod_tokendb module.
Users for the TPS are added and managed through the web services pages for the TPS. Users can be easily added to any or all TPS roles.

13.6.1. Searching for Users

  1. Open the TPS services page.
  2. Click the Administrator Operations tab.
  3. Click the Search Users link.
  4. Fill in the search parameters; to list all users, do not fill in any criteria.

13.6.2. Adding Users

  1. Obtain a user certificate for the new user. Requesting and submitting certificates is explained in Chapter 4, Requesting, Enrolling, and Managing Certificates.


    A TPS administrator must have a signing certificate. The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment.
  2. Click the Add New User link in the Administrator Operations tab.
  3. Fill in the user's name and ID and paste in the certificate, without the BEGIN CERTIFICATE and END CERTIFICATE lines.
  4. Select the roles to which the user belongs. The user can only see the tabs (services pages) of the roles to which they belong.
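Added here as an illustration of step 3 above (and of step 2 in Section 13.6.5, which pastes a renewed certificate the same way); this is example code, not part of the Certificate System product. It checks that the text about to be pasted is exactly one CERTIFICATE block, strips the BEGIN CERTIFICATE and END CERTIFICATE lines, and verifies that the remaining base64 decodes to one complete DER structure. The sample PEM is constructed and is not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample input (not a real certificate): a minimal DER SEQUENCE,
# base64-encoded, wrapped in the PEM armor a CA end-entity page would show.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

_ARMOR = re.compile(r"-----(BEGIN|END) ([A-Z ]+)-----")


def der_outer_length_ok(der: bytes) -> bool:
    """True if the bytes are one complete DER SEQUENCE (tag 0x30) whose
    encoded length matches the data actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def certificate_body_for_tps(pem_text: str) -> str:
    """Return the base64 body of exactly one CERTIFICATE block, ready to
    paste into the TPS user form; raise ValueError for anything else."""
    labels = [m.group(2) for m in _ARMOR.finditer(pem_text)]
    if labels != ["CERTIFICATE", "CERTIFICATE"]:
        # Rejects missing armor, several certificates, and a PRIVATE KEY
        # block pasted by mistake into a user entry.
        raise ValueError(f"expected exactly one CERTIFICATE block, got {labels}")
    body_lines = [ln.strip() for ln in pem_text.splitlines()
                  if ln.strip() and not _ARMOR.match(ln.strip())]
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not der_outer_length_ok(der):
        raise ValueError("body does not decode to one complete DER SEQUENCE")
    return "\n".join(body_lines)
```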

13.6.3. Setting Profiles for Users

A TPS profile is much like a CA profile; it defines rules for processing different types of tokens. The profile is assigned automatically to a token based on some characteristic of the token, like the CUID. Users can only see tokens for the profiles which are assigned to them.


A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an administrator to be able to search and manage all tokens configured in the TPS, the administrator user entry should be set to All profiles. Setting specific profiles for users is a simple way to control access for operators and agents to specific users or token types.
Token profiles are sets of policies and configurations that are applied to a token. Token profiles are mapped to tokens automatically based on some kind of attribute in the token itself, such as a CUID range. Token profiles are created like other certificate profiles (as in Section 2.5.2, “Creating Custom TPS Profiles”) in the CA profile directory and are then added to the TPS configuration file, CS.cfg, to map the CA's token profile to the token type. Configuring token mapping is covered in Section 5.2.2, “Mapping Token Types to Smart Card Operation Policies”.
  1. Search for or list the users, and click the link of the user's name in the results page.
  2. Scroll to the bottom of the page, and select the profile from the drop-down menu.
    Only fifteen (15) profiles are listed in the menu; if there are more than fifteen profiles available, then the last profile is Other, which allows the administrator to type in the selected profile manually.


    If the All Profiles option is added to the user, then any other configured profiles are dropped, because they are already included in the All Profiles option.
  3. Click the Add Profile button to add the profile to the user entry.
The new profile is listed as part of the user entry attributes. Up to fifteen profiles are listed on the user entry page; if there are more than fifteen, then the profile list is paginated.

13.6.4. Changing Roles for Users

A role is just a group within the TPS. Each role can view different tabs of the TPS services pages. The role is editable, so it is possible to add and remove role assignments for a user.
A user can belong to more than one role. The default admin user, for example, belongs to all three roles.
  1. Search for or list the users, and click the link of the user's name in the results page.
  2. Near the top of the page is a series of check boxes for the different roles, Operator, Agent, and Administrator. Check the boxes to assign the roles.
  3. Click the Update button to save the new role settings.

13.6.5. Renewing TPS Agent and Administrator Certificates

Regenerating the certificate takes its original key and its original profile and request, and recreates an identical key with a new validity period and expiration date.
The TPS has a default administrative user that was created at the time the subsystem was created. A new certificate can be requested for this user when their original one expires, using one of the default renewal profiles.
Certificates for administrative users can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.
  1. Renew the user certificates through the CA's end users forms, as described in Section 4.8.2, “Certificate-Based Renewal”. This must be the same CA that first issued the certificate (or a clone of it).
    Agent certificates can be renewed by using the certificate-based renewal form in the end entities page, Self-renew user SSL client certificate. This form recognizes and updates the certificate stored in the browser's certificate store directly.


    It is also possible to renew the certificate using certutil, as described in Section 15.3.3, “Renewing Certificates Using certutil”. Rather than using the certificate stored in a browser to initiate renewal, certutil uses an input file with the original key.
  2. Paste the new certificate into the admin user's entry, as described in Section 13.6.2, “Adding Users”.

13.6.6. Deleting Users


It is possible to delete the last user account, and the operation cannot be undone. Be very careful about which user is selected for deletion.
  1. List the users, and click the link to the user to delete.
  2. Click the Delete button in the lower right of the edit page.