14.4. Creating and Managing Users for a TPS

There are three defined roles for TPS users, which function as groups for the TPS:
  • Agents, who perform actual token management operations, such as setting the token status and changing token policies
  • Administrators, who manage users for the TPS subsystem and have limited control over tokens
  • Operators, who have no management control but are able to view and list tokens, certificates, and activities performed through the TPS
Additional groups cannot be added for the TPS.
All of the TPS subsystem users are authenticated against an LDAP directory database that contains their certificate (because accessing the TPS's web services requires certificate-based authentication), and the authentication process checks the TPS group entries — ou=TUS Agents, ou=TUS Administrators, and ou=TUS Operators — to see to which roles the user belongs, using Apache's mod_tokendb module.
Users for the TPS are added and managed through the Web UI or the CLI. The Web UI is accessible at https://server.example.com:8443/tps/ui/.
To use the Web UI or the CLI, the TPS administrator has to authenticate using a user certificate.

14.4.1. Listing and Searching for Users

14.4.1.1. From the Web UI

To list users from the Web UI:
  1. Click the Accounts tab.
  2. Click the Users menu item. The list of users appears on the page.
  3. To search for certain users, write the keyword in the search field and press Enter. To list all users again, remove the keyword and press Enter.

14.4.1.2. From the Command Line

To list users from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-find
To view user details from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-show username

14.4.2. Adding Users

14.4.2.1. From the Web UI

To add a user from the Web UI:
  1. Click the Accounts tab.
  2. Click the Users menu item.
  3. Click the Add button on the Users page.
  4. Fill in the user ID, full name, and TPS profile.
  5. Click the Save button.

14.4.2.2. From the Command Line

To add a user from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-add username --fullName full_name

14.4.3. Setting Profiles for Users

A TPS profile is much like a CA profile; it defines rules for processing different types of tokens. The profile is assigned automatically to a token based on some characteristic of the token, like the CUID. Users can only see tokens for the profiles which are assigned to them.

Note

A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an administrator to be able to search and manage all tokens configured in the TPS, the administrator user entry should be set to All profiles. Setting specific profiles for users is a simple way to control access for operators and agents to specific users or token types.
Token profiles are sets of policies and configurations that are applied to a token. Token profiles are mapped to tokens automatically based on some kind of attribute in the token itself, such as a CUID range. Token profiles are created like other certificate profiles (as in Editing Enrollment Profiles for the TPS) in the CA profile directory and are then added to the TPS configuration file, CS.cfg, to map the CA's token profile to the token type. Configuring token mapping is covered in Section 6.7, “Mapping Resolver Configuration”.
To manage user profiles from the Web UI:
  1. Click the Accounts tab.
  2. Click the Users menu item.
  3. Click the user name of the user you want to modify.
  4. Click the Edit link.
  5. In the TPS Profile field, enter the profile names separated by commas, or enter All Profiles.
  6. Click the Save button.
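The following is an added illustrative model, not Certificate System code, of how the role groups from Section 14.4 and the per-user TPS profile assignment above combine to limit which tokens a user can see. The CUID-prefix mapping, the token CUIDs and the user entries are constructed sample data; in a real deployment the mapping comes from the mapping resolver in CS.cfg and the group membership from the LDAP directory.

```python
# Illustrative model (added example, not Certificate System code) of TPS
# role membership plus profile-based token visibility.
from dataclasses import dataclass

ROLE_GROUPS = ("TUS Agents", "TUS Administrators", "TUS Operators")
ALL_PROFILES = "All Profiles"

# Constructed CUID-prefix -> token profile mapping; stands in for the
# mapping resolver configured in CS.cfg (assumption: prefix match).
PROFILE_BY_CUID_PREFIX = {
    "4090": "userKey",
    "4091": "soKey",
}


@dataclass
class TpsUser:
    uid: str
    groups: set          # ou=TUS ... group entries the user's DN appears in
    tps_profiles: str    # comma-separated profile names, or "All Profiles"

    def roles(self):
        """Only the three defined TPS groups count as roles."""
        return sorted(g for g in self.groups if g in ROLE_GROUPS)

    def allowed_profiles(self):
        """None means every profile ("All Profiles"), else an explicit set."""
        names = {p.strip() for p in self.tps_profiles.split(",") if p.strip()}
        return None if ALL_PROFILES in names else names


def resolve_profile(cuid):
    """Map a token CUID to its profile, or None if no rule matches."""
    for prefix, profile in PROFILE_BY_CUID_PREFIX.items():
        if cuid.startswith(prefix):
            return profile
    return None


def visible_tokens(user, tokens):
    """CUIDs the user may list: needs a TPS role and a matching profile."""
    if not user.roles():
        return []                      # not in any TPS group: no access
    allowed = user.allowed_profiles()
    return [c for c in tokens if allowed is None or resolve_profile(c) in allowed]


# Constructed sample data.
TOKENS = ["40900000000000000001", "40910000000000000002", "40900000000000000003"]
ADMIN = TpsUser("admin", {"TUS Agents", "TUS Administrators", "TUS Operators"}, "All Profiles")
AGENT = TpsUser("agent1", {"TUS Agents"}, "soKey")
OUTSIDER = TpsUser("guest", {"TUS Auditors"}, "All Profiles")
```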

14.4.4. Managing User Roles

A role is just a group within the TPS. Each role can view different tabs of the TPS services pages. The group is editable, so it is possible to add and remove role assignments for a user.
A user can belong to more than one role or group. The bootstrap user, for example, belongs to all three groups.

14.4.4.1. From the Web UI

To manage group members from the Web UI:
  1. Click the Accounts tab.
  2. Click the Groups menu item.
  3. Click the name of the group that you want to change, for example TPS Agents.
  4. To add a user to this group:
    1. Click the Add button.
    2. Enter the user ID.
    3. Click the Add button.
  5. To remove a user from this group:
    1. Select the check box next to the user.
    2. Click the Remove button.
    3. Click the OK button.

14.4.4.2. From the Command Line

To list groups from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-group-find
To list group members from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-group-member-find group_name
To add a user to a group from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-group-member-add group_name user_name
To delete a user from a group from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-group-member-del group_name user_name

14.4.5. Managing User Certificates

User certificates can be managed from the CLI:
  • To list user certificates, run:
    pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-cert-find user_name
  • To add a certificate to a user:
  1. Obtain a user certificate for the new user. Requesting and submitting certificates is explained in Chapter 5, Requesting, Enrolling, and Managing Certificates.

    Important

    A TPS administrator must have a signing certificate. The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment.
  2. Run the following command:
    pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-cert-add user_name --serial cert_serial_number
  • To remove a certificate from a user, run:
    pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-cert-del user_name cert_id

14.4.6. Renewing TPS Agent and Administrator Certificates

Renewing the certificate reuses its original key, profile, and request, and issues a new certificate for the same key with a new validity period and expiration date.
The TPS has a bootstrap user that was created at the time the subsystem was created. A new certificate can be requested for this user when their original one expires, using one of the default renewal profiles.
Certificates for administrative users can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.
  1. Renew the user certificates through the CA's end users forms, as described in Section 5.5.1.1.2, “Certificate-Based Renewal”. This must be the same CA that first issued the certificate (or a clone of it).
    Agent certificates can be renewed by using the certificate-based renewal form in the end entities page, Self-renew user SSL client certificate. This form recognizes and updates the certificate stored in the browser's certificate store directly.

    Note

    It is also possible to renew the certificate using certutil, as described in Section 16.3.3, “Renewing Certificates Using certutil”. Rather than using the certificate stored in a browser to initiate renewal, certutil uses an input file with the original key.
  2. Add the new certificate to the user and remove the old certificate as described in Section 14.4.5, “Managing User Certificates”.

14.4.7. Deleting Users

Warning

It is possible to delete the last user account, and the operation cannot be undone. Be very careful about the user which is selected to be deleted.
To delete users from the Web UI:
  1. Click the Accounts tab.
  2. Click the Users menu item.
  3. Select the check box next to the users to be deleted.
  4. Click the Remove button.
  5. Click the OK button.
To delete a user from the CLI, run:
pki -d client_db_dir -c client_db_password -n admin_cert_nickname tps-user-del user_name