Registrar: user management in the portal #93

Open
vohmar opened this issue Jan 16, 2018 · 7 comments
Labels: enhancement (New feature or request)

Contributor

vohmar commented Jan 16, 2018

The goal is to enable registrars to manage their own users and their access:

  • add/remove users
  • set user access rights (billing, epp, both)
  • set expiration date for access
  • manage IP whitelist to enable access to the portal
  • manage PKI certificates (view (alarm when expiration date is approaching and when it has arrived), create, sign, revoke, remove)

The registrar user that has privileges to manage the registrar's users must be added only using the admin interface (is super user); this should preferably be the accredited user. Users added using the portal for registrars do not have access to user management functionality.

@vohmar vohmar added the enhancement New feature or request label Jan 16, 2018
@vohmar vohmar transferred this issue from internetee/registry Apr 26, 2023
Contributor Author

vohmar commented Apr 26, 2023

As a first step we should just list the data in the registrar portal - users of the registrar (username, status (active: true/false), permissions (super/epp/billing) and certificate info (incl. validity)).

Also it would be good to list the whitelisted IPs of the registrar

Contributor Author

vohmar commented May 23, 2023

For listing and managing registrar users, access certificates and allowed IP addresses I propose using the profile view accessible by clicking on the logged-in user name in the top right corner of the registrar portal view. In the account view let's use the second column for this functionality: 1st block for users and certificates and 2nd block for IP addresses.

There is the "linked users" block in this column - that has almost no use in a production environment and is mostly for testing. Let's move this block to the first column below the Balance Auto-Reload block and if possible display it only if the logged-in user has associations with multiple registrars - so there are multiple accounts to switch between.

As a result there are three blocks in the first column: Details, Balance Auto-Reload, Linked users
And two blocks in the second column: API users (username, status (active: true/false), permissions (super/epp/billing) and certificate info (incl. validity)) and Allowed IPs (IP address, interface)

Contributor Author

vohmar commented May 30, 2023

IP address management:

  • list allowed ip addresses (ip address, interfaces (API, Billing, Registrar full)). Billing is the same as registrar today and Registrar full is api+billing. Same approach as with user permissions
  • add new ip: single text box and interface selection (drop box perhaps?) - I will create a separate ticket for IP address counting
  • add info text / bullet for ip address field with text
    • en: "You can enter a single IP or a network, and an IPv4 or IPv6 address. Keep in mind that the number of allowed IP addresses is limited as set in the registrar agreement"
    • et: "Sisestada saab nii üksikut IP kui võrgu aadressi ning IPv4 või IPv6 aadressi. Pea meeles, et lubatud IP aadresside arve on piiratud vastavalt registrilepingus sätestatule"

Contributor Author

vohmar commented May 30, 2023

Cert management:

  • certs are user specific
  • one active cert allowed at a time? (old certificate auto-revoked when new takes effect)
  • certificates are signed by registry admin
  • two options in the portal: request and renew certificate
  • Request certificate has two options: with and without CSR (certificate signing request) file
    • with csr only certificate is made available for the user
    • without csr user gets a p12 file and, just in case, a zip file containing the certificate, ca certificate and key file
      • both p12 and zip file are password protected with the user password
  • Renew certificate creates a new certificate and does not require a csr,
    • if the original certificate was created without csr new certificate is generated with new ca cert and key (same as request new)
    • if original was created with csr then new is created based on the same csr
  • certificate creation and renewal is not automatic - message/alert is created for the registry admin, admin will create the certs in admin interface as they are created now and the certificates need to be made available via registrar portal under each user

user flows:

  • Registrar's super user adds new certificate request to a new user.
    1. Super user clicks on freshly created user to open detailed view of the user
    2. Super user clicks on create button in the Certificates section
    3. Super user selects csr file from local disk
    4. Super user clicks on request certificate button
    5. Registry admin gets a notification about new certificate request
    6. Registry admin clicks on the link in the notification, logs into registry admin interface and is directed to the user profile that the certificate request was created for
    7. Registry admin creates the certificate using "offline" ca certificate and the csr file
    8. Registry admin uploads the certificate file to the user profile
    9. Super user gets notification about the availability of the certificate
    10. Super user downloads the certificate
    11. Registrar creates the p12 container if necessary (required for registrar portal access - install certificate to browser)
    12. User is able to use the certificate / p12 certificate container to access .ee registry via epp or registrar portal
  • User requests new certificate. The initial certificate was created without the csr - registry has the cert, ca cert and the key
    1. User clicks on their username in the top right of the registrar portal to access their profile view
    2. User clicks on an existing certificate
    3. User clicks on renew button
    4. Registry admin gets a notification about new certificate request
    5. Registry admin clicks on the link in the notification, logs into registry admin interface and is directed to the user profile that the certificate request was created for
    6. Registry admin creates new certificate using local "offline" ca certificate and local key
    7. Registry admin creates p12 container with the certificate, ca certificate and the key file and protects it with the user's password
    8. Registry admin creates zip container with the certificate, ca certificate and the key file and protects it with the user's password
    9. Registry admin uploads p12 and zip file to the user profile
    10. Old certificate is set to be auto-revoked in 7 days???
    11. User gets notification about the availability of the certificate
    12. User downloads the p12 file and installs it to their browser's key repository
    13. User is able to access the registrar portal with the new certificate

@maricavor maricavor self-assigned this May 30, 2023

ratM1n commented May 31, 2023

About certificates... I think that we agreed that all certificates will be approved/signed manually by us, and we will have a possibility to prepare the certificate beforehand and the registrar can just download it without doing anything else. This way the process will be more secure.

Contributor Author

vohmar commented Jul 4, 2023

We need to modify the IP management part a bit

  • let's change the type selection to one or the other, similarly to IPv4/IPv6, so the user can specify only one type for each record (if they want to access the API and the portal from the same IP they would have to enter the IP twice) - this would make the next two points more manageable
  • send an email message to EIS admins when user adds or removes an ip address effective for APIs
  • notify user with popup message when they add or remove an ip address effective for APIs. Message: "The changes related to EPP/REPP APIs need to be reviewed and approved by registry admins that can take up to 2 working days. Are you sure you want to proceed?"

Contributor Author

vohmar commented Jul 6, 2023

We need to notify the portal user when the API IP change has been committed. I propose adding a checkbox to the registry admin IP allow list labeled "committed". In case the IP record is entered in the admin interface or the record type is registrar, this should be auto-checked. If a record with API type is added or edited in the registrar portal, the record is created unchecked, or the checkbox is cleared in case of an update. When the admin checks the box in admin, an email is sent to the api user that created the request in the registrar portal.
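
The allow-list rules proposed in the Jul 4 and Jul 6 comments, sketched as an added Ruby example (not code from this thread or from the registry project). The names `AllowEntry`, `AllowList`, `:api` and `:registrar` are hypothetical, and treating an uncommitted record as not yet granting access is an assumption drawn from the "reviewed and approved" wording.

```ruby
require 'ipaddr'

# Hypothetical model; one interface type per record, as proposed on Jul 4.
AllowEntry = Struct.new(:net, :interface, :committed)

class AllowList
  INTERFACES = %i[api registrar].freeze

  def initialize
    @entries = []
  end

  # source is :portal or :admin. API records created in the portal start
  # uncommitted; admin-entered or registrar-type records are auto-committed.
  def add(cidr, interface, source:)
    raise ArgumentError, "unknown interface #{interface}" unless INTERFACES.include?(interface)

    net = IPAddr.new(cidr) # single IP or network, IPv4 or IPv6
    entry = AllowEntry.new(net, interface, auto_committed?(interface, source))
    @entries << entry
    entry
  end

  # Editing an API record from the portal clears the "committed" checkbox.
  def update(entry, cidr, source:)
    entry.net = IPAddr.new(cidr)
    entry.committed = auto_committed?(entry.interface, source)
    entry
  end

  # Registry admin ticks the "committed" checkbox after review.
  def commit(entry)
    entry.committed = true
  end

  # Assumption: only committed records of the matching interface grant access.
  def allowed?(ip, interface)
    addr = IPAddr.new(ip)
    @entries.any? do |e|
      e.committed && e.interface == interface &&
        e.net.family == addr.family && e.net.include?(addr)
    end
  rescue IPAddr::Error
    false # unparsable client address never matches
  end

  private

  def auto_committed?(interface, source)
    source == :admin || interface == :registrar
  end
end
```
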
