In addition to the regular method of using a username and password to log into the LIR Portal, we also offer users the option to log in with an X.509 identity certificate installed in a web browser. On Tuesday, 6 September, the RIPE NCC will deploy an update to this "Identity Certificate Login" system and at the same time implement some changes to user management.
The LIR Portal offers two authentication methods: entering a combination of regid, username and password, or using the "Identity Certificate Login" method. Under the latter option, the user generates an X.509 identity certificate, which is then installed in the user's web browser. Once this is done, the user can click the "Identity Certificate Login" link on the LIR Portal front page; the X.509 certificate will be fetched by the web browser and used to authenticate the user.
The legacy code on the server side that made this functionality work has been replaced by a new, more robust and easier to maintain platform. In addition, we made a fundamental change to the user management. In the previous system, any user could decide to generate and use an identity certificate to log in; this is an option that the LIR Portal administrator can decide on and enforce for that LIR's users. The interface for managing users has also been redesigned to be more intuitive.
Let's have a look at what has changed...
When you log in as LIR Portal administrator, you will notice is that "List Users" is now more appropriately called "Manage Users":
This option provides an overview of all users the administrator has created and their roles. Please note that all icons are accompanied by a quick reference guide at the bottom of the page, explaining their purpose. The management screen includes an option to generate an identity certificate for this user:
Selecting this option will begin the enrollment process for an identity certificate. The user will be automatically be notified by email and asked to visit a page to generate a certificate. To complete the enrollment, the user will be asked to enter the one-time password that is displayed to the LIR Portal administrator. The administrator must communicate the one-time password to the LIR Portal user via a secure channel:
This is the email that the LIR Portal user will receive to complete the process:
Hello Joe Smith,
You have been enrolled by your LIR Portal administrator for a personal identity certificate. Once installed in your web browser, the certificate will allow you to access the LIR Portal via the "Identity Certificate Login" feature.
Please note that you are still two steps away from completing the enrollment process:
1. Receive a one-time password (OTP) from your LIR Portal administrator
2. Generate your personal certificate at: https://portal.example.net/ripe/init.jsp?id=nl.bluelight.joe
For any clarification, please contact your LIR Portal administrator.
When the LIR Portal user clicks the link in the email, they will be taken through the identity certificate enrollment process. It consists of just two steps:
- Enter the one-time password they have received from the LIR Portal Administrator.
- Generate and install an X.509 identity certificate compatible with the web browser that they are using.
Now, when the LIR Portal user clicks the "Identity Certificate Login" link on the LIR Portal homepage, the web browser will fetch the identity certificate, and use it to authenticate the user. Here is an example of Firefox prompting to choose the certificate:
IMPORTANT: Please note that this functionality is highly dependent on the client side web browser and the platform it runs on. Unfortunately this means that some issues exist with this system that are beyond our control. For example, it is currently not possible to use Safari 5.1 on Mac OS X with this functionality. You can read more about it in this thread on the Apple support forums.
It is also important to note that if a user does not have an identity certificate installed, or if the identity certificate is incorrectly configured or expired, the user will simply get an error message from the browser when they click the "Identity Certificate Login" link, telling them that a secure connection to the LIR Portal server could not be established. There is no way for us to present the user with a more specific message, because a connection to the LIR Portal server simply isn't established.