Creating a User Account

You can browse the public content of the Registry without logging in to the Registry. However, to gain read access to private objects and write access to public objects, you must have a user account with the Registry. After you create a user account, you can perform secure operations such as publishing, modifying, and removing objects.

Creating a user account involves the following general steps:

1. Fill out a new user's details form.

2. Associate a set of credentials with the user account. You can obtain these credentials in either of two ways:

   • The Registry can generate credentials for you. This is the simpler way to obtain credentials.

   • If you have a certificate issued by a third-party certificate authority, you can use this certificate to obtain credentials. Before you can use the certificate, an administrator must install the third-party root certificates into the Application Server domain for the Registry. See To Add Root Certificates to the Trusted Certificates in the Registry Domain in Service Registry 3.1 Administration Guide for details.

To create a user account, perform the following tasks:

• To Start the User Registration Wizard

• Either To Obtain a Registry-Generated Certificate or To Use a Third-Party Certificate

• Either To Load the Certificate into the Mozilla or Firefox Browser or To Load the Certificate into the Internet Explorer Browser

• To Log In to the Registry

• Authenticating to the Registry

To Start the User Registration Wizard

1. Click the Tasks tab in the left menu area, then click Create User Account.

2. Click the Start Registration Wizard button.

3. Read the instructions under Step 1: Requirements and click Next.

4. Fill out the New User's Details form.

   You must enter data in the following fields:

   • First Name

   • Last Name

   • City

   • State or Province

   • Country (limited to two characters; use country code)

5. Click Next.

   The User Authentication Details page appears.

6. On the User Authentication Details page, select one of the following radio buttons:

   • Select Generate Key Pair and Download PKCS12 KeyStore (the default) if you want the Registry to create a certificate for you. See To Obtain a Registry-Generated Certificate for details about this task.

   • Select Upload X.509 Certificate (DER) if you want to use an existing third-party certificate. See To Use a Third-Party Certificate for details about this task.

To Obtain a Registry-Generated Certificate

Follow these steps if you selected the Generate Key Pair and Download PKCS12 KeyStore radio button on the User Authentication Details page.

1. On the User Authentication Details page, type a user name in the Alias text field.

2. Type a password in the Password and Password (repeat) text fields.

   The password must be at least 6 characters in length.

3. Type values in the following text fields:

   • Organizational Unit

   • Organization

   The Name field contains the name that you specified as the Last Name in the New User's Details form. The City, State or Province, and Country fields also contain the values you specified in the New User's Details form. These fields are not editable. If you need to make corrections in these fields, click Previous and make the corrections in the New User's Details form.

   All fields are required.

4. Click Next.

   A page labeled Step 4: Load Key to Web browser appears, with the message “New user successfully registered.”

5. Click Download.

6. In the dialog box, choose the option that allows you to save the generated certificate to disk. In the file chooser dialog, choose a directory and name for the file.

   The file must have the suffix .p12.

   The default action is to save the certificate in your home directory, in a file that is named generated-key.p12.

7. Import the generated certificate into your browser.

   See To Load the Certificate into the Mozilla or Firefox Browser or To Load the Certificate into the Internet Explorer Browser for details.

To Use a Third-Party Certificate

Follow these steps if you selected the Upload X.509 Certificate (DER) radio button on the User Authentication Details page. These steps place the certificate in the server keystore for the Registry and load the certificate into the browser.

Before You Begin

The third-party certificate must be in X.509 format. Typically, the certificate is in a file with the suffix .cer.

1. On the User Authentication Details page, click the Choose Certificate File button.

2. In the File Upload dialog box, click the Browse button to locate the file to upload, then click Upload File.

3. Click OK.

   The name of the file appears on the User Authentication Details page next to the Choose Certificate File button.

4. Click Next.

5. On the Step 4: Load Key to Web browser page, follow the instructions to import the certificate into your browser if it is not already there.

   See To Load the Certificate into the Mozilla or Firefox Browser or To Load the Certificate into the Internet Explorer Browser for details.

To Load the Certificate into the Mozilla or Firefox Browser

1. Navigate to the certificate manager window. Depending on your version of Mozilla or Firefox, the path to this window could be any of the following:

   • Edit->Preferences->Privacy & Security->Certificates->Manage Certificates

   • Edit->Preferences->Advanced->Security->View Certificates

   • Tools->Options->Advanced->Certificates->Manage Certificates

   • Tools->Options->Advanced->Encryption->View Certificates

   The certificate manager window appears, open to the Your Certificates tab.

2. In Mozilla or more recent versions of Firefox, click the Manage Certificates button. In some earlier versions of Firefox, click View Certificates.

3. Click the Import button.

4. In the File Name to Restore file chooser dialog, select the .p12 certificate file, then click Open.

5. In the Prompt dialog, type an account password for the Master Password for the Software Security Device.

   This password is specific to your browser account and is assigned by the browser profile owner. A common convention is to use the same password as the login account on the client machine.

6. In the Password Entry dialog, type the certificate password.

   This password is used to protect the client certificate. If you are using a registry-generated certificate, type the password that you specified on the User Authentication Details page.

   An Alert dialog with the message: “Successfully restored your security certificate(s) and private key(s)” appears.

7. Click OK.

8. Close the Certificate Manager and Preferences/Options dialogs.

Next Steps

After you import the certificate, you are ready to log in to the registry. See To Log In to the Registry for details.

To Load the Certificate into the Internet Explorer Browser

1. Choose Internet Options from the Tools menu.

2. Click the Content tab.

3. Click Certificates.

4. Click Import to open the Certificate Import Wizard.

5. In the Certificate Import Wizard, click Next.

6. On the File to Import page, click Browse and locate the .p12 file, then click Next.

7. On the Password page, do the following:

   1. Type the password that you specified for the certificate.

   2. Select the Mark the Key as Exportable checkbox.

   3. Do not select the Enable Strong Private Key Protection checkbox.

   4. Click Next.

8. On the Certificate Store page, choose the default, Place All Certificates in the Following Store (Personal), then click Next.

9. Click Finish.

10. Click OK in the information dialog that appears.

    The new certificate, with the first and last name you specified, appears in the Certificates window.

11. Click Close in the Certificates window.

12. Click OK in the Internet Options window.

Next Steps

After you import the certificate, you are ready to log in to the registry. See To Log In to the Registry for details.

To Log In to the Registry

After you import a certificate to the browser, you are ready to log in.

1. On the Step 4: Load Key to Web browser page, click the Finish button.

2. In the top banner area of the Web Console, click the Login button.

3. Click OK in the dialog boxes to verify the certificate.

   After you log in, an “Authentication successful.” message appears in the top banner area. In addition, the first and last names you entered appear after the Current User label in the top banner area of the Web Console, in Lastname, Firstname format.

Authenticating to the Registry

After you log in to the Registry, authentication happens transparently whenever you try to add, delete, or modify a Registry object, because any write request triggers authentication based on the client certificate loaded into your browser.

After authentication is completed, access to the Registry is over https.

When your session expires, you are no longer authenticated by the Registry. A subsequent write request prompts the Web Console to re-authenticate you.

If authentication fails, stop and restart your browser and try again. If you accidentally choose the wrong certificate and have difficulty logging in, see Login Error from Mistake in Client Certificate Selection for information on what to do.