Federated Identity Service Certificate Download Requirements




Federated Identity Service Certificate Download Requirements Version 3.2 Exostar, LLC February 14, 2013

Table of Contents

Introduction
Purpose
FIS System Requirements
Adding Exostar as a trusted Internet Site
Internet Explorer 6.0 settings
Internet Explorer 7.0 settings
Adding Exostar as a Trusted Internet Site
System Permissions
Registry Permissions
File System Permissions
Certificate Store Permissions
Exostar ActiveX Installer
Launching the ActiveX Installer
Verify ActiveX Installation
Common Errors
Attempting to Download ActiveX components when a Website is not in the Trusted Sites Zone

Introduction

The Exostar Federated Identity Service (FIS) and Managed Access Gateway (MAG) products can be used to issue both basic and medium assurance level certificates. To provide this functionality, these products require a client-side software component that generates certificate requests and installs certificates on a client machine. This Exostar client-side component is delivered to the client machine in the form of a Microsoft ActiveX control, a Microsoft technology that packages a piece of software functionality into an easily distributable and installable unit. To support the certificate issuance functionality provided by FIS and MAG, this Exostar-signed ActiveX component must be installed on each client PC that will be used to obtain certificates.

The control is packaged for two different methods of distribution to a client PC:

- Cabinet file (CAB file) format, for download and installation via the web; and
- Microsoft Installer (MSI) format, which can be used to install the ActiveX component where ActiveX web download is not permissible.

To verify the authenticity of the CAB file, MSI and the ActiveX component, each component is signed using Exostar's code signing certificate.

Purpose

This document describes the settings required on a client machine to allow the use of the Exostar ActiveX control. It indicates the errors that may be encountered when attempting to download and install the Exostar ActiveX control on a Windows XP, Windows 2000, or Windows Vista client PC. The document also includes a section on installation via the Exostar MSI.

Note: The Exostar ActiveX control is currently supported on Windows XP, Windows 2000, Windows Vista with Service Pack 2 installed, and Windows 7.

To complete the FIS Certificate download, you may also have to review and complete the following steps:

1. Add Exostar as a trusted Internet site; and/or
2. Get appropriate system permissions from your network or security administrator; and/or
3. Install the Exostar ActiveX control.

You can access MAG by logging on to: https://portal.exostar.com. General help information is also available online at: http://www.myexostar.com/fis.aspx.

Copyright 2009 Exostar LLC. All rights reserved.

FIS System Requirements

- Windows XP, Windows 2000, Windows Vista (with SP 2 installed) and Windows 7 are supported
- Internet Explorer v 6.x, 7.x, 8 (Note: Windows does not support IE6 on Vista)
- Permissions to install an ActiveX control on the browser

Adding Exostar as a trusted Internet Site

This section describes the steps that must be performed to add Exostar to the Internet Explorer (IE) list of trusted Internet sites. The process differs between IE 6.0 and IE 7.0. Details for each version are provided below.

Note: Internet Explorer 6 is not supported on the Windows Vista OS. As such, the IE6 settings described in this section only apply when using the Exostar ActiveX component on Windows 2000 or Windows XP.

Internet Explorer 6.0 settings

This section describes the steps that must be performed to add Exostar to the Internet Explorer 6.0 list of trusted Internet sites.

1. Launch Internet Explorer.
2. Select Internet Options from the Tools menu. This will open a tabbed dialog that allows Internet Explorer settings to be viewed and modified.
3. Select the Security tab and then select the Trusted sites Web content zone by clicking on it as shown below:
4. Click the Sites... button. This will open a window that allows the entry of a trusted site. In the "Add this Web site to the zone:" edit box, add the web site https://*.exostar.com as shown below. Click the OK button to close this window and return to the Security tab. Note that this Web site may have previously been added as a trusted site, so performing this step may be unnecessary.
5. Click the Custom Level button towards the bottom of the Security tab to display the Security Settings window.
6. Follow the table below to verify, and change if needed, the settings that will allow the download and use of Exostar ActiveX controls:

| Section | Setting Name | Required Value |
|---|---|---|
| ActiveX controls and plug-ins | Allow previously unused ActiveX controls to run without prompt | |
| ActiveX controls and plug-ins | Automatic prompting for ActiveX controls | |
| ActiveX controls and plug-ins | Binary and script behaviors | |
| ActiveX controls and plug-ins | Download signed ActiveX controls | |
| ActiveX controls and plug-ins | Run ActiveX controls and plug-ins | |
| ActiveX controls and plug-ins | Script ActiveX controls marked safe for scripting | |
| Miscellaneous | Don't prompt for client certificate when no certificates or only one certificate exists | |
| Miscellaneous | Use Popup Blocker* | Disable |

NOTE: The Use Popup Blocker setting will disable popup blocking for all Web sites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar web site by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.

7. Click OK to close the zone setting dialog.
8. The Exostar MAG product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol, click the Advanced tab on the Internet Explorer options dialog, then scroll down to the Security section. Check the Use TLS setting (as shown below) if it is not already checked.

Internet Explorer 7.0, 8, 9 settings

This section describes the steps that must be performed to add Exostar to the Internet Explorer 7.0 list of trusted Internet sites.

Adding Exostar as a Trusted Internet Site

1. Launch Internet Explorer. Note: If using the Windows Vista operating system and UAC is enabled, some Internet Explorer settings cannot be changed unless you have administrator permissions. In this case, launch Internet Explorer by right-clicking on its icon and selecting Run as Administrator from the popup context menu.
2. Select Internet Options from the Tools menu or from the Tools icon on the Internet Explorer toolbar. This will open a tabbed dialog that allows Internet Explorer settings to be viewed and modified.
3. Select the Security tab and then select the Trusted sites Web content zone by clicking on it as shown below:

4. Click the Sites... button. This will open a window that allows the entry of a trusted site. In the "Add this Web site to the zone:" edit box, add the web site https://*.exostar.com as shown below. Click the OK button to close this window and return to the Security tab. Note that this Web site may have previously been added as a trusted site, so performing this step may be unnecessary.
5. Click the Custom Level button towards the bottom of the Security tab to display the Security Settings window.
6. Follow the table below to verify, and change if needed, the settings that will allow the download and use of Exostar ActiveX controls:

| Section | Setting Name | Required Value |
|---|---|---|
| ActiveX controls and plug-ins | Allow previously unused ActiveX controls to run without prompt | |
| ActiveX controls and plug-ins | Automatic prompting for ActiveX controls | |
| ActiveX controls and plug-ins | Binary and script behaviors | |
| ActiveX controls and plug-ins | Download signed ActiveX controls | |
| ActiveX controls and plug-ins | Run ActiveX controls and plug-ins | |
| ActiveX controls and plug-ins | Script ActiveX controls marked safe for scripting | |
| Miscellaneous | Don't prompt for client certificate when no certificates or only one certificate exists | |
| Miscellaneous | Use Popup Blocker* | Disable |

Note: The Use Popup Blocker setting will disable popup blocking for all Web sites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar web site by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.

On Windows Vista operating systems there is an additional setting on the security page which is used to enable or disable protected mode. For Trusted Sites, protected mode is disabled by default. To use the Exostar ActiveX control, please ensure that the Protected Mode setting is not checked.

7. The Exostar MAG product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol, click the Advanced tab on the Internet Explorer options dialog, then scroll down to the Security section. Check the Use TLS setting (as shown below) if it is not already checked.

System Permissions

This section describes the system permissions that must be granted (typically by a network or security administrator) to the logged-on user's account. Please reach out to your network or security administrator to review these permissions.

Registry Permissions

The account logged into the Windows interactive desktop must have read/write permissions to an area of the system registry that is used to maintain information about ActiveX controls. Specifically, the account must have permissions to the HKEY_CLASSES_ROOT\CLSID registry hive. Note that this hive is a mirror of the HKEY_LOCAL_MACHINE\Software\Classes hive; changes made to either hive will be reflected in the other hive. The following specific permissions must be allowed:

- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Read Control
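The Trusted sites entries, zone settings and TLS setting from the Internet Explorer sections above can also be read back from the registry. The following PowerShell script is an added example, not part of the Exostar document: it assumes PowerShell 3.0 or later and uses the standard Internet Explorer registry locations and URL-action IDs, which the document itself does not list. It only reads the current user's values and changes nothing.

```powershell
# Added example (not Exostar's code): read-only report of the current user's
# Trusted sites zone. Group Policy can override these per-user values; the
# policy keys are not read here.
$Inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Zone2 = Join-Path $Inet 'Zones\2'          # zone 2 = Trusted sites

# Settings named in the tables above, keyed by Internet Explorer URL-action ID
# (the IDs are standard IE values, not taken from the Exostar document).
$Actions = [ordered]@{
    '1208' = 'Allow previously unused ActiveX controls to run without prompt'
    '2201' = 'Automatic prompting for ActiveX controls'
    '2000' = 'Binary and script behaviors'
    '1001' = 'Download signed ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1A04' = "Don't prompt for client certificate (none or only one exists)"
    '1809' = 'Use Pop-up Blocker'
    '2500' = 'Protected Mode (Windows Vista and later)'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-TrustedZoneSetting {
    $props = Get-ItemProperty -Path $Zone2 -ErrorAction SilentlyContinue
    foreach ($id in $Actions.Keys) {
        $raw = if ($props) { $props.$id } else { $null }
        if ($null -eq $raw) {
            $text = 'not set'
        } elseif ($Meaning.ContainsKey([int]$raw)) {
            $text = $Meaning[[int]$raw]
        } else {
            $text = 'other (0x{0:X})' -f $raw   # e.g. administrator-approved
        }
        [pscustomobject]@{ Id = $id; Setting = $Actions[$id]; Value = $text }
    }
}

function Get-TrustedSiteMapping {
    param([string]$Domain = 'exostar.com')
    # https://*.exostar.com is stored as value "https" on the domain key;
    # individually added hosts appear as subkeys of that key.
    $root = Join-Path $Inet "ZoneMap\Domains\$Domain"
    if (-not (Test-Path -Path $root)) { return }
    $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
    foreach ($key in $keys) {
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{
                Key    = $key.PSChildName
                Scheme = $scheme
                Zone   = $key.GetValue($scheme)   # 2 = Trusted sites
            }
        }
    }
}

function Test-Tls10Enabled {
    # SecureProtocols is a bit mask; 0x80 is the TLS 1.0 bit.
    $item = Get-ItemProperty -Path $Inet -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: browser default applies
    return [bool]($item.SecureProtocols -band 0x80)
}

$sites = @(Get-TrustedSiteMapping)
if ($sites.Count -eq 0) {
    Write-Warning 'No exostar.com entry found in the per-user zone map.'
} else {
    $sites | Format-Table -AutoSize
}
Get-TrustedZoneSetting | Format-Table -AutoSize
"TLS 1.0 enabled for this user: $(Test-Tls10Enabled)"
```

The zone settings it reports apply to every site in the Trusted sites zone, not only to the Exostar entry, so the site mapping output is worth reviewing alongside them.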

File System Permissions

The account logged into the Windows interactive desktop must have read/write permissions to the Windows\Downloaded Program Files folder in the file system. This folder is used to store ActiveX controls downloaded by Internet Explorer.

Certificate Store Permissions

NOTE: A Microsoft-generated dialog box may appear during FIS certificate installation if the logged-on user does not have permissions to write a trusted root certificate to the system's trusted root certificate store. The user must click Yes on this dialog for FIS certificates to be installed correctly. This section provides detailed information concerning this issue.

As part of the certificate acquisition process for an FIS user, the Exostar ActiveX control will attempt to download and install one or more digital certificates in the certificate store of the user's system. Each certificate downloaded can be one of two general types:

- certificates issued to the FIS user (FIS end user certificates), which are installed in the user's personal certificate store; OR
- certificates that may be used to trace the user certificate to a trusted root authority (trusted root authority certificates), which are installed in the system's Trusted Root Certification Authorities certificate store (or Trusted Root Store for short).

Scenarios:

- If the logged-in user, i.e. the FIS user attempting to obtain an FIS certificate, does have permissions to store the trusted root authority certificates in the Trusted Root Store, then the certificate installation process will complete successfully.
- If the logged-in user, i.e. the FIS user attempting to obtain an FIS certificate, does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, then the FIS certificate download and install process can still proceed successfully; however, due to a known Microsoft issue, the process may require an additional interactive step by the user.

If the logged-in user, i.e. the FIS user, does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, then an informational dialog box may be generated by the Microsoft operating system during the certificate installation process. The Microsoft dialog box (shown below) is intended to alert the user that an attempt to install a certificate in the Trusted Root Store is being made, and allows the user to proceed with the operation or cancel it.

(Confusing Microsoft Error Message)

Due to a known Microsoft issue (documented in the Microsoft Knowledge Base article #940275), the dialog appears as shown above and does not contain the informational message that is supposed to be displayed. Instead of a blank, not so informational message, the message should appear as follows:

You are about to install a certificate from a certification authority (CA) claiming to represent: CANameCertificate_Information Do you want to install this certificate?

The missing message text makes the dialog very confusing to the end user. In order for FIS certificate installation to complete successfully, the FIS user must click the Yes button on the Microsoft dialog.

IMPORTANT: The confusing dialog box will only appear under the following conditions:

1. The logged-on user does not have permissions to store a trusted root certificate in the system's trusted root certificate store.
2. The trusted root certificate does not already exist in the trusted root store. If the certificate already exists, then no attempt to install it will be made and therefore the Microsoft dialog will not appear.

Exostar ActiveX Installer

In certain situations the FIS user may not be able to obtain some or all of the permissions needed to download and install the Exostar ActiveX XEnrollPlus control via a web browser. To handle these situations, system administrators can use a Microsoft installer based package (MSI) to install the Exostar ActiveX control. There are three versions of the installer currently available: one for Windows 2000 platforms, one for Windows XP and one for Windows Vista. Each version of the installer contains two files:

1. setup.exe: This file is used to check and report whether the local system meets the requirements to successfully run the Exostar ActiveX control, and to launch the Windows Installer to install the ActiveX control.
2. MSI extension file: This file can be run directly without running Setup.exe first. The Windows Installer will be used to install the Exostar ActiveX control.

Launching the ActiveX Installer

This section describes how to perform an Exostar ActiveX installation manually on a single desktop PC via the Exostar ActiveX installer. To install, please follow the instructions below:

1. Determine the Windows operating system of the desktop PC that the Exostar ActiveX control will be installed on.
2. If installing on a Windows Vista operating system, double-click the XEnrollPlusVistaMSI.msi file located on the distribution media.
3. If installing on a Windows XP operating system, double-click the XEnrollPlusMSI.msi file located on the distribution media.
4. If installing on a Windows 2000 operating system, double-click the XEnrollPlusWin2k.msi file located on the distribution media.
5. The Windows Installer will launch and run the Exostar ActiveX installer.
6. The following screen will appear.
7. Click the Next button to continue the installation.
8. On the next screen, select the Everyone option and then click Next. Note: The ActiveX control software will be installed in the C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control folder. Click the Browse button to select another location if desired.
9. Continue the installation process by clicking the Next button on the Confirmation page that appears. The ActiveX control will be installed in the location specified in step 7 above.
10. The following screen will appear when the installation process has completed:
11. Click the Close button.

Verify ActiveX Installation

This section describes the steps that can be performed to verify that the Exostar ActiveX control has been installed correctly (via the Exostar Installer MSI).

NOTE: The Exostar ActiveX control will not appear in the objects list shown by Internet Explorer, since the ActiveX control was not downloaded and installed via the browser.

1. Verify that the file has been installed in the OS file system. The default location for the ActiveX control is: C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control. Verify that the file exists in this folder. Note: If a different installation folder was selected during the installation process, then please verify that the control's file exists in the selected folder.
2. Optional. Verify that the control was registered in the system registry using a registry editing/viewing tool, e.g. regedit.exe.

WARNING: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Exostar cannot guarantee that these problems can be solved. View the registry at your own risk OR work with your network or security administrator.

3. Locate the registry hive: HKEY_CLASSES_ROOT\CLSID\{3AFD96BC-5BB9-4614-B0D1-AE48A331E3E2}. Under this hive find the InprocServer32 hive. The default registry key in this hive should have the following value: C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control\XEnrollPlus.dll

NOTE: This value will be different from the one shown above if another folder was selected during installation.

4. If the control is successfully installed, and the browser settings (as described earlier in this document) are set to allow the use and scripting of ActiveX controls, then no ActiveX-related errors should appear when certificate requests via the FIS application are processed.

Common Errors

Some common errors that are encountered while downloading the ActiveX controls or the certificates are listed below. Please review this section before reaching out to Exostar at: http://www.myexostar.com/contactsupport.aspx.

Attempting to Download ActiveX components when a Website is not in the Trusted Sites Zone

When a Web page refers to an ActiveX control that is not currently present on your computer, the messages and prompts that may be displayed to a user depend on a number of factors, including the Security Zone assigned to the Website, the security settings for ActiveX (as described above) for that zone, the Internet Explorer version and the operating system version. For example, Internet Explorer running on a Windows XP/SP2 platform will make use of an Information Bar to display status to the user. This section displays some of the messages that may be displayed when an attempt to download an ActiveX control occurs.

NOTE: If the Exostar website is added to the Internet Explorer Trusted Sites zone and this zone is configured as described above, then the prompts and messages displayed below will not be displayed. The intent of this section is to help troubleshoot issues when a message is displayed to the user during ActiveX download.

Issue #1: Exostar website is not in the trusted zone.

Internet Explorer will display the message below to the user. When the user clicks Close on the Information Bar warning above, they can then right-click on the Information Bar and select Install ActiveX control as shown below. The dialog below will be displayed. Clicking the Install button will cause the ActiveX control to download and install.

Issue #2: Exostar website is in the trusted zone. The "Download signed ActiveX controls" setting for this zone is set to Prompt.

Internet Explorer will display the message below to the user. Clicking the Install button will cause the ActiveX control to download and install.

Issue #3: Exostar website is in the trusted zone. The "Run ActiveX controls and plug-ins" setting for this zone is set to Prompt.

Internet Explorer will display the message below to the user. Clicking the Yes button will allow the ActiveX control to run.

Issue #4: I am trying to download the certificates and receive an error message: "The ActiveX Control is not installed or is not running. You need to install it or run it before you can proceed."

This error will be displayed when you attempt to download the digital certificates and the Exostar ActiveX control is being blocked or cannot be downloaded. The most common causes for this error are Internet Explorer settings and/or system-level permissions that are not set correctly and therefore do not allow the download and use of Exostar's ActiveX control.
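The checks in the Verify ActiveX Installation section can be scripted. This PowerShell script is an added example, not part of the Exostar document: it assumes PowerShell 3.0 or later, uses the CLSID and default path given in that section, and additionally checks the Wow6432Node registry view and the file's Authenticode signature, neither of which the document's steps cover.

```powershell
# Added example (not Exostar's code): read-only check of an MSI-based install.
# CLSID and default path are the ones given in the verification steps.
$ExostarClsid = '{3AFD96BC-5BB9-4614-B0D1-AE48A331E3E2}'
$DefaultDll   = 'C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control\XEnrollPlus.dll'

function Test-ExostarControlInstall {
    param(
        [string]$Clsid        = $ExostarClsid,
        [string]$ExpectedPath = $DefaultDll   # change if another folder was chosen
    )

    # Assumption beyond the document: on 64-bit Windows a 32-bit control is
    # registered under Wow6432Node, so both registry views are checked.
    $views = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )

    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view)) { continue }

        # The unnamed (default) value of InprocServer32 is the DLL path.
        $dll = (Get-Item -LiteralPath $view).GetValue('')
        $row = [ordered]@{
            RegistryKey     = $view
            RegisteredPath  = $dll
            MatchesExpected = ($dll -eq $ExpectedPath)   # -eq ignores case
            FileExists      = $false
            SignatureStatus = $null
            Signer          = $null
        }

        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $row.FileExists = $true
            # The document states the control is signed with Exostar's code
            # signing certificate; report the Authenticode result and the
            # signer subject so an administrator can review them.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $row.SignatureStatus = $sig.Status
            if ($sig.SignerCertificate) {
                $row.Signer = $sig.SignerCertificate.Subject
            }
        }
        [pscustomobject]$row
    }
}

$found = @(Test-ExostarControlInstall)
if ($found.Count -eq 0) {
    Write-Warning "CLSID $ExostarClsid is not registered under HKEY_CLASSES_ROOT\CLSID."
} else {
    $found | Format-List
}
```

A registered path that does not match the expected folder, a missing file, or a SignatureStatus other than Valid is a reason to stop and re-check the installation before using the control for certificate requests.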