Eurex Clearing. Clearing Web GUI Access Guide. Access to Clearing Web GUI Systems. C7 Derivatives Clearing GUI. EurexOTC Clear GUI

Eurex Clearing Clearing Web GUI Access Guide Access to Clearing Web GUI Systems C7 Derivatives Clearing GUI EurexOTC Clear GUI EurexOTC Clear Margin Calculator GUI Securities Clearing GUI Date 21 March 2016

Eurex 2016 Deutsche Börse AG (DBAG), Clearstream Banking AG (Clearstream), Eurex Frankfurt AG, Eurex Clearing AG (Eurex Clearing) as well as Eurex Bonds GmbH (Eurex Bonds) and Eurex Repo GmbH (Eurex Repo) are corporate entities and are registered under German law. Eurex Zürich AG is a corporate entity and is registered under Swiss law. Clearstream Banking S.A. is a corporate entity and is registered under Luxembourg law. U.S. Exchange Holdings, Inc. and International Securities Exchange Holdings, Inc. (ISE) are corporate entities and are registered under U.S. American law. Deutsche Boerse Asia Holding Pte. Ltd., Eurex Clearing Asia Pte. Ltd. and Eurex Exchange Asia Pte. Ltd are corporate entities and are registered under Singapore law. Eurex Frankfurt AG (Eurex) is the administrating and operating institution of Eurex Deutschland. Eurex Deutschland and Eurex Zürich AG are in the following referred to as the Eurex Exchanges. All intellectual property, proprietary and other rights and interests in this publication and the subject matter hereof (other than certain trademarks and service marks listed below) are owned by DBAG and its affiliates and subsidiaries including, without limitation, all patent, registered design, copyright, trademark and service mark rights. While reasonable care has been taken in the preparation of this publication to provide details that are accurate and not misleading at the time of publication DBAG, Clearstream, Eurex, Eurex Clearing, Eurex Bonds, Eurex Repo as well as the Eurex Exchanges and their respective servants and agents (a) do not make any representations or warranties regarding the information contained herein, whether express or implied, including without limitation any implied warranty of merchantability or fitness for a particular purpose or any warranty with respect to the accuracy, correctness, quality, completeness or timeliness of such information, and (b) shall not be responsible or liable for any third party s use of any information contained herein under any circumstances, including, without limitation, in connection with actual trading or otherwise or for any errors or omissions contained in this publication. This publication is published for information purposes only and shall not constitute investment advice respectively does not constitute an offer, solicitation or recommendation to acquire or dispose of any investment or to engage in any other transaction. This publication is not intended for solicitation purposes but only for use as general information. All descriptions, examples and calculations contained in this publication are for illustrative purposes only. Eurex and Eurex Clearing offer services directly to members of the Eurex exchanges respectively to clearing members of Eurex Clearing. Those who desire to trade any products available on the Eurex market or who desire to offer and sell any such products to others or who desire to possess a clearing license of Eurex Clearing in order to participate in the clearing process provided by Eurex Clearing, should consider legal and regulatory requirements of those jurisdictions relevant to them, as well as the risks associated with such products, before doing so. Eurex derivatives are currently not available for offer, sale or trading in the United States or by United States persons (other than EURO STOXX 50 Index Futures, EURO STOXX 50 ex Financials Index Futures, EURO STOXX Select Dividend 30 Index Futures, EURO STOXX Index Futures, EURO STOXX Large/Mid/Small Index Futures, STOXX Europe 50 Index Futures, STOXX Europe 600 Index Futures, STOXX Europe 600 Banks/Industrial Goods & Services/Insurance/Media/Travel & Leisure/Utilities Futures, STOXX Europe Large/Mid/Small 200 Index Futures, Dow Jones Global Titans 50 IndexSM Futures (EUR & USD), DAX /Mini-DAX /MDAX /TecDAX Futures, SMIM Futures, SLI Swiss Leader Index Futures, MSCI World (FMWO, FMWP, FMWN)/Europe (FMEU, FMEP)/ Europe Value/Europe Growth/Emerging Markets (FMEM, FMEF, FMEN)/Emerging Markets Latin America/Emerging Markets EMEA/Emerging Markets Asia/China Free/India/Japan/Malaysia/South Africa/Thailand/AC Asia Pacific ex Japan Index Futures, TA-25 Index Futures, Daily Futures on TAIEX Futures, VSTOXX Futures, Gold and Silver Futures as well as Eurex FX, property and interest rate derivatives). Trademarks and Service Marks Buxl, DAX, DivDAX, eb.rexx, Eurex, Eurex Bonds, Eurex Repo, Eurex Strategy WizardSM, Euro GC Pooling, FDAX, FWB, GC Pooling,,GCPI, MDAX, ODAX, SDAX, TecDAX, USD GC Pooling, VDAX, VDAX-NEW and Xetra are registered trademarks of DBAG. All MSCI indexes are service marks and the exclusive property of MSCI Barra. ATX, ATX five, CECE and RDX are registered trademarks of Vienna Stock Exchange AG. IPD UK Annual All Property Index is a registered trademark of Investment Property Databank Ltd. IPD and has been licensed for the use by Eurex for derivatives. SLI, SMI and SMIM are registered trademarks of SIX Swiss Exchange AG. The STOXX indexes, the data included therein and the trademarks used in the index names are the intellectual property of STOXX Limited and/or its licensors Eurex derivatives based on the STOXX indexes are in no way sponsored, endorsed, sold or promoted by STOXX and its licensors and neither STOXX nor its licensors shall have any liability with respect thereto. Dow Jones, Dow Jones Global Titans 50 IndexSM and Dow Jones Sector Titans IndexesSM are service marks of Dow Jones & Company, Inc. All derivatives based on these indexes are not sponsored, endorsed, sold or promoted by Dow Jones & Company, Inc. Dow Jones & Company, Inc. does not make any representation regarding the advisability of trading or of investing in such products. Bloomberg Commodity IndexSM and any related sub-indexes are service marks of Bloomberg L.P. All references to London Gold and Silver Fixing prices are used with the permission of The London Gold Market Fixing Limited as well as The London Silver Market Fixing Limited, which for the avoidance of doubt has no involvement with and accepts no responsibility whatsoever for the underlying product to which the Fixing prices may be referenced. PCS and Property Claim Services are registered trademarks of ISO Services, Inc. Korea Exchange, KRX, KOSPI and KOSPI 200 are registered trademarks of Korea Exchange Inc. Taiwan Futures Exchange and TAIFEX are registered trademarks of Taiwan Futures Exchange Corporation. Taiwan Stock Exchange, TWSE and TAIEX are the registered trademarks of Taiwan Stock Exchange Corporation. BSE and SENSEX are trademarks/service marks of Bombay Stock Exchange (BSE) and all rights accruing from the same, statutory or otherwise, wholly vest with BSE. Any violation of the above would constitute an offence under the laws of India and international treaties governing the same. The names of other companies and third party products may be trademarks or service marks of their respective owners.

Introduction Table of Contents 1. Introduction... 4 1.1 Intended Audience... 4 1.2 Connectivity... 4 1.3 Enhanced security features... 4 1.3.1 Network security... 4 1.4 Browser requirements... 5 1.5 Delete certificates generated before April 15 th, 2015... 6 2. Access setup two-factor authentication process... 7 2.1 1st factor: Certificate authentication... 7 2.1.1 Step 1: Fill out the certificate request form... 8 2.1.2 Step 2: Create a certificate request... 8 2.1.3 Step 3: Send to Customer Technical Support... 8 2.1.4 Step 4: Download the file with the signed certificate from the Member Portal... 8 2.1.5 Step 5: Merge the signed certificate file with the private key... 10 2.1.6 Step 6: Install the certificate into web browser... 10 2.1.7 Step 7: Access GUI... 12 2.2 2 nd factor: User Login to Eurex Clearing GUIs... 12 2.2.1 Change of password during first login... 12 2.2.2 Logout from Eurex Clearing GUIs... 13 2.3 Access revocation... 13 3. 4. 5. Appendix A URL overview... 14 Appendix B Support information... 15 Appendix C OpenSSL usage for option CSR... 17 5.1 General information for option CSR... 17 5.2 Download OpenSSL... 17 5.3 Create Private Key... 17 5.4 Create a certificate signing request (CSR)... 18 5.5 Merge the signed Certificate with the private key... 19 6. Appendix D Browser setup details... 20 6.1 Internet Explorer... 20 6.2 Firefox... 22 6.3 Google Chrome... 25 7. Change log... 28 Access Guide New Clearing GUI Web Systems Page 3

Introduction 1. Introduction This document describes the required technical measures to be able to login and use the Eurex Clearing GUIs. C7 Derivatives Clearing GUI EurexOTC Clear GUI EurexOTC Clear Margin Calculator GUI Securities Clearing GUI 1.1 Intended Audience For a successful setup the Member s IT department should take note of this document. 1.2 Connectivity Basically, access to the Eurex Clearing GUIs is available via Internet GUI channel on leased lines To access the C7 Derivatives Clearing GUI it is necessary to request access to C7 beforehand. All details (Technical access / Interfaces to Eurex Clearing / Clearing system usage fees) can be found on the Eurex Clearing webpage: http://www.eurexclearing.com > Technology > Connectivity alternatives 1.3 Enhanced security features For the Clearing Web GUI a two factor authentication is implemented (see Chapter Access setup two-factor authentication process for more details): 1st factor: Certificate authentication - used to secure the connection between the Member and Eurex Clearing on a Business Unit level (MemberID level). The certificates are also used to distinguish between the simulation and production environments. 2nd factor: Username and password authentication - used to login to the Eurex Clearing Web GUI Services (UserID level). For the C7 Service, a third factor is implemented as well, which is based on network addresses. 1.3.1 Network security The feature is currently completely configurable and activated only for the C7 Derivatives Clearing GUI. Internet access: Per default any user of the given Member is permitted to access the application from any IP address. If the Member wants to restrict the default access, a list of IP addresses can be entered in the Member Section. Then it will only be possible to access the application from these explicitly stated IP addresses. Internet access for the given Member can be completely blocked by setting the corresponding radio-button. For the connection via Internet the Member can choose one of the following options: Access Guide New Clearing GUI Web Systems Page 4

Introduction Allow Internet access without restrictions (default) Completely disable Internet access Allow Internet access for certain IP addresses given by the Member Leased Line access: Eurex Clearing allows access from the Member leased line networks and from any associated Service Provider respectively. For the connection via leased line the GUI is checking the incoming IP address against the known network information for the corresponding Member. In case a Member connects through a Service Provider, the IP address is also checked against the known networks of the Service Provider. This implies that any Service Provider relationship needs to be maintained correctly in the Member Section if the Member is accessing any of the Eurex Clearing GUIs via the network of a Service Provider. The relationships can be registered via "Technical Connection / Requests & Configuration / New Request / Provider / New Provider / GUI Channel". 1.4 Browser requirements In order to connect successfully to the Eurex Clearing GUIs and to ensure a smooth service it is recommended to use one of the following web browsers to connect to the GUI: Windows 7: IE 11.0 (or higher) or Firefox Latest ESR (extended support release). Usage of Firefox is strongly recommended. Linux: Firefox Latest ESR (enterprise service release) Note: C7 Derivatives Clearing GUI also supports Google Chrome on best effort basis. The required browser settings are: Enable session cookie handling Allow JavaScript execution Support security protocols TLS 1.0, TLS 1.1 and TLS 1.2 Access Guide New Clearing GUI Web Systems Page 5

Introduction IT-Security Patches are highly recommended. Note: See Appendix D Browser setup details for further information about browser settings. Note: The network proxy settings must be configured according to the local network rules given at the Member-side. 1.5 Delete certificates generated before April 15 th, 2015 Already uploaded, self-signed certificates which are used for one of the Eurex Clearing GUIs can still be used. Anyhow, we strongly recommend replacing them with new certificates which are signed by Gruppe Deutsche Boerse CA. Certificates signed by Gruppe Deutsche Boerse CA will be required in the future to use additional features. This means, the User ID Configuration section will eventually become obsolete. To delete self-signed certificates Technical User Administrators follow these steps: 1. Log in to the Member Portal https://member.eurexclearing.com 2. Click on Technical Connection 3. Select Technical User Administration 4. Select Eurex Clearing GUIs 5. Select the tab UserID Configuration 6. Mark the user ID by CN 7. Click Button Delete User to delete the certificate Access Guide New Clearing GUI Web Systems Page 6

Access setup two-factor authentication process 2. Access setup two-factor authentication process The two-factor authentication process requires the usage of client certificates to establish and ensure an encrypted and exclusive connection between the Clearing Member and Eurex Clearing. Certificate authentication is required for both Internet and Leased Line access. Every Member may use only one certificate per Member ID to allow many users to authenticate by installing the same certificate into many users web browsers. However, Members may use more than one certificate according to their compliance requirements. An example would be a short term certificate for temporary user group, that needs to be revoked earlier than other certificates. Additionally, every single user of a Member has to authenticate himself individually by providing his individual username and password (UserID) in order to be able to log into the GUI. 2.1 1st factor: Certificate authentication To request a certificate fill out the certificate request form (downloadable from www.eurexclearing.com) and send it to ClearingCertificates@eurexclearing.com. There are two options to gain a valid certificate OBCR on behalf certificate request CSR self created certificate request (see Appendix C OpenSSL usage for details) OBCR on behalf certificate request means to request a certificate from Eurex Clearing which can be downloaded from Member Section and imported into the web browser(s). The certificate file contains an encrypted private key. CSR self created certificate request means to generate a private key and create a certificate signing request (CSR) which is sent to Eurex Clearing for signing. The file with the signed certificate can be downloaded from the Member Section and has to be merged with the private key. After that it can be imported into the web browser(s). Both options have to be proceeded accordingly following those steps: Ste p OBCR CSR 1 Fill out the certificate request form (see Chapter 2.1.1) 2 - Create a certificate request (see Chapter 5) 3 Send the certificate request form to ClearingCertificates@eurexclearing.com (see Chapter 2.1.3) Send the certificate request form including the CSR to ClearingCertificates@eurexclearing.com (see Chapter 2.1.3) 4 Download the file with the signed certificate (see Chapter 2.1.4) 5 - Merge certificate file with private key (see Chapter 5.5) 6 Install certificate to browser(s) (see Chapter 2.1.6) 8 Access the GUI (see Chapter 2.1.7) IMPORTANT: No login to the GUI is yet possible as username and password are required for a successful login! Access Guide New Clearing GUI Web Systems Page 7

Access setup two-factor authentication process 2.1.1 Step 1: Fill out the certificate request form OBCR Required CSR Required OBCR: Fill out the certificate request form. The request form can be obtained via http://www.eurexclearing.com > Resources > Forms > Search Term Eurex Clearing GUI Certificate Request/Revocation Form or from ClearingCertificates@eurexclearing.com CSR: Fill out the certificate signing request form. The request form can be obtained from ClearingCertificates@eurexclearing.com 2.1.2 Step 2: Create a certificate request OBCR Not Required CSR Required In case of a CSR self created certificate request create a CSR. See Chapter 5 for more information on how to create a CSR. 2.1.3 Step 3: Send to Customer Technical Support OBCR Required CSR Required OBCR: Send the certificate request form to ClearingCertificates@eurexclearing.com CSR: Send the certificate signing request form together with the CSR as attachment to ClearingCertificates@eurexclearing.com 2.1.4 Step 4: Download the file with the signed certificate from the Member Portal OBCR CSR Required Required Follow these steps to download the (signed) certificate from the Member Section 1. Log in to the Member Section https://member.eurexclearing.com 2. Click on Technical Connection 3. Select Request & Configuration 4. Select the WebGUI Installation with the syntax <Business Partner ID> - Web GUI Access-1 5. Select the certificate by CN on the right side of the window 6. Download the certificate file Access Guide New Clearing GUI Web Systems Page 8

Access setup two-factor authentication process Access Guide New Clearing GUI Web Systems Page 9

Access setup two-factor authentication process 2.1.5 Step 5: Merge the signed certificate file with the private key OBCR Not Required CSR Required See Chapter 5 for more information on how to merge the signed CSR with the private key. 2.1.6 Step 6: Install the certificate into web browser OBCR Required CSR Required Firefox: Tools > Options > Advanced > Certificates: View Certificates > Your Certificates > Import (see Screenshot) Internet Explorer: Tools > Internet Options > Content > Certificates > Personal > Import (see Screenshot) Be aware that the certificate file contains the private key. You need to protect the access to the certificate file. Access Guide New Clearing GUI Web Systems Page 10

Access setup two-factor authentication process Access Guide New Clearing GUI Web Systems Page 11

Access setup two-factor authentication process 2.1.7 Step 7: Access GUI OBCR Required CSR Required The Member accesses the corresponding Eurex Clearing GUI login screen via web browser by entering the URL. See Chapter 3 for URL details. 2.2 2 nd factor: User Login to Eurex Clearing GUIs To log in to the corresponding Clearing GUI following steps are required: 1. Enter the provided URL directly into the web browser address bar. 2. Enter username and password in the login window and click the Login button. In case of a successful login the application main window appears. If the login was not successful, an error message will be displayed to the user. After several unsuccessful login attempts the account is automatically locked. For C7 Derivative Clearing GUI the user needs to contact his security administrator or the hotline (see chapter 4) to reset the password. For other GUIs customer support must be contacted in order to reset the password (tel. +49 (0) 69 211 12453, e-mail: clearingdata@eurexclearing.com). 2.2.1 Change of password during first login It is necessary to change the initial password at the first login (within 7 days after receiving the initial password) or when the current password has expired (passwords expire every 90 days) and has been re-set (the new password has to be changed by the user within 24 hours). The following rules apply when creating a new password: Must be a minimum of eight characters long Must not match a previously used password Must contain at least one UPPER CASE and one LOWER CASE character Access Guide New Clearing GUI Web Systems Page 12

Access setup two-factor authentication process Must contain at least one numeric character Must contain at least one non-alphanumeric character In order to change the password the user needs to go to the change password/password Reset screen. The username, the old password and a new one must be provided there. 2.2.2 Logout from Eurex Clearing GUIs Click the Logout button on the GUI main window to log out. The GUI login screen will appear. The system automatically performs a logout after a period of idle time which has been configured per application. An automated logout is typically performed after 30 minutes of inactivity. 2.3 Access revocation If a member needs to revoke a certificate, the certificate request form has to be used. OBCR: Fill out the certificate request form, select cancel/revoke and enter the common names (CN) of the certificates to be revoked. The form can be obtained via http://www.eurexclearing.com > Resources > Forms > Search Term Eurex Clearing GUI Certificate Request/Revocation Form or from Customer Technical Support CSR: Fill out the certificate signing request form, select cancel/revoke and enter the common names (CN) of the certificates to be revoked.. The form can be obtained from Customer Technical Support You will be contacted during processing of the request and informed upon completion. Access Guide New Clearing GUI Web Systems Page 13

Appendix A URL overview 3. Appendix A URL overview Service Internet Leased Line C7 Derivatives Clearing GUI Simulation C7 Derivatives Clearing GUI Production EurexOTC Clear GUI Simulation EurexOTC Clear GUI Production EurexOTC Clear Margin Calculator GUI Simulation EurexOTC Clear Margin Calculator GUI Production Securities Clearing GUI Simulation Securities Clearing GUI Production https://simulation.eurexclearing.com:94 43/C7_GUI/ https://production.eurexclearing.com:84 43/C7_GUI/ https://simulation.eurexclearing.com:94 43/OTC_GUI/ https://production.eurexclearing.com:84 43/OTC_GUI/ https://simulation.eurexclearing.com:94 43/Margin_Calculator/ https://production.eurexclearing.com:84 43/Margin_Calculator/ https://simulation.eurexclearing.com:94 43/LOGIN_GUI/ https://production.eurexclearing.com:84 43/LOGIN_GUI/ https://simulation.vpn.eurexclearing.com:9 443/C7_GUI/ https://production.vpn.eurexclearing.com:8 443/C7_GUI/ https://simulation.vpn.eurexclearing.com:9 443/OTC_GUI/ https://production.vpn.eurexclearing.com:8 443/OTC_GUI/ https://simulation.vpn.eurexclearing.com:9 443/Margin_Calculator/ https://production.vpn.eurexclearing.com:8 443/Margin_Calculator/ https://simulation.vpn.eurexclearing.com:9 443/LOGIN_GUI/ https://production.vpn.eurexclearing.com:8 443/LOGIN_GUI/ Note: IP-addresses Production/Leased Line access IP-address 193.29.93.171 Simulation/Leased Line access IP-address 193.29.93.172 Production/Internet Line access IP-address 193.29.90.161 Simulation/Internet Line access IP-address 193.29.90.162 More details about the networks and the IP-addresses is to be found in Eurex Exchange and Eurex Clearing Network Access Manual. The corresponding manual for C7 can be found at www.eurexclearing.com Technology Eurex Clearing s C7 System documentation. Access Guide New Clearing GUI Web Systems Page 14

Appendix B Support information 4. Appendix B Support information Member Section Technical support is available under: Phone: +49 (0) 69-21 1 1 78 88 E-Mail: member.section@eurexchange.com Customer Technical Support Support for all technical issues is available under: Phone: +49 (0) 69-21 1 <TKAM VIP Number per Client> Fax: +49 (0) 69-21 1 <TKAM VIP Number per Client> E-Mail: cts@deutsche-boerse.com Clearing GUI services certificates Phone: +49 (0) 69-21 1 <TKAM VIP Number per Client> E-Mail: ClearingCertificates@eurexclearing.com C7 Derivatives Clearing GUI For C7 Derivatives Clearing GUI related questions a hotline is available under: Phone: +49(0)69-211-1 12 50 Fax: +49 (0) 69-211- 1 43 34 E-Mail: clearing@eurexclearing.com EurexOTC Clear GUI For general OTC IRS related questions the EurexOTC Clear Hotline is available under: Phone: +49(0)69-211-1 28 28 Fax: +49 (0) 69-211-61 28 28 E-Mail: OTCClear@eurexclearing.com For general OTC IRS simulation related questions, the EurexOTC Clear Simulation Hotline is available from Monday to Friday, 10:00 18:00 CET. Phone: +49(0)69-211-1 25 25 Fax: +49 (0) 69-211-61 25 25 E-Mail: OTCClear.simulation@eurexclearing.com EurexOTC Clear Margin Calculator GUI For general Margin Calculator related questions the EurexOTC Clear Hotline is available. EurexOTC Clear Hotline (Production) Access Guide New Clearing GUI Web Systems Page 15

Appendix B Support information Service times: 08:00-22:00 CET (Monday Friday) Phone: +49 (0) 69-211-1 28 28 Fax: +49 (0) 69-211-61 28 28 E-Mail: OTCClear@eurexclearing.com For general simulation related questions the EurexOTC Clear Simulation Hotline is available. EurexOTC Clear Hotline (Simulation) Service times: 10:00-18:00 CET (Monday Friday) Phone: +49 (0) 69-211-1 25 25 Fax: +49 (0) 69-211-61 25 25 E-Mail: OTCClear.simulation@eurexclearing.com Access Guide New Clearing GUI Web Systems Page 16

Appendix C OpenSSL usage for option CSR 5. Appendix C OpenSSL usage for option CSR 5.1 General information for option CSR In case of CSR self created certificate request the private key used for CSR generation must comply with the following parameters: The certificates must be base64 encoded. The certificate must be uploaded in a format defined by IETF in RFC1421 The certificate must be compliant with the X.509v3 standard. Key length must be 3072 bits The common name must be unique and conform to the following format: <MemberID>_CLEAR<PROD SIMU> Example for MemberID XYZFR and access to production: XYZFR_CLEARPROD Example for MemberID XYZFR and access to simulation: XYZFR_CLEARSIMU The signature algorithm has to be SHA256 5.2 Download OpenSSL Download and install OpenSSL (recommended tool) to create keys, self-signed certificates and PKCS#12 certificate files. Recommended source: www.openssl.org, version: 1.0.0e. 5.3 Create Private Key The Member has to create a private key by using OpenSSL (e.g. RSA private key, 3072 bit). Exemplary command line for the exemplary Member ID XYZFR: $>openssl genrsa -des3 -out XYZFR.key 3072 Generating RSA private key, 3072 bit long modulus............++.++ e is 65537 (0x10001) Enter pass phrase for XYZFR.key: Verifying - Enter pass phrase for XYZFR.key:< $> After entering the necessary information the private key will be saved automatically in the current working directory. $> ls -1 XYZFR.key $> Access Guide New Clearing GUI Web Systems Page 17

Appendix C OpenSSL usage for option CSR 5.4 Create a certificate signing request (CSR) The user is asked to enter the information (so called Distinguished Name or a DN) that will be incorporated into the certificate request. The field Common Name (CN) should be filled in with the corresponding value. All other fields should be filled in with a dot to disable these fields. Exemplary command line for the exemplary Member ID XYZFR in Simulation: $> openssl req -new -key XYZFR.key -out XYZFR.csr nodes Enter pass phrase for XYZFR.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:XYZFR_CLEARSIMU_003 Email Address []:. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. $> After entering the necessary information the CSR will be saved automatically in the current working directory. $> ls -1 XYZFR.csr XYZFR.key $> Access Guide New Clearing GUI Web Systems Page 18

Appendix C OpenSSL usage for option CSR 5.5 Merge the signed Certificate with the private key The Member creates a PKCS#12 certificate by using the stored private key used for generating the CSR and the downloaded signed certificate (.crt-file). Exemplary command line for the exemplary Member ID XYZFR: $> openssl pkcs12 -export -clcerts -in XYZFR.crt -inkey XYZFR.key -out XYZFR.p12 Enter pass phrase for XYZFR.key: $> $> ls -1 XYZFR.csr XYZFR.key XYZFR.crt XYZFR.p12 $> Access Guide New Clearing GUI Web Systems Page 19

Appendix D Browser setup details 6. Appendix D Browser setup details 6.1 Internet Explorer The provided examples are relevant for Microsoft Internet Explorer 11. Enable session cookie handling: 1. Click on the Tools menu. 2. Select Internet Options in the menu - a new window opens. 3. Click on the Privacy tab near the top of the window. 4. Click on the Advanced button of the window. 5. Select the Option Override automatic cookie handling and choose Accept for First- and Third-party Cookies. 6. Save changes by clicking OK. Figure 1: Advanced Privacy Settings (Cookie handling) for Internet Explorer 1. 2. 3. Allow Javascript execution In Tools, click Internet Options, and then click on Security tab. Click the Internet zone and choose Custom Level. Set the corresponding settings as shown below and click OK. Access Guide New Clearing GUI Web Systems Page 20

Appendix D Browser setup details Figure 2: Configuration of Security Settings for Internet Explorer Note: To allow scripting on one special website only and to leave scripting disabled in the Internet zone, add this one website to the trusted sites zone. Access Guide New Clearing GUI Web Systems Page 21

Appendix D Browser setup details Support security protocols TLS 1.0, TLS 1.1 and TLS 1.2 The below settings can be set as follows. 1. 2. 3. On the Tools menu, click Internet Options. On the Advanced tab under Security the following boxes must be ticked: Use TLS 1.0 Use TLS 1.1 Use TLS 1.2 Click Apply, and then click OK. 6.2 Firefox Figure 3: Enabling secured transport protocols for Internet Explorer Enable session cookie handling Cookies are enabled by default in Firefox. 1. At the top of the Firefox window, click on the Firefox button and then click Options. 2. Select the Privacy panel. Access Guide New Clearing GUI Web Systems Page 22

Appendix D Browser setup details 3. 4. Under History: Select Use custom settings for history from dropdown menu. Tick Accept cookies from sites to enable Cookies, and untick it to disable them. Figure 4: Cookie handling for Firefox Choose how long cookies are allowed to be stored: Keep until: they expire: Each cookie will be removed when it reaches its expiration date, which is set by the site that sent the cookie. Keep until: I close Firefox: The cookies that are stored will be removed when Firefox is closed. Allow JavaScript execution JavaScript execution must be enabled in the Firefox Browser. This is a default setting in newer Firefox versions. It can be checked by entering about:config directly into the Firefox browser as shown below. Access Guide New Clearing GUI Web Systems Page 23

Appendix D Browser setup details Figure 5: Checking if JavaScript execution is enabled for Firefox In some older Firefox versions JavaScript execution must be enabled manually (see the example below). 1. 2. In the Options window, select the Content tab. Check box Enable JavaScript: Select this option to permit the execution of JavaScripts. Figure 6: Enabling of JavaScript for Firefox Support security protocols TLS 1.0, TLS 1.1 and TLS 1.2 In newer Firefox versions TLS protocols are being used per default. In older Firefox versions the usage of TLS 1.0 must be set explicitly (see the example below). The below settings must be set correctly. 1. On the Control Panel click Options. 2. On the Advanced tab under Encryption make sure that the following box is ticked: Use TLS 1.0 3. Click Apply, and then click OK. Access Guide New Clearing GUI Web Systems Page 24

Appendix D Browser setup details Figure 7: Enabling secured transport protocols for Firefox 6.3 Google Chrome Enable session cookie handling Cookies are usually enabled per default in Google Chrome. This can be checked by entering chrome://settings/content directly into the browser as shown below. Access Guide New Clearing GUI Web Systems Page 25

Appendix D Browser setup details Figure 8: Enabling cookies for Google Chrome Allow JavaScript execution JavaScript is usually enabled per default in Google Chrome. This can be checked by entering chrome://settings/content directly into the browser as shown below. Figure 9: Enabling of JavaScript for Google Chrome Support security protocols TLS 1.0, TLS 1.1 and TLS 1.2 1. On the Control Panel click Internet Options. 2. On the Advanced tab under Security, make sure that the following box is ticked: Access Guide New Clearing GUI Web Systems Page 26

Appendix D Browser setup details Use TLS 1.0 Use TLS 1.1 Use TLS 1.2 3. Click Apply, and then click OK. Figure 10: Enabling secured transport protocols for Google Chrome Access Guide New Clearing GUI Web Systems Page 27

Change log 7. Change log Major changes applied to this document after the last version has been published. No Date Change 3.2 21.03 2016 IP addresses web applications Web Browser recommendations Access Guide New Clearing GUI Web Systems Page 28