Federated Identity Service Certificate Download Requirements Version 3.2 Exostar, LLC February 14, 2013



Table of Contents

Introduction
  Purpose
FIS System Requirements
  Adding Exostar as a trusted Internet Site
    Internet Explorer 6.0 settings
    Internet Explorer 7.0 settings
      Adding Exostar as a Trusted Internet Site
  System Permissions
    Registry Permissions
    File System Permissions
    Certificate Store Permissions
  Exostar ActiveX Installer
    Launching the ActiveX Installer
    Verify ActiveX Installation
Common Errors
  Attempting to Download ActiveX components when a Website is not in the Trusted Sites Zone


Copyright ©2009 Exostar LLC. All rights reserved Page 1 of 15

Introduction

The Exostar Federated Identity Service (FIS) and Managed Access Gateway (MAG) products can be used to issue both basic and medium assurance level certificates. In order to provide this functionality, these products require the use of a client-side software component that is used to generate certificate requests and to install certificates on a client machine. This Exostar client-side component is delivered to the client machine in the form of a Microsoft ActiveX control, a Microsoft technology that packages a piece of software functionality into an easily distributable and installable unit. To support the certificate issuance functionality provided by FIS and MAG, this Exostar-signed ActiveX component must be installed on each client PC that will be used to obtain certificates. The control is packaged for two different methods of distribution to a client PC:

- Cabinet file (CAB file) format, for download and installation via the web; and
- Microsoft Installer (MSI) format, which can be used to install the ActiveX component where ActiveX web download is not permissible.

To verify the authenticity of the CAB file, the MSI and the ActiveX component, each component is signed using Exostar’s code signing certificate.

Purpose

This document describes the settings required on a client machine to allow the use of the Exostar ActiveX control. It indicates the errors that may be encountered when attempting to download and install the Exostar ActiveX control on a Windows XP, Windows 2000, or Windows Vista client PC. The document also includes a section on installation via the Exostar MSI.

Note: The Exostar ActiveX control is currently supported on Windows XP, Windows 2000, Windows Vista with Service Pack 2 installed, and Windows 7.

To complete the FIS Certificate download, you may have to also review and complete the following steps:

1. Adding Exostar as a trusted Internet site; and/or
2. Get appropriate system permissions from your network or security administrator; and/or
3. Install the Exostar ActiveX Control.

You can access MAG by logging on to: https://portal.exostar.com. General help information is also available online at: http://www.myexostar.com/fis.aspx.


FIS System Requirements

- Windows XP, Windows 2000, Windows Vista (with SP2 installed), Windows 7
- Internet Explorer 6.x, 7.x, 8 (Note: IE6 is not supported on Windows Vista)
- Permissions to install an ActiveX control in the browser.

Adding Exostar as a trusted Internet Site

This section describes the steps that must be performed to add Exostar to the Internet Explorer (IE) list of trusted internet sites. The process differs between IE 6.0 and IE 7.0. Details for each version are provided below.

Note: Internet Explorer 6 is not supported on the Windows Vista OS. As such the IE6 settings described in this section only apply when using the Exostar ActiveX component on Windows 2000 or Windows XP.

Internet Explorer 6.0 settings

This section describes the steps that must be performed to add Exostar to the Internet Explorer 6.0 list of trusted internet sites.

1. Launch Internet Explorer.

2. Select “Internet Options…” from the Tools menu. This will open a tabbed dialog that allows Internet Explorer settings to be viewed and modified.

3. Select the Security tab and then select the “Trusted sites” Web content zone by clicking on it as shown below:

4. Click the Sites... button. This will open a window that allows the entry of a trusted site. In the “Add this Web site to the zone:” edit box add the web site https://*.exostar.com as shown below. Click the OK button to close this window and return to the Security tab. Note that this Web site may have previously been added as a trusted site, so performing this step may be unnecessary.

5. Click the “Custom Level…” button towards the bottom of the Security tab to display the Security Settings window.

6. Follow the table below to verify, and change if needed, the settings that will allow the download and use of Exostar ActiveX controls:

Section | Setting Name | Required Value
ActiveX controls and plug-ins | Allow previously unused ActiveX controls to run without prompt | Enable
ActiveX controls and plug-ins | Automatic prompting for ActiveX controls | Enable
ActiveX controls and plug-ins | Binary and script behaviors | Enable
ActiveX controls and plug-ins | Download signed ActiveX controls | Enable
ActiveX controls and plug-ins | Run ActiveX controls and plug-ins | Enable
ActiveX controls and plug-ins | Script ActiveX controls marked safe for scripting | Enable
Miscellaneous | Don’t prompt for client certificate when no certificates or only one certificate exists | Enable
Miscellaneous | Use Popup Blocker* | Disable

NOTE: The “Use Popup Blocker” setting will disable popup blocking for all Web sites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar web site by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.


7. Click OK to close the zone setting dialog.

8. The Exostar MAG product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol, click the Advanced tab on the Internet Explorer options dialog, then scroll down to the Security section. Check the “Use TLS” setting (as shown below) if it is not already checked.

Internet Explorer 7.0, 8, 9 settings

This section describes the steps that must be performed to add Exostar to the Internet Explorer 7.0 list of trusted internet sites.

Adding Exostar as a Trusted Internet Site

1. Launch Internet Explorer.

Note: If using the Windows Vista operating system and UAC is enabled, some Internet Explorer settings cannot be changed unless you have administrator permissions. In this case, launch Internet Explorer by right clicking on its icon and select “Run as Administrator” from the popup context menu.

2. Select “Internet Options…” from the Tools menu or from the Tools Icon on the Internet Explorer toolbar. This will open a tabbed dialog that allows Internet Explorer settings to be viewed and modified.

3. Select the Security tab and then select the “Trusted sites” Web content zone by clicking on it as shown below:


4. Click the Sites... button. This will open a window that allows the entry of a trusted site. In the “Add this Web site to the zone:” edit box add the web site https://*.exostar.com as shown below. Click the OK button to close this window and return to the Security tab. Note that this Web site may have previously been added as a trusted site so performing this step may be unnecessary.

5. Click the “Custom Level…” button towards the bottom of the Security tab to display the Security Settings window.

6. Follow the table below to verify, and change if needed, the settings that will allow the download and use of Exostar ActiveX controls:


Section | Setting Name | Required Value
ActiveX controls and plug-ins | Allow previously unused ActiveX controls to run without prompt | Enable
ActiveX controls and plug-ins | Automatic prompting for ActiveX controls | Enable
ActiveX controls and plug-ins | Binary and script behaviors | Enable
ActiveX controls and plug-ins | Download signed ActiveX controls | Enable
ActiveX controls and plug-ins | Run ActiveX controls and plug-ins | Enable
ActiveX controls and plug-ins | Script ActiveX controls marked safe for scripting | Enable
Miscellaneous | Don’t prompt for client certificate when no certificates or only one certificate exists | Enable
Miscellaneous | Use Popup Blocker* | Disable

Note: The “Use Popup Blocker” setting will disable popup blocking for all Web sites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar web site by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.

On Windows Vista operating systems there is an additional setting on the security page which is used to enable or disable protected mode. For Trusted Sites, protected mode is disabled by default. To use the Exostar ActiveX control, please ensure that the “Enable Protected Mode” setting is not checked.


7. The Exostar MAG product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol click the advanced tab on the Internet Explorer options dialog then scroll down to the security section. Check the “Use TLS” setting (as shown below) if it is not already checked.
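The zone settings in the two tables above, the trusted-site entry from step 4 and the TLS setting from step 7 can be audited from the per-user registry instead of clicking through each dialog. The PowerShell script below is an added example, not part of Exostar's documentation or software; the value names under Zones\2, their 0 = Enable / 1 = Prompt / 3 = Disable encoding, the ZoneMap layout and the SecureProtocols bit for TLS 1.0 are assumptions taken from Microsoft's documented Internet Explorer zone registry layout.

```powershell
# Added example (not Exostar's code): read-only audit of the Trusted sites zone
# against the table above. The value names under Zones\2 (e.g. 1001 = Download
# signed ActiveX controls), the encoding 0 = Enable, 1 = Prompt, 3 = Disable,
# the ZoneMap layout for https://*.exostar.com and the SecureProtocols bit
# 0x80 = TLS 1.0 are assumptions from Microsoft's documented IE registry layout.

$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone  = "$inet\Zones\2"            # zone 2 = Trusted sites (per-user settings)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Required state, one entry per row of the document's table.
$required = @(
    @{ Name = '1208'; Want = 0; Setting = 'Allow previously unused ActiveX controls to run without prompt' }
    @{ Name = '2201'; Want = 0; Setting = 'Automatic prompting for ActiveX controls' }
    @{ Name = '2000'; Want = 0; Setting = 'Binary and script behaviors' }
    @{ Name = '1001'; Want = 0; Setting = 'Download signed ActiveX controls' }
    @{ Name = '1200'; Want = 0; Setting = 'Run ActiveX controls and plug-ins' }
    @{ Name = '1405'; Want = 0; Setting = 'Script ActiveX controls marked safe for scripting' }
    @{ Name = '1A04'; Want = 0; Setting = 'Don''t prompt for client certificate when no/one certificate exists' }
    @{ Name = '1809'; Want = 3; Setting = 'Use Popup Blocker' }
    @{ Name = '2500'; Want = 3; Setting = 'Enable Protected Mode (Vista and later only)' }
)

function Test-ExostarTrustedZone {
    $findings = @()
    $props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    foreach ($r in $required) {
        $have = $null
        if ($props -and $props.PSObject.Properties[$r.Name]) { $have = [int]$props.($r.Name) }
        if ($null -eq $have -and $r.Name -eq '2500') { continue }   # no Protected Mode on XP/2000
        if ($have -eq $r.Want) { continue }
        $current = if ($null -eq $have) { 'not set (zone default applies)' } else { $label[$have] }
        $findings += [pscustomobject]@{ Check = $r.Setting; Current = $current; Required = $label[$r.Want] }
    }
    # Step 4: https://*.exostar.com is stored as Domains\exostar.com with DWORD https = 2.
    $map = Get-ItemProperty -Path "$inet\ZoneMap\Domains\exostar.com" -ErrorAction SilentlyContinue
    if (-not $map -or $map.https -ne 2) {
        $findings += [pscustomobject]@{ Check = 'https://*.exostar.com in Trusted sites'; Current = 'missing'; Required = 'present' }
    }
    # Step 7: the Advanced tab "Use TLS 1.0" checkbox is bit 0x80 of SecureProtocols.
    $sp = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).SecureProtocols
    if (-not ($sp -band 0x80)) {
        $findings += [pscustomobject]@{ Check = 'Use TLS 1.0 (Advanced tab)'; Current = 'unchecked'; Required = 'checked' }
    }
    return $findings
}

# Machine-wide policy (HKLM zone keys, or Security_HKLM_only) overrides these per-user
# values; if a finding persists after changing the dialog, review Group Policy with the administrator.
$result = @(Test-ExostarTrustedZone)
if ($result.Count -eq 0) { 'Trusted sites zone matches the required settings.' }
else { $result | Format-Table -AutoSize -Wrap }
```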

System Permissions

This section describes the system permissions that must be granted (typically by a network or security administrator) to the logged-on user’s account. Please reach out to your network or security administrator to review these permissions.

Registry Permissions

The account logged into the Windows interactive desktop must have read/write permissions to an area of the system registry that is used to maintain information about ActiveX controls. Specifically, the account must have permissions to the HKEY_CLASSES_ROOT\CLSID registry hive. Note that this hive is a mirror of the HKEY_LOCAL_MACHINE\Software\Classes hive; changes made to either hive will be reflected in the other. The following specific permissions must be allowed:

- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Read Control


File System Permissions

The account logged into the Windows interactive desktop must have read/write permissions to the Windows\Downloaded Program Files folder in the file system. This folder is used to store ActiveX controls downloaded by Internet Explorer.

Certificate Store Permissions

NOTE: A Microsoft generated dialog box may appear during FIS certificate installation if the logged-on user does not have permissions to write a trusted root certificate to the system’s trusted root certificate store. The user must click “Yes” on this dialog for FIS certificates to be installed correctly. This section provides detailed information concerning this issue.

As part of the certificate acquisition process for an FIS user, the Exostar ActiveX control will attempt to download and install one or more digital certificates in the certificate store of the user’s system. Each certificate downloaded is one of two general types:

- certificates issued to the FIS user (FIS end user certificates), which are installed in the user’s personal certificate store; or
- certificates that may be used to trace the user certificate to a trusted root authority (trusted root authority certificates), which are installed in the system’s “Trusted Root Certification Authorities” certificate store (or Trusted Root Store for short).

Scenarios:

- If the logged-in user (i.e. the FIS user attempting to obtain an FIS certificate) does have permissions to store the trusted root authority certificates in the Trusted Root Store, then the certificate installation process will complete successfully.
- If the logged-in user does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, then the FIS certificate download and install process can still proceed successfully; however, due to a known Microsoft issue, the process may require an additional interactive step by the user.
- If the logged-in user does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, then an informational dialog box may be generated by the Microsoft operating system during the certificate installation process. The Microsoft dialog box (shown below) is intended to alert the user that an attempt to install a certificate in the Trusted Root Store is being made, and allows the user to proceed with the operation or cancel it.


(Confusing Microsoft Error Message)

Due to a known Microsoft issue (documented in Microsoft Knowledge Base article #940275), the dialog appears as shown above and does not contain the intended informational message. Instead of the blank, uninformative message, the dialog should read: “You are about to install a certificate from a certification authority (CA) claiming to represent: CANameCertificate_Information Do you want to install this certificate?” The missing message text makes the dialog very confusing to the end user. In order for FIS certificate installation to complete successfully, the FIS user must click the “Yes” button on the Microsoft dialog.

IMPORTANT: The confusing dialog box will only appear under the following conditions:

1. The logged-on user does not have permissions to store a trusted root certificate in the system’s trusted root certificate store.
2. The trusted root certificate does not already exist in the trusted root store. If the certificate already exists, then no attempt to install it will be made and therefore the Microsoft dialog will not appear.
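An administrator can confirm ahead of time whether a user account holds the registry, file system and Trusted Root Store rights described in the three sections above, and therefore whether the blank Microsoft dialog should be expected. The PowerShell script below is an added example, not Exostar's code; it assumes that the LocalMachine Trusted Root Store is backed by HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT, and the folder check is an ACL walk that ignores ACE inheritance flags and generic access bits.

```powershell
# Added example (not Exostar's code): reports whether the interactive user holds
# the rights listed under Registry, File System and Certificate Store Permissions.
# Registry rights are tested by asking the OS to open the key with exactly the
# listed access mask (nothing is written), so the caller's real token, including
# UAC filtering, is evaluated. The folder check walks the DACL against the token's
# SIDs and ignores inheritance flags and generic bits (an approximation). That the
# LocalMachine Trusted Root store lives under HKLM\SOFTWARE\Microsoft\
# SystemCertificates\ROOT is an assumption about the Windows store layout.

$RR  = [System.Security.AccessControl.RegistryRights]
$FSR = [System.Security.AccessControl.FileSystemRights]

# "Query Value, Set Value, Create Subkey, Enumerate Subkeys, Read Control" from the
# document; Read Control is exposed as ReadPermissions in .NET.
$clsidRights = $RR::QueryValues -bor $RR::SetValue -bor $RR::CreateSubKey -bor
               $RR::EnumerateSubKeys -bor $RR::ReadPermissions
# Adding a root certificate creates a subkey (named by thumbprint) and writes a Blob value.
$rootStoreRights = $RR::CreateSubKey -bor $RR::SetValue

function Test-RegistryRights {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey,
          [System.Security.AccessControl.RegistryRights]$Rights)
    try {
        $k = $Hive.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $Rights)
        if ($null -eq $k) { return 'key not found' }
        $k.Close()
        return 'granted'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'DENIED'
    }
}

function Test-FolderRights {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return 'folder not found' }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User) + @($id.Groups)          # every SID the token carries
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }                       # unresolvable (orphaned) SID: skip
        if ($sids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                     { $deny  = $deny  -bor $mask }
    }
    $effective = $allow -band (-bnot $deny)       # deny ACEs win over allow ACEs
    if (($effective -band [int]$Rights) -eq [int]$Rights) { return 'granted' }
    return 'DENIED'
}

$hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$checks = [ordered]@{
    'HKEY_CLASSES_ROOT\CLSID (Registry Permissions)'    = Test-RegistryRights $hkcr 'CLSID' $clsidRights
    'Windows\Downloaded Program Files (read/write)'     = Test-FolderRights (Join-Path $env:windir 'Downloaded Program Files') ($FSR::Read -bor $FSR::Write)
    'Trusted Root Store (add trusted root certificate)' = Test-RegistryRights $hklm 'SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates' $rootStoreRights
}
# DENIED on the last line is condition 1 above: the user should expect the blank
# Microsoft dialog during certificate installation and click Yes.
$checks.GetEnumerator() | ForEach-Object { '{0,-14} {1}' -f $_.Value, $_.Key }
```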

Exostar ActiveX Installer

In certain situations the FIS user may not be able to obtain some or all of the permissions needed to download and install the Exostar ActiveX XEnrollPlus control via a web browser. To handle these situations, system administrators can use a Microsoft Installer based package (MSI) to install the Exostar ActiveX control. There are three versions of the installer currently available: one for Windows 2000 platforms, one for Windows XP and one for Windows Vista. Each version of the installer contains two files:

1. setup.exe – This file is used to check and report whether the local system meets the requirements to successfully run the Exostar ActiveX control, and to launch the Windows Installer to install the ActiveX control.
2. MSI extension file – This file can be run directly without running setup.exe first. The Windows Installer will be used to install the Exostar ActiveX control.

Launching the ActiveX Installer

This section describes how to perform an Exostar ActiveX installation via the Exostar ActiveX installer, manually on a single desktop PC. To install please follow the instructions below:

1. Determine the Windows operating system of the desktop PC that the Exostar ActiveX control will be installed on.

2. If installing on a Windows Vista operating system then double click the XEnrollPlusVistaMSI.msi file located on the distribution media.


3. If installing on a Windows XP operating system then double click the XEnrollPlusMSI.msi file located on the distribution media.

4. If installing on a Windows 2000 operating system then double click the XEnrollPlusWin2k.msi file located on the distribution media.

5. The Windows installer will launch and run the Exostar ActiveX installer.


6. The following screen will appear.

7. Click the Next button to continue the installation.

8. On the next screen select the “Everyone” option and then click Next.

Note: The ActiveX control software will be installed in the C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control folder. Click the Browse… button to select another location if desired.


9. Continue the installation process by clicking the Next button on the Confirmation page that appears. This ActiveX control will be installed in the location specified in step 7 above.

10. The following screen will appear when the installation process has completed:

11. Click the “Close” button.

Verify ActiveX Installation

This section describes the steps that can be performed to verify that the Exostar ActiveX control has been installed correctly (via the Exostar Installer MSI).

NOTE: The Exostar ActiveX control will not appear in the objects list shown by Internet Explorer, since the ActiveX control was not downloaded and installed via the browser.

1. Verify that the file has been installed in the OS file system. The default location for the ActiveX control is C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control. Verify that the file exists in this folder. Note: if a different installation folder was selected during the installation process, then verify that the control’s file exists in the selected folder.

2. Optional. Verify that the control was registered in the system registry using a registry editing/viewing tool ex. regedit.exe.

WARNING: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Exostar cannot guarantee that these problems can be solved. View the registry at your own risk OR work with your network or security Administrator.


3. Locate the registry hive HKEY_CLASSES_ROOT\CLSID\{3AFD96BC-5BB9-4614-B0D1-AE48A331E3E2}. Under this hive, find the InprocServer32 hive. The “default” registry key in this hive should have the following value: C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control\XEnrollPlus.dll

NOTE: This value will be different from that shown above if another folder was selected during installation.

4. If the control is successfully installed, and the browser settings (as described earlier in this document) are set to allow the use and scripting of ActiveX controls, then no ActiveX related errors should appear when certificate requests via the FIS application are processed.
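Steps 1 to 3 of the verification above can be scripted so that a help desk can run one read-only check per desktop; because the document states that every Exostar component is signed with Exostar's code signing certificate, the script also validates the DLL's Authenticode signature. This PowerShell script is an added example and not Exostar's code; the CLSID and default path are the ones given above, and the expectation that the signer's certificate subject contains "Exostar" is an assumption.

```powershell
# Added example (not Exostar's code): automates verification steps 1 to 3 and
# adds an Authenticode check. The CLSID and default path come from the document;
# expecting the signer subject to contain "Exostar" is an assumption.

$clsid       = '{3AFD96BC-5BB9-4614-B0D1-AE48A331E3E2}'
$inprocKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$defaultPath = 'C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control\XEnrollPlus.dll'

function Test-ExostarControlInstall {
    $r = [ordered]@{ Registered = $false; DllPath = $null; FileExists = $false
                     AtDefaultLocation = $false; SignatureStatus = 'n/a'; Signer = $null
                     SignedByExostar = $false; FileVersion = $null }
    # Steps 2/3: the COM registration. An MSI-installed control is not listed among
    # IE's downloaded objects, so the registry key is the authoritative check.
    if (-not (Test-Path -LiteralPath $inprocKey)) { return $r }
    $r.Registered = $true
    # The (Default) value of InprocServer32 holds the DLL path chosen at install time
    # (the default folder, or the one picked via Browse...).
    $dll = (Get-ItemProperty -LiteralPath $inprocKey).'(default)'
    $r.DllPath = $dll
    if (-not $dll) { return $r }
    $r.AtDefaultLocation = ($dll -ieq $defaultPath)
    # Step 1: the file must exist in the registered folder.
    $r.FileExists = Test-Path -LiteralPath $dll
    if (-not $r.FileExists) { return $r }
    # Supply-chain check: the DLL must carry a valid, chained Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $dll
    $r.SignatureStatus = $sig.Status.ToString()     # 'Valid', 'NotSigned', 'HashMismatch', ...
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    $r.SignedByExostar = ($sig.Status -eq 'Valid') -and ($r.Signer -match 'Exostar')
    $r.FileVersion = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
    return $r
}

$result = Test-ExostarControlInstall
[pscustomobject]$result | Format-List
if (-not $result.Registered -or -not $result.FileExists -or -not $result.SignedByExostar) {
    Write-Warning 'Exostar ActiveX control is missing, unregistered or not validly signed; expect ActiveX errors in FIS.'
}
```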

Common Errors

Some common errors that are encountered while downloading the ActiveX controls or the certificates are listed below. Please review this section before reaching out to Exostar at: http://www.myexostar.com/contactSupport.aspx.

Attempting to Download ActiveX components when a Website is not in the Trusted Sites Zone

When a Web page refers to an ActiveX control that is not currently present on your computer, the messages and prompts that may be displayed to a user depend on a number of factors, including the Security Zone assigned to the Website, the security settings for ActiveX (as described above) for that zone, the Internet Explorer version and the operating system version. For example, Internet Explorer running on a Windows XP/SP2 platform will make use of an Information Bar to display status to the user. This section shows some of the messages that may be displayed when an attempt to download an ActiveX control occurs.

NOTE: If the Exostar website is added to the Internet Explorer Trusted Sites zone and this zone is configured as described above, then the prompts and messages shown below will not be displayed. The intent of this section is to help troubleshoot issues when a message is displayed to the user during ActiveX download.

Issue #1: Exostar website is not in the trusted zone. Internet Explorer will display the message below to the user.


When the user clicks close on the Information bar warning above, they can then right-click on the Information Bar and select “Install ActiveX control…” as shown below.

The dialog below will be displayed. Clicking the Install button will cause the ActiveX control to download and install.

Issue #2: Exostar website is in the trusted zone. Download signed ActiveX controls setting for this zone is set to prompt. Internet Explorer will display the message below to the user. Clicking the Install button will cause the ActiveX control to download and install.

Issue #3: Exostar website is in the trusted zone. Run ActiveX controls and plug-ins setting for this zone is set to prompt. Internet Explorer will display the message below to the user. Clicking the Yes button will allow the ActiveX control to run.


Issue #4: I am trying to download the certificates and receive an error message: “The ActiveX Control is not installed or is not running. You need to install it or run it before you can proceed”. This error will be displayed when you attempt to download the digital certificates and the Exostar ActiveX control is being blocked/cannot be downloaded. The most common causes for this error are Internet Explorer settings and/or system level permissions that are not set correctly and therefore do not allow the download and use of Exostar’s ActiveX control.