FIS and DCS User Guide Version 1.7 Exostar, LLC June 14, 2016
Copyright ©2016 Exostar LLC. All rights reserved
Table of Contents
FIS AND DCS Overview
FIS AND DCS System Requirements
Required Browser Settings
Downloading Certificates / Installing ActiveX
Backing Up FIS AND DCS Certificates
Troubleshooting
FIS AND DCS Overview
Exostar’s Federated Identity Service (FIS AND DCS) is a fully-managed public key infrastructure (PKI) service for the issuance and maintenance of digital certificates. In order to provide this functionality, a client-side software component is required to generate certificate requests and install certificates on a client machine (PC). This client-side component is delivered to the client machine in the form of a Microsoft ActiveX control. To support the certificate issuance functionality, this Exostar-signed ActiveX component must be downloaded and installed on each client PC that will be used to obtain certificates. To verify authenticity, the ActiveX component is signed using the Exostar code-signing certificate issued by a third-party CA trusted by Microsoft.
This guide has been created to help users verify or modify their browser settings so the ActiveX control can be properly installed and required certificates can be downloaded. This document contains a step-by-step guide for required browser settings, installing ActiveX, and backing up (exporting) your digital certificate.
Additional information about FIS can be found by visiting: http://www.myexostar.com/Federated-Identity-Service/Get-Started/. For information on how to request FIS certificates, refer to the Requesting Access to FIS section of the MAG User Guide. Information about DCS can be found in the DCS section under Find Information by Application on www.myexostar.com.
FIS AND DCS System Requirements
Windows Vista (SP 2.0), Windows 7, and Windows 8 supported
Internet Explorer 7, 8, 9, 10, 11 supported
Permissions to enable ActiveX controls and plug-ins
Required Browser Settings
1. Adding Exostar as a Trusted Internet Site (Required)
Step Action
1 Launch Internet Explorer.
2 From the Menu Bar, select Tools > Internet Options. If the Menu Bar is not displayed, click the Gear icon at the upper-right corner of Internet Explorer, and then click Internet Options. The Internet Options page is displayed, which allows Internet Explorer settings to be viewed and modified.
3 Select the Security tab and then select the Trusted Sites web content zone by clicking on it.
4 Click the Sites button.
5 The Trusted Sites page is displayed. This allows the entry of a trusted site. In the Add this Web site to the zone edit box, type: https://*.exostar.com. Click the Add button.
6 When finished, click OK or Close to return to the Internet Options menu. Note: If this website has been previously added, you may receive a message indicating it is already in the Trusted Sites zone.
2. Security Settings for ActiveX (Required)
Step Action
1 From the Internet Options page > Security tab, select the Custom level for Security Level for this Zone.
2 Verify that the following Security Settings – Trusted Sites Zone are set as follows:
ActiveX Controls and Plug-in Settings | Value
Allow previously unused ActiveX controls to run without prompt | Enable
Automatic prompting for ActiveX controls | Enable
Binary and Script behaviors | Enable
Download Signed ActiveX controls | Enable
Run ActiveX controls and plug-ins | Enable
Script ActiveX controls and plug-ins | Enable
3 Once settings are changed, click OK twice to save. Modifications will take effect after you restart Internet Explorer.
3. Miscellaneous Settings: Popup Blocker (Required)
Step Action
1 From the Internet Options page > Security tab, select the Custom level for Security Level for this Zone.
Note: Settings will take effect after you restart Internet Explorer.
2 Verify that the following Security Settings – Trusted Sites Zone are set as follows:
Miscellaneous Settings | Value
Use Popup Blocker | Disable
The ‘Use Popup Blocker’ setting will disable popup blocking for all web sites in the Trusted Internet zone.
2A Alternatively, popup blocking can be disabled specifically for the Exostar web site by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer:
   1. Launch Internet Explorer.
   2. Go to Tools > Popup Blocker > Pop-Up Blocker Settings.
   3. Add https://*.exostar.com in the Exception text box and click Add.
   4. The site will appear in the Allowed Sites list.
   5. Click Close to complete.
3 Once settings are changed, click OK twice to save. Modifications will take effect after you restart Internet Explorer.
Miscellaneous Settings: Enable Prompt for Certificate (Highly Recommended)
By default, Internet Explorer does not prompt to send a certificate if only one certificate is present. If a valid certificate matches site requirements, it is automatically sent. This can be useful for those users who prefer authentication to be transparent. However, users who have expired or invalid certificates on their machine may be presented with a “page cannot be displayed” error. In order to resolve this error, this should be set to enable the prompt.
Step Action
1 From the Internet Options page > Security tab, select the Custom level for Security Level for this Zone.
2 Verify that the following Security Settings – Trusted Sites Zone are set to the following:
Miscellaneous Settings | Value
Don't prompt for client certificates when no certificates or only one certificate is present | Disable
3 Once settings are changed, click OK twice to save. Modifications will take effect after you restart Internet Explorer.
IMPORTANT: Some configurations may require this setting to be enabled in all three Security Zones (Trusted Sites, Local Intranet and Internet). Also, some Internet Explorer updates may overwrite these settings when applied. In the event this happens, this setting will need to be re-enabled.
4. Security Settings: TLS 1.0
Transport Layer Security (TLS) protocol can be enabled in Internet Explorer. The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the internet using cryptography.
Step Action
1 Launch Internet Explorer.
2 From the Menu Bar, select Tools > Internet Options. The Internet Options page is displayed, which allows Internet Explorer settings to be viewed and modified.
3 Select the Advanced tab and scroll down to the Security section. Check the “Use TLS 1.0” setting.
4 To save settings, click Apply and OK. The modifications will take effect after you restart Internet Explorer.
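To confirm that a workstation matches the settings in sections 1 to 4 above, the registry values behind those dialogs can be read back. The PowerShell script below is an added example, not part of the Exostar guide; the value names (1001, 1200, 1405 and so on), the ZoneMap path and the SecureProtocols bit are assumptions taken from Microsoft's documented Internet Explorer zone settings, and only per-user (HKCU) values are read, which Group Policy can override.

```powershell
# Added example: read-only audit of the current user's IE settings (no writes).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone = Join-Path $inet 'Zones\2'          # zone 2 = Trusted Sites

# Zone value name -> guide label and expected data (0 = Enable, 3 = Disable).
# The label-to-name mapping is an assumption based on Microsoft's zone list.
$expected = [ordered]@{
    '1208' = @('Allow previously unused ActiveX controls to run without prompt', 0)
    '2201' = @('Automatic prompting for ActiveX controls', 0)
    '2000' = @('Binary and Script behaviors', 0)
    '1001' = @('Download Signed ActiveX controls', 0)
    '1200' = @('Run ActiveX controls and plug-ins', 0)
    '1405' = @('Script ActiveX controls and plug-ins', 0)   # "marked safe for scripting"
    '1809' = @('Use Popup Blocker', 3)
    '1A04' = @("Don't prompt for client certificates when none or only one is present", 3)
}

function Get-Dword($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = foreach ($name in $expected.Keys) {
    $label, $want = $expected[$name]
    $actual = Get-Dword $zone $name
    [pscustomobject]@{
        Setting  = $label
        Name     = $name
        Expected = $want
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        OK       = ($actual -eq $want)
    }
}

# https://*.exostar.com is stored as value "https" = 2 under ZoneMap\Domains\exostar.com.
$site = Get-Dword (Join-Path $inet 'ZoneMap\Domains\exostar.com') 'https'
# SecureProtocols is a bit mask; 0x80 corresponds to the "Use TLS 1.0" check box.
$protocols = Get-Dword $inet 'SecureProtocols'

$report | Format-Table -AutoSize
"Trusted site https://*.exostar.com : {0}" -f ($site -eq 2)
"Use TLS 1.0 checked                : {0}" -f (($protocols -band 0x80) -ne 0)
```

A row with OK = False or Actual = "not set" means the corresponding dialog setting should be rechecked by hand, for example after an Internet Explorer update.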
Downloading Certificates / Installing ActiveX
This is a quick reference for downloading the certificates. For detailed information on pre-requisites and downloading your FIS MLOA Software and Hardware certificates, refer to the Manage Certificates section of the MAG User Guide. For detailed information on pre-requisites and downloading your DCS Software and Hardware certificates, refer to DCS under the Find Information by Application section on www.myexostar.com.
If your organization does not allow the download of the ActiveX Control to your machine, your IT Security Administrator can download the available MSI for your machine’s configuration here.
Step Action
1 After the User completes the FIS certificate request process through the Managed Access Gateway (MAG), and has been electronically notified by Exostar to retrieve their certificate, the User is now able to download certificate(s). Note: FIS Medium Level of Assurance (MLOA) Hardware and Software Digital Certificates can only be issued upon completion of in-person proofing and Exostar approval. Basic Level of Assurance does not require in-person proofing.
After the User completes the DCS certificate request process through the Secure Access Manager (SAM) and has been electronically notified by Exostar to retrieve their certificate, the User is now able to download certificate(s). Note: DCS Medium Level of Assurance (MLOA) Software and Hardware Digital Certificates can only be issued upon completion of Experian proofing or webcam proofing and Exostar approval.
2 For FIS Digital Certificates, the user logs into MAG and navigates to My Account > Manage Certificates > Download Certificates and is prompted for a Passcode.
Passcode for MLOA certificates will be provided by the proofing agent as part of the in-person proofing process.
Passcode for BLOA certificates will be provided via email upon approval from Exostar.
IMPORTANT: You must refer to the Manage Certificates section of the MAG User Guide for detailed information on all FIS software and hardware certificates, including hardware tokens: http://www.myexostar.com/WorkArea/showcontent.aspx?id=912
For DCS Digital Certificates, after the Exostar Portal Administrator (EPA) approves the request, the user should receive an email alerting that they can download the certificate. The user will need to log into SAM with their Phone OTP credential and will need to open the DCS application. They will need to review the Terms and Conditions and click on the Agree and Download button to install the digital certificate.
3 If the required browser settings are enabled, the User will be prompted to complete the download process without issue. Once the certificate(s) are successfully downloaded, they are available for immediate use. Upon completion of the certificate(s) download, it is recommended that the user perform an immediate backup (instructions are provided later in this document).
IF YOU DID NOT RECEIVE AN ERROR MESSAGE OR INFORMATION BAR WARNING, YOU HAVE SUCCESSFULLY INSTALLED YOUR DIGITAL CERTIFICATE AND CAN PROCEED TO BACK UP YOUR CERTIFICATE. OTHERWISE, PLEASE CONTINUE WITH STEP 4.
4 If browser settings were not enabled, and the user has permissions to install ActiveX, the user may receive a message below the browser tool bar and an information pop-up dialogue box.
5 Click Close on the Information bar warning. Right-click on the Information Bar and select Install ActiveX Control…
6 You will be prompted with an Internet Explorer Security Warning asking if you want to install this software. Click Install to install ActiveX.
7 You will be prompted by Internet Explorer asking if you want to allow software such as ActiveX Controls and plug-ins to run. Click Yes to allow the ActiveX control to run.
8 Once complete, you will be able to download certificates.
Note: You may be prompted again with a 2nd Internet Security Warning (Exostar website is in the trusted zone; the download signed ActiveX controls setting for this zone is set to prompt you). Click on Install to cause the ActiveX control to download and install.
Backing Up FIS AND DCS Certificates (BLOA and MLOA SW only. Does NOT apply to certificates loaded onto USB tokens)
It is important to back up your FIS AND DCS Certificate(s). If you do not have a backup and your certificate(s) become corrupt or lost, you will need to re-apply for the certificate. For Medium Level of Assurance (MLOA) certificate(s), this will involve in-person proofing and could involve additional expense. It is also recommended to back up your MLOA certificate(s) prior to enabling strong private key protection.
1. Exporting the Digital Certificate (Required)
Step Action
1 Launch Internet Explorer.
2 From the Menu Bar, select Tools > Internet Options. The Internet Options page is displayed, which allows Internet Explorer settings to be viewed and modified.
3 Select the Content tab, click on Certificates, and go to the Personal tab.
4 Select the certificate you wish to back up and click Export. This will launch the Certificate Export Wizard. Click Next to start the export.
Note: You will want to back up (Export) all three MLOA certificates: Signature, Encryption, and Identity. You will need to repeat the steps for each certificate. For authentication, the Identity Certificate is most commonly used (i.e., access to portals, ForumPass, etc.). For more information about MLOA certificates, please visit: http://www.myexostar.com/myexostarAll.aspx?id=938
5 Select Yes to export the private key, and then click Next. For Personal Information Exchange, select Include all certificates for certificate path if possible AND Enable strong protection options, and then click Next.
6 Apply a Password to the certificate and click Next.
VERY IMPORTANT: You must remember this password. It will be used during the certificate import process. If your password is forgotten, you will not be able to restore your certificate(s).
7 Click Browse to identify a location to store your certificate and click Next.
For security reasons, it is important that you maintain control of your digital certificate at all times. Please ensure it is saved to a safe location. If lost or corrupt, you will need to re-apply for a new certificate(s).
8 Once you have determined a safe location to store your certificate, you will need to name the file. The File Name should indicate your name (First and Last) as well as what type of certificate it is. After completing your File Name, verify the file type is Personal Information Exchange *.pfx and click Save.
VERY IMPORTANT: File Name should include your first and last name, as well as the certificate type:
First Name Last Name (Certificate Type).pfx
Example: Ryan Wick (Identity).pfx
9 The Certificate Export Wizard will present the file name and path you have selected for storing your certificate. Once you have confirmed it is correct, click Next. The Certificate Export Wizard is now complete. Click Finish.
10 You will receive indication that the certificate export was successful. Click OK.
11 For information on importing the certificates, refer to the FIS AND DCS Certificate Export Import Guide for details: http://www.myexostar.com/WorkArea/showcontent.aspx?id=1038
If using MLOA certificates, you will need to repeat these steps to back up (export) all related certificates. If you are utilizing ForumPass, you may want to consider uploading your exported certificates to a document library in your MySite.
For additional information about FIS AND DCS Certificates, Frequently Asked Questions, and documentation on how to restore (import) certificates, or setting certificate security levels to ‘high’, please visit: http://www.myexostar.com.
Troubleshooting
For troubleshooting common errors, please visit our website at http://www.myexostar.com.
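The export described under Backing Up FIS AND DCS Certificates can also be scripted, with a check that the backup file really opens with the chosen password. This PowerShell script is an added example, not part of the Exostar guide; it assumes the PKI module cmdlets Export-PfxCertificate and Get-PfxData (Windows 8.1 or later), and the thumbprint, owner name and output folder are placeholders to replace.

```powershell
# Added example: export one software certificate with its private key and chain,
# then verify the resulting .pfx by opening it with a re-entered password.
$thumbprint = '<THUMBPRINT-OF-CERTIFICATE>'              # placeholder
$owner      = 'First Last'                               # placeholder: your name
$certType   = 'Identity'                                 # Signature, Encryption or Identity
$outDir     = Join-Path $env:USERPROFILE 'Documents'     # assumed location; pick a safe one

$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in the Personal store."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter); backing it up anyway."
}

# File name follows the guide's convention: First Last (Certificate Type).pfx
$file     = Join-Path $outDir "$owner ($certType).pfx"
$password = Read-Host -AsSecureString -Prompt 'Backup password'

# BuildChain includes the certificates in the certification path.
# The export fails if the private key is not exportable (for example on a token).
Export-PfxCertificate -Cert $cert -FilePath $file -Password $password `
    -ChainOption BuildChain | Out-Null

# Typing the password a second time catches a mistyped or misremembered password
# now, while the original certificate is still installed.
$check = Read-Host -AsSecureString -Prompt 'Re-enter password to verify the backup'
$pfx   = Get-PfxData -FilePath $file -Password $check     # throws on a wrong password

$restored = $pfx.EndEntityCertificates |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $restored) {
    throw "Backup $file does not contain certificate $thumbprint."
}
"Backup verified: $file (chain certificates included: $($pfx.OtherCertificates.Count))"
```

Run it once per certificate, changing $thumbprint and $certType each time, so that the Signature, Encryption and Identity certificates each get their own verified file.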