Smart card access to RTE's IS under Microsoft Windows 7


PKI User guide
Version 3, June 17th 2016
Programmes & SI (PSI), TOUR MARCHAND, 41 RUE BERTHELOT, COURBEVOIE CEDEX

Access to RTE's Information System by software certificates under Microsoft Windows 10 PKI user guide

TABLE OF CONTENTS

A. FOREWORD
1 Introduction
    Document purpose
    Context
    Warning regarding security practices
    The actors
        The client
        Registration Authority (RA)
        Certification Authority (CA)

B. CERTIFICATES MANAGEMENT PROCEDURES
2 Certificates management process
    Foreword
    Software certificate request
        Preliminary steps
        Smart card reception
    Certificates renewal
    Revocation of certificates
        Case of revocation
        Revocation request

C. WORKSTATION CONFIGURATION
3 Installation and configuration of the workstation
    Network configuration
        General configuration
        Specificity of the VPN access
    Software configuration
    Installation of smart card reader
4 Smart card acknowledgement
    Foreword
    Acknowledgement through your browser
    Acknowledgement through the RTE Hotline

D. WEB ACCESS TO THE RTE INFORMATION SYSTEM
5 Microsoft Internet Explorer
    Preliminary configuration
        Configuration of the security settings
        Adding trusted sites
    Installing RTE's CA root certificate
        Download and install
        Visualisation and verification of RTE's CA root certificate
    Display and verification of your certificate on smart card
    Using your certificate
        Authentication and encryption
        Example of access to a RTE web application
    Additional operations
        Acknowledgement through the browser
    Connecting to the SSL VPN
        Foreword
        Prerequisite
        First connection
        Using the SSL VPN
6 Mozilla Firefox
    Preliminary configuration
        Configuration of security settings
        Adding the smart card to the security devices of Firefox
    Installing RTE's CA root certificate
        Download and install
        Visualisation and verification of RTE's CA root certificate
    Visualisation and verification of your smart card certificates
    Using your certificate
        Authentication and encryption
        Example of access to an RTE web application
    Additional operations
        Acknowledgement through the browser
    Connecting to the SSL VPN
        Foreword
        Prerequisites
        First connection
        Using the SSL VPN

E. APPENDICES
7 Changing the smart card PIN code
8 Secure environment (PKI)
    8.1 Concepts and objects managed by a PKI
        What is a secure process?
        The importance of dual-keys
        Certificates
    Documentation
    Glossary
    Incident management and Support
    Support
    Frequently Asked Questions (FAQ)
    Error codes returned by

A. FOREWORD

1 Introduction

1.1 Document purpose

This document is aimed at the end user who wishes to access RTE's IS with a smart card under Microsoft Windows Seven. The present document enables the holder to:
- Understand the context and the principles of a secure environment (authentication, confidentiality, integrity and non-repudiation), as well as the general functioning of a public key management infrastructure (PKI).
- Know how to install and use his/her certificates in the following environments:
    - Microsoft Windows Seven.
    - Browsers: Internet Explorer and Mozilla Firefox for secure access with the HTTPS protocol.

NOTE: For the whole of this document, the pronoun "you" represents the certificate user.

1.2 Context

Under the law of February 10, 2000 ( ) and the implementing decree of 16 July 2001, the operator of the public transport network has an obligation to preserve the confidentiality of economic, commercial, industrial, financial or technical information whose disclosure would be likely to undermine the rules of free and fair competition and non-discrimination required by law.

1.3 Warning regarding security practices

Each software certificate holder has his own private key. The whole (certificate and associated private key) is generated by RTE and made available for download by the holder as a password-protected file (PKCS #12 file, extension "p12").

Then, each software certificate holder shall take all necessary precautions to prevent:
- the violation of his private key,
- the loss of his private key,
- the disclosure of his private key,
- the alteration of his certificate,
- the misuse of his certificate.

Each private key and its associated certificate are stored on a smart card protected by a password known only by the smart card holder.

The Certification Authority (CA) "RTE Certification Authority" takes no responsibility for disputes related to misuse of private keys.

1.4 The actors

The life cycle management of a certificate is based on three entities:
- the client (i.e. your company),
- the Registration Authority (RA),
- the Certification Authority (CA).

NOTE: To understand this better, one can draw a parallel with the allocation of official credentials: the citizen applying for a credential is the Client; the town is the Registration Authority and the prefecture is the Certification Authority.

The client

The client issues certificate requests for holders. It may also issue requests for revocation of the certificates (see Section B: certificate management procedures).

Registration Authority (RA)

The Registration Authority (RTE's manager of customer relations and the Operator) collects the certificate requests, affixes a date of validity for certificates and verifies the identity of their holders.

Certification Authority (CA)

The Certification Authority (RTE) is responsible for, and guarantor of, the certificates signed in its name and the PKI's operation. It sets policy for the management and use of certificates.

The RTE certification authority is called:
CN = RTE Certification Authority, O = RESEAU DE TRANSPORT D'ELECTRICITE

B. CERTIFICATES MANAGEMENT PROCEDURES

2 Certificates management process

2.1 Foreword

The main processes used to manage all the digital certificates issued to holders are:
- obtaining a certificate (obtaining one or more certificates),
- renewal of a certificate (replacement by a new certificate for a new validity period and a new key pair),
- revocation of a certificate (end of certificate validity).

2.2 Software certificate request

Preliminary steps

Beforehand, the following steps must be performed.

The company representative issues an access request: The company representative must have completed and signed the request forms "access to RTE IS services and applications" sent by his Customer Relations Manager, and then sent them back to him. In these forms, the company representative specifies in particular:
- «Certificate »,
- «Chosen password».

We register your request: Following receipt of the forms, we create your account(s) to access the applications and we make a request for a personal smart card for each holder.

The company representative receives a delivery package containing:
- The "PKI Access Kit" (containing this guide),
- A smart card reader (one per holder).

Smart card reception

After the smart card has been registered and validated by RTE, you will receive:
- An express mail package containing a smart card (on which are stored your certificates and associated private keys),
- A personal and confidential envelope containing the PIN code associated with the smart card.

For security reasons, the smart card and the associated PIN code are sent to you separately.

IMPORTANT NOTES: It is strongly recommended to personalise the PIN code of your smart card (see 7). It is possible to do it as soon as your card reader is installed (see 3).

2.3 Certificates renewal

Certificates have a lifespan limited to 2 years, in order to give them a high level of security. If the smart card has been correctly acknowledged (see 4), then forty days before the expiry of a certificate, an electronic message is sent to the holder to inform him/her of the forthcoming expiry of his/her certificate.

If changes must be made concerning the holder's information, the company representative contacts RTE's customer relations manager to inform him of the changes.

Then the holder receives:
- An express mail package containing a new smart card (on which are stored the new certificates and associated private keys),
- A personal and confidential envelope containing the PIN code associated with the new smart card.

To be able to use the new smart card, the holder must complete his/her acknowledgement (see 4). The holder is strongly recommended to keep his/her former smart card.

Revocation of certificates

Case of revocation

The company representative must issue a revocation request when any of the following occurs:
- Change of the holder,
- Loss, theft, compromise or suspected compromise (possible, probable or certain) of his private key or associated certificate,
- Death or cessation of business of the certificate holder,
- Loss of the activation data, defective or lost support.

IMPORTANT NOTES: To revoke a certificate, it is necessary to revoke the smart card containing it. Consequently, all certificates contained on this smart card will be revoked. Thus we will speak of revocation of the smart card to represent this.

Revocation request

To revoke a certificate, the company representative should call the RTE Hotline. When the smart card is revoked, an e-mail is sent to the contact to notify the holder of the revocation of his/her smart card.

C. WORKSTATION CONFIGURATION

3 Installation and configuration of the workstation

All operations of this chapter are to be performed only once by a computer specialist with Administrator privileges on your workstation, upon receipt of your "PKI Access Kit" and the smart card reader. Also note that only a few chapters of this manual concern you: the chapters corresponding to the software you use.

Except for the installation of the smart card drivers (see paragraph 3.3), all operations are done under the Windows session of the certificate holder.

3.1 Network configuration

General configuration

The web browser access uses, in a way that is transparent to the user, a software certificate authentication system for access to the RTE portal and encryption of data exchanged via the Internet (HTTPS protocol). Mail exchanges between RTE and the user are routed over the Internet (SMTP protocol, S/MIME format).

IMPORTANT NOTE: Messaging and antivirus gateways, firewalls and content analysers should be configured not to alter or reject messages that are encrypted and signed S/MIME (application/x-pkcs7-mime, .p7s, .p7m) and not to prohibit the flow of HTTPS data (port 443). The network administrator may be requested to perform these operations.
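One way to test the gateway requirement in the note above, as an added example that is not part of the RTE guide: it lists the parts of a message that S/MIME protects and compares a copy captured before the gateway with the copy that was delivered. The sample message, its placeholder signature bytes and all function names are constructed for this example.

```python
# Added example (not part of the RTE guide): compare the S/MIME-protected parts
# of a message captured before and after a mail gateway.
import base64
import hashlib
from email import message_from_bytes, policy

# The guide names application/x-pkcs7-mime and the .p7s / .p7m extensions;
# the other content types are the registered S/MIME equivalents.
SMIME_TYPES = {
    "application/pkcs7-mime", "application/x-pkcs7-mime",
    "application/pkcs7-signature", "application/x-pkcs7-signature",
}
SMIME_EXTENSIONS = (".p7m", ".p7s")


def protected_parts(raw: bytes) -> list:
    """List (content_type, filename, sha256 of decoded content) per protected part."""
    found = []

    def visit(part, in_signed):
        if part.is_multipart():
            signed = in_signed or part.get_content_type() == "multipart/signed"
            for sub in part.iter_parts():
                visit(sub, signed)
            return
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        is_smime = ctype in SMIME_TYPES or fname.lower().endswith(SMIME_EXTENSIONS)
        # Inside multipart/signed the detached signature also covers the body,
        # so the sibling parts are tracked as well.
        if is_smime or in_signed:
            body = part.get_payload(decode=True) or b""
            found.append((ctype, fname, hashlib.sha256(body).hexdigest()))

    visit(message_from_bytes(raw, policy=policy.default), False)
    return found


def gateway_preserved(before: bytes, after: bytes) -> bool:
    """True if the message carried S/MIME content and all of it arrived unchanged."""
    sent = protected_parts(before)
    has_smime = any(
        c in SMIME_TYPES or f.lower().endswith(SMIME_EXTENSIONS) for c, f, _ in sent
    )
    return has_smime and sent == protected_parts(after)


def build_sample(body: bytes, signature=None) -> bytes:
    """Constructed test message; 'signature' is placeholder bytes, not a real PKCS#7."""
    lines = [
        b"From: sender@example.com",
        b"To: holder@example.com",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/signed; boundary="b1";'
        b' protocol="application/x-pkcs7-signature"; micalg=sha-256',
        b"",
        b"--b1",
        b"Content-Type: text/plain; charset=us-ascii",
        b"",
        body,
    ]
    if signature is not None:
        lines += [
            b"--b1",
            b'Content-Type: application/x-pkcs7-signature; name="smime.p7s"',
            b"Content-Transfer-Encoding: base64",
            b'Content-Disposition: attachment; filename="smime.p7s"',
            b"",
            base64.b64encode(signature),
        ]
    lines.append(b"--b1--")
    return b"\r\n".join(lines) + b"\r\n"


if __name__ == "__main__":
    sent = build_sample(b"Meter data attached.", b"placeholder-signature")
    stripped = build_sample(b"Meter data attached.")  # gateway removed smime.p7s
    print("unchanged copy :", gateway_preserved(sent, sent))
    print("stripped copy  :", gateway_preserved(sent, stripped))
```

The hashes are taken over the decoded content of each part, so the check reports removed or rewritten parts; it does not validate the signature itself.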

Specificity of the VPN access

The VPN allows you to establish, from your workstation, a secure connection (based on the authentication to a dedicated site) to RTE's IS via the Internet.

Access to the SSL VPN requires that your workstation can resolve the address secure.iservices.rte-france.com. To see if this is the case, open your Start menu, type "run" in the search bar and click the "Run" icon. In the window that appears, enter the command:

    cmd /k ping secure.iservices.rte-france.com

Click the OK button.

A window appears containing the information:
- If the first line begins with "Sending a query 'ping' on secure.iservices.rte-france.com", the address secure.iservices.rte-france.com is resolved. Your workstation is configured properly.
- If the first line begins with "Ping request could not find the host secure.iservices.rte-france.com.", the address secure.iservices.rte-france.com is not resolved. Please contact your IT support so that they make the necessary changes.

In addition to this test, you need to install on your workstation the JIS (Juniper Installation Service) module available on the RTE customer site. Refer to the section concerning the browser you use for more details:
- if you use Internet Explorer
- if you use Mozilla Firefox.

3.2 Software configuration

The software configuration required for your workstation is as follows:

Operating systems:
- Microsoft Windows Seven 32 bits without SP or with SP1
- Microsoft Windows Seven 64 bits without SP or with SP1

Web browsers, either:
- Microsoft Internet Explorer 11
- Mozilla Firefox > 45 ESR

3.3 Installation of smart card reader

A Gemalto smart card reader is provided. Do not plug in the smart card reader before the procedure asks you to.

As a first step, it is necessary to install the driver for the smart card. To do this, execute the following program, which you can find in the PKI Access Kit given by RTE (see 2). The driver exists in a 32 bits or 64 bits version:

    <PACKAGE>\Smart Card Kit\Readers_Drivers\Gemalto\Classic_Client_32_Admin_setup.msi
    <PACKAGE>\Smart Card Kit\Readers_Drivers\Gemalto\Classic_Client_64_Admin_setup.msi

If necessary, a window appears asking you for authorisation to run the installation file of the smart card reader driver. In that case click Yes.

You can choose the installation language from the window that appears: Click OK, then wait.

The following window appears: Click Next.

Select "I accept the terms in the license agreement" then click Next.

Click Next.

The next window enables you to choose the type of installation. Choose Complete.

Click Next.

Click Install.

If necessary, a window appears and asks you to authorise the installation program to run. Click Yes.

The smart card reader software installation launches. Please wait during installation.

Once the installation is finished, click Finish.

Click Yes to restart the workstation.

After restarting your workstation, the icon representing a smart card reader crossed by a red cross should appear in the taskbar (near the Windows clock):

Now plug in the smart card reader on a USB port of your workstation. The detection and installation of the reader are automatic. After the reader has been plugged in, an information bubble indicates that the installation is ongoing.

The icon representing a smart card reader should appear in the taskbar. This icon indicates the reader has been installed. Then an information bubble indicates that the device "USB Smart Card Reader" is correctly installed.

An icon in the taskbar indicates the state of the smart card reader. The list below shows the different states of the smart card reader and the associated icons.

- The smart card reader is not connected.
- The smart card reader is connected but doesn't contain any smart card.
- The smart card reader is connected and a smart card has been inserted. No certificate is available.
- The smart card reader is connected and a smart card has been inserted. The smart card contains a certificate.

4 Smart card acknowledgement

4.1 Foreword

After having installed your smart card reader and received your holder card and the associated PIN code, you will need to acknowledge that you received the smart card, so that the IS access request is taken into account by RTE.

IMPORTANT NOTE: It is necessary to acknowledge your smart card upon receipt of the card and its PIN code. Without this, RTE cannot guarantee the proper functioning of the service.

Acknowledgement can be done through the browser that you use to connect to the applications portal or by telephoning the RTE Hotline. This step has to be done only once by the smart card holder.

4.2 Acknowledgement through your browser

The acknowledgement process through the browser you use is described in the following paragraphs:
- 5.5 for Microsoft Internet Explorer
- 6.5 for Mozilla Firefox.

4.3 Acknowledgement through the RTE Hotline

If you don't have web access (HTTP), you must make your acknowledgement request through the RTE Hotline. You must have with you your personal identifier (input in your form no. 3).

NOTE: You can now connect in HTTPS mode to the web services to which you have subscribed.

D. WEB ACCESS TO THE RTE INFORMATION SYSTEM

Please refer directly to the chapter associated with the browser you are using for your default Web exchanges with RTE:
- Chapter 5 if you are using Microsoft Internet Explorer as your web browser
- Chapter 6 if you are using Mozilla Firefox as your web browser

5 Microsoft Internet Explorer

5.1 Preliminary configuration

Configuration of the security settings

This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol).

In the browser, select the menu "Tools > Internet Options":

Select the "Advanced" tab:

In the "Security" section, make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.

Adding trusted sites

In order to log on to web sites with your software certificate, it is imperative to add these sites to the list of trusted sites. The Trusted Sites zone allows the declaration of site names you consider safe.

In this section, you must be logged in to the workstation with the Windows account that will use the software certificate. To do this, open Internet Explorer and click the menu "Tools > Internet Options".

In the window that appears, click the "Security" tab. Select the "Trusted Sites" icon and click the "Sites" button.

The following window appears:

In the field "Add this website to the zone", enter the URL corresponding to the PKI:

Then click Add. The site then appears in the Websites list as shown below.

Proceed in the same way to add the following websites:
- this is the internet portal
- this is the SSL VPN connection portal

The 3 websites shall now appear in the Websites list. Click Close, then OK.

Installing RTE's CA root certificate

Download and install

RTE's CA root certificate must now be installed in your browser so that RTE is recognized as a trusted Certificate Authority. To do so, please go to the following address:

IMPORTANT NOTE: The site's address is case-sensitive, so it is imperative to follow exactly the URL address below (upper / lower case).

The download window appears: Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer" containing the root certificate.

Once the download is completed, the following window appears. Click "Open folder" to go to the directory where you saved the file.

Right-click the "Certification_Autority_RTE_2048.cer" file you just downloaded and choose "Install Certificate".

The installation wizard of the certificate is displayed: Click Next.

Select "Place all certificates in the following store" and click "Browse".

In the window that appears, select "Trusted Root Certification Authorities" and click "OK".

Once you have chosen the certificate store, you get the following window: Click "Next".

Click "Finish". The next window will say that the root certificates have been successfully imported. Click OK.

Visualisation and verification of RTE's CA root certificate

The root certificate that you just imported is stored in the Trusted Root Certification Authorities store of Internet Explorer. To view it, click the menu "Tools > Internet Options".

A window appears. Go to the "Content" tab and click the "Certificates" button.

In the window that appears, go to the tab "Trusted Root Certification Authorities":

Select the certificate "RTE Certification Authority". Click the button "View" then click the "Details" tab to display detailed information about the certificate.

To ensure the authenticity of this certificate, carefully check that the thumbprint "SHA1" or "MD5" related to the certificate "RTE Certification Authority" is identical to those presented below.

Digital hashes of the certificate "RTE Certification Authority":
SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
MD5 77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77

If this is not the case: delete the certificate and call the Hotline.

Display and verification of your certificate on smart card

Your certificate on smart card is automatically detected by Internet Explorer and no extra configuration is necessary.

To display the certificate of your smart card in Internet Explorer, start by inserting your smart card in the reader. You will need to access the web browser certificate store. To do so, open the certificate store via the menu "Tools > Internet Options":

Then select the "Content" tab and click the "Certificates" button:

Another window appears. Select your certificate then click View.

A window appears and displays the characteristics of the certificate. By default, the General tab is selected and displayed.

It is valid for 2 years from the generation date of the smart card.

The "Certification Path" tab allows checking the validity of your certificate. The "Certificate status" and the complete visualization of the certification path (2 levels) indicate that your certificate and the root certificate have been correctly installed and all use conditions of your certificate have been met.

The "Details" tab allows you to view the full name of the holder and the address to which the certificate is attached.


Using your certificate

Authentication and encryption

IMPORTANT NOTE: To be able to use your smart card, it must absolutely have been acknowledged (see 4).

WARNING: To be able to authenticate yourself on a website with your smart card, the site URL must be part of the browser's list of trusted sites (see "Adding trusted sites").

Steps to follow:
- Insert your smart card,
- Launch Internet Explorer,
- Enter the URL of RTE's application or of RTE's customer service portal:
- During the authentication, the browser will ask you to select the certificate to use for authentication, then (if it has been defined) the certificate store protection password, or the PIN code of your smart card,
- If multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button "Display certificate" to visualize its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to a RTE web application

Insert your smart card in the reader. Enter the URL of the application (starting with https) in the Internet Explorer address bar then press Return.

Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site.

The line "click here to view certificate properties" lets you view the content of the selected certificate. Click the OK button to access the application.

The window below asks for the PIN code of your smart card. Enter the code, then click the OK button.

The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):

Additional operations

Acknowledgement through the browser

This paragraph describes the acknowledgement process (see chapter 4) via Microsoft Internet Explorer. Before starting, make sure you have done the preliminary Internet Explorer configuration (see 5.1) and have added the URL to trusted sites (see "Adding trusted sites").

Connect to the following URL:

IMPORTANT NOTE: The site's address is case sensitive (lower case / upper case), so it is imperative that you copy the URL below exactly.

Click Acknowledgement. The following window appears:

In the field "Certificate", enter the address linked to the certificate contained in the smart card to be acknowledged, and click Send.

Insert your smart card in the reader and click Continue.

Select one of the certificates that are on your card. To choose it, you can display the different listed certificates and thus find the one to present. Then click OK.

Then enter your card PIN code and click OK.

Verify the information displayed on the screen and click Send to acknowledge your smart card.

The acknowledgement is finished.

Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE's FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 4.4). Once the channel is established, all communications with the requested RTE service will be encrypted.

The use of SSL VPN requires a dedicated tool, which is installed during the first login to the site. The application is called Windows Secure Application Manager (WSAM). SSL VPN enables secure access to your mailboxes hosted on RTE's FrontOffice.

Prerequisite

The website secure.iservices.rte-france.com must be declared as a trusted site (see 4.1.2).

IMPORTANT NOTE: Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

JIS (Juniper Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future WSAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable under the link:

And extract the compressed file:

Once the file is executed, the following window appears, asking you for authorization to start the service. Click Run.

The following window appears. Click "Yes". This will enable the service to start installing.

It will be automatically activated at every operating system launch. Click Close to close the window.

First connection

This paragraph applies only to your first login to the SSL VPN with Internet Explorer.

IMPORTANT: The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the WSAM application.

Before continuing, you need to disable ActiveX Filtering. To do so, press the "Alt" key on your keyboard. A menu bar appears at the top of the window. Click the Tools button, and make sure "ActiveX Filtering" is off.

Launch your browser and go to the following website:

The following window appears: Select your certificate then click OK.

If necessary, the window below asks for the PIN code of your smart card. Enter the code, then click the OK button.

If necessary, the browser then displays a link to download the WSAM if it has not yet been installed (see 5.6.2):

If no manual intervention has been done, the following installation pop-up appears:

If necessary, a window appears asking you for authorisation to execute the application. Click Yes.

The Juniper client then gets installed and the WSAM application installation starts: Wait during the installation.

If the following window appears, click Yes:

Once the installation is completed, the following page appears:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then, the icon appears in your taskbar.

Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Launch your browser and go to the following website:

The following window appears: Select your certificate then click OK.

If necessary, the window below asks for the PIN code of your smart card. Enter the code, then click the OK button.

If necessary, the window below appears. Click Yes.

The WSAM application launches automatically and the following page appears:

If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm. Then, the icon appears in your taskbar.

Notes:
- The certificate is only used to establish the connection to the SSL VPN.
- To close the SSL VPN session, click the "Sign out" button (top right of the page).

Use case to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard client. Access to hosted mailboxes requires the SSL VPN connection to be established (see ).

The account configuration in your mail client is then to be made with the following parameters:
- Mail server type: POP Server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com

When your access to RTE's FrontOffice is provided, you will receive your login name, your password and your address.

NOTE: Because the messages are transferred through a secure channel, sending and receiving messages does not require the use of a certificate to encrypt messages.

6 Mozilla Firefox

6.1 Preliminary configuration

Configuration of security settings

The SSL standard, allowing access to sites with an encrypted connection (HTTPS protocol), is disabled by default in recent versions of Firefox. The supported versions of Firefox are specified in 3.2.

The standards supported by default are: TLS 1.0 to TLS 1.2. In case of problems, please report the issue to the support.

Adding the smart card to the security devices of Firefox

Mozilla Firefox does not automatically take the smart card reader into account. The smart card reader driver must be added manually to the security devices known to Firefox.

To do this, insert your smart card in the reader. Then go to the Tools menu at the top right of the Mozilla Firefox window, then click on the Options icon.

A window appears. Choose the Advanced tab, then the subcategory Certificates.

It is necessary to add the smart card reader driver in order to have Firefox take the smart card into account. To do this, click Security Devices.

The following window appears. Click Load. Another window appears as described below:

Give the module a name, for example "Smart Card". Then click Browse.

Browse your Gemalto software installation folder (for example C:\Program Files\Gemalto\Classic Client\BIN) to find the file named "gclib.dll". Select the "gclib.dll" file, then click Open.

The following window appears. Click Ok.

The smart card driver has been added to the list of Security Devices taken into account by Firefox. Click Ok.

Installing RTE's CA root certificate

Download and install

RTE's CA root certificate must now be installed in your browser so that RTE is recognized as a trusted Certificate Authority. To do so, please go to the following address:

Select "Save file" then click OK. A location to save the file Certification_Autority_RTE_2048.cer might be requested.

Once the file is downloaded, click the Tools menu at the top right corner of the window, then click the Options icon:

A window appears. Choose the Advanced tab then the subcategory Certificates. Click on the "View certificates" button.

Select the Authorities tab and click Import:

Select the previously saved file. A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE's CA.

66 Page : 66/ Visualisation and verification of RTE s CA root certificate Click the "View" button to verify that the certificate that you are going to trust is the RTE root certificate: To ensure that you have downloaded the real RTE CA's root certificate, check carefully that the "SHA1" or "MD5" hashes displayed are identical to those shown below. Hashes of RTE s CA root certificate are recalled here: SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12 MD5 77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77 If this is not the case: click Close to go back to the precedent window and click Cancel then call RTE s Hotline.
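The fingerprint comparison described above can also be done on the saved file itself, outside the browser dialog. The following Python code is an added example, not part of RTE's guide: it computes the SHA1 or MD5 fingerprint of a .cer file (binary DER or Base64/PEM) and compares it with the values published in this guide. The function names and the constructed sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints of RTE's CA root certificate as published in this guide.
RTE_ROOT_SHA1 = "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12"
RTE_ROOT_MD5 = "77:4C:12:7D:FD:1D:36:9E:8A:21:85:73:7C:2D:44:77"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
# Only the two algorithms the guide publishes, with their hex digest lengths.
_DIGEST_HEX_LEN = {"sha1": 40, "md5": 32}


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding of a .cer file that is either DER or PEM."""
    match = _PEM_RE.search(cert_bytes)
    if match is None:
        return cert_bytes  # already binary DER
    # b64decode ignores the line breaks inside the PEM body.
    return base64.b64decode(match.group(1))


def fingerprint(cert_bytes: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER bytes and format the digest as AA:BB:CC, like the browser."""
    if algorithm not in _DIGEST_HEX_LEN:
        raise ValueError("only sha1 and md5 fingerprints are published")
    digest = hashlib.new(algorithm, to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(published: str, algorithm: str) -> str:
    """Drop separators and case; reject truncated or non-hex values."""
    hex_only = re.sub(r"[\s:\-]", "", published).lower()
    if (len(hex_only) != _DIGEST_HEX_LEN[algorithm]
            or re.fullmatch(r"[0-9a-f]+", hex_only) is None):
        raise ValueError(f"not a complete {algorithm} fingerprint: {published!r}")
    return hex_only


def matches_published(cert_bytes: bytes, published: str,
                      algorithm: str = "sha1") -> bool:
    """True only if every byte of the fingerprint equals the published one."""
    actual = normalize(fingerprint(cert_bytes, algorithm), algorithm)
    expected = normalize(published, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes (a tiny DER SEQUENCE), NOT a real certificate.
CONSTRUCTED_DER = bytes.fromhex("3003020101")
CONSTRUCTED_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(CONSTRUCTED_DER)
    + b"-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_fingerprint.py Certification_Autority_RTE_2048.cer
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
        print("SHA1:", fingerprint(data, "sha1"))
        print("MD5: ", fingerprint(data, "md5"))
        ok = (matches_published(data, RTE_ROOT_SHA1, "sha1")
              and matches_published(data, RTE_ROOT_MD5, "md5"))
        print("matches the published hashes" if ok else "MISMATCH: do not trust")
    else:
        print("constructed sample SHA1:", fingerprint(CONSTRUCTED_PEM))
```

A mismatch leads to the same outcome as in the dialog: do not import the file and call RTE's Hotline.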

If, after verification, the hash of the certificate that you imported matches the "SHA1" or "MD5" hash above, you can consult the details of the certificate by clicking on the "Details" tab:

By clicking on the "Close" button, you return to the initial window: "Downloading certificate" (see above). In this window, click the "OK" button: the RTE CA's root certificate is then installed in Mozilla Firefox.

To view the certificate later in Mozilla Firefox, go to the "Tools" menu on the top right of the window then click the "Options" icon:

A window appears. Select the Advanced tab then the subcategory Certificates. Click the View certificates button.

In the Authorities tab you can verify that the root certificate RTE Certification Authority is correctly saved on your PC (Software Security Device) and view it by clicking on View.

Visualisation and verification of your smart card certificates

Once the smart card reader driver has been added to Firefox (in 6.1.2), it is possible to view the certificate contained in the smart card.

To do this, insert your smart card in the card reader plugged into your computer's USB port. Then go to the Tools menu at the top right of the window, and click on the Options icon:

Choose the Advanced tab, then the Certificates subcategory. Click View Certificates. In the window that appears, input your card PIN code. Click OK.

Click on the Your Certificates tab. The certificates that are on your smart card are those where Gem appears in the column Security Devices. You can view your certificates by selecting them in the list and then clicking View.

The first tab, General, displays the message "This certificate has been verified for the following uses".

The second tab, Details, displays the hierarchy of certificates with the RTE CA root certificate. This ensures that all certificates have been correctly installed, and that all correct usage conditions are brought together.

Using your certificate

Authentication and encryption

Steps to follow:
- Insert your smart card,
- Launch Mozilla Firefox, enter the URL to RTE's application or to RTE's customer service portal :
- During the authentication, the browser will ask you to select the certificate to use for authentication, then (if it has been defined) the certificate store protection password or the PIN code of your smart card,
- Multiple certificates are presented; you must choose the one supplied for the application you wish to access (use the button Display certificate to view its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

When you access the https homepage, you will be asked to enter your smart card password:

Then, you will be asked to choose your certificate. Select your certificate from the drop-down list entitled "Choose a certificate to present as identification", then click OK.

The home page is then securely displayed (a closed padlock appears to the left of the URL entry field):

Additional operations

Acknowledgement through the browser

This paragraph describes the acknowledgement process (see chapter 4) via Mozilla Firefox. Before you start, make sure you have completed the Firefox preliminary configuration. Make sure as well that the smart card reader driver has been correctly added and installed in Firefox.

Connect to the following URL:

IMPORTANT NOTE
The site's address is case sensitive, so it is imperative to copy the URL exactly (lower case/upper case).

Click Acknowledgement.

The following page appears: Fill in the field Certificate with the address linked to the certificate contained in the smart card that is to be acknowledged, and click Send. Insert your smart card in the reader and click Continue. Input your card PIN code and click OK.

Select a valid certificate contained in your card. To choose it, you can display the different listed certificates and find the one to present. Then click OK. Verify the information presented on the screen and click Send to acknowledge your smart card.

The acknowledgement is finished.

Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE's FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see section 6.4). Once the channel is established, all communications with the requested RTE service will be encrypted.

The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Windows Secure Application Manager (WSAM). SSL VPN enables secure access to your mailboxes hosted on RTE's FrontOffice.

Prerequisites

In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) or higher needs to be installed on your workstation. If this is not the case, you can download the latest version on Oracle's website:

IMPORTANT NOTE
Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (see section 3.1).

JIS (Juniper Installation Service) is a Windows service made available on the RTE customer site. Once installed, this service allows future WSAM versions to be updated without requiring the intervention of a person with administrator privileges on the machine. To do so, download the executable under the link :

And extract the compressed file: Once the file is executed, a window appears that asks for authorization to start the service. Click Run : The following window appears. Click Yes. This enables the service installation to start.

This service will be automatically activated at every operating system launch. Click Close to close the window.

First connection

This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox.

IMPORTANT
The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the WSAM application.

Launch your browser and go to the following website:

If necessary, you will be asked to input your smart card password: Click Ok. The following window appears: Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click OK.

If a window appears asking you permission to execute a script from Juniper Network, Inc. : click Yes.

If the red icon below appears, click it in the address bar. Then in the dropdown menu of the message, select "Allow and remember".

If necessary, the following window appears: If the window below appears: click Yes. The installation of the WSAM application starts: If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then the window below appears: Then the icon appears in your taskbar, which means you are now connected to the SSL VPN. Click the "Sign out" button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Run your browser and access the following website:

If necessary, you will be asked to input your smart card password: Click Ok. The following window appears: Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click OK.

If a window appears asking you permission to execute a script from Juniper Network, Inc. : click Allow. If the window below appears: click Yes. If your Internet access requires authentication to a proxy, a window appears asking for your login and password. Enter them and confirm.

Then the window below appears: Then the icon appears in your taskbar, which means you are now connected to the SSL VPN.

Notes:
- The certificate is only used to establish the connection to the SSL VPN.
- To close the SSL VPN session, click on the Sign out button (top right of the page).

Use case: accessing hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard client. Access to hosted mailboxes requires the SSL VPN connection to be established (see ). The account in your mail client must then be configured with the following parameters:
- Mail server type : POP Server
- POP server address : pop.services.rte-france.com
- SMTP server address : smtp.services.rte-france.com

When your access to RTE's FrontOffice is provided, you will receive your login name, your password and your address.

NOTE
Because the messages are transferred through a secure channel (all communications are automatically encrypted), sending and receiving messages do not require the use of a certificate to encrypt messages.

E. APPENDICES

7 Changing the smart card PIN code

The smart card you have been given is protected by a PIN code (password) known only by the holder. This password is requested when you use your smart card and makes it possible to verify you are the genuine card holder (see 1.3).

The initial PIN code is given to you in a personal and confidential envelope. It is then strongly recommended to personalise your smart card PIN code. The constraints for your new PIN code are the following:
- 6 to 16 digits,
- different from the former PIN code,
- repeat sequence of digits is forbidden.

To change your card PIN code, please follow the process below:

Insert your smart card in the reader. Click Start, then go to the All programs > Gemalto > Classic Client menu and click Classic Client Toolbox.

The following window appears. Click on the subcategory Administration Card.

Click on the PIN Management button, select your smart card reader in the list, check the Change PIN box then click Next. In the dropdown list, choose User. Input your current PIN code. Input your new PIN code. Confirm your new PIN code.

Your new PIN code must abide by the rules of the PIN Policy (box on the right side of the page), if it was defined. When you input the new PIN code, a green tick or a red cross will appear next to each rule depending on whether it was followed or not. You will be able to click Change PIN only if all the rules have green ticks like on the screenshot above.

Once it is possible, click Change PIN. Click OK. The PIN code of your smart card has been changed.

8 Secure environment (PKI)

This appendix describes the secure environment in which the PKI is operated. It describes in particular:
- The concepts of secure environment and the corresponding data objects handled by the PKI,
- The role of the various entities involved in the operation process of a PKI.

8.1 Concepts and objects managed by a PKI

This appendix presents the key concepts for understanding the role of objects managed by a PKI: presentation of the principles structuring a safe process, the role of dual-keys, certificates.

What is a secure process?

Definition of a PKI

With a PKI (Public Key Infrastructure), each holder has a pair of keys - a private key, known only by its owner, and a public key - linked by a complex mathematical relationship, making it virtually impossible to determine the private key from knowledge of the public key alone. This means that the probability of determining the private key from the public key in a reasonable time is very low.

Data encrypted with a key (typically, the public key) can only be decrypted with the other (typically the private key). The confidentiality of the messages exchanged is ensured on the basis of this principle.

This process is commonly called "asymmetric cryptography" as opposed to "symmetric cryptography" that uses a common key for both encryption and decryption.

The four pillars of information exchange security

This electronic identity card aims at establishing an environment of trust whose four pillars are:
- authentication identifies parties in a sure and reliable way,
- confidentiality prevents non-recipients from reading the data,
- integrity ensures that data has not been altered,
- non-repudiation makes it impossible for a party to refute the transmitted information.

The cryptographic solution

Because of the technology used (protocols, architectures, etc.), the information circulating on the Internet is not confidential. These technologies also do not meet the other three security requirements set out above.

To preserve the confidentiality of exchanges via the Internet, the data must be rendered incomprehensible to all except the recipients. Encryption is the right solution.

Data encryption naturally goes together with the authentication of the system's users. While some data are confidential, it is necessary for issuers and recipients of this information to authenticate safely and unequivocally, to conduct secure exchanges.

Authentication is based on the possession of a certificate. This element is issued by a Certification Authority that stakeholders of a transaction trust (in our case, the Certification Authority is RTE). Thus, the carriers can have confidence in the information provided to them and RTE knows that only authorized holders access the information.

NOTE
In a similar process, in daily life, it is necessary to provide a piece of identification issued by an authority to access certain privileges reserved for citizens of the country (expensive purchases, voting right, etc.).

The importance of dual-keys

Each holder has a public key and an associated private key.

The private key is a key that the holder must keep confidential. He is the only one who possesses it and is able to use it. He does not necessarily know it himself (for example: it may be in a smart card which it cannot leave, but access to the card is protected by a PIN code known only to its owner).

The public key, as its name suggests, is public and can be communicated to all. The public keys of holders are used only to encrypt messages intended for them. If an encrypted message was intercepted, it would be without consequence on its confidentiality as it cannot be decrypted (in a reasonable time) by a person not having the associated private key.

The private key enables its owner to sign a message he sends and to decrypt an encrypted message he receives. In contrast, the public key of a person is used to encrypt a message sent to him and to verify the signature of a message he receives.

Encryption and decryption of a message

Each message is encrypted with the public key of the recipient, who will decrypt it with his private key. When RTE sends a message to the client A:
1. RTE has the public key of client A (via the public part of the certificate).
2. RTE automatically encrypts the message using the public key of client A and sends it via RTE's system.
3. Client A receives the message and automatically decrypts it with his private key.

Encryption and decryption with dual-keys.

The use of keys to sign a message

Each message is signed with the private key of the issuer. The origin (the signature) of a message can be checked with the public key of the issuer, freely accessible via its certificate.

To prove to client A that the received message is actually from RTE, RTE automatically signs the message with its (RTE's) private key before sending it to the client A.

Signing and signature verification with dual-keys.

When the client A receives the message from RTE, it automatically verifies the signature of the received message with the public key of RTE.

Certificates

Objectives of digital certificates

Since public keys are used to verify electronic signatures and encrypt messages, it is essential for any carrier to be certain of the identity of the owner of a public key: it is the role of the certificate.

Characteristics of a certificate

A certificate is a digital ID:
- that guarantees the identity of the holder from a remote site,
- that includes data facilitating the identification,
- that is resistant to counterfeit and issued by a trusted third party: the Certification Authority.

A Certification Authority is an entity that creates and manages certificates. It defines the rules for registering the various holders in the PKI.

Structure of a certificate

A digital certificate contains:
- the public key of its holder,
- the name of the holder and any other identification information (e-mail address of the person if the certificate is used to sign e-mails),
- the certificate's period of validity,
- the name of the certification authority that issued the certificate,
- a unique serial number,
- the signature of the certification authority.

Examples of certificates

A digital certificate on Internet Explorer

A digital certificate on Mozilla Firefox

8.2 Documentation

Reference documents:
- Subscription contract to RTE's secure Information System.

Websites:
- Law of 13th March 2000 on the adaptation of law of evidence to information technologies and on electronic signature:
- Directive 1999/93/CE of 13th December 1999 on a Community framework for electronic signatures :
- Draft decree on electronic signatures :
- OpenTrust (formerly Keynectis) :

TIBCO Managed File Transfer Internet Server Transfer and File Share Clients User's Guide TIBCO Managed File Transfer Internet Server Transfer and File Share Clients User's Guide Software Release 8.1 March 2018 Two-Second Advantage 2 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES

More information

How to Configure SSL Interception in the Firewall

How to Configure SSL Interception in the Firewall Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted traffic to allow Application Control features (such as the Virus Scanner, ATD, URL Filter, Safe Search,

More information

NetExtender for SSL-VPN

NetExtender for SSL-VPN NetExtender for SSL-VPN Document Scope This document describes how to plan, design, implement, and manage the NetExtender feature in a SonicWALL SSL-VPN Environment. This document contains the following

More information

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1 CLIQ Web Manager User Manual V 6.1 The global leader in door opening solutions Program version: 6.1 Document number: ST-003478 Date published: 2016-03-31 Language: en-gb Table of contents 1 Overview...9

More information

Configuring the Cisco APIC-EM Settings

Configuring the Cisco APIC-EM Settings Logging into the Cisco APIC-EM, page 1 Quick Tour of the APIC-EM Graphical User Interface (GUI), page 2 Configuring the Prime Infrastructure Settings, page 3 Discovery Credentials, page 4 Security, page

More information

Version Installation Guide. 1 Bocada Installation Guide

Version Installation Guide. 1 Bocada Installation Guide Version 19.4 Installation Guide 1 Bocada Installation Guide Copyright 2019 Bocada LLC. All Rights Reserved. Bocada and BackupReport are registered trademarks of Bocada LLC. Vision, Prism, vpconnect, and

More information

SMKI Code of Connection

SMKI Code of Connection SMKI Code of Connection DCC Public Page 1 of 12 Contents 1 Connection Mechanism... 4 1.1 Browser Policy... 4 2 SMKI Services interfaces... 5 2.1 SMKI Services interfaces via DCC Gateway Connection... 5

More information

WP doc5 - Test Programme

WP doc5 - Test Programme European Commission DG Enterprise IDA PKI European IDA Bridge and Gateway CA Pilot Certipost n.v./s.a. Muntcentrum 1 B-1000 Brussels Disclaimer Belgium p. 1 / 29 Disclaimer The views expressed in this

More information

SafeConsole On-Prem Install Guide

SafeConsole On-Prem Install Guide SafeConsole On-Prem Install Guide This guide applies to SafeConsole 5.0.5 Introduction This guide describes how to install a new SafeConsole server on Windows using the SafeConsole installer. As an option,

More information

esigntrust Qualified Certificate Installation

esigntrust Qualified Certificate Installation esigntrust Qualified Certificate Installation For Microsoft Windows System & Internet Explorer User Equipment Installation Guide Version. 2017-01 Copyright Correios e Telecomunicações de Macau, 2017 All

More information

RB Digital Signature Proxy Guide for Reporters

RB Digital Signature Proxy Guide for Reporters RB Digital Signature Proxy Guide for Reporters Table of Contents RB-DSP registration workflow.... 1 Obtaining your certificate.... 2 Using Firefox to obtain your certificate.... 2 Using Internet Explorer

More information

School Installation Guide ELLIS Academic 5.2.6

School Installation Guide ELLIS Academic 5.2.6 ELLIS Academic 5.2.6 This document was last updated on 2/16/11. or one or more of its direct or indirect affiliates. All rights reserved. ELLIS is a registered trademark, in the U.S. and/or other countries,

More information

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

Instructions For Configuring Your Browser Settings and Online Banking FAQ's Instructions For Configuring Your Browser Settings and Online Banking FAQ's Instructions By Browser Type Google Chrome Firefox Internet Explorer 8 Internet Explorer 9 Safari Online Banking FAQ's Google

More information

CertAgent. Certificate Authority Guide

CertAgent. Certificate Authority Guide CertAgent Certificate Authority Guide Version 7.0 July 5, 2018 Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security Corporation.

More information

Key Management and Distribution

Key Management and Distribution Key Management and Distribution Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive Asseco Data Systems S.A. Podolska Street 21 81-321 Gdynia, Poland Certum - Powszechne

More information

Setting up IMAP Mail in Outlook

Setting up IMAP Mail in Outlook Setting up IMAP Mail in Outlook Setting up the Certificate in Internet Explorer 1. Open up Internet Explorer. Browse to https://intranet.yourschooldomain.school.nz. You will get a Certificate Error. Click

More information

FUJITSU Cloud Service S5. Introduction Guide. Ver. 1.3 FUJITSU AMERICA, INC.

FUJITSU Cloud Service S5. Introduction Guide. Ver. 1.3 FUJITSU AMERICA, INC. FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 FUJITSU AMERICA, INC. 1 FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 Date of publish: September, 2011 All Rights Reserved, Copyright FUJITSU

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

CertAgent. Certificate Authority Guide

CertAgent. Certificate Authority Guide CertAgent Certificate Authority Guide Version 6.0.0 December 12, 2013 Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security

More information

Workspace ONE UEM Notification Service 2. VMware Workspace ONE UEM 1811

Workspace ONE UEM  Notification Service 2. VMware Workspace ONE UEM 1811 Workspace ONE UEM Email Notification Service 2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Schneider Electric Floating License Manager

Schneider Electric Floating License Manager Schneider Electric Floating License Manager EIO0000001078 11/2012 Schneider Electric Floating License Manager User Manual 12/2012 EIO0000001078.01 www.schneider-electric.com The information provided in

More information

Chapter 9. Protecting Attachments

Chapter 9. Protecting  Attachments PROTECTING EMAIL ATTACHMENTS Chapter 9. Protecting Email Attachments This chapter describes the Workshare Protect functionality with regard to identifying content risk in emails and their attachments.

More information

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates Index INDEX... 2 1. DISCLOSURE TEXT APPLICABLE TO NATURAL PERSON CERTIFICATES ISSUED ON QSCD...

More information

Guide Installation and User Guide - Linux

Guide Installation and User Guide - Linux Guide Installation and User Guide - Linux With Fujitsu mpollux DigiSign Client, you can use your smart card for secure access to electronic services or organization networks, as well as to digitally sign

More information

The SafeNet Security System Version 3 Overview

The SafeNet Security System Version 3 Overview The SafeNet Security System Version 3 Overview Version 3 Overview Abstract This document provides a description of Information Resource Engineering s SafeNet version 3 products. SafeNet version 3 products

More information

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS) This chapter provides information about Hypertext Transfer Protocol over Secure Sockets Layer. HTTPS, page 1 HTTPS for Cisco Unified IP Phone

More information

Instructions for Configuring Your Browser Settings and Online Security FAQ s

Instructions for Configuring Your Browser Settings and Online Security FAQ s Instructions for Configuring Your Browser Settings and Online Security FAQ s General Settings The following browser settings and plug-ins are required to properly access Digital Insight s webbased solutions.

More information

NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp

NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp NTP Software Defendex (formerly known as NTP Software File Auditor) for NetApp Installation Guide This guide provides a short introduction to the installation and initial configuration of NTP Software

More information

Sophos Mobile Control SaaS startup guide. Product version: 7

Sophos Mobile Control SaaS startup guide. Product version: 7 Sophos Mobile Control SaaS startup guide Product version: 7 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8 5 Change your login

More information

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Introduction to SSL. Copyright 2005 by Sericon Technology Inc. Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter

More information

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the

More information

Cisco CTL Client Setup

Cisco CTL Client Setup This chapter provides information about Cisco CTL client setup. About, page 2 Addition of Second SAST Role in the CTL File for Recovery, page 2 Cluster Encryption Configuration Through CLI, page 3 Remove

More information

Sophos Mobile as a Service

Sophos Mobile as a Service startup guide Product Version: 8 Contents About this guide... 1 What are the key steps?... 2 Change your password... 3 Change your login name... 4 Activate Mobile Advanced licenses...5 Check your licenses...6

More information

Quick Start Guide Installation Guide for FleetBoard Clients

Quick Start Guide Installation Guide for FleetBoard Clients Quick Start Guide Installation Guide for FleetBoard Clients Dear customer, this Quick Start Guide is meant to support you in the installation of the FleetBoard Clients. The following topics will be explained

More information

The Match On Card Technology

The Match On Card Technology Precise Biometrics White Paper The Match On Card Technology Magnus Pettersson Precise Biometrics AB, Dag Hammarskjölds väg 2, SE 224 67 Lund, Sweden 22nd August 2001 Abstract To make biometric verification

More information

EID/ERESIDENCE CARD MIDDLEWARE

EID/ERESIDENCE CARD MIDDLEWARE EID/ERESIDENCE CARD MIDDLEWARE Quick Installation Guide This quick installation guide aims to help out users to set up the eid/eresidene Card Middleware software and prepare the computer to use and read

More information

Indeed Card Management Smart card lifecycle management system

Indeed Card Management Smart card lifecycle management system Indeed Card Management Smart card lifecycle management system Introduction User digital signature, strong authentication and data encryption have become quite common for most of the modern companies. These

More information

Connect to Wireless, certificate install and setup Citrix Receiver

Connect to Wireless, certificate install and setup Citrix Receiver Connect to Wireless, certificate install and setup Citrix Receiver This document explains how to connect to the Wireless Network and access applications using Citrix Receiver on a Bring Your Own Device

More information

Contents. Limitations. Prerequisites. Configuration

Contents. Limitations. Prerequisites. Configuration Welcome to your Netmail Secure trial The trial version of Netmail Secure allows you to evaluate Netmail Secure from within your own corporate domain. Included is a sample mail feed that is automatically

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide January 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

ivest Client 4.0 Release User Guide

ivest Client 4.0 Release User Guide ivest Client 4.0 Release User Guide Windows Vista Documentation Version 4.0.0.1 ( 29-April-2008 ) MIMOS BERHAD TECHNOLOGY PARK MALAYSIA 57000 KUALA LUMPUR http://www.ivest.com.my http://www.mimos.my Copyright

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1.2 This document supports the version of each product listed and supports all subsequent

More information

Automation Anywhere Enterprise 10 LTS

Automation Anywhere Enterprise 10 LTS Automation Anywhere Enterprise 10 LTS Document Version: 1.3 Installation Guide Date of Publication: 15 th November, 2016 Update(s) to this document edition: Table of Contents 1. Client Prerequisites Processor

More information

Cryptography (Overview)

Cryptography (Overview) Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography

More information

Troubleshooting. Cisco WebEx Meetings Server User Guide Release 3.0 1

Troubleshooting. Cisco WebEx Meetings Server User Guide Release 3.0 1 Participants List Displays Multiple Entries for the Same User, page 2 404 Page Not Found Error Encountered, page 2 Cannot Start or Join a Meeting, page 2 SSO Does Not Work with ios Devices, page 4 Meeting

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide Using SafeNet Authentication Service as an Identity Provider for SonicWALL Secure Remote Access All information herein is either public information or is

More information

Communication. Identity

Communication. Identity Mailock User guide OUR MISSION STATEMENT To Secure your Communication Data Identity Contents Introducing Mailock... 5 Business Users... 5 What do you need to run Mailock?... 5 In a browser... 5 On a mobile

More information

Transport Gateway Installation / Registration / Configuration

Transport Gateway Installation / Registration / Configuration CHAPTER 4 Transport Gateway Installation / Registration / Configuration This chapter covers the following areas: Transport Gateway requirements. Security Considerations When Using a Transport Gateway.

More information

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

DIGITALSIGN - CERTIFICADORA DIGITAL, SA. DIGITALSIGN - CERTIFICADORA DIGITAL, SA. TIMESTAMP POLICY VERSION 1.1 21/12/2017 Page 1 / 18 VERSION HISTORY Date Edition n.º Content 10/04/2013 1.0 Initial drafting 21/12/2017 1.1 Revision AUTHORIZATIONS

More information

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012 Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N 300-013-818 Rev 01 July, 2012 This document contains information on these topics: Introduction... 2 Terminology... 2

More information