Accessing the IS by smart card with Microsoft Windows Vista


Index 1.4, 16/07/2009

This document is the property of RTE. No part of it may be disclosed, reproduced or published without RTE's express written authorisation.

Programmes & IS (PIS) TOUR MARCHAND 41 RUE BERTHELOT COURBEVOIE CEDEX TEL: +33 (0) FAX: +33 (0) LONG

CONTENTS

A. Foreword
1. Introduction
   Object of the document
   Context
   Warning on security practices
   Parties involved
      The client
      The Registration Authority (RA)
      The Certificate Authority (CA)

B. Certificate management procedures
2. Certificate management processes
   Foreword
   Requesting a smart card
      Preliminary steps
      Receiving the smart card
   Renewing certificates
   Revoking certificates
      Grounds for revocation
      Revocation request

C. Configuring your workstation
Installing and configuring your workstation
   Network configuration
      General configuration
      VPN access
   Software configuration
   Installing the smart card reader
Activating the smart card
   Activation via the web with Internet Explorer
   Activation via the RTE Hotline

D. Web browsers
Internet Explorer
   Prior configuration
   Adding trusted sites
   Installing the root certificate of the RTE CA
      Downloading and installing
      Viewing and verifying the RTE CA certificate
   Viewing and verifying your certificates on the smart card
   Using your certificate
      Authentication and encryption
      Example of access to an RTE application
   Connecting to the SSL VPN
      Foreword
      Requirements
      First connection
      Using the SSL VPN
Mozilla Firefox
   Prior configuration
   Installing the root certificate of the RTE CA
      Downloading and installing
      Verifying the root certificate thumbprint
   Viewing and verifying your certificates on the smart card
   Using your certificate
      Authentication and encryption
      Example of access to an RTE application
   Connecting to the SSL VPN
      Foreword
      Requirements
      First connection
      Using the SSL VPN

E. Appendices
Changing the PIN code
Secure environment (PKI)
   Concepts and objects managed by a PKI
      What is a secure process?
      The role of the dual key
      Certificates
Documentation
Glossary
Incident handling and support
   Support
   Frequently asked questions (FAQ)


A. FOREWORD

1. Introduction

1.1 Object of the document

This document is intended for end users who wish to access the RTE Information System by means of a smart card. It will enable the user to:
- understand the context and principles of a secure environment, and how a public key infrastructure (PKI) works in general,
- install and use software certificates in the following environments:
  o Microsoft Windows Vista,
  o Browsers: Internet Explorer and Mozilla Firefox for secure access via the HTTPS protocol and an SSL VPN.

NOTE
Throughout this document, the word "you" refers to the user of the certificate.

1.2 Context

Under the French Law of 10 February 2000 ( ) and the applicatory decree n of 16 July 2001, the operator of the public transmission system is required to protect the confidential nature of economic, commercial, industrial, financial or technical information, the disclosure of which would adversely affect the legally imposed principles of free and fair competition and non-discrimination.

1.3 Warning on security practices

Each smart card holder has his own private key generated securely using a cryptographic module. The smart card holder is then responsible for taking all necessary precautions to ensure that:
- his private key is not used without permission,
- his private key is not lost,
- his private key is not disclosed,
- his certificate is not amended,
- his certificate is not used without permission.

Each smart card holder accepts full responsibility for protecting his private key(s). Private keys and their associated certificates are stored on a Gemalto smart card protected by a PIN code (password), which is known only by the holder.

The certificate authority (CA) "RTE France" cannot be held liable for any disputes arising from improper use of private keys. Refer to:
- Chapter 2 of the RTE France Certification Policy: <PACKAGE>\RTE Installation\fr\Politique de Certification RTE.pdf
- the Smart Card User's Charter: <PACKAGE>\Sécurité - Charte d'utilisation des supports matériels.pdf

These documents can be found in the package supplied to the company manager. They are also available on RTE's corporate website at

Parties involved

Management of the lifecycle of a certificate revolves around three parties:
- the client (i.e. your company),
- the Registration Authority (RA),
- the Certificate Authority (CA).

NOTE
A good way of understanding this arrangement is to liken it to the process of obtaining a passport: the citizen applying for the passport is the equivalent of the client party, the passport office is the registration authority and the interior ministry is the certification authority.

The client

The client requests certificates for its holders. It may also issue requests to revoke these certificates.

The Registration Authority (RA)

The Registration Authority (customer relations manager at RTE and the Operator team) receives the certificate request and checks the identity of the holders for whom the certificates are intended.

The Certificate Authority (CA)

The Certificate Authority (RTE) is responsible for and acts as guarantor of the certificates signed on its behalf, as well as operation of the PKI. It defines the policy governing the management and use of certificates.

The certificate authority, RTE, is referred to as follows:
CN = RTE Certificate Authority, O = RESEAU DE TRANSPORT D ELECTRICITE

B. CERTIFICATE MANAGEMENT PROCEDURES

2. Certificate management processes

2.1 Foreword

The main processes used for managing the digital certificates issued to holders are as follows:
- obtaining a certificate (one or more certificates),
- renewing a certificate (replacing an existing certificate with a new one for a new validity period and for a new dual key),
- revoking a certificate.

RTE's certification policy can be found on its corporate website:

Requesting a smart card

Preliminary steps

The following steps must be completed beforehand:
- The company's representative must request access:
  o the company's representative must have filled in and signed "request forms for access to the RTE IS and Applications", then returned them to the RTE customer relations manager.
- We have received the request:
  o once the forms have been received, we have created your account(s) for accessing applications,
  o we have ordered a personalized smart card for each holder.
- The company's representative has received a package containing:
  o the "PKI Access Kit" (including this manual),
  o a smart card reader (one per card holder).

Receiving the smart card

Once RTE has received and confirmed the smart card request, you will receive:
- an express letter containing a smart card (on which will be stored your certificates and their associated private key),
- a separate letter marked "personal and confidential", containing the PIN code for the smart card.

IMPORTANT
You are strongly advised to personalize the PIN code for your smart card (see 7). You can do this once your card reader is installed (see 3).

2.3 Renewing certificates

To ensure a high level of security, certificates have a lifespan limited to two years. If the smart card has been properly activated (see Chapter 0), a notification is sent to the holder 40 days before the certificate is due to expire.

If changes need to be made to the holder's details, then the company's representative must contact the RTE customer relations manager to provide the new information.

The holder will then receive:
- an express letter containing a new smart card (on which will be stored the new certificates and their associated private key),
- a separate letter marked "personal and confidential", containing the PIN code for the new smart card.

To be able to use the new smart card, the holder must activate it (see Chapter 0). The holder is strongly advised to keep the old smart card.

Revoking certificates

Grounds for revocation

The client must request revocation in the cases listed below:
- if the identity of the holder changes,
- if the private key associated with the holder's certificate is lost, stolen, compromised or if there is a suspicion that the key has possibly, likely or definitely been compromised,
- if the certificate holder dies or ceases activity,
- if activation data are lost, or the card is lost or found to be defective.

IMPORTANT
To revoke a certificate, the smart card containing it must be revoked. Consequently, all certificates contained on that smart card will be revoked. So for the sake of simplicity, we will say that the smart card has been "revoked".

Revocation request

If he has web access (HTTP), the holder can revoke his smart card online. Otherwise, the holder can also request revocation of the card by phoning the RTE Hotline.

In all cases, if the revocation request is deemed acceptable, RTE will revoke the card within 24 working hours following authentication of the request. Otherwise, it will contact the company's representative.

In order to revoke a smart card online, the workstation must be configured correctly (see Chapter 3) and your web browser must be configured for using a smart card (see Chapters 5 or 5.6 depending on the browser used).

To revoke your smart card, log onto the following URL:

Click on "Revoke smart card", and the following window opens.

Enter your full name, consisting of your first name (no accents) and last name, your personal username (called "PKI Username" on the web portal) and the contained in your certificate, then click the "Search" button.

Your valid certificates will appear, and you can revoke them by following the onscreen instructions.

C. CONFIGURING YOUR WORKSTATION

3. Installing and configuring your workstation

All the steps described in this chapter must be performed only once by an IT Administrator on your workstation, when you receive your "PKI Access Kit" and the smart card reader. Also, please note that only a few chapters of this manual apply to you: those corresponding to the software you are using.

3.1 Network configuration

General configuration

Access via web browsers uses, transparently for the holder, a smart card-based system of authentication for accessing the RTE portal and encrypting the data sent over the Internet (HTTPS protocol).

IMPORTANT
Anti-virus gateways, firewalls and content guards must be configured in such a way that they do not interfere with the HTTPS data flow (port 443). The network administrator may be asked to perform these steps.

VPN access

Access to the SSL VPN requires the workstation to be able to resolve the address secure.iservices.rte-france.com. To check that this is the case, open the Start menu and click Run. In the window that appears, enter the following command:

    cmd /k ping secure.iservices.rte-france.com

Click the OK button. A window pops up, containing the following information:
- If the first line begins with "Pinging secure.iservices.rte-france.com", then the address secure.iservices.rte-france.com is resolved and the workstation is correctly configured.
- If the first line begins with "Ping request could not find host secure.iservices.rte-france.com", the address secure.iservices.rte-france.com is not resolved. Please contact your IT support and ask them to make the necessary changes.

3.2 Software configuration

The software configuration required for your computer workstation is as follows:
- Operating systems: Microsoft Windows Vista without service pack or SP1.
- One of the following Web browsers: Internet Explorer 7 or 8, Mozilla Firefox

Installing the smart card reader

A Gemalto smart card reader is also supplied. Do not plug in the card reader until prompted to do so.

Run the following programme, which can be found in the "PKI Access Kit" supplied by RTE:

    <PACKAGE>\Smart Card Kit\Readers_Drivers\Gemalto\Setup_FR.msi

The following window opens:
- Click on "Next".
- Select "I accept the licence agreement" and click on "Next".
- Click on "Next".
- Click on "Install".

If the account you have used to connect does not have local administrator rights for your workstation, Windows will display the "User Account Control" window. In this case, to continue with the installation process, a user with local administrator rights for your workstation will have to enter his or her username and password.

Please wait while the installation process completes, then click on "Finish".

Click on "Yes" to restart your workstation. After the system has rebooted, the icon depicting a smart card reader with a red cross through it should appear in the taskbar (beside the Windows clock).

Now plug the smart card reader into one of the workstation's USB ports. The reader is automatically detected and installed. After plugging in the reader, an information bubble will appear indicating that the installation is in progress. It will then indicate that the device "USB Smart Card Reader" has been successfully installed.

The icon depicting a smart card reader should appear in the taskbar. This icon means that the reader is correctly connected.

An icon in the taskbar indicates the status of the card reader. The list below shows the different possible status readings for the smart card reader:
- The smart card reader is not connected.
- The smart card reader is connected but no smart card is inserted.
- The smart card reader is connected and a smart card is inserted. No certificate is available.
- The smart card reader is connected and a smart card is inserted. The smart card contains a certificate.

4. Activating the smart card

After installing your smart card reader, receiving your card and the associated PIN code, you will have to activate the smart card in order for your request to access the IS to be acknowledged by RTE.

IMPORTANT
You must activate your smart card as soon as you receive it and the associated PIN code. If you do not, RTE will be unable to guarantee that the service provided will function correctly.

The card must be activated in Internet Explorer, even if you use a different browser to connect to the application portals, or by phone. This step only needs to be performed once by the smart card holder.

4.1 Activation via the web with Internet Explorer

If you have Internet access (HTTP), you can activate your smart card online. Before starting, ensure you have pre-configured Internet Explorer (see 5.1) and have added the URL to the list of trusted websites (see 5.2).

Log onto the following URL:

Insert your smart card in the reader, then click on "Activate card".

Next, enter the relevant PIN code for your card and click on OK.

Select one of the certificates on your card. To choose it, you can display the various certificates listed and find the one to be selected. Then click on OK.

Click on "Activate".

The activation process is now complete.

4.2 Activation via the RTE Hotline

If you do not have Internet access (HTTP), you can activate your smart card by calling the RTE Hotline. Ensure you have your username and password to hand (the ones entered on form n 3).

NOTE
You can now connect to the web services for which you have signed up via HTTPS. The day after you have activated your card, you will be able to communicate by e-mail with the SMTP services you signed up for.

D. WEB BROWSERS

5. Internet Explorer

5.1 Prior configuration

In the browser, go into the menu "Tools > Internet Options":

Select the "Advanced" tab:

In the "Security" section, make sure the boxes SSL 2.0, SSL 3.0 and TLS 1.0 are checked, as shown above.

5.2 Adding trusted sites

In order to sign into websites using your smart card, you must add them to your list of trusted sites. For this section, you must be connected to the workstation with the Windows account that will be using the smart card.

To do this, open Internet Explorer and go into the menu "Tools > Internet Options". In the window that opens, click on the "Security" tab. Select the icon "Trusted sites", then click on the "Sites" button.

The following window opens. In the "Add this website to the zone" field, enter the following URL:

Then click on the "Add" button. The site then appears in the "Websites" list as shown below.

Add the following websites in the same way:

All four addresses should now be visible in the "Websites" list.

Click on "Close", and then on "OK".

5.3 Installing the root certificate of the RTE CA

Downloading and installing

You must now install the RTE root certificate in your browser, so that RTE is recognized as a trusted Certificate Authority. To do this, go to the RTE holders' portal at the following address:

The following page will be displayed. Click on the link "Install RTE root certificate".

The RTE root certificate will then be installed in the store of Windows certificates, as per the process described below.

Click on the "Open" button.

Double-click on "RTE Certificate Authority".

Click on "Next".

Click on the "Install certificate" button.

Check the box "Place all certificates in the following store" and click on "Browse...".

Click on "Finish", and the following window appears, showing the content of the root certificate to be imported.

In the window that opens, select "Trusted root certificate authorities" and click on "OK".

Click on "Next".

Click on "OK".

Click on "Yes" (the RTE CA certificate will be verified in the next chapter).

Viewing and verifying the RTE CA certificate

The root certificate you have just downloaded has been placed in Internet Explorer's store of main trusted authorities. To view it, go into the menu "Tools > Internet Options...".

Click on the "Content" tab and then the "Certificates..." button. In the "Certificates" window that opens, click on the "Trusted Root Certification Authorities" tab:

Click on the "Display" button, then the "Details" tab.

To ensure you have downloaded a genuine root certificate from the RTE CA, check carefully that the digital thumbprint "SHA1" or "MD5" displayed is identical to those shown below. The thumbprints for the RTE CA root certificate are shown here:

SHA1  A2:9A:4F:A1:77:14:2C:87:FA:30:2D:B0:8F:2C:02:37:37:C7:AE:37
MD5   53:42:6A:2E:A5:10:AB:2A:21:09:EE:88:13:67:A0:31

If this is not the case, delete the certificate and call our Hotline.

Viewing and verifying certificates on the smart card

Your smart card certificate is automatically detected by Internet Explorer and no further configuration is necessary. We are now going to view your smart card's certificates in Internet Explorer.

Begin by inserting your smart card into the reader. In the browser, go into the menu "Tools > Internet Options":

Click on the "Content" tab and then the "Certificates..." button:

Select your certificate, then click on "View".

It is valid for 2 years from the date the card was created.

This tab lets you see your certificate. The "valid" status shown for your certificate, together with the complete view of the certification path (2 levels), indicates that your certificate has been successfully installed along with the root certificate, and that all the requirements for using your certificate correctly have been met.

Using your certificate

Authentication and encryption

IMPORTANT
In order to use your smart card, it must first be activated (see 4).

PLEASE NOTE
To be able to sign into a website using your smart card, the site's URL must appear in the list of trusted sites in Internet Explorer (see 8.2).

Steps to follow:
- insert your smart card into the reader,
- open Internet Explorer,
- enter the URL of the RTE application or the "RTE Client Service Portal" (this URL begins with "
- when you sign in, the browser will invite you to select the certificate you want to use to identify yourself, then the PIN code for your smart card,
- if you are presented with more than one certificate, you will have to choose the one provided for the application you are attempting to access (use the "Display certificate" button to view their content),
- all the data you receive or send will be encrypted.

Example of access to an RTE application

Insert your smart card into the reader. Enter the URL of the application (beginning with "https") in the address bar of Internet Explorer, then confirm.

Internet Explorer then invites you to choose a certificate. The "Display certificate..." button lets you see the content of your chosen certificate. Next, click on "OK".

If you have selected a certificate on the smart card, you will be asked for the PIN code. The application's homepage is then displayed securely.

5.6 Connecting to a SSL VPN

Foreword

Connection via SSL VPN is a service where a secure communication channel can be established to the RTE FrontOffice over the Internet. This channel is established after authentication with your certificate on a dedicated site.

Anyone wanting to use the SSL VPN must first install a special utility when first connecting to the site. This utility is called Windows Secure Application Manager (WSAM).

The SSL VPN allows access to your mailboxes hosted on the RTE FrontOffice.

Requirements

The website secure.iservices.rte-france.com must be named as a trusted site (see 5.2).

IMPORTANT
Before connecting for the first time, you must check that your workstation is able to resolve the following address: secure.iservices.rte-france.com (see 3.1.2).

First connection

This paragraph only concerns your first connection to the SSL VPN with Internet Explorer.

IMPORTANT
The first connection must be made by an IT administrator on your workstation, so the WSAM utility can be installed.

Open your browser and enter the following URL:

The following window opens:

Select your smart card certificate, then click on the OK button.

Enter your smart card's PIN code, then click on the OK button.

The browser will then display an information bar at the top of the screen, inviting you to install ActiveX Juniper:

Click on the information bar, and then on "Install ActiveX control". The following window opens:

Click on "Install". The WSAM utility then begins installing:

Wait until it has finished. Once the installation process is complete, the following page is displayed:

If your Internet connection requires authentication with a proxy, a window will appear asking you for your username and password. Enter them and confirm.

Next, the icon appears in your taskbar.

Click on the Disconnect button (top-right) to end the session:

Using the SSL VPN

Establishing the connection

Open your browser and enter the following URL:

The following window opens:

Select your certificate, then click on the OK button.

Enter your smart card's PIN code, then click on the OK button.

The WSAM utility is launched automatically and the following page is displayed:

If your Internet connection requires authentication with a proxy, a window will appear asking you for your username and password. Enter them and confirm.

Next, the icon appears in your taskbar.

Note: The certificate is only used to establish the connection to the SSL VPN.

To close the SSL VPN session, click the Disconnect button (top-right).

Accessing hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice by means of a standard client. In order to access hosted mailboxes, the SSL VPN connection must be established (see ).

The account in your client should then be configured in the normal way, with the following settings:
- server type: POP server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com

When you are provided with access to the RTE FrontOffice, you will receive your connection username, password and address.

NOTE
Messages are transferred via a secure channel, so sending and receiving does not require the use of a certificate to encrypt messages.

6. Mozilla Firefox

6.1 Prior configuration

Go into the menu "Tools > Options", select the "Advanced" section and then the "Encryption" tab. In this window, check the two boxes "Use SSL 3.0" and "Use TLS 1.0".

Then click on the "Security Devices" button.

In the Device Manager window, click on the "Load" button.

In the Module Name field, enter "Gemplus PKCS11", and in the Module filename field, enter:

    C:\Program Files\Gemplus\GemSafe Libraries\BIN\gclib.dll

Click on "OK". Click on OK. Click on OK.

"Gemplus PKCS11" should now appear in the list of "Security Modules and Devices", as pictured below. Click on "OK" to close the window, then again on "OK" to close the options window.

6.2 Installing the root certificate of the RTE CA

Downloading and installing

You must now install the RTE root certificate in your browser, so that RTE is recognized as a trusted Certificate Authority. To do this, go to the RTE client site at the following address:

Click on the link "Install RTE root certificate".

A dialogue box is displayed, in which you must select the three check boxes "Confirm this CA to identify [...]" to trust the RTE CA:

Verifying the root certificate thumbprint

Click on "View" to check that the certificate you are going to trust is indeed the RTE root certificate:

To ensure you download the genuine RTE CA certificate, carefully check that the digital thumbprint "SHA1" or "MD5" of the text displayed in the dialogue box is identical to that seen in the screenshot opposite. The thumbprints for the RTE CA root certificate are shown here:

SHA1  A2:9A:4F:A1:77:14:2C:87:FA:30:2D:B0:8F:2C:02:37:37:C7:AE:37
MD5   53:42:6A:2E:A5:10:AB:2A:21:09:EE:88:13:67:A0:31

If this is not the case, click on "Close" to return to the previous window, where you should click on "Cancel" and call our technical support.

If the thumbprint is correct, continue with the process to finish importing the certificate.

"Details" tab:

Click on "Close" to return to the initial window (see above), and then click on "OK": the RTE CA root certificate is then installed in Mozilla Firefox.

To view this certificate later, in Mozilla Firefox, go into the menu "Tools > Options", select the "Advanced" section and click on the "Encryption" tab.

Click on the "View Certificates" button. In the "Authorities" tab, you can check that the root certificate "RTE Certificate Authority" is saved to your PC's hard drive ("Personal Security"), and view it by selecting it and clicking "View".
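
The thumbprint comparison described for Internet Explorer and for Firefox can also be done on a root certificate that has been saved to a file before it is trusted. The Python code below is an added example, not part of the RTE manual: it assumes a DER or PEM export of the certificate, and it requires both published digests to match rather than either one, since MD5 alone is a weak check.

```python
import base64
import hashlib
import hmac
import re

# Thumbprints printed in the manual for the "RTE Certificate Authority" root.
PUBLISHED = {
    "sha1": "A2:9A:4F:A1:77:14:2C:87:FA:30:2D:B0:8F:2C:02:37:37:C7:AE:37",
    "md5": "53:42:6A:2E:A5:10:AB:2A:21:09:EE:88:13:67:A0:31",
}

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data):
    """Return the DER bytes of a certificate exported as DER or as PEM."""
    match = PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armour found: treat the input as binary DER
    body = b"".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def normalize(thumbprint_text):
    """Reduce 'A2:9A', 'a2 9a' or 'a2-9a' to bare lower-case hex.

    Certificate viewers differ in separators and case, and text copied from
    a dialog box may carry an invisible left-to-right mark (U+200E).
    """
    bare = re.sub(r"[\s:\-\u200e]", "", thumbprint_text).lower()
    if not re.fullmatch(r"[0-9a-f]+", bare):
        raise ValueError("thumbprint contains non-hexadecimal characters")
    return bare


def thumbprint(der, algorithm):
    """Digest of the complete DER encoding, formatted as in the manual."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify(cert_bytes, expected=None):
    """Return (trusted, per-algorithm results); every digest must match."""
    expected = PUBLISHED if expected is None else expected
    der = to_der(cert_bytes)
    results = {}
    for algorithm, published in expected.items():
        actual = normalize(thumbprint(der, algorithm))
        results[algorithm] = hmac.compare_digest(actual, normalize(published))
    return bool(results) and all(results.values()), results


if __name__ == "__main__":
    # Constructed stand-in bytes, NOT the RTE certificate: the check must fail.
    sample_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    trusted, detail = verify(sample_pem)
    print("trusted" if trusted else "do not install", detail)
    for name in PUBLISHED:
        print(name.upper(), thumbprint(to_der(sample_pem), name))
```

To check a real export, pass the file's bytes to verify() and install the certificate only when the first returned value is True.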

Viewing and verifying certificates on the smart card

For Mozilla Firefox, click on the "Advanced" section, and select the "Encryption" tab:

Click on the "View Certificates" button. In the window that opens, enter the PIN code of your card. Click on "OK".

Click on the "Your Certificates" tab. The certificates on your smart card are those where "GemSAFE" appears in the "Security Device" column. You can view your certificates by selecting them from the list, then clicking on the "View" button.

The first tab shows the message "This certificate has been verified for the following uses".

The second tab shows the certification hierarchy with the RTE CA root certificate. This ensures that all the certificates have been correctly installed, and that the necessary conditions for using them properly are met.

Using your certificate

Authentication and encryption

IMPORTANT
In order to use your smart card, it must first be activated (see 4).

Steps to follow:
- insert your smart card into the reader,
- open Mozilla Firefox,
- enter the URL of the RTE application or the "RTE Client Service Portal" (this URL begins with "
- when you sign in, the browser will invite you to select the certificate you want to use to identify yourself, then the PIN code for your smart card,
- if you are presented with more than one certificate, you will have to choose the one provided for the application you are attempting to access (the content of the certificate selected from the dropdown list is displayed beneath the list),
- all the data you receive or send will be encrypted.

Example of access to an RTE application

Insert your smart card into the reader. Enter the URL of the application (beginning with "https") in the address bar of Firefox, then confirm.

Firefox then invites you to choose a certificate. Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click on "OK".

Enter your smart card's PIN code, then click on the OK button.

The application's homepage is then displayed securely:

6.5 Connecting to a SSL VPN

Foreword

Connection via SSL VPN is a service where a secure communication channel can be established to the RTE FrontOffice over the Internet. This channel is established after authentication with your certificate on a dedicated site.

Anyone wanting to use the SSL VPN must first install a special utility when first connecting to the site. This utility is called Windows Secure Application Manager (WSAM).

The SSL VPN allows access to your mailboxes hosted on the RTE FrontOffice.

Requirements

To connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) or higher must be installed on your workstation. If this is not the case, you can download the latest version from the Sun Microsystems website:

IMPORTANT
Before connecting for the first time, you must check that your workstation is able to resolve the following address: secure.iservices.rte-france.com (see 3.1.2).

First connection

This paragraph only concerns your first connection to the SSL VPN with Mozilla Firefox.

IMPORTANT
The first connection must be made by an IT administrator on your workstation, so the WSAM utility can be installed.

Open your browser and enter the following URL:

The following window opens:

Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click on OK.

Enter your smart card's PIN code, then click on the OK button.

If the following window appears, click on the "Authorise" button.

If the window below appears, click on "Run".

The Windows Secure Application Manager installation process begins:

The page below then appears:

If your Internet connection requires authentication with a proxy, a window will appear asking you for your username and password. Enter them and confirm.

Next, the icon appears in your taskbar, indicating that you are connected to the SSL VPN.

Click on the Disconnect button (top-right) to end the session:

Using the SSL VPN

Establishing the connection

Open your browser and enter the following URL:

The following window opens:

Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click on OK.

Enter your smart card's PIN code, then click on the OK button.

If the following window appears, click on the "Authorise" button.

If the window below appears, click on "Run".

The page below then appears:

If your Internet connection requires authentication with a proxy, a window will appear asking you for your username and password. Enter them and confirm.

Next, the icon appears in your taskbar, indicating that you are connected to the SSL VPN.

Note: The certificate is only used to establish the connection to the SSL VPN.

To close the SSL VPN session, click the Disconnect button (top-right).

Accessing hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice by means of a standard client. In order to access hosted mailboxes, the SSL VPN connection must be established (see ).

The account in your client should then be configured in the normal way, with the following settings:
- server type: POP server
- POP server address: pop.services.rte-france.com
- SMTP server address: smtp.services.rte-france.com

When you are provided with access to the RTE FrontOffice, you will receive your connection username, password and address.

NOTE
Messages are transferred via a secure channel, so sending and receiving does not require the use of a certificate to encrypt messages.

E. APPENDICES:

7. Changing the PIN code

The smart card provided to you is protected by a PIN code (password) which is known only to the holder. You will be asked to give the code when using your smart card, to verify that you are indeed the card holder (see 1.3).

The initial PIN code is given to you in a letter marked "personal and confidential" (see 2.2.2). You are strongly advised to personalize the PIN code for your smart card.

The requirements for your new PIN code are as follows:

- must be between 6 and 16 digits long,
- must be different from the old PIN code,
- must not contain any repeated sequences of digits.

To change your card's PIN code, please follow the procedure below.

Insert your smart card into the reader.

Click on the "Start" button, then go into the menu "All Programs > Gemalto" and click on "GemSafe Toolbox".

The following window opens. Click on the section "Card Administration".

Click on the "PIN Management" button, select your card reader from the list, check "Change PIN" and then click on "Next".

From the dropdown list, choose "User".

Enter your current PIN code.

Enter your new PIN code.

Confirm your new PIN code.

Your new PIN code must comply with the rules of the "PIN Strategy" (right-hand section). When you enter the new PIN code, a green tick or a red cross will be displayed to the right of each rule, to indicate whether the rule has been followed. You will only be able to click on the "Change PIN" button if all the rules have green ticks next to them, as shown on the screenshot above.

Once you have all green ticks, click on "Change PIN".

Click on OK. Your smart card's PIN code has now been changed.

8. Secure environment (PKI)

This appendix describes the secure environment in which the PKI is operated. It focuses on:

- the concepts of the secure environment and the corresponding computer objects managed by the PKI,
- the roles of the various parties involved in the operation of a PKI.

8.1 Concepts and objects managed by a PKI

This appendix describes the main concepts for understanding the role of the objects managed by a PKI:

- presentation of the principles governing a secure process,
- the role of the dual key,
- certificates.

What is a secure process?

Definition of a PKI

With a PKI (Public Key Infrastructure), each holder has a pair of keys - one private key, known only to its owner, and one public key. They are linked by a complex mathematical relationship, which makes it virtually impossible to determine the private key using just the public key. This means the likelihood of being able to determine the private key from the public key within a reasonable amount of time is extremely low.

Data encrypted with one key (usually the public key) can only be decrypted using the other (generally the private key). This is the principle on which the confidentiality of messages sent between two key holders is guaranteed.

The four pillars of trust in secure communications

This electronic identity card is intended to establish a trusted environment, based on the following four pillars:

- authentication identifies the parties securely and positively,
- confidentiality prevents anyone but the intended recipient from reading the data,
- integrity ensures that the data are not altered,
- non-repudiation makes it impossible for a party to disown the data it has sent.

Cryptographic solutions

Owing to the technologies used (i.e. protocols, architectures, etc.), information circulating over the Internet is not confidential. Nor do these technologies satisfy the other three security requirements listed above.

In order to protect the confidentiality of data sent over the Internet, they must be made incomprehensible to anyone except the intended recipients. Encryption is the best way to do this.

Data encryption is naturally used alongside mechanisms to authenticate users. Whilst some data are confidential, the senders and recipients need to be able to identify one another securely and unambiguously, in order to exchange data safely.

Authentication is based on a system of certificates. These are issued by a Certificate Authority, which is trusted by the parties to a transaction (in our case, the Certificate Authority is RTE). The holders can therefore trust the information they receive and RTE knows that only the authorized holders can access that information.

NOTE This arrangement is similar to showing identity papers issued by the government authorities of a country in order to access certain services or exercise certain rights granted to citizens of that country (e.g. purchasing high-value goods, voting, etc.).

The role of the dual key

Each holder has a public key and an associated private key:

- The private key must be kept confidential by the holder. He is its sole owner and the only one able to use it. He does not necessarily know it himself (for example, it may be contained on a smart card from which it cannot be removed, but access to the card is protected by a PIN code known only to its owner).
- The public key, as its name would suggest, is public and can be freely disclosed to anyone.

The holders' public keys are only used to encrypt messages sent to them. If an encrypted message were to be intercepted, it would not affect the confidentiality as it could not be decrypted (within a reasonable amount of time) by anyone who did not have the private key.

The private key enables its owner to sign the messages he sends and decrypt those that he receives.

Certificates

Purpose of the digital certificate

Since public keys are used to verify electronic signatures and encrypt messages, it is vital for any holder to be absolutely certain of the identity of a public key owner: this is the purpose of the certificate.

Characteristics of a certificate

The certificate is essentially an electronic ID card, which:

- guarantees its holder is who he says he is,
- carries data to facilitate identification,
- is resistant to forgery and is issued by a trusted third party: the Certificate Authority.

A Certificate Authority is an entity that creates and manages certificates. It defines the rules for registering different holders in the PKI.

Structure of a certificate

A digital certificate contains:

- the owner's public key,
- the name of the owner and any other identification details (the person's e-mail address in the case of a certificate used to sign e-mails),
- the certificate's validity period,
- the name of the certificate authority which generated the certificate,
- a unique serial number,
- the certificate authority's signature.
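As an added illustration (not part of the RTE guide), the PowerShell function below prints the fields listed above for each certificate in the current user's personal store, checks that the certificate chains to a trusted root, and flags certificates within 40 days of expiry, the window the FAQ gives for the renewal warning. The function name Get-CertificateSummary is hypothetical, and the example assumes the smart card's certificates appear in Cert:\CurrentUser\My while the card is inserted.

```powershell
# Added example, not from the RTE guide.
# Assumption: the smart card middleware publishes the card's certificates to
# the current user's personal store (Cert:\CurrentUser\My).

function Get-CertificateSummary {
    [CmdletBinding()]
    param(
        # Any X509Certificate2 object, e.g. from Get-ChildItem Cert:\CurrentUser\My
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Warning window in days; 40 matches the renewal warning described in the FAQ.
        [int]$WarningDays = 40
    )
    process {
        $now      = Get-Date
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $now).TotalDays)

        # Classify the certificate against its validity period.
        if     ($now -lt $Certificate.NotBefore) { $state = 'NotYetValid' }
        elseif ($now -gt $Certificate.NotAfter)  { $state = 'Expired' }
        elseif ($daysLeft -le $WarningDays)      { $state = 'ExpiresSoon' }
        else                                     { $state = 'Valid' }

        # Verify the issuer's signature chain up to a trusted root certificate.
        # Revocation checking is switched off so the check also works offline;
        # set RevocationMode to 'Online' to consult the CA's revocation data.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk     = $chain.Build($Certificate)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $summary = New-Object PSObject -Property @{
            Subject            = $Certificate.Subject                        # name of the owner
            Issuer             = $Certificate.Issuer                         # issuing certificate authority
            SerialNumber       = $Certificate.SerialNumber                   # unique serial number
            NotBefore          = $Certificate.NotBefore                      # start of validity period
            NotAfter           = $Certificate.NotAfter                       # end of validity period
            PublicKeyAlgorithm = $Certificate.PublicKey.Oid.FriendlyName     # owner's public key type
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName # how the CA signed it
            HasPrivateKey      = $Certificate.HasPrivateKey                  # key pair linked to this entry
            DaysLeft           = $daysLeft
            State              = $state
            ChainTrusted       = $chainOk
            ChainErrors        = $chainErrors
        }

        # Fix the column order (hashtable key order is not preserved).
        $summary | Select-Object Subject, Issuer, SerialNumber, NotBefore, NotAfter,
            PublicKeyAlgorithm, SignatureAlgorithm, HasPrivateKey,
            DaysLeft, State, ChainTrusted, ChainErrors
    }
}

# Summarise every certificate in the personal store.
Get-ChildItem Cert:\CurrentUser\My | Get-CertificateSummary | Format-List
```

A ChainTrusted value of False with ChainErrors showing UntrustedRoot usually means the issuing authority's root certificate has not been installed on the workstation.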

Examples of certificates

A digital certificate in Internet Explorer

A digital certificate in Mozilla Firefox

Documentation

Reference documents:

- RTE Certification Policy,
- Subscription agreement to the secure RTE IS.

Websites:

- Law of 13 March 2000 adapting the evidentiary provisions for information technologies and concerning electronic signatures:
- Directive 1999/93/EC of 13 December 1999 on a Community framework for electronic signatures:
- Bill on electronic signatures:
- Keynectis:

9. Glossary

When the holder takes his first steps into his new secure environment, he will be confronted with a specific terminology. Some of the main terms encountered are explained in this section.

Authentication
Check to establish that the declared identity of a holder, system or other entity in an information or communication system is valid and accurate.

Certificate (or Certification) Authority
An entity that issues digital certificates - electronic equivalents of identity papers - to a population. By distributing digital certificates, the Certificate Authority or Trusted Authority acts as a guarantor, by vouching for the identity of a person through the certificate it issues. Depending on the Certificate Authority's credit, the certificate will have a lesser or greater scope of applications: limited to internal communications within a company (like a company badge) or used in contacts with other organizations and administrations (like a national ID card or passport).

Certificate
A digital certificate acts as an electronic identity card (e-passport). It guarantees the identity of its owner in electronic transactions and contains all of the information needed to establish the person's identity (name, first name, company where applicable, address, etc). A digital certificate consists of a public key and personal information on the holder, all signed by a Certificate Authority.

Confidentiality
Property of data or information that is not made available or disclosed to unauthorized persons.

Cryptography
Discipline including the principles, means and methods of transforming data for the purpose of concealing their semantic content, establishing their authenticity, preventing them from being modified or disowned and preventing their unauthorized use.

Private key
Secret numeric value attached to a person, enabling him to decrypt messages received which have been encrypted with the corresponding public key, or to place a signature on the bottom of messages sent.

Public key
Numeric value attached to a person, who may then distribute it to others, enabling them to send him encrypted data or check his signature.

Encryption / Decryption
Transformation of data by means of cryptography, to make them unintelligible and thereby ensure their confidentiality, or the reverse process.

Integrity
Assurance that data or information have not been modified or altered without authorization.

Non-repudiation
Property obtained using cryptographic methods to prevent a person from denying having performed a particular action on the data (e.g. disowning an e-mail they have sent; proof of obligation, intention or commitment; establishing ownership).

Revocation
Revocation is the operation whereby the guarantee provided by the Certificate Authority on a certificate is removed. It is performed at the request of the subscriber or any other authorized person. The request may be the result of various types of events, such as a private key being compromised or destroyed, a change to the information contained in the certificate, or breach of the rules governing the certificate's use.

Electronic signature
Signing a document electronically involves signing a digital summary of the document with one's private key. The document can then no longer be altered without any changes being visible. Like a handwritten signature, it is binding upon the signatory.

Virtual Private Network (VPN)
A virtual private network, also known by the abbreviation VPN, is a means of interconnecting local networks via a "tunnel". The tunnel is a secure communication channel over the Internet, along which data can move back and forth in encrypted form.

Troubleshooting and support

If you encounter a problem, please contact the RTE Hotline, which will diagnose the problem and pass it on to the appropriate technician. The Hotline will send you the solution and if necessary guide you through the steps you need to take to access the RTE Information System once more.

Support

For information, please contact the RTE Hotline on: or from France:

Frequently Asked Questions

Is it really necessary to activate my smart card?
Yes. It's necessary for you to be able to enjoy all the functions offered by RTE's infrastructures. If you renew your smart card, you will also have to activate the new one.

How can I tell if my smart card reader is installed correctly?
If the reader icon is visible next to the Windows clock, then your reader is correctly installed and connected.
If the icon has a red cross through it, the reader has not been detected. In this case, ensure your smart card reader is correctly connected. Try plugging the card reader into another of your PC's USB ports. Remember to restart your PC after installing drivers (see 3.3). If the problem persists, contact the RTE hotline.
If neither of these two icons is visible next to the Windows clock, ensure you have followed the driver installation process correctly (see 3.3).

When does the certificate on my smart card expire?
To ensure a high level of security, certificates have a lifespan limited to two years. A certificate's precise expiry date is displayed when you view the certificate (see 5.4 with Internet Explorer or 6.3 with Firefox).

My certificate is set to expire soon. What should I do?
If the smart card has been properly activated (see Chapter 4), the holder will receive an e-mail warning 40 days before the certificate on his smart card is due to expire. If changes need to be made to the holder's details, then the company's representative must contact the RTE customer relations manager to provide the new information. Otherwise, a new smart card will be sent to the holder (see Chapter 2.3).

How is a certificate on a smart card renewed?
Refer to the procedure for renewing a smart card certificate in Chapter 2.3.

What should I do if I lose my PIN code?
Contact the RTE hotline.

When is my card blocked?
Your card will be blocked if you enter the wrong PIN code three times in a row, whichever software you are using. Closing and re-opening the browser will not reset the process.

What should I do if my card is blocked?
Contact the RTE hotline.

With my Internet browser, certificate authentication fails even though I have selected the certificate on my smart card and entered the correct PIN.
If you are using Internet Explorer, check that the website address has been added to your trusted sites (see 5.2). If not, add it. If the problem persists, the card's PIN code may be blocked. Contact the hotline.

END OF DOCUMENT


More information

GB-OS. Certificate Management. Tel: Fax Web:

GB-OS. Certificate Management. Tel: Fax Web: GB-OS Certificate Management GBOSCM201411-01 Global Technology Associates 3505 Lake Lynda Drive Suite 115 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com Web: www.gta.com

More information

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing

Chapter 6: Digital Certificates Introduction Authentication Methods PKI Digital Certificate Passing Chapter 6: Digital Certificates Introduction Methods PKI Digital Certificate Passing Prof Bill Buchanan OBE http://asecuritysite.com/crypto06 http://asecuritysite.com/encryption Identity on the Internet

More information

Corporate Online. Introducing Corporate Online

Corporate Online. Introducing Corporate Online Corporate Online. Introducing Corporate Online Effective as at April 2015 About this Guide About Corporate Online Westpac Corporate Online is an internet-based electronic platform, providing a single point

More information

OCSP Client Tool V2.2 User Guide

OCSP Client Tool V2.2 User Guide Ascertia Limited 40 Occam Road Surrey Research Park Guildford Surrey GU2 7YG Tel: +44 1483 685500 Fax: +44 1483 573704 www.ascertia.com OCSP Client Tool V2.2 User Guide Document Version: 2.2.0.2 Document

More information

Terms and Conditions for Remote Data Transmission

Terms and Conditions for Remote Data Transmission Terms and Conditions for Remote Data Transmission The following translation is provided for your convenience only. The original German text Bedingungen für Datenfernübertragung is binding in all respects.

More information

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules) UDRP Pilot Project The Czech Arbitration Court (CAC) proposes that it runs two pilot projects (Pilot) related to its implementation of UDRP. During the Pilot, the following proposed new UDRP-related services

More information

Cloud Link Configuration Guide. March 2014

Cloud Link Configuration Guide. March 2014 Cloud Link Configuration Guide March 2014 Copyright 2014 SOTI Inc. All rights reserved. This documentation and the software described in this document are furnished under and are subject to the terms of

More information

Installation and configuration guide

Installation and configuration guide Winfrasoft HAS Installation and Configuration Guide Installation and configuration guide Winfrasoft HAS for Microsoft Forefront UAG 2010 Published: October 2011 Applies to: Winfrasoft HAS (Build 2.0.2300.4)

More information

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 21

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 21 Page 1 of 21 Table of Contents 1 Introduction... 3 1.1 Objective of the User Guide... 3 1.2 About Online Forms... 3 1.3 Security... 3 1.4 Overview of Online Forms Submission Process... 4 1.4.1 Data Entry...

More information

Administration. STILOG IST, all rights reserved

Administration. STILOG IST, all rights reserved 2 Table of Contents I. Admin Center... 1 1. ACCESS... 1 Starting the Admin Center application... 1 2. General Settings... 2 Home page... 3 Client... 4 Application... 5 VPPortal... 6 3. Password Configuration...

More information

CertDigital Certification Services Policy

CertDigital Certification Services Policy CertDigital Certification Services Policy Page: 2 ISSUED BY : DEPARTAMENT NAME DATE ELECTRONIC SERVICES COMPARTMENT COMPARTMENT CHIEF 19.03.2011 APPROVED BY : DEPARTMENT NAME DATE MANAGEMENT OF POLICIES

More information

Access to hosted Systems at ERPsourcing AG using SSL-VPN

Access to hosted Systems at ERPsourcing AG using SSL-VPN Access to hosted Systems at ERPsourcing AG using SSL-VPN 14th October 2016 ERPsourcing AG Businesspark Husacherstrasse 3 CH -8304 Wallisellen Tel. +41 43 233 34 34 Fax +41 43 233 34 35 www.erpsourcing.ch

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

ONE ID Identity and Access Management System

ONE ID Identity and Access Management System ONE ID Identity and Access Management System Local Registration Authority User Guide Document Identifier: 2274 Version: 1.8 Page 1 Copyright Notice Copyright 2011, ehealth Ontario All rights reserved No

More information

Accessing the Ministry Secure File Delivery Service (SFDS)

Accessing the Ministry Secure File Delivery Service (SFDS) Ministry of Health Services Accessing the Ministry Secure File Delivery Service (SFDS) A Guide for New Users To SFDS And Digital Certificate Installation May 2004 Preface Purpose Audience Structure This

More information

SafeNet MobilePKI for BlackBerry V1.2. Administration Guide

SafeNet MobilePKI for BlackBerry V1.2. Administration Guide SafeNet MobilePKI for BlackBerry V1.2 Administration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV and/or its subsidiaries who shall have

More information

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Apple Corporate  Certificates Certificate Policy and Certification Practice Statement. Apple Inc. Apple Inc. Certificate Policy and Certification Practice Statement Version 1.0 Effective Date: March 12, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.

More information

Configuring Remote Access using the RDS Gateway

Configuring Remote Access using the RDS Gateway Configuring Remote Access using the RDS Gateway Author: AC, SNE Contents Introduction... 3 Pre-requisites... 3 Supported Operating Systems... 3 Installing the I.T. Services Certificate Authority Root Certificate...

More information

ETSY.COM - PRIVACY POLICY

ETSY.COM - PRIVACY POLICY At Etsy, we value our community. You trust us with your information, and we re serious about that responsibility. We believe in transparency, and we re committed to being upfront about our privacy practices,

More information

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 26

Dubai Financial Services Authority DFSA eportal User Guide v1.docx Page 1 of 26 Page 1 of 26 Table of Contents 1 Introduction... 3 1.1 Objective of the User Guide... 3 1.2 About Online Forms... 3 1.3 Security... 3 1.3.1 Security... 3 1.4 Overview of Online Forms Submission Process...

More information

VSP18 Venafi Security Professional

VSP18 Venafi Security Professional VSP18 Venafi Security Professional 13 April 2018 2018 Venafi. All Rights Reserved. 1 VSP18 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for:

More information

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO e-government Survey 2014 United Nations Page 2 EGDI: E-Government Development Index National ID & Digital Signature Estonian Prime Minister Andrus Ansip

More information

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013 Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013 Table of Contents 1. Introduction... 5 1.1. Trademarks... 5

More information

NeoAccel NeoAccel Management Console: Gateway Gateway Administration version version 2.3

NeoAccel NeoAccel Management Console: Gateway Gateway Administration version version 2.3 SSL VPN-Plus TM NeoAccel NeoAccel Management Console: Console: Gateway Gateway Administration version version 2.3 2.0 Copyright 2005-2006. 2005-2009. NeoAccel Inc. NeoAccel Inc. NMC - Volume II -SSL VPN-Plus-v2.33

More information

FUJITSU Cloud Service S5. Introduction Guide. Ver. 1.3 FUJITSU AMERICA, INC.

FUJITSU Cloud Service S5. Introduction Guide. Ver. 1.3 FUJITSU AMERICA, INC. FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 FUJITSU AMERICA, INC. 1 FUJITSU Cloud Service S5 Introduction Guide Ver. 1.3 Date of publish: September, 2011 All Rights Reserved, Copyright FUJITSU

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

ADMINISTRATORS GUIDE

ADMINISTRATORS GUIDE ADMINISTRATORS GUIDE Corporate Online Give your business the edge Contents Introduction 1 Overview 1 Preparatory steps to login 2 Logging in 4 Signing 5 Logging out 5 Navigating around the system 5 Section

More information

ING Corporate PKI G3 Internal Certificate Policy

ING Corporate PKI G3 Internal Certificate Policy ING Corporate PKI G3 Internal Certificate Policy Version 1.0 March 2018 ING Corporate PKI Service Centre Final Version 1.0 Document information Commissioned by Additional copies of this document ING Corporate

More information

The Match On Card Technology

The Match On Card Technology Precise Biometrics White Paper The Match On Card Technology Magnus Pettersson Precise Biometrics AB, Dag Hammarskjölds väg 2, SE 224 67 Lund, Sweden 22nd August 2001 Abstract To make biometric verification

More information

Cambium Wireless Manager

Cambium Wireless Manager Cambium Wireless Manager Client Setup Guide System Release 4.2 and Later Issue 1 November 2014 2014 Cambium Networks. All Rights Reserved. Accuracy While reasonable efforts have been made to assure the

More information

ECA Trusted Agent Handbook

ECA Trusted Agent Handbook Revision 8.0 September 4, 2015 Introduction This Trusted Agent Handbook provides instructions for individuals authorized to perform personal presence identity verification of subscribers enrolling for

More information

Indeed Card Management Smart card lifecycle management system

Indeed Card Management Smart card lifecycle management system Indeed Card Management Smart card lifecycle management system Introduction User digital signature, strong authentication and data encryption have become quite common for most of the modern companies. These

More information

Sage Installation and System Administrator s Guide. March 2019

Sage Installation and System Administrator s Guide. March 2019 Sage 100 2019 Installation and System Administrator s Guide March 2019 2019 The Sage Group plc or its licensors. All rights reserved. Sage, Sage logos, and Sage product and service names mentioned herein

More information

PKI Credentialing Handbook

PKI Credentialing Handbook PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key

More information

Electronic Seal Administrator Guide Published:December 27, 2017

Electronic Seal Administrator Guide Published:December 27, 2017 Electronic Seal Administrator Guide Published:December 27, 2017 Copyright Version 4.25.2.3 Copyright 2003-2018 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights

More information

ClientNet. Portal Admin Guide

ClientNet. Portal Admin Guide ClientNet Portal Admin Guide Document Revision Date: June 5, 2013 ClientNet Portal Admin Guide i Contents Introduction to the Portal... 1 About the Portal... 1 Logging On and Off the Portal... 1 Language

More information

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS? FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit

More information

OPC UA Configuration Manager Help 2010 Kepware Technologies

OPC UA Configuration Manager Help 2010 Kepware Technologies OPC UA Configuration Manager Help 2010 Kepware Technologies 1 OPC UA Configuration Manager Help Table of Contents 1 Getting Started... 2 Help Contents... 2 Overview... 2 Server Settings... 2 2 OPC UA Configuration...

More information

QUICK SET-UP VERIFICATION...3

QUICK SET-UP VERIFICATION...3 TABLE OF CONTENTS 1 QUICK SET-UP VERIFICATION...3 2 INSTALLING CERTIFICATES...3 3 IF YOU USE MS INTERNET EXPLORER...3 3.1 INSTALLING THE CERTIFICATE...3 3.2 SSL3 ACTIVATION:...3 3.3 JAVASCRIPT ACTIVATION...3

More information