FIS FAQs

Administrator Responsibilities

What to do when the user is renewing certificates?

When the user submits a certificate renewal request, the FIS Administrator may be able to change certain attributes of the certificate. All certificate information is pre-populated based on the certificate the user requested for renewal. Some users, due to a prior out-of-band certificate renewal, may have no value for the Validity Period field. The FIS Administrator must select a value of 1 year or 3 years.


If you do not think the user still needs digital certificates, you can deny the renewal request. Note that the user can submit additional renewal requests for the same certificate until the certificate expires.


What to do when the user is sponsored?

Make sure you select the appropriate level of assurance for the user, as required by the sponsoring organization. If the user requires Medium Level of Assurance (MLOA) certificates, and your organization is approved only for Basic Level of Assurance (BLOA) certificates, contact your Organization Administrator and follow the steps to upgrade your organization’s account.


Certificate Download and Renewal Errors

I get an error screen with only 'Yes' or 'No' options when I attempt to download the certificates. What happens when I click on 'No'?

Due to a known Microsoft issue (documented in Microsoft Knowledge Base article # 940275), the dialog box appears as shown above and does not contain the informational message it is intended to display. When you encounter this error, select Yes.

If you click No, you will receive an error message and will need to restart the download process.


I am trying to download the certificates and receive an error message: “The ActiveX Control is not installed or is not running. You need to install it or run it before you can proceed”. Why do I receive this error and what should I do?

This error is displayed when you attempt to download the digital certificates and the Exostar ActiveX control is blocked or cannot be downloaded. The most common causes are Internet Explorer settings and/or system-level permissions that are not set correctly and therefore do not allow the download and use of Exostar’s ActiveX control. To resolve the issue, refer to the Certificate Download Requirements document for details.

In addition, in some organizations, IT security policies may not allow individuals to download the ActiveX control onto their machine. To support installation of the ActiveX control through Group Policy or administrative installation, Exostar has made available an MSI solution for each of the following Windows configurations:


I have a digital certificate. I am trying to download the certificates and receive an error message: “Automation server can't create object”

This error displays when you attempt to download the digital certificates and the Exostar ActiveX control is blocked or cannot be downloaded. The most common causes for this error are Internet Explorer settings and/or system level permissions that are not set correctly and therefore do not allow the download and use of Exostar's ActiveX control. Refer to the Certificate Download Requirements document. If you continue to have issues, please contact Exostar Customer Support.


I am attempting to download my Medium Level of Assurance Certificates. I receive the following error message with error code # 2146885613

This error message is received when the Exostar Certificate Revocation List URL is blocked by the proxy or by corporate policies. To confirm the issue, try to access the following two sets of URLs. If either of these URLs fails, contact IT Support within your organization to ensure that the host name is added to the list of "allowed" URLs.

FIS URLS: (Host URL: http://www.fis.evincible.com)
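
The check described above can be scripted on the affected workstation. The PowerShell below is an added example, not Exostar tooling: the function names are hypothetical, it assumes Windows PowerShell 3.0 or later, and it relies on the Windows text rendering of the CRL Distribution Points extension.

```powershell
# Added example: triage for download error 2146885613 on a Windows workstation.
# Read-only: it lists certificates and fetches URLs, it changes nothing.

# The FAQ's number is the magnitude of a negative 32-bit HRESULT.
# 2^32 - 2146885613 = 0x80092013, which Windows defines as
# CRYPT_E_REVOCATION_OFFLINE (the revocation server could not be reached).
function ConvertTo-HResultHex {
    param([long]$Magnitude)
    '0x{0:X8}' -f ([long]4294967296 - $Magnitude)
}

# Return the http(s) CRL distribution point URLs embedded in a certificate.
function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return }
    # On Windows, Format() renders the extension as text with "URL=<address>" entries.
    [regex]::Matches($cdp.Format($true), '(?i)URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd([char[]]',)') }
}

# Fetch one URL from this session. Detail carries the HTTP status or the
# exception text, so a proxy denial can be told apart from a timeout.
function Test-CrlUrl {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true; Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

ConvertTo-HResultHex 2146885613

# Host named in this FAQ, then every CRL URL found in the user's Personal store.
$urls = @('http://www.fis.evincible.com') +
        @(Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Get-CrlUrl $_ })
$urls | Sort-Object -Unique | ForEach-Object { Test-CrlUrl $_ } | Format-Table -AutoSize -Wrap
```

Any row with Reachable set to False names a host to hand to IT Support for the proxy allow list.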


Why do I get an error message "You are not currently logged in with your certificates" when I attempt to renew my certificates?

This error message is presented when the user is attempting to renew certificates but is not logged in with the expiring certificates. Click on the link highlighted in blue in the error message and you will be presented with the certificate selection list (if your IE is set to present the certificates to choose) or the system will automatically pick up a valid certificate and complete the login process. You should then click the Renew button if your certificate is eligible for renewal.


Why do I get a 'Certificate not eligible for renewal' message when I attempt to renew my certificates?

This message is presented if your certificate is not eligible for renewal. A certificate can be renewed during the 90 days before its date of expiration, up to the date of expiration itself. If the date of expiration has passed, or is more than 90 days away, your certificate cannot be renewed.


Why do I get a message that there is an error with my digital certificates?

Follow the link provided in the error message for detailed information on how to resolve this error.


I received the following error: This page is displayed because of an error with your digital certificates: 

  • You may be using expired, corrupted or revoked certificates;  or

  • There may be an issue with the encryption connection.

Please verify that the certificates that you are using are valid, unexpired certificates for this action. 


Who can receive this error:  Users who require FIS certificates to access applications such as ForumPass, Rolls-Royce Global Supplier Portal or Lockheed Martin One Aero.

How to resolve this issue:

Step 1.  Retry accessing the application. Sometimes the system is unable to connect with the Certificate store to retrieve the certificates due to connectivity issues. Log out of Exostar's IAM Platform and retry accessing the application using your certificates. If this does not work, go to step 2.

Step 2.  Check if your certificate is expired. If it is expired, remove the expired certificates and re-apply for a valid certificate.

IMPORTANT: If you have MLOA or BLOA SecureEmail certificates, make sure that you do not remove the expired encryption certificate.

Step 3.  Check your certificate prompt settings.

Step 4.  Check if your certificate is valid.

  • Open IE > Tools > Internet Options > Content > Certificates > Select the appropriate certificate > View > Certification Path

If any of the certificates listed are highlighted in red, your certificate is invalid. If the top-level certificate is highlighted in red, contact Exostar Customer Support.

  • Remove all invalid certificates and re-apply for a valid certificate.
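
Steps 2 and 4, together with the 90-day renewal window stated earlier on this page, can be checked in one pass over the user's Personal store. The PowerShell below is an added example, not Exostar tooling: the function name and output fields are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: scripted version of Steps 2 and 4 for the current user's Personal store.
# Read-only: it reports and removes nothing, so an expired SecureEmail
# encryption certificate (see the IMPORTANT note above) is left in place.

function Test-UserCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$RenewalWindowDays = 90   # renewal window stated in this FAQ
    )
    process {
        $now = Get-Date

        # Build the chain to a trusted root and check revocation online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $chainOk = $chain.Build($Certificate)

        # One entry per chain element, leaf first. An element with status flags
        # is the scripted equivalent of an entry the Certification Path tab flags.
        $path = foreach ($element in $chain.ChainElements) {
            $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
            if (-not $flags) { $flags = 'OK' }
            '{0} [{1}]' -f $element.Certificate.GetNameInfo('SimpleName', $false), $flags
        }

        # Step 2: expired, inside the renewal window, or too early to renew.
        $remaining = ($Certificate.NotAfter - $now).TotalDays
        if ($remaining -lt 0) {
            $state = 'Expired, re-apply'
        } elseif ($remaining -le $RenewalWindowDays) {
            $state = 'Within renewal window'
        } else {
            $state = 'Not yet renewable'
        }

        [pscustomobject]@{
            Subject       = $Certificate.GetNameInfo('SimpleName', $false)
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            DaysLeft      = [int][math]::Floor($remaining)
            Lifetime      = $state
            ChainValid    = $chainOk
            Path          = $path -join ' -> '
            SignatureHash = $Certificate.SignatureAlgorithm.FriendlyName
        }
        $chain.Reset()
    }
}

Get-ChildItem Cert:\CurrentUser\My | Test-UserCertificate | Format-List
```

Status flags such as NotTimeValid, Revoked or UntrustedRoot identify which certificate in the path is the problem; the SignatureHash field shows whether a certificate is signed with SHA-1 or SHA-256.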


I received the following error message: You are not currently logged in with your certificates.

This error message is presented when the user is attempting to renew certificates but is not logged in with the expiring certificates. Click the link highlighted in blue in the error message and you are presented with the certificate selection list (if your IE is set to present the certificates to choose), or the system automatically picks up a valid certificate and completes the login process. You should select the renew button if your certificate is eligible for renewal.


I received the following error message: Certificate not eligible for renewal.

This message displays if your certificate is not eligible for renewal. You can renew a certificate any time from 90 days prior to the expiration date to the date of expiry.


I received the following error message: Error with your digital certificates. 

Follow the link provided in the error message for detailed information on how to resolve.




ForumPass-Related Questions

Whenever I try to login to a restricted site, I receive an error message “page cannot be displayed”.

This message may be displayed due to one of the following conditions:

  1. Expired/Invalid VeriSign Certificates: If you currently have expired or invalid VeriSign certificates, you will not be able to access restricted sites. We are no longer supporting VeriSign Digital Certificates. Please ensure that you have a valid FIS digital certificate installed. Close the IE window and open a new instance. When prompted, select the Exostar FIS certificate and login to the application. If you do not have a valid Exostar FIS certificate, refer to the FIS User Subscription for MLOA Guide for information on requesting certificates. 
  2. Expired Certificates/Invalid Certificates: If your FIS certificates have expired or are invalid, you will not be able to access the restricted sites. To access the restricted site, you will need to login to MAG and submit an FIS certificate request. For information on how to reapply for certificates, refer to the FIS Renewal/Re-apply Guide.
  3. The prompt certificate is off: You may have an appropriate certificate, but may not be set up to prompt for certificates. Refer to the Enable Certificate Prompt for Internet Explorer guide for further instructions.
  4. Appropriate Certificate Level: Restricted sites require a MLOA digital certificate. If you have a BLOA certificate, you will not be able to access a Restricted site.

When I attempt to access my project within ForumPass, I receive an error message: "Access to this site is restricted to holders of a medium-level credential, such as a vetted digital certificate. The credential that you presented for authentication is of lower grade. In order to access this site, you will need to logout of your current session and authenticate yourself using the appropriate credential. Please contact Exostar for further assistance if you are unsure how to proceed."

Sensitive and Restricted ForumPass sites require a MLOA digital certificate. If you receive this error you are trying to access one of these site templates without the appropriate credentials. You must logout of your current session and login to ForumPass again using your MLOA digital certificate. If you currently do not have a MLOA certificate, login to Exostar's IAM Platform (formerly MAG) and request access to FIS. 


I receive an 'Access Restricted' error message when I attempt to access a project in ForumPass 4. How can I resolve this problem?

You may receive this error message due to one of the following scenarios:

  • You do not have a valid certificate: Sensitive sites require a BLOA digital certificate while Restricted sites require a MLOA digital certificate. If you are logged in with a Core profile and try to access a sensitive or restricted site you will receive this error message. You may log in to MAG and request the appropriate level certificate to access the requested site.
  • Your certificate is invalid or expired: You may log in to MAG and request the appropriate level certificate to access the requested site. If you have issues requesting a certificate, contact Exostar Customer Support for further recommendations.
  • Restricted Access turned "Off": If you are unable to resolve access issues, contact your ForumPass Application Administrator to review your subscription status and ensure that Restricted Access is set to 'ON'.

When do I need a digital certificate for ForumPass?

A digital certificate is required for ForumPass if you need to access either a Sensitive or Restricted site. If you require access to a Sensitive or Restricted site, login to Exostar's IAM Platform (formerly MAG) and select Request Access next to Federated Identity Service (FIS).  If your organization does not currently subscribe to FIS, you should contact your ForumPass Administrator. For more information, refer to ForumPass section of the website.


Common Tasks

How do I back-up my FIS Certificates?

Refer to the Export-Import Certificate guide for a step-by-step process.


How do I import my MLOA/BLOA certificates to a Windows Vista machine (exported from Windows XP or older versions)?

Microsoft has identified an issue with importing certificates to Windows Vista machines (exported from Windows XP or Windows 2000). To successfully use the certificates backed-up from an older version to Vista, follow the steps below:

  1. Download the Microsoft patch to the Windows Vista machine and follow the details provided under the Resolution section. Please review all information on the site to appropriately download the patch: http://support.microsoft.com/kb/970730.
  2. Download the exported certificates to your Windows Vista machine. Refer to the Export-Import Certificate guide for the step-by-step process.


How do I enable strong private key protection for Medium Level of Assurance Certificates?

If you have existing certificates for which you would like to enable strong authentication, you need to back up and import the certificate. Refer to the Export-Import Certificate guide for a step-by-step process.

IMPORTANT: Please note that for MLOA certificates, you need to ensure that you back-up your certificate appropriately. If the certificate is corrupted/lost during this process, you will need to re-apply for the certificate and also go through the in-person proofing process again. Replacing a lost or corrupted certificate will be an additional expense.


Why am I being asked to set strong key protection for all certificates when I download certificates on Microsoft WINDOWS 7.x?

A software issue has been discovered in the Exostar Certificate Issuance control when used on the Microsoft Windows 7.x platform that forces Strong Key protection to be used on all private keys generated and used for Exostar FIS certificates. Detailed information on this issue, along with information for users with existing certificates ready to renew on Microsoft WINDOWS 7.x platform is available here.


How can I use my MLOA and BLOA digital certificates to digitally sign my email?

Refer to your email client documentation (e.g., Microsoft Outlook) for details.


How can I use my MLOA and BLOA digital certificates to digitally sign a document?

Please refer to application-specific help for steps to digitally sign a document. For Microsoft Office 2007, click here.


Can I use my digital certificates after leaving my job at my current employer?

Your certificate contains attributes that uniquely associate you to your employer. If you leave this employer, the certificate information will not be valid.


How can my organization designate multiple FIS administrators?

During the FIS subscription process, one user can be assigned the FIS Administrator role. To add additional FIS Administrators, the Organization Administrator can upgrade a user account as follows:

Step 1.  Designate a user to assign the FIS Administrator role and access their Exostar IAM Platform (MAG) Details page by going to the Administration tab then completing a search for users.

Step 2.  After completing search, click the user ID link to open the user's profile.

Step 3.  Scroll to the Application Settings section and select Application Admin from the Role column.

Step 4.  An application list is now available for selection. Select Federated Identity Service (FIS).

Step 5.  Click Continue and then review the changes you made.

Step 6.  Click Submit to save the changes.

The user receives an email informing them that their account has been upgraded to the FIS Administrator role. This process may be used to upgrade a user to an administrator role for any other application.

The Organization Administrator can also set-up a new user account with the administrator roles by selecting the appropriate role from the Role drop-down list.


Certificate Subscription Information

I already have a digital certificate from another vendor. Can I use it instead of buying Exostar's FIS certificates to access my application(s)?

If you already have digital certificates from another vendor, you cannot use them to access applications via Exostar's Identity and Access Management (IAM) Platform (formerly known as MAG). To be able to access your applications, you are required to get Exostar FIS certificates for the appropriate assurance level. Contact your project partner for detailed information on the assurance level of the certificates.


My organization is already subscribed to an Exostar product within Exostar's Identity and Access Management (IAM) Platform (formerly known as MAG). What will I need to do to subscribe to FIS?

If your organization already has an Exostar Identity and Access Management (IAM) Platform (formerly known as MAG) subscription, but does not have FIS subscription, an Organization Administrator from your organization may request an FIS subscription.


I already have an Exostar Identity and Access Management (IAM) Platform (formerly known as MAG) user account. How can I request FIS subscription?

If you already have an Exostar Identity and Access Management (IAM) Platform (formerly known as MAG) user account and your organization is already subscribed to FIS, you must login to Exostar's IAM Platform and click the Request Access button next to FIS on the Home tab. Your request will then need approval from both your FIS Administrator as well as Exostar. If your organization is not subscribed to FIS, your Organization Administrator should request access. Once the subscription is approved, you can request access to FIS from the Home tab.


I already have an FIS BLOA certificate. I have been asked to get MLOA certificates. What do I need to do?

Your organization must first be approved for a subscription to MLOA FIS. If your organization is approved for MLOA certificates, you can login to Exostar's Identity and Access Management (IAM) Platform (formerly known as MAG), under Manage Certificates, select the Reapply tab and review the information provided. You may then select the Reapply button to apply for the MLOA certificate. Your FIS Administrator can approve your request for the MLOA digital certificate. Refer to the MAG User Guide for details. If you have any questions, please contact Exostar Customer Support.


What is the validity period of my MLOA Digital certificates?

A MLOA digital certificate is valid for 1 or 3 years from the date of issue, depending upon the option selected when your certificate was issued. You will be sent a renewal notice before the expiration of your certificate. If you do not renew your certificates within your renewal period, your certificates will expire and you will be required to go through the in-person proofing process again to obtain valid digital certificates. The certificates will not be valid after the expiration date.


What is the validity period of my BLOA digital certificates?

Your certificates are valid for one year from the date of issue. You will be sent a renewal notice before the expiration of your certificate. If you do not renew your certificates within your renewal period, your certificates will expire and will not be valid for use after the expiration date.


What is the process of obtaining a Basic Level of Assurance (BLOA) FIS digital certificate?

If you already have a MAG account and your organization is already subscribed to FIS, you will need to login to MAG and click the “Request Access” button next to FIS on the Home tab. Your request will then need approval from both your FIS Administrator as well as Exostar. If your organization is not subscribed to FIS, your Organization Administrator should request access. Once your organization has access to FIS follow the steps above. When your FIS subscription is approved you will receive an email with instructions on how to install the digital certificate.


What is the process of obtaining a Medium Level of Assurance (MLOA) FIS digital certificate?

If you already have a MAG account and your organization is already subscribed to FIS for Medium Level of Assurance, you will need to login to MAG and click on the “Request Access” button next to FIS on the Home tab. Your request will then need approval for MLOA certificate by your FIS Administrator. Once Exostar receives approval from the FIS Administrator, an in-person proofing process is started. 


How can a Medium Level of Assurance digital certificate offered by Exostar be used?

Exostar's MLOA certificates are CertiPath compliant, which means they can be used throughout the aerospace and defense industry to enable secure information sharing. They may be used to support multiple functions, including: 

  • Secure Email (digital signature and encryption)
  • Secure Logon
  • Server Authentication
  • Code Signing
  • Document Signing


What is the difference between renewing your certificate and re-applying for a new one?

If you have a certificate that expires within 90 days, you are able to complete a renewal request for the certificate. When you renew a certificate, you provide all information to the FIS Administrator (FISA) to approve you for the correct certificate. In addition, irrespective of the type of certificate you are renewing, you receive the passcode to download the certificate in an email. You can only renew an unexpired certificate. You can always re-apply for a new certificate. You generally re-apply for a new certificate:

  • If you want to upgrade from Basic Level of assurance (BLOA - Identity) to either BLOA (Secure Email) or Medium Level of Assurance (MLOA) certificates.
  • If your current certificate has expired. If you re-apply for an MLOA certificate, you are required to complete a face-to-face proofing session with an Exostar Trusted Agent.

When I attempt to open an encrypted email from a Boeing user, I get an error 'Cannot open this item. Your digital ID cannot be found by the underlying security system.'

This error is encountered when your email client is unable to search for the Boeing root certificates. Follow the instructions below to install the relevant Boeing root certificates:

Step 1. Go to http://www.boeing.com/crl/.

Step 2. Select the following certs: Secure Messaging.crt & The Boeing Company Root Certificate Authority.crt.

Step 3. Click on each of the certs under the Authority Information section.

Step 4. Select Open.

Step 5. Click Install Certificate (take all defaults).

Step 6. Click Next, click Next and click Finish.

Step 7. Select OK to close the dialog box that states the Import was successful. 


In-Person Proofing for MLOA Certificates

Can I use my birth certificate instead of a social security card for the proofing activity?

Yes, you can bring an original or certified copy of your birth certificate instead of the social security card for the proofing activity. Please note that you also need an additional form of identification along with your birth certificate. A list of acceptable forms of identification is provided here. Review this list prior to meeting your proofing agent.


Is my company-issued photo ID good enough as the second form of ID along with a driver's license?

No, you may not use your company-issued photo-ID as a valid form of ID along with a driver's license. Refer to the list of acceptable forms of identification provided here. Review this list prior to meeting your proofing agent.


Can our in-house notary complete the in-person vetting for MLOA certificates?

Unless your in-house notary is a designated National Notary Association (NNA) approved Trusted Enrollment Agent (TEA), you may not use your in-house notary for in-person vetting for MLOA certificates. If your in-house notary is a designated TEA, you should provide this information to Exostar during initial contact to ensure users from your organization may be assigned appropriately for proofing activity.


Basic Exostar Information

What is Exostar's Identity and Access Management (IAM) Platform (formerly known as MAG)?

Exostar’s Identity and Access Management (IAM) Platform (formerly known as MAG) is a consolidated portal for registration, authentication, and account management across applications hosted by Exostar, those hosted by managed applications, and applications managed by external entities. This may include applications hosted by Exostar partners or third-party commercial applications.


Why is my organization registering with Exostar’s Identity and Access Management (IAM) Platform (formerly known as MAG)?

By registering your organization with Exostar, you will be able to access products and services hosted by Exostar and third parties. MAG is the account management system and “front door” for accessing these applications.


What is Federated Identity Service (FIS)?

Exostar’s Federated Identity Service (FIS) is a fully-managed public key infrastructure (PKI) service for the issuance and maintenance of digital certificates. As part of a suite of identity management services offered by Exostar, FIS is a comprehensive PKI solution that enables full lifecycle management of certificates, strong authentication practices, and controlled access to applications through Exostar’s Identity and Access Management (IAM) Platform (formerly known as MAG), minimizing risk and assuring resources and intellectual assets are protected over the extended enterprise. Because it is operationally modeled after and compliant with U.S. Federal Bridge Certificate Authority security policies and federal best-practice guidelines, FIS is ideal to enable sensitive online transactions and secure access to information.


What is a digital certificate?

A Digital Certificate is the digital equivalent of an ID card and is issued by trusted third parties known as certification authorities (CAs), such as Exostar. A certificate may contain multiple attributes about its owner, which can be used to uniquely identify them online to systems or through email. Digital certificates are typically used to establish one’s identity online and do not authorize the holder of the certificate to perform any specific function within an online application.


What types of digital certificates does Exostar offer?

FIS is a subscriber service managed by Exostar that can issue multiple types of digital certificates for various levels of assurances:

  • Signature
  • Encryption
  • Authentication

Levels of assurance:

  • Basic Level of Assurance Certificates - Identity (BLOA-Identity)
  • Basic Level of Assurance Certificates - SecureEmail (BLOA-SecureEmail)
  • Medium Level of Assurance (MLOA) Software Digital Certificates: Software Digital Certificates that are modeled after CertiPath policies.
  • Medium Level of Assurance (MLOA) Hardware Digital Certificates: Hardware Digital Certificates that are modeled after CertiPath policies.


Organization Registration

Why is my organization registering for this?

To enable secure collaboration and information sharing with colleagues and suppliers in the aerospace and defense industry.



SHA-256 

What is the US Federal IT mandate, and how may it affect my interaction with Aerospace and Defense industry and Federal customers, such as the US Department of Defense?

The National Institute of Standards and Technology (NIST), a bureau of the US Department of Commerce, is responsible for setting US Federal Government standards for computing and IT systems.  Due to recent advances in computing power, NIST has identified the need for Federal IT systems to migrate to a newer version of the Secure Hash Algorithm (SHA) than is used in many Internet-connected operating systems, applications, and hardware products.

All departments within the Federal government are required to transition to the new standard, "SHA-256", starting on January 1, 2011, with a phase out of the previous standard by January 1, 2013.  However, many commercial IT products and vendor solutions may require patches or version upgrades in order to be compatible with the new Federal standard.


What is the timeline for this change in US Federal standards?

The US Federal Government will begin issuing credentials using SHA-256 on or about January 1, 2011.  Electronic transactions such as secure email (S/MIME) and secure network sessions (SSL, IPSec) may transition to the new standard through 2012.

Further information may be obtained at the following US Government web sites:

http://www.idmanagement.gov/   

http://www.nist.gov/cybersecurity-portal.cfm


What is a digital certificate?

A digital certificate is an electronic credential similar to a driver's license, passport or membership card. A digital certificate is a piece of electronic information, generally stored on your computer or on a USB token or SmartCard, which serves as a form of identification that can be verified electronically and trusted by third parties. Digital certificates are commonly used to log in to secure websites and to digitally sign and encrypt data.


What is a virtual private network (VPN)?

A virtual private network (VPN) is a private and secure network that is typically applied on top of an existing corporate network.  Generally, one may login to VPN software to access corporate email and other resources while outside of their office. 


How do I determine my operating system version and patch level?

In Microsoft Windows, navigate to "My Computer", right click, and select "Properties".  The operating system and service pack level will be displayed.

To determine whether specific patches are installed, navigate to "Control Panel", then to "Add or Remove Programs", and select the "Show Updates" check box in the upper portion of the window.  Your Windows patch information should be displayed within the window.

If you are not able to access your computer settings or Windows control panel, you may need to contact your IT support organization for assistance.


What operating systems support the new standard, and which systems have known issues?

NOTE:  [For questions 6, 7, and 8] The following are the Microsoft and Adobe test findings for SHA-256 as of September, 2010.  Exostar will post additional information as it becomes available.  However, the page is intended for informational purposes only, and Exostar makes no representation or warranty regarding the accuracy or completeness of the information provided.  Supplier IT departments should coordinate directly with their operating system and application vendors.


Microsoft Windows 7

SHA-256 is supported by the OS - No action is required

Microsoft Windows Vista

SHA-256 is supported by the OS - No action is required

Microsoft Windows 2008 Server

SHA-256 is supported by the OS - No action is required

Microsoft Windows XP Service

A SHA-256 patch is available from the vendor, but is not broadly distributed

Microsoft Windows 2003 Server

A SHA-256 patch is available from the vendor, but is not broadly distributed

Microsoft Windows XP Service Pack 2 (and previous)

No OS vendor patch is planned - An upgrade to a current/supported OS version is needed to support SHA-256

Microsoft Windows 2000

No OS vendor patch is planned - An upgrade to a current/supported OS version is needed to support SHA-256

Microsoft Windows 95/98/ME

No OS vendor patch is planned - An upgrade to a current/supported OS version is needed to support SHA-256


What email systems support the new standard, and which systems have known issues?

NOTE: Microsoft Outlook 2010 will be posted soon.



| Configuration | Verify SHA-1 signed email? | Verify SHA-256 signed email? | Send SHA-1 signed email? | Send SHA-256 signed email? |
| --- | --- | --- | --- | --- |
| Microsoft Outlook 2007 on Windows XP Service Pack 3 | YES | NO | YES | NO |
| Microsoft Outlook 2003 on Windows XP | YES | NO | YES | NO |
| Microsoft Outlook 2007 on Windows Vista | YES | YES | YES | YES |
| Microsoft Outlook 2007 on Windows 7 | YES | YES | YES | YES |


What word processing and productivity applications support the new standard, and which systems have known issues?


| Configuration | Verify SHA-1 signed PDF? | Verify SHA-256 signed PDF? | Sign with SHA-256 certificate using SHA-1? | Sign with SHA-256 certificate using SHA-256? |
| --- | --- | --- | --- | --- |
| Adobe Acrobat 9 Pro on Windows 7 | YES | YES | YES | YES |
| Adobe Acrobat 8 on Windows Vista | YES | YES | YES | NO |
| Adobe Acrobat 8 on Windows XP | YES | YES | YES | NO |


What web browsers support the new standard?

Microsoft Internet Explorer 8 will be posted soon.


| Configuration | SHA-256 Server Certificate Handling | SHA-256 Client Certificate Authentication |
| --- | --- | --- |
| Microsoft Internet Explorer 6.0 on Windows XP Service Pack 3 | YES | YES |
| Microsoft Internet Explorer 7.0 on Windows XP Service Pack 3 | YES | YES |
| Mozilla Firefox 3.6 on Windows 7 | YES | YES |
