logorte

Web Access to the RTE Information System


Internet Explorer

Microsoft Internet Explorer

Preliminary configuration

Configuration of the security settings

This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection
(HTTPS protocol).

In the browser, select the menu " Tools > Internet Options ":

Paramètre de sécurité

Select the tab " Advanced ":

paramètre avancé

In the section " Security ", make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.


Adding trusted sites

In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites.
The Trusted Sites zone allows the declaration of sites’ names you consider safe.
In this section, you must be logged into the workstation with the Windows account that will use the software certificate.

To do this: open Internet Explorer and click the menu " Tools > Internet Options ".

option internet

In the window that appears, click the " Security " tab. select the " Trusted Sites " icon and click the " Sites " button.

sites

The following window appears:

Fênetre ouverte

In the field " Add this website to the zone ", enter the URL corresponding to the PKI:


Then click " Add ". The site then appears in the list " Websites " as shown below.

Ajout

Proceed in the same way to add the following websites:

https://portail.iservices.rte-france.com: this is the internet portal
https://secure.iservices.rte-france.com: this is the SSL VPN connection portal

The 3 websites shall now appear in the list " Websites ".

Site web

Click " Close ", then " OK ".

Installing RTE’s CAs certificates

Download and install

RTE Certification Authority

This CA is the Historical CA of RTE, dealing with 2048 bit keys.
This CA is necessary to ensure the cohabitation between the former and the latter PKIs.
RTE Historical CA’s certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority.

IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

The download window appears:

Fênetre de téléchargement

Click the " Save " button and choose a location to save the file " Certification_Autority_RTE_2048.cer " containing RTE Historical CA’s certificate.

Fênetre de fin du téléchargement

Click " Open folder " to go to the directory where you saved the file.

Right-click the " Certification_Autority_RTE_2048.cer " file you just downloaded and choose " Install Certificate ".

Installation du certificat

The installation wizard of the certificate is displayed:

Assistant d'installation

Click " Next ".

Assistant d'installation 2

Select " Place all certificates in the following store " and click " Browse ".

In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".

Magasin de certificat

Once you have chosen the certificate store, you get the following window:

Magasin de certificat

Click " Next ".

Magasin de certificat

Click " Finish ".

Magasin de certificat

Click " Ok ".


RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust.
RTE Root CA certificate must now be installed in your browser.
To do so, please go to the following address:

IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

The download window appears:

Fênetre de téléchargement

Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:

Téléchargement ACR

Click " Open folder " to go to the directory where you saved the file.

Right-click the " ACR_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".

Installation du certificat

The installation wizard of the certificate is displayed:

Assistant d'installation

Click " Next ".

Assistant d'installation 2

Select " Place all certificates in the following store " and click " Browse ".

In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".

Magasin de certificat

Once you have chosen the certificate store, you get the following window:

Magasin de certificat

Click " Next ".

Magasin de certificat

Click " Finish ", and if the next window display a security Warning then click " Yes ":

Magasin de certificat

Click " OK ".

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI’s certificates.
RTE Client CA certificate must now be installed in your browser.
To do so, please go to the following address:

IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

The download window appears:

Certificat

Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:

Fin du téléchargement

Click " Open folder " to go to the directory where you saved the file.

Right-click the " ACR_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".

Installation du certificat

The installation wizard of the certificate is displayed:

Assistant d'installation

Click " Next ".

Assistant d'installation

Select " Automatically select the certificate store based on the type of certificate " and click " Next ".

Assistant d'installation

Click " Finish ".

Magasin de certificat

Click " Ok ".



Visualization and verification of RTE’s CA certificates

Visualization of installed RTE’s CA certificates

The certificates of RTE’s CA you just import are stored in the Certification Authorities store of Internet Explorer.

To view them, click the menu " Tools > Internet Options ".


certificats

A window appears. Go to the " Content " tab and click the " Certificates " button.


certificats

In the window that appears, go to the tab " Trusted Root Certification Authorities". You can see RTE Historical CA’s certificate (here) and RTE Root CA’s certificate (here):

certificats

On the tab " Intermediate Certification Authorities" you can see RTE Client CA’s certificate (here):

certificats

Verification of RTE Certification Authority certificate

Select the certificate " RTE Certification Authority ".

1.2.2.2 - 1 - certificats

Click the button " View ", then click the " Details " tab.

1.2.2.2 - 2 - certificats

To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.

Digital hash of the certificate " RTE Certification Authority " SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12


If this is not the case, delete the certificate and call RTE’s Hotline (click).


Verification of RTE Root Certification Authority certificate

Select the certificate " RTE Root Certification Authority ".

1.2.2.3 - 1 - certificats

Click the button " View " then click the " Details " tab.

1.2.2.3 - 2 - certificats

To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.

Digital hash of the certificate " RTE Certification Authority " SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12

If this is not the case, delete the certificate and call RTE’s Hotline (here).


Verification of RTE Client Certification Authority certificate

In the tab " Intermediate Certification Authorities ", select the certificate " RTE Client Certification Authority ".

1.2.2.4 - 1 - certificats

Click the button " View " then click the " Details " tab.
1.2.2.4 - 2 - certificats

To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.

Digital hash of the certificate " RTE Certification Authority " SHA1

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case, delete the certificate and call RTE’s Hotline (here).

Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed in accordance with the procedure of software certificate request.
To proceed to the retrieval you need the following information (here):

For your convenience you can copy and paste different values being careful not to copy any space at the beginning or end.

To create your certificate and the associated private key, log on the certificate retrieval website:
IMPORTANT NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.
1.3.1 - 1
Click the button " "Retrieval of your personal certificate".
1.3.1 - 2
Fill the field " Certificate email " with the value indicated in the email " Access to RTE’s IS services ".

Click " Submit ".
1.3.1 - 3
Fill the fields: Finally click " Submit ".


Downloading your certificate

The following page appears.
1.3.2 - 1
Click " Download ".
1.3.2 - 2
In the window that appears, click " Save ".
1.3.2 - 3
Choose a directory to save your certificate, then click " Save ".

A window shows the progress of the download. Once the download is completed, click " Open folder ".
1.3.2 - 4
The folder containing your personal certificate appears.
IMPORTANT NOTE

Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on a removable media (USB stick or an external hard drive), that you have to put into a safe in order to protect access to it.

Also keep the mail " Access to RTE's IS services " that contains the password.

Installation of your personal certificate

Go to the download folder of the file.

Right-click the " certificate.p12 " file and choose " Install PFX ".
1.3.3 - 2
Click" Next ".
1.3.3 - 3
The name of the file containing your certificate is automatically filled, click " Next ".

The window below appears:
1.3.3 - 4
Click " Next ".
1.3.3 - 5
Select " Automatically select the certificate store based on the type of certificate ", and click " Next "
1.3.3 - 6
Finally, click " Finish ".

If you previously ticked the case " Enable strong private key protection ", then the following window appears:
1.3.3 - 7
Click the button " Set security level… ".
1.3.3 - 8
Select the case " High ", then click " Next ".
1.3.3 - 9
Enter a name for the private key to protect and a password then click the " Finish " button.
Warning: this password is required upon each use of the certificate.
1.3.3 - 10
Click " OK ".

Finally, the following window appears:
1.3.3 - 11
Click " OK ".

Your certificate and your private key have been successfully imported in Internet Explorer.


Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is obviously the same, only the presentation of information on the screen differs. In the case of downloading with Internet Explorer, open the certificate store via the menu " Tools> Internet Options "," Content " tap,
button " Certificates… ":
1.3.4 - 1
Select your certificate then click " View ".
1.3.4 - 2
1.3.4 - 3
It is valid for 3 years from the date of withdrawal.

The " Certification Path " tab allows checking the validity of your certificate. The " Certificate status " and the complete visualization of the certification path indicate that your certificate has been correctly installed. As well as the trust chain (Root CA + Client CA or Historical CA), which confirms that everything has been configured correctly.
1.3.4 - 4
1.3.4 - 5

Using your certificate

Authentication and encryption

Steps to follow: Once authentication is completed, all data you send or receive will be encrypted.


Example of access to an RTE web application

Enter the URL https://portail.iservices.rte-france.com in the Internet Explorer address bar then press Return.

Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site.
1.4.2 - 1
The line " Click here to view certificate properties… " lets you view the content of the selected certificate.

Click the " OK " button to access the application.

The window below asks for the password that protects the private key associated with your certificate if it has been set.
1.4.2 - 2
The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field):
1.4.2 - 3

Additional operations

Export of your personal certificate

This section explains how to save the certificate with its private key and RTE’s trust chain. The procedure is to generate a file in PKCS#12 format (" .pfx " extension), protected by a password.

You can only export your certificate and private key if you checked " Mark this key as exportable " when Installing your personal certificate (here).

In Internet Explorer, click the menu " Tools> Internet Options.."
1.5.1 - 1
Then, click the " Content ", tab and then the " Certificates button ".
1.5.1 - 2
Another window appears. Select your certificate, then click " Export… ".
1.5.1 - 3
1.5.1 - 4
Select " Yes, export the private key ", and then click " Next ".
1.5.1 - 6
Select the check box " Include all certificates in the certification path if possible ", and then click " Next ".
1.5.1 - 7
Enter a password of your choice to protect the PKCS#12 file, and then click " Next ".
1.5.1 - 8
Select the location of the PKCS#12 file, and then click " Next ".
1.5.1 - 9
Finally, click the " Finish " button.
1.5.1 - 10
Click " OK ".

You have exported to a file in PKCS#12 format, protected by a password, your certificate's private key and RTE’s trust chain (who signed your certificate). These elements have therefore been exported, but remain present in the Internet Explorer’s store.


Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Internet Explorer’s Certificate store.
IMPORTANT NOTE

Before deleting your personal certificate, make sure to have a copy. If this is not the case, refer to here to export your certificate and private key as a PKCS#12 file. sous forme de fichier PKCS#12.
In Internet Explorer, go to " Tools > Internet Options ".
1.5.2 - 1
A window appears. Click the " Content " tab, then the " Certificates " button:
1.5.2 - 2
Select the certificate to delete and click " Remove ".
1.5.2 - 3
Click " Yes ".
1.5.2 - 4
The certificate is removed from the certificates list.

Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (here). Once the channel is established all communications with the requested RTE service will be encrypted.

The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.


Prerequisite

The website secure.iservices.rte-france.com must be declared as a trusted site (here)
IMPORTANT NOTE

Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (here).
PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. This service allows, once installed, to update future SAM versions without requiring the intervention of a person with administrator privileges on the machine.

To do so, download the executable under the link:

http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp
1.6.2 - 1
And decompress the compressed file:
1.6.2 - 2
1.6.2 - 3
Once the file is executed, the following window appears, asking you the authorization to start the service. Click " Run ".

1.6.2 - 4
The following window appears. Click " Yes ".
87
It will be automatically activated at every operating system launch.


First connection

This paragraph applies only to your first login to the SSL VPN with Internet Explorer.
IMPORTANT NOTE

The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Before continuing, you need to disable ActiveX controls on Internet Explorer. To do so, press the " Alt " key on the keyboard. A menu bar at the top of the window. Then click the Tools button, and make sure " ActiveX Filtering " is not selective (see the following screenshot).
1.6.3 - 1
Launch your browser and go to the following website: The following window appears:
1.6.3 - 2
Select your certificate then click " OK ".

If necessary, this window will ask for the password that protects the private key associated to your certificate.
1.6.3 - 3
The browser displays a link to install SAM (if it’s not already installed on your computer):
1.6.3 - 4
If no manual intervention is performed, the following installation pop-up appears:
1.6.3 - 5
If necessary, the following window appears:
1.6.3 - 6
Click " Yes ".
The Pulse Secure client then installs and the installation of the SAM application starts:
1.6.3 - 7
Wait during the installation.

If the following window appears, click " Yes ".
1.6.3 - 8


Once the installation is completed, the following page appears:
1.6.3 - 9
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then, the icon 1.6.3 - 10 appears in your task-bar: 1.6.3 - 11

Click the " Sign out " button (top right of the page) to end the session:
1.6.3 - 12



Using the SSL VPN

Establishing the connection

Launch your browser and go to the following website: The following window appears:
1.6.4.1 - 1
Select your certificate then click " OK ".

If necessary, a window will ask you the password that protects the private key associated with your certificate.

1.6.4.1 - 2
If necessary, the window below appears. Click " Yes ".
1.6.4.1 - 3
The SAM application launches automatically and the following page appears:
1.6.4.1 - 4
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then, the icon appears in your taskbar. Notes:
1.6.4.1 - 5

Use case to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client.

Access to hosted mailboxes requires the SSL VPN connection to be established (here). The Email account configuration in your mail client is then to be made with the following parameters: When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.
IMPORTANT NOTE

Because the messages are transferred through a secure channel, sending and receiving messages do not require the use of a certificate to encrypt messages.