logorte

Web Access to the RTE Information System


mozilla

Mozilla Firefox

Preliminary configuration

The SSL standard, allowing access to sites with an encrypted connection (protocol HTTPS) is disabled by default in recent versions of Firefox. The supported versions of Firefox are specified here

The standards supported by default are: TLS 1.0 to TLS 1.2.

In case of problems, thank you to notify the issue to RTE’s Hotline (here).

Installing RTE’s CAs certificates

Download and install

RTE Historical Certification Authority

IThis CA is the Historical CA of RTE, dealing with 2048 bit keys. This CA is necessary to ensure the cohabitation between the former and the latter PKIs.

RTE Historical CA certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority.

To do so, please go to the following address:
IMPORTANTE NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.


The following pop-up, in order to download the certificate, appears:
2.2.1.1 - 1
Select "Save file" then click "OK". A location to save the file "Certification_Autority_RTE_2048.cer" will eventually be requested.
2.2.1.1 - 2
Once the file is downloaded, click the menu "Tools" in the right corner of the window then click the icon "Options":
2.2.1.1 - 3
A window appears. Choose the "Advanced" tab then the subcategory "Certificates".
2.2.1.1 - 4
Click the "View certificates" button.
2.2.1.1 - 5
Select the "Authorities" tab and click "Import…".
2.2.1.1 - 6
Select the previously saved file.
2.2.1.1 - 7
A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Historical CA.

Click "View" to check that the certificate you just install is RTE Historical CA’s certificate:
2.2.1.1 - 8
To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Certification Authority" SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12


If this is not the case: click "Close" to go back to the precedent window and click "Cancel" then call RTE’s Hotline (here).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:

2.2.1.1 - 9
By clicking on the "Close" button, you return to the initial window.
2.2.1.1 - 8
Click "OK". RTE Historical CA certificate is now installed in the certificate store of Mozilla Firefox


RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust.

RTE Root CA certificate must now be installed in your browser.

To do so, please go to the following address:
IMPORTANTE NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.



The following pop-up, in order to download the certificate, appears:
2.2.1.2 - 1

Select "Save file" then click "OK". A location to save the file "ACR_RTE_Root_CA_20160303.cer" will eventually be requested.

Once the file is downloaded, click the menu "Tools" in the right corner of the window then click the icon "Options":
2.2.1.2 - 2

A window appears. Choose the "Advanced" tab then the subcategory "Certificates".
2.2.1.2 - 3
Click the "View certificates" button.
2.2.1.2 - 4
Select the "Authorities" tab and click "Import…".
2.2.1.2 - 5
Select the previously saved file.
2.2.1.2 - 6
A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Root CA.

Click "View" to check that the certificate you just install is RTE Root CA’s certificate:
2.2.1.2 - 7
To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Root Certification Authority"

SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff


If this is not the case: click "Close" to go back to the precedent window and click "Cancel" then call RTE’s Hotline (here).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:
2.2.1.2 - 8

By clicking on the "Close" button, you return to the initial window.
2.2.1.2 - 8
Click "OK". RTE Root CA certificate is now installed in the certificate store of Mozilla Firefox.


RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI’s certificates.

RTE Client CA certificate must now be installed in your browser.

To do so, please go to the following address:
IMPORTANTE NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.

The following pop-up, in order to download the certificate, appears:
2.2.1.2 - 9
Select "Save file" then click "OK". A location to save the file "ACF_RTE_Client_CA_20160303.cer" will eventually be requested..

Once the file is downloaded, click the menu "Tools" in the right corner of the window then click the icon "Options":
2.2.1.2 - 10
A window appears. Choose the "Advanced" tab then the subcategory "Certificates".
2.2.1.2 - 11
Click the "View certificates" button.
2.2.1.2 - 12
Select the "Authorities" tab and click "Import…"
2.2.1.2 - 13
Select the previously saved file.
2.2.1.2 - 14
A dialog box is displayed, in which you must select the three check boxes "Trust this CA to identify [...]" to trust RTE Client CA.

Click "View" to check that the certificate you just install is RTE Client CA’s certificate:
2.2.1.2 - 15
To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Client Certification Authority"

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed


If this is not the case: click "Close" to go back to the precedent window and click "Cancel" then call RTE’s Hotline (here).

If, after verification, the hash of the certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:
2.2.1.2 - 16
By clicking on the "Close" button, you return to the initial window.
2.2.1.2 - 16
Click "OK". RTE Client CA certificate is now installed in the certificate store of Mozilla Firefox.


Visualization and verification of RTE CAs certificates

To see the certificates in Mozilla Firefox, click the menu "Tools" in the right corner of the window then click the icon "Options":
2.2.2 - 1
A window appears. Choose the "Advanced" tab then the subcategory "Certificates".
2.2.2 - 2
Click the "View certificates" button.
2.2.2 - 3
In "Authorities" tab, you can verify that the certificates you import are register with "RESEAU DE TRANSPORT D’ELECTRICITE" organization and are saved on your computer disk ("Software Security Device"). You can see the content of each certificate by clicking on the certificate and then clicking on "View".

Select "RTE Certification Authority" and click "View":
2.2.2 - 4

To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Certification Authority" SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case: click "Close" to go back to the precedent window and call RTE’s Hotline (here).

If, after verification, the hash of RTE Historical CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:
2.2.2 - 5
By clicking on the "Close" button, you return to the initial window. Select "RTE Root Certification Authority" and click "View":
2.2.2 - 6
To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Root Certification Authority" SHA1

SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff

If this is not the case: click "Close" to go back to the precedent window and call RTE’s Hotline (here).

If, after verification, the hash of RTE Root CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:
2.2.2 - 7
By clicking on the "Close" button, you return to the initial window.

Select "RTE Client Certification Authority" and click "View":
2.2.2 - 8
To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Client Certification Authority" SHA1

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed

If this is not the case: click "Close" to go back to the precedent window and call RTE’s Hotline (here).

If, after verification, the hash of RTE Client CA certificate that you imported matches the "SHA1" hash above, it is possible to consult the details of the certificate by clicking on the "Details" tab:
2.2.2 - 9
By clicking on the "Close" button, you return to the initial window.

Installing your personal certificate

Authentication on the retrieval interface

The software certificate request must have been completed.

To proceed to the retrieval you need the following information (see here): For your convenience you can copy and paste different values being careful not to copy any space at the beginning or end.

To create your certificate and the associated private key, log on the certificate retrieval website:
IMPORTANTE NOTE

It is imperative to respect the case (upper / lower case) of the site’s address.
2.3.1 - 1
Click the button "Retrieval of your personal certificate".
2.3.1 - 2
Fill the field "Certificate email" with the value indicated in the email "Access to RTE’s IS services" (see here).

Click "Submit".
2.3.1 - 3

Please complete the following: Finally, click "Submit".


Download of your certificate

The following page appears.
2.3.2 - 1
Click "Download".
2.3.2 - 2
In the window that appears, click "Save" then "OK".
2.3.2 - 3
Choose a directory to save your certificate, then click "Save".
IMPORTANT NOTE

Once downloaded, the PKCS#12 file (extension ".P12") containing your certificate and its associated private key must be stored on a removable media (USB stick, an external hard drive), that you have to put into a safe in order to protect access to it.

Also keep the mail "Access to RTE's IS services"(see here) that contains the password.

Installation of your personal certificate

In Firefox, go to the menu "Tools" on the top right of the window and click the "Options" icon:
2.3.3 - 1
A window appears. Choose the tab "Advanced" then the subcategory "Certificates".
2.3.3 - 2
Click "View Certificates".
2.3.3 - 3
Click "Import…".
2.3.3 - 4
Go to the folder you saved your certificate in, select your certificate "name_certificate.p12" and click "Open".

If necessary, the window below will ask you the access password to the Mozilla Firefox certificate store (click here to set this password):
2.3.3 - 5
Enter it and click "OK". The window below appears.
2.3.3 - 6
Enter the "Password" present in the email "Access to RTE’s IS services" (see here), then click "OK".
2.3.3 - 7
Your certificate and its associated private key have been successfully imported in Mozilla Firefox’s certificate store.


Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is obviously the same, only the presentation of information on the screen differs.

In the case of Mozilla Firefox, go to the "Tools" menu (top-right corner of the window) then click the "Options" icon:
2.3.4 - 1
A window appears. Choose the "Advanced" tab then the "Certificates" subcategory.
2.3.4 - 2
Then click the "View Certificates" button.
2.3.4 - 3
Select the tab "Your Certificates".

The certificate is a software certificate: indeed, the "Software Security Dev…" indication appears at the right of its name. You can view it by selecting it and clicking "View…". The first tab "General" displays the following message "This certificate has been verified for the following uses". It is valid for 3 years from the date of withdrawal.
2.3.4 - 4
The second tab "Details" displays the certification hierarchy with the trust chain. This ensures that all certificates have been installed correctly, and that all the correct conditions of your certificate are met.
2.3.4 - 5

Using your certificate

Authentication and encryption

Steps to follow: Once authentication is completed, all data you send or receive will be encrypted


Example of access to an RTE web application

When you access the https://portail.iservices.rte-france.com, homepage, you will be asked to choose your certificate.
2.4.2 - 1
Select your certificate from the drop down list entitled "Choose a certificate to present as identification" then click "OK". The following window will ask you the access password to the Mozilla Firefox certificate store if it was defined.
2.4.2 - 2
The home page is then securely displayed, (appearance of the closed padlock near to the URL entry field):
2.4.2 - 3

Additional operations

Defining the master password for personal security

To protect the private key associated with your certificate it is strongly recommended to set a personal security password.

To do this, click the "Tools" menu on the top right of the window and click on the "Options" icon:
2.5.1 - 1
A window appears. Choose the "Security" tab.
2.5.1 - 2
If "Use a master password" is already checked, it means you already have a personal security password, and you have nothing to do.

Otherwise, check the "Use a master password" case. The following window appears:
2.5.1 - 3
Enter your new master password in both fields and click "OK".

Your personal security password is now defined.

You can change your personal security password at any time by going to the menu "Tools" on the top right of the window and clicking the "Options" icon.
2.5.1 - 4
A window appears. Choose the "Security" tab and click "Change Master Password…".
2.5.1 - 5


Export of your personal certificate

This section explains how to save the certificate with its private key and trust chain. The procedure is to generate a file in PKCS#12 format (".p12"), protected by a password.

Go the "Tools" menu at the top-right corner of the window then click the "Options" icon:
2.5.2 - 1
A window appears. Choose the "Advanced" tab then the "Certificates" subcategory.
2.5.2 - 2
Then click "View Certificates…".
2.5.2 - 3
Select your certificate and click "Backup…":

Choose a folder and a name for the output file in PKCS#12 format (extension ".p12"):
2.5.2 - 4
Click "Save".

If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store:
2.5.2 - 5
Then the following window appears:
2.5.2 - 6
Enter a password of your choice to protect access to the PKCS#12 file and click "OK".
2.5.2 - 7
Your certificate, your private key and the trust chain are exported in the PKCS#12 generated file (extension ".p12").



Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Mozilla Firefox’s Certificate store.
IMPORTANT NOTE

Before deleting your personal certificate, make sure to have a copy. If this is not the case, refer to here to export your certificate and private key as a PKCS#12 file.
Go to the "Tools" menu at the top-right corner of the window then click the "Options" icon:
2.5.3 - 1
A window appears. Choose the "Advanced" tab then the "Certificates" subcategory.
2.5.3 - 2
Then click "View Certificates...".
2.5.3 - 3
Select your certificate and click "Delete…".
2.5.3 - 4
Validate by clicking "OK".

The certificate is then removed from the list of certificates.
2.5.3 - 5

Connecting to the SSL VPN

Foreword

The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (see here). Once the channel is established all communications with the requested RTE service will be encrypted.

LThe use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.


Prerequisite

In order to connect to the SSL VPN with Firefox, Java SE Runtime Environment (JRE) 1.5.07 or higher needs to be installed on your workstation. If this is not the case, you can download the latest version on Oracle’s website:

http://java.com/fr/download/index.jsp
IMPORTANT NOTE

Before your first connection, you must verify that your workstation can resolve the address secure.iservices.rte-france.com (here).
PPSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. This service allows, once installed, to update future SAM versions without requiring the intervention of a person with administrator privileges on the machine.

To do so, download the executable under the link:

http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp
2.6.2 - 1
And decompress the compressed file:
2.6.2 - 2
Once the file is executed, the following window appears, asking you the authorization to start the service. Click "Run".
2.6.2 - 3
Once the file is executed, the following window appears. Click "Yes".
2.6.2 - 4
It will be automatically activated at every operating system launch.


First connection

This paragraph applies only to your first login to the SSL VPN with Mozilla Firefox.
IMPORTANT

The first connection must be made by a computer specialist with Administrator rights on your workstation in order to install the SAM application.

Lunch your Mozilla Firefox browser and go on the following website:
The following window appears:
2.6.3 - 1
Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click "OK". If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store.
2.6.3 - 2
If a window asking you permission to execute a script from "Pulse Secure, LLC." appears, click "Yes".

2.6.3 - 3
If the following red icon appears, click it in the address bar. Then in the dropdown menu of the message, select "Activate all plugins" and then choose "Allow and remember".
2.6.3 - 3

The following window appears, click "Run":
2.6.3 - 4

If necessary, the following window appears:
2.6.3 - 5

If the window below appears, click "Yes".
2.6.3 - 6

The installation of the SAM application starts:
2.6.3 - 7
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then the window below appears:
2.6.3 - 8
Then, the icon 2.6.3 - 9 appears in your task-bar which means you are now connected to the SSL VPN.

Click the "Sign out" button (top right of the page) to end the session:
2.6.3 - 10

Using the SSL VPN

Establishing the connection

Run your browser and access the following website: The following window appears:
2.6.4.1 - 1
Select your certificate from the dropdown list entitled "Choose a certificate to present as identification" and click "OK". If necessary, the following window will ask you the access password to the Mozilla Firefox certificate store.
2.6.4.1 - 2
If a window appears asking you permission to execute a script from "Pulse Secure, LLC.": click "Yes"
2.6.4.1 - 3
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then the window below appears:
2.6.4.1 - 4
Then, the icon appears in your taskbar which means you are now connected to the SSL VPN.

Notes

Use to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client.

Access to hosted mailboxes requires the SSL VPN connection to be established (see here).

The Email account configuration in your mail client is then to be made with the following parameters: When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.
NOTE

Since the messages are transferred through a secure channel (everything that passes through this channel is automatically encrypted), sending and receiving e-mail messages does not require the use of a certificate for message encryption.