Web Access to the RTE Information System

• Preliminary configuration
• Installing RTE’s CAs certificates
• Installing your personal certificate
• Using your certificate
• Additional operations
• Connecting to the SSL VPN

This section is about the configuration of the workstation to support the SSL standard, allowing access to sites with an encrypted connection
(HTTPS protocol).

In the browser, select the menu " Tools > Internet Options ":

Select the tab " Advanced ":

In the section " Security ", make sure that the boxes TLS 1.0, TLS 1.1 and TLS 1.2 are ticked, as shown above.

Adding trusted sites

In order to log on to the web sites with your software certificate, it is imperative to add these sites to the list of trusted sites.
The Trusted Sites zone allows the declaration of sites’ names you consider safe.
In this section, you must be logged into the workstation with the Windows account that will use the software certificate.

To do this: open Internet Explorer and click the menu " Tools > Internet Options ".

In the window that appears, click the " Security " tab. select the " Trusted Sites " icon and click the " Sites " button.

The following window appears:

In the field " Add this website to the zone ", enter the URL corresponding to the PKI:

Then click " Add ". The site then appears in the list " Websites " as shown below.

Proceed in the same way to add the following websites:

https://portail.iservices.rte-france.com: this is the internet portal
https://secure.iservices.rte-france.com: this is the SSL VPN connection portal

The 3 websites shall now appear in the list " Websites ".

Click " Close ", then " OK ".

This CA is the Historical CA of RTE, dealing with 2048 bit keys.
This CA is necessary to ensure the cohabitation between the former and the latter PKIs.
RTE Historical CA’s certificate must now be installed in your browser so that it is recognized as a trusted Certificate Authority.

The download window appears:

Click the " Save " button and choose a location to save the file " Certification_Autority_RTE_2048.cer " containing RTE Historical CA’s certificate.

Click " Open folder " to go to the directory where you saved the file.

Right-click the " Certification_Autority_RTE_2048.cer " file you just downloaded and choose " Install Certificate ".

The installation wizard of the certificate is displayed:

Click " Next ".

Select " Place all certificates in the following store " and click " Browse ".

In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".

Once you have chosen the certificate store, you get the following window:

Click " Next ".

Click " Finish ".

Click " Ok ".

RTE Root Certification Authority

This CA is the new Root CA of RTE, dealing with 4096 bit keys. This CA is necessary to ensure the validation of the chain of trust.
RTE Root CA certificate must now be installed in your browser.
To do so, please go to the following address:

The download window appears:

Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:

Click " Open folder " to go to the directory where you saved the file.

Right-click the " ACR_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".

The installation wizard of the certificate is displayed:

Click " Next ".

Select " Place all certificates in the following store " and click " Browse ".

In the window that appears, select " Trusted Root Certification Authorities " and click " OK ".

Once you have chosen the certificate store, you get the following window:

Click " Next ".

Click " Finish ", and if the next window display a security Warning then click " Yes ":

Click " OK ".

RTE Client Certification Authority

This CA is the new Client CA of RTE, dealing with 4096 bit keys. This CA is necessary to generate the new PKI’s certificates.
RTE Client CA certificate must now be installed in your browser.
To do so, please go to the following address:

The download window appears:

Click the " Save " button and choose a location to save the file " ACR_RTE_Root_CA_20160303.cer " containing RTE Root CA’s certificate.
Once the download is completed, the following window appears:

Click " Open folder " to go to the directory where you saved the file.

Right-click the " ACF_RTE_Root_CA_20160303.cer " file you just downloaded and choose " Install Certificate ".

The installation wizard of the certificate is displayed:

Click " Next ".

Select " Automatically select the certificate store based on the type of certificate " and click " Next ".

Click " Finish ".

Click " Ok ".

Visualization and verification of RTE’s CA certificates

Visualization of installed RTE’s CA certificates

The certificates of RTE’s CA you just import are stored in the Certification Authorities store of Internet Explorer.

To view them, click the menu " Tools > Internet Options ".

A window appears. Go to the " Content " tab and click the " Certificates " button.

In the window that appears, go to the tab " Trusted Root Certification Authorities". You can see RTE Historical CA’s certificate (here) and RTE Root CA’s certificate (here):

On the tab " Intermediate Certification Authorities" you can see RTE Client CA’s certificate (here):

Verification of RTE Certification Authority certificate

Select the certificate " RTE Certification Authority ".

Click the button " View ", then click the " Details " tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.

If this is not the case, delete the certificate and call RTE’s Hotline (here).

Verification of RTE Root Certification Authority certificate

Select the certificate " RTE Root Certification Authority ".

Click the button " View " then click the " Details " tab.


To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.


If this is not the case, delete the certificate and call RTE’s Hotline (here).

Verification of RTE Client Certification Authority certificate

In the tab " Intermediate Certification Authorities ", select the certificate " RTE Client Certification Authority ".

Click the button " View " then click the " Details " tab.

To ensure the authenticity of this certificate, carefully check that the thumbprint " SHA1 " related to the certificate " RTE Certification Authority " is identical to the one presented below.


If this is not the case, delete the certificate and call RTE’s Hotline (here).

The software certificate request must have been completed in accordance with the procedure of software certificate request.
To proceed to the retrieval you need the following information (here):

• The chosen password you have chosen and supplied to RTE in the form to request access to RTE’s IS (here).
• Certificate email, Retrieval code and Password for the PKCS#12 file included in the email " Access to RTE’s IS services " (here).

For your convenience you can copy and paste different values being careful not to copy any space at the beginning or end.

To create your certificate and the associated private key, log on the certificate retrieval website:

Click the button " Retrieval of your personal certificate ". Fill the field " Certificate email " with the value indicated in the email " Access to RTE’s IS services ".

Click " Submit ". Fill the fields:

• " Retrieval code " as indicated in the email " Access to RTE’s IS services " (here).
• " Chosen password " which is the password you chose and provided to RTE in the form to request access to RTE’s IS (here).

Finally click " Submit ".

Downloading your certificate

The following page appears. Click " Download ". In the window that appears, click " Save ". Choose a directory to save your certificate, then click " Save ".

A window shows the progress of the download. Once the download is completed, click " Open folder ". The folder containing your personal certificate appears.

Installation of your personal certificate

Go to the download folder of the file.

Right-click the " certificate.p12 " file and choose " Install PFX ". Click" Next ". The name of the file containing your certificate is automatically filled, click " Next ".

The window below appears:

• In the field " Password ", enter the " Password " present in the email " Access to RTE’s IS services " (here).
• The case " Enable strong private key protection […] " is optional. Tick it if you wish to define a password that will be asked before every use of your private key in Internet Explorer.
• The case " Mark this key as exportable […] " is optional. Tick it if you wish to be able to export you private key later (here).
• Tick the case " Include all extended properties ".

Click " Next ". Select " Automatically select the certificate store based on the type of certificate ", and click " Next " Finally, click " Finish ".

If you previously ticked the case " Enable strong private key protection ", then the following window appears: Click the button " Set security level… ". Select the case " High ", then click " Next ". Enter a name for the private key to protect and a password then click the " Finish " button.
Warning: this password is required upon each use of the certificate. Click " OK ".

Finally, the following window appears: Click " OK ".

Your certificate and your private key have been successfully imported in Internet Explorer.

Visualization and verification of your software certificate

Regardless of the browser used, the content of the downloaded certificate is obviously the same, only the presentation of information on the screen differs.
In the case of downloading with IE, open the certificate store via the menu " Tools > Internet Options ", " Content " tap, button " Certificates… ": Select your certificate then click " View ". It is valid for 3 years from the date of withdrawal.

The " Certification Path " tab allows checking the validity of your certificate. The " Certificate status " and the complete visualization of the certification path indicate that your certificate has been correctly installed. As well as the trust chain (Root CA + Client CA or Historical CA), which confirms that everything has been configured correctly.

The tab " Details " allows you to view the full name of the holder and the email address to which are attached the certificate. Steps to follow:

• Run Internet Explorer,
• Enter the URL to RTE’s application or to " RTE’s customer service portal ":
  
  https://portail.iservices.rte-france.com
• During the authentication, the browser will ask you to select the certificate to use for authentication then (if it has been defined) the certificate store protection password,
• If multiple certificates are presented, you must choose the one supplied for the application you wish to access (use the button " Display certificate " to visualize its content).

Once authentication is completed, all data you send or receive will be encrypted.

Example of access to an RTE web application

Enter the URL https://portail.iservices.rte-france.com in the Internet Explorer address bar then press Return.

Then, Internet Explorer asks you to select a certificate enabling you to authenticate to the requested site. The ligne " Click here to view certificate properties… " lets you view the content of the selected certificate.

Click the " OK " button to access the application.

The window below asks for the password that protects the private key associated with your certificate if it has been set. The home page is then securely displayed (appearance of the closed padlock to the right of the URL entry field): This section explains how to save the certificate with its private key and RTE’s trust chain. The procedure is to generate a file in PKCS#12 format (".pfx"), protected by a password.

You can only export your certificate and private key if you checked " Mark this key as exportable " when Installing your personal certificate (here).

In Internet Explorer, click the menu " Tools > Internet Options.." Then, click the " Content ", tab and then the " Certificates " button. Another window appears. Select your certificate, then click " Export… ". Click " Next " Select " Yes, export the private key ", and then click " Next ". Select the check box " Include all certificates in the certification path if possible ", and then click " Next ". Enter a password of your choice to protect the PKCS#12 file, and then click " Next ". Click " Browse… " and select the location of the PKCS#12 file, and then click " Next ". Finally, click the " Finish " button. Click " OK ".

You have exported to a file in PKCS#12 format, protected by a password, your certificate's private key and RTE’s trust chain (who signed your certificate). These elements have therefore been exported, but remain present in the Internet Explorer’s store.

Deleting your personal certificate

This section details the procedure to remove a certificate and its private key from Internet Explorer’s Certificate store. In Internet Explorer, go to " Tools > Internet Options ". A window appears. Click the " Content " tab, then the " Certificates " button: Select the certificate to delete and click " Remove ". Click " Yes ". The certificate is removed from the certificates list. The connection via SSL VPN is a service for establishing a secure communications channel to RTE’s FrontOffice via the Internet. This channel is established after authenticating with your certificate from a dedicated website (here). Once the channel is established all communications with the requested RTE service will be encrypted.

The use of SSL VPN requires the installation of a dedicated tool, installed during the first login to the site. The application is called Secure Application Manager (SAM).

SSL VPN enables secure access to your mailboxes hosted on RTE’s FrontOffice.

Prerequisite

The website secure.iservices.rte-france.com must be declared as a trusted site (here) PSIS (Pulse Secure Installation Service) is a Windows service made available on the RTE customer site. This service allows, once installed, to update future SAM versions without requiring the intervention of a person with administrator privileges on the machine.

To do so, download the executable under the link:

http://clients.rte-france.com/lang/an/visiteurs/accueil/portail.jsp And decompress the compressed file: The following window appears. Click " Yes ". It will be automatically activated at every operating system launch.

First connection

This paragraph applies only to your first login to the SSL VPN with Internet Explorer. Before continuing, you need to disable ActiveX controls on Internet Explorer. To do so, press the " Alt " key on the keyboard. A menu bar at the top of the window. Then click the " Tools " button, and make sure " ActiveX Filtering " is not selective (see the following screenshot). Launch your browser and go to the following website: The following window appears: Select your certificate then click " OK ".

If necessary, this window will ask for the password that protects the private key associated to your certificate. The browser displays a link to install SAM (if it’s not already installed on your computer): If no manual intervention is performed, the following installation pop-up appears: If necessary, the following window appears: Click " Yes ".
The Pulse Secure client then installs and the installation of the SAM application starts: Wait during the installation.

If the following window appears, click " Yes ".

Once the installation is completed, the following page appears: If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then, the icon appears in your task-bar:

Click the " Sign out " button (top right of the page) to end the session:

Using the SSL VPN

Establishing the connection

Launch your browser and go to the following website: The following window appears: Select your certificate then click " OK ".

If necessary, a window will ask you the password that protects the private key associated with your certificate.

If necessary, the window below appears. Click " Yes ". The SAM application launches automatically and the following page appears:
If your Internet access requires authentication to a proxy, a window appears asking your login and password. Enter them and confirm.

Then, the icon appears in your taskbar.

Notes:

• The certificate is only used to establish the connection to the SSL VPN.
• To close the SSL VPN session, click the " Sign out " button (top right of the page).

Use case to access hosted mailboxes

The SSL VPN can be used to access mailboxes hosted on the FrontOffice with a standard email client.

Access to hosted mailboxes requires the SSL VPN connection to be established (here). The Email account configuration in your mail client is then to be made with the following parameters:

• Incoming Mail server :
• Type of server : POP3
• Address (server hostname) : pop.services.rte-france.com
• Port : 110
• Cipher SSL : None
• Authentication : Password
• Outgoing Mail server :
• Type of server : SMTP
• Address (server hostname) : smtp.services.rte-france.com
• Port : 25
• Cipher SSL : None
• Authentication : None

When your access to RTE’s FrontOffice is provided, you will receive your login name, your password and your email address.