Differences

This shows you the differences between two versions of the page.

--- guides:workstation_installation_guide [2017/09/11 17:54] – administrator
+++ guides:workstation_installation_guide [2017/11/02 22:43] (current) – removed brett.zamora
@@ Line 1: / Line 1: @@
-===== Workstation Installation Guide =====
-==== Introduction ====
-With the implementation of the CeRTNA Documentation Wiki, this version of the Workstation Installation Guide serves as consolidation of multiple user guides. This document covers the installation and configuration requirements for the following platforms:
-  * APEX Transport Client
-  * ERDS Web Client
-  * G2G Web Client
-  * Entrust PKI Certificates
-You can quickly move to any section by clicking the table of contents shown above
-==== Overview ====
-The CeRTNA ERDS workstation configuration requirements are driven by several factors as shown below:
-  * Workstation Security As Outlined By The California DOJ
-  * Encryption & Authentication Technologies Used By Entrust
-  * Two-Factor Authentication Via SafeNet USB Tokens
-  * Support Of The ERDS Web Based Application
-In order to access the CeRTNA application, an ERDS application must meet the security requirements as outlined by the California DOJ. The California DOJ Baseline Security Requirements can be viewed at the following URL:
-[[https://oag.ca.gov/sites/all/files/agweb/pdfs/erds1/Baseline_9_2014.pdf]]
-Section 4.2.7 of the referenced DOJ document outlines the security requirements for a workstation.
-To ensure compliance with the DOJ regulations, a CeRTNA ERDS workstation must pass a security audit before it can be used to process production level electronic recording. A new section has been added to this document that outlines the steps to be taken to prepare for the initial workstation security audit.
-The CeRTNA application currently uses a toolkit provided by Entrust to perform authentication and encryption services. The Entrust services make use of Public Key Infrastructure (PKI) and Microsoft Cryptography API (CAPI) technologies. The Entrust toolkit uses Java to deliver its functionality and therefore a CeRTNA ERDS workstation must have a version of Java that is compatible with the version of Entrust tools that are in used by CeRTNA.
-To support Two-Factor Authentication the CeRTNA application uses USB token technology provided by SafeNet. Drivers are required to communicate with the token and CeRTNA receives SafeNet drivers from Entrusthat that are compatible with the Entrust toolkit. Information about where to obtain the latest drivers and how to install them is provided later in this document.
-Finally, the CeRTNA ERDS application is a web-based .NET application that is served up from a Microsoft Internet Information Services (IIS) web server platform. This means a web browser is required to access the CeRTNA ERDS application functionality. Currently the ERDS application will only work with the Microsoft’s Internet Explorer web browser.
-==== HW & OS Requirements ====
-{{page>[:guides:hw_and_os_reqs&noheader&noindent&nofooter&nouser&nodate&noeditbtn&nopermalink]}}
-==== Supporting Software Requirements ====
-=== Java Runtime Environment (JRE) ===
-CeRTNA is actively transitioning customers to its APEX software. Although APEX does not require Java, CeRTNA still supports customers using the ERDS or G2G web client to send and retrieve XML transactions. In order to use the CeRTNA ERDS or G2G web client, customers must have a Java Runtime Environment (JRE) installed.
-As mentioned in the overview section there are a variety of tools required to deliver the CeRTNA application functionality. An extensive number of hours have been invested by CeRTNA to validate the proper application functionality across operating systems, encryption decryption tools, browsers, platforms (ERDS & G2G), certificate renewals/downloads, application roles (submitters, counties, administrators) etc.
-In order for everything to work properly together the most important item becomes the Java Runtime Environment (JRE). Comprehensive functionality will only be supported if you are using one of the following JRE versions:
-{{tablelayout?colwidth="150px,500px"&rowsFixed=1&rowsVisible=10&float=left}}
-^ JRE Version          ^ Download URL     ^
-| JRE 7.51 (x86)   | [[https://www.certna.org/ErdsUI/Downloads/jre-7u51-windows-i586.zip]]        |
-| JRE 8.121 (x86)   | [[https://www.certna.org/ErdsUI/Downloads/jre-8u121-windows-i586.zip]]        |
-Due to requirements for installing and/or updating Entrust PKI certificates, CeRTNA cannot support JRE 6 Update 45. If you are still running JRE 6 Update 45, please update your workstation to use one of the supported versions shown in the preceding table. <color #00a2e8>CeRTNA recommends using JRE 8.121, if possible.</color>
-Once you have downloaded one of the JRE installation files shown above, unzip the file to a working folder such as C:\JRE_Setup or a folder name of your choosing. Once the zip file has been extracted open the following subfolder:
-C:\{your workfolder}\ and double-click the JRE setup program to start the setup process. If you are prompted by User Access Control (UAC) to allow the installation, click the Yes button.
-Click on one of the following links to view the installation instructions for either JRE7 or JRE8
-[[guides:jre7_setup|JRE Version 7 Update 51 Installation Instructions]]
-[[guides:jre8_setup|JRE Version 8 Update 121 Installation Instructions]]
-{{ :guides:images:jre010.png |}}
-Click the Install button and the installation process will start.
-As the installation progresses, the following panel will be displayed:
-{{ :guides:images:jre020.png |}}
-When the installation completes, the following panel will be displayed:
-{{ :guides:images:jre030.png |}}
-Click the Next button. The following screen will be displayed:
-{{ :guides:images:jre040.png |}}
-After the installation is complete, some of the settings in the Java Control Panel need to be adjusted. To adjust these settings follow the instructions on the next page.
-Open the following folder:
-Windows 64-bit systems:
-C:\Program Files (x86)\Java\jre1.8.0_121\bin
-Windows 32-bit systems:
-C:\Program Files\Java\jre1.8.0_121\bin
-The following window should be displayed:
-{{ :guides:images:jre050.png |}}
-Right-click the javacpl.exe program item and select Run As Administrator from the pop-up menu.
-If the User Access Control (UAC) prompts for authorization to run the program, select Yes.
-The following window will be displayed:
-{{ :guides:images:jre060.png |}}
-Click the Update tab and the following will be displayed:
-{{ :guides:images:jre070.png |}}
-Un-check the box labeled ‘Check for Updates Automatically’. This will disable the automatic updating of the JRE.
-The JRE needs to remain at JRE 7 Update 51 or JRE 8 Update 121 for all aspects of the CeRTNA application to function properly. (**Note:** You should only have one version of the JRE installed. Running multiple versions of the JRE can cause unpredictable behavior in the CeRTNA applications.)
-You will be presented with the following window:
-{{ :guides:images:jre080.png |}}
-Click the Do Not Check button.
-You will be returned to the Update Panel below:
-{{ :guides:images:jre090.png |}}
-Click the Apply button.
-Next Click the Advanced tab and the following panel will be displayed:
-Set the items that are highlighted below as shown.
-{{ :guides:images:jre100.png |}}
-{{ :guides:images:jre110.png |}}
-{{ :guides:images:jre120.png |}}
-Click the Ok button to close the window.
-==== XML Parser ====
-Starting with Windows 7, support for Microsoft’s Core XML Parser is delivered with the operating system. **It does not need to be downloaded and installed separately**.
-CeRTNA ERDS & G2G web applications require that you set your Internet Explorer browser into Compatibility Mode. If you do not configure your Internet Explorer browser for compatibility mode, you see the message **‘<color #ed1c24>XML Parser Not Found</color>’** if you attempt to complete a process that requires the application to parse an XML file, such as submitting a transaction or viewing a transaction.
-==== SafeNet Token Utilities ====
-The following items should be taken into consideration **before** installing the SafeNet Token Utilities:
-  * If you are using APEX and do not plan to send or retrieve transactions using the CeRTNA ERDS web client you do not need to install the SafeNet Token Utilities.
-  *
-  * If you are using a CeRTNA G2G workstation you do not need to install the SafeNet Token Utilities.
-  *
-  * **Important:** If you plan to use your APEX or CeRTNA G2G workstation as a backup to the CeRTNA ERDS workstation, you should install the SafeNet Token Utilities on your workstation.
-CeRTNA uses SafeNet USB tokens for ‘two-factor authentication’. These tokens require drivers to be installed in order to recognize the token. Currently CeRTNA is supporting two different types of tokens, the SafeNet iKey 4000 token and the SafeNet 5100 eToken.
-The current version of the Entrust SafeNet Authentication Client software can be downloaded from the following URL:
-[[https://www.certna.org/ErdsUI/Downloads/SAC83.zip]]
-This zip file is approximately 311 MB in size.
-**Important Note:** If you currently have the SafeNet 7.x software installed you will need to uninstall the SafeNet 7.x Client Tools and the SafeNet iKey Drivers before you can install the SafeNet 8.3 Client software. The SafeNet 7.x software can be uninstalled via the Windows Control Panel and you will have to restart your computer when the software is being uninstalled.
-**To install the SafeNet 8.3 Client software make sure your token is NOT plugged in.**
-Unzip the SAC83.zip file to a working directory, for example C:\SAC83_Setup or a name of your choosing.
-Once the zip file has been extracted open the following subfolder:
-C:\{your workfolder}\SafeNetAuthenticationClient-8.3\32x64 Installer
-Double-click the SafeNetAuthenticationClient-x32-x64-8.3.exe program to start the setup process.
-The following window is displayed:
-{{ :guides:images:snet010.png |}}
-Click the Next button to continue.
-The following window is displayed:
-{{ :guides:images:snet020.png |}}
-Click the Next button to continue.
-The following window is displayed:
-{{ :guides:images:snet030.png |}}
-Click on the I accept the license agreement radio button.
-Click on the Next button to continue.
-The following IMPORTANT window is displayed:
-{{ :guides:images:snet040.png |}}
-**IMPORTANT:** By default the Standard radio button is selected. (<color #ed1c24>You must change this.</color>)
-Click the BSec-compatible radio button.
-Note: SafeNet iKey4000 tokens require BSec compatibility and the SafeNet 5100 tokens function with this setting as well.
-Click the Next button.
-The following confirmation window will be displayed:
-{{ :guides:images:snet050.png |}}
-Click the Next button to start the installation.
-You will see a User Access Control (UAC) prompt requesting permission to install the software. Select Yes to allow the software to be installed.
-The following window is displayed while the installation progresses:
-{{ :guides:images:snet060.png |}}
-When the installation completes, the following window is displayed:
-{{ :guides:images:snet070.png |}}
-Click the Finish button.
-==== Token Installation ====
-To use the CeRTNA ERDS application for submitting or retrieving transactions customers must complete a fingerprint/background check. Once this process is complete and the approval paperwork has been provided to CeRTNA staff a SafeNet token will be mailed to you. The token will contain your Entrust Authentication certificate and your Entrust Encryption certificate.
-After you receive your token, insert your Token Key into an available USB port on your system.  The Token will be automatically recognized and installed as shown in the figure below.  This occurs because of the SafeNet Authentication Client software/driver installation completed in an earlier step.
-{{ :guides:images:ikey010.png |}}
-Once the device driver software is successfully installed you will see another popup as shown in figure below.
-{{ :guides:images:ikey020.png |}}
-Now you should see a confirmation that your Token has been inserted as shown in the figure below.
-{{ :guides:images:ikey030.png |}}
-This completes the Token Installation.
-==== Verifying PKI Certificate Installation ====
-The certificates that are installed on your token, depend on a ‘certificate chain’ in order to function properly. You can verify that the certificate chain is valid by completing the following steps with your token inserted in the USB port.
-**Note:** Depending on your local IT security policy, you may need to contact your local IT staff to perform the following steps:
-Click the Windows Start button and enter mmc.exe in the Search field.
-You should see mmc.exe listed at the top of the results list.
-Click mmc.exe and the following window will be displayed:
-{{ :guides:images:mmc010.png |}}
-Select the File / Add-Remove snap in… menu option.
-The following window is displayed:
-{{ :guides:images:mmc020.png |}}
-Select Certificates in the left panel and click the Add button.
-The following window is displayed:
-{{ :guides:images:mmc030.png |}}
-My user account should be already selected. (If not select it.)
-Click the finish button. You will be returned to the following updated window:
-{{ :guides:images:mmc040.png |}}
-The certificate snap-in should be shown in the right pane.
-Click the Ok button and the following window will be displayed:
-{{ :guides:images:mmc050.png |}}
-In the left pane, click the carat that appears next to Certificates – Current User
-In the left pane, click the carat that appears next to the Personal folder.
-Click the Certificates folder.
-Your window should look similar to the following:
-{{ :guides:images:mmc060.png |}}
-The certificates in the middle pane should reflect your identity.
-Double-click either certificate and the following window is displayed:
-{{ :guides:images:mmc070.png |}}
-Click the Certification Path tab and the following window is displayed:
-{{ :guides:images:mmc080.png |}}
-If you do not see a 3-tier certification path, your certificate installation is not complete. The most likely reason is that the Entrust Intermediate and Root certificates were not installed when you inserted the token. To resolve this issue, continue with the next section
-If your window shows the proper 3-tier certification path, you are finished with the certificate verification process and you can skip the next section entitled Entrust Intermediate & Root Certificate Installation.
-==== Entrust Intermediate & Root Certificate Installation ====
-Windows supports user-level certificate stores and computer-level certificate stores. If you need to manually install the Entrust Intermediate or Entrust Root certificates on your computer, CeRTNA recommends installing these certificates in the computer-level certificate store.
-Before you can install the Entrust Intermediate and Entrust Root certificates you will need to download them from the following URL:
-[[https://www.certna.org/ErdsUI/Downloads/Entrust_Token_Root_Intermediate_Certs.zip]]
-Once the zip file has been downloaded, unzip it to a working folder. You will have the following two files in your unzipped work folder:
-  * Token_Intermediate.cer
-  * Token_Root.cer
-These two certificates can be installed in either the user-level certificate store or the computer-level security store. CeRTNA recommends installing the certificates in the computer-level store so that you will not have to repeat this process for each Windows user login on the ERDS workstation.
-There are a couple of **important notes** here:
-  * You will need Administrator level access on the CeRTNA ERDS workstation in order to install certificates into the computer-level certificate store. CeRTNA recommends contacting your local IT support to assist with this.
-  * Depending on your local IT security policy, your Windows user may not have the appropriate authority to access the computer certificate store. If that is the case, then your local IT support staff can assist you with installing the certificates into the user-level certificate store.
-To install the Entrust Intermediate and Entrust  Root certificates complete the following steps:
-Click the Windows Start button and enter mmc.exe in the Search field.
-You should see mmc.exe listed at the top of the results list.
-Click mmc.exe and the following window will be displayed:
-Select the File / Add-Remove snap in… menu option.
-The following window is displayed:
-Select Certificates in the left panel and click the Add button.
-The following window is displayed:
-My user account should be already selected. (If not select it.)
-Click the finish button. You will be returned to the following updated window:
-The certificate snap-in should be shown in the right pane.
-Select the Certificates item in the left pane and click the Add button.
-The following window is displayed:
-Click the Computer account radio button to select it.
-Click the Next button. The following window is displayed:
-Select Local computer and click the Finish button.
-You are returned to the following updated window:
-Click the Ok button to be returned to the following window:
-I have highlighted the items we are interested in.
-=== Verifying / Installing The Entrust Root Certificate ===
-The first item we are interested in verifying and/or installing is the Entrust Root certificate.
-Review the following window:
-For each of the two certificate stores (highlighted) you should verify that you do NOT have an entry in the middle pane for ‘Entrust Managed Services Commercial Private Root CA’ (In my sample above, I have already imported my Root certificate.)
-If the Trusted Root Certificate is already installed in either of these two certificate stores, you should continue on and verify/install the Intermediate certificate.
-If you discover that both the Trusted Root and Intermediate certificates are already installed on your ERDS workstation but you did not see a valid 3-tier certificate path as shown in section 4.1 then this is an indication of a more complex problem and you will need to contact CeRTNA support staff to address the issue.
-If the ‘Entrust Managed Services Commercial Private Root CA’ certificate does not exist in the middle pane, you need to install the certificate carefully following steps outlined below:
-Right-click click the Certificates subfolder that is shown in the Certificates (Local Computer) / Trusted Root Certification Authorities path (as shown above)
-Select All Tasks / Import… from the pop-up menu.
-The following window is displayed:
-Click the Next button. The following window is displayed:
-Click the browse button.
-Locate the folder you extracted the zip file into as shown below:
-Select the Token_Root.cer file and click the Open button.
-The following window is displayed:
-Click the Next button.
-The following window is displayed:
-Click the Next button.
-The following window is displayed:
-Click the Finish button.
-A pop-up window indicating that the certificate was successfully installed should be displayed.
-Click the Ok button to close the pop-up window. You will be returned to the Certificates list.
-Select the Certificates folder in the Local Comptuer / Trusted Root Certification Authorities path and you should now have an ‘Entrust Managed Services Commercial Private Root CA’ certificate in the middle pane, as shown below:
-The process for verifying and importing the Entrust Intermediate certificates is primarily the same as just completed. The exact steps are documented in the next section.
-.2.2 Verifying / Installing the Entrust Intermediate Certificate
-The next item we are interested in verifying and/or installing is the Entrust Intermediate Certification Authority certificate.
-Review the following window:
-For each of the two certificate stores (highlighted) you should verify that you do NOT have an entry in the middle pane for ‘Commercial Private Sub CA1’ (In my sample above, I have already imported my Intermediate certificate.)
-If you discover that both the Trusted Root and Intermediate certificates are already installed on your ERDS workstation but you did not see a valid 3-tier certificate path as shown in section 4.1 then this is an indication of a more complex problem and you will need to contact CeRTNA support staff to address the issue.
-If the ‘Commercial Private Sub CA1’ certificate does not exist in the middle pane, you need to install the certificate carefully following steps outlined below:
-Right-click click the Certificates subfolder that is shown in the Certificates (Local Computer) / Intermediate Certification Authority path (as shown above)
-Select All Tasks / Import… from the pop-up menu.
-The following window is displayed:
-Click the Next button. The following window is displayed:
-Click the browse button.
-Locate the folder you extracted the zip file into as shown below:
-Select the Token_Intermediate.cer file and click the Open button.
-The following window is displayed:
-Click the Next button.
-The following window is displayed:
-Click the Next button.
-The following window is displayed:
-Click the Finish button.
-A pop-up window indicating that the certificate was successfully installed should be displayed.
-Click the Ok button to close the pop-up window. You will be returned to the Certificates list.
-Select the Certificates folder in the Local Comptuer / Trusted Root Certification Authorities path and you should now have an ‘Commercial Private Sub CA1’ certificate in the middle pane, as shown below:
-Once you have completed this process, you can return to section 4.1 and re-verify that your three-tier cerification path is displaying correctly. If the three-tier path is still not displaying correctly, you will need to contact CeRTNA support for additional assistance.
-==== Revisions ====
-{{tablelayout?colwidth="100px,100px,100px,350px"&rowsFixed=1&rowsVisible=10&float=left}}
-^ Date          ^ Version ^ Name           ^ Description     ^
-| 05-21-2009    | 1.0     | Brett Zamora   | Initial draft.        |
-| 04-29-2011    | 1.1     | Brett Zamora   | Added updates based on knowledge gained during first year of operation. These include adjusting settings on the Java Runtime Environment and some additional FAQ’s.        |
-| 05-10-2011    | 1.2     | Brett Zamora   | Updated graphic and text placement.        |
-| 08-10-2015    | 2.0     | Brett Zamora   | Reworked look & feel of this document and updated content to reflect a more current set of software. Also added section about preparing the workstation for the initial security audit.        |
-| 04-06-2016    | 2.1     | Brett Zamora   | (1) Added version to the cover page. (2) Removed reference to Internet Explorer 8. The only officially supported browser is Internet Explorer 11. (3) Updated Java Runtime section to provide information about support for JRE 8. (4) Updated the SafeNet Token installation section to include a comment regarding uninstalling existing SafeNet 7.x software and also updated the section heading to point out that the section only applies to ERDS platforms, not G2G platforms. (5) Updated Table Of Contents.        |
-| 07-27-2017    | 3.0     | Brett Zamora   | (1) Converted Workstation Installation Guide to a wiki format. Versioning will now be managed via wiki engine. (2) Updated content so that this single document contains the installation requirements for the ERDS, G2G, and APEX platforms. |