Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Apr 29 2010 - 11:50

2X Digi-Access™ Help & Support

2X Digi-Access™ Certificate Support

This is the main 2X Digi-Access™ Help page and provides all the support pages you require to own and use your 2X Digi-Access™ two factor authentication certificates.


You can return to the 2X Digi-Access™ [1] home page or continue browsing by using the links below. To get the most extensive help file access and/or to contribute, Login [2] or Register [3].


Taking the 2X Digi-Access™ Demonstration

Read these three steps to understand how the demonstration works

The 2X Digi-Access™ demonstration starts with the 2X Portal Login. Click on the Apply Now [4] button to start the demo:


1. You will be directed to the 2X Digi-Access™ enrolment page where you must complete a simple online web form [5]. This web form has a help button opposite every field to ensure that you correctly complete each field on the form, so use them as required:


In this form you must provide the following details:

        • Registered Company Name - the legal name of your organisation
        • Department - what department you work in
        • Address - the address for the organisation
        • Postal Code or area code for the organisation
        • City - the city the organisation is located in
        • Full Name - your first and last name
        • Work Title - your job title or job description
        • Email - your email address
        • Telephone number - your direct dial phone number
        • Fax number - a fax number (if you have one)
        • Country - The country you are located in (e.g. KSA)



In addition you will also be asked to select a Secret Question and to provide your Secret Answer:

        • Secret Question - make a selection
        • Secret Answer - answer the question using something you'll easily remember



2. Once the above form is completed and submitted, your 2X Digi-Access™ certificate request will be confirmed





3. After some time you will receive an email approving your application and asking you to complete the application process by clicking on the unique URL provided in the email.

Important Note:- You must use the same browser and the same computer for ALL steps in the process.

Follow the on-screen instructions to complete the process




Now that you have your 2X Digi-Access™ certificate you can go to the 2X Portal Login [4] page.

Installing the Digi-Access™ Error 403 Pages

Installing the Digi-Access™ error pages

Allow: 10 Minutes

The 2X Application Server [6] runs on a Microsoft® IIS server where there are specific default error pages designed to work with Digi-Access™ certificates. To enhance the user experience you should replace these default error pages with the customised Digi-Access™ error 403 pages [7].

The error handlers within IIS display default error pages depending on the specific issue that occurs on the server. The error message on each of these pages and their purpose are explained below.

Most error pages on IIS can be customised [8]. The default 403 error pages that relate to the use of Digi-Access™ are stored in the C:\WINDOWS\help\iisHelp\common\ folder. The 2X Application Server Administrator should download the Digi-Access™ error 403 pages [7] and place them in a new folder: (e.g. C:\WINDOWS\help\iisHelp\digi-access\ ). The server should be configured to display these new error pages before being restarted to complete the setup procedure.

  Error         Description

  403.7 [9]     Access denied. SSL Client Certificate is Required
                The system is using Digi-Access™ two factor authentication and users must have a Digi-Access™ certificate to gain access

  403.12 [10]   Access denied due to certificate mapping configuration
                Digi-Access™ only uses mapping in highly integrated situations. In most instances, this error page will not display

  403.13 [11]   Access denied. The SSL Client Certificate was revoked or revocation status can not be established
                The specific Digi-Access™ certificate being used is invalid/out-of-date. The user must get a new Digi-Access™ certificate

  403.16 [12]   Access denied. The SSL Client Certificate is incorrect or is not trusted by the server
                The user has incorrectly selected a different type of digital certificate (i.e. not the required Digi-Access™ certificate)

  403.17 [13]   Access denied. The SSL Client Certificate has expired or is not yet valid
                The user's Digi-Access™ certificate has expired and they must request a new one from the Digi-Access™ system
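
The same sub-status codes appear in the IIS request log, so an administrator can tell from the log which certificate problem each client is hitting. The following is an added example, not part of the Digi-Sign documentation: it assumes the site logs in W3C extended format with the sc-status and sc-substatus fields enabled, and the log lines, client addresses and /portal/ path are constructed.

```python
from collections import Counter

# Sub-status meanings, taken from the error table above.
SUBSTATUS = {
    "7": "client certificate required",
    "12": "denied by certificate mapping configuration",
    "13": "certificate revoked or revocation status unknown",
    "16": "certificate incorrect or not trusted by the server",
    "17": "certificate expired or not yet valid",
}

# Constructed sample log (documentation address ranges, made-up path).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2010-04-29 11:50:01 192.0.2.10 GET /portal/ 200 0
2010-04-29 11:50:07 192.0.2.23 GET /portal/ 403 7
2010-04-29 11:51:12 198.51.100.5 GET /portal/ 403 16
2010-04-29 11:51:15 198.51.100.5 GET /portal/ 403 16
2010-04-29 11:51:19 198.51.100.5 GET /portal/ 403 16
2010-04-29 11:52:40 192.0.2.40 GET /portal/ 403 17
2010-04-29 11:53:02 192.0.2.41 GET /portal/files/ 403 14
2010-04-29 11:53:30 truncated-line
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def cert_denials(text):
    """Count certificate-related 403 responses per (client IP, sub-status)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "403" and row.get("sc-substatus") in SUBSTATUS:
            counts[(row["c-ip"], row["sc-substatus"])] += 1
    return counts


def report(text):
    """Return one readable line per client and certificate error."""
    return [
        f"{ip} 403.{sub} x{n}: {SUBSTATUS[sub]}"
        for (ip, sub), n in sorted(cert_denials(text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Repeated 403.16 or 403.13 responses from one address are worth a look: they indicate a client presenting a certificate that the server does not trust or that has been revoked.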
       
       

Configuring the 2X Server

Read these instructions to configure Digi-Access™ [14] on the 2X Application Server

Configuring the 2X Application Server to Use Digi-Access™

Step-by-step instructions on how to enable Digi-Access™

Allow: 30 Minutes

Enabling Digi-Access™ client certificates for two factor authentication will take 30 minutes (or less). Configure the 2X Application Server by following these simple steps (for full detailed instructions and screenshots, read the IIS Support [15] pages):

IIS [15]

1. Download and save these two certificates:

   Digi-Sign Root CA [16]

   Digi-Sign CA Digi-Access™ Xs [17]

2. On the server, click the Start button, select Run and type MMC, before clicking the 'OK' button

3. You should now be in the Microsoft Management Console and should follow these steps:

  • Click File and select Add/Remove Snap-in

  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add

  • Select Computer Account, then Local Computer and click Finish

  • Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in

  • Return to the Microsoft Management Console

4. Now all you need to do is import the Digi-Access™ Root certificate, following these steps:

  • Right click the Trusted Root Certification Authorities, select All Tasks, and then select Import

  • After clicking Next > you should browse to the Digi-Sign Root CA [16]

  • Ensure that the Digi-Sign Root CA certificate appears under Trusted Root Certification Authorities

  • Then click Next > and then Finish

5. Then import the Digi-Access™ intermediate CA certificate, as follows:

  • Right click the Intermediate Certification Authorities, select All Tasks, and then select Import

  • After clicking Next > you should browse to the Digi-Sign CA Digi-Access Xs [17]

  • Ensure that the Digi-Sign CA Digi-Access Xs appears under Intermediate Certification Authorities

  • Then click Next > and then Finish

  • Restart the IISAdmin service, or reboot the computer to complete the installation

6. Go to Windows Administrative Tools and open the properties window for the website that you have enabled SSL on. Open the Directory Security by right clicking on the Directory Security tab and then follow these steps:

  • Click Edit in the Anonymous access and authentication control section. The Authentication Methods window will appear

  • Make sure that all options (check boxes) in this section are disabled, including the Anonymous Access, Basic Authentication, Digest Authentication and Integrated Windows Authentication

  • Click OK to apply changes

  • Click Edit in Secure communications section and the Secure Communications window will appear

  • Ensure that both the 'Require secure channel (SSL)' option and the 'Require 128-bit encryption' option are enabled

  • Then ensure that the 'Enable client certificate mapping' option is enabled and that the 'Enable certificate trust list' option is enabled

  • Under 'Current CTL', click New, followed by Next >, and a Certificate Trust List Wizard window will appear

  • Browse for the Digi-Sign_Root_CA.cer Certificate file and click Open, followed by Next>

  • In the Friendly Name field enter: Digi-Access

  • In the Description field enter: Digi-Access Two Factor Client Authentication

  • Click Next > and then Finish

  • You should now see your Certificate Trust List [CTL] in the Secure Communications window

  • Click OK and then OK again

7. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.

  • Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties

  • Click the Directory Security tab, and then under Secure communications, click Edit

  • Click to select the Enable client certificate mapping check box, and then click Edit

  • Click the Many-to-1 tab, and then click Add

  • In the General dialog box, type 'Digi-Access' as the name for the rule, and then Next

  • In the Rules dialog box, click New

  • In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule

    There are two fields from client certificates that can be used as criteria for many-to-one rules:

    * Issuer - This field specifies information about the Certification Authority [CA] that issued the Digi-Access™ certificate

    * Subject - This field specifies information about the entity to whom the Digi-Access™ certificate was issued

    Each of these fields can contain common LDAP sub fields for example:

           * CN = commonName (for example, "Bob Smith")
           * OU = organizationalUnitName (for example, "Sales")
           * OU = organizationalUnitName [18] (for example, "2xacme")
           * OU = organizationalUnitName [18] (for example, "2x10003")
           * O = organizationName (for example, "Acme, Inc.")
           * L = localityName (for example, "Dublin")
           * S = stateOrProvinceName (for example, "Dublin")
           * C = countryName (for example, "IE")


    To create a mapping, you create a rule based on a field/subfield pair for a specific value. For example, you could create a rule that matched the Subject's O subfield with 'Acme' to allow access to all clients with certificates that were issued for the Acme organization. This effectively eliminates client connections from any clients that are not part of the Acme organization.

    When finished creating the rule settings, click OK, and then click Next






    IMPORTANT NOTE:- In addition to the above parameters you enter, two additional rule sets will be generated by the Registration Authority [RA] that will be used to distribute [19] the end users' Digi-Access™ certificates. These two rule sets are based on Organizational Unit Name [OU] fields and will be 'silently' pre-appended to each Digi-Access™ Certificate issued by the Digi-Access™ CA.

    These OU field values distinguish end users as belonging to your specific user domain. You must obtain these values from Digi-Access™ RA Certificate Management Console where these two rule sets can be found in the Certificate Manager's 'Distinguished Name' policy configuration.

  • In the Mapping dialog box, click Accept this certificate for Logon Authentication, and then in the Account box, type, or click Browse to browse to the Windows user account that you want to map. Type the password of the user account in the Password box.

  • Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in
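
To show why the two RA-generated OU codes belong in the many-to-1 rule, the following added example (not Digi-Sign's or Microsoft's code) models a rule set as a list of field/subfield/criteria elements and evaluates it against two constructed certificates. It assumes that every rule element must match, that `*` acts as a wildcard, that comparison is case-sensitive and that a repeated OU matches if any one value matches; the issuer name, the second user and the codes 2xother / 2x20007 are made up.

```python
import fnmatch
import re

# One "KEY=value" pair; the value is either "quoted" (may hold commas) or bare.
_PAIR = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


def parse_dn(dn):
    """Split a distinguished name into {subfield: [values]}; OU may repeat."""
    fields, pos = {}, 0
    while pos < len(dn):
        m = _PAIR.match(dn, pos)
        if m is None:
            raise ValueError(f"unparseable DN at offset {pos}: {dn[pos:]!r}")
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        fields.setdefault(m.group(1).upper(), []).append(value)
        pos = m.end()
    return fields


def mapping_accepts(cert, rules):
    """True when every rule element matches (assumed AND semantics).

    cert  : {"Issuer": dn_string, "Subject": dn_string}
    rules : [(field, subfield, criteria)]; criteria may use the * wildcard.
    Assumption: a repeated subfield (OU) matches if any one value matches,
    and the comparison is case-sensitive.
    """
    for field, subfield, criteria in rules:
        values = parse_dn(cert[field]).get(subfield.upper(), [])
        if not any(fnmatch.fnmatchcase(v, criteria) for v in values):
            return False
    return True


# Constructed certificates. The OU codes 2xacme / 2x10003 are the page's own
# sample values; everything else is made up for the illustration.
ISSUER = "CN=Digi-Sign CA Digi-Access Xs"
OWN_USER = {
    "Issuer": ISSUER,
    "Subject": 'CN=Bob Smith, OU=Sales, OU=2xacme, OU=2x10003, '
               'O="Acme, Inc.", L=Dublin, S=Dublin, C=IE',
}
OTHER_DOMAIN_USER = {  # same CA, similar O, different RA-issued OU codes
    "Issuer": ISSUER,
    "Subject": "CN=Jane Doe, OU=2xother, OU=2x20007, O=Acme Holdings, C=IE",
}

# Rule set that checks only the organisation name.
ORG_ONLY = [("Subject", "O", "Acme*")]

# Rule set that also pins the issuing CA and both RA-generated OU codes.
WITH_OU_CODES = [
    ("Issuer", "CN", "Digi-Sign CA Digi-Access Xs"),
    ("Subject", "OU", "2xacme"),
    ("Subject", "OU", "2x10003"),
    ("Subject", "O", "Acme*"),
]

if __name__ == "__main__":
    for name, rules in (("ORG_ONLY", ORG_ONLY), ("WITH_OU_CODES", WITH_OU_CODES)):
        for label, cert in (("own user", OWN_USER), ("other domain", OTHER_DOMAIN_USER)):
            print(f"{name:14} {label:13} accepted={mapping_accepts(cert, rules)}")
```

In this model the organisation-only rule accepts both certificates, while the rule set that includes both OU codes accepts only the user from the intended domain.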



How to get the 2X Digi-Access™ OU Codes

Read these instructions to find the OU Codes [18] for your customer.

How to get the 2X Digi-Access™ DN Codes

Instructions on how to get the unique Digi-Access™ DN Codes

Allow: 5 Minutes

For every 2X Digi-Access™ customer, a unique Digi-Access™ RA is activated so that the customer can manage the end users' Digi-Access™ certificates. Once the order [20] for your customer has been approved, the Digi-Access™ RA is activated and you are notified automatically.

To complete the 2X Application Server configuration you require the two unique organizationalUnitName [OU [21]] codes. These are provided automatically in the Digi-Access™ tab of the Digi-CA™ Control Centre (Digi-Access™):





Depending on the level of service you are providing to your customer either you:

1. will have access to the Digi-Access™ RA because you are managing and issuing certificates to the end users; or

2. your customer's Administrator is managing the certificates and therefore you do not have access to the Digi-Access™ RA

In the case where you do not have access to the Digi-Access™ RA, ask your customer's Administrator to provide the organizationalUnitName 1 and organizationalUnitName 2 codes as shown on the Digi-Access™ tab of the Digi-CA™ Control Centre (Digi-Access™)

How to Get 2X Digi-Access™ Certificates to End Users

How to get your 2X Digi-Access™ certificate

There are three very simple steps to getting your 2X Digi-Access™ certificate and these are as follows:


1. You will be directed to the 2X Digi-Access™ enrolment page where you must complete a simple online web form [22]. This web form has a help button opposite every field to ensure that you correctly complete each field on the form, so use them as required:


In this form you must provide the following details:

        • Registered Company Name - the legal name of your organisation
        • Department - what department you work in
        • Address - the address for the organisation
        • Postal Code or area code for the organisation
        • City - the city the organisation is located in
        • Full Name - your first and last name
        • Work Title - your job title or job description
        • Email - your email address
        • Telephone number - your direct dial phone number
        • Fax number - a fax number (if you have one)
        • Country - The country you are located in (e.g. KSA)



In addition you will also be asked to select a Secret Question and to provide your Secret Answer:

        • Secret Question - make a selection
        • Secret Answer - answer the question using something you'll easily remember



2. Once the above form is completed and submitted, your 2X Digi-Access™ certificate request will be confirmed





3. After some time you will receive an email approving your application and asking you to complete the application process by clicking on the unique URL provided in the email.

Important Note:- You must use the same browser and the same computer for ALL steps in the process.

Follow the on-screen instructions to complete the process




Now that you have your 2X Digi-Access™ certificate you can go to the 2X Portal Login [23] page.

2X Digi-Access™ Enrolment Help for Microsoft® Internet Explorer®

2X Digi-Access™ Enrolment Messages & Explanations

The Digi-CA™ [24] Certificate Authority [CA] system that issues the Digi-Access™ end user certificates is compatible with most commonly used browsers. These support pages are provided for users that want to understand more about Microsoft® Internet Explorer® screen warnings and/or other browser events.

All Users

The most commonly reported error message is an 'Internal Server Error' or 'Error 404 Page Not Found'. The reason for this error message is that the URL is not correctly entered into the web browser's address bar.

To avoid this issue, copy the entire URL, without any breaks, and paste it into the browser's address bar.

Enrollment Warning Messages

If your browser does not have ActiveX [25] controls enabled, you will see the following warning messages. Ensure you read and follow these instructions carefully:


You need to authorize the "Microsoft Certificate Enrollment Control" to create a certificate request for you:

• Click here to reload this webpage, then...

• When you see a Security Warning popup, click Yes to install the "Microsoft Certificate Enrollment Control".




   To get past the security warning shown above, you need to authorize this webpage to create a certificate request for you:

• On the Tools menu, select Internet Options.

• Click the Security tab, select the Trusted sites zone and click Sites.

• Ensure that https://www.digi-sign.com is in the "Add this website to the zone:" box.

• Click Add, then Close, then OK.

• Finally, click here to continue...



Other Enrollment Pop Up Dialog Messages

When collecting your Digi-Access™ certificate, depending on what version of Microsoft® web browser you are using and how it is configured, you may see the following two dialogs:


1. This warning highlights potential concerns relating to Trusted certificates. It is both confusing and unclear. The Digi-Access™ certificate used for two factor authentication is of a specific configuration that Microsoft® is not 'familiar with'. You can ignore this message and should select and click Yes.





2. This message may concern you as it uses strong language about 'security' and 'risk' but it is really about marketing Microsoft® (and Microsoft® approved) certificates. The last paragraph is the important one where it states: "Click Yes if you trust this Web site". You do trust the website, so select and click Yes.







In certain versions of Windows 7, or Internet Explorer®, you may still encounter certificate installation issues. If this occurs, email support@digi-sign.com [26] and your certificate can be delivered by alternative methods.


There are other warning messages in Mozilla Firefox [27], that you may wish to review also.

2X Digi-Access™ Enrolment Help for Mozilla Firefox

2X Digi-Access™ Enrolment Messages & Explanations

The Digi-CA™ [24] Certificate Authority [CA] system that issues the Digi-Access™ end user certificates is compatible with most commonly used browsers. These support pages are provided for users that want to understand more about Mozilla screen warnings and/or other browser events.

All Users

The most commonly reported error message is an 'Internal Server Error' or 'Error 404 Page Not Found'. The reason for this error message is that the URL is not correctly entered into the web browser's address bar.

To avoid this issue, copy the entire URL, without any breaks, and paste it into the browser's address bar.

Other Enrollment Pop Up Dialog Messages

When collecting your Digi-Access™ certificate, depending on what version of Mozilla browser you are using and how it is configured, you may see the following two dialogs:


1. This warning is simply a reminder to you to back up your certificate. Although this is good practice, the specific Digi-Access™ certificate used for two factor authentication does not permit backing up. This prevents users from sharing or copying certificates and protects the integrity of the security being offered. If you should ever lose your Digi-Access™ certificate, for any reason, you can request a new one. You can ignore this message and simply click OK.





2. This message, in addition to being unclear, is not relevant. As above, the Digi-Access™ certificate used for two factor authentication is of a specific configuration that Mozilla is not 'familiar with'. It interprets the Digi-Access™ certificate installation incorrectly and presents this dialog. Again, you can ignore this message and simply click OK.







There are other warning messages in Microsoft® Internet Explorer® [28] browsers because they use ActiveX controls.

Viewing Your 2X Digi-Access™ Certificate

How to view your Digi-Access™ Certificate

Depending on your operating system and browser version, you can view your Digi-Access™ two factor authentication certificate using the instructions below:

Microsoft® Internet Explorer®

1. To view your Digi-Access™ certificate in Microsoft® Internet Explorer®, use the Tools menu (you may have to press the 'Alt' button on your keyboard to view this menu) and then select Internet Options




2. In the Internet Options dialog box, select the Content tab and then click the Certificates button




3. In the Certificates dialog box, select the certificate you wish to examine and then click the View button




4. The chosen certificate will be displayed where you will be able to see:
  • The name of the person the certificate was Issued To

  • The fact that it is a Digi-Access™ certificate issued by Digi-Sign

  • When the certificate was issued (Valid from) and when it will expire (Valid to)



Here is an example of a Digi-Access™ certificate as seen in the Microsoft® Internet Explorer® dialog:




Mozilla Firefox

1. To view your Digi-Access™ certificate in Mozilla Firefox, use the Tools menu and then select Options




2. In the Options dialog box, select the Encryption tab and then click the View Certificates button




3. In the Certificate Manager dialog box, select the certificate you wish to examine and then click the View button




4. The chosen certificate will be displayed where you will be able to see:
  • The name of the person the certificate was Issued To

  • The fact that it is a Digi-Access™ certificate issued by Digi-Sign

  • The date the certificate was Issued on and the date it Expires on



Here is an example of such a Digi-Access™ certificate as seen in the Mozilla Firefox dialog:





Deleting an Unwanted 2X Digi-Access™ Certificate

Instructions on how to delete an unwanted certificate

Depending on your operating system and browser version, you can delete your Digi-Access™ two factor authentication certificate using the instructions below:

Microsoft® Internet Explorer®

1. To view your Digi-Access™ certificate in Microsoft® Internet Explorer®, use the Tools menu (you may have to press the 'Alt' button on your keyboard to view this menu) and then select Internet Options




2. In the Internet Options dialog box, select the Content tab and then click the Certificates button




3. In the Certificates dialog box, select the certificate you wish to examine and then click the View button




4. The chosen certificate will be displayed where you will be able to see:
  • The name of the person the certificate was Issued To

  • The fact that it is a Digi-Access™ certificate issued by Digi-Sign

  • When the certificate was issued (Valid from) and when it will expire (Valid to)



Here is an example of a Digi-Access™ certificate as seen in the Microsoft® Internet Explorer® dialog:





5. Once you have viewed and confirmed this is the Digi-Access™ certificate you wish to remove, return to the Certificates dialog box, select the certificate and click the Remove button

Mozilla Firefox

1. To view your Digi-Access™ certificate in Mozilla Firefox, use the Tools menu and then select Options




2. In the Options dialog box, select the Encryption tab and then click the View Certificates button




3. In the Certificate Manager dialog box, select the certificate you wish to examine and then click the View button




4. The chosen certificate will be displayed where you will be able to see:
  • The name of the person the certificate was Issued To

  • The fact that it is a Digi-Access™ certificate issued by Digi-Sign

  • The date the certificate was Issued on and the date it Expires on



Here is an example of such a Digi-Access™ certificate as seen in the Mozilla Firefox dialog:





5. Once you have viewed and confirmed this is the Digi-Access™ certificate you wish to delete, return to the Certificate Manager dialog box, select the certificate and click the Delete button




Source URL: http://www2.digi-sign.com/arp/2x/help

Links:
[1] http://www2.digi-sign.com/arp/2x
[2] http://www2.digi-sign.com/user/login
[3] http://www2.digi-sign.com/user/register
[4] https://www.digi-sign.com/demonstration/2x/
[5] https://www.digi-sign.com/demonstration/2x/enrol.php
[6] http://www.2x.com/applicationserver/
[7] https://www.digi-sign.com/downloads/download.php?id=digi-access-403
[8] http://technet.microsoft.com/nl-nl/library/cc753103(WS.10).aspx
[9] http://www2.digi-sign.com/403-7.htm
[10] http://www2.digi-sign.com/403-12.htm
[11] http://www2.digi-sign.com/403-13.htm
[12] http://www2.digi-sign.com/403-16.htm
[13] http://www2.digi-sign.com/403-17.htm
[14] http://www2.digi-sign.com/arp/2x/help/configure
[15] http://www2.digi-sign.com/support/digi-access/iis
[16] http://www.digi-sign.com/downloads/certificates/dsroot/Digi-Sign_Root_CA.cer
[17] http://www.digi-sign.com/downloads/certificates/digi-access/Digi-Sign_CA_Digi-Access_Xs.cer
[18] http://www2.digi-sign.com/arp/2x/help/ou
[19] http://www2.digi-sign.com/digi-access/distribute
[20] http://www2.digi-sign.com/arp/ordering
[21] http://www2.digi-sign.com/arp/2x/help/configure#ou
[22] https://www.digi-sign.com/demoexec/2x/enrol.php
[23] https://www.digi-sign.com/demoexec/2x/
[24] http://www2.digi-sign.com/certificate+authority
[25] http://msdn.microsoft.com/en-gb/ie/default.aspx
[26] mailto:support@digi-sign.com
[27] http://www2.digi-sign.com/arp/2x/help/mozilla+enrol
[28] http://www2.digi-sign.com/arp/2x/help/ms+enrol