Access Requirements: If your application requires a FIS Medium Level of Assurance (MLOA) Hardware Token, you will need the following below:
1. You will need a Managed Access Gateway (MAG) user account.
2. Purchase a MLOA Hardware Token via Exostar’s Web Store.
3. Complete an In-Person Proofing appointment with a trusted agent.
Please follow the steps below to purchase and setup your MLOA Hardware.
Step 1. Purchase MLOA Hardware
You have the option to complete a purchase for either one-year or three-year token access. Please note the start date for your MLOA Hardware is the day you download your certificate, not the day you purchase the token. (Please note Exostar ships tokens via FedEx).
To Purchase a MLOA Hardware certificate:
1. Navigate to and ensure you are logged into Exostar’s Web Store.
2. Click the Purchase Now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one (1) or three (3) year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. You will notice the Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you to complete payment in full before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
2. Click the Purchase Now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one (1) or three (3) year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. You will notice the Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you to complete payment in full before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
Step 2. Request FIS Access
Once you complete your MLOA Hardware purchase, you must request access to Federated Identity Service (FIS) through your MAG user account. Please ensure you make selections based off your purchase. Prior to your proofing appointment, an Exostar Trusted Agent will verify your request to the associated purchase and if it is incorrect, they will deny the request.
To request access to Federated Identity Service (FIS):
1. Login to your MAG account. At the top of your dashboard in the My 2FA Credentials section, under the Federated Identity Service (FIS) section, select Request Access.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
4. A confirmation screen will display. Your Organization’s FIS Administrator must approve your request.
5. Once your request is approved, the request is then routed to Exostar for review and approval. 6. You must complete an In-Person Proofing appointment prior to downloading your certificates.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
4. A confirmation screen will display. Your Organization’s FIS Administrator must approve your request.
5. Once your request is approved, the request is then routed to Exostar for review and approval. 6. You must complete an In-Person Proofing appointment prior to downloading your certificates.
Step 3. Complete In-Person Proofing
Before you can download your certificates, you must complete an In-Person Proofing appointment with a trusted agent.
- Users based inside United States: If you are a Supplier located in the United States, our vendor NotaryGo, will contact you to setup a proofing appointment with one of their Trusted Agents.
- Users based outside United States (International): For users outside the United States, a Trusted Agent from Verify Europe will contact you to setup a proofing appointment.
Please note the Trusted Agent completes a proofing packet for Exostar’s review. For additional information on the proofing process, please see the MLOA In-Person Proofing page.
To complete your In-Person Proofing appointment:
1. After you have purchased your MLOA Hardware, a Trusted Agent will contact you to schedule your In-Person Proofing appointment.
2. Prior to your appointment make sure you have the acceptable identification documents, as well as an Employment Verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a sample letter.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e., invalid identity documentation), you may incur a new proofing cost.
2. Prior to your appointment make sure you have the acceptable identification documents, as well as an Employment Verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a sample letter.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e., invalid identity documentation), you may incur a new proofing cost.
Supported Tokens
*Before you download the digital certificates, please make sure you choose the correct token (below) based on the assurance level you require*.
Exostar’s Medium Level of Assurance Hardware (MLOA) digital certificates currently support the following PKI hardware tokens:
- Thales eToken 5110 Series
- Thales eToken 5110+FIPS (FedRAMP and FIPS 140-2 Certified) – [Note that the eToken 5110 and the eToken 5110+FIPS look physically identical]
- NOTE: Legacy PKI hardware tokens such as the Aladdin eToken PRO are no longer supported and must be updated *(see image below).
The Properties of an eToken 5110+ should have the following parameters (obtained from the Exostar SafeNet Client tool (see token information below).
*Supported vs. Not Supported Tokens
Step 4. Download MLOA Certificates
To Download the MLOA Hardware Certificates, please make sure you have completed the following tasks first:
- After you have completed the In-Person Proofing session, make sure you have the 16-digit passcode the Agent provided to you. (If you lose this passcode, you are required to complete a reproofing purchase and go through the in-person proofing process again).
- Receive your MLOA Hardware token (Exostar ships your token via FedEx once you schedule your proofing appointment). If you have not received your token, please reach out to Customer Support with your Sales Order number.
- Install the necessary token PKI client middleware on your machine. In order for your token to be a recognized device in your computer, you need to install the following middleware in the order outlined below:
- (1) Exostar SafeNet Client (you must have Administrator rights to your computer)
- (2) Exostar Key Management Agent (KMA™) (you do not need Administrator rights to your computer)
- Change the initial token password. The default token password is 1234567890. During the certificate download process, you can enter a new password.
Step 4A: Change Default Token Password
To Change your Default Token Password:
1. Insert your new Token in your computer’s USB drive.
2. Launch Exostar SafeNet client tool.
3. A screen will display to change the token password. (If you are not automatically prompted, choose the “Change Token Password” option).
4. Enter the default token password, 1234567890. Enter a new password and then enter it again to confirm your new password. Please make sure you remember your password.
(NOTE: If you forget this Token Password you will be required to reinitialize your Token, reapply for certificates and complete the identity proofing process again at your expense).
Additional Notes:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your MAG login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
– The passcode is only valid for 30 days from the time of Exostar proofer approval
– The proofing approval process may take up to 1 business week
2. Launch Exostar SafeNet client tool.
3. A screen will display to change the token password. (If you are not automatically prompted, choose the “Change Token Password” option).
4. Enter the default token password, 1234567890. Enter a new password and then enter it again to confirm your new password. Please make sure you remember your password.
(NOTE: If you forget this Token Password you will be required to reinitialize your Token, reapply for certificates and complete the identity proofing process again at your expense).
Additional Notes:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your MAG login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
– The passcode is only valid for 30 days from the time of Exostar proofer approval
– The proofing approval process may take up to 1 business week
Step 4B: Authenticate Token with Exostar KMA™
To Authenticate your Token with Exostar KMA™:
1. Make sure Exostar KMA™ is not running (you can look at the System Tray on the far right side of your Desktop Taskbar).
2. Insert your token in your computer’s USB drive.
3. Then launch KMA™. You will be prompted to enter your token password, then click OK.
4. To verify your token is authenticated, click the About tab in KMA™. Your token will display as “true” if its authenticated.
5. Next install your MAG PKI Certificates on your token.
2. Insert your token in your computer’s USB drive.
3. Then launch KMA™. You will be prompted to enter your token password, then click OK.
4. To verify your token is authenticated, click the About tab in KMA™. Your token will display as “true” if its authenticated.
5. Next install your MAG PKI Certificates on your token.
Step 4C: Install MAG PKI Certificates on Token
Before you can download your certificates please complete the following tasks outlined below. Then you can follow the steps to install the certificates on your token.
BEFORE you Download your Certificates:
1. First launch Exostar SafeNet client.
2. Plug your token into your computer’s USB drive and make sure you are logged into your MAG user account.
3. Next launch Exostar KMA™.
4. Make sure your token is authenticated in KMA™. (If you are logged into MAG and your token is not authenticated to KMA™, this will result in a looping failure to sign certificates and you will receive an error).
2. Plug your token into your computer’s USB drive and make sure you are logged into your MAG user account.
3. Next launch Exostar KMA™.
4. Make sure your token is authenticated in KMA™. (If you are logged into MAG and your token is not authenticated to KMA™, this will result in a looping failure to sign certificates and you will receive an error).
To Install MAG PKI Certificates to your Token:
1. Login to your MAG user account. In the upper right corner under FIS, you will see a Download link. You can click this link or go to My Accounts, then Manage Certificates sub-tab to download your certificates. (NOTE: The Download Certificates link is only visible under the Manage Certificates tab when you have an approved FIS request pending certificate download. If no certificates are available for download, this sub-tab does not display).
2. Enter the 16-digit passcode, the Proofing Agent provided you with during your in-person proofing appointment.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your MAG login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
– The passcode is only valid for 30 days from the time of Exostar proofer approval
– The proofing approval process may take up to 1 business week
3. If your passcode is correct, a list will display of certificates to download. (The system will automatically select all of the certificates to download). Once selected, you are prompted to enter the Hardware Token Password that you previously created. Enter the Token Password and click OK.
4. Verify the Request ID, ensuring both numbers match before generating the RSA keys. Then click GENERATE.
5. Next your certificates are created and archived. This process may take a few minutes (once the process is complete, a View Certificates link will display).
6. Click Exit KMA to complete the process.
2. Enter the 16-digit passcode, the Proofing Agent provided you with during your in-person proofing appointment.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your MAG login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
– The passcode is only valid for 30 days from the time of Exostar proofer approval
– The proofing approval process may take up to 1 business week
3. If your passcode is correct, a list will display of certificates to download. (The system will automatically select all of the certificates to download). Once selected, you are prompted to enter the Hardware Token Password that you previously created. Enter the Token Password and click OK.
4. Verify the Request ID, ensuring both numbers match before generating the RSA keys. Then click GENERATE.
5. Next your certificates are created and archived. This process may take a few minutes (once the process is complete, a View Certificates link will display).
6. Click Exit KMA to complete the process.
