Access Requirements: In order to utilize an MLOA Hardware token, please ensure the application to which you want access requires MLOA Hardware access. If the application requires a hardware token, you must have an Exostar’s Managed Access Gateway (MAG) account, complete a token purchase, as well as complete an in-person proofing appointment with a trusted agent.
Please follow the steps below to purchase and set-up your MLOA Hardware Token.
Step 1. Purchase
Please note, you have the option to complete a purchase for either one-year or three-year token access. Please note the start date for your MLOA Hardware token is the day you download your certificate, not the day you purchase the token.
To Purchase a MLOA Hardware Certificate:
1. Navigate to and ensure you are logged into Exostar’s Web Store.
2. Click the purchase now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one or three year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you complete payment before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
2. Click the purchase now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one or three year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you complete payment before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
Step 2. Request FIS Access
Once you complete your MLOA Hardware Token purchase, you must request access through your MAG user account. Please ensure you make selections based off your purchase. An Exostar Trusted Agent will compare your request to the associated purchase, and if it is incorrect, they will deny the request.
To request FIS MLOA Hardware access:
1. Login to MAG. Select Request Access in the Federated Identity Service (FIS) section, bottom right corner, of the My 2FA Credentials section.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
A confirmation screen displays. Your Organization’s FIS Administrator must approve your request. Once your request is approved, the request is routed to Exostar for review and approval. You must complete an in-person proofing appointment prior to downloading your certificates.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
A confirmation screen displays. Your Organization’s FIS Administrator must approve your request. Once your request is approved, the request is routed to Exostar for review and approval. You must complete an in-person proofing appointment prior to downloading your certificates.
Step 3. Complete In-Person Proofing
In order to utilize MLOA Software certificates, you must complete an in-person proofing appointment with a verified agent. If you are a Supplier located in the United States, our vendor NotaryGo, will contact you to setup a proofing appointment with one of their Trusted Agents. For users outside the United States, a Trusted Agent from Verify Europe will contact you to set-up a proofing appointment. Please note, the Trusted Agent completes a proofing packet for Exostar’s review. For additional information on the proofing process, please see the MLOA In-Person Proofing page.
To complete your in-person proofing appointment:
1. Schedule proofing appointment with Trusted Agent.
NOTE: The Trusted Agent will contact you.
2. Complete a successful proofing appointment. You must provide acceptable identity documentation, as well as an employment verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a letter example.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e., invalid identity documentation), you may incur a new proofing cost.
NOTE: The Trusted Agent will contact you.
2. Complete a successful proofing appointment. You must provide acceptable identity documentation, as well as an employment verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a letter example.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e., invalid identity documentation), you may incur a new proofing cost.
Step 4. Download Certificates
To download the MLOA hardware certificates, complete the following tasks:
- Acquire the appropriate token. Exostar ships your token via FedEx once you schedule your proofing appointment. If you have not received your token, reach out to Customer Support.
- Install the token PKI Client middleware on your machine. Contact your token vendor for appropriate information, or your IT Support for organization specific information.
- Initialize the token in FIPS 140-2 mode. For more information on how to check for FIPS mode, refer to the Hardware Token FIPS Mode Review section below for details.
- Ensure you have been provided the initial token password to enable you to complete token installation. Contact your vendor to receive the initial password. You are required to enter a password for this token during the certificate download process.
- Complete the in-person proofing process and receive the 16-digit passcode from the proofing agent at the end of your appointment. If you lose this passcode, you are required to complete a reproofing purchase, and go through the in-person proofing process again.
Hardware Token FIPS Mode Review:
Exostar’s Medium Level of Assurance Hardware (MLOA) digital certificates are 2048 FIPS 140-2 compliant. To ensure the tokens also comply with the FIPS 140-2 compliance, review the token information. You must review this information BEFORE downloading the digital certificates.
1. If you completed the initial password change process for your token, plug the token into your USB drive. The eToken PKI Client Properties screen displays for the Aladdin eToken PRO (72K) Java. Click on View eToken Info to display the token details.
2. Scroll through the list, and search for FIPS Mode and Supported Key Size under the Name column. If the token does not display information on FIPS Mode, you must follow the steps below to initialize your token in the FIPS Mode.
NOTE: Make sure the Supported Key size is 2048. Any certificates on the token are invalid for FIPS 14-compliance. If you already have certificates installed on the tokens, re-initialize the token.
1. If you completed the initial password change process for your token, plug the token into your USB drive. The eToken PKI Client Properties screen displays for the Aladdin eToken PRO (72K) Java. Click on View eToken Info to display the token details.
2. Scroll through the list, and search for FIPS Mode and Supported Key Size under the Name column. If the token does not display information on FIPS Mode, you must follow the steps below to initialize your token in the FIPS Mode.
NOTE: Make sure the Supported Key size is 2048. Any certificates on the token are invalid for FIPS 14-compliance. If you already have certificates installed on the tokens, re-initialize the token.
Hardware Token FIPS Mode Initialization:
1. Click eToken Pro Java.
2. Select the Initialize eToken icon to display the initialize screen.
3. Click the Advance View icon on the PKI Client. If this button is unavailable, contact your IT Administrator or FISA (FIS Administrator) for additional information on how to set-up the token in the FIPS mode.
4. Check the box for FIPS mode, to set-up the FIS mode for the token. Click OK to complete.
5. On the Initialize eToken screen, click Start.
6. Select OK to start token initialization.
7. Once you successfully initialize your token, a confirmation screens displays. Click OK.
8. You are redirected to the PKI Client main screen. Select View eToken Info.
9. The FIPS Mode displays. Click OK.
2. Select the Initialize eToken icon to display the initialize screen.
3. Click the Advance View icon on the PKI Client. If this button is unavailable, contact your IT Administrator or FISA (FIS Administrator) for additional information on how to set-up the token in the FIPS mode.
4. Check the box for FIPS mode, to set-up the FIS mode for the token. Click OK to complete.
5. On the Initialize eToken screen, click Start.
6. Select OK to start token initialization.
7. Once you successfully initialize your token, a confirmation screens displays. Click OK.
8. You are redirected to the PKI Client main screen. Select View eToken Info.
9. The FIPS Mode displays. Click OK.
To download the certificates to your token:
1. Plug the token into your USB drive, and make sure you are logged into your Managed Access Gateway (MAG) user account.
2. Go to your My Account tab and then click the Manage Certificates sub-tab.
NOTE: The Download Certificates sub-tab is only visible under the Manage Certificates tab when you have an approved FIS request pending certificate download. If no certificates are available for download, this sub-tab does not display.
3. Enter your 16-digit passcode. At the time of in-person proofing appointment, the proofer provided you a passcode. This passcode is only valid after you receive a packet approval email from Exostar.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your Managed Access Gateway (MAG) log-in password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
4. If your passcode is correct, a list of certificates to download displays. The system automatically selects all of them for download. Once selected, you are prompted to enter the hardware token password. Enter the token password and click OK.
5. Click OK. Certificates are created and archived.
NOTE: This activity allows Exostar to archive the encryption key for recovery at a later time. Refer to the Recover Encryption Keys section for details.
6. Once the archiving process is complete, click OK to complete the installation process.
7. You are prompted again for your token password. Enter your password, and click OK to import the certificates to your token.
8. Click OK to complete the process.
2. Go to your My Account tab and then click the Manage Certificates sub-tab.
NOTE: The Download Certificates sub-tab is only visible under the Manage Certificates tab when you have an approved FIS request pending certificate download. If no certificates are available for download, this sub-tab does not display.
3. Enter your 16-digit passcode. At the time of in-person proofing appointment, the proofer provided you a passcode. This passcode is only valid after you receive a packet approval email from Exostar.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your Managed Access Gateway (MAG) log-in password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
4. If your passcode is correct, a list of certificates to download displays. The system automatically selects all of them for download. Once selected, you are prompted to enter the hardware token password. Enter the token password and click OK.
5. Click OK. Certificates are created and archived.
NOTE: This activity allows Exostar to archive the encryption key for recovery at a later time. Refer to the Recover Encryption Keys section for details.
6. Once the archiving process is complete, click OK to complete the installation process.
7. You are prompted again for your token password. Enter your password, and click OK to import the certificates to your token.
8. Click OK to complete the process.
To complete hardware token installation:
This section provides instructions on how to install the required software in order for your computer to properly communicate with the Aladdin token you purchased. This token is used to download/access Medium Level of Assurance (MLOA) hardware digital certificates. The software can be loaded by either clicking the links provided below, or by inserting the token into your computer which downloads the middleware automatically. The software required for download is the following: SafeNet Authentication Client and Exostar Certificate Issuance Software.
NOTE: Please close all open programs before starting the hardware token installation.
1. Choose one of the links listed below to start the software download process:
For computer environments that support 32Bit: https://portal.exostar.com/safenet/pkianywhere/ExostarSafeNetPKIClientX32v1.exe
For computer environments that support 64Bit: https://portal.exostar.com/safenet/pkianywhere/ExostarSafeNetPKIClientX64v1.exe
2. Please click Yes when the SafeNet Authentication Client Download screen displays to start the download process.
NOTES:
The Loading eToken PRO Anywhere dialog box displays when software files are being installed.
While Windows configures the SafeNet Authentication Client, a dialog box displays the remaining time.
After installation, note the SafeNet Icon in the bottom right corner of your desktop. You may need to click on the small arrow, show hidden icon.
After the SafeNet Authentication Client is installed, the Exostar Certificate Issuance Software Setup starts to download.
3. Click Next on the Welcome to the Exostar Certificate Issuance Software Setup Wizard screen to start the download process.
4. Click Next on the Select Installation Folder screen. We recommend you keep the pre-selected folder.
5. Click Next on the Confirm Installation screen and click Close on the Installation Complete screen.
6. Insert the token into your computer and install software components.
NOTES:
In order for your computer to properly communicate with the token, you must first install the token software, which is provided by the token manufacturer, SafeNet-Aladdin.
When you insert your token for the first time, it may install USB-related software, and request you restart your computer. In such cases, please proceed with a restart.
7. You are prompted to download and install required components (internet connection required). Click Run Launcher.exe and follow the prompts.
NOTE: If you are not automatically prompted, open Windows Explorer (right click on the Start menu, select Explorer), the token displays as a CD Drive. Double click on Launcher.exe.
8. Unplug the token and reinsert. After a few moments, the token is recognized.
9. You are prompted to change the Token Password.
Important: When you use the token going forward, you are required to enter this password. Choose a Token Password you will remember. If you forget this Token Password, you are required to reinitialize your Token and reapply for certificates, at your expense.
Default Token Password: 1234567890
Important During installation:
You must have Administrative rights to your computer.
You may be prompted by Windows to allow changes to your computer. Select Yes or Allow.
Click Next when prompted by the installer to accept default options.
Click Close when you see Installation Complete.
NOTE: Please close all open programs before starting the hardware token installation.
1. Choose one of the links listed below to start the software download process:
For computer environments that support 32Bit: https://portal.exostar.com/safenet/pkianywhere/ExostarSafeNetPKIClientX32v1.exe
For computer environments that support 64Bit: https://portal.exostar.com/safenet/pkianywhere/ExostarSafeNetPKIClientX64v1.exe
2. Please click Yes when the SafeNet Authentication Client Download screen displays to start the download process.
NOTES:
The Loading eToken PRO Anywhere dialog box displays when software files are being installed.
While Windows configures the SafeNet Authentication Client, a dialog box displays the remaining time.
After installation, note the SafeNet Icon in the bottom right corner of your desktop. You may need to click on the small arrow, show hidden icon.
After the SafeNet Authentication Client is installed, the Exostar Certificate Issuance Software Setup starts to download.
3. Click Next on the Welcome to the Exostar Certificate Issuance Software Setup Wizard screen to start the download process.
4. Click Next on the Select Installation Folder screen. We recommend you keep the pre-selected folder.
5. Click Next on the Confirm Installation screen and click Close on the Installation Complete screen.
6. Insert the token into your computer and install software components.
NOTES:
In order for your computer to properly communicate with the token, you must first install the token software, which is provided by the token manufacturer, SafeNet-Aladdin.
When you insert your token for the first time, it may install USB-related software, and request you restart your computer. In such cases, please proceed with a restart.
7. You are prompted to download and install required components (internet connection required). Click Run Launcher.exe and follow the prompts.
NOTE: If you are not automatically prompted, open Windows Explorer (right click on the Start menu, select Explorer), the token displays as a CD Drive. Double click on Launcher.exe.
8. Unplug the token and reinsert. After a few moments, the token is recognized.
9. You are prompted to change the Token Password.
Important: When you use the token going forward, you are required to enter this password. Choose a Token Password you will remember. If you forget this Token Password, you are required to reinitialize your Token and reapply for certificates, at your expense.
Default Token Password: 1234567890
Important During installation:
You must have Administrative rights to your computer.
You may be prompted by Windows to allow changes to your computer. Select Yes or Allow.
Click Next when prompted by the installer to accept default options.
Click Close when you see Installation Complete.