Access Requirements: To access the Northrop Grumman system, you must first obtain an Exostar’s Managed Access Gateway (MAG) account and complete the Federated Identity Service (FIS) Medium Level of Assurance (MLOA) Hardware process. This page reviews how to register for a MAG account and complete the FIS process.
Step 1. Register with Exostar
Register for MAG Account:
To obtain an FIS certificate, you must have a Managed Access Gateway (MAG) account.
1. Click here to complete organization registration.
2. After you complete your registration, view the MAG Get Started page.
3. Once you register your organization account and user account, an FIS Administrator for your organization must accept the FIS Terms and Conditions in MAG. For more information about FIS Administrator responsibilities, please see the FIS Administrator page.
1. Click here to complete organization registration.
2. After you complete your registration, view the MAG Get Started page.
3. Once you register your organization account and user account, an FIS Administrator for your organization must accept the FIS Terms and Conditions in MAG. For more information about FIS Administrator responsibilities, please see the FIS Administrator page.
Step 2. Purchase
You have the option to complete a purchase for either one-year or three-year token access. Please note, the start date for your MLOA Hardware token is the day you download your certificate, not the day you purchase the token.
To Purchase a MLOA Hardware Certificate:
1. Navigate to and login to Exostar’s Web Store.
2. Click the purchase now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one or three year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you complete payment before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
2. Click the purchase now link for FIS Medium Level of Assurance (MLOA) – Hardware. Choose the one or three year option.
3. Select the radio button to Buy PKI token For Yourself or Buy PKI token For Other(s).
4. Choose from the Country drop-down menu. Click the Add to Cart button.
5. Review your cart. Click the Proceed to Checkout button.
6. You are redirected to the Shipping Method page. Ship to end user is the only option available and is already selected. Click Continue.
7. On the Payment Information page, select to pay via credit card or invoice. Fill out all required information. Click Continue.
NOTE: The invoice option requires you complete payment before receiving any product.
8. On the Review and Submit Your Order page, click the Disclaimer link and review the information. Once you complete your review, select the checkbox next to I have read and acknowledged the following Disclaimer prior to purchase.
9. Click Submit Order.
NOTE: A confirmation page displays, providing your Sales Order Number (SO#####).
Step 3. Request FIS Access
Once you complete your MLOA Hardware Token purchase, you must request access through your MAG user account. Please ensure you make selections based off your purchase. An Exostar Trusted Agent will compare your request to the associated purchase, and if it is incorrect, they will deny the request.
To Request FIS MLOA Hardware Access:
1. Login to MAG. Select Request Access in the Federated Identity Service (FIS) section, bottom right corner, of the My 2FA Credentials section.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
4. A confirmation screen displays. Your Organization’s FIS Administrator must approve your request.
5. Once your request is approved, the request is routed to Exostar for review and approval.
6. You must complete an in-person proofing appointment prior to downloading your certificates.
2. In the FIS Certificate Information section, make selections from the drop-down menus provided.
NOTE: These selections must match your purchase.
3. In the User Information section, verify all data input. Click Next.
4. A confirmation screen displays. Your Organization’s FIS Administrator must approve your request.
5. Once your request is approved, the request is routed to Exostar for review and approval.
6. You must complete an in-person proofing appointment prior to downloading your certificates.
Step 4. Complete In-Person Proofing
In order to utilize MLOA Software certificates, you must complete an In-Person Proofing appointment with a verified agent. If you are a Supplier located in the United States, our vendor NotaryGo, will contact you to setup a proofing appointment with one of their Trusted Agents. For users outside the United States, a Trusted Agent from Verify Europe will contact you to setup a proofing appointment. Please note, the Trusted Agent completes a proofing packet for Exostar’s review. For additional information on the proofing process, please see the MLOA In-Person Proofing page.
To Complete your In-Person Proofing Appointment:
1. Schedule proofing appointment with Trusted Agent.
NOTE: The Trusted Agent will contact you.
2. Complete a successful proofing appointment. You must provide acceptable identity documentation, as well as an employment verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a letter example.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e. invalid identity documentation), you may incur a new proofing cost.
NOTE: The Trusted Agent will contact you.
2. Complete a successful proofing appointment. You must provide acceptable identity documentation, as well as an employment verification letter. Please see the MLOA In-Person Proofing page for additional information on identification and a letter example.
NOTES:
– If you complete a successful proofing appointment, the Trusted Agent provides a 16-digit passcode. This passcode is required during the download process.
– If you do not complete a successful proofing appointment (i.e. invalid identity documentation), you may incur a new proofing cost.
Step 5. Download Certificates
To Download the MLOA Hardware Certificates, complete the following tasks:
- Acquire the appropriate token. Exostar ships your token via FedEx once you schedule your proofing appointment. If you have not received your token, reach out to Customer Support.
- Install the token PKI Client middleware on your machine. Contact your token vendor for appropriate information, or your IT Support for organization specific information.
- Initialize the token in FIPS 140-2 mode. For more information on how to check for FIPS mode, refer to the Hardware Token FIPS Mode Review section below for details.
- Ensure you have been provided the initial token password to enable you to complete token installation. Contact your vendor to receive the initial password. You are required to enter a password for this token during the certificate download process.
- Complete the in-person proofing process and receive the 16-digit passcode from the proofing agent at the end of your appointment. If you lose this passcode, you are required to complete a reproofing purchase, and go through the in-person proofing process again.
Hardware Token FIPS Mode Review:
Exostar’s Medium Level of Assurance Hardware (MLOA) digital certificates are 2048 FIPS 140-2 compliant. To ensure the tokens also comply with the FIPS 140-2 compliance, review the token information. You must review this information BEFORE downloading the digital certificates.
1. If you completed the initial password change process for your token, plug the token into your USB drive. The eToken PKI Client Properties screen displays for the Aladdin eToken PRO (72K) Java. Click on View eToken Info to display the token details.
2. Scroll through the list, and search for FIPS Mode and Supported Key Size under the Name column. If the token does not display information on FIPS Mode, you must follow the steps below to initialize your token in the FIPS Mode.
NOTE: Make sure the Supported Key size is 2048. Any certificates on the token are invalid for FIPS 14-compliance. If you already have certificates installed on the tokens, re-initialize the token.
1. If you completed the initial password change process for your token, plug the token into your USB drive. The eToken PKI Client Properties screen displays for the Aladdin eToken PRO (72K) Java. Click on View eToken Info to display the token details.
2. Scroll through the list, and search for FIPS Mode and Supported Key Size under the Name column. If the token does not display information on FIPS Mode, you must follow the steps below to initialize your token in the FIPS Mode.
NOTE: Make sure the Supported Key size is 2048. Any certificates on the token are invalid for FIPS 14-compliance. If you already have certificates installed on the tokens, re-initialize the token.
Hardware Token FIPS Mode Initialization:
1. Click eToken Pro Java.
2. Select the Initialize eToken icon to display the initialize screen.
3. Click the Advance View icon on the PKI Client. If this button is unavailable, contact your IT Administrator or FISA (FIS Administrator) for additional information on how to setup the token in the FIPS mode.
4. Check the box for FIPS mode, to setup the FIS mode for the token. Click OK to complete.
5. On the Initialize eToken screen, click Start.
6. Select OK to start token initialization.
7. Once you successfully initialize your token, a confirmation screens displays. Click OK.
8. You are redirected to the PKI Client main screen. Select View eToken Info.
9. The FIPS Mode displays. Click OK.
2. Select the Initialize eToken icon to display the initialize screen.
3. Click the Advance View icon on the PKI Client. If this button is unavailable, contact your IT Administrator or FISA (FIS Administrator) for additional information on how to setup the token in the FIPS mode.
4. Check the box for FIPS mode, to setup the FIS mode for the token. Click OK to complete.
5. On the Initialize eToken screen, click Start.
6. Select OK to start token initialization.
7. Once you successfully initialize your token, a confirmation screens displays. Click OK.
8. You are redirected to the PKI Client main screen. Select View eToken Info.
9. The FIPS Mode displays. Click OK.
To Download the Certificates to your Token:
1. Plug the token into your USB drive, and make sure you are logged into your Managed Access Gateway (MAG) user account.
2. Go to your My Account tab and then click the Manage Certificates sub-tab.
NOTE: The Download Certificates sub-tab is only visible under the Manage Certificates tab when you have an approved FIS request pending certificate download. If no certificates are available for download, this sub-tab does not display.
3. Enter your 16-digit passcode. At the time of in-person proofing appointment, the proofer provided you a passcode. This passcode is only valid after you receive a packet approval email from Exostar.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your Managed Access Gateway (MAG) login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
4. If your passcode is correct, a list of certificates to download displays. The system automatically selects all of them for download. Once selected, you are prompted to enter the hardware token password. Enter the token password and click OK.
5. Click OK. Certificates are created and archived.
NOTE: This activity allows Exostar to archive the encryption key for recovery at a later time. Refer to the Recover Encryption Keys section for details.
6. Once the archiving process is complete, click OK to complete the installation process.
7. You are prompted again for your token password. Enter your password, and click OK to import the certificates to your token.
8. Click OK to complete the process.
2. Go to your My Account tab and then click the Manage Certificates sub-tab.
NOTE: The Download Certificates sub-tab is only visible under the Manage Certificates tab when you have an approved FIS request pending certificate download. If no certificates are available for download, this sub-tab does not display.
3. Enter your 16-digit passcode. At the time of in-person proofing appointment, the proofer provided you a passcode. This passcode is only valid after you receive a packet approval email from Exostar.
NOTES:
– The passcode is a 16-digit number separated by hyphens, for example: 1234-5678-1234-5678. You must enter all characters, including the hyphens, OR leave the hyphens out completely. The passcode is NOT the same as your Managed Access Gateway (MAG) login password.
– If you lose the passcode, you are required to complete a reproofing purchase and complete another in-person proofing appointment.
4. If your passcode is correct, a list of certificates to download displays. The system automatically selects all of them for download. Once selected, you are prompted to enter the hardware token password. Enter the token password and click OK.
5. Click OK. Certificates are created and archived.
NOTE: This activity allows Exostar to archive the encryption key for recovery at a later time. Refer to the Recover Encryption Keys section for details.
6. Once the archiving process is complete, click OK to complete the installation process.
7. You are prompted again for your token password. Enter your password, and click OK to import the certificates to your token.
8. Click OK to complete the process.