Portal Help

You have reached a Restricted Computer System belonging to Scientific Systems Company, Inc. (SSCI). SSCI uses monitoring programs for security purposes to track and log all user access, user activity and to protect proprietary information on the system. By logging into this web site, you are expressly consenting to these monitoring activities. Unauthorized attempts to defeat or circumvent security features, to use the system for other than intended purposes, to deny service to authorized users, to access, obtain, alter, damage, or destroy information, or otherwise to interfere with the system or its operation is prohibited. Evidence of such acts may be disclosed to law enforcement authorities and will result in criminal prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996, codified at section 1030 of Title 18 of the United States Code, or other applicable criminal laws.

 

General Issues with SSL Certificates

Encryption to “HTTPS://”  websites is provided with SSL Certificates.       An server’s SSL certificate is usually signed by a Certificate Authority (CA) or CA Root Server.    The Certificate Authority effectively vouches for the legitimacy of the web sites for which it has signed certificates.     Many, but not all, sites on the Internet use certificates signed by commericial  certificate vendors such as Verisign or Thawte.    Many of the CA certificates are already bundled in current versions of IE, Firefox, Chrome and Safari.        Some sites will require that the user installs additional certificates first.      This may be the case where the site is only intended for a companies employees,  and the certificates are not provided by a commercial authority.  Additionally, some DOD sites require additional certificates to be downloaded from the commercial authority.

The process  for importing certificates will vary depending  on your operating system, browser and browser settings.     Certificates usually have a .cer or .crt extension.     Your computer and browsers  may be configured with a preferred default application when opening a .cer or .crt file.    Sometimes, your browser may incorrectly  change the file extension to .txt or try to open the file as a text page in a browser window.

 

Most SSCI servers use internal certificates signed by “asterix.ssci.com.”       This includes the secure webmail  installed accessible via the portal page.    You will need to install the asterix CA certificate.

The Citrix Gateway is secured by a commercial certificate from Thawte.  This is a 2048-bit certificate which may not work with older versions of Citrix client software.

 

 

SSL Certs and Windows

 

The assumption is that you are using Windows 7 with IE10 or IE11.

Windows and Internet explorer have a shared certificate repository.     Some apps on Windows , including Microsoft Outlook, Oracle Java, and  Citrix clients, will use that repository as well.    Typically you can install the certificate by either opening it IE, or downloading the file to your computer and double-clicking  the file to install it.       When installing CA  cert, click the URL (or download the file the double-click the file) -this will start the certificate import wizard.   Do NOT accept the default options.  Select the option “Place all certificates in the following store,” then click Browse to located “Trusted Root Certificate Authorities.”

 

Firefox  does NOT use the “Windows” certificate repository.            You can import a certificate into Firefox  in two ways

–  If you open the certificate as a URL, and the certificate has a .crt extension, Firefox should attempt to import the certificate into Firefox.    You should  receive the prompt that “You have been asked to trust a new Certificate Authority.” Select the checkboxes to enable the certificate to identify web sites.  However,  depending on the browser settings, the MS Windows Certificate Import Wizard may run instead.

–  Rt-click and save the file from the web browser.    In the firefox menu, select Tools -> Options -> Advanced -> Certificates-> View Certificates -> Authorities -> Import. You may receive the prompt that “You have been asked to trust a new Certificate Authority.” Select the checkboxes to enable the certificate to identify web sites.

 

 

SSL Certs and Mac

Mac and Safari have a shared certificate repository (the Keychain App.)       If you open certificate in Safari (or download and double-click to open) it should import it into the keychain app.   The Citrix client will also use this app.      Firefox does not share this certificate store.   The import procedure is similar to Firefox in Windows.   If you are using Citrix resources with Firefox, you will need to make sure the SSL certificates are installed in both Firefox and Safari/Keychain.

 

 

 

 

SSL Certs and Linux

The  procedure to import certificates into Firefox on Linux is similar to the procedure for Mac and Windows.

 

For the nativc Citrix client, the CA certs should be copied to /opt/Citrix/ICAClient/keystore/cacerts directory.

 

Valididating Certificates in your browser

 

Thawte has a tools to check if your browser has the required certs installed to communicate with a specific web site

https://ssltools.thawte.com/checker/views/certCheck.jsp

 

To verify that the certificates for the citrix gateway are working, test the “csg.ssci.com” url.

To verify that the certificates for the citrix gateway are working, test the url “msx .ssci.com” url.

 

SSCI Secure Webmail

Encryption is provided in conjunction with an internal corporate Certificate Authority root  SSL certificate (asterix.ssci.com) .     The Certificate Authority effectively vouches for the legitimacy of the web sites for which it has signed certificates.    In this case, the Asterix certificate has vouched for the validity of the webmail servers.     The certificate must be installed in your browser for secure webmail to work properly.    Accepting the certificate for the website (msx.ssci.com) is not sufficient.       Your browser will show warnings if a certificate is not installed properly.

 

Secure Webmail should work on all recent versions of Internet Explorer (Windows)  Firefox  (Windows, Mac, Linux), Google Chrome, and Safari (tested on Mac only.)      The process  for importing certificates will vary depending  on your operating system, browser and browser settings.     Certificates usually have a .cer or .crt extension.     Your computer and browsers  may be configured with a preferred default application when opening a .cer or .crt file.    Sometimes, your browser may incorrectly  change the file extension to .txt or try to open the file as a text page in a browser window.

 

 

  • IE users should install the following certificate: asterix-CA-20141005-20191004.cer. When you click on the link, you should be prompted to open the file. This will start the certificate import wizard. Select the option “Place all certificates in the following store,” then click Browse to located “Trusted Root Certificate Authorities.”
  • Firefox users on Windows (and possibly other platforms) should right-click and download the following certificate: asterix-CA-20141005-20191004.cer. In the firefox menu, select Tools -> Options -> Advanced -> Certificates-> View Certificates -> Authorities -> Import. You may receive the prompt that “You have been asked to trust a new Certificate Authority.” Select the checkboxes to enable the certificate to identify web sites.
  • Firefox users (non Windows) should install the following certificate: asterix-CA-20141005-20191004.crt. You may receive the prompt that “You have been asked to trust a new Certificate Authority.” Select the checkboxes to enable the certificate to identify web sites.

 

Firefox will let you trust a server certificate even if you don’t accept the CA certificate.

IE may also let you trust the server certificate, however it will still show SSL warnings and, since pop-ups may be blocked, you may have unexpected behavior like draft messages being lost.

 

 

Citrix Gateway

There are two general categories of the Citrix client-  native-clients (native for Windows, Linux and Mac), and java-based.    The SSCI citrix page includes client downloads but they may not be recent enough.   Updated clients are available from http://www.citrix.com/downloads.     Depending on the OS and Client version, the client software name may   Under the “Select Products” drop-down menu select “Citrix Receiver/ICA.”   Under the “Select download type” select the Receiver for Linux, Mac or Windows.

The Citrix Gateway is secured by a commercial certificate from Thawte.  This is a 2048-bit certificate which may not work with older versions of Citrix client software.

 

Windows

 

Remember that if you are using Firefox or Chrome, rather than IE, you  MAY need to install the Thawte certs.

 

Linux

For Linux on non-SSCI machines, you will need to upgrade to ICAClient 13.1.  ICAClient 13.0 and earlier do not work with the newer 2048-bit certificates.    The CA certs should be copied to /opt/Citrix/ICAClient/keystore/cacerts directory.

 

You can download the latest Linux Receiver client at:

 

http://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-131.html

You should be able to install the 32-bit client on a 64-bit machine but this has not been tested.

Remember that you MAY need to install the Thawte certs in your preferred browser (firefox or chrome.)

For the nativc Citrix client, the CA certs should be copied to /opt/Citrix/ICAClient/keystore/cacerts directory.    It is UNLIKELY that the citrix client has these installed by default.

 

If you are using the java client, the CA certificates need to be installed in the  java keystore.

 

 

Mac

You should have Citrix receiver 11.8.2 or later installed.

 

If you are using Firefox 33 you may need to adjust the plugin settings.

tools -> addons -> plugins

Citrix receiver plugin 11.8.2 shd be installed.  Change from “Ask to Activate” to “always activate”

 

Technical Excellence • Industry Partnerships • Customer Solutions