Operations Technical Checklist Shared Environments
This page provides an overview of known prerequisites that are required in order to be able to work with the Trust1Connector.
Last updated
This page provides an overview of known prerequisites that are required in order to be able to work with the Trust1Connector.
Last updated
The Trust1Connector is introduced to replace the current implementation of Belfius Web which makes use of Java Applets. These Java Applets are installed locally in the browser and execute logic with the rights of the current user. This is considered insecure behaviour and won't be supported in the future by browser manufacturers. The Trust1Connector doesn't require you to install an applet in the browsers, it is designed to be browser independent.
All supported operating systems require an administrator to install the software. It is advised to launch the installer as the current logged in user and enter the administrative password once requested (e.g. UAC popup on Windows).
Support from Windows 7 and later.
Support from macOS 10.9 (OS-X Mavericks) and later.
Supported. Requires a restart of the server after installation. It is advised to sync some folders as described at Persistence.
Supported. Requires a restart of the server after installation.
When using a virtual application, the Trust1Connector should be installed on the Citrix server. In addition the Windows SmartCard daemon and the smart card redirection should be enabled. It is advised to sync some folders as described at Persistence.
There is some configuration required to allow access to the smartcard reader from the virtual application.
More info about this can be found at https://helgeklein.com/blog/2013/04/getting-smart-card-readers-to-work-with-citrix-xendesktop/.
Create a belfiusweb.bat file (or any other name to your preference) on the server and add the following lines:
You can also specify another browser, just change the executable path accordingly.
This bat file should be used as the executable for the virtual application. Give the virtual application a descriptive name and logo (can be the Chrome or Belfius logo for example).
In order to properly close all resources when the users closes the Chrome browser, additional configuration must be done in the registry. Follow the guide at https://support.citrix.com/article/CTX891671. The value of the registry key should be:
If the registry already exists, just add these values prefixed with a comma (no spaces).
The Windows installation can be silently installed using the Windows command prompt
To uninstall the Trust1Connector through the Windows command prompt
The Trust1Connector is designed to be browser independent. However there are some browsers which require some extra information in order to be able to use the Trust1Connector.
If there is an error stating that TLS1.0 should be enabled (the error will be visible when browsing to https://localhost:10443/v2), configure the Windows 7 machine to allow a higher security protocol. Follow the steps described at https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-on-Windows-7.html to configure this. If changing the settings for TLS 1.2 only do not resolve the issue, perform the same steps for TLS 1.1.
Firefox needs to be restarted after any installation/upgrade of the Trust1Connector.
In some cases we have observed Microsoft Edge blocking connections to localhost, making it unable to communicate with the installed GCL instance.
Microsoft runs as a modern Windows app, which means it has network isolation enabled by default for security reasons. However, by default an exception is made for loopback/localhost addresses. This means that on most Edge browsers, communication with the GCL instance will not be a problem.
In specific cases though (exact reasons as yet unknown), it seems that this exception is ignored or not applied correctly, blocking communication with localhost.
If you find yourself in this situation, try the following options to resolve:
A. Enable the loopback option
Open your browser and type about:flags
in the address bar. This will open a hidden browser settings menu. Locate the Developer settings and make sure the option to Allow localhost loopback
is checked.
The number of options under the Developer settings
heading can vary between the different versions of Microsoft Edge, but the localhost loopback option should always be there.
Once the option is enabled, fully close down Microsoft Edge and restart the browser.
If this option was already enabled, try disabling it, restarting the browser and then re-enabling.
Check if this has resolved the issue. If not, proceed to option B.
B. Use the command prompt
Open a command prompt as administrator(!) and execute the following command:
Windows will respond with the message OK.
Restart Microsoft Edge and check if the issue is resolved.
Additional info can be found here:
https://blogs.msdn.microsoft.com/msgulfcommunity/2015/07/01/how-to-debug-localhost-on-microsoft-edge/https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/r_LoopbackForEdge.html
The Trust1Connector and some installation files are digitally signed. On some machines however the Trust1Connector is flagged/blocked by an antivirus. Disabling the antivirus temporary can allow the user to install the Trust1Connector for some antivirus tools. Below we provide procedures for some antivirus softwares to be able to install the Trust1Connector.
The Trust1Connector is whitelisted by Symantec.
If the user receives an notification that a script from the Trust1Connector is blocked as shown below:
The procedure at https://support.eset.com/kb2908/?locale=en_US&viewlocale=en_US can be used to solved the issue.
When using the Kaspersky and kaspersky web protection you can add an exclusion rule to the belfiusweb page. After you added this rule, restart the computer to make sure all settings are applied.
The Trust1Connector requires read and write access on some locations. The parent folders are automatically created if the permissions are correct.
On shared environments such as Citrix virtual desktop it is advised that some user folders are persisted after logout/reboot of the user.
In case of errors, it can be advised to provide logfiles to the support team. The location of these files depend on the OS.
If the application doesn't detect the Trust1Connector or keeps prompting to download the installation files, a couple of steps can be performed to check if the installation was successful.
On Windows, open the configuration screen and list the installed programs. The Trust1Connector should be listed with it's version.
Open a browser and navigate to https://localhost:10443/v2. The response should be similar to
The logfile can be used for diagnostics, these are located at Log files.
This error indicates that the certificate can not be created because the corresponding RSA key already exists. Normally the software detects if the key already exists but if doesn't work, perform the following steps:
Uninstall Trust1Connector
Delete the unused keys at C:\ProgramData\Microsoft\Crypto\Keys
the following windows command can be used to find which keys are still being used, do not delete those
Reinstall Trust1Connector (with the latest installer)
Reboot
Open the Windows services (Ctrl+R -> services.msc) and verify if the Trust1Connector service is running.
macOS
Open the terminal and enter (admin rights required)
The output should be similar to
The Trust1Connector has a secondary process active that run as the user rights
Open the taskmanager (Ctrl+Shift+Escape). In the active processes, check if there is a process "gcl-service.exe" active running as the current user and as System user.
Open the terminal and enter
The output should be similar to
The software installs a certificate on the OS certificate store. In the section below a description is given how to check if this certificate exists and if it's valid. If the certificate exists and is valid, don't remove it.
The Trust1Connector installs a local trusted certificate into the OS certificate store. The Trust1Connector is designed to automatically renew its certificate if expired, or re-create it if missing. Should the process of renewing an existing certificate fail however, the following steps can be undertaken to remedy it
Open the Windows Certificate Manager (certmgr.exe
)
Locate the expired Trust1Connector certificate by right-clicking on the top-level item Certificates - Local Computer
and searching for trust1connector
(depending on the installed version).
If the search yields multiple results, select the certificate past its expiration date.
Right-click the expire certificate, select Delete
and confirm the deletion action.
Once the certificate is deleted, restart your computer. At the next startup, a new certificate will have been generated.
Open the Mac OS Keychain Access by pressing ⌘ + space
and typing its name (Keychain)
Look under Certificates
and select the expired certificate with the name trust1connector
(depending on the installed version)
Right-click the certificate and select the Delete
action, enter your password when prompted
Restart your device
In case the above steps and checks do not resolve an issue, please contact you support channel with diagnostics of your system.
To have the maximum amount of diagnostic data, firstly increase the log level of the Trust1Connector. To do so, change the value of log_level to full in the t1c_config.json config file (admin rights required), the location of this config file depends on the operating system, more info here. Restart the machine and perform the task which has the issue in order to have some logging about it.
Now open a browser of you preference and navigate to https://rmc.t1t.be. In the upper right corner, click on admin panel. If for some reason a popup is preventing this, press the escape button to hide this popup.
Click the export button, this will generate a .json file which can be send to your support team.
For Citrix environments there are some diagnostic tools available provided by Citrix. Open https://support.citrix.com/article/CTX135075 and install the Citrix Diagnostic Toolkit (CDT). The Citrix Data Packager tool will create a .zip file with all kinds of information about the system and active processes. This .zip file can be send to the support team.
Location
Required permission
%APPDATA%\T1T\Trust1Connector
read + write
%TEMP%\T1T\Trust1Connector
read + write
Location
Required permission
~/.t1t
read + write
~/Library/Logs/T1T/Trust1Connector
read + write
Location
Required permission
%APPDATA%\T1T\Trust1Connector
read + write
Location
Required permission
~/.t1t
read + write
Location
Description
%PROGRAMDATA%\T1T\Trust1Connector
Log files of the main service
%TEMP%\T1T\Trust1Connector
User specific log files
Location
Description
/Library/Logs/T1T/Trust1Connector
Log files of the main service
~/Library/Logs/T1T/Trust1Connector
User specific log files