Last revised: 23.10.2012
INSTRUCTIONS
on installation and configuration
Continent-AP software

I. General provisions 2

II. Preparing to install Continent-AP 3 software

III. Continent-AP 3 software installation

IV. Configuring the Continent-AP 8 connection

V. Configuring readers in CIPF CryptoPro CSP 10

Vi. Generating Authentication Keys and Certification Request 13

Vii. Installing certificates 18

VIII. Checking a secure communication channel 22

IX. Setting up additional workplaces 30

Abbreviations

ASFK- automated system of the Federal Treasury.

Contract- an agreement on electronic document management concluded between a third-party organization and the UFK in the Udmurt Republic or geographically remote departments of the UFK in the Udmurt Republic.

Customer- a third-party organization that has entered into the Agreement.

ON- software.

PPO- application software.

SKZI- a means of cryptographic information protection.

SUFD- remote financial document management system.

SED- electronic document management system.

I. General Provisions

1.1. This "Instructions for installing and configuring the Continent-AP software" (hereinafter referred to as the Instructions) is intended for users of the Continent-AP software (hereinafter referred to as the Continent-AP or Subscriber station). It contains the information necessary for the user to install, configure and operate the Continent-AP software used to install a secure communication channel between the UFK in the Udmurt Republic and the Client.

1.2. The Continent-AP software is provided to the Client under the Agreement.

1.3. Continent-AP software is designed for secure data transmission over public (unprotected) networks. This technology is called "virtual private network" (VPN). Data protection is ensured by cryptographic methods, as a result of which data is transmitted in encrypted form over the public network. On the Client's computer, the Continent-AP software is installed, which for data transmission is connected to a specialized computer of the UFK in the Udmurt Republic - an access server that checks access authorizations and allows access to the resources of the secured UFK network in the Udmurt Republic.

1.4. The following certificates are used for interaction between the Subscriber Station and the Access Server:

- access server certificate - for authentication of the access server;

- user certificate - for user authentication on the access server (file user.cer) - hereinafter the authentication certificate;

- Root Certification Authority certificate - to confirm the authenticity of the user certificate and the access server certificate (file root.p7b).

1.5. This Instruction covers work with Continent-AP version 3.5.x.

II. Preparing to install Continent-AP software

2.1. Before installing the Continent-AP software version 3.5.x, the CryptoPro CSP version 3.6 must be installed on the computer. Within the framework of the Agreement, the CryptoPro CSP version 3.6 is provided to the Client for temporary use by the UFK in the Udmurt Republic. The procedure for obtaining the cryptographic information protection tool of CryptoPro CSP version 3.6 is posted on the official website of the UFK for the Udmurt Republic: www.udmurtia.roskazna. ru, section "Information for clients", subsection "Electronic signature". When installing the CryptoPro CSP version 3.6, use the custom installation of the components and additionally select the "Compatibility with CryptoPro CSP 3.0" component for installation, and also make sure that the "Revocation Provider" component is not selected for installation.

2.2. To install on a computer from an operating system (hereinafter referred to as OS) MS Windows XP, select the Continent-AP software version 3.5.67, and for MS Windows 7 OS, select the software version 3.5.68.

2.3. If the Continent-AP software is installed on a computer running MS Windows 2000, it may be necessary to install additional OS updates. To install, select the Continent-AP software version 3.5.67.

2.4. All software installation operations described in Section II on the computer must be performed by a user with administrator rights.

III. Continent-AP software installation

3.1. Installation of Continent-AP software on a computer must be carried out by a user with administrator rights.

3.2. To install the Continent-AP software version 3.5.x, find in the Continent-AP distribution kit, the file setup.exe and run it.

3.3. The installer will begin the preparatory steps and a message will appear on the screen. After completing the preparatory steps, the start-up dialog of the installation wizard will be displayed. Press the "Д a lee> ".

3.4. When the license agreement appears, you must read it and accept its terms (Fig. 1) and press the button "D a lee> ".

Rice. one

3.5. A window will appear for selecting the folder into which the Continent-AP will be installed (Fig. 2). The default folder for software installation can be changed using the button " AND change ... ". After selecting the folder, press the "Д a lee> ".

Attention! For the correct joint operation of the Continent-AP software and the PPO "SED", it is necessary to install the Continent-AP strictly in the default folder - " C: \ Program Files \ SecurityCode \ ClientContinent ".

Rice. 2

3.6. When the window for selecting the type of installation appears (Fig. 3), check the item " V Selective "and press the button" D a lee> ".

Rice. 3

3.7. A window for selecting installation components will open (Fig. 4). In this window it is necessary to exclude the "Firewall" component from the installation. For this, left-click on the icon next to the component name and check the "This component will be unavailable" item. As a result, the "Firewall" component will look like in fig. 5. Press the "Д a lee> ".

Rice. 4

Rice. 5

3.8. When prompted for the IP address of the access server (Fig. 6), leave the value "0.0.0.0" unchanged and press the button "D a lee> ".

Rice. 6

3.9. A window will appear with a warning about the need for affirmative answers to all warnings that may appear during the installation of the program (Fig. 7). Click the " Have become ".

Rice. 7

3.10. The installation of the program and the required drivers will begin. During the installation, windows may appear warning that the installed software has not been tested for compatibility with the operating system (Fig. 8). Be sure to press the button "Anyway P continue. "

Rice. eight

3.11. The completion of the installation of the program will be indicated by the window shown in Fig. 9. Press the " G ottovo ".

Rice. 9

3.12. After installing the Continent-AP software, you need to restart your computer. After loading the OS in the notification area (in the lower right corner of the screen) an icon of the Subscriber Station control program will be displayed in the form of a gray shield with the letters "AP" (Fig. 10).

Rice. 10

3.13. In order to correctly form applications for the production of authentication certificates, it is necessary to replace the application template file. To do this, copy the application template file request.xsl over the existing Continent-AP software installation folder (for software version 3.5.67, the folder “ C: \ Program Files \ SecurityCode \ ClientContinent \"). The template file is located in the folder with the Continent-AP software installation files.

IV. Configuring the Continent-AP connection

4.1. When you install the Continent-AP software, a connection with the same name "Continent-AP" is automatically created on your computer. For the correct operation of the Subscriber Station, it is necessary to configure the specified connection. The connection is configured by a user with administrator rights.

4.2. To configure the connection, right-click on the Subscriber Station control program icon (an icon in the form of a shield with the letters "AP" in the lower right corner of the screen) and in the context menu that appears, select the item "Settings → Continent-AP" (Fig. 11).

Rice. eleven

4.3. The "Continent-AP" connection properties window will open. In this window, on the "General" tab (Fig. 12). In field " N Phone number: "enter the IP address « 78.109.112.138 » or " 10.13.253.21 ", If the connection" ufkras "is additionally used to connect to the access server.

Rice. 12

4.4. Then select the "Network" tab (Fig. 13). In this tab, in the "Components used by this connection:" field, uncheck all the components except for "Internet Protocol (TCP / IP)", "QoS Packet Scheduler", "Continent3 Filter Driver". To complete the connection setup, click the "OK" button.

Rice. thirteen

V. Configuring readers in the cryptographic protection system of CryptoPro CSP

5.1. A set of readers and data carriers used when working with authentication keys for Continent-AP software is configured in the CryptoPro CSP cryptographic protection tool (hereinafter - CryptoPro software).

5.2. Before starting the generation of authentication keys, make sure that the required (planned for use) readers and media have been added to the CryptoPro software. To do this, open the control panel (Start → Settings → Control Panel) and in it open the CryptoPro CSP snap-in (Fig. 14).

Rice. 14

5.3. The "CryptoPro CSP" window will open (Fig. 15) (below are instructions for CryptoPro version 3.6). In this window, select the "Hardware" tab and click the "Configure With readers ... ". A window with a list of installed readers will appear (Fig. 16). If the required readers are not present in the list, you will need to add them. In this case, the addition must be made under a user account that has administrator rights on this computer.

Rice. 15 Fig. sixteen

5.4. To add the required reader in the "Manage Readers" window, click the " D add ... "(fig. 16). The "Reader Installation Wizard" window will open, in this click the " D more> ".

5.5. In the window that appears (Fig. 17) in the available readers select the required one and press the button " D more> ".

Rice. 17

5.6. In the window that appears (Fig. 18), the field “ AND Reader name: "leave unchanged and press the button" D more> ".

Rice. eighteen

5.7. As a result, a window will appear with a message about the completion of the reader installation wizard (Fig. 19). Click the Finish button. As a result, a new reader will be added to the list of installed readers (Fig. 16). Close the "Manage Readers" window (Fig. 16) by clicking the "OK" button. Close the "CryptoPro CSP" window (Fig. 15) by clicking the "OK" button.

Rice. nineteen

Vi. Generating Authentication Keys and Certification Request

6.1. To authorize on the access server of the UFK in the Udmurt Republic, the user must have a private authentication key and a public key certificate. All actions to create authentication keys and a certification request are carried out on a computer under the account of the user who will subsequently authorize on the access server of the UFK in the Udmurt Republic.

6.2. Right-click on the Subscriber Station control program icon (an icon in the form of a shield with the letters "AP" in the lower right corner of the screen) and in the context menu that appears, select "Certificates → Create a request for a user certificate ..." (Fig. 20).

Rice. twenty

6.3. The form shown in Fig. 21. All fields are required, except for the "Description" field, this field is not filled. In this form, a number of restrictions are imposed on the fields "Employee name:", "Organization:", "Department:". The line length of each field cannot exceed 64 characters. When filling in these fields, you cannot use quotes, commas, semicolons, "+" signs.

Rice. 21

6.4. In field "Employee name:" indicate the full name of the Client (this field corresponds to the field "conventional name of the organization" in the application). If the Client's name exceeds 64 characters, then shorten it using understandable abbreviations (for example, "Municipal educational institution" - MOU, "secondary school" - secondary school, "State government institution" - GKU, "Municipal entity" - MO, etc.). P.). If the Client has more than one Continent-AP workstation, for example, the Client acts as the “Receipt Administrator” and “Recipient of budgetary funds”, etc., then after the name it is necessary to add, respectively, “(AWP AP)”, “(AWP PBS )" etc.

6.5. In field "Organization:" indicate the full name of the Client, subject to the restrictions imposed on the field.

6.6. In field "Subdivision:" indicate the name of the subdivision (department) that exchanges electronic documents with the UFK in the Udmurt Republic. If there is no division into departments in the organization, then put a dash (“-” sign).

6.7. In field "Region:" indicate "Udmurt Republic".

6.8. In field "Town:" please enter the name of the city in question. For other settlements of the republic, it is required to indicate: the type and name of the settlement, the region of the republic through a dot.

6.9. In field "The country:" select "RU".

6.10. In field « e- mail:» enter the email address of the Client. It is advisable to indicate addresses related to the Client's corporate domains, for example, roskazna.ru, minfin.ru, etc., and not on public domains: gmail.com, mail.ru, rambler.ru, etc.

6.11. In field "Electronic form:" the file name of the request for the authentication certificate (file with the extension .req) and the folder in which it will be saved. The folder for saving the request file can be selected using the "Browse ..." button. It is recommended to create on a non-system disk (disk D, E, etc.) a folder "Continent-AP" and a subfolder for the current year (if necessary, additional folders can be created "AP", "PBS", etc.)

6.12. Necessarily put a check next to the box "Paper form:"... This field will show the file name of the application for the authentication certificate (file with the extension .html) and the folder in which it will be saved. The folder for saving the application file can be selected using the "Browse ..." button. It is recommended to save the application file in the same folder as the request file.

6.13. After filling in the required form fields, click the "OK" button.

6.14. A window for selecting a key medium will appear (Fig. 22), which will be used to store the private authentication key, and will later be used to establish a connection with the UFK access server in the Udmurt Republic. When using a USB flash drive as a key carrier, insert a blank USB flash drive into the computer, in the field Have device: "select" Drive: E "(if the" flash drive "is defined in the system under the letter" E ", in your case, any other letter can be) and press the" OK "button.

Attention! It must be remembered that key carriers are carriers of information for official use, and during their storage and use, it is necessary to comply with the requirements set forth in the Rules for the Use of the Continen-AP CIPF, as well as the requirements of the Instructions on the organization and security of storage, processing and transmission through channels communication with the use of means of cryptographic protection of information with limited access, which does not contain information constituting a state secret, approved by order of the Federal Agency for Government Communications and Information under the President of the Russian Federation No. 152 dated June 13, 2001.

Rice. 22

6.15. If a biological random number generator is installed in the CryptoPro software, then after selecting the key carrier, a random number generator window will appear (Fig. 23). Move the mouse freely and press the keys.

Rice. 23

6.16. A window will appear asking you to set a password for the created key container (Fig. 24). Set the desired password and click the "OK" button. The password must be remembered or written down and kept, without allowing its disclosure.

Rice. 24

6.17. As a result, a key container with a name in the format "username" _ "creation date" _ "creation time" ( ). A message will appear on the screen stating that the creation of the request was completed successfully. A request file will be created in the folder specified in clauses 6.11-6.12 ( username_DD_MM_YYYY__HH_MM_SS.req) and an application file for an authentication certificate ( ).

6.18. Print the Authentication Certificate Application (from file username_DD_MM_YYYY__HH_MM_SS.html) and fill it in.

6.19. The request file for the authentication certificate and the application, as well as other necessary documents, are transferred to authorized persons on the issues of secure electronic document management in the UFK in the Udmurt Republic in accordance with the established procedure.

6.20. After positive verification and processing of documents, the Client receives a custom authentication certificate (file user.cer) and the root certification authority certificate (file root.p7b). These files should be kept in case you need to reinstall the software and / or the certificates themselves. After receiving the certificates, it is recommended to save them to the folder specified in clause 6.11.

Vii. Installing certificates

7.1. The installation of certificates is carried out on a computer under the account of the user who will subsequently authorize on the access server of the UFK in the Udmurt Republic.

7.2. To install a user authentication certificate, right-click on the icon of the Subscriber Point control program (an icon in the form of a shield with the letters "AP" in the lower right corner of the screen) and in the context menu that appears, select the item "Certificates → Install User Certificate" (Fig. 25) ...

Rice. 25

7.3. A standard explorer window for file search will open (Fig. 26). In this window, find the folder where you copied the certificate files. select a file user.cer and press the button " O open ".

Rice. 26

7.4. A window for selecting a key container will appear (Fig. 27). If the key container was created on removable media and this media is not currently inserted into the computer, then insert it and click the "Refresh" button. All available key containers should be displayed in the container selection window. Select the container that was created in clause 6.17 ( username_DD_MM_YYYY__HH_MM_SS) and click the "OK" button.

Rice. 27

7.5. If an error message appears with the text "Incorrect provider public key" (Fig. 28), then you either selected the wrong certificate file in section 7.3, or selected the wrong key medium in section 7.4. In this case, press the "OK" button and repeat the steps described in clauses 7.2-7.4.

Rice. 28

7.6. If the certificate of the root certification authority of the UFC access server in the Udmurt Republic has never been installed at this workplace before, then a window will appear asking you to install the root certificate (Fig. 29), click the "Yes, automatically" button.

Rice. 29

7.7. This will start the installation of the root certification authority certificate from the file root.p7b found next to the user authentication certificate file user.cer... A security warning will appear on the screen (Fig. 30). Be sure to click the " D a".

Rice. thirty

7.8. The completion of the installation of the certificate will be indicated by a message about the successful completion of the import of the user certificate (Fig. 31). Click the OK button.

Rice. 31

7.9. If the Continent-AP was configured to permanently use one authentication certificate, then in the future it may be necessary to reconfigure the Continent-AP to use a different authentication certificate (in particular, when changing the authentication keys). In order for the window for selecting an authentication certificate to start appearing again, follow these steps.

7.9.1. Right-click on the icon of the Subscriber Station control program and in the context menu that appears, select Authentication Settings → Continent-AP (Fig. 32).

Rice. 32

7.9.2. Authentication settings window will appear (fig. 33). In this window, click the "Reset Stored Certificate" button and then the "OK" button. As a result, the next time you try to establish a connection with the access server, the window for selecting an authentication certificate will be displayed (Figure 34).

Rice. 33

Rice. 34

VIII. Checking a secure communication channel

8.1. If, during the network interaction between the Subscriber Station (hereinafter referred to as the AP) and the access server (hereinafter referred to as the SD), there are firewalls or other equipment that filters IP packets, it is necessary to allow the passage of packets for the following connections on the following ports:

8.2. Access to the SD can be carried out both with the use of an additional network connection "ufkras", and without it. If you use the “ufkras” connection for network interaction, then you need to connect it. For all questions related to the network connection "ufkras" (creation, configuration, etc.), please contact the information systems department.

8.3. Initially, it is necessary to check the open communication channel.

8.3.1. To do this, select the "Run ..." item in the "Start" menu (Fig. 35). The "Run the program" window will open (Fig. 36). In this window in the field " O open: "type the command" cmd"And click the" OK "button.

Rice. 35 Fig. 36

8.3.2. A command line application window will appear (Figure 36). In this window, type the command " ping78.109.112.138 " or « ping10.13.253.21 "(if the network connection "ufkras" is used) and press the key. If the UDF SD for the Udmurt Republic is available, then the command execution result will be approximately the same as in Fig. 37 (numerical values ​​may differ from those shown in the example). Close the command line application window by clicking the cross in the upper right corner of the window.

Rice. 37

8.4. After successfully checking the open communication channel, run the ChannelChecker.exe utility (Fig. 38). The utility is located in the folder with the Continent-AP software installation files, in the Tools folder.

Rice. 38

8.4.1. Leave the "Port" field unchanged (the default value is 7500).

8.4.2. In the Timeout, sec field, enter 10.

8.4.3. In the "Server IP-address" field, specify the address of the SD, the interaction with which is tested - 78.109.112.138 (10.13.253.21 - when connecting using "ufkras").

8.4.4. Leave the Server port field unchanged (the default value is 4433).

8.4.5. Test it. Testing is carried out with a broken Continent-AP connection. The test result will be displayed in a message box:

- if the connection between the AP and the SD was successfully established, the message "Check completed successfully" will appear;

- if no response has been received from the CD within the time period specified in the “Timeout” field, the message “Timeout expired” will appear;

- if during testing an error message “Error Usually one use of the socket address (protocol / network address / port) is allowed” appears, then you need to check if the Continent-AP software is currently trying to establish a connection - in this case, manually disconnect the connection and try testing again.

8.4.6. If the message "Timeout expired" appears:

1) check the correctness of filling in the fields;

2) if the fields are filled in correctly, change the value in the "Port" field to 7501 and test again - if the test is successful, go to paragraph 8.5. of this manual;

3) if the “Timeout expired” message reappears, test using port 7502 - if the test is successful, go to step 8.5. of this manual.

8.5. Open the "Device Manager" (Fig. 39) (right-click on the "My Computer" icon, select the "Computer Management" menu item), in the "Network Cards" find "Continent 3 PPP Adapter". In the adapter properties on the "Advanced" tab, change the default value in the "UDP port" field - 7500 - to the required value and click the "OK" button (Fig. 40).

Rice. 39

Rice. 40

8.6. You may also need to check the type of remote access server you are connecting. To do this, open the properties of the network connection "Continent-AP", the "Network" tab, "The type of remote access server to be connected:" should be "PPP: Windows 95/98 / NT 4/2000, Internet".

8.7. Upon successful check of the availability of the SD UFK in the Udmurt Republic, right-click on the icon of the AP control program (an icon in the form of a shield with the letters "AP" in the lower right corner of the screen) and in the context menu that appears, select the item "Establish / break connection → Establish connection Continent -AP "(Fig. 41).

Rice. 41
8.8. A window will appear for selecting a certificate that will be used when connecting (Fig. 34).

Rice. 34

8.9. In the "User Certificate:" field, click the drop-down icon. A list of all personal certificates installed on this workstation will be displayed. In this list, you must select the authentication key certificate issued to your organization (Fig. 42).

Rice. 42

8.10. To check if you have selected the correct certificate, click the "Properties" button in the certificate selection window (Fig. 34). The properties window of the selected certificate will open (Fig. 43). In this window, in the field "Issued to:" should indicate the code name of your organization, in the field "Issued by:" should indicate the name of the root certification authority of the UFK access server in the Udmurt Republic ( CA- SD13- root). In addition, the correct certificate expiration date must be specified. After checking the specified parameters, click the "OK" button in the certificate properties window.

Rice. 43

8.11. If the certificate is selected correctly, click the "OK" button in the certificate selection window (Fig. 34). If the connection is made for the first time, a warning will be displayed on the screen that the UFC access server is not in the allowed lists and a proposal to add it to the list will be displayed (Fig. 44). In this case, click the "Yes" button.

Rice. 44

8.12. After that, an attempt will be made to read the private authentication key from the key container. If the key container was created on removable media, and this media is not currently inserted into the computer, you will be prompted to insert the key media. Upon successful attempt to read the key and establish a connection, the AP control program icon (an icon in the form of a shield with the letters "AP" in the lower right corner of the screen) will change its color from gray to blue (Fig. 45). In the future, the blue color of the pictogram indicates that at the moment the connection with the SD UFK in the Udmurt Republic has been established.

Rice. 45

8.13. For successful work with PPO "ASFK (SUFD)" (hereinafter referred to as the SUFD-portal) or PPO "SED" through Continent-AP, after establishing a connection with the SD UFK in the Udmurt Republic (the icon of the AP control program in blue), the SUFD-portal must be available or FTP-server of the UFK in the Udmurt Republic. To check the availability of the SUFD-portal of the UFK in the Udmurt Republic, select the "Run ..." item in the "Start" menu (Fig. 35). The "Run the program" window will open (Fig. 36). In this window in the field " O open: "type the command" cmd"And click the" OK "button.

8.14. The command line application window will appear (Figure 46). In this window, type the command " ping 10.13.200.12 "To check the availability of the SUFD-portal or" ping 10.13.1.10 »To check if the FTP server is available and press the key. If the SUFD-portal or FTP-server of the UFK in the Udmurt Republic is available, then the result of executing the command will be approximately the same as in Fig. 46 (numerical values ​​may differ from those shown in the example). Close the command line application window by clicking the cross in the upper right corner of the window.

Rice. 46

8.15. After checking the availability of the SUFD-portal or FTP-server of the UFK in the Udmurt Republic, disconnect the connection with the SD, to do this, right-click on the icon of the AP control program and in the context menu that appears, select the item "Establish / break connection → Break Continent-AP connection" ( fig. 47). The AP control program icon will change its color from blue to gray.

Rice. 47

8.16. If the connection check was successful, it is recommended to configure the Continent-AP software to permanently use the selected authentication certificate. To do this, follow the steps described in clauses 8.7-8.10. After that, in the window for choosing a certificate (Fig. 48), check the box "always use this certificate when connecting" and click the "OK" button. A connection will be established with the SD UFK in the Udmurt Republic (the icon of the AP control program will change its color from gray to blue). As a result, in the future, when connecting to the SD UDF in the Udmurt Republic, the selected authentication certificate will always be used, and the certificate selection window will not appear.

Rice. 48

IX. Setting up additional jobs

9.1. When organizing more than one workstation to work with the SUFD-portal or PPO EDMS through one workstation (or server) with the Continent-AP software installed, additional settings are required.

9.2. Legend:

1) Server - an automated workstation (hereinafter - AWS) with installed Continent-AP software.

2) Client - an additional AWP with a SUFD-portal or PPO EDMS.

9.3. Server settings.

9.3.1. Check if the Windows Firewall / Internet Connection Sharing (ICS) service is running, if not, start it.

9.3.2. Open "Network connections", in the properties of the Continent-AP connection on the "Advanced" tab, check the box "Allow other network users to use the Internet connection of this computer".

9.4. Settings on the Client.

9.4.1. Add a route from the Client to the "SUFD-portal" (or FTP-server) through the Server using the command line (cmd.exe):

route add 10.13.200.12 mask 255.255.255.255 "Server_IP_address"

9.5. Check the connection from the Client (in this case, the Continent-AP connection must be established on the Server) using the command line (cmd.exe):

Ping 10.13.200.12.

9.6. If the connection check is successful, repeat the add route command with the "-p" switch using the command line (cmd.exe):

route add 10.13.200.12 mask 255.255.255.255 "Server_IP_address" -p.

9.7. When using several Clients, the corresponding settings - clause 9.4. - it is necessary to carry out on all workstations.

15. "Error" Insert the key carrier. The keyset does not exist.

15.1 Make sure the Continent key storage medium is inserted.

15.2 When establishing a connection at the stage of choosing a certificate, make sure that the correct certificate is selected.

15.1.3 Make sure that CryptoPro sees the given key.

16. "Error" Insert the key carrier (the "Devices" field is empty).

Make sure the storage medium with the Continent key is inserted;

Open CryptoPro and, on the "Hardware" tab, select "Configure readers";

In the field "The following readers are installed" delete all readers by selecting them in turn and pressing the "Delete" button;

Click "Add";

The Reader Installation Wizard window will appear. Click "Next";

At the next step of the Reader Installation Wizard, in the Manufacturers field, select All Manufacturers. And in the "Available readers" list, select "All removable drives". Click "Next";

In the window that appears, click "Finish";

Try to re-establish the connection.

17. "Error" The icon located in the tray is gone.

17.1 Go to "Start" => "All Programs" => "Security Code" => "Subscriber Point Continent" and select "Control Program".

17.2 If the icon does not appear, right-click on the Windows taskbar (or press ctrl + alt + delete) and select Task Manager.

Go to the Processes tab and select AP_Mgr.exe from the list and click the End Process button.

Then repeat point 17.1.

18. The server denied access to the user "Invalid key usage type".

18.1 Reinstall the certificate after clearing the "remembered passwords" in CryptoPro. Check the work.

18.2 It is necessary to “fix” the Continent-AP program through the Control Panel => Add or Remove Programs, or install a new version of the Continent-AP.

18.3 Reinstall Continent-AP (restart the computer). Reinstall the certificate.

18.4 Reinstall CryptoPro first (preferably through cspclean.exe), then Continent-AP (restart the computer). Reinstall certificates.

19. The server denied access to the user. "Client-Cert not found" (see Fig. 5).

Solution: Check the validity period of the license for CryptoPro CryptoPro, version 3.6. To do this, open the Start menu => Programs => Crypto-Pro => Manage CryptoPro PKI licenses (see Fig. 6).

Select the "CryptoPro CSP" menu item. In the right part of the "CryptoPro PKI License Management" window, the license validity period is indicated (see Figure 7).

If the license has expired, right-click on the CryptoPro CSP menu bar, select the All Tasks => Enter Serial Number menu item (see Figure 8). Enter the serial number of the license obtained from the FC authority.

If the license is valid for an unlimited period, close the "CryptoPro PKI License Management" window and try to establish a Continent-AP connection. If the problem persists, follow these steps.

It is required to remove the Continent-AP certificate from the computer settings and reinstall this certificate. To do this, open the Continent-AP menu by right-clicking on the icon in the lower right corner of the screen.

On the menu "Configuring Authentication" activate the command "Continent-AP"(see Figure 9).

The Continent-AP window will appear on the screen. Click the button "Reset Stored Certificate" press the button "OK"(see fig. 10).

Run the program certmgr.msc from the "Utilities" folder included in the distribution kit "Continent-AP 3.6 with support for Windows7 Distribution kit and user manual." The "Certificates" window will appear on the screen. Open the "Certificates - current user" list, then the "Personal" list, then the "Certificates" list (see Fig. 11).

Fig. 11

Remove all certificates for which the "Issued by" column indicates "UFK Access Server" or "OFK Access Server" (see Figure 12). Close the "Certificates" window.

Call the Continent-AP menu by right-clicking on the icon in the lower right corner of the screen.

On the menu "Certificates" activate the command "Install user certificate"(see fig. 13).

The "Open" window will appear on the screen. select a file user.cer and press the button "Open"(see fig. 14). File user.cer may be on a floppy disk or flash drive.

The "Continent-AP" window will appear on the screen with the offer "Select the key container of the user certificate". Select the required key container and click the button "OK"(see fig. 15). Usually, the initial characters of the name of the key container are the same as the TIN of the organization.

If a message appears on the screen, as in Figure 16, press the button "Yes, automatically"(see fig. 16). This message will not appear when you reinstall the certificate.

If a message appears on the screen, as in Figure 17, press the button "Yes"(see fig. 17) . This message will not appear when you reinstall the certificate.

Click the button "OK"(see fig. 18).

Try to establish a Continent-AP connection. If the problem persists, reinstall the Continent-AP. To do this, open the menu "Start => Settings => Control Panel" (see Fig. 19).

Open the "Add or Remove Programs" shortcut (see Figure 20).

Find the line "Continent-AP" in the list of installed programs and click the "Change" button (see Fig. 21).

The Continent-AP window will appear on the screen. Click the Next button (see Figure 22).

Check the box "Fix". Click the Next button (see Figure 23).

Click the "Install" button (see Fig. 24). Wait for the Continent-AP installation to complete. This may take a few minutes.

Rice. 24
Click the Finish Button (see Figure 25).

Press the button to restart the computer. "YES"(see fig. 26).

After restarting your computer, try to establish a Continent-AP connection.

20. "Error" When trying to establish a connection, the message “ The integrity of the Subscriber Station files has been violated. Contact your system administrator"(See fig. 27).

Run the start.bat file from the setup folder, which is located in the archive with the Continent-AP distribution kit. Try to establish a connection. If it does not connect, uninstall Continent-AP and install Continent-AP version 3.6 in accordance with the document "User Guide for installing and configuring CIPF Continent-AP 3.6.doc".

Some of the information is taken from the sourcetut- admin. ru/ 2014/06/11 / typical-mistakes-continent-up /

The Continent-AP information encryption system from the developer "Security Code" is a software and hardware complex that provides remote access to the networks of large municipal organizations, such as GAS "Vybory" and the Federal Treasury. To update the Continent-AP cryptographic protection system, it is necessary to completely remove the previous version of this program from the computer: otherwise, the installation of the new software will be impossible due to conflicts with the system.

Work in the program

Continent-AP provides users with such opportunities as:

• secure RDP access to computers and portable devices using a special cryptographic algorithm certified in accordance with GOST 28147/89 (operates in gamma mode with a reverse response);
• the creation of a multi-stage authentication algorithm for remote users based on X.509 standard public key certificates, which ensures a high degree of security for the data transmitted within the APC;
• support for external VPN clients for Linux and Windows OS, including electronic keys Token, iKey, iButton identifiers, floppy disks and flash drives;
• communication with the Continent system from mobile devices and stationary PCs at a speed of up to 16 Mb per second;
• much more.

To access the CIPF, you must use valid certificates of the root certification authority:

• cer - user certificate;
• p7b - root certificate.

In order to install root certificate, you need:

1. Unzip the file with certificates to the key drive - this can be a disk, flash drive and other removable media with a key container where private keys are stored, which are generated by employees of the relevant authorized department when a request for obtaining a user certificate is generated. By its content, a key container is a folder with attachments like "header.key", "masks.key", etc.
   
2. Install the certificate in the "Storage" on the PC. To do this - on the Windows taskbar in the tray, find the shield icon with the inscription "AP" - usually the specified object is located in the lower right corner of the monitor, next to the time and date settings.
3. If there is no application in the tray, you will need to launch it from the Start menu. Select the section of the opened menu “Start” - “Programs”, go to the subsection “Security Code”, to the folder “Subscriber Point Continent” and click on the icon “Control Program”.
4. In the context menu that opens, go to the "Certificates" section: in the drop-down list, select the "Install cert. user ".
   
5. Go to "Explorer" - press the Win + E combination and go to the removable media on which the certificates of the key container file are stored.
6. Select the file "user.cer" and click "Open".
7. In the dialog box that opens, the inscription "Select a key container ..." will appear - click on the name of the key container. After the element is highlighted in blue, tap on "OK".
   
8. When the CryptoPro CSP window appears, enter the access password for the specified container, and then click on "OK". Password is issued to the user who submitted an application for a certificate. If the password was forgotten or lost, you will need to generate a new application for obtaining a key, and the current certificate should be revoked.
9. A dialog box will appear in which you need to click on "Yes, manually".
10. Now you need to load the certificate called "root.p7b" - go to the explorer on the removable media, right-click on the object and select the "Open" context menu option.
11. Read the text presented in the "Security Warning" window, and then tap on the "Yes" interactive button.
12. The screen will display the message “Import user certificates. completed successfully. "
13. After pressing the "OK" button, you can connect to the access server.

To delete certificates in Continent-AP, you will need to perform the following operations:

1. Right-click on the shield icon in the tray on the bottom toolbar: go to the "Settings" context menu item and select the "CIPF Continent-AP" section.
2. In the opened dialog box "CIPF Continent-AP Properties" go to the "Security" tab.
3. In the "Additional (custom parameters)" section, click on the "Options ..." interactive key.
4. In the opened menu "Additional security settings" in the section "Secure login" activate "Properties".
5. A dialog box will open, on the left side of which there is an element “Server Dostupa”, and on the right side - “CA SD” (a particular user may have different names for the keys). To delete the specified certificates, you will need to click on the button located in the lower right part of the open window - "Reset the stored certificate", then tap on "OK" and exit "Settings".
   
6. Now you need to completely delete the Continent-AP ".cer" format file from the key storage. To do this, in Windows 7, you will need to call the Run window by pressing the Win + R keys or through the Start menu - Run. In version 10 of the operating system, you need to click on the magnifying glass icon located in the lower left corner of the display to the right of the Start menu, and enter the Run command or hold down the Win + R combination.
7. Type in the command "certmgr.msc" without quotes, then tap "Enter".
8. If an error like "Can't find .msc" appears, follow the next 7 steps, if there is no error, go directly to step 18 of the current instruction.
9. In the "Run" window, drive in the code word "mmc" without quotes and click on "OK".
10. In the "Console" window go to the leftmost item of the "File" menu, in the drop-down list select the fifth item - "Add or remove snap-in".
    
11. In the dialog box that opens, go to the "Isolated equipment" tab and click on the "Add" button located in the lower left corner of the screen.
12. The monitor will display a list of available snap-ins. Click on "Certificates", and at the bottom of the "Add standalone snap-in" window, click on the "Add" button.
13. In the "Certificate Manager Snap-in" check the box next to the "my account ..." option and click on "Finish".
14. Exit "Add Rig" by clicking "Close".
    
15. In the main part of the active window "Add / Remove ..." certificates of the current user will appear - click on the "OK" button.
16. The "Console" window will be displayed under the name "Certificates" - select the objects with "CA SD" in the "Issued by" column, located on the right side of the screen, and click on the "Delete" option.
17. In the left side menu, go to the "Trusted Root Authorities ..." - "Certificates" section and uninstall the object called "CA SD".
18. Exit Rig without saving.
19. You can reinstall the new ".cr" file.

Uninstalling the program

Before uninstalling Continent-AP from your computer, you need to create a system restore point, since in case of incorrect uninstallation of CIPF components, problems may arise when you try to install this hardware and software complex on a PC again. To do this, follow these steps:

Now you can safely remove Continent-AP 3.6 from your PC and clean the registry from residual files of this program.

Standard uninstall

In order to remove Continent-AP 3.6 from a PC, it is recommended to follow the instructions:

1. Exit the program in the tray - right-click on the icon in the form of a shield with the inscription "AP", and select the "Exit" option in the context menu.
2. Make sure that the software is not included in the list of background processes and in startup. Go to the "Task Manager". You can perform this operation by pressing the combination Ctrl + Alt + Delete and choosing the appropriate tool "Task Manager" or through the menu "Run: hold Win + R and enter the code phrase" taskmgr "without quotes, tap" Enter ".
3. In the "Processes" tab, finish the executable exe of the uninstalled CIPF - right-click on the object and activate the "End task" option.
   
4. Go to the "Startup" tab and disable the uninstalled software by pressing the right mouse button and selecting the "Disable" option.
5. Go to the "System Configurations" window. You can perform this action through the magnifying glass icon located to the right of the "Start" menu - enter the "Configuration" command or the "msconfig" key. You can also get into the configurator window in an alternative way: hold Win + R, in Run, type in the password "msconfig" without quotes - "Enter".
6. Go to the "Services" tab, click on "Do not display Microsoft services", tap "Disable all" (after completing this action, the entire list of startup programs will be cleared). You can disable only the uninstalled cryptographic protection tool - for this, find the specified object in the general list of services and uncheck the box to the left of its name.
   
7. In Windows 7, you will also need to go to the "Startup" tab and disable the executable process using the "Disable" option.
8. Close the "msconfig" window after pressing the "Apply" button.
9. Reboot the computer.
10. In OS 10 you need to go to the Start menu, click on the gear icon. In the window "Windows Settings" select the subsection "Applications".
11. Find the uninstalled Control Program in the "Applications and Features" using the built-in search bar - right-click on the found search result and initiate uninstallation.
    
12. Follow the prompts of the "Installation Wizard" - click "Finish" at the end of the uninstallation process.
13. Restart your PC.
14. After turning on the device - go to the tool "Registry Editor" - press Win + R and enter the command "regedit", tap on "OK".
15. In the "Registry Editor" window, select the leftmost item of the "File" menu - the "Export" section. Specify "All registry" as the export range, then enter any file name and click "Save" in the required directory. Subsequently, you can restore data from the specified source using the "Import" option.
16. Hold down the Ctrl + F combination and look for the residual components of the uninstalled application - click "Find Next".
    
17. The monitor will display a list of registry entries: clear individual entries located in "HKEY_CURRENT_USER" and "HKEY_LOCAL_MACHINE".

Note! It is better for inexperienced users to skip the step with a manual clean registry, as there is a high probability that their actions can break the OS. You can use a special tool for cleaning the registry from residual files called Reg Organizer. There is both a full-fledged version of this software solution and a portable exe that does not require installation.

In order to remove from the registry "garbage" keys and files left after uninstalling Continent-AP versions 3.5, 3.6 and 3.7 using RegOrganizer, you will need:

Alternative way to uninstall the program

If the user has little time and urgently needs to remove the Continent-AP program from his computer, then one of the specially designed uninstaller utilities will come in handy. Best solutions:

• CCleaner;
• Revo Uninstaller;
• Advanced SystemCare (iObit);
• Uninstall Tool.

All of these applications operate on approximately the same principle: they perform a standard removal of the application, after which they clean the file system and registry from residual software components. For example, in order to completely remove Continent-AP 3.7 using the free CCleaner software, you will need to follow the instructions:

I told you how to install the Continent AP program on Windows 7. The fact is that this program uses certificates in its work, with the help of which a secure connection and data exchange with the Continent AP access server is created. In this article I will try to tell you how to create a certificate issuance request for the AP Continent, as well as how to install this certificate into the program.

I will show, as always, with pictures, although they were made on a computer running Windows XP. So let's get started ...

After installing the Continent AP, you should see a "gray shield" icon in your system tray. If you click this "shield" with the right mouse button, a context menu will appear, as shown in the picture below:

Here you need to select the "Certificates" menu item, and then "Create a request for a user certificate". The following window will open (Fig. 2):

This form must be completed. Remember to insert a blank key carrier before doing this. After all, after filling out this form, the generation of private keys will begin, which occurs on the rejected key carrier. This can be, for example, a USB flash drive. If you use the Crypto PRO 3.6 or higher program on your computer, then the flash drives are enabled by default. And to be more precise, "All removable media". I do not consider generation on a key carrier of the "Registry" type. this is prohibited in our UFK.

So, back to filling out the form (Fig. 2). As you can see, it consists, as it were, of two blocks. I outlined them in yellow. If everything is intuitively clear with the upper block (you need to fill in all the fields), then I will dwell on the lower one in more detail. You must immediately check the "paper form" checkbox. It is not installed by default. Using the "Browse" buttons, you can select a location to save files. And there will be two of them. * .reg and * .html. The file names can be edited as you like, without changing, of course, the file extensions.

By default, the program offers to save under the following name: the name of the computer on the network (I circled it in blue), the date and time of the request. As you can see from the figure, the request was created on December 10, 2015 at 9 hours 51 minutes 46 seconds on a computer named "imyacompa". The last 3 characters are added randomly. They always consist of three digits and I did not notice any system in their generation.

It is worth noting that if you downloaded the Continent AP version 3.5.68.0 from my website, then most likely there is an old printable template. After installing this program, you need to change this template. This is relevant for our region, namely the Chelyabinsk region. Changing the template of the printable will affect only the printable in the * .html format, it will not have any effect on the * .req file.

If your region uses an old template, then you should follow the guidelines for your region. You can download the new template from the following link. If you are in our region, then before generating keys and a certificate request, change the template in accordance with the instructions in the attached file.

So, having decided on the name of the files, you can start generating a certificate request by clicking the "OK" button. As mentioned above, we will get 2 * .req and * .html files, as well as private keys on a USB flash drive or any other medium.

Next, you need to act in accordance with the procedure for submitting requests for a certificate, which is valid in your UFC. Here we print a * .html file on paper, sign it by the owner of the certificate and the head of the organization. Then we transfer to the Treasury a paper copy and a * .req file on removable media and in return we receive a certificate.

So, the request was sent to the UFK, we received a certificate. By the way, time may pass between sending a request and receiving a certificate, everyone has different ways, but the main thing is to wait for the certificate. What's next? And then right-click on the "shield" of the AP Continent and do what is shown in the picture below:

Namely: go back to "Certificates", and then "Install user certificate". The arrows in Figure 3 show what to do. Before that, insert the key carrier with the private keys obtained as a result of the generation, and also prepare the certificate received from the UFC. I copied it to a key carrier so that it was always at hand. You can do it your own way: rewrite it anywhere, the main thing is that during installation you can get to it. By the way, along with the user certificate, our UFK also issues the root certificate of the Continent AP. This certificate, when installed, must be located in the same directory as the user's one. In general, the figure below shows all this:

The root certificate of the Continent AP is the root. This certificate is required when installing Continent AP for the first time. After installing the custom certificate, the program installs the root certificate if it is not installed. Otherwise, it does nothing. But if the first time the program does not find the root, then there will be problems. Therefore, it is better to always be together with the user certificate in the same directory.

Here, Figure 4, during installation, you must, of course, select the user certificate. It is underlined by me in the picture. And the yellow folder is the private keys obtained when generating the request. There are six files with * .key extension. By the way, the keys are standard for the Crypto Pro 3.6 program. After all, it is she who generates these keys. So, having selected the user certificate, we press the "Open" button and get to the following picture:

The topmost line is the key container with private keys. And at this stage, we just have to indicate to the program the key container corresponding to our certificate. Namely, the one that was generated when creating the certificate request. In general, I will allow myself a small digression ... All EDS that are generated using Crypto Pro (you do not think that the keys are generated by the Continent AP), consist of two parts:

• a private key is a key container that is obtained upon generation;
• the public key is a certificate obtained from the treasury.

These parts are connected (again, with the help of Crypto Pro) only if they match. It is not difficult to conclude: if one of the parts is lost or damaged, then the entire EDS stops working. And it is impossible to correct this situation, except for the generation of a new EDS. There are ways to make a copy of an EDS, but I will not touch on this in this article.

So, back to "our rams". In Figure 5, be sure to click on the top line with the key container, and then click "OK". After all this has been done, you will receive the following window:

Well, here only "OK", there are no other ways ... Congratulations, the certificate is installed. It's time to test its performance. To do this, you need to do as the following picture tells us:

Right-click on the "shield", go to "Establish / break connection" -> "Establish connection Continent AP" and get into the following window:

Click where the red arrow shows (Fig. 8). If in the previous steps you followed this instruction, then you will get at least one certificate. You must choose exactly the one that you just installed (see Figure 9):

After selecting it, check the "always use this certificate when connecting" checkbox. In this case, your Continent AP will connect to the server using the specified certificate. Otherwise (if the checkbox is not checked), it will offer to select a certificate every time you connect. To find out if the correct certificate has been selected, you can use the "Properties" button. It will show everything about the selected certificate. At the end, as always, the "OK" button. The process of connecting the AP Continent to the access server will begin. If everything is done correctly, then as a result you will see in the tray how the "shield" changed color from gray to blue:

If you succeed the same as mine, then I am glad to congratulate you on the successful installation of the certificate for the AP continent. After you have connected to the access server, you can load the SUFMS and start working in it.

P.S. And one more thing: I think that I have stated everything in sufficient detail here. But still, some questions may arise. In this case, write them in the comments below. By the way, for registered users of my site, comments appear immediately, without moderation.

And finally ... If you liked this article and you learned something new from it for yourself, then you can always express your gratitude in monetary terms. The amount can be anything. This does not oblige you to anything, everything is voluntary. If you nevertheless decided to support my site, then click on the "Thanks" button, which you can see below. You will be redirected to the page of my website, where you can transfer any amount of money to my wallet. In this case, a gift awaits you. After a successful money transfer, you can download it.

Error messagesarising during the installation of communication at the Continent-AP subscriber station.

The subscriber station allows establishing remote secure connections using the Continent 3 PPP Adapter modem emulator. When connecting a Continent-AP subscriber station, error messages about their solutions, listed below, may appear.

Error 721 The remote computer is not responding.

1) You may not have an Internet connection.

2) Some programs are blocking ports. Disable antivirus, firewall.

3) Remove, if installed, the firewall that comes with the Continent-AP program.

4) If you are using a wired Internet, the provider may have blocked the ports required for the Continent-AP program to work. To check, establish an Internet connection via a USB modem.

Error 628 The connection was closed.

See Error 721

Error 629 The connection was closed by the remote computer.

See Error 721

This error occurs when a user manually enters an IP address in the properties of the TCP / IP protocol, while the server should automatically issue them. To fix this error, you need to go to the Continent-AP connection settings.

In the "Network" tab, select the line "Internet Protocol TCP / IP" and click the "Properties" button.

In the window that opens, put the following switches:

• "Obtain an IP address automatically";
• Obtain DNS Server Address Automatically.

Error 703: The connection requires some data from the user, but the application does not allow user interaction. "

Go to the settings of the AP Continent - on the "security" tab, the "parameters" button, the button - "properties", "reset the stored certificate".

Error 734 The PPP Link Control Protocol was terminated.

1. Focus on the error that appears before this one.

2. Check the system date.

Error. The server denied access to the user. Reason for rejection Multiple user logon is denied.

Wait a few minutes and re-establish the connection.

The server denied access to the user.Reason for refusal: Client-Cert not found.

Key signing error 0x8009001D (Vendor library not initialized correctly).

The license of the CryptoPro program has expired

Key signing error 0x80090019 (Keyset not defined).

1. Delete remembered passwords (CryptoPro => Service => Delete remembered passwords).
2. The certificate may have expired. Check the expiration date by opening the user.cer file.

Key signing error 0x8009001F (Invalid keyset parameter).

Key signing error 0x00000002 (The specified file cannot be found).

Remove this version of the Continent-AP program and install the Continent version 3.5.68.

The server denied access to the user. Reason for refusal: user login is blocked.

You have been blocked on the UFC server. Call and find out the reason for the blocking.

The integrity of the files is compromised. Contact your system administrator.

It is necessary to "fix" the Continent-AP program through the installation and removal of programs

Error 850: The protocol type is not installed on the computerEAP required to authenticate the dial-up connection.

It is necessary to "fix" the Continent-AP program through the installation and removal of programs

Insert the key carrier. The keyset does not exist.

1. Continent inserted.
2. When establishing a connection at the stage of choosing a certificate, make sure that the correct certificate is selected.

1. Make sure CryptoPro sees the given key

Insert the key carrier (The "devices" field is empty).

1. Make sure the flash drive with the key Continent inserted.
2. Open CryptoPro and, on the tab "Equipment", select "Configure readers ...".

1. In field "The following readers are installed:" delete all readers by selecting them one by one and pressing the button "Delete".

1. Click on "Add"
2. The Reader Installation Wizard window will appear. Click on "Further"

1. In the next step of the wizard to install the reader in the field "Producers" choose "All manufacturers"... And on the list "Available readers" choose All Removable Drives... Click the button "Further".

1. In the next window, press the button "Further"

1. In the window that appears, click "Ready".

1. Try to re-establish the connection.

The tray icon is gone.

1. Go to "Start" => "All Programs" => "Security Code" => "Subscriber Point Continent" and select "Control Program".
2. If the icon does not appear, right-click on the Windows taskbar (or press alt + ctrl + delete) and select Task Manager.

Go to the Processes tab and select AP_Mgr.exe from the list and click the End Process button.

Then repeat step 1.