Introduction

The ISAAC Secure Enclave is a special resource for use by University researchers. To request access to the Secure Enclave one needs to obtain and fill out a Secure Enclave Intake Form and obtain approval from the Office of Research. In addition, the Office of Research needs to be aware of, review, and authorize all sponsored and unsponsored research that may involve sensitive information that uses the ISAAC Secure Enclave.

The current Secure Enclave intake form is available for download here (requires University authentication to obtain).

Questions? Contact Chris Howard <chowar52@utk.edu>, Pankaj Kumar <pkumar25@utk.edu> or submit a Service Request (in the menu links to the left) to get any questions answered.

The steps to getting into the secure enclave is approximately like this:

1. Obtain the Secure Enclave intake form from the link above and review the requested information
2. Fill out the Secure Enclave intake form completely. If you need help filling out the form submit an HPSC Service Request (link in menu) or come to the ISAAC Office Hours (info in menu to left)
3. Submit the form in Word to the Office of Research and Engagement Research Integrity staff (their names are listed in item #6 on the form). You can email this to them or submit an HPSC Service Request and OIT HPSC staff will route the form to the appropriate staff.
4. Once the ORE staff convert it to PDF and sign the form, then submit an HPSC Service Request for Secure Enclave access and attach the completed form. If you already created a ticket for item 2 or 3 above then that service request ticket will be used to progress the form through the steps.
5. Start on your required project Security Plan. All projects that use the Secure Enclave resources need to have a project security plan. When a Secure Enclave intake form comes in via the ticketing system staff will create a blank project Security Plan for the project.

Login Host Info

Please note that the Secure Enclave Citrix environment is used to access the Secure Enclave. 

Prerequisites for Access

Please note that the Secure Enclave Citrix environment is used to access the Secure Enclave. Please view the video below for instructions on how to access the UT Secure Enclave. For text-based instructions, please review the steps outlined below the video player.

In addition to a web browser, you will need the Duo app on your mobile device. For iOS users, download the app from the Apple App Store. For Android users, download it from the Google Play store. For more information on Duo, please visit the 2FA website.

Connecting to the Secure Enclave

Follow these steps to access the UT Secure Enclave. The video above demonstrates the login process.

1. Open a browser of your choice and access the Citrix Secure Enclave website.
2. Login to the Secure Enclave with your NetID and NetID password, then authenticate with Duo TFA.
3. This will give you either a Virtual Machine (VM) via the Desktop Menu or SSH access to the Secure Enclave login nodes using the PuTTY application in the Citrix Apps Menu. (See the video for VM access instructions)
4. To access the HPC resources, open the putty app and provide the hostname for the Secure Enclave login node.  sip-login1-se.utk.tennessee.edu and  sip-login2-se.utk.tennessee.edu are available.
5. Authenticate with your NetID, NetID password, and Duo TFA using SSH via putty.

Troubleshooting Login Issues

Inactive Accounts

Accounts that are not used for one year are disabled. If you believe your account has been disabled due to inactivity, please contact the OIT Help Desk.

Password Changes

If you know your current NetID password and desire to change it, navigate to the password management page and log in. Once you authenticate with your username, password, and Duo, continue through the account protection prompt. Specify a new password that complies with UT’s password policies and accept the AUP (acceptable use policy) to change your NetID password.

If you do not know your current NetID password and desire to change it, navigate to the password reset page. Provide the necessary information to authenticate, then continue through the account protection prompt. Provide a new password that complies with UT’s password policies and accept the AUP to change your NetID password.

If you continue to have issues with your NetID password, please submit a ticket to the OIT HelpDesk.

Certificate Errors

In some instances, after connecting to Citrix and attempting to launch a remote desktop or app, you may encounter an error of the form:

Unable to connect to the server. Contact your system administrator with the following error: SSL Error 70: The server sent an expired security certificate. The certificate "USERTrust RSA Certification Authority" is valid from 30 May 2000 to 30 May 2020.

This typically occurs because of certain broken SSL implementations that fail to ignore expired intermediate certificates in a cross-signed chain in which only one of the signatories has expired. You are more likely to encounter this error if you connected to the Secure Enclave prior to May 30, 2020, or if you have recently connected to another UTK machine or website presenting an outdated certificate chain.

To workaround this issue, you will need to remove any expired copies of the following certificates from the Intermediate Certification Authorities section of your certificate store:

• UserTrust RSA Certification Authority (Expired 5/30/2020)
• AddTrust External CA Root (Expired 5/30/2020)

The procedure for modifying your client machine’s certificate store will vary by platform, but on Microsoft Windows can be performed by pressing the start button and typing certmgr.

Do not delete any current versions of the above certificates. It is not necessary to delete any expired certs other than the two named above. Following this, you may need to close the citrix app and clear your browser cache before reconnecting.

If you require any assistance with the above procedure, please submit a ticket to the OIT HelpDesk.

X11 Forwarding

At the time of this writing, the Secure Enclave does not support X11 forwarding.