Maintaining Server Certificates

To enable secure services, you must:

  • Store SSL certificates in a trusted certificate store.

  • Load all HTTPS and LDAP server certificates into the cacerts library for the version of Java you are using.

  • Import server certificates into the security file of the JRE (it must be the same JRE that you use for the security.jar file on the av.biz server).

Enabling Server Certificates

The procedures in this section assume the following configurations:

  • The name of the certificate is: trustedCA.crt

  • The certificate alias must be unique.

  • The certificate alias must include the name of your agency, for example: agency_trustedca_cert.

  • The environment variable JAVA_HOME must point to the home directory of the Java installation that you use.

  • The Java certificate store location is: %AA_AS_HOME%\conf\certs\trusted_cacerts.

To make certificates available, run the following command:

%JAVA_HOME%\bin\keytool -import -alias agency_trustedca_cert -file "trustedCA.crt" -keystore "%AA_AS_HOME%\conf\certs\trusted_cacerts" -storepass "changeit"

ServerConfig.properties must contain the full path value for av.ssl.trustStore and the trust store password.

For example, av.biz ServerConfig.properties must contain:

av.ssl.trustStore=${jboss.server.home.dir}\\conf\\certs\\trusted_cacerts
av.ssl.trustStorePassword=changeit

The default biz.server.properties must contain this additional information:

#HTTPS and LDAPS require that you store the SSL Certificates in a trusted certificates store.
av.ssl.trustStore=${jboss.server.home.dir}\\conf\\certs\\trusted_cacerts
av.ssl.trustStorePassword=changeit
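The two properties above are easy to get subtly wrong: Java's .properties loader treats a backslash as an escape character (so the doubled \\ in the path is deliberate), the ${jboss.server.home.dir} placeholder has to resolve, and the default changeit password is the one every attacker knows. The following checker is an added example and not part of Civic Platform; it assumes only the two keys shown on this page and the ${jboss.server.home.dir} placeholder, and the sample file content embedded in it is constructed for the demonstration.

```python
"""Validate the trust-store settings in an av.biz ServerConfig.properties fragment.

Added example, not Accela's own code. It assumes the two keys shown on the page
(av.ssl.trustStore, av.ssl.trustStorePassword) and the ${jboss.server.home.dir}
placeholder; SAMPLE_PROPERTIES below is constructed for the demonstration.
"""
import re

# Constructed sample: the fragment the page says the properties file must contain.
SAMPLE_PROPERTIES = r"""
#HTTPS and LDAPS require that you store the SSL Certificates in a trusted certificates store.
av.ssl.trustStore=${jboss.server.home.dir}\\conf\\certs\\trusted_cacerts
av.ssl.trustStorePassword=changeit
"""

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: skips comments and blank lines, splits on
    the first '=' and turns an escaped '\\\\' into a single backslash, as Java does."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def resolve(value, variables):
    """Expand ${name} placeholders from the mapping; unknown names stay in place
    so the caller can report them instead of silently using a wrong path."""
    return _PLACEHOLDER.sub(lambda m: str(variables.get(m.group(1), m.group(0))), value)


def check_truststore_config(text, variables):
    """Return {'errors': [...], 'warnings': [...], 'trust_store_path': str|None}.
    Errors mean HTTPS/LDAPS trust cannot work; warnings are hardening advice."""
    props = parse_properties(text)
    errors, warnings, path = [], [], None

    store = props.get("av.ssl.trustStore")
    if store is None:
        errors.append("missing av.ssl.trustStore")
    else:
        path = resolve(store, variables)
        if _PLACEHOLDER.search(path):
            errors.append(f"unresolved placeholder in trust store path: {path}")
        elif not path.lower().endswith("trusted_cacerts"):
            warnings.append(f"trust store path does not end in trusted_cacerts: {path}")

    password = props.get("av.ssl.trustStorePassword")
    if password is None:
        errors.append("missing av.ssl.trustStorePassword")
    elif password == "changeit":
        warnings.append("trust store still uses the well-known default password 'changeit'")

    return {"errors": errors, "warnings": warnings, "trust_store_path": path}


if __name__ == "__main__":
    # Hypothetical server home used only for this demonstration.
    result = check_truststore_config(SAMPLE_PROPERTIES,
                                     {"jboss.server.home.dir": r"C:\jboss\server\av.biz"})
    for kind in ("errors", "warnings"):
        for finding in result[kind]:
            print(f"{kind[:-1].upper()}: {finding}")
    print("resolved trust store:", result["trust_store_path"])
```

Run it against the real ServerConfig.properties by reading the file into `check_truststore_config` with the JBoss server home your setenv script exports; an empty `errors` list with the resolved path printed is the expected outcome, and the changeit warning is the cue to change the store password if your deployment policy requires it.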

Sample Use Cases

Common certificate storage areas for use with Civic Platform include:

  1. Online payment processing systems (RBIZDOMAIN_VALUE: ONLINEPAYMENT_WEBSERVICE_URL pointing to the av.web.url)

    1. Extract the auto-generated av.web certificate by going to the conf directory for av.web and running these commands:

      1. accela\setenv.av.web.bat

      2. %JAVA_HOME%\bin\keytool -export -alias tomcatSSL -file "av.web.trustedCA.crt" -keystore "%AA_AS_HOME%\conf\server_keystore" -storepass "changeit"

    2. Add the av.web certificate to the av.biz server with this command:

      1. accela\setenv.av.biz.bat

      2. %JAVA_HOME%\bin\keytool -import -alias av_web_trustedca_cert -file "av.web.trustedCA.crt" -keystore "%AA_AS_HOME%\conf\certs\trusted_cacerts" -storepass "changeit"

        When asked: Trust This Certificate? [yes/no]:

        Enter: yes

  2. Secure LDAP processing: the import is similar. Choose a unique alias and import the certificate file from the LDAP server.

    You must import this certificate into trusted_cacerts after every new installation of the biz app server. You can also copy the trusted_cacerts file to each new biz app server installation.

    Civic Platform uses av.ssl.trust* to override any settings of av.net.ssl.trust* that you configured elsewhere.
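The export-then-import exchange in use case 1, and the LDAP import in use case 2 (which differs only in the alias and the .crt file), can be driven from a small wrapper that enforces the unique-alias rule before calling keytool. The script below is an added example, not Accela's tooling; it assumes JAVA_HOME and AA_AS_HOME are set by the setenv scripts as the page requires and that keytool accepts its standard -list, -exportcert and -importcert options (the long forms of -export and -import used above). The alias and file names are the ones on this page; the LDAP alias in the trailing comment is a hypothetical one.

```python
"""Drive keytool for the av.web -> av.biz certificate exchange and the LDAP import.

Added example, not Accela's own code. Assumes JAVA_HOME and AA_AS_HOME are set
(by setenv.av.web.bat / setenv.av.biz.bat) and a standard JDK keytool.
"""
import os
import subprocess


def keytool_path(env):
    """%JAVA_HOME%\\bin\\keytool, built from the environment mapping passed in."""
    return os.path.join(env["JAVA_HOME"], "bin", "keytool")


def truststore_path(env):
    """%AA_AS_HOME%\\conf\\certs\\trusted_cacerts, the store this page configures."""
    return os.path.join(env["AA_AS_HOME"], "conf", "certs", "trusted_cacerts")


def export_cmd(env, alias, out_file, keystore, storepass="changeit"):
    """Argument list for exporting a certificate (use case 1, step 1.2). Passing
    a list to subprocess avoids shell-quoting problems with paths containing spaces."""
    return [keytool_path(env), "-exportcert", "-alias", alias, "-file", out_file,
            "-keystore", keystore, "-storepass", storepass]


def import_cmd(env, alias, cert_file, storepass="changeit"):
    """Argument list for importing into trusted_cacerts (use case 1, step 2.2).
    -noprompt answers 'Trust this certificate?' with yes, which is acceptable only
    because the .crt was exported from a server you control or received out of band."""
    return [keytool_path(env), "-importcert", "-noprompt", "-alias", alias,
            "-file", cert_file, "-keystore", truststore_path(env), "-storepass", storepass]


def alias_exists(env, alias, keystore, storepass="changeit"):
    """keytool -list exits non-zero when the alias is absent; use that to enforce
    the page's rule that every alias in the trust store is unique."""
    result = subprocess.run([keytool_path(env), "-list", "-alias", alias,
                             "-keystore", keystore, "-storepass", storepass],
                            capture_output=True, text=True)
    return result.returncode == 0


def install_cert(env, alias, cert_file, storepass="changeit"):
    """Import cert_file under alias, refusing to clobber an alias already in use."""
    store = truststore_path(env)
    if alias_exists(env, alias, store, storepass):
        raise RuntimeError(f"alias {alias!r} already present in {store}; choose a unique alias")
    subprocess.run(import_cmd(env, alias, cert_file, storepass), check=True)


if __name__ == "__main__":
    env = dict(os.environ)
    # Step 1 runs on av.web after setenv.av.web.bat: export the auto-generated tomcatSSL cert.
    subprocess.run(export_cmd(env, "tomcatSSL", "av.web.trustedCA.crt",
                              os.path.join(env["AA_AS_HOME"], "conf", "server_keystore")),
                   check=True)
    # Step 2 runs on av.biz after setenv.av.biz.bat: add it under a unique alias.
    install_cert(env, "av_web_trustedca_cert", "av.web.trustedCA.crt")
    # LDAPS (use case 2) is the same call with the cert exported from the LDAP server;
    # the alias here is a hypothetical example following the agency naming rule.
    # install_cert(env, "agency_ldap_trustedca_cert", "ldap.trustedCA.crt")
```

Because the two steps run under different setenv scripts, AA_AS_HOME differs between them; run step 1 in the av.web environment and step 2 in the av.biz environment rather than both from one shell. Re-running `install_cert` after a fresh biz app server installation is what the note above requires, and the alias check makes an accidental second import on an existing store fail loudly instead of silently.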