Certificate Setup

Important info regarding this page

This page contains more generic certificate setup instructions as well as outdated references to GlassFish application server. For specific eHealth Exchange certificate setup instructions, refer to /wiki/spaces/CONNECTWIKI/pages/94306306


Generate Entrust Certificates

NOTE: Federal agencies, and organizations that are sponsored by a federal agency under contract or have been awarded funds for the exchange of health information with a federal agency, meet the requirements (as defined in the NHIN Onboarding Process) to use the following information to request a test certificate. Organizations that neither have such a contract nor have been awarded such funds can generate self-signed certificates and use those for testing. Any entity that your gateway is tested with will need to trust the root of the self-signed certificate.


1) The Entrust site is specific to the Internet Explorer browser. If an adopter's servers are Linux- or Solaris-based, several files will need to be moved between the adopter's Windows machine and its server machine.

Go to: https://nfitestadmin.managed.entrust.com/cda-cgi/clientcgi.exe?action=start&reason=0
On the left, select CA Certificates \ Install

2) When this pop-up window appears, select Open

3) The certificate details for the DComRootCA will be displayed. Select "Install Certificate..."

4) Navigate through the Wizard. Select Next

5) Select the option to "Place all certificates in the following store".
Then Browse to select "Trusted Root Certification Authorities"

6) The confirmation window will show your setting. Select Finish

7) Confirm the installation by selecting "Yes"

8) Then acknowledge the import by clicking "OK"

9) To verify the installation of the certificate, select the "Tools" drop-down and then "Internet Options" to bring up the Internet Options pop-up window. Select the Content tab

10) Select the "Certificates" button to bring up the Certificates pop-up. Select the Trusted Root Certification Authorities tab and confirm the presence of the DComRootCA certificate in the list.
The adopter can now close and exit the pop-ups

11) To be able to generate a Web Certificate, the adopter will need to email ONC.ExchangeInfo@hhs.gov the full computer name to use as the domain name, for example "SC075311.cs.myharris.net". ONC will return, in 2 separate emails, an Authorization Code and a Reference Number that the adopter can then use to create a signed certificate

12) Create a work area, such as: C:\Sun\AppServer\certificaterequests
Create a gateway.jks keystore in this work directory. For the distinguished name (-dname), the adopter must use the Reference Number provided as the common name, "nhin-test" as the organizational unit, and "entrust" as the organization; the components are separated by commas:

keytool -genkey -alias gateway -keyalg RSA -keypass changeit -storepass changeit -validity 365 -keystore gateway.jks -dname "cn=35005717, ou=nhin-test, o=entrust"

13) Confirm the contents of the gateway.jks keystore:

keytool -list -v -keystore gateway.jks > gatewayList

Note: The adopter will be prompted for a keystore password (changeit)

14) Generate the certificate signing request:

keytool -certreq -keyalg RSA -alias gateway -storepass changeit -file server.csr -keystore gateway.jks

15) Verify this certificate request:

16) From the Entrust web site (https://nfitestadmin.managed.entrust.com/cda-cgi/clientcgi.exe?action=start&reason=0), select "Create Certificate from PKCS#10 Request."
Enter the Reference Number, the Authorization Code, and the text of the certificate request (the server.csr file created earlier) into the text box. Select the complete text from "BEGIN NEW CERTIFICATE REQUEST" to "END NEW CERTIFICATE REQUEST".
Select "Submit Request"

17) This will generate the adopter's Web Server Certificate.
Select Download to save the servercert.bin file

18) Confirm that your Web Server Certificate carries a NetscapeCertType extension that provides both SSL Client and SSL Server capabilities by printing its details:

keytool -printcert -file servercert.bin > certDetails

19) On the left-hand side of the window select "Install" in the CA Certificates area. Select "Trust this CA to identify web sites," then click "OK" to save the cacert.crt file

20) On the left-hand side of the window select "Display list" in the Cross-Certificates area.

Select the complete text from "BEGIN CERTIFICATE" to "END CERTIFICATE". Copy this into a file called cross.crt

21) Create a backup of the cacerts.jks file. Make a copy of this file in the C:\Sun\AppServer\certificaterequests work directory. Then import the Entrust root certificate, the intermediate cross certificate, and the web server certificate into the truststore:

keytool -import -v -trustcacerts -alias entrust -file cacert.crt -keystore cacerts.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias entrust-cross -file cross.crt -keystore cacerts.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias gateway -file servercert.bin -keystore cacerts.jks -keypass changeit -storepass changeit

After viewing the certificate and confirming that the Owner references DComRootCA, type yes to trust this certificate.
Continue by importing the intermediate certificate and then the machine-specific certificate

22) Confirm that the contents of the cacerts.jks keystore includes the gateway cert:

keytool -list -keystore cacerts.jks > cacertsList

Note: The adopter may not have exactly 40 entries; the count depends on which certificates are in the truststore at that point in time

23) The gateway.jks keystore will need all three certificates added in order to form the Chain of Trust. First import the root certificate:

keytool -import -v -trustcacerts -alias entrust -file cacert.crt -keystore gateway.jks -keypass changeit -storepass changeit

Confirm the DComRootCA owner and type yes to accept this certificate

24) Next import the Intermediate certificate authority:

keytool -import -v -trustcacerts -alias entrust-cross -file cross.crt -keystore gateway.jks -keypass changeit -storepass changeit

25) Finally, import the Web Server Certificate:

keytool -import -v -trustcacerts -alias gateway -file servercert.bin -keystore gateway.jks -keypass changeit -storepass changeit

26) Verify the contents of the gateway.jks keystore:

keytool -list -keystore gateway.jks
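As an added example (not part of the original page or the CONNECT project), the following Python script checks a verbose listing (keytool -list -v, as captured in step 13) for the linkage that steps 23 to 25 are meant to produce: the gateway entry is a private key, each certificate is issued by the one listed after it, and the chain ends at a self-signed DComRootCA. The listing embedded below is a constructed sample, and the subject name of the intermediate cross certificate is an assumption.

```python
# Constructed sample of `keytool -list -v -keystore gateway.jks` output after steps 23-25 (not real data).
SAMPLE_LISTING = """\
Alias name: gateway
Entry type: PrivateKeyEntry
Owner: CN=35005717, OU=nhin-test, O=entrust
Issuer: CN=Entrust Cross CA, O=entrust
Owner: CN=Entrust Cross CA, O=entrust
Issuer: CN=DComRootCA, O=entrust
Owner: CN=DComRootCA, O=entrust
Issuer: CN=DComRootCA, O=entrust
"""


def parse_entries(listing):
    """Map alias -> {"type": entry type, "chain": [[owner, issuer], ...]} in listed order."""
    entries, current = {}, None
    for line in listing.splitlines():
        key, _, value = line.partition(": ")
        if key == "Alias name":
            current = entries.setdefault(value, {"type": "", "chain": []})
        elif current is None:
            continue                      # header lines before the first alias
        elif key == "Entry type":
            current["type"] = value
        elif key == "Owner":
            current["chain"].append([value, ""])   # issuer is filled in by the next line
        elif key == "Issuer" and current["chain"]:
            current["chain"][-1][1] = value
    return entries


def chain_problems(listing, key_alias="gateway", root_cn="DComRootCA"):
    """List why key_alias is not a private key whose chain ends at a self-signed root_cn."""
    entry = parse_entries(listing).get(key_alias)
    if entry is None:
        return [f"no entry for alias {key_alias}"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"{key_alias} is {entry['type']}, not PrivateKeyEntry")
    chain = entry["chain"]
    if not chain:
        return problems + ["no certificates listed"]
    for (owner, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:   # each cert must be issued by the one listed after it
            problems.append(f"{owner} is issued by {issuer}, not by {next_owner}")
    last_owner, last_issuer = chain[-1]
    if last_owner != last_issuer or f"CN={root_cn}" not in last_owner:
        problems.append(f"chain does not end at a self-signed {root_cn}: {last_owner}")
    return problems
```

To check a real keystore, feed chain_problems the text of the gatewayList file from step 13 (regenerated after step 25); an empty result means the chain of trust is complete.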

27) Make sure the GlassFish Application Server is stopped, then navigate to the domain configuration directory (e.g. C:\Sun\AppServer\domains\domain1\config). Adopters should make sure that they have a backup of the domain.xml and cacerts.jks files. Then they can copy gateway.jks and cacerts.jks from the certificate work directory into the domain configuration directory

28) Edit the domain.xml file to use the new certificates:
a. Find all occurrences of s1as and replace them with gateway

b. Set the jvm-options to use the new keystores:

Windows:

<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStoreType=JKS</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStoreType=JKS</jvm-options>
<jvm-options>-DSERVER_KEY_ALIAS=gateway</jvm-options>
<jvm-options>-DCLIENT_KEY_ALIAS=gateway</jvm-options>

Solaris:

<jvm-options>-Djavax.net.ssl.keyStore=/nhin/SUNWappserver/domains/domain1/config/gateway.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=/nhin/SUNWappserver/domains/domain1/config/cacerts.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
<jvm-options>-Djavax.net.ssl.keyStoreType=JKS</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStoreType=JKS</jvm-options>
<jvm-options>-DSERVER_KEY_ALIAS=gateway</jvm-options>
<jvm-options>-DCLIENT_KEY_ALIAS=gateway</jvm-options>

c. Enable 2-way SSL and turn on extra logging if desired.

Enable mutual authentication of certificates in the domain.xml file by setting the client-auth-enabled attribute of the ssl element in the secure (port 8181) http-listener to true. This would appear as:

<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server"
  enabled="true" family="inet" id="http-listener-2" port="8181" security-enabled="true"
  server-name="" xpowered-by="true">
    <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false" ssl3-enabled="true"
      tls-enabled="true" tls-rollback-enabled="true"/>
</http-listener>

Extra logging can be enabled through these jvm-options:

<jvm-options>-Djavax.net.debug=ssl:handshake:verbose</jvm-options>
<jvm-options>-Djava.security.debug=certpath</jvm-options>

29) Restart GlassFish to verify the JVM settings and keystores
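Before restarting, the step-28 edits can be checked mechanically. The Python script below is an added example, not part of the original page or the CONNECT project: it parses a domain.xml and reports whether the jvm-options point at gateway.jks and cacerts.jks, whether any s1as reference survived, and whether the port 8181 listener has client-auth-enabled set so that 2-way SSL is actually enforced. The embedded XML is a constructed fragment that omits everything unrelated to these checks.

```python
import xml.etree.ElementTree as ET
# Constructed domain.xml fragment after the step-28 edits (not a real GlassFish file; unrelated elements omitted).
SAMPLE_DOMAIN_XML = """\
<domain><configs><config name="server-config">
  <http-service>
    <http-listener id="http-listener-2" port="8181" security-enabled="true">
      <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false" tls-enabled="true"/>
    </http-listener>
  </http-service>
  <java-config>
    <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/gateway.jks</jvm-options>
    <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
    <jvm-options>-DSERVER_KEY_ALIAS=gateway</jvm-options>
    <jvm-options>-DCLIENT_KEY_ALIAS=gateway</jvm-options>
  </java-config>
</config></configs></domain>
"""
# jvm-option prefix -> what its value must end with (true for both the Windows and Solaris paths).
REQUIRED_OPTIONS = {
    "-Djavax.net.ssl.keyStore=": "/config/gateway.jks",
    "-Djavax.net.ssl.trustStore=": "/config/cacerts.jks",
    "-DSERVER_KEY_ALIAS=": "gateway",
    "-DCLIENT_KEY_ALIAS=": "gateway",
}

def audit_domain_xml(xml_text, secure_port="8181"):
    """Return findings for the step-28 edits; an empty list means all three edits are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    options = [o.text or "" for o in root.iter("jvm-options")]
    for prefix, expected in REQUIRED_OPTIONS.items():          # 28b: the new keystores
        values = [o[len(prefix):] for o in options if o.startswith(prefix)]
        if not values:
            findings.append(f"missing jvm-option {prefix}")
        elif not values[-1].endswith(expected):
            findings.append(f"{prefix} should end with {expected}, got {values[-1]}")
    for el in root.iter():                                    # 28a: the default s1as alias must be gone
        if "s1as" in (el.text or "") or any("s1as" in v for v in el.attrib.values()):
            findings.append(f"<{el.tag}> still references s1as")
    listeners = [h for h in root.iter("http-listener") if h.get("port") == secure_port]
    if not listeners:
        findings.append(f"no http-listener on port {secure_port}")
    for listener in listeners:                                # 28c: 2-way SSL on the secure listener
        ssl = listener.find("ssl")
        if listener.get("security-enabled") != "true" or ssl is None:
            findings.append(f"{listener.get('id')} is not security-enabled")
        elif ssl.get("client-auth-enabled") != "true":
            findings.append(f"{listener.get('id')} does not require a client certificate")
    return findings
```

Run audit_domain_xml on the contents of the real domain.xml from step 27; any non-empty result should be fixed before the restart in step 29.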