Configure TLS-enabled notification server in Digital Access

With Smart ID Digital Access component 5.12 a new feature was introduced for the notification plugins. The purpose was to implement support for TLS (Transport Layer Security) as this was previously not supported.

As a consequence of this, some additional configuration is required. For proper TLS functionality the remote certificate (presented by the Notification server, for example, SMS gateway) must be trusted by Digital Access component. The Digital Access component trust is built up from scratch and there are no default trusts in a new system. Therefore all trusted Certificate Authorities and certificates must be explicitly trusted.

Prerequisites

The certificate of the Certificate Authority must be obtained. This can be done in several different ways and is not covered by these instructions. The certificate should be in PEM format.

Step-by-step instruction

Log in to Digital Access Admin

Log in to Digital Access Admin with an administrator account.

Add Certificate Authority (CA)

Go to Add certificates in Digital Access and follow the instructions under heading "Add certificate authority".
When finished, click Publish.

Troubleshooting

If there are problems with the certificate the logs will show messages like this when sending a notification:

WARNING “Failed to send SMS via channel SMS Notification,
IO Error/sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target/PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target/unable to find valid certification path to requested target"

WARNING "Failed to send SMS via any configured channel."

If this is the case, verify that the uploaded certificate is the correct one and that it corresponds to the SMS service.

Step-by-step instruction

Related information