Description of Issue

Where to find Time and Attendance SSL Configuration notes in the Time and Attendance server installation environment and install new certificate.

Context

Time and Attendance
ExecuTime
SSL

Cause

The SSL certificate for Time and Attendance is expired or nearing expiration.

Resolution

Note: Private/self-signed are not trusted by the Time and Attendance application java keystore, and public CA vendor certs are highly recommended.

Note: This certificate needs to be in PFX format with a private key password.

Note: Private key/Certificate passwords cannot contain the following special characters: <>"^;&'

Note: The SSL Configuration notes are found inside the Time and Attendance WildFly folder in for example, "C:\ET_prod\WildFly\ExecuTime_Config_Read_Me.txt"

Select Windows Start
Type File Explorer and select Enter
Place the copy of the new certificate in a permanent location
1. The .pfx SSL, needs to be placed outside the Time and Attendance environment folder in a path that the Tyler Deployment Tool can use when upgrading Time and Attendance. (i.e. <Drive>:TylerInstalls\Cert\ETCert.pfx)
Navigate to [DRIVE:\]{InstanceName}\WildFly\standalone\configuration
Place the copy of the new certificate in this folder
Rename the certificate to ETCert.pfx
Open the standalone.xml file in Notepad++
Search for <ssl> (it is right near the top)
Inside the <ssl> tag you have a keystore tag, by default it looks like this:
1. <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
Change it to this:
1. <keystore path="ETCert.pfx" relative-to="jboss.server.config.dir" keystore-password="KeystorePassword" alias="server" key-password="KeystorePassword" generate-self-signed-certificate-host="localhost"/>
2. Note: Where 'ETCert.pfx' matches the name of the certificate and 'KeystorePassword' matches the password for the new certificate
Restart the ExecuTime service - How to restart the ExecuTime Service - OnPrem
Update the certificate for the IIS binding that Tyler Workflow uses - Update SSL Certificate in IIS
1. Tyler Workflow tends to be installed on the same server as Time and Attendance in most cases but can also be found on Infrastructure servers if it's not on the same server as Time and Attendance
2. If the certificate was already updated and bound on the default website in IIS where Tyler Workflow is installed, this step can be skipped
Access the Time and Attendance environment URLs and verify the certificate has been updated
Update certificate path and password in Tyler Deploy for Time and Attendance environments - How to update the SSL Certificate Path and SSL Password in Tyler Deploy for Time and Attendance environments
1. Note: Not updating the certificate in Tyler Deploy after new certificates have been applied to Time and Attendance environments will result in expired certificates being deployed on environments that receive upgrades.

Additional Information

There are potential issues that can arise from replacing the SSL Certificate.

The following articles can be referenced after replacing the SSL Certificate on Time and Attendance if the issues arise only from the result of replacing the SSL Certificate on the application:

ExecuTime Root URL cannot be reached in the Tyler Workflow connection after replacing SSL Certificate

TouchTime clocks are receiving Server Unreachable after replacing the Time and Attendance certificate

Versions prior to v2023 will have a different path to the configuration folder

Browser not supported