Important 9.0.0+ Security Information – Action Required
Starting with version 9.0.0, Civic Platform applications implement SHA-2 password encryption to comply with the Federal Information Security Management Act (FISMA) information security requirements.
Civic Platform applications have replaced SHA-1 password encryption with SHA-2 encryption (specifically, salted SHA-512 hash functions) for FISMA compliance. When a user logs in to Civic Platform, the user's password is automatically converted to SHA-2 encryption. This applies to the following applications:
- Civic Platform back-office application
- Citizen Access
- Silverlight and JavaScript GIS
- Accela mobile apps using the Automation REST API
- Apps using the Construct V4 API
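The login-time conversion described above (an old SHA-1 record is verified, then rewritten as a salted SHA-512 record; a record that was never converted can no longer be verified once SHA-1 is disabled) is illustrated by the following added example. It is not Accela's code and does not use the Civic Platform schema: the record layout (the "sha1:" and "sha512:" prefixes, a 16-byte salt, hex encoding), the in-memory user directory and the function names are assumptions made for the illustration. It also includes the check an administrator would want before the cut-over, namely which accounts still hold a SHA-1 record.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed illustration of login-time hash migration (not Accela's code).
# Assumed record formats:
#   legacy:  "sha1:<hex digest>"               (unsalted SHA-1)
#   current: "sha512:<salt hex>:<hex digest>"  (SHA-512 over salt || password)


def sha1_legacy(password: str) -> str:
    """Legacy unsalted SHA-1 record (assumed format)."""
    return "sha1:" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha512_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512 record; a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return "sha512:" + salt.hex() + ":" + digest


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    scheme, _, rest = stored.partition(":")
    if scheme == "sha1":
        candidate = sha1_legacy(password)
    elif scheme == "sha512":
        salt_hex = rest.partition(":")[0]
        candidate = sha512_salted(password, bytes.fromhex(salt_hex))
    else:
        return False
    return hmac.compare_digest(stored, candidate)


def login(users: Dict[str, str], username: str, password: str, sha1_disabled: bool) -> bool:
    """Authenticate a user and, on success, upgrade a SHA-1 record to salted SHA-512.

    Once sha1_disabled is True a record still in SHA-1 form is rejected outright:
    this is the permanent lock-out the migration notice warns about."""
    stored = users.get(username)
    if stored is None:
        return False
    is_legacy = stored.startswith("sha1:")
    if is_legacy and sha1_disabled:
        return False
    if not verify(stored, password):
        return False
    if is_legacy:
        # Rewrite the record on the first successful login after the upgrade.
        users[username] = sha512_salted(password)
    return True


def users_still_on_sha1(users: Dict[str, str]) -> List[str]:
    """Pre-cut-over check: accounts that have not logged in since the upgrade."""
    return sorted(name for name, record in users.items() if record.startswith("sha1:"))


if __name__ == "__main__":
    # Constructed sample directory: both accounts still hold legacy records.
    directory = {"alice": sha1_legacy("correct horse"), "bob": sha1_legacy("battery staple")}
    login(directory, "alice", "correct horse", sha1_disabled=False)
    print("still on SHA-1:", users_still_on_sha1(directory))
    print("bob after SHA-1 disabled:", login(directory, "bob", "battery staple", sha1_disabled=True))
```

Running the script shows the two outcomes the notice describes: alice logged in before the cut-over, so her record is rewritten and keeps working after SHA-1 is disabled; bob never logged in, so his record stays on SHA-1 and is rejected once the flag is set.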
Disabling SHA-1 on Accela-hosted Civic Platform environments
At a post-9.0.0 to-be-announced date, Accela-hosted environments will officially migrate to SHA-2 encryption. At that point, Accela will disable SHA-1 encryption so that only SHA-2 passwords are used across Civic Platform applications on the Accela-hosted environments.
Note: All users must log into their Civic Platform applications before Accela disables SHA-1. If users do not log into their Civic Platform applications before Accela disables SHA-1, their passwords will continue to use the SHA-1 password encryption and they will be permanently locked out of Civic Platform. When Accela Customer Support has officially announced the SHA-2 migration date, it is absolutely important and mandatory for all Civic Platform 9.0.0+ users on an Accela-hosted environment to log in before Accela disables SHA-1.
Disabling SHA-1 on self-hosted Civic Platform environments
The following information describes how to disable the SHA-1 password encryption on a self-hosted Civic Platform environment. Note that this information only applies to self-hosted (or "on-premise") customers who intend to completely migrate their Civic Platform environment from SHA-1 to SHA-2 password encryption.
- Plan the SHA-2 migration date.
The self-hosted agency must determine a SHA-2 migration date that gives enough time for all Civic Platform users to log in to Civic Platform 9.0.0+ (including Civic Platform, Citizen Access, and GIS applications and administration sites, Accela mobile apps, and any app using Construct APIs). Send out advance notifications and reminders to ensure all Civic Platform users have logged in to Civic Platform in a timely manner.
- All users MUST log into their Civic Platform 9.0.0+ application.
When users log into a Civic Platform 9.0.0+ application, their passwords are automatically converted to SHA-2 encryption.
All users must log into their Civic Platform 9.0.0+ applications before you disable SHA-1 on your Civic Platform environment. If users do not log into their Civic Platform 9.0.0+ applications before you disable SHA-1, their passwords will continue to use the SHA-1 password encryption and they will be permanently locked out of Civic Platform. If your agency plans to disable SHA-1, it is absolutely important and mandatory for all Civic Platform 9.0.0+ users on your self-hosted environment to log in before you disable SHA-1.
- Disable SHA-1 encryption.
To disable the SHA-1 encryption for the following Civic Platform applications:
- Civic Platform and Citizen Access:
  - Connect to the Civic Platform database.
  - Execute the following SQL:
    UPDATE R1SERVER_CONSTANT SET REC_STATUS = 'A' WHERE SERV_PROV_CODE = 'STANDARDDATA' AND CONSTANT_NAME = 'DISABLE_SHA_1'
- Civic Platform Silverlight GIS:
  - Navigate to the inetpub\wwwroot\<agis>\data\GlobalConfigs directory on the IIS server.
  - Edit the GlobalSettings.xml file.
  - Set the DisableSHA1 key to True. For example:
    <GlobalSettings>
      <add key="DisableSHA1" value="True" />
    </GlobalSettings>
    (Note that by default, DisableSHA1 is set to False.)
  - Save your changes.
- Civic Platform JavaScript GIS:
  - Connect to the JavaScript GIS database.
  - Execute the following SQL:
    UPDATE GLOBALSETTING SET DISABLESHA1='True'
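As an added example that is not part of the Accela documentation or product, the following Python script performs the Silverlight GIS step above on GlobalSettings.xml: it sets the DisableSHA1 key to True, adds the key if the file does not yet contain it, and reads the value back so the change can be confirmed before the server is restarted. The sample file contents are constructed; the only assumption about the real file is the <add key="..." value="..." /> layout shown in the step, and the file path is whatever the administrator passes in.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a GlobalSettings.xml in its default state (DisableSHA1 = False).
SAMPLE_GLOBAL_SETTINGS = """<GlobalSettings>
  <add key="SomeOtherSetting" value="1" />
  <add key="DisableSHA1" value="False" />
</GlobalSettings>
"""

KEY = "DisableSHA1"


def read_disable_sha1(xml_text: str) -> str:
    """Return the current DisableSHA1 value; a missing key behaves like the default, False."""
    root = ET.fromstring(xml_text)
    node = root.find("./add[@key='%s']" % KEY)
    return node.get("value", "False") if node is not None else "False"


def set_disable_sha1(xml_text: str, enabled: bool = True) -> str:
    """Return the settings document with DisableSHA1 set; the key is added if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("./add[@key='%s']" % KEY)
    if node is None:
        node = ET.SubElement(root, "add")
        node.set("key", KEY)
    node.set("value", "True" if enabled else "False")
    return ET.tostring(root, encoding="unicode")


def update_settings_file(path: Path, enabled: bool = True) -> str:
    """Rewrite the file in place and return the value read back from the rewritten file."""
    updated = set_disable_sha1(path.read_text(encoding="utf-8"), enabled)
    path.write_text(updated, encoding="utf-8")
    return read_disable_sha1(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Operates on the constructed sample; pass a real path to update_settings_file
    # (for example Path(r"C:\inetpub\wwwroot\agis\data\GlobalConfigs\GlobalSettings.xml"),
    # substituting the agency's own <agis> directory name) to change an actual server.
    print("before:", read_disable_sha1(SAMPLE_GLOBAL_SETTINGS))
    print("after: ", read_disable_sha1(set_disable_sha1(SAMPLE_GLOBAL_SETTINGS)))
```

Reading the value back from the rewritten file, rather than trusting the write, is the confirmation step; the same read function can be run on the file after the change to verify that the GIS server is on the intended setting.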