By default, Spotfire uses the HTTP protocol for communication between clients and the server. To achieve a higher level of security, it is possible to use the HTTPS proto-col instead, ensuring encryption between clients and the server.
In order to set up HTTPS, you must first have the following:
a public Certificate Authority (CA) certificate
a server certificate and private key issued by the CA
The server private key can be either in the PKCS#12 or JKS format.
You can obtain these objects from a commercial Certificate Authority or create them using CA software. Please refer to the documentation of your provider on how to obtain or create them. In this manual, there are also reference instructions on how to create a self-signed certificate in the section “Creating a Self-Signed Server Certifi-cate” on page 120
Procedure
1 Stop the Spotfire Server (if it is running).
2 Set the password for the JVM CA Certificate Database.
3 Import the CA Certificate.
4 Install the server certificate and private key.
5 Configure the Spotfire Server to use the HTTPS protocol.
To stop the Spotfire Server:
See “Start the Spotfire Server” on page 86.
To set the password for the JVM CA certificate database:
The default password for the JVM CA certificate database is changeit. Change it using the keytool command, located in the <installation dir>/jdk/jre/bin folder installed with the Spotfire Server. The certificate database is stored in the file cacerts located in the folder <installation dir>/jdk/jre/lib/security. Set a new password by executing the fol-lowing command from a command prompt or terminal:
> <installation dir>/jdk/jre/bin/keytool ‐storepasswd ‐keystore <installation dir>/jdk/
jre/lib/security/cacerts Example: Windows
C:\>c:\tibco\tss\4.5.0\jdk\jre\bin\keytool ‐storepasswd ‐keystore c:\tibco\tss\4.5.0 \ jdk\jre\lib\security\cacerts
You will be prompted for the current password (changeit) and twice for a new pass-word. After changing the password, review the access permissions for the cacerts file to make sure that no one is allowed to modify it.
To import the CA certificate:
To import a CA certificate into the JVM CA certificate database (cacerts file), execute the following command:
> <installation dir>/jdk/jre/bin/keytool ‐importcert ‐v ‐keystore <installation dir>/jdk/
jre/lib/security/cacerts ‐alias <aliasname> ‐file <certfile>
The <aliasname> must be a unique identifier that clearly identifies the CA certificate.
The <certfile> is the file containing the CA certificate to import.
Windows example where you will be prompted for the password set above:
C:\>c:\tibco\tss\4.5.0\jdk\jre\bin\keytool ‐importcert ‐v ‐keystore c:\tibco\tss\4.5.0 \ jdk\jre\lib\security\cacerts ‐alias exampleCA ‐file C:\TMP\example‐ca.cer
Note: If the CA certificate is stored in BASE 64 encoded DER format, make sure that the file starts with ‐‐‐‐‐BEGIN CERTIFICATE‐‐‐‐‐. Otherwise, the import will fail.
To verify a certain CA certificate in the JVM CA certificate database:
> <installation dir>/jdk/jre/bin/keytool ‐list ‐v ‐keystore c:\tibco\tss\4.5.0 \jdk\jre\
lib\security\cacerts ‐alias exampleCA
Windows example listing a preinstalled VeriSign CA certificate:
C:\>C:\tibco\tss\4.5.0\jdk\jre\bin\keytool ‐list ‐v ‐keystore c:\tibco\tss\4.5.0\jdk\\jre\
lib\security\cacerts ‐alias verisignclass1g2ca Enter keystore password:
Alias name: verisignclass1g2ca Creation date: Mar 25, 2004 Entry type: trustedCertEntry
Owner: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. ‐ For authorized u se only", OU=Class 1 Public Primary Certification Authority ‐ G2, O="VeriSign, I nc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. ‐ For authorized use only", OU=Class 1 Public Primary Certification Authority ‐ G2, O="VeriSign, Inc.", C=US
Serial number: 4cc7eaaa983e71d39310f83d3a899192
Valid from: Mon May 18 02:00:00 CEST 1998 until: Wed Aug 02 01:59:59 CEST 2028
Certificate fingerprints:
MD5: DB:23:3D:F9:69:FA:4B:B9:95:80:44:73:5E:7D:41:83
SHA1: 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47 Signature algorithm name: SHA1withRSA
Version: 1
To install the Server certificate and private key:
The server certificate and its corresponding private key must be stored in either the PKCS#12 or the Java Keystore (JKS) format.
Install the server certificate and private key in the following directory:
<installation dir>/jdk/jre/lib/security/
To configure the Spotfire Server to use the HTTPS protocol:
To set the server to communicate using the HTTPS protocol, edit the configuration file
<installation dir>/tomcat/conf/server.xml. In the Spotfire service section locate the sec-tion that defines the Connector:
<!--<Connector port="443"
maxHttpHeaderSize="16384"
connectionTimeout="30000"
enableLookups="false"
URIEncoding="UTF-8"
disableUploadTimeout="true"
server="TIBCO Spotfire Server"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="../jdk/jre/lib/security/[ServerHostname].p12"
keystorePass="changeit"
keystoreType="pkcs12"
clientAuth="false"/>
-->
Remove the comment markers <!‐‐ and ‐‐>. Then, to disable unencrypted traffic (HTTP), add comment markers around the HTTP connector.
Be sure to replace [ServerHostname] with the actual hostname of the Spotfire Server, and changeit with the password to the keystore. If you have obtained the certificate from another place than Microsoft Certificate Services, the type may differ.
Note: The Apache Tomcat stores the password in clear text. You should secure the file and/or the server to prevent users from accessing it.
For a detailed view of the file server.xml, see the section “server.xml” on page 127.
To start the Spotfire Server:
When you have configured HTTPS you can start the Spotfire Server, for example by starting the Windows Service or running the startup script.
To use encryption in a clustered environment:
In a clustered environment, clients communicate using HTTP or HTTPS with the load balancer, which may then redirects traffic to the servers using the AJP protocol. The AJP protocol cannot be encrypted. It is therefore recommended that the load balancer and the Spotfire Servers reside on the same secure network, or that other security mea-sures, such as tunnel technology, are used.
To configure the load balancer to use HTTPS, follow the instructions in the section
“Setting up HTTPS” on page 142 in the Appendix.