Product: TIBCO Spotfire Web Player
Versions: All versions
Summary:
This article explains why a Web Player/Automation instance fails with the error "Could not find certificate in store CertificateAuthority when validating. Are the nodes certificates installed and do Worker process identity"
Details:
You may see the following entries in Spotfire.dxp.Worker.host.DEBUG.GUID.log when the Web Player/Automation instance starts:
INFO ;2023-03-29T15:54:39,921+08:00;2023-03-29 07:54:39,921;6dca8861-073b-4c68-aa96-0741711753d8;(null);WorkerStartup 1;;;Spotfire.Dxp.Worker.Utilities.TrustCertificateHandler;"Could not find certificate in store CertificateAuthority when validating. Are the nodes certificates installed and do Worker process identity 'WindowsIdentity, Name: NT AUTHORITY\SYSTEM, AuthenticationType: Negotiate, ImpersonationLevel: None, IsAnonymous: False, IsAuthenticated: True, IsGuest: False, IsSystem: True, Token: 2144, Owner: S-1-5-32-544 (BuiltinAdministratorsSid, ), User: S-1-5-18 (LocalSystemSid, )' have access to the certificates in the store."
DEBUG;2023-03-30T17:57:42,993+08:00;2023-03-30 09:57:42,993;2101c67f-730f-4c92-89cc-3c6ce6804d90;(null);WorkerStartup 1;Spotfire.Dxp.Worker.Utilities.TrustCertificateHandler;"Found duplicate key store certificate in for Root: Certificate information: Friendly Name: CN=TIBCO Spotfire Root CA,O=Spotfire, Name: TIBCO Spotfire Root CA, SubjectName: CN=TIBCO Spotfire Root CA, O=Spotfire, SerialNumber: 214E93C2CA5A97DF31B086AF2C19C40DEBBD8F5E, Issuer: CN=TIBCO Spotfire Root CA, O=Spotfire, Has private key: False, Verified: True, NotAfter: 2032-02-24T13:06:39,000+08:00, NotBefore: 2022-02-24T13:06:39,000+08:00, Thumbprint: 5C778E88D98E4DD18AEA0D868B6D22BD43EAF721, Version: 3, Signature algorithm: sha256RSA."
Resolution:
The failure is caused by the number of certificates and the total time it takes to verify them when the Web Player instance starts. If verification takes more than 60 seconds, the Node Manager kills the Worker and tries again, which keeps it in a loop. Since the machines have no access to the internet, lower the timeout for retrieving the CRL (Certificate Revocation List) as much as possible. This also speeds up the same check for many other connections. Follow these instructions:
- Open Local Group Policy Editor (for example, search for “Edit Group Policy” in the Start Menu)
- Go down the tree from “Computer Configuration” => “Windows Settings” => “Security Settings” => “Public Key Policies”
- On the right side, double-click on “Certificate Path Validation Settings”
- Go to “Network Retrieval” tab
- Select “Define these policy settings” checkbox
- Change both timeout values under “Default retrieval timeout settings” to 1 second
- Click “OK”
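
To see how many certificates the Worker has to validate and which of them stall on CRL retrieval, the following PowerShell can be run on the node. It is an added diagnostic example, not part of the original article or of TIBCO's tooling, and it assumes the relevant stores are LocalMachine\Root and LocalMachine\CA (the store that .NET names CertificateAuthority).

```powershell
# Added diagnostic example (not from the TIBCO article).
# Assumption: the certificates being validated live in the LocalMachine Root
# and CA stores ("CA" is the store .NET calls CertificateAuthority).
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

# 1. Collect every certificate together with the store it came from.
$certs = foreach ($path in $stores) {
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{ Store = $path; Cert = $_ }
    }
}
$certs | Group-Object Store | Select-Object Name, Count | Format-Table -AutoSize

# 2. Subjects that appear more than once (compare with the
#    "Found duplicate key store certificate" DEBUG entry).
$certs | Group-Object { $_.Cert.Subject } | Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            Subject     = $_.Name
            Thumbprints = ($_.Group.Cert.Thumbprint -join ', ')
            Stores      = (($_.Group.Store | Select-Object -Unique) -join ', ')
        }
    } | Format-List

# 3. Time a chain build with online revocation checking per certificate.
#    On a host without internet access, slow entries are the ones waiting
#    for a CRL download to time out.
$results = foreach ($entry in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($entry.Cert)
    $sw.Stop()
    [pscustomobject]@{
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Valid   = $ok
        Status  = ($chain.ChainStatus.Status -join ',')
        Subject = $entry.Cert.Subject
    }
    $chain.Reset()
}
$results | Sort-Object Seconds -Descending | Select-Object -First 10 |
    Format-Table -AutoSize
'Total seconds: {0:N1}' -f ($results | Measure-Object Seconds -Sum).Sum
```

Run it from an elevated session; the log above shows the Worker running as NT AUTHORITY\SYSTEM, so timings under an interactive account can differ. Comparing the total before and after the policy change shows how much of the 60-second startup budget certificate validation consumes.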