Date Posted:
Product: TIBCO Spotfire®
Product: TIBCO Spotfire®
Problem:
SSL Ciphers used for the Spotfire backend connector (9443) in Spotfire versions 7.5 - 7.14
Solution:
When the Web Player is contacting the Spotfire Server during startup to fetch the manifest it may fail due to SSL issues if the Windows Server running the Node/Web Player have a restricted set of cipher suites.
There are four cipher suites hardcoded for the Server backend connector (9443 default):
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
At least one of these must be presented by the Web Player when it tries to connect (so there is one common cipher that can be chosen in the handshake process).
Note: Starting with Spotfire version 10.0, those values are configurable. Read more about that in article Configure cipher suites used for backend trust in Spotfire 10.0 and higher. If the machine (running the Web Player) has internet access the cipher suites presented can be visualized by accessing e.g. https://www.ssllabs.com/ssltest/viewMyClient.html
If the machine is lacking internet access, a PowerShell command can be used:
Get-TlsCipherSuite -Name "AES"For more information about the command and what versions of Windows it will work for, please refer to https://docs.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite?view=win10-ps
A third alternative is to use Nmap (https://nmap.org). Included in NMap is a script called ssl-enum-ciphers, which will let you scan a target and list all SSL protocols and ciphers that are available on that server. You can also narrow it down by specifying a port number with the -p option.
This could thus be running from another PC, and the command will then look like:
nmap -p [port] --script ssl-enum-ciphers [target]Where [target] is the IP or hostname of the server you want to scan and [port] is the port number. If you do not specify a port number, it will scan all ports on the server and return the results for each port that is configured to use SSL.
The ciphers enabled can be restricted by settings in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
If there are issues related to SSL handshake, the first test can be to remove all custom settings for the SCHANNEL and then retry after a reboot. Exporting the setting before deleting them is a good idea. If this make things work the network team can now reapply some of their restrictions with the knowledge that at least one of these four ciphers needs to be enabled on the machines used as Spotfire Remote Nodes. Example error message:
ERROR;2018-03-26T10:48:14,683+02:00;2018-03-26 08:48:14,683;9b76303b-0528-4a43-8894-95fe5bdfd116;(null);WorkerStartup 1;;Spotfire.Dxp.Worker.Host.WorkerHost;"Failed to start worker because the Spotfire Server could not be reached. Spotfire.Dxp.Services.ManifestReader+ManifestWebException: Could not connect to server 'https://serveradress:9443/' to download manifest. The request was aborted: Could not create SSL/TLS secure channel (SecureFailure). Contact the administrator to make sure that the SSL certificate has been installed. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel (SecureFailure). Contact the administrator to make sure that the SSL certificate has been installed.
Article: Configure cipher suites used for backend trust in Spotfire 10.0 and higher
Comments
0 comments
Article is closed for comments.