Product: TIBCO Spotfire Server
Versions: 7.9 and higher
Summary:
This article describes how to configure HTTPS in TIBCO Spotfire Server using a self-signed certificate, a CA-issued certificate without a private key, or a CA-issued certificate with a private key.
Details:
In order to set up the TIBCO Spotfire server to use HTTPS, you need a certificate. You can create a self-signed certificate or create a certificate signing request (CSR) to obtain a certificate from a certificate authority.
Resolution:
Option 1 - Creating a self-signed certificate and configuring HTTPS.
Please follow https://support.tibco.com/s/article/How-to-create-a-self-signed-Server-certificate-to-enable-HTTPS-connection-between-Spotfire-Server-7-9-x-and-Clients
Option 2 - Creating a CSR for a CA-issued certificate and importing the certificate (without the private key) into the Java keystore.
1) Log in to the server where the Spotfire server is installed.
2) Open a command prompt and CD into "<server install dir>\jdk\bin"
3) Create the keystore, containing a key pair with a self-signed certificate, by running this command:
keytool -genkey -keyalg RSA -alias spotfire -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks -keypass KEYPASSWORD -storepass STOREPASSWORD -ext "SAN=IP:192.168.x.x,DNS:spotfire.domain.com"
- Change spotfire to whatever alias you'd like your certificate to have.
- Use only lowercase letters in the alias. Because of a bug in Tomcat versions before 7.0.62, an alias containing uppercase letters (or a mix of upper and lower case) does not work.
- Change spotfire.domain.com in the SAN extension to the fully qualified domain name (FQDN) of the Windows server, and 192.168.x.x to its IP address.
- Change KEYPASSWORD to the desired key password (keypass protects the private key of this particular key pair).
- Change STOREPASSWORD to the desired store password (storepass protects the keystore as a whole).
- Important! If STOREPASSWORD and KEYPASSWORD are not the same, you need to add "keyPass=KEYPASSWORD" to the server.xml configuration.
4) The command prompts "What is your first and last name?" Enter the FQDN of the Spotfire server, e.g. spotfire.domain.com.
It then asks for the organizational unit, organization name, city, state and country code. These values are not validated, so enter whatever is appropriate for your organization.
5) Then run the command below to create a CSR:
<server install dir>\jdk\bin\keytool -certreq -keyalg RSA -alias spotfire -file C:\tibco\tss\11.4.1\tomcat\certs\certreq.csr -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks
6) Provide this CSR to the CA administrator to generate the certificate. Ask for the Subject Alternative Name (SAN) extension to be included with the server's DNS name, because browsers such as Google Chrome and Microsoft Edge validate the SAN entry.
7) Export the newly generated certificate, preferably in .p7b format, since that exports the whole certificate chain. You may also export it in CER/CRT format; in that case make sure all intermediate CA certificates are imported, in the order of the certificate chain hierarchy, before importing the Spotfire server certificate.
8) Copy the certificate chain (or the server certificate plus the intermediate certificates) to the Spotfire server and import it into the keystore created earlier:
<server install dir>\jdk\bin\keytool -import -alias spotfire -file C:\tibco\tss\11.4.1\tomcat\certs\certificate.p7b -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks
Important note: when importing the certificate, use the same alias that was given when creating the keystore in step 3. Under a different alias keytool adds a separate trusted-certificate entry instead of attaching the CA-issued chain to the private key, and the HTTPS connector would keep serving the self-signed certificate.
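The check a practitioner wants after step 8 is that the alias from step 3 now holds a private-key entry whose chain carries the CA-issued certificates. The script below is an added example, not TIBCO's code: it runs keytool -list -v (reading the store password from an environment variable, keytool's -storepass:env form, so it stays out of the process command line) and parses the listing. The embedded listing is a constructed sample trimmed to the fields the checker reads; the alias Spotfire-Reply in it is made up to show what a wrong-alias import looks like.

```python
"""Check a keystore after the keytool steps above.

Added example, not TIBCO's code. It runs `keytool -list -v` and parses the
listing to confirm that the alias from step 3 now holds a PrivateKeyEntry
whose chain carries the CA-issued certificates. Importing the reply under a
different alias creates a separate trustedCertEntry instead, and the key
entry keeps its self-signed chain of length 1.
"""
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `keytool -list -v` output, trimmed to the fields the
# checker reads. The second entry shows the mistake of importing under a new alias.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: spotfire
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=spotfire.domain.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example


*******************************************
*******************************************


Alias name: Spotfire-Reply
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=spotfire.domain.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
"""


def list_keystore(keystore: str, storepass_env: str = "SPOTFIRE_STOREPASS") -> str:
    """Run keytool against a real keystore. The store password is read from the
    named environment variable (keytool's -storepass:env form) so that it does
    not show up in the process command line."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore,
           "-storepass:env", storepass_env]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_listing(text: str) -> Dict[str, dict]:
    """Collect entry type, chain length and the Owner/Issuer of every
    certificate, keyed by alias."""
    entries: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": "", "chain_length": 0, "owners": [], "issuers": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:"):
            current["owners"].append(line.split(":", 1)[1].strip())
        elif line.startswith("Issuer:"):
            current["issuers"].append(line.split(":", 1)[1].strip())
    return entries


def audit_entry(entries: Dict[str, dict], alias: str) -> List[str]:
    """Return human-readable findings; an empty list means the entry is usable
    for the HTTPS connector."""
    findings: List[str] = []
    if alias != alias.lower():
        findings.append(f"alias {alias!r} is not all lowercase (see the note in step 3)")
    entry = entries.get(alias)
    if entry is None:
        findings.append(f"alias {alias!r} not found; keystore has {sorted(entries)}")
        return findings
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"alias {alias!r} is a {entry['type']}, not a PrivateKeyEntry: "
                        "it has no private key, so Tomcat cannot terminate TLS with it")
        return findings
    if entry["chain_length"] < 2:
        findings.append("chain length is 1: the CA-issued chain was not imported under "
                        "this alias, the entry still holds the self-signed certificate")
    # Each certificate must be issued by the next one in the chain (step 7 ordering).
    for i in range(len(entry["owners"]) - 1):
        if entry["issuers"][i] != entry["owners"][i + 1]:
            findings.append(f"chain break between Certificate[{i + 1}] and Certificate[{i + 2}]")
    return findings


if __name__ == "__main__":
    # Usage: python check_keystore.py <keystore.jks> <alias>  (with SPOTFIRE_STOREPASS set)
    # Without arguments the constructed sample listing is checked instead.
    listing = list_keystore(sys.argv[1]) if len(sys.argv) > 2 else SAMPLE_LISTING
    alias_to_check = sys.argv[2] if len(sys.argv) > 2 else "spotfire"
    problems = audit_entry(parse_listing(listing), alias_to_check)
    print("\n".join(problems) if problems else f"alias {alias_to_check!r} looks good")
```

The chain-order check relies on keytool printing the chain leaf first, each Issuer matching the Owner of the next certificate; a break there means an intermediate was imported out of order or is missing, which is the CER/CRT pitfall step 7 warns about.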
9) Open the file "<server install dir>\tomcat\conf\server.xml" in a text editor and locate the section containing the configuration template for an HTTPS connector.
10) Remove the comment markers <!-- and --> around that template.
11) Update the parameters below:
<Certificate certificateKeystoreFile="./certs/spotfire.jks"
             certificateKeystorePassword="STOREPASSWORD"
             certificateKeystoreType="jks"
             certificateKeyAlias="spotfire" />
12) If you are not going to use X.509 (client certificate) authentication, remove the parameters below:
truststoreFile="./certs/spotfire.jks"
truststorePassword="changeit"
truststoreType="jks"
13) To disable unencrypted HTTP traffic, locate the section containing the default HTTP connector and add comment markers <!-- and --> around the HTTP connector configuration.
If you do not want to enable client certificate authentication, restart the Spotfire server at this point.
14) With a CA-issued certificate you do not need to export and install the server certificate on client machines. The client machines do, however, need the root CA and intermediate certificates under Trusted Root Certification Authorities. In an AD domain environment these certificates are usually already installed via group policy.
Option 3: Importing a CA-issued certificate into the Java keystore when you obtain the certificate directly from the CA admin without providing a CSR.
1) Log in to the server where Spotfire server is installed.
2) Open a command prompt and CD into "<server install dir>\jdk\bin"
3) Import the certificate into a Java keystore with the command below. It creates a new keystore:
keytool -import -alias spotfire -file C:\tibco\tss\11.4.1\tomcat\certs\certificate.p7b -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks
(replace the certificate file name and the keystore name as required)
If the CA admin does not specify an alias, you can import the certificate without one; keytool then uses the default alias "mykey":
keytool -import -file C:\tibco\tss\11.4.1\tomcat\certs\certificate.p7b -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks
4) Follow steps 9 to 13 from Option 2.
Option 4: Obtaining both the certificate and the private key from the CA (PKCS12 keystore).
1) The CA admin provides a certificate together with its private key. The accepted keystore type is PKCS12, and the certificate file will be in PFX or P12 format.
2) Copy the P12/PFX file to <Installation directory>\tss\<version>\tomcat\certs.
3) Open the file "<server install dir>\tomcat\conf\server.xml" in a text editor and locate the section containing the configuration template for an HTTPS connector.
4) Remove the comment markers <!-- and --> around that template and update the parameters below:
<Certificate certificateKeystoreFile="./certs/spotfire.pfx"
             certificateKeystorePassword="STOREPASSWORD"
             certificateKeystoreType="PKCS12"
             certificateKeyAlias="spotfire" />
5) If you are not going to use X.509 (client certificate) authentication, remove the parameters below:
truststoreFile="./certs/spotfire.jks"
truststorePassword="changeit"
truststoreType="jks"
6) To disable unencrypted HTTP traffic, locate the section containing the default HTTP connector and add comment markers <!-- and --> around the HTTP connector configuration.
7) Restart the Spotfire server.
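Steps 9 to 13 of Option 2 and steps 3 to 6 of Option 4 edit the same connector template, and the mistakes are the same: the HTTPS template left commented out, the STOREPASSWORD placeholder never replaced, a keystore type that does not match the file, truststore attributes kept although X.509 authentication is off, and the plain HTTP connector still active. The script below, an added example and not TIBCO's code, audits a server.xml for those points. The two embedded files are constructed minimal examples in the Tomcat 8.5+/9 layout (Certificate inside SSLHostConfig), not copies of Spotfire's real server.xml; the placeholder set and the extension-to-type mapping are the author's assumptions.

```python
"""Audit server.xml against steps 9-13 of Option 2 and steps 3-6 of Option 4.

Added example, not TIBCO's code. ElementTree drops XML comments, so a
connector that was commented out in step 13 simply disappears from the
parse, which is exactly the state the audit wants to confirm.
"""
import os
import sys
import xml.etree.ElementTree as ET
from typing import List

# Assumed: values that mean "the template placeholder was never replaced".
PLACEHOLDER_PASSWORDS = {"", "STOREPASSWORD", "changeit"}
TYPE_FOR_EXTENSION = {".jks": "jks", ".pfx": "pkcs12", ".p12": "pkcs12"}

# Constructed: the untouched template, HTTP active and HTTPS commented out.
SAMPLE_TEMPLATE = """\
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />
  <!-- <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
         <SSLHostConfig><Certificate certificateKeystoreFile="./certs/spotfire.jks" /></SSLHostConfig>
       </Connector> -->
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
</Service></Server>
"""

# Constructed: after steps 10-13, but with the password placeholder left in
# and the truststore attributes kept although X.509 authentication is off.
SAMPLE_CONFIGURED = """\
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <!-- <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" /> -->
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2"
                   truststoreFile="./certs/spotfire.jks"
                   truststorePassword="changeit"
                   truststoreType="jks">
      <Certificate certificateKeystoreFile="./certs/spotfire.jks"
                   certificateKeystorePassword="STOREPASSWORD"
                   certificateKeystoreType="jks"
                   certificateKeyAlias="spotfire" />
    </SSLHostConfig>
  </Connector>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
</Service></Server>
"""


def check_certificate(cert: ET.Element) -> List[str]:
    """Checks for one <Certificate> element (step 11 / Option 4 step 4)."""
    findings: List[str] = []
    store = cert.get("certificateKeystoreFile", "")
    if not store:
        findings.append("certificateKeystoreFile is empty")
    password = cert.get("certificateKeystorePassword", "")
    if password in PLACEHOLDER_PASSWORDS:
        findings.append(f"certificateKeystorePassword is still {password!r}; "
                        "set it to the real store password")
    alias = cert.get("certificateKeyAlias", "")
    if alias != alias.lower():
        findings.append(f"certificateKeyAlias {alias!r} is not lowercase")
    expected = TYPE_FOR_EXTENSION.get(os.path.splitext(store)[1].lower())
    declared = cert.get("certificateKeystoreType", "").lower()
    if expected and declared != expected:
        findings.append(f"certificateKeystoreType {declared!r} does not match "
                        f"{store!r} (expected {expected!r})")
    return findings


def audit_server_xml(xml_text: str) -> List[str]:
    """Return findings for the whole file; an empty list means steps 10-13 look done."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    https: List[ET.Element] = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            https.append(conn)
        else:
            findings.append(f"plain HTTP connector on port {conn.get('port')} "
                            "is still active (step 13)")
    if not https:
        findings.append("no HTTPS connector: the HTTPS template is still commented out (step 10)")
    for conn in https:
        certs = list(conn.iter("Certificate"))
        if not certs:
            findings.append(f"HTTPS connector on port {conn.get('port')} has no <Certificate> (step 11)")
        for cert in certs:
            findings.extend(check_certificate(cert))
        # Client certificate auth is on if the Connector's clientAuth or an
        # SSLHostConfig's certificateVerification asks for it.
        hosts = list(conn.iter("SSLHostConfig"))
        client_auth = conn.get("clientAuth", "false").lower() == "true" or any(
            h.get("certificateVerification", "none") != "none" for h in hosts)
        if any(h.get("truststoreFile") for h in [conn] + hosts) and not client_auth:
            findings.append("truststore attributes are set but X.509 client authentication "
                            "is not enabled; remove them (step 12)")
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py <server install dir>\tomcat\conf\server.xml
    # Without an argument the two constructed samples are audited.
    if len(sys.argv) > 1:
        targets = {sys.argv[1]: open(sys.argv[1], encoding="utf-8").read()}
    else:
        targets = {"template": SAMPLE_TEMPLATE, "configured": SAMPLE_CONFIGURED}
    for name, text in targets.items():
        print(f"{name}: " + ("; ".join(audit_server_xml(text)) or "OK"))
```

Run it against the edited server.xml before restarting the server; an empty result means the HTTPS connector is live with a real password and the HTTP connector is gone, which is the state steps 10 to 13 (or Option 4 steps 4 to 6) are meant to produce.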