It may be desirable to use the Windows Certificate Store to implement SSL connections in Spotfire server. This is an alternate method to that described in this article, and may be more convenient in some situations.
The steps below outline how this can be achieved.
This article does not cover how to generate certificates in Windows; it is assumed the system administrator will create these. Alternatively, you may import an existing certificate that has been purchased or created previously.
1) The Spotfire Server service must be running under a dedicated user account (service account). It is this account's Personal certificate store that will contain the certificates for implementing SSL connections in Spotfire.
2) Run the Microsoft Management Console (mmc) as the account used to run the Spotfire server.
3) Click File -> Add/Remove Snap-in -> Certificates -> Add -> My User Account -> OK.
4) Under "Personal", the system administrator may have already deployed a certificate here. Otherwise click All Tasks -> Import.
5) Browse to the certificate created for Spotfire and import it.
6) The certificate must then be referenced by Tomcat (Spotfire server) from the <installation root>\tomcat\conf\server.xml in a Connector configuration as follows:
The important items are highlighted in bold text.
<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    maxHttpHeaderSize="65536"
    connectionTimeout="30000"
    enableLookups="false"
    URIEncoding="UTF-8"
    disableUploadTimeout="true"
    server="TIBCO Spotfire Server"
    compression="on"
    compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
    acceptorThreadCount="2"
    keepAliveTimeout="30000"
    maxKeepAliveRequests="-1"
    maxThreads="2000"
    SSLEnabled="true"
    scheme="https"
    secure="true">
    <SSLHostConfig certificateVerification="none"
        sslProtocol="TLS"
        protocols="TLSv1.2+TLSv1.3"
        honorCipherOrder="true"
        ciphers="TLS_AES_128_GCM_SHA256,(various other ciphers)">
        <Certificate certificateKeystoreFile=""
            certificateKeystoreType="Windows-My"
            certificateKeyAlias="spotfire.example.com" />
    </SSLHostConfig>
</Connector>
Windows-My is a keystore type that uses the user's Personal certificate store, which here is the store of the service account from step 1.
Note that the certificateKeyAlias must match the Common Name in the Subject field of the certificate.
7) Restart the Spotfire service to make the change effective.
8) Access the Spotfire server via https. You should find that TLS connections are working correctly.
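
A check for steps 4 to 6 that can be run before the restart in step 7, as an added example that is not part of the original article: it reads the Windows-My alias from server.xml and confirms that a certificate with that Common Name, a private key and a current validity period is in the Personal store of the account running the script. Run it in a PowerShell session started as the Spotfire service account; the default $ServerXml path is a placeholder to replace with your installation root.

```powershell
# Added example (not from the original article). Run as the Spotfire service
# account, because Cert:\CurrentUser\My is that account's Personal store.
param(
    # Placeholder (assumption): set to <installation root>\tomcat\conf\server.xml
    [string]$ServerXml = 'C:\path\to\tomcat\conf\server.xml'
)

# Collect every alias referenced by a Windows-My Certificate element.
$xpath = "//Connector/SSLHostConfig/Certificate[@certificateKeystoreType='Windows-My']"
$aliases = @(Select-Xml -Path $ServerXml -XPath $xpath |
    ForEach-Object { $_.Node.GetAttribute('certificateKeyAlias') })
if ($aliases.Count -eq 0) {
    throw "No Windows-My Certificate element found in $ServerXml"
}

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now = Get-Date

foreach ($alias in $aliases) {
    # Compare the alias with the Common Name, as the article requires.
    $found = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $alias })

    if ($found.Count -eq 0) {
        Write-Warning "'$alias': no certificate with this Common Name in the current user's Personal store"
        continue
    }
    if ($found.Count -gt 1) {
        Write-Warning "'$alias': $($found.Count) certificates share this Common Name"
    }

    foreach ($cert in $found) {
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
        if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }
        if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }

        # One result row per matching certificate.
        [pscustomobject]@{
            Alias      = $alias
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = if ($problems) { $problems -join '; ' } else { 'OK' }
        }
    }
}
```

A warning that no certificate was found, when the certificate is visible in mmc under another login, usually means the import went into a different account's store than the one the service runs as.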