July 16, 2021
How do I enable TLS connections on the Spotfire server?
By default the Spotfire Server accepts only plain HTTP connections. The following procedure explains how to enable secure communications (HTTPS) to the Spotfire Server. The following items are required:
1) A PFX / PKCS12 format certificate for the Spotfire server. The certificate must have a Subject Alternative Name for at least the primary host, as well as any secondary names.
2) Any root CA certificates or intermediate certificates in PEM format.
Using existing certificates
Step 1 - Convert certificates (if necessary)
If a PFX / PKCS12 format certificate is already available, it may be used directly by editing the server.xml (see Step 2).
If only a PEM format certificate and private key pair is available then these must be merged into a PKCS12 certificate first. This can be accomplished via the command line.
On Linux enter the following command (e.g.)
On Windows certutil can accomplish the same task.
The private key must have a .key extension and have the same base file name. E.g. the directory may contain a spotfire.pem and spotfire.key file.
Step 2 - Edit the server.xml
Here is an example of what the SSLHostConfig section should look like for Spotfire Server version 10+. For PFX certificates the certificate path and password must be given, and the keystore type must be set to pkcs12.
Important: If the private key in the PKCS12 certificate contains a password, then the keystore password must match that one.
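The following is an added example of such a connector, not the article's own server.xml fragment. The port, the NIO protocol class, the relative keystore path (Tomcat resolves it against the Tomcat base directory) and the password are assumptions to be replaced with your own values; the attribute names are standard Tomcat 8.5+/9 attributes.

```xml
<!-- Added example: replace port, path and password with your own values. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200" connectionTimeout="20000">
  <!-- Only TLS 1.2 and 1.3 are offered; older protocol versions stay disabled. -->
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
    <!-- The PKCS12 file from Step 1. The keystore password must also open the
         private key inside the file (see the note above). -->
    <Certificate certificateKeystoreFile="conf/spotfire.pfx"
                 certificateKeystorePassword="REPLACE_WITH_PFX_PASSWORD"
                 certificateKeystoreType="PKCS12"
                 certificateKeyAlias="spotfire" />
  </SSLHostConfig>
</Connector>
```

The password is stored in clear text in server.xml, so restrict read access on that file (and on the .pfx) to the account the Spotfire service runs as. `certificateKeyAlias` is only needed when the PKCS12 file holds more than one entry; it must match the alias (the `-name` given to openssl) used when the file was created.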
Step 3 - Import the root CA and any intermediate certificates
Any root CA certificates or intermediate certificates should be imported into the global truststore "cacerts" which is located in (SPOTFIRE BASE DIRECTORY)/jdk/jre/lib/security/cacerts. The default password for this is "changeit"
This can be done via the keytool command as follows (e.g.): Repeat for each certificate that needs to be imported.
Note: keytool is located in (SPOTFIRE INSTALLATION ROOT)/jdk/jre/bin
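The following is an added, self-contained example (not the article's own commands) covering Steps 1 and 3 for an existing PEM certificate: it merges spotfire.pem and spotfire.key into spotfire.pfx, checks that the certificate's SAN names the hosts and that the key belongs to the certificate, and imports a CA certificate into a truststore with keytool. The hostnames, passwords and file names are constructed for the demo, and a self-signed certificate stands in for the CA-issued one; when run for real, point `import_ca` at a copy of the Spotfire cacerts file named in the article.

```sh
#!/bin/sh
# Added example (not from the original article). Merge PEM cert + key into a
# PKCS12 file for server.xml, verify it, and import a CA into a truststore.
# Hostnames, passwords and file names below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
HOST="spotfire.example.com"     # assumed primary host name
ALT="bi.example.com"            # assumed secondary host name
P12PASS="changeit-demo"         # the password that will be placed in server.xml

# Constructed input: a self-signed certificate with a SAN, standing in for the
# certificate a CA would issue. Produces spotfire.pem and spotfire.key.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/spotfire.key" -out "$WORK/spotfire.pem" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST,DNS:$ALT" >/dev/null 2>&1
  chmod 600 "$WORK/spotfire.key"
}

# Step 1: merge <base>.pem and <base>.key (same base name, as the article
# requires) into <base>.pfx. -name sets the alias Tomcat can reference.
pem_to_pkcs12() {
  base="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$base.key" -in "$base.pem" \
    -name spotfire -out "$base.pfx" -passout "pass:$pass"
  chmod 600 "$base.pfx"
}

# Check: the certificate must carry every host name the server answers for.
san_has_host() {
  cert="$1"; host="$2"
  openssl x509 -in "$cert" -noout -ext subjectAltName | grep -q "DNS:$host"
}

# Check: key and certificate belong together (a mismatch is the usual reason
# the HTTPS connector fails to start).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 3: import a root or intermediate certificate into a truststore.
# Test against a copy of cacerts first; its default password is "changeit".
import_ca() {
  store="$1"; alias="$2"; cafile="$3"; storepass="$4"
  keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$cafile" \
    -keystore "$store" -storetype PKCS12 -storepass "$storepass" >/dev/null 2>&1
}

main() {
  make_demo_cert
  pem_to_pkcs12 "$WORK/spotfire" "$P12PASS"
  san_has_host "$WORK/spotfire.pem" "$HOST" || { echo "SAN lacks $HOST"; exit 1; }
  san_has_host "$WORK/spotfire.pem" "$ALT"  || { echo "SAN lacks $ALT"; exit 1; }
  key_matches_cert "$WORK/spotfire.pem" "$WORK/spotfire.key" || { echo "key/cert mismatch"; exit 1; }
  # Confirm the PFX opens with the password that goes into server.xml.
  openssl pkcs12 -in "$WORK/spotfire.pfx" -nokeys -passin "pass:$P12PASS" >/dev/null 2>&1
  echo "created $WORK/spotfire.pfx (SAN and key checks passed)"
  if command -v keytool >/dev/null 2>&1; then
    import_ca "$WORK/truststore.p12" demo-ca "$WORK/spotfire.pem" changeit
    keytool -list -keystore "$WORK/truststore.p12" -storepass changeit 2>/dev/null | grep -q demo-ca \
      && echo "demo-ca imported into $WORK/truststore.p12"
  fi
}

main "$@"
```

OpenSSL 3 writes PKCS12 files with newer (PBES2/AES) encryption; if the JDK bundled with your Spotfire installation refuses to read the file, re-run the export with OpenSSL's `-legacy` option. Always keep a backup of cacerts before importing into the real truststore.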
Generating a CSR
If a certificate is not available, a CSR (Certificate Signing Request) must be generated which can then be signed to obtain certificates.
Under Linux, this can be achieved via the openssl command (e.g.):
Generating a CSR / private key under Windows is more complex and beyond the scope of this document.
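The following is an added example (not the article's own openssl command) of generating the private key and CSR on Linux with the SAN included in the request, then checking the request before it is sent to the CA. The hostnames, subject and file names are constructed; the CSR output as spotfire.csr pairs with spotfire.key, so the certificate the CA returns can be saved as spotfire.pem and merged as described in Step 1.

```sh
#!/bin/sh
# Added example (not from the original article): key + CSR with a SAN, plus
# checks on the request. Hostnames and the subject are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
HOST="spotfire.example.com"      # assumed primary host name
ALT="spotfire-dr.example.com"    # assumed secondary host name

# Generate an unencrypted 2048-bit RSA key and a CSR whose SAN lists every host
# the server will answer for. CAs generally ignore the CN, so the SAN is what counts.
gen_csr() {
  key="$1"; csr="$2"; primary="$3"; alt="$4"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/C=XX/O=Example Org/CN=$primary" \
    -addext "subjectAltName=DNS:$primary,DNS:$alt" >/dev/null 2>&1
  chmod 600 "$key"    # the key is unencrypted; restrict who can read it
}

# List the DNS names requested in the SAN, one per line.
csr_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/DNS://'
}

# The CSR is self-signed with the new key; a failed verify means a corrupt request.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Key size stated in the request (a CA will reject anything under 2048 bits).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

main() {
  gen_csr "$WORK/spotfire.key" "$WORK/spotfire.csr" "$HOST" "$ALT"
  csr_signature_ok "$WORK/spotfire.csr" || { echo "CSR signature invalid"; exit 1; }
  echo "CSR written to $WORK/spotfire.csr ($(csr_key_bits "$WORK/spotfire.csr")-bit key) for:"
  csr_names "$WORK/spotfire.csr"
}

main "$@"
```

Send only spotfire.csr to the CA; the private key never leaves the server. Keep the key file readable by the Spotfire service account only, since it is not password protected.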
Alternate method using Java keystores
An alternate approach is to use Java keystores. This is a proprietary Java format; PKCS12 certificates should be used wherever possible to simplify implementation and administration.
To use a Java keystore the following steps should be performed.
1) Generate a new private key: Note that it is essential to provide the SAN parameter to name at least the primary host.
2) Generate a new CSR based on this keystore
3) Import any root CA or intermediate certificates into the global truststore (see Step 3 above: Import the root CA and any intermediate certificates).
4) Once a new certificate is obtained, import the PEM format certificate as follows:
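The following is an added example (not the article's own keytool commands) of steps 1, 2 and 4 of the Java-keystore route. The store name, alias, password and hostnames are constructed for the demo; the SAN is passed with `-ext` both when generating the key pair and when generating the CSR so the request carries it. The signed certificate is imported under the same alias as the key pair, which replaces the self-signed placeholder that `-genkeypair` created.

```sh
#!/bin/sh
# Added example (not from the original article): the Java keystore route.
# Keystore name, alias, password and hostnames are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
PASS="changeit-demo"            # assumed keystore password (goes into server.xml)
HOST="spotfire.example.com"     # assumed primary host name
ALT="bi.example.com"            # assumed secondary host name

# 1) New private key in a JKS keystore. The SAN extension is essential: it is
#    what makes the eventual certificate valid for the named hosts.
gen_keypair() {
  ks="$1"
  keytool -genkeypair -alias spotfire -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, O=Example Org" -ext "SAN=DNS:$HOST,DNS:$ALT" \
    -keystore "$ks" -storetype JKS -storepass "$PASS" -keypass "$PASS"
  chmod 600 "$ks"
}

# 2) CSR from that key pair; repeat -ext so the SAN is carried in the request.
gen_csr() {
  ks="$1"; csr="$2"
  keytool -certreq -alias spotfire -file "$csr" -ext "SAN=DNS:$HOST,DNS:$ALT" \
    -keystore "$ks" -storepass "$PASS"
}

# 4) Import the CA-signed PEM certificate under the SAME alias so it replaces the
#    self-signed placeholder. -trustcacerts lets keytool build the chain from the
#    global truststore populated in step 3.
import_signed() {
  ks="$1"; cert="$2"
  keytool -importcert -alias spotfire -file "$cert" -trustcacerts -noprompt \
    -keystore "$ks" -storepass "$PASS"
}

# Number of private-key entries in the store (expect exactly one for Tomcat).
keystore_entries() {
  keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null | grep -c 'PrivateKeyEntry'
}

main() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; run this on the Spotfire host (jdk/jre/bin)"
    return 0
  fi
  gen_keypair "$WORK/spotfire.jks"
  gen_csr "$WORK/spotfire.jks" "$WORK/spotfire.csr"
  echo "keystore $WORK/spotfire.jks has $(keystore_entries "$WORK/spotfire.jks") key entry"
  keytool -printcertreq -file "$WORK/spotfire.csr"   # shows the subject and SAN
  # After the CA returns spotfire.pem:
  #   import_signed "$WORK/spotfire.jks" spotfire.pem
}

main "$@"
```

In server.xml the Certificate element then points at the .jks file with `certificateKeystoreType="JKS"` and the same password; `-keypass` and `-storepass` are kept identical above because Tomcat assumes the key password equals the keystore password unless told otherwise.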
Enforcing TLS connections
It is possible to make use of Tomcat's rewrite engine to redirect clients that connect to port 80 to port 443 instead.
1.) In the file server.xml add the following line after the "<Context" section
This adds a new Valve which enables Tomcat's rewrite engine.
2.) Create the following file (adjust the slashes for Windows)
3.) The content of this file is as follows (alter the hostname as appropriate to your environment).
4.) Restart the Spotfire server to make the changes effective
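The following is an added example of the rewrite rules, not the article's own file. It assumes the Valve `<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />` was declared at Host level, in which case Tomcat reads the rules from conf/Catalina/localhost/rewrite.config under the Tomcat directory; for a Valve declared inside a Context, Tomcat reads WEB-INF/rewrite.config of that web application instead. The hostname is a placeholder.

```apacheconf
# Added example. Rules for Tomcat's RewriteValve (the syntax resembles Apache
# httpd mod_rewrite, but only the directives Tomcat documents are available).
# Any request that arrived on the plain HTTP port is redirected permanently to
# the same path on the HTTPS host name; the [L] flag stops further processing.
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://spotfire.example.com$1 [R=301,L]
```

The redirect only takes effect after a client has already sent one cleartext request, so it complements rather than replaces the HTTPS connector; the plain HTTP connector on port 80 must stay enabled for the redirect to be served. Check the result after the restart with `curl -I http://spotfire.example.com/` and confirm a 301 response whose Location header points at the https:// URL.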