Key Takeaway: Remember that mod trust relies on certificate validation, not user permissions. Membership in the Script Author group does not grant mod trust. The mod must be digitally signed with a valid code-signing certificate. Refer to the Spotfire Community article about Spotfire Mods - Working with Trust and Certificates.

All

Use the following checklist to verify your Spotfire environment is correctly configured for mod trust:

1. Trusted Signer Group Configuration

- [ ] Confirm that the certificate used to sign the mod is added as a trusted signer within Spotfire Server. You add the certificate of the entity that signed the mod (e.g., Cloud Software Group) as a trusted signer. Follow these steps on How to Add Trusted Signers to a Group.
- [ ] Associate this trusted signer with the appropriate group (e.g., Everyone). This grants members of that group the ability to use mods signed by this trusted certificate. 

2. Internet Connectivity for Node Manager

Proper certificate validation requires the Node Manager to communicate with certificate authorities over the internet.

- [ ] Confirm the Node Manager machine has direct access to the internet.
- [ ] Ensure the following DigiCert URLs are whitelisted in the firewall and/or proxy: These URLs are essential for the Node Manager to verify the validity of the code-signing certificate used for the mod.
    - [ ] http://ocsp.digicert.com (Online Certificate Status Protocol for real-time revocation checks)
    - [ ] http://cacerts.digicert.com (Repository for DigiCert root and intermediate certificates).

3. Certificate Chain Verification

The complete chain of trust for the code-signing certificate must be present on both the Spotfire Server and Node Manager machines. This ensures that the mod's signature can be traced back to a trusted root authority.

- [ ] Open Certificate Manager (certmgr.msc) on all Spotfire Server and Node Manager machines.
    - [ ] Under "Trusted Root Certification Authorities", confirm the presence of "DigiCert Trusted Root G4"
    - [ ] Under "Intermediate Certification Authorities", confirm the presence of "DigiCert Trusted G4 Code Signing RSA"

By ensuring all items in this checklist are addressed, you can establish a robust and secure environment for deploying and utilizing custom mods within your Spotfire platform.

This article outlines the necessary steps to ensure proper mod trust and certificate validation within your Spotfire environment. Understanding these configurations is crucial for the successful deployment and operation of Spotfire mods.

Doc: Trusting custom content in the Spotfire environment

• https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/trusting_custom_content_in_the_spotfire_environment.html

Community: Spotfire Mods - Working with Trust and Certificates

• https://community.spotfire.com/articles/spotfire/spotfire-mods-working-with-trust-and-certificates/

KB: Newly signed mods by Cloud Software Group certificate do not stay trusted in Spotfire

• https://support.tibco.com/external/article?articleUrl=Newly-signed-mods-by-Cloud-Software-Group-certificate-do-not-stay-trusted-in-Spotfire

Community: Troubleshooting certificate verification issues in Spotfire

• https://community.spotfire.com/articles/spotfire/troubleshooting-certificate-verification-issues-in-spotfire/