Configure Spotfire Node Manager's Internal SSL Certificate Validity.

Article ID: KB0138422

Products: Spotfire Server
Versions: All

Description

The certificates used by the Spotfire Node Manager services (Web Player, Automation Services, etc.) are signed by an internal CA and may have a validity period exceeding one year, which can conflict with some organizations' security policies.

These are internal Spotfire certificates signed by the Spotfire Server CA. They are critical for enabling secure HTTPS/TLS communication between the Node Manager and the Spotfire Server. Deleting these certificates will prevent the Node Manager from communicating with the server, potentially leading to an outage.

Node managers running Spotfire Web Player or Spotfire Automation Services on Windows install these three certificates into the Windows certificate store under the <installation folder>\nodemanager\<version number>\nm\trust\keystore file. A node becomes trusted when a Spotfire administrator manually approves the request, enabling the Spotfire Server CA to issue server and client certificates to it.

Resolution

  • Do not delete the internal Spotfire Node Manager SSL certificates, as this will disrupt communication between the Node Manager and the Spotfire Server.
  • This setting only affects new certificates. To apply these changes to existing certificates, you must either untrust the nodes manually or run the reset-trust command from the command line.
  • Follow the steps below once the Node Manager is untrusted.
    • To edit the configuration.xml file, first export the active configuration, edit the XML file directly (or run the following command), and then import it again.
    • Export the Spotfire configuration using the export-config command, and run the following command.
    • To change the validity period for newly issued certificates, use the set-config-prop command to modify the security.ca.validity-period-end-entity-certs property. For example, to set the validity to 365 days:
      set-config-prop -n "security.ca.validity-period-end-entity-certs" -v "365"
    • After running the command, you can verify the change in the configuration.xml file.
          <ca>
            <validity-period-end-entity-certs>365</validity-period-end-entity-certs>
          </ca>
    • Once the command completes successfully, import the configuration using the import-config command.
    • A restart of the Spotfire services is required for the changes to take effect.
    • After you reset trust for the Node Managers, you can check the changes by running the command config list-certificates.
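
One way to audit the result on a Windows node after trust has been reset, as an added example that is not part of the original article or of Spotfire's tooling: it reads the configured value from the exported configuration.xml and compares it with the lifetime of each certificate issued by the internal CA. The parameter names, the default store path, the issuer wildcard and the one-day tolerance are assumptions to adjust for your environment.

```powershell
# Added example, not Spotfire tooling. Assumptions: -ConfigPath points at the
# exported configuration.xml, -IssuerPattern is a wildcard you choose that matches
# your Spotfire Server CA, and -StorePath is the store holding the node's certs.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,
    [Parameter(Mandatory)] [string] $IssuerPattern,
    [string] $StorePath = 'Cert:\LocalMachine\My',   # assumed default; adjust as needed
    [int]    $GraceDays = 1                          # assumed tolerance for a backdated NotBefore
)

# Read the configured end-entity validity (in days) from the exported configuration.
[xml] $config = Get-Content -LiteralPath $ConfigPath -Raw
$node = $config.SelectSingleNode('//ca/validity-period-end-entity-certs')
if (-not $node) { throw "validity-period-end-entity-certs not found in $ConfigPath" }
$maxDays = 0
if ((-not [int]::TryParse($node.InnerText.Trim(), [ref] $maxDays)) -or ($maxDays -le 0)) {
    throw "Unexpected validity value: '$($node.InnerText)'"
}

# Select end-entity certificates issued by the internal CA. Self-signed entries
# (the CA certificate itself) are skipped because the property does not govern them.
$certs = @(Get-ChildItem -Path $StorePath | Where-Object {
    $_.Issuer -like $IssuerPattern -and $_.Subject -ne $_.Issuer
})
if ($certs.Count -eq 0) {
    throw "No certificates in $StorePath match issuer pattern '$IssuerPattern'"
}

$report = foreach ($cert in $certs) {
    $days = [math]::Ceiling(($cert.NotAfter - $cert.NotBefore).TotalDays)
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        ValidityDays = [int] $days
        # Certificates issued before the change keep their old lifetime until trust is reset.
        Compliant    = $days -le ($maxDays + $GraceDays)
    }
}

$report | Sort-Object Compliant, NotAfter | Format-Table -AutoSize | Out-Host
$stale = @($report | Where-Object { -not $_.Compliant })
Write-Host "Configured maximum: $maxDays days; non-compliant certificates: $($stale.Count)"
if ($stale.Count -gt 0) { exit 1 }
```

The non-zero exit code on any over-long certificate lets the script run as a scheduled compliance check on each node.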

Issue/Introduction

Spotfire Node Manager services utilize internal SSL certificates signed by the Spotfire Server Certificate Authority (CA) for secure communication. These certificates are essential and cannot be deleted, but administrators can configure their validity period to comply with organizational security policies.

Additional Information

Doc: Node Manager Re-Trust

Doc: Trusting Node Manager

KBA: How to edit the configuration