TIBCO Spotfire Webplayer/Automation instances fail to start if the machine has no access to the internet

Article ID: KB0071507

Updated On:

Products Versions
Spotfire Web Player All versions

Description

You may see the following entries in Spotfire.dxp.Worker.host.DEBUG.GUID.log when the Webplayer/Automation instance starts:

INFO ;2023-03-29T15:54:39,921+08:00;2023-03-29 07:54:39,921;6dca8861-073b-4c68-aa96-0741711753d8;(null);WorkerStartup 1;;;Spotfire.Dxp.Worker.Utilities.TrustCertificateHandler;"Could not find certificate in store CertificateAuthority when validating. Are the nodes certificates installed and do Worker process identity 'WindowsIdentity, Name: NT AUTHORITY\SYSTEM, AuthenticationType: Negotiate, ImpersonationLevel: None, IsAnonymous: False, IsAuthenticated: True, IsGuest: False, IsSystem: True, Token: 2144, Owner: S-1-5-32-544 (BuiltinAdministratorsSid, ), User: S-1-5-18 (LocalSystemSid, )' have access to the certificates in the store."

DEBUG;2023-03-30T17:57:42,993+08:00;2023-03-30 09:57:42,993;2101c67f-730f-4c92-89cc-3c6ce6804d90;(null);WorkerStartup 1;Spotfire.Dxp.Worker.Utilities.TrustCertificateHandler;"Found duplicate key store certificate in for Root: Certificate information: Friendly Name: CN=TIBCO Spotfire Root CA,O=Spotfire, Name: TIBCO Spotfire Root CA, SubjectName: CN=TIBCO Spotfire Root CA, O=Spotfire, SerialNumber: 214E93C2CA5A97DF31B086AF2C19C40DEBBD8F5E, Issuer: CN=TIBCO Spotfire Root CA, O=Spotfire, Has private key: False, Verified: True, NotAfter: 2032-02-24T13:06:39,000+08:00, NotBefore: 2022-02-24T13:06:39,000+08:00, Thumbprint: 5C778E88D98E4DD18AEA0D868B6D22BD43EAF721, Version: 3, Signature algorithm: sha256RSA."

 

Issue/Introduction

This article explains why a Webplayer/Automation instance fails with the error "Could not find certificate in store CertificateAuthority when validating. Are the nodes certificates installed and do Worker process identity"

Resolution

The failure is caused by the number of certificates and the total time it takes to verify them when the Webplayer instance starts. If verification takes more than 60 seconds, the Node Manager kills the Worker and tries again, which keeps the instance in a restart loop. Since the machine has no access to the internet, the CRL (Certificate Revocation List) cannot be retrieved, so lower the timeout for getting the CRL as much as possible. This will also speed up the same check for many other connections. Follow the instructions below:
  1. Open Local Group Policy Editor (for example, search for “Edit Group Policy” in the Start Menu)
  2. Go down the tree from “Computer Configuration” => “Windows Settings” => “Security Settings” => “Public Key Policies”
  3. On the right side, double-click on “Certificate Path Validation Settings”
  4. Go to the “Network Retrieval” tab
  5. Select the “Define these policy settings” checkbox
  6. Change both timeout values under “Default retrieval timeout settings” to 1 second
  7. Click “OK”
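
To confirm on a worker node that the two timeouts from step 6 are in effect, the following read-only PowerShell check can be used. It is an added example, not part of the original article or TIBCO tooling. It assumes the policy is stored under the Windows CryptoAPI chain-engine policy key and value names shown, which are not stated in the article; the function name is hypothetical.

```powershell
# Added example: read-only check of the CRL retrieval timeouts on a worker node.
# Assumption (not from the article): "Certificate Path Validation Settings" are
# stored under the CryptoAPI chain-engine policy key below, in milliseconds.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'

# Value name -> Windows default in ms, used when the policy is not defined.
$Timeouts = [ordered]@{
    'ChainUrlRetrievalTimeoutMilliseconds'                = 15000
    'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds' = 20000
}
$TargetMs = 1000   # the article's "1 second"

# Hypothetical helper: one result object per timeout setting.
function Get-CrlTimeoutStatus {
    param(
        [string]$Key    = $PolicyKey,
        [int]   $Target = $TargetMs
    )
    foreach ($name in $Timeouts.Keys) {
        # Returns $null when either the key or the value is missing.
        $item      = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        $defined   = $null -ne $item
        $effective = if ($defined) { [int]$item.$name } else { $Timeouts[$name] }
        [pscustomobject]@{
            Setting     = $name
            Defined     = $defined
            EffectiveMs = $effective
            Compliant   = $defined -and ($effective -le $Target)
        }
    }
}

$status = Get-CrlTimeoutStatus
$status | Format-Table -AutoSize

# A non-zero exit code lets a deployment or monitoring job flag the node.
if ($status.Compliant -contains $false) {
    Write-Warning 'CRL retrieval timeouts are not set to 1 second on this machine.'
    exit 1
}
```

If a value is reported as not defined after the policy has been edited, run `gpupdate /force` and check again.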

Additional Information

External: How to speed up SSL handshake in isolated environments