How to create a self-signed Server certificate to enable HTTPS connection between Spotfire Server 7.9.x and Clients.

Products	Versions
Spotfire Server	7.9 and higher

Description

This consists of two parts. The first part describes how to create a certificate, whereas the second part describes how to enable HTTPS communication between Spotfire Server and Clients.

Environment

This guide works both for Windows and Linux, however it is written for Windows. If you are going to follow these steps on Linux you need to change path names to be in Unix format. For example, instead of "C:\ssl" it will be "/tmp/ssl". The default location in this guide to store Server certificates is "C:\tibco\tss\7.9.x\tomcat\certs", but it can be stored in any other reachable location. Paths in "\tomcat\conf\server.xml" have to be edited accordingly.

Resolution

Part One: Create a self-signed Server certificate to enable HTTPS connection between Spotfire Server 7.x.x and the client.

Open the command prompt and cd (change directory) to the Spotfire certificates directory, which is by default: "C:\tibco\tss\7.x.x\tomcat\certs". The following steps have to be executed from this directory

Generate the Server certificate:

<java-home dir>\bin\keytool -genkeypair -keystore keystore.p12 -storetype PKCS12 -storepass your_password -alias server_alias -keyalg RSA

- Replace "your_password" with a password of your choice.

- Optional: instead of "server_alias" you can use any other name.

IMPORTANT: In response to keytool's first prompt: "What is your first and last name" you must type your SERVER name (FQDN) in lower case letters. You can find it under Control Panel>System and Security>System>Full computer name .
You can hit Enter through the rest of the prompts until you reach the question "Is <your details> correct?", here type "yes" and hit Enter. This will create kyestore.jks file in your \certs\ directory .

Export the generated server certificate in keystore.p12 into the file server.cer:

<java-home dir>\bin\keytool -export -alias server_alias -storepass your_password -file server.cer -keystore keystore.p12

- Replace "your_password" with the password from the previous step.
- If you have chosen name instead of "server_alias" in step 1 replace "server_alias" here also with the same name.

Add the server certificate to the truststore file - cacerts.jks:

<java-home dir>\bin\keytool -import -v -trustcacerts -alias server_alias -file server.cer -keystore cacerts.jks -keypass your_password -storepass your_password

- Replace "your_password" with the password from step 1 above.
- If you have chosen name instead of "server_alias" in step 1 replace "server_alias" here also with the same name.
At this point you will see something that resembles the following.

Owner: CN=myserv, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=myserv, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 751751fc
Valid from: Wed Jun 21 16:27:34 CEST 2017 until: Tue Sep 19 16:27:34 CEST 2017
Certificate fingerprints:
         MD5:  FB:53:8E:40:36:41:98:E5:16:23:E7:BA:CE:3E:4F:BE
         SHA1: 09:A1:F8:DB:DB:54:EE:CB:C6:36:AD:CC:2C:1E:6F:9D:7A:C8:EB:3F
         SHA256: D2:65:67:E1:C8:92:6A:AB:46:5B:EF:1D:15:07:74:28:72:35:D1:25:48:0C:F3:35:99:C6:3A:78:95:10:73:FA
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 11 BB D6 D7 89 3E C3 C3   4A F8 5A 49 7F E3
Trust this certificate?

Note: If you have made previous attempts to create a certificate, on Step 3 you may encounter an error stating "certificate reply and certificate in keystore are identical". At this point simply run the following command:

<java-home dir>\bin\keytool -delete -alias your_alias

and perform Step 3 one more time.

Type "yes" and press Enter. You should see a message similar to the following.

Certificate was added to keystore[Saving cacerts.jks]

Part two: Enable HTTPS communication between Spotfire Server and Clients

Prerequisites: All the files from Part one are stored under <server installation dir>/tomcat/certs location (e.g "C:\tibco\tss\7.9.x\tomcat\certs")

Stop the Spotfire Server.
Edit the configuration file <server installation dir>/tomcat/conf/server.xml and locate the section containing the configuration template for an HTTPS connector:

<!--
<Connector port="443"
           maxHttpHeaderSize="65536"
           connectionTimeout="30000"
           enableLookups="false"
           URIEncoding="UTF-8"
           disableUploadTimeout="true"
           server="TIBCO Spotfire Server"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
           acceptorThreadCount="2"
           keepAliveTimeout="30000"
           maxKeepAliveRequests="-1"
           maxThreads="2000"
           SSLEnabled="true"
           scheme="https"
           secure="true">

  <SSLHostConfig certificateVerification="none"
                 truststoreFile="./certs/cacerts.jks"
                 truststorePass="your_password"
                 truststoreType="jks"
                 sslProtocol="TLS"
                 protocols="+TLSv1.2,+TLSv1.1,+TLSv1"
                 honorCipherOrder="true"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA">

<Certificate certificateKeystoreFile="./certs/keystore.p12"
                 certificateKeystorePassword="your_password"
                 certificateKeystoreType="PKCS12"
                 certificateKeyAlias="server_alias" />
  </SSLHostConfig>
</Connector>
-->

Remove the lines with the comment markers
Update the truststoreFile parameter with the name of the truststore file - in our case "cacerts.jks".
Update the truststorePass with password from above Part one, Step 1 storepass value.
Update the certificateKeystoreFile parameter with the name of the keystore file containing the server certificate and private key- in our case "keystore.p12".
Update the certificateKeystorePassword with password from above Part one, Step 1 above keypass value.
Update the certificateKeystoreType with keystore type from above Part one, Step 1.
Update the certificateKeyAlias with server_alias from above Part one, Step 1.
Disable unencrypted HTTP traffic by locating {code}Connector port="[port number]"{code} section and enclosing it in comment tags  so it looks like the following.

<!-- 
<Connector port="80" 
               maxHttpHeaderSize="65536"
               connectionTimeout="30000"
               enableLookups="false"
               URIEncoding="UTF-8"
               disableUploadTimeout="true"
               server="TIBCO Spotfire Server" /> 
			   
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
               acceptorThreadCount="2"
               keepAliveTimeout="30000"
               maxKeepAliveRequests="-1"
               maxThreads="2000" /> 
                -->

Save the file and start the Spotfire Server.

Issue/Introduction

This KB article describes how to create a self-signed Server certificate and enable HTTPS between a Spotfire server and a client.

Additional Information

https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/
https://docs.tibco.com/products/tibco-spotfire-server-7-9-0

Welcome to "KB Articles"