How to create a self signed server and client certificate using Java keytool, which is included in the Java JDK in the Spotfire server installation.

How to create a self signed server and client certificate using Java keytool, which is included in the Java JDK in the Spotfire server installation.

book

Article ID: KB0083248

calendar_today

Updated On:

Products Versions
Spotfire Server 7.5, 7.6, 7.7, 7.8

Description

Description:
You can create self signed certificates to use for setting up the Spotfire server to use HTTPS and to use it when using the authentication method "X.509 client Certificates Over SSL/TLS)".

Note: For Spotfire Server version 7.9 and higher see 
https://support.tibco.com/s/article/How-to-create-a-self-signed-Server-certificate-to-enable-HTTPS-connection-between-Spotfire-Server-7-9-x-and-Clients

Resolution

While this guide works for both Linux and Windows, it is written for Windows. To make it work on Linux, you need to change the path names to be in the Linux format. Instead of "c:\ssl" it'll be "/tmp/ssl", and you do not need to open a command prompt, you just CD directly to the JDK folder. We are using the paths "C:\ssl\Server" and "C:\ssl\Client" to store the certificates and the certificate stores, but they can be stored anywhere as long as the Spotfire server has access to them.

The guide is split into two parts. Part one will show how to create a server certificate and enable HTTPS on the Spotfire server. It is a requirement to setup the Spotfire server to use HTTPS before enabling Client certificate authentication. Part two will show how to create client certificates and store and how to enable Client certificate authentication.
 

Part One - Enabling HTTPS on the Spotfire server

  1. Log in to the Windows server where Spotfire server is installed.
  2. Open a command prompt and CD into "<server install dir>\jdk\jre\bin"(default C:\tibco\tss\x.x.x\jdk\jre\bin).
  3. Create the server store and certificate by running this command: 
    keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -dname "CN=FQDN" -keypass KEYPASSWORD -storepass STOREPASSWORD -keystore c:\ssl\server\server.jks
     
    • Change serverkey to what ever alias you'd like you certificate to have.
      • Note to only use lowercase in the alias. Due to an error in Tomcat <v7.0.62 you cannot use uppercase or a mix of lower and uppercase in the alias.
         
    • Change the FQDN to the fully qualified domain name of the Windows server, e.g. "CN=myserver.domain.local".
    • Change KEYPASSWORD to a desired keypassword (keypass is used to access the particular key pair's private key).
    • Change STOREPASSWORD to a desired store password (storepass is used to access the key store).
      • Important! If STOREPASSWORD and KEYPASSWORD are not the same, then you need to add "keyPass=KEYPASSWORD" to the server.xml configuration.
         
    • Change c:\ssl\server\server.jks to the path where you would like to save your certificate store.
  4. Open the file "<server install dir>\tomcat\conf\server.xml" in a text editor and locate the section containing the configuration template for an HTTPS connector.
      
    <!--
<Connector port="443"
maxHttpHeaderSize="16384"
connectionTimeout="30000"
enableLookups="false"
URIEncoding="UTF-8"
disableUploadTimeout="true"
server="TIBCO Spotfire Server"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="./certs/[server hostname].jks"
keystorePass="changeit"
keystoreType="jks"
keyAlias="serverkey"
truststoreFile="./certs/[server hostname].jks"
truststorePass="changeit"
truststoreType="jks"
clientAuth="false"/>
-->
  5. Change the keyAlias to match what was given as alias in step 3.(Remember to only use lowercase in the alias when creating the certificate).
  6. Change the keystoreFile to match the path given in step 3.
  7. Change the keystorePass to match the STOREPASSWORD given in step 3.
  8. Remove the lines with the comment markers <!-- and -->.
  9. If you only want to enable HTTPS on the Spotfire server and do not want to use Client certificate authentication, then remove these lines: 
    truststoreFile="./certs/[server hostname].jks"
truststorePass="changeit"
truststoreType="jks"
  10. If you do not want the Spotfire server to listen on HTTP, then comment out the lines below by adding <!-- in front of the first line and --> after the last line: 
    <Connector port="80"
               maxHttpHeaderSize="16384"
               connectionTimeout="30000"
               enableLookups="false"
               URIEncoding="UTF-8"
               disableUploadTimeout="true"
               server="TIBCO Spotfire Server" />
  11. Save the file.
  12. If you do not want to enable client certificate authentication, then restart the Spotfire server.
  13. Done with setting up HTTPS.
 

Part Two - Enabling Client certificate authentication

  1. Make sure you have followed part one to enable HTTPS and that you have not removed the lines mentioned in step 9.
  2. In the command prompt opened in step 2 of Part One, run the following command to create a client certificate and store: 
    keytool -genkeypair -alias clientkey -keyalg RSA -keysize 2048 -dname "CN=USERNAME" -keypass KEYPASSWORD -storepass STOREPASSWORD -keystore c:\ssl\client\client.jks
     
    • Change clientkey to what ever alias you'd like you certificate to have.
    • Change the USERNAME to the username of the user that is to be logged into Spotfire when using this certificate.
    • Change KEYPASSWORD to a desired keypassword (keypass is used to access the particular key pair's private key).
    • Change STOREPASSWORD to a desired store password (storepass is used to access the key store).
    • change c:\ssl\client\client.jks to the path where you'd like to save your certificate store.
  3. Create a browser keystore most browsers can easily read. 
    keytool -importkeystore -srckeystore c:\ssl\client.jks -srcstorepass STOREPASSWORD -srcalias clientkey -destkeystore c:\ssl\client\client.p12 -deststoretype PKCS12 -deststorepass DESTPASSWORD -destalias DESTALIAS -noprompt
     
    • Change clientkey to what ever alias you would like your certificate to have.
    • Change STOREPASSWORD to a desired store password (storepass is used to access the key store).
    • Change c:\ssl\client\client.jks to the path specified in step 2.
    • Change c:\ssl\client\client.p12 to where you want to save your certificate.
    • Change DESTPASSWORD to a desired password. This needs to be entered when importing the certificate in the browser.
    • Change DESTALIAS to whatever alias you like.
  4. Open the file "<server install dir>\tomcat\conf\server.xml" in a text editor as in step 4 in Part One.
  5. Look at the last lines of the template configuration. 
    truststoreFile="./certs/[server hostname].jks"
truststorePass="changeit"
truststoreType="jks"
clientAuth="false"/>
     
    • Change truststoreFile to match what path you entered in step 2.
    • Change truststorePass to match the STOREPASSWORD entered in step 2.
    • Set clientAuth to true.
  6. Save the file.
  7. Copy the resulting .p12 file to your client and import it into your browser by double clicking on it.

Change the configuration of the Spotfire server and set the authentication method to "X.509 client Certificates Over SSL/TLS)". You can do this in two ways, either via the configuration GUI or via the command line.

To change the authentication method using the configuration tool GUI.

  1. Run the file "<server install dir>\tomcat\bin\uiconfig.bat"(default C:\tibco\tss\x.x.x\tomcat\bin\uiconfig.bat).
  2. Go to the "Configuration" tab and click on "Configuration Start" in the menu.
  3. Set "Authentication" to "X.509 client Certificates Over SSL/TLS)".
  4. Save the configuration the database.
  5. Restart the Spotfire server.

You can now log into Spotfire using the certificate.

To change the authentication method using the command line.

  1. Open a command prompt and CD into "<server install dir>\tomcat\bin"(default C:\tibco\tss\x.x.x\tomcat\bin).
  2. Export the current configuration from the database by running this command:
  3. config.bat export-config --force
  4. Set the configuration method by running the following command. 
  5. config.bat config-auth -a CLIENT_CERT
  6. Import the configuration to the database by running the following command. 
    config.bat import-config -c "Some comment"
  7. Restart the Spotfire server.
You can now log into Spotfire using the certificate.

Issue/Introduction

How to create a self signed server and client certificate using Java keytool, which is included in the Java JDK in the Spotfire server installation.

Additional Information

https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-58E436B3-A057-431C-B65C-92FCE34AB224.html Configuring HTTPS
https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-FA0E0B87-52A7-4E15-8B6C-4F6EA858681F.html Using X.509 Client certificate
https://support.tibco.com/s/article/How-to-create-a-self-signed-Server-certificate-to-enable-HTTPS-connection-between-Spotfire-Server-7-9-x-and-Clients Spotfire Server 7.9 and higher
Powered by Wolken Software