What role does clock synchronization play in SSL communcation (when troubleshooting Spotfire Node Manager and Spotfire Server trust issues)
Article ID: KB0077041
Updated On:
| Products | Versions |
|---|---|
| Spotfire Server | 7.5 and higher |
Description
There may be instances when Node Manager trust fails.
The NM.log shows the below errors:
---------------------------------------------
ERROR 2019-07-29T14:46:20,484+0700 [] nodemanager.trust.DelayUntilAuthorizedGate: Could not connect to supervisor Node [serverName=aap1.xxxx.com, port=9443]: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Sat Jul 27 15:34:46 ICT 2019, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []
Details: I/O error on POST request for "https://aap1.xxxx.com:9443/spotfire/nodemanager/ping/5dfd71dc-67bf-41e6-9338-c150f23a7d1a": sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Thu Oct 11 19:04:48 AEDT 2018, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Thu Oct 11 19:04:48 AEDT 2018, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []
----------------------------------------------
- The above issues/errors are seen if the System clocks of the Node Manager server and Spotfire server are not in sync.
All back-end communication in a Spotfire environment is secured by HTTPS/TLS, complying with current security standards and industry best practices.
Spotfire Servers listen to incoming traffic from installed clients and web clients on one HTTP or HTTPS port, the front-end communication port. Spotfire Servers listen to traffic from services on the nodes on another HTTPS port, the back-end communication port.
In SSL, clocks are used for certificate validation. The client needs to make sure that it talks to the right server; for that, the client will validate the server's certificate. Validation implies verifying a lot of things; two of them involve clocks:
The server's certificate (and all involved CA certificates) must include the present time in their validity time range.
The client is supposed to obtain the revocation status of each certificate, by obtaining (and validating) a CRL (Certificate Revocation List) from the appropriate issuers (the CA).
If the client's clock is off or not in sync then it will break either or both of these functionalities. For instance, the server's certificate will be considered as "long expired", or "not usable yet", leading to rejection.
The NM.log shows the below errors:
---------------------------------------------
ERROR 2019-07-29T14:46:20,484+0700 [] nodemanager.trust.DelayUntilAuthorizedGate: Could not connect to supervisor Node [serverName=aap1.xxxx.com, port=9443]: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Sat Jul 27 15:34:46 ICT 2019, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []
Details: I/O error on POST request for "https://aap1.xxxx.com:9443/spotfire/nodemanager/ping/5dfd71dc-67bf-41e6-9338-c150f23a7d1a": sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Thu Oct 11 19:04:48 AEDT 2018, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Thu Oct 11 19:04:48 AEDT 2018, authority: CN=TIBCO Spotfire Signing CA, O=Spotfire, extension OIDs: []
----------------------------------------------
- The above issues/errors are seen if the System clocks of the Node Manager server and Spotfire server are not in sync.
All back-end communication in a Spotfire environment is secured by HTTPS/TLS, complying with current security standards and industry best practices.
Spotfire Servers listen to incoming traffic from installed clients and web clients on one HTTP or HTTPS port, the front-end communication port. Spotfire Servers listen to traffic from services on the nodes on another HTTPS port, the back-end communication port.
In SSL, clocks are used for certificate validation. The client needs to make sure that it talks to the right server; for that, the client will validate the server's certificate. Validation implies verifying a lot of things; two of them involve clocks:
The server's certificate (and all involved CA certificates) must include the present time in their validity time range.
The client is supposed to obtain the revocation status of each certificate, by obtaining (and validating) a CRL (Certificate Revocation List) from the appropriate issuers (the CA).
If the client's clock is off or not in sync then it will break either or both of these functionalities. For instance, the server's certificate will be considered as "long expired", or "not usable yet", leading to rejection.
Issue/Introduction
This article addresses Node manager trust issues with the Spotfire Server
Environment
All supported Operating systems
Resolution
Date & Time settings can be matched manually. If the settings are greyed out/ disabled, one needs to contact the System Administrator/Windows IT team as these settings may be controlled/lock-down using Windows group policies (GPO).
Example:
If the machines (Node Manager server and Spotfire server) are in the same time zone, the difference in time should not be more than 5 minutes.
Example:
If the machines (Node Manager server and Spotfire server) are in the same time zone, the difference in time should not be more than 5 minutes.
Additional Information
Feedback
Yes
No
Powered by
