TIBCO Spotfire® Server and Environment Security

Node Trust and Back-End HTTPS Communication

Node managers and Spotfire Server use encrypted HTTPS for communication. All endpoints are authenticated using either server or client certificates issued by the Spotfire Server root certificate, which acts as a certificate authority for a particular Spotfire environment.

Neither the Spotfire Server nor the client certificates used by the various components of the system are self-signed. They are all signed by the certificate authority that is part of the Spotfire Server. Each Spotfire Server installation generates its own unique root certificate. You cannot provide your own.
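The trust property described above can be checked with standard `openssl` commands. The following is an added example, not part of the Spotfire product or its documentation: it builds two throwaway root CAs as stand-ins for two separate installations and classifies certificates against one of them. All file names, subject names, and the `envA`/`envB` labels are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name and file below is invented for illustration.
set -u
work=$(mktemp -d)

new_root() {   # new_root <name>: self-signed root, stand-in for one environment's CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1 root" \
    -keyout "$work/$1-root.key" -out "$work/$1-root.pem" 2>/dev/null
}

issue_node() { # issue_node <root-name> <node-name>: node certificate signed by that root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
    -CA "$work/$1-root.pem" -CAkey "$work/$1-root.key" -out "$work/$2.pem" 2>/dev/null
}

# Succeeds when openssl can build a chain from the certificate to the given root.
# System default trust paths are also consulted unless -no-CApath is added (OpenSSL 1.1.0+).
issued_by_root() {  # issued_by_root <root.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

classify_cert() {   # classify_cert <root.pem> <cert.pem>
  subj=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
  iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
  if issued_by_root "$1" "$2"; then echo environment-ca
  elif [ "$subj" = "$iss" ]; then echo self-signed
  else echo other-issuer; fi
}

build_demo() {
  new_root envA; new_root envB           # two separate installations, two unique roots
  issue_node envA nodeA; issue_node envB nodeB
  # A certificate that no CA issued.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$work/rogue.key" -out "$work/rogue.pem" 2>/dev/null
}

build_demo
for c in nodeA nodeB rogue; do
  echo "$c: $(classify_cert "$work/envA-root.pem" "$work/$c.pem")"
done
```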

The node manager and Spotfire Server registration ports (9080/tcp) are used to establish the trust. These ports use plain HTTP and are used only when new nodes are added to the cluster. After trust is established, any further communication is done over a secured HTTPS connection using the communication port (9443/tcp). For a node to become trusted, a member with the role of Spotfire administrator must manually trust the node, enabling the Spotfire Server certificate authority to issue server and client certificates to it. If a node is untrusted by an administrator through the web administration interface, the Online Certificate Status Protocol (OCSP) is used to communicate that the certificate for the untrusted node has been revoked.

Node managers running a Spotfire service or Spotfire Automation Services install the three certificates into the Windows certificate store at the machine level.