Configuring HTTPS
HTTPS ensures that the communication between clients and Spotfire Servers is encrypted.
Before you begin
Procedure
- Stop Spotfire Server.
- Copy the keystore file to the <server installation dir>/tomcat/certs directory. We suggest using the server's hostname as the keystore filename.
- Open the configuration file <server installation dir>/tomcat/conf/server.xml in an XML editor or a text editor and locate the section containing the configuration template for an HTTPS connector:
  (In your installation, [server hostname] is replaced with the actual hostname of your server.)

      <!--
      <Connector port="443"
                 maxHttpHeaderSize="65536"
                 connectionTimeout="30000"
                 enableLookups="false"
                 URIEncoding="UTF-8"
                 disableUploadTimeout="true"
                 server="TIBCO Spotfire Server"
                 compression="on"
                 compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
                 acceptorThreadCount="2"
                 keepAliveTimeout="30000"
                 maxKeepAliveRequests="-1"
                 maxThreads="2000"
                 SSLEnabled="true"
                 scheme="https"
                 secure="true">
        <SSLHostConfig certificateVerification="none"
                       truststoreFile="./certs/[server hostname].jks"
                       truststorePass="changeit"
                       truststoreType="jks"
                       sslProtocol="TLS"
                       protocols="TLSv1.2"
                       honorCipherOrder="true"
                       ciphers ...
          <Certificate certificateKeystoreFile="./certs/[server hostname].jks"
                       certificateKeystorePassword="changeit"
                       certificateKeystoreType="jks"
                       certificateKeyAlias="[server hostname]" />
        </SSLHostConfig>
      </Connector>
      -->

- Remove the lines with the comment markers <!-- and -->.
- Update the certificateKeystoreFile parameter with the name of the keystore file containing the server certificate and private key.
- Set the certificateKeystorePassword parameter to the password for the keystore file containing the server certificate and private key.
- Set the certificateKeystoreType parameter to jks for a Java keystore or pkcs12 for a PKCS #12 keystore.
- If the keystore contains certificates in addition to the server certificate, set the certificateKeyAlias parameter to the alias of the server certificate and private key.
- Unless you will enable X.509 client certificate authentication, remove the truststoreFile, truststorePass, and truststoreType parameters.
- To disable unencrypted HTTP traffic, follow these steps:
  - Locate the section containing the default HTTP connector:
    (In your installation, [HTTP port] is replaced with the HTTP port of your server.)

        <Connector port="[HTTP port]"
                   maxHttpHeaderSize="65536"
                   connectionTimeout="30000"
                   enableLookups="false"
                   URIEncoding="UTF-8"
                   disableUploadTimeout="true"
                   server="TIBCO Spotfire Server"
                   compression="on"
                   compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
                   acceptorThreadCount="2"
                   keepAliveTimeout="30000"
                   maxKeepAliveRequests="-1"
                   maxThreads="2000" />

  - Add comment markers <!-- and --> around the HTTP connector configuration:

        <!--
        <Connector port="[HTTP port]"
                   maxHttpHeaderSize="65536"
                   connectionTimeout="30000"
                   enableLookups="false"
                   URIEncoding="UTF-8"
                   disableUploadTimeout="true"
                   server="TIBCO Spotfire Server"
                   compression="on"
                   compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
                   acceptorThreadCount="2"
                   keepAliveTimeout="30000"
                   maxKeepAliveRequests="-1"
                   maxThreads="2000" />
        -->

- Start Spotfire Server.
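
A pre-start check for the edits above, as an added example that is not part of the Spotfire documentation: it parses server.xml and reports template values and plaintext connectors left behind. The function name, the finding texts and the sample configuration are constructed for illustration, and treating every connector without SSLEnabled="true" as plaintext is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS template was uncommented but left with its
# template values, and the default HTTP connector is still active.
SAMPLE_BAD = """<Server><Service name="Catalina">
  <Connector port="80" maxThreads="2000" />
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="none" protocols="TLSv1.2"
        truststoreFile="./certs/[server hostname].jks" truststorePass="changeit"
        truststoreType="jks">
      <Certificate certificateKeystoreFile="./certs/[server hostname].jks"
          certificateKeystorePassword="changeit" certificateKeystoreType="jks"
          certificateKeyAlias="[server hostname]" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are ignored.
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    for c in connectors:
        if c not in tls:
            findings.append(f"plaintext connector active on port {c.get('port')}")
    if not tls:
        findings.append("no HTTPS connector enabled")
    for c in tls:
        for host in c.iter("SSLHostConfig"):
            trust = [a for a in host.attrib if a.startswith("truststore")]
            if host.get("certificateVerification", "none") == "none" and trust:
                findings.append("truststore parameters set without client certificate authentication")
            for cert in host.iter("Certificate"):
                if cert.get("certificateKeystorePassword") == "changeit":
                    findings.append("keystore password is still the template value")
                if "[server hostname]" in cert.get("certificateKeystoreFile", ""):
                    findings.append("certificateKeystoreFile still has the template placeholder")
                if cert.get("certificateKeystoreType") not in ("jks", "pkcs12"):
                    findings.append("certificateKeystoreType must be jks or pkcs12")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_BAD):
        print("FINDING:", finding)
```

To check a real installation, pass the contents of <server installation dir>/tomcat/conf/server.xml to audit_server_xml instead of the sample.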