Configuring HTTPS

HTTPS ensures that the communication between clients and Spotfire Servers is encrypted.

Prerequisites

Obtain a server certificate and private key, stored in a Java keystore (JKS) or PKCS #12 keystore (P12/PFX).

Procedure

  1. Stop Spotfire Server.
  2. Copy the keystore file to the <server installation dir>/tomcat/certs directory. We suggest using the server's hostname as the keystore filename.
  3. Open the configuration file <server installation dir>/tomcat/conf/server.xml in an XML editor or a text editor and locate the section containing the configuration template for an HTTPS connector:
    <!-- 
          <Connector port="443"
                   maxHttpHeaderSize="65536"
                   connectionTimeout="30000"
                   enableLookups="false"
                   URIEncoding="UTF-8"
                   disableUploadTimeout="true"
                   server="TIBCO Spotfire Server"
                   compression="on"
                   compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
                   acceptorThreadCount="2"
                   keepAliveTimeout="30000"
                   maxKeepAliveRequests="-1"
                   maxThreads="2000"
                   SSLEnabled="true"
                   scheme="https"
                   secure="true">
          <SSLHostConfig certificateVerification="none"
                         truststoreFile="./certs/[server hostname].jks"
                         truststorePass="changeit"
                         truststoreType="jks"
                         sslProtocol="TLS"
                         protocols="+TLSv1.2,+TLSv1.1,+TLSv1"
                         honorCipherOrder="true"
                         ciphers
    			...
            <Certificate certificateKeystoreFile="./certs/[server hostname].jks"
                         certificateKeystorePassword="changeit"
                         certificateKeystoreType="jks"
                         certificateKeyAlias="[server hostname]" />
          </SSLHostConfig>
        </Connector>
    -->
    (In your installation, [server hostname] is replaced with the actual hostname of your server.)
  4. Remove the lines with the comment markers <!-- and -->.
  5. Update the certificateKeystoreFile parameter with the name of the keystore file containing the server certificate and private key.
  6. Set the certificateKeystorePassword parameter to the password for the keystore file containing the server certificate and private key.
  7. Set the certificateKeystoreType parameter to jks for a Java keystore or pkcs12 for a PKCS #12 keystore.
  8. If the keystore contains other certificates in addition to the server certificate, the certificateKeyAlias parameter must be set to the alias for the server certificate and private key.
  9. Unless you will enable X.509 client certificate authentication, remove the truststoreFile, truststorePass, and truststoreType parameters.
  10. To disable unencrypted HTTP traffic, follow these steps:
    1. Locate the section containing the default HTTP connector:
      <Connector port="[HTTP port]"
      maxHttpHeaderSize="16384"
      connectionTimeout="30000"
      enableLookups="false"
      URIEncoding="UTF-8"
      disableUploadTimeout="true"
      server="TIBCO Spotfire Server" />
      (In your installation, [HTTP port] is replaced with the HTTP port of your server.)
    2. Add comment markers <!-- and --> around the HTTP connector configuration:
      <!--
      <Connector port="[HTTP port]"
      maxHttpHeaderSize="16384"
      connectionTimeout="30000"
      enableLookups="false"
      URIEncoding="UTF-8"
      disableUploadTimeout="true"
      server="TIBCO Spotfire Server" />
      -->
  11. Start Spotfire Server.
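
Before starting the server in step 11, the edited server.xml can be checked against steps 4 to 10. The following is an added example, not part of the Spotfire documentation or product; the function name audit_connectors, the hostname spotfire.example.com and the sample XML are constructed for illustration, and any connector without SSLEnabled="true" is assumed to be a plain HTTP connector.

```python
import xml.etree.ElementTree as ET

TRUSTSTORE_ATTRS = ("truststoreFile", "truststorePass", "truststoreType")

def audit_connectors(server_xml):
    """Return findings for the active (not commented-out) Connector elements."""
    findings = []
    root = ET.fromstring(server_xml)  # the parser drops XML comments
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Simplification: any connector without SSLEnabled="true" counts as plain HTTP.
            findings.append(f"port {port}: unencrypted connector still active (step 10)")
            continue
        for host in conn.iter("SSLHostConfig"):
            left = [a for a in TRUSTSTORE_ATTRS if a in host.attrib]
            if left and host.get("certificateVerification", "none") == "none":
                findings.append(f"port {port}: unused truststore attributes {left} (step 9)")
            for cert in host.iter("Certificate"):
                if "[" in cert.get("certificateKeystoreFile", "["):
                    findings.append(f"port {port}: certificateKeystoreFile not set (step 5)")
                if not cert.get("certificateKeystorePassword"):
                    findings.append(f"port {port}: certificateKeystorePassword missing (step 6)")
                if cert.get("certificateKeystoreType", "").lower() not in ("jks", "pkcs12"):
                    findings.append(f"port {port}: certificateKeystoreType must be jks or pkcs12 (step 7)")
    if not any(c.get("SSLEnabled", "").lower() == "true" for c in root.iter("Connector")):
        findings.append("no active HTTPS connector (step 4)")
    return findings

# Constructed sample: HTTPS connector enabled, but steps 7, 9 and 10 were skipped.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="80" connectionTimeout="30000" />
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="none"
                   truststoreFile="./certs/spotfire.example.com.jks"
                   truststorePass="example-only" truststoreType="jks">
      <Certificate certificateKeystoreFile="./certs/spotfire.example.com.p12"
                   certificateKeystorePassword="example-only"
                   certificateKeystoreType="p12"
                   certificateKeyAlias="spotfire.example.com" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for line in audit_connectors(SAMPLE):
        print(line)
```

To check a real installation, pass the text of <server installation dir>/tomcat/conf/server.xml to audit_connectors; an empty list means none of these checks fired.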