Node Trust and Back-End HTTPS Communication
Node managers and Spotfire Server use encrypted HTTPS for communication. All endpoints are authenticated using either server or client certificates issued by the Spotfire Server root certificate, which acts as a certificate authority for a particular Spotfire environment.
Neither the Spotfire Server nor the client certificates used by the various components of the system are self-signed. They are all signed by the certificate authority that is part of the Spotfire Server. Each Spotfire Server installation generates its own unique root certificate. You cannot provide your own.
SHA256withRSA.
SHA256withRSA, then you must generate new CA certificates. If you generated certificates using a version earlier than Spotfire Server 10.1.0 (which used the default SHA1withRSA), then you must revoke all certificates using the reset-trust command, and then generate new CA certificates, which use the new algorithm, and retrust all existing nodes.
2048, in accordance with the current Mozilla recommendations.
reset-trust, generate new CA certificates, and retrust all existing nodes.
Certificate configuration property | Description |
---|---|
security.ca.cert-signature-algorithm | Configuration property to set the signing algorithm. Default: |
security.ca.rsa-key-strength | Configuration property key length. Default: |
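An added example (not from the Spotfire documentation): a Python check that reads the text printed by `openssl x509 -noout -text` for an exported certificate and flags one signed with SHA1withRSA or carrying an RSA key shorter than 2048 bits. The function name, the mapping from OpenSSL names to the Java-style names used on this page, and the sample dumps are assumptions constructed for illustration.

```python
import re

# Java-style names used on this page, keyed by the name OpenSSL prints.
OPENSSL_TO_JAVA = {
    "sha1WithRSAEncryption": "SHA1withRSA",
    "sha256WithRSAEncryption": "SHA256withRSA",
}
MIN_RSA_BITS = 2048  # key length named on this page


def audit_cert_text(text):
    """Return (signature_algorithm, key_bits, findings) for one text dump."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    # Matches both "Public-Key: (N bit)" and the older "RSA Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not sig or not bits:
        raise ValueError("not recognisable `openssl x509 -text` output")
    alg = OPENSSL_TO_JAVA.get(sig.group(1), sig.group(1))
    key_bits = int(bits.group(1))
    findings = []
    if alg == "SHA1withRSA":
        findings.append("signed with SHA1withRSA (pre-10.1.0 default): run "
                        "reset-trust, generate new CA certificates, retrust nodes")
    elif alg != "SHA256withRSA":
        findings.append(f"unexpected signature algorithm {alg}")
    if key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {key_bits} bits, below {MIN_RSA_BITS}")
    return alg, key_bits, findings


# Constructed sample output (trimmed), not taken from a real Spotfire node.
LEGACY = """Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
MODERN = LEGACY.replace("sha1With", "sha256With").replace("1024", "2048")

if __name__ == "__main__":
    for name, dump in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, audit_cert_text(dump))
```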
The node manager and Spotfire Server registration ports (9080/tcp) are used to establish the trust. These ports use plain HTTP and are used only when new nodes are added to the cluster. After trust is established, any further communication is done over a secured HTTPS connection using the communication port (9443/tcp). For a node to become trusted, a member with the role of Spotfire administrator must manually trust the node, enabling the Spotfire Server certificate authority to issue server and client certificates to it. If a node is untrusted by an administrator through the web administration interface, the Online Certificate Status Protocol (OCSP) is used to communicate that the certificate for the untrusted node has been revoked.
Node managers running a Spotfire Web Player service or Spotfire Automation Services on Windows install the three certificates into the Windows certificate store at the machine level.