Node Trust and Back-End HTTPS Communication

Node managers and Spotfire Server use encrypted HTTPS for communication. All endpoints are authenticated using either server or client certificates issued by the Spotfire Server root certificate, which acts as a certificate authority for a particular Spotfire environment.

Neither the Spotfire Server nor the client certificates used by the various components of the system are self-signed. They are all signed by the certificate authority that is part of the Spotfire Server. Each Spotfire Server installation generates its own unique root certificate. You cannot provide your own.

The signing algorithm, which is used for both certificate authentication (CA) and end-entry certificates, is configurable. By default, it is set to SHA256withRSA.

Note: If want to get new CA certificates that use the default SHA256withRSA, then you must generate new CA certificates. If you generated certificates using a version earlier than Spotfire Server 10.1.0 (which used the default SHA1withRSA), then you must revoke all certificates using the reset-trust command, and then generate new CA certificates, which use the new algorithm, and retrust all existing nodes.

The key length is also configurable. The default is set to 2048, in accordance with the current Mozilla recommendations.

Note: Any changes to the configured value affects only new certificates, so first reconfigure, and then run reset-trust, generate new CA certificates, and retrust all existing nodes.


Certificate configuration property	Description
`security.ca.cert-signature-algorithm`	Configuration property to set the signing algorithm. Default: `SHA256withRSA`
`security.ca.rsa-key-strength`	Configuration property key length. Default: `2048`

The node manager and Spotfire Server registration ports (9080/tcp) are used to establish the trust. These ports use plain HTTP and are used only when new nodes are added to the cluster. After trust is established, any further communication is done over a secured HTTPS connection using the communication port (9443/tcp). For a node to become trusted, a member with the role of Spotfire administrator must manually trust the node, enabling the Spotfire Server certificate authority to issue server and client certificates to it. If a node is untrusted by an administrator through the web administration interface, the Online Certificate Status Protocol (OCSP) is used to communicate that the certificate for the untrusted node has been revoked.

Node managers running a Spotfire Web Player service or Spotfire Automation Services on Windows install the three certificates into the Windows certificate store under the machine level.