Configuring HTTPS
HTTPS ensures that the communication between clients and Spotfire Server is encrypted.
Before you begin
About this task
Note: Creating or obtaining certificates, private keys, or a standard Java or PKCS #12 keystore is outside of the scope of the Spotfire Server guidance. See one of the many available technical sources for generating these artifacts.
Procedure
- Stop Spotfire Server.
-
Copy the keystore file to the
<server installation
dir>/tomcat/certs directory.
We suggest using the server's hostname as keystore filename.
-
Open the configuration file
<server installation
dir>/tomcat/conf/server.xml in an XML editor or a text
editor and locate the section containing the configuration template for an
HTTPS connector:
(In your installation,<!-- <Connector port="443" maxHttpHeaderSize="65536" connectionTimeout="30000" enableLookups="false" URIEncoding="UTF-8" disableUploadTimeout="true" server="Spotfire Server" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml" keepAliveTimeout="30000" maxKeepAliveRequests="-1" maxThreads="2000" SSLEnabled="true" scheme="https" secure="true"> <SSLHostConfig certificateVerification="none" truststoreFile="./certs/[server hostname].jks" truststorePass="changeit" truststoreType="jks" sslProtocol="TLS" protocols="TLSv1.2" honorCipherOrder="true" ciphers ... <Certificate certificateKeystoreFile="./certs/[server hostname].jks" certificateKeystorePassword="changeit" certificateKeystoreType="jks" certificateKeyAlias="[server hostname]" /> </SSLHostConfig> </Connector> -->[server hostname]is replaced with the actual hostname of your server.) -
Remove the lines with the comment markers
<!--and-->. -
Update the
certificateKeystoreFileparameter with the name of the keystore file containing the server certificate and private key. -
Set the
certificateKeystorePasswordparameter to the password for the keystore file containing the server certificate and private key. -
Set the
certificateKeystoreTypeparameter for your type of keystore:Option Description jksJava keystore pkcs12PKCS #12 keystore - If the keystore contains more certificates than just the server certificate, then you must set the certificateKeyAlias parameter to the alias for the server certificate and private key.
-
If you do not plan on enabling X.509 client certificate authentication, then you must remove the trust store type parameters truststoreFile,
truststorePass, and
truststoreType.
If these artifacts are not removed, then Tomcat can fail to start. For more information about certificate configuration, see the Apache Tomcat documentation.
-
Disable unencrypted HTTP traffic, as follows:
- Locate the section
containing the default HTTP connector:
<Connector port="[HTTP port]" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="65536" connectionTimeout="30000" enableLookups="false" URIEncoding="UTF-8" disableUploadTimeout="true" server="Spotfire Server" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml" keepAliveTimeout="30000" maxKeepAliveRequests="-1" maxThreads="2000" />(In your installation,
[HTTP port]is replaced with the HTTP port of your server.) - Add comment markers
<!--and-->around the HTTP connector configuration:<!-- <Connector port="[HTTP port]" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="65536" connectionTimeout="30000" enableLookups="false" URIEncoding="UTF-8" disableUploadTimeout="true" server="Spotfire Server" compression="on" compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml" keepAliveTimeout="30000" maxKeepAliveRequests="-1" maxThreads="2000" /> -->
- Locate the section
containing the default HTTP connector:
- Start Spotfire Server.