Spotfire® Server and Environment - Installation and Administration

Configuring LDAPS

When Spotfire Server communicates with an LDAP directory server, administrators typically protect the LDAP connection with TLS (LDAPS) if the directory supports it. Without TLS, the bind credentials and every directory query cross the network in clear text.

Before you begin

  • The LDAP directory server has been set up to communicate using TLS.

About this task

Select one of the following three alternatives for configuring LDAPS certificates.

Alternative 1: Commercial certificates

If the LDAP server certificate was issued by a commercial (public) certificate authority, its root certificate is most likely already present in the trust store bundled with Java, and no further configuration is needed. The LDAP server must still send its full certificate chain (including any intermediate CA certificates) during the TLS handshake; if it only sends the leaf certificate, trust validation fails even though the root is trusted.

Alternative 2: Self-signed certificates stored in tomcat/certs (preferred when using self-signed certificates)

If you are using self-signed certificates with Spotfire Server, each certificate can have its own keystore file that holds the trust for the SSL/TLS communication. In this alternative, the keystore files are stored in the tomcat/certs directory on each computer in the cluster, where they are automatically copied and kept during server upgrades.

All trust store files used for LDAPS in the tomcat/certs directory must share the same password. The Java cacerts file can keep its default password (changeit), but if you change that password, it must be the same one that is used for the trust files in tomcat/certs. To use a password other than changeit, add the Java startup parameter javax.net.ssl.trustStorePassword either to the start script or to the service. See "Virtual memory modification".

For each certificate that is to be trusted, create a .jks file containing that certificate in the directory <installation dir>/tomcat/certs, protected with the shared password. This must be done on every Spotfire Server in the cluster. Give the files descriptive names, such as the name of the LDAP server whose certificate they hold.

Alternative 3: Self-signed certificates stored in the default Java trust store

The default trust store provided by Java is located in <installation dir>/jdk/lib/security/cacerts. Its default password is changeit. You can add certificates to this file.

Note: This file is not copied during upgrades, so certificates added here must be imported again after each Spotfire Server upgrade. This is why Alternative 2 is preferred for self-signed certificates.

To add certificates to the Java trust store:

Procedure

  1. Export the LDAP server certificate (or the CA certificate that signed it) and copy it to the Spotfire Server computer.
  2. Open a command-line interface and navigate to the <installation dir>/jdk/lib/security directory.
  3. Run the following keytool command, replacing ldapserver.crt with the name of the exported certificate file.
    ../../bin/keytool -importcert -file ldapserver.crt -keystore cacerts -alias spotfire_ldaps
  4. When prompted, enter the password for the cacerts keystore (changeit unless you have changed it) and confirm that the certificate should be trusted.
  5. Repeat the import on every Spotfire Server in the cluster.
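Whichever alternative you choose, it is worth confirming that the Spotfire JVM can actually build a trusted TLS connection to the LDAP server before the service is restarted. The following Java program is an added example, not part of Spotfire Server or its documentation. It loads the same trust material described above (every .jks file in tomcat/certs, each opened with the shared password, plus the bundled cacerts file) and performs a TLS handshake with the LDAP server, including host name verification. The installation directory, the shared trust store password, and the LDAP host and port are assumptions supplied as command-line arguments; the class name LdapsTrustCheck is the example's own.

```java
// Added example (not Spotfire code): verify that the LDAPS server certificate is trusted by
// the trust stores Spotfire Server uses, before restarting the service.
// Assumptions: argument 1 is <installation dir>, argument 2 the shared trust store password,
// arguments 3 and 4 the LDAP server host name and port (636 for LDAPS).
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class LdapsTrustCheck {

    /** Opens one keystore file and copies its trusted certificate entries into the combined store. */
    static int mergeTrustStore(Path file, char[] password, KeyStore combined) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password); // an IOException here means the password is wrong or the file is damaged
        }
        int count = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // Prefix the alias with the file name so entries from different files cannot collide.
                combined.setCertificateEntry(file.getFileName() + ":" + alias, ks.getCertificate(alias));
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: LdapsTrustCheck <installation dir> <trust store password> <ldap host> <port>");
            System.exit(2);
        }
        Path installDir = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        KeyStore combined = KeyStore.getInstance(KeyStore.getDefaultType());
        combined.load(null, null); // start with an empty in-memory trust store

        // Alternative 2: every .jks file in tomcat/certs must open with the same shared password.
        Path certsDir = installDir.resolve("tomcat").resolve("certs");
        if (Files.isDirectory(certsDir)) {
            try (DirectoryStream<Path> files = Files.newDirectoryStream(certsDir, "*.jks")) {
                for (Path file : files) {
                    try {
                        System.out.println(file + ": " + mergeTrustStore(file, password, combined)
                                + " trusted certificate(s)");
                    } catch (IOException e) {
                        System.err.println(file + ": cannot be opened with the shared password: " + e.getMessage());
                        System.exit(1);
                    }
                }
            }
        }

        // Alternatives 1 and 3: the bundled cacerts file. Its password is either the shared one
        // or the Java default "changeit", so try both in that order.
        Path cacerts = installDir.resolve("jdk").resolve("lib").resolve("security").resolve("cacerts");
        try {
            mergeTrustStore(cacerts, password, combined);
        } catch (IOException e) {
            mergeTrustStore(cacerts, "changeit".toCharArray(), combined);
        }
        System.out.println("Combined trust store holds " + combined.size() + " certificate(s)");

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(combined);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS"); // verify the host name, not only the chain
            socket.setSSLParameters(params);
            socket.startHandshake();
            X509Certificate peer = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK with " + host + ":" + port + " using " + socket.getSession().getProtocol());
            System.out.println("Server certificate: " + peer.getSubjectX500Principal() + ", valid until " + peer.getNotAfter());
        } catch (SSLException e) {
            // "unable to find valid certification path" means the certificate is in none of the stores;
            // "No subject alternative names" or a name mismatch means the host name does not match the certificate.
            System.err.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile and run it with the JDK bundled with Spotfire Server (<installation dir>/jdk/bin/javac and java) so that the check uses the same cacerts file and TLS implementation as the server. A failure while opening one of the .jks files points at the shared-password requirement of Alternative 2; a handshake failure points at a certificate that was not imported, a missing intermediate certificate, or a host name that does not match the certificate.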