Spotfire Server and Environment - Quick Start

Configuring allowed issuers for code trust

When Spotfire Server verifies the certificate chain for a certificate, it uses a field in the certificate's Authority Information Access extension to retrieve the issuing certificate. You can configure the list of URLs from which certificates may be fetched by setting the security.code-trust.allowed-issuers configuration property.

Before you begin

You must have administrative credentials for Spotfire Server.

Procedure

  1. Open a command-line interface and export the active configuration (the configuration.xml file) by using the export-config command. (For details on using the Spotfire command line, see Executing commands on the command line.)
  2. In new installations, the allowlist is enabled by default, but you can switch it off by setting security.code-trust.use-only-allowed-issuers to false:
    config set-config-prop --name="security.code-trust.use-only-allowed-issuers" --value="false"
  3. If you want to use the allowlist, use the following command to configure the list of allowed issuers:
    Example:
    config set-config-list-prop -n "security.code-trust.allowed-issuers" -i issuer -V firstValue -V secondValue -V thirdValue
  4. Import the configuration file back to the Spotfire database by using the import-config command.

Server configuration example

The following is an example of a server configuration where three URLs have been added to the allowlist:

<configuration>
  <security>
    <code-trust>
      <use-only-allowed-issuers>
         <enabled>true</enabled>
      </use-only-allowed-issuers>
      <allowed-issuers>
         <issuer>firstValue</issuer>
         <issuer>secondValue</issuer>
         <issuer>thirdValue</issuer>
      </allowed-issuers>
    </code-trust>
    ...
  </security>
  ...
</configuration>
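
The following is an added example, not part of the Spotfire documentation or tooling: a Python check over an exported configuration.xml that reports whether the allowlist is enforced and flags issuer entries that are not absolute URLs or are duplicated. It assumes the element layout shown in the configuration example above; the function name audit_code_trust and the sample URLs are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the page's configuration example; URLs are placeholders.
SAMPLE = """<configuration>
  <security>
    <code-trust>
      <use-only-allowed-issuers><enabled>true</enabled></use-only-allowed-issuers>
      <allowed-issuers>
         <issuer>http://pki.example.com/ca/issuing.crt</issuer>
         <issuer>firstValue</issuer>
         <issuer>http://pki.example.com/ca/issuing.crt</issuer>
      </allowed-issuers>
    </code-trust>
  </security>
</configuration>"""

def audit_code_trust(xml_text):
    """Return (enforced, issuers, findings) for the code-trust section."""
    root = ET.fromstring(xml_text)
    trust = root.find("./security/code-trust")
    if trust is None:
        return False, [], ["no <code-trust> section found"]
    flag = trust.find("use-only-allowed-issuers")
    # Assumption: the page's XML nests <enabled>, while the CLI step sets the
    # property value directly, so either form is accepted here.
    text = ""
    if flag is not None:
        text = flag.findtext("enabled") or flag.text or ""
    enforced = text.strip().lower() == "true"
    issuers = [(e.text or "").strip() for e in trust.findall("./allowed-issuers/issuer")]
    findings = []
    if not enforced:
        findings.append("allowlist not enforced (use-only-allowed-issuers is not true)")
    elif not issuers:
        findings.append("allowlist enforced but empty")
    seen = set()
    for url in issuers:
        parts = urlsplit(url)
        if not parts.scheme or not parts.netloc:
            findings.append(f"not an absolute URL: {url!r}")
        if url in seen:
            findings.append(f"duplicate entry: {url!r}")
        seen.add(url)
    return enforced, issuers, findings

if __name__ == "__main__":
    print(audit_code_trust(SAMPLE))
```

Run it against the file produced by export-config before importing the configuration back, so a leftover placeholder value in the issuer list is caught first.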