Spotfire Server and Environment - Quick Start

Configuring allowed issuers for code trust

When Spotfire Server verifies the certificate chain for a certificate, it uses a field in the certificate's Authority Information Access extension to retrieve the issuing certificate. You can configure the list of URLs from which the server is allowed to fetch certificates by using the security.code-trust.allowed-issuers configuration property.

Before you begin

You must have administrative credentials for Spotfire Server.

Procedure

  1. Open a command-line interface and export the active configuration (the configuration.xml file) by using the export-config command. (For details on using the Spotfire command line, see Executing commands on the command line.)
  2. In new installations, the allowlist is enabled by default, but you can switch it off by setting security.code-trust.use-only-allowed-issuers to false:
    config set-config-prop --name="security.code-trust.use-only-allowed-issuers" --value="false"
  3. If you want to use the allowlist, use the following command to configure the list of allowed issuers:
    Example:
    config set-config-list-prop -n "security.code-trust.allowed-issuers" -i issuer -VfirstValue -VsecondValue -VthirdValue
    Note: You might need to add the issuer that issued the TIBCO or Cloud Software Group signing certificate (the intermediate certificate URL) as an allowed issuer, to be able to run mods from the Spotfire Community.

    Add the following issuer URLs if you see trust issues with Spotfire Community mods:

    http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt

    http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt

    Tip: To find URLs that you need for other mods, you can download the certificate and open it in the Windows certificate viewer on a computer with internet access, go to the Details tab, and select Authority Information Access. See the URL listed under Access Method=Certification Authority Issuer to find the certificate that issued the downloaded certificate.
  4. Import the configuration file back to the Spotfire database by using the import-config command.

Server configuration example

The following is an example of a server configuration where three URLs have been added to the allowlist:

<configuration>
  <security>
    <code-trust>
      <use-only-allowed-issuers>true</use-only-allowed-issuers>
      <allowed-issuers>
         <issuer>firstValue</issuer>
         <issuer>secondValue</issuer>
         <issuer>thirdValue</issuer>
      </allowed-issuers>
    </code-trust>
    ...
  </security>
  ...
</configuration>
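
To review an exported configuration.xml before importing it back, the following added example (not part of the Spotfire documentation or tooling) parses the code-trust section shown above and reports entries that need attention. The function name audit_code_trust, the sample export, and the exact-string comparison of issuer URLs are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Issuer URLs this page lists for Spotfire Community mods.
COMMUNITY_ISSUERS = [
    "http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt",
    "http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt",
]

# Constructed sample export (not a real server configuration).
SAMPLE_CONFIG = f"""<configuration><security><code-trust>
  <use-only-allowed-issuers>true</use-only-allowed-issuers>
  <allowed-issuers>
    <issuer>{COMMUNITY_ISSUERS[0]}</issuer>
    <issuer>firstValue</issuer>
    <issuer>{COMMUNITY_ISSUERS[0]}</issuer>
  </allowed-issuers>
</code-trust></security></configuration>"""

def audit_code_trust(xml_text):
    """Hypothetical helper: return (enforced, issuers, findings) for an export."""
    node = ET.fromstring(xml_text).find("./security/code-trust")
    if node is None:
        return None, [], ["no <code-trust> section in this export"]
    flag = (node.findtext("use-only-allowed-issuers") or "").strip().lower()
    enforced = {"true": True, "false": False}.get(flag)  # None: not set explicitly
    issuers = [(e.text or "").strip() for e in node.findall("./allowed-issuers/issuer")]
    findings = []
    if enforced is False:
        findings.append("allowlist is switched off (use-only-allowed-issuers=false)")
    elif enforced is None:
        findings.append("use-only-allowed-issuers is not set explicitly")
    seen = set()
    for url in issuers:
        parts = urlsplit(url)
        # Leftover placeholders such as firstValue have no scheme or host.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"not an http(s) URL: {url!r}")
        if url in seen:
            findings.append(f"duplicate entry: {url!r}")
        seen.add(url)
    # Assumption: entries are compared as exact strings.
    findings += [f"Community mods issuer missing: {u}" for u in COMMUNITY_ISSUERS if u not in seen]
    return enforced, issuers, findings

if __name__ == "__main__":
    enforced, issuers, findings = audit_code_trust(SAMPLE_CONFIG)
    print(f"allowlist enforced: {enforced}, {len(issuers)} issuer entries")
    print("\n".join(findings))
```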