When Spotfire Server verifies the certificate chain for a certificate, it uses a field in the certificate's Authority Information Access extension to get hold of the issuing certificate. You can configure a list of URLs from which the server is allowed to fetch certificates by using the security.code-trust.allowed-issuers configuration property.
Before you begin
You must have administrative credentials for Spotfire Server.
Procedure
- Open a command-line interface and export the active configuration (the configuration.xml file) by using the export-config command. (For details on using the Spotfire command line, see Executing commands on the command line.)
- In new installations, the allowlist is enabled by default, but you can switch it off by setting security.code-trust.use-only-allowed-issuers to false:
  config set-config-prop --name="security.code-trust.use-only-allowed-issuers" --value="false"
- If you want to use the allowlist, use the following command to configure the list of allowed issuers:
  Example:
  config set-config-list-prop -n "security.code-trust.allowed-issuers" -i issuer -VfirstValue -VsecondValue -VthirdValue
  Tip: To find URLs that you need for other mods, you can download the certificate and open it in the Windows certificate viewer on a computer with internet access, go to the Details tab, and select Authority Information Access. The URL listed under Access Method=Certification Authority Issuer points to the certificate that issued the downloaded certificate.
- Import the configuration file back to the Spotfire database by using the import-config command.
Server configuration example
The following is an example of a server configuration where three URLs have been added to the allowlist:
<configuration>
  <security>
    <code-trust>
      <use-only-allowed-issuers>true</use-only-allowed-issuers>
      <allowed-issuers>
        <issuer>firstValue</issuer>
        <issuer>secondValue</issuer>
        <issuer>thirdValue</issuer>
      </allowed-issuers>
    </code-trust>
    ...
  </security>
  ...
</configuration>
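
The check below is an added example, not part of the Spotfire documentation or product: it reads the code-trust section of an exported configuration.xml and lists allowlist problems worth fixing before you run import-config. The sample XML, its example.test URLs, the function names, and the exact-string comparison of URLs are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the layout of the page's example; URLs are placeholders.
SAMPLE_CONFIG = """<configuration><security><code-trust>
  <use-only-allowed-issuers>true</use-only-allowed-issuers>
  <allowed-issuers>
    <issuer>http://pki.example.test/ca/issuing-ca.crt</issuer>
    <issuer>http://pki.example.test/ca/issuing-ca.crt</issuer>
    <issuer>firstValue</issuer>
  </allowed-issuers>
</code-trust></security></configuration>"""

def read_code_trust(xml_text):
    """Return (enabled, issuers); enabled is None when the flag is absent."""
    node = ET.fromstring(xml_text).find("./security/code-trust")
    if node is None:
        return None, []
    flag = node.findtext("use-only-allowed-issuers")
    enabled = None if flag is None else flag.strip().lower() == "true"
    issuers = [(e.text or "").strip() for e in node.findall("./allowed-issuers/issuer")]
    return enabled, issuers

def audit(xml_text, required_urls=()):
    """Return findings. required_urls: AIA issuer URLs you expect to need."""
    enabled, issuers = read_code_trust(xml_text)
    findings = []
    if enabled is None:
        findings.append("use-only-allowed-issuers is not set explicitly")
    elif not enabled:
        findings.append("allowlist is switched off; allowed-issuers is not enforced")
    elif not issuers:
        findings.append("allowlist is enabled but allowed-issuers is empty")
    seen = set()
    for url in issuers:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"not an absolute http(s) URL: {url!r}")
        if url in seen:
            findings.append(f"duplicate entry: {url!r}")
        seen.add(url)
    # Assumption: entries are compared as exact strings; the page does not
    # describe how the server matches URLs.
    for url in required_urls:
        if url not in seen:
            findings.append(f"required issuer URL missing: {url!r}")
    return findings
```

Call audit() with the text of the exported configuration.xml and the Certification Authority Issuer URLs collected as described in the Tip above.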