Per the Federal Information Security Management Act (FISMA), the US federal government must follow National Institute of Standards and Technology (NIST) guidelines when securing its IT systems. NIST policy released 9/28/2012 states that SHA-1-signed SSL certificates should not be used by federal agencies for generating digital signatures: http://csrc.nist.gov/groups/ST/hash/policy_Sept2012.html. To comply with this policy, TIBCO Spotfire Server's self-signed SSL certificates for the backend on default port 9443 need to be signed with a SHA-2 algorithm (i.e., SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256).
For future reference (and versions < 10.1):
The configuration property to set the signature algorithm is "security.ca.cert-signature-algorithm"
Example: set-config-prop -n "security.ca.cert-signature-algorithm" -v "SHA256withRSA"
The default signature algorithm has been changed to SHA256withRSA in 10.1 (since there is no longer a need to maintain compatibility with Windows Server 2008 R2).
After TIBCO support suggested I open this IDEA, support was able to provide the resolution to the issue. The key step is to include the -d (delete) option with the reset-trust command. Without this, the CA signing and CA root certificates will not be revoked and reissued.
The customer can achieve this by setting the security.ca.cert-signature-algorithm configuration property to SHA256withRSA. After doing so, the customer must reset the trust within the system using the reset-trust command and then re-trust the nodes using the Nodes & Services Administration Console app (all Spotfire Servers must first be restarted).
For the reset-trust command use the following:
config reset-trust -f -d
After the untrusted node manager was re-trusted, the certificate signature was updated with SHA256withRSA in the nm.log.