When migrating a mod signed by a Spotfire account from dev to prod, dev's root certificate must be exported and imported into prod so that the mod's signature is considered valid.
However, since the code signing certificate issued to the Spotfire account has OCSP information that points to the dev server's URL, the dev server must be kept online even after the migration is done; otherwise OCSP validation would fail and the certificate is considered invalid, hence the mod cannot be used correctly.
Please add a sub-command to config.bat to re-sign mods with a Spotfire account, so we can re-sign all mods in the prod environment and don't have to keep the dev server alive.
Thanks.
One of the most important things we are trying to achieve is to make all mods trusted by everyone in the Spotfire system in advance, so end users don't have to establish trust before using them. The admin takes full responsibility for verifying every mod's integrity and sharing them with others. This greatly reduces the end user's workload and possible confusion. We want to make sure mod signature and certificate verification are completely transparent to end users.
Is it possible to implement this ASAP, preferably in a future 12.0.x LTS release?
Spotfire Server 12.0 LTS enforces the prerequisite that Spotfire Server and Web Player must be able to access the internet in order to download intermediate certificates and validate revocation.
The fact is that lots of our customers, especially semiconductor manufacturers, don't allow Spotfire Server to access the internet. The server resides in data centers or factories that have very strict security policies.
Without internet access, it's almost impossible to utilize mods that are published on the TIBCO community. Disabling signature verification is one possible way to go, but it requires every end user to trust every mod manually and it causes lots of extra work. By design, it's impossible to trust all mods for a group in advance so that everyone can use them.
If this sub-command is added, then we can re-sign all mods using a Spotfire account, so signature and certificate verification (including OCSP validation) are all done inside the Spotfire system and internet access is no longer required.
Issuing an internal CA certificate and re-signing all mods is another workaround to this, but most customers can't do this either, because an internal CA certificate could cause other security and management problems.
Mod functionality was introduced in 11.0 and has been improved ever since, but we don't have many customers benefiting from it yet; one of the reasons is the lack of internet access.