Configuring Spotfire Server to meet Apple's App Transport Security requirements


    Apple has increased the requirements for the network security between iOS and servers. When Apple fully implements the requirements of App Transport Security (ATS), and they no longer grant exceptions to the requirements, communication between an iOS app and TIBCO Spotfire Server (TSS) versions 7.5 - 7.8 will not meet the ATS requirements without additional configuration.

    Note   TSS version 7.9 supports the ATS requirements out of the box.

    See the following page to find the required cipher suites.

    https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html

    You can adopt one of two solutions to the ATS communication issue:

    • You can configure the Java installation to support the requirements of ATS.
    • You can use a secure socket layer (SSL) terminating reverse proxy in front of the TSS instances.

    This article describes the details for implementing these options.

    Solution 1:  Configuring the Java installation

    ATS requires Transport Layer Security (TLS), so you must configure the server to use HTTPS. However, enabling HTTPS alone is not enough: ATS also requires more advanced cipher suites, and you must perform the following steps on each TSS instance to make them available.

    Important   You must have the legal right to use such cryptography.

    1. Follow the instructions provided in the TIBCO Spotfire® Server Installation and Administration Guide to configure SSL.
    2. Install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files on TSS. 
      1. Locate and open for editing the configuration file java.security.
        • Windows location:  <TSS installation directory>\jdk\jre\lib\security\java.security

        • Linux location:        <TSS installation directory>/jdk/jre/lib/security/java.security

      2. Enable Bouncy Castle by adding the following line to the java.security configuration file.

        In TSS 7.5 - 7.8, we bundle a cryptographic library from "The Legion of the Bouncy Castle" (http://www.bouncycastle.org). This library is used for other purposes, but can also be used to provide more cipher suites.

            security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider

        where N is a unique number larger than 1. (The number indicates the priority, but it can be one more than the last number in the list.)

      3. Copy the provider jar file so that Java loads it earlier, from the JRE extension directory rather than only from the web application.
        1. Go to the TSS installation directory.
        2. Copy the file tomcat/webapps/spotfire/WEB-INF/lib/bcprov-jdk15on.jar to the directory jdk/jre/lib/ext/.

      Example

      On Linux:

      cd <TSS installation directory>

      cp tomcat/webapps/spotfire/WEB-INF/lib/bcprov-jdk15on.jar jdk/jre/lib/ext/

      Note   Even if the file <TSS installation directory>/tomcat/conf/server.xml contains a long list of ciphers, not all of them are available unless additional crypto providers are plugged in. If you want to use a cipher suite that is not in this list, you must add it manually.
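To make the Solution 1 steps repeatable on Linux, here is an added shell script (not code from the article or from TIBCO) that finds the next free security.provider.N slot, appends the Bouncy Castle line only once, and copies the bundled bcprov jar into the JRE extension directory. TSS_HOME is an assumed variable standing for <TSS installation directory>; the java.security sample the script can create is constructed for testing and is not a real TSS file.

```shell
#!/bin/sh
# Added example (not TIBCO's code): automates Solution 1 on Linux.
# TSS_HOME is a hypothetical variable standing for <TSS installation directory>;
# the file paths inside it are the ones the article gives.

# Print the next free provider slot: one more than the highest
# security.provider.N currently listed in the given java.security file.
next_provider_slot() {
  max=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
  echo $(( ${max:-0} + 1 ))
}

# Append the Bouncy Castle provider line unless it is already registered,
# and print the slot number it occupies (safe to run twice).
register_bouncy_castle() {
  file="$1"
  slot=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=org\.bouncycastle\.jce\.provider\.BouncyCastleProvider.*/\1/p' "$file")
  if [ -z "$slot" ]; then
    slot=$(next_provider_slot "$file")
    printf 'security.provider.%s=org.bouncycastle.jce.provider.BouncyCastleProvider\n' "$slot" >> "$file"
  fi
  echo "$slot"
}

# Copy the bundled bcprov jar into the JRE extension directory (step 3).
install_provider_jar() {
  src="$1/tomcat/webapps/spotfire/WEB-INF/lib/bcprov-jdk15on.jar"
  dst="$1/jdk/jre/lib/ext"
  [ -f "$src" ] || { echo "provider jar not found: $src" >&2; return 1; }
  mkdir -p "$dst" && cp "$src" "$dst/"
}

# Constructed sample java.security (three provider slots filled) so the
# functions can be exercised without a TSS installation.
make_sample_java_security() {
  cat > "$1" <<'EOF'
# constructed sample, not a real TSS file
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
EOF
}

# Stand-alone use against a real installation: TSS_HOME=/opt/tss sh ats-bc.sh
if [ -n "$TSS_HOME" ]; then
  register_bouncy_castle "$TSS_HOME/jdk/jre/lib/security/java.security"
  install_provider_jar "$TSS_HOME"
fi
```

Restart the TSS service afterwards so the JVM picks up the new provider.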

      Solution 2:  SSL Terminating Load Balancer and Reverse Proxy

      An alternative to configuring the Java installation to use JCE is to use a load balancer to terminate the TLS communication and run in clear text between the load balancer and the TSS instances.

      Note  Most load balancers should be able to comply with the ATS requirements.

      Every load balancer must be configured with session affinity (sticky sessions) based on the cookie JSESSIONID, so that after a session is established, the load balancer continues to route all requests from a particular client to the same server.

      The load balancers can check the status of individual servers using the URL /spotfire/rest/status/getStatus. For configuration information, see "Enabling health check URL for load balanced servers" in the TIBCO Spotfire® Server Installation and Administration guide.

      Set the configuration options "x-forwarded-for", "x-forwarded-by", and "x-forwarded-proto". For more information, see the Tomcat documentation for RemoteIpValve at http://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html. This valve provides more accurate logging of the original client request when the load balancer sets these headers.

      Verification

      If you have an Apple computer that is running the latest operating system, you can use the utility nscurl to see if a site fulfills the ATS requirements. Run the following command, providing the site to check.

          nscurl -v --ats-diagnostics "https://site.example.com"
