Obtaining and installing SSL certificate and keys

The first steps you must follow to configure SSL support are:

  1. Obtain an SSL certificate and key file. There are various ways you can do this:
    • Purchase them from a public certificate authority (such as VeriSign, Thawte, or Entrust). The public certificate authority (CA) signs the certificate to verify the server that uses it.
    • Obtain the key and certificate files from a third-party certificate authority. If this approach is taken, the third-party CA's *.pfx root certificate must be imported into the server's keystore file (explained below).
    • Generate the key and certificate files with an internal self-signed certificate authority. The steps to do this are:
      1. Prepare a key database. See the topic Creating an SSL key database for more information.
      2. Create the self-signed certificate. See the topic Creating a self-signed SSL certificate for more information.
  2. For certificate authority (CA) or self-signed certificates, copy the .kdb and .sth files from step 1 into a directory to which the IBM® SPSS® Statistics Server has access, and specify the path to that directory in the statisticsd.conf file. For third-party certificates, copy the .pfx and .sth files from step 1. The statisticsd.conf file is located in <Statistics Server installation directory>/config/.
  3. Set the following parameters in the statisticsd.conf file:

    For certificate authority (CA) or self-signed certificates:

    • <gsk desc="0=GSKSSL Disabled; 1=GSKSSL Enabled" value="<value>"/>, where <value> is either 0 or 1 and indicates whether GSKit is enabled.
    • <gsk-keystore desc="GSKSSL Key store database filename." value="<filename>.kdb"/>, where <filename> is the name of the key database file.
    • <gsk-keystore-stash desc="GSKSSL Key store stash filename." value="<filename>.sth"/>, where <filename> is the name of the key database password stash file.
    • <gsk-cert-label desc="GSKSSL certificate label." value="<label>"/>, where <label> is the label of your certificate.

    For third-party certificates:

    • <gsk desc="0=GSKSSL Disabled; 1=GSKSSL Enabled" value="<value>"/>, where <value> is either 0 or 1 and indicates whether GSKit is enabled.
    • <gsk-keystore desc="GSKSSL Key store database filename." value="<*.pfx_file_location>"/>, where <*.pfx_file_location> is the location and name of the *.pfx root certificate file.
    • <gsk-keystore-stash desc="GSKSSL Key store stash filename." value="<filename>.sth"/>, where <filename> is the name of the key database password stash file.
    • <gsk-cert-label desc="GSKSSL certificate label." value="<label>"/>, where <label> is the label of your certificate.
  4. For third-party certificates:
    1. Extract the root.pem file from the *.pfx file, using the following GSK command as an example:
      gsk8capicmd_64.exe -cert -extract -db C:\SSL\<certificate_name>.pfx -stashed -label <cert-certificate_issuing_server.com> -target C:\SSL\root.pem
    2. Copy the root.pem to the C:\ProgramData\IBM\SPSS\certificates folder (Windows) or /Library/Application Support/IBM/SPSS/certificates (macOS) on the client.
    3. On the client, set the connection using the fully-qualified domain name (for example, cert-certificate_issuing_server.com) in the Server Name field, and enable the SSL option.
  5. For self-signed certificates, install the certificate on client systems. For purchased public CA or third-party certificates, this step is not required. Ensure that access permissions deny casual browsing of the directory that contains the certificate. See the topic Installing a self-signed SSL certificate for more information.
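
A pre-start check for steps 2, 3 and 5, added here as an example and not IBM's code: it reads the four gsk settings from statisticsd.conf text, confirms that the keystore and stash files exist, and flags files or a directory that other accounts can access. The function names, the sample file names and the POSIX permission model (a UNIX or Linux server host) are assumptions.

```python
import os
import re
import stat

# Matches the four elements the page names, e.g. <gsk-keystore desc="..." value="x.kdb"/>
_ELEM = re.compile(
    r'<(gsk(?:-keystore-stash|-keystore|-cert-label)?)\s[^>]*?\bvalue="([^"]*)"')

# Constructed sample, not taken from a real installation; names are placeholders.
SAMPLE_CONF = '''
<gsk desc="0=GSKSSL Disabled; 1=GSKSSL Enabled" value="1"/>
<gsk-keystore desc="GSKSSL Key store database filename." value="server.kdb"/>
<gsk-keystore-stash desc="GSKSSL Key store stash filename." value="server.sth"/>
<gsk-cert-label desc="GSKSSL certificate label." value="example-label"/>
'''

def read_gsk_settings(conf_text):
    """Return {element name: value} for the gsk* elements in the config text."""
    return {name: value for name, value in _ELEM.findall(conf_text)}

def audit_gsk_config(conf_text, base_dir="."):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = read_gsk_settings(conf_text)
    if s.get("gsk") != "1":
        return ["gsk is not set to 1: GSKit SSL is disabled"]
    findings = []
    if not s.get("gsk-cert-label"):
        findings.append("gsk-cert-label is empty")
    checks = (("gsk-keystore", (".kdb", ".pfx")), ("gsk-keystore-stash", (".sth",)))
    for key, exts in checks:
        value = s.get(key, "")
        if not value.lower().endswith(exts):
            findings.append(f"{key}: expected a {' or '.join(exts)} file, got {value!r}")
            continue
        path = os.path.join(base_dir, value)  # an absolute value overrides base_dir
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found: {path}")
        elif stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            # The stash file holds the key database password, so keep it owner-only.
            findings.append(f"{key}: {path} is accessible to group or others")
    if os.path.isdir(base_dir) and stat.S_IMODE(os.stat(base_dir).st_mode) & stat.S_IRWXO:
        findings.append(f"directory {base_dir} is accessible to others")
    return findings

if __name__ == "__main__":
    for finding in audit_gsk_config(SAMPLE_CONF, base_dir="."):
        print(finding)
```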