When you first connect your Studio to a remote server (single or cluster), you are prompted to verify the server's certificate fingerprint before entering credentials, and to make an explicit or one-time trust decision. This strengthens server verification during the connection flow in Clarify.
The dialog shown here appears from the Studio upon initial connection to a server. Details include:
- Server
- Certificate Details
- Fingerprint
Trust & Remember
This option authenticates the server connection and saves the fingerprint, so the user is not prompted for fingerprint verification going forward. The decision is permanent (within the 5-year validity period of the certificate fingerprint). For more information on managing expired certificates from Studio, please see Managing Expired Certificates.
Trust Once
Choose this option for a more specialized scenario in which you authenticate the server one time only. The authentication is temporary and remains valid only for the duration of the connection between the Studio and the server. Once the connection is terminated or the Studio is disconnected from the server, the authentication process must be performed again to re-establish access. The fingerprint will not be saved. This approach is useful when persistent authentication is not required or desired, because each session is verified independently.
Changed Certificate Warning
If a previously trusted server presents a different certificate (e.g., after certificate rotation or a potential man-in-the-middle attack), a warning dialog appears. Users will need to revalidate as described above.
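The three outcomes described above (first-contact prompt, Trust & Remember, Trust Once, and the changed-certificate warning) can be modelled as a small pin store. This is an added illustration, not Clarify's own code: the PinStore class, the host name, the SHA-256 fingerprint format and the certificate bytes are all assumptions or constructed values.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    TRUSTED = "trusted"                # matches a remembered or session pin
    PROMPT_NEW = "prompt_new"          # first contact: show the fingerprint dialog
    PROMPT_CHANGED = "prompt_changed"  # differs from the remembered pin: warn

def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 over the DER bytes (hash choice is an assumption)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    def __init__(self):
        self.remembered = {}  # host -> fingerprint, kept across connections
        self.session = {}     # host -> fingerprint, dropped on disconnect

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        if self.session.get(host) == fp or self.remembered.get(host) == fp:
            return Verdict.TRUSTED
        if host in self.remembered:
            return Verdict.PROMPT_CHANGED  # rotation or interception
        return Verdict.PROMPT_NEW

    def trust_and_remember(self, host: str, cert_der: bytes) -> None:
        self.remembered[host] = fingerprint(cert_der)

    def trust_once(self, host: str, cert_der: bytes) -> None:
        self.session[host] = fingerprint(cert_der)

    def disconnect(self, host: str) -> None:
        self.session.pop(host, None)

def demo():
    old_cert = b"constructed-der-bytes-before-rotation"  # constructed sample
    new_cert = b"constructed-der-bytes-after-rotation"   # constructed sample
    store, host = PinStore(), "clarify.example.internal"  # hypothetical host
    seen = [store.check(host, old_cert)]      # first contact
    store.trust_once(host, old_cert)
    seen.append(store.check(host, old_cert))  # same session: no prompt
    store.disconnect(host)
    seen.append(store.check(host, old_cert))  # new session: prompt again
    store.trust_and_remember(host, old_cert)
    seen.append(store.check(host, old_cert))  # remembered: no prompt
    seen.append(store.check(host, new_cert))  # certificate changed: warn
    return [v.value for v in seen]

if __name__ == "__main__":
    print(demo())
```

The store cannot tell a legitimate rotation from an interception; both surface as the same warning, which is why the new fingerprint has to be confirmed with the administrator before it is accepted.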
Managing Expired Certificates
When a certificate expires (or needs to be replaced for any reason), administrators should take these steps.
- Stop the Clarify Server.
- Delete the .keystore-initialized marker file located next to the keystore.p12 file.
- Start the Clarify Server. UniqueKeystoreInitializer detects the missing marker and generates a fresh certificate automatically.
- Verify by checking the startup log for:
  Unique TLS certificate generated successfully for: <hostname>
After rotation, all Studio clients that previously trusted this server will see a Server Certificate Changed dialog and must re-verify and accept the new fingerprint (as described above). This is the expected behavior: it ensures users are aware of the change and can confirm with the administrator that the rotation was intentional.
The expired/expiring log messages include these regeneration instructions inline, so administrators are guided to the fix directly from server logs.
Note: The Keystore Manager (Admin Console/Activity View) provides a storage facility for cryptographic keys and certificates. This utility enables you to view, import, export or delete trusted certificates.