+ All Categories
Home > Documents > TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and...

TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and...

Date post: 25-Jun-2018
Category:
Upload: phamkhuong
View: 228 times
Download: 0 times
Share this document with a friend
442
TIBCO Spotfire ® Server and Environment Installation and Administration Software Release 7.6 May 2016 Document Updated: 2/2/2018 Two-Second Advantage ®
Transcript
Page 1: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

TIBCO Spotfire® Server and EnvironmentInstallation and AdministrationSoftware Release 7.6May 2016Document Updated: 2/2/2018

Two-Second Advantage®

Page 2: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCHEMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (ORPROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THEEMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANYOTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS ANDCONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTEDSOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THECLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOADOR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE)OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USERLICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THESOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, ANDYOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BEBOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright lawsand treaties. No part of this document may be reproduced in any form without the writtenauthorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage, TIBCO Spotfire, TIBCO ActiveSpaces, TIBCO EMS, TIBCO SpotfireAutomation Services, TIBCO Enterprise Runtime for R, TIBCO Spotfire Server, TIBCO Spotfire WebPlayer, TIBCO Spotfire Statistics Services, S-PLUS, and TIBCO Spotfire S+ are either registeredtrademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform EnterpriseEdition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks ofOracle Corporation in the U.S. and other countries.

All other product and company names and marks mentioned in this document are the property of theirrespective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOTALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASEDAT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWAREVERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSOR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICALERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESECHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCOSOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S)AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY ORINDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE,INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 1996-2016 TIBCO Software Inc. All rights reserved.

TIBCO Software Inc. Confidential Information

2

TIBCO Spotfire® Server and Environment Installation and Administration

Page 3: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Contents

TIBCO Spotfire Server Documentation and Support Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Getting started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Introduction to the Spotfire environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Spotfire Server introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Spotfire database introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Nodes and services introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Spotfire clients introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Environment communication introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Authentication and user directory introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Users & groups introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Licenses and preferences introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Deployment introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Spotfire library introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Routing introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Data sources introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Logging introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Administration interface introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Example scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Upgrading to Spotfire 7.6 from 7.0 or earlier – an introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Basic installation process for Spotfire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Installation and configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Downloading required software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Collecting required information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Setting up the Spotfire database (Oracle) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Setting up the Spotfire database (SQL Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

Setting up the Spotfire database (SQL Server with Integrated Windows authentication) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Running database preparation scripts manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Installing the Spotfire Server files (interactively on Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Installing the Spotfire Server files (silently on Windows) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Installing the Spotfire Server files (RPM Linux) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Installing the Spotfire Server files (Tarball Linux) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Database drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Installing the Oracle database driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Installing database drivers for Information Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3

TIBCO Spotfire® Server and Environment Installation and Administration

Page 4: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Applying hotfixes to the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Initial configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Configuration using the graphical configuration tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Opening the graphical configuration tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Running the graphical configuration tool on a local computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Creating the bootstrap.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Setting up the Spotfire Server bootstrap file for Integrated Windows authentication . . . . . . . . . . . . . . . . . . . . . . . 50

Saving basic configuration data (authentication towards Spotfire database) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Creating an administrator user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Configuration using the command-line configuration tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Executing commands in the command-line configuration tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Running the command-line configuration tool on a local computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

Viewing help on configuration commands in the command-line tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Configuration and administration commands by function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Manually creating a simple configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Scripting a configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Editing and running a basic configuration script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Script language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuration.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Manually editing the Spotfire Server configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Start or stop Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Starting or stopping Spotfire Server (as a Windows service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Starting or stopping Spotfire Server (Windows, no service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

Starting or stopping Spotfire Server (Windows, service exists, Integrated Authentication for SQL Server) . . . . . . . . . . .65

Starting or stopping Spotfire Server (Windows, no service, Integrated Authentication for SQL Server) . . . . . . . . . . . . . . 65

Starting or stopping Spotfire Server (Linux) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Clustered server deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Setting up a cluster of Spotfire Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Using Hazelcast for clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Using ActiveSpaces for clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Installing ActiveSpaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Configuring a cluster of Spotfire Servers to use ActiveSpaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Enabling secure transport for ActiveSpaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Sample as-policy.txt file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Configure NTLM for a cluster of Spotfire Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Configuring a Spotfire Server cluster with a load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Enabling health check URL for load balanced servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

Kerberos authentication for clustered servers with load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

X.509 client certificates for clustered servers with load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

4

TIBCO Spotfire® Server and Environment Installation and Administration

Page 5: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuring X.509 client certificates for clustered servers with load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Setting up HTTPS for clustered servers with load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Configuring shared import and export folders for clustered deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

Deploying client packages to Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

User authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

User name and password authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Authentication towards the Spotfire database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Authentication towards LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Configuring LDAPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

SASL authentication for LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Configuring Spotfire Server for DIGEST-MD5 authentication of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Configuring Spotfire Server for GSSAPI authentication of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86

Authentication towards Windows NT Domain (legacy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Authentication towards a custom JAAS module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

Single sign-on authentication methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

NTLM authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Downloading third-party components (JCIFS) for NTLM authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Creating a computer service account in your Windows domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Creating a computer service account manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Configuring NTLM authentication for a single server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Kerberos authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Setting up Kerberos authentication on Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Creating a Kerberos service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Registering Service Principal Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Creating a keytab file for the Kerberos service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Configuring Kerberos for Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95

Copying the Kerberos service account’s keytab file to Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Selecting Kerberos as the Spotfire login method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

Disabling the username and password fields in the Spotfire Analyst login dialog . . . . . . . . . . . . . . . . . . . . . .97

Kerberos authentication for clustered servers with load balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Setting up Kerberos authentication on nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Enable Kerberos authentication in browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Enabling Kerberos for Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Enabling delegated Kerberos for Google Chrome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Enabling Kerberos for Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Using Kerberos to log in to the Spotfire database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Creating a Windows domain account for the Spotfire database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Configuring the Spotfire database account to the Windows domain account . . . . . . . . . . . . . . . . . . . . . . . . 100

5

TIBCO Spotfire® Server and Environment Installation and Administration

Page 6: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Keytab file for the Kerberos service account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

Creating a keytab file for the Kerberos service account (using the ktpass.exe command from Microsoft Support Tools). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Creating a keytab file for the Kerberos service account (using the ktpass.exe command from the bundled JDK). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Creating a keytab file for the Kerberos service account (using the ktutil command on Linux) . . . . 102

Creating a JAAS application configuration for the Spotfire database connection pool . . . . . . . . . . . . . . . . 103

Acquiring a Kerberos ticket by using a keytab file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Acquiring a Kerberos ticket by using a username and password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Acquiring a Kerberos ticket by using the identity of the account running the Spotfire Server process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Registering the JAAS application configuration file with Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Configuring the database connection for Spotfire Server using Kerberos (Oracle) . . . . . . . . . . . . . . . . . . . 105

Configuring the database connection for Spotfire Server using Kerberos (SQL Server) . . . . . . . . . . . . . 105

Authentication using X.509 client certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Installing CA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring Spotfire Server to require X.509 client certificates for HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring Spotfire Server to use X.509 client certificates to authenticate users . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring anonymous authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Two-factor authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring two-factor authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring two-factor authentication using the command-line tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

External authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configuring external authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

External directories and domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

LDAP synchronizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

User synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Group synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Group-based and role-based synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

LDAP authentication and user directory settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Post-authentication filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Configuring HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Node manager installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

Installing a node manager interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Installing a node manager silently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Authorizing a node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Starting or stopping node manager (as a Windows service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Login behavior configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Service installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

6

TIBCO Spotfire® Server and Environment Installation and Administration

Page 7: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Manually configuring a Spotfire Web Player service (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Installing Spotfire Web Player instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Multiple service instances on one node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Manually configuring Spotfire Automation Services (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Installing Spotfire Automation Services instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134

Client Job Sender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Service configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Spotfire.Dxp.Worker.Automation.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Spotfire.Dxp.Worker.Core.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Spotfire.Dxp.Worker.Host.exe.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Spotfire.Dxp.Worker.Web.config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Additional configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156

Updating a server configuration in the graphical configuration tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156

Updating a server configuration in the command-line tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Manually editing the Spotfire Server configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157

Configuring a specific directory for library import and export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Enabling cached and precomputed data for scheduled update files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Disabling the attachment manager cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158

Post-installation steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

Opening Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

Nodes, services, and resource pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Creating a resource pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161

Adding or removing resources from a resource pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Updating node managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Rolling back a node manager update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163

Updating services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Rolling back a service update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Shutting down a service instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Revoking trust of a node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165

Creating a new Spotfire user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Adding a user to one or more groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165

Removing a user from one or more groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Changing a user's name, password, or email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Disabling a user account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

Deleting users from the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Group administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Roles and special groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

7

TIBCO Spotfire® Server and Environment Installation and Administration

Page 8: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Creating a new group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Adding users to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169

Adding groups to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Assigning a primary group to a subgroup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Assigning a deployment area to a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Renaming a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Removing members from a group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Deleting groups from the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Deployments and deployment areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Creating a new deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Adding software packages to a deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Copying a distribution to another deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174

Exporting a distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Changing the default deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Renaming a deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Removing packages from a deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175

Clearing a deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175

Deleting a deployment area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Scheduled updates to analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

Creating a scheduled update by using Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Additional settings for scheduled updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Setting the number of Spotfire Web Player instances to make available for a scheduled update . . . . . . . . . . 178

Switching the scheduled update method from automatic to manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Disallowing cached and precomputed data in individual scheduled update files . . . . . . . . . . . . . . . . . . . . . . . . . .178

Scheduled updates with prompted or personalized information links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Editing a scheduled update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

Creating a reusable schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180

Manually updating a file outside of its update schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Disabling or deleting scheduled updates and routing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Deleting schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Creating a scheduled update by using TIBCO EMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Creating a scheduled update by using a SOAP web service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Monitoring scheduled updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Changing the priority of a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Changing how often the scheduled update history is cleared . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Disallowing cached and precomputed data in individual scheduled update files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

Routing rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

The default routing rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Creating a routing rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

8

TIBCO Spotfire® Server and Environment Installation and Administration

Page 9: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Monitoring and diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Server monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Instrumentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188

Setting up JMX monitoring using JConsole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Accessing Spotfire Server logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Spotfire Server logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

Server log levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Changing log level when server is running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191

Changing log level when server is not running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Enabling Kerberos debug logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Location of server logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Basic troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Memory dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195

Thread dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Troubleshooting bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Common issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Node manager monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Node manager logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Accessing node manager logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198

Services monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Monitoring open analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Analyses Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Web Player Service Performance Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201

Troubleshoot performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Logging and exporting monitoring diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Viewing node information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205

Viewing service configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Viewing assemblies information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Viewing site information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Viewing scheduled updates information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208

Accessing services logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Web Player service logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Log levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Customization of service logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Configuration of the Spotfire.Dxp.Worker.Web.config file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Configuration of the log4net.config file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212

Logging properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Log to database example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216

9

TIBCO Spotfire® Server and Environment Installation and Administration

Page 10: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Viewing routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218

External monitoring tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Action logs and system monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

What is logged? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219

Action logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Action log measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

System monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

System monitoring measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Web service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Log to file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Log to database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Enable the action logs and system monitoring feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Some comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Upgrade action logs and system monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235

Spotfire Server and the different databases/schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Upgrading to Spotfire 7.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Upgrading to 7.6 from 7.0 or earlier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Setting up the test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Upgrading Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Install Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Run the Spotfire Server upgrade tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Running the Spotfire Server upgrade tool interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Running the upgrade tool silently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239

Applying hotfixes to the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

Start Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

Upgrading a cluster of Spotfire Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240

Upgrading Spotfire Analyst clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

Deploy client packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Upgrading Spotfire Web Player . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

Upgrading scheduled updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Upgrading Spotfire Automation Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Upgrading authentication method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Anonymous combined with other authentication method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Different authentication methods for Spotfire Server and Web Player . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Upgrading load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Upgrading analysis links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Upgrading Web Services API clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Upgrading customizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Upgrading custom visualizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

10

TIBCO Spotfire® Server and Environment Installation and Administration

Page 11: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Upgrading cobranding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245

Upgrading to 7.6 from 7.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Upgrading Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Install Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Run the Spotfire Server upgrade tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Running the Spotfire Server upgrade tool interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

Running the upgrade tool silently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248

Applying hotfixes to the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249

Start Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Upgrading nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Install node manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Run the node manager upgrade tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Running the node manager upgrade tool interactively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Running the node manager upgrade tool silently . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Upgrading service configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251

Applying hotfixes to the Spotfire environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

Upgrade between service pack versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Applying hotfixes for services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

Backup and restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Backup of Spotfire database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253

Backup of Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Backup of services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Deleting services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Revoking trust of nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Uninstall node manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Uninstall Spotfire Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255

Remove the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Advanced procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Temporary tablespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257

Virtual memory modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Modifying the virtual memory (server running as Windows service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Modifying the virtual memory (server not running as Windows service) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257

Library content storage outside of the Spotfire database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Configuring external library storage in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Configuring external library storage in a file system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259

Monitoring external library storage and fixing inconsistencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Forcing Java to use Internet Protocol version 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260

Data source templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

11

TIBCO Spotfire® Server and Environment Installation and Administration

Page 12: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting up MySQL5 vendor driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Data source template commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

XML settings for data source templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

JDBC connection properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

Advanced connection pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Kerberos authentication for JDBC data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Using Kerberos authentication with delegated credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Enabling constrained delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Enabling unconstrained delegation for an account on a domain controller in Windows 2000 mixed or native mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Enabling unconstrained delegation on a domain controller in Windows Server 2003 mode . . . . . . . . . . . . . . 272

Creating an Information Services data source template using Kerberos login . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Verifying a data source template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Information Services settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Default join database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

Spotfire Server public Web Services API's . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Enabling the Web Services API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Generating client proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

Optional security HTTP headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

X-Frame-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

X-XSS-Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

HTTP Strict-Transport-Security (HSTS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278

Cache-Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

X-Content-Type-Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Setting the maximum execution time for an Automation Services job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279

Setting the maximum inactivity time for an Automation Services job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Idle session timeout and absolute session timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Setting idle session timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Setting absolute session timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Restarting a node manager to terminate its running jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Increase the number of available sockets on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Switching from online to offline administration help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Contacting support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Spotfire Server files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

The bootstrap.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

The server.xml file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

The krb5.conf file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Server bootstrapping and database connection pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

12

TIBCO Spotfire® Server and Environment Installation and Administration

Page 13: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Database connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Database drivers and database connection URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Command-line reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

add-ds-template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

add-member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .291

bootstrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

check-external-library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

clear-join-db . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

config-action-log-database-logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

config-action-logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299

config-action-log-web-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

config-anonymous-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

config-attachment-manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

config-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

config-auth-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

config-basic-database-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

config-basic-ldap-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

config-basic-windows-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

config-client-cert-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

config-cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

config-csrf-protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308

config-external-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309

config-external-scheduled-updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

config-import-export-directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315

config-jmx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

config-kerberos-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317

config-ldap-group-sync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318

config-ldap-userdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323

config-library-external-data-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

config-library-external-file-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

config-library-external-s3-storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

config-login-dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

config-ntlm-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

config-persistent-sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

config-post-auth-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

config-public-endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334

config-two-factor-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334

config-userdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335

config-web-service-api . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

13

TIBCO Spotfire® Server and Environment Installation and Administration

Page 14: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

config-windows-userdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

copy-library-permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

create-default-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

create-jmx-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

create-join-db . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

create-ldap-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

create-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

delete-disabled-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

delete-disconnected-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361

delete-library-content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

delete-jmx-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

delete-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

delete-service-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

delete-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

demote-admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

enable-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366

export-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

export-ds-template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .368

export-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

export-library-content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

export-service-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

export-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

import-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

import-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

import-jaas-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

import-library-content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

import-scheduled-updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

import-service-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380

import-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

invalidate-persistent-sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

list-active-service-configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

list-addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

list-admins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384

list-auth-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385

list-auth-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

list-certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

list-configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387

list-deployment-areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

14

TIBCO Spotfire® Server and Environment Installation and Administration

Page 15: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-ds-template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

list-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

list-jaas-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

list-jmx-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

list-ldap-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

list-ldap-userdir-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

list-licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

list-nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392

list-ntlm-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

list-online-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394

list-post-auth-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

list-service-configs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395

list-userdir-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

list-userdir-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396

list-users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

list-windows-userdir-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

manage-deployment-areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397

modify-db-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399

modify-ds-template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

promote-admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

remove-ds-template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402

remove-jaas-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

remove-ldap-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

remove-license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

reset-trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405

run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

s3-download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406

set-addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

set-auth-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

set-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408

set-config-prop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

set-db-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

set-license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411

set-server-service-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411

set-service-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

set-user-password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

set-userdir-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

show-basic-ldap-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

show-config-history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

15

TIBCO Spotfire® Server and Environment Installation and Administration

Page 16: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

show-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

show-import-export-directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416

show-join-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

show-library-permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

show-licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

switch-domain-name-style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

test-jaas-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

trust-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

untrust-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422

update-deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

update-ldap-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424

version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Mapping content of old configuration files to new service configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

16

TIBCO Spotfire® Server and Environment Installation and Administration

Page 17: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

TIBCO Spotfire Server Documentation and SupportServices

Documentation for this and other TIBCO products is available on the TIBCO Documentation site. Thissite is updated more frequently than any documentation that might be included with the product. Toensure that you are accessing the latest available help topics, please visit:

https://docs.tibco.com

TIBCO Spotfire Server Documentation

The following documents for this product can be found in the TIBCO Documentation Library:

● TIBCO Spotfire® Server and Environment - Basic Installation Guide

● TIBCO Spotfire® Server and Environment - Installation and Administration

● TIBCO Spotfire® Server Web Services API

● TIBCO Spotfire® Server Platform API Reference

● TIBCO Spotfire® Server Information Services API Reference

● TIBCO Spotfire® Server License Agreement

Product System Requirements

For a list of system requirements for this product and other TIBCO Spotfire® products, visit this site:

http://support.spotfire.com/sr.asp

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support,visit this site:

http://www.tibco.com/services/support

● If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you canrequest one.

How to Join the TIBCO Community

The TIBCO Community is an online destination for TIBCO Spotfire customers, partners, and residentexperts. It is a place to share and access the collective experience of the TIBCO Spotfire community. Thecommunity site offers forums, blogs, and access to a variety of resources. To register, go to the followingweb address.

https://community.tibco.com/products/spotfire

17

TIBCO Spotfire® Server and Environment Installation and Administration

Page 18: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Getting started

New TIBCO Spotfire® administrators can begin by learning how a Spotfire implementation is puttogether and how it works, or go directly to the basic installation. For experienced Spotfireadministrators, the Release Notes describe new features and other changes.

Any updates to this documentation will be available on https://docs.tibco.com. To get the latest versionof this documentation, click the help button on the Spotfire Server start page or go to https://docs.tibco.com/products/tibco-spotfire-server.

Experienced Spotfire administrators:

● Spotfire Server has a new architecture, new functionality, and a new, centralized interface for theadministrator; for details, see the "New features" section of the Release Notes.

● For a description of the new environment, see Introduction to the Spotfire environment.

● To get started, see Upgrading to Spotfire 7.6 - an introduction and Upgrading.

New Spotfire administrators:

● For general information on Spotfire Server, see Spotfire Server introduction.

● For a description of the Spotfire environment, see Introduction to the Spotfire environment.

● The basic installation takes you through the required steps for a simple configuration of SpotfireServer: the server on one computer, the Spotfire Analyst client on another, the node managerinstalled, and the Spotfire web client and TIBCO Spotfire® Automation Services (if purchased)available on all network computers, user authentication through the Spotfire database.

You can also use the basic installation process to complete the initial installation for a morecomplex implementation. In most cases it is recommended that you have a working basicinstallation before you add additional servers, load balancers, authentication methods, andso on.

To begin installation, see Basic installation process for Spotfire.

18

TIBCO Spotfire® Server and Environment Installation and Administration

Page 19: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Introduction to the Spotfire environment

The Spotfire environment is installed and configured to enable users to analyze their data in theSpotfire clients.

The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clientsconnect. Multiple nodes are installed and connected to Spotfire Server. The Web Player service andAutomation Services are installed on nodes to enable the usage of Spotfire web clients and the runningof Automation Services jobs. The server is connected to a Spotfire database that contains a userdirectory and stores analyses and configuration files. From a Spotfire Server start page, entities in theSpotfire environment can be configured and monitored.

Spotfire Server introductionSpotfire Server, a Tomcat web application that runs on Windows and Linux operating systems, is theadministrative center of any Spotfire environment.

In addition to providing the tools for configuring and administering the Spotfire environment, theSpotfire Server, through the Spotfire clients, enables users to access their data, create visualizations, andshare them—with their co-workers or with the world.

Spotfire Server performs the following main functions:

● Authenticates and authorizes Spotfire users.

● Provides access to analyses and data stored in the Spotfire library.

● Provides access to external data sources, including Oracle and SQL Server databases and most JDBCsources, through information links.

● Makes sure that analyses are loaded with updated data according to schedules that are defined bythe administrator.

● Provides storage (in the Spotfire database) for configurations, preferences, analyses, and so on.

● Manages the traffic through the Spotfire environment to optimize performance, and in accordancewith rules that are defined by the administrator.

● Distributes software updates throughout the implementation.

19

TIBCO Spotfire® Server and Environment Installation and Administration

Page 20: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● Monitors the health and activities of the Spotfire environment and provides diagnostic informationboth in the server interface and through downloadable logs.

Spotfire database introductionSpotfire Server requires access to a Spotfire database.

The Spotfire database stores the information that Spotfire Server needs to control the Spotfireenvironment, including users, groups, licenses, preferences, shared analyses, and system configurationdata.

You must have a database server up and running, preferably on a dedicated computer, before installingSpotfire Server. The Spotfire database can be installed on an Oracle Database server or a Microsoft SQLServer.

Nodes and services introductionInstall nodes in the environment to enable the use of Spotfire web clients and Spotfire AutomationServices.

With Spotfire Server installed, the installed Spotfire client, called Spotfire Analyst, can be used. Toenable the use of Spotfire web clients and Spotfire Automation Services, one or more nodes must alsobe configured, preferably on dedicated computers.

For each node, the administrator enables Web Player services, Automation Services, or both. The WebPlayer service allows users to perform analyses in a web browser. Automation Services can be used toautomate creation of analysis files, for example, with new data. The enabled services determine thefunctionality that the node provides to Spotfire end users, through the Spotfire Server. For failover andperformance purposes, multiple service instances can be added on each node.

You can scale your Spotfire environment by adding or removing nodes and service instances.

Spotfire clients introductionSpotfire end users connect to Spotfire Server using either an installed client or a web client.

Spotfire Analyst, a fully-featured client for working with data sources and creating complex analyses, isinstalled on a user's local computer.

To facilitate interactive analysis in a web browser, a Web Player service generates visualizations that aredisplayed in the web browser. Depending on which of two licenses a user has, the web client will havedifferent capabilities. With the Consumer license a user can view interactive analyses. With the BusinessAuthor license they can also create and edit simple analyses.

Environment communication introductionAll back-end communication in a Spotfire environment is secured by HTTPS/TLS, complying withcurrent security standards and industry best practices.

Spotfire Servers listen to incoming traffic from installed clients and web clients on one HTTP or HTTPSport, the front-end communication port.

Spotfire Servers listen to traffic from services on the nodes on another HTTPS port, the back-endcommunication port.

20

TIBCO Spotfire® Server and Environment Installation and Administration

Page 21: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

The secured back-end communication is based on certificates. After an administrator has approved thenew server or node, the certificates are issued automatically. Without a certificate, a server or a serviceon a node cannot make requests to, or receive requests from, other entities, except for when requiring acertificate.

After being installed, a node performs a join request to a specific, unencrypted HTTP Spotfire Serverport that only handles registration requests. The node remains untrusted until the administratorapproves the request by trusting the node. The Spotfire Server start page provides the tools to addnodes to the environment by explicitly trusting them, thereby issuing the certificates. When the nodereceives its certificate, it can send encrypted communication over the HTTPS/TLS ports and with this itcan start to send more than registration requests.

Authentication and user directory introductionInstalled clients, as well as web clients, connect to the Spotfire Server. When users of either client log into a Spotfire Server, two things happen before they get access: authentication and authorization.

Authentication is the process of validating the identity of a user. Once the identity is validated, the useris authorized in the user directory. Authorizing users determines what their access rights are within theSpotfire environment - in other words, what they are allowed to do.

21

TIBCO Spotfire® Server and Environment Installation and Administration

Page 22: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If username and password is used for authentication, they can be checked against the internal Spotfireuser directory, a custom Java Authentication and Authorization Service module, or - the most commonoption - an external LDAP directory. Spotfire has built-in support for Microsoft Active Directory andthe Directory Server product family, which includes Oracle Directory Server, Sun Java Directory Server,and Sun ONE Directory Server. Other LDAP servers can also be used.

For single sign-on, Spotfire supports NTLM, Kerberos, and X.509 Certificates.

For anonymous, a preconfigured Spotfire user identity is used to authenticate with the Spotfire Server.

Regardless of how the user was authenticated, the process of authorization is the same. The SpotfireServer checks the Spotfire user directory to determine a user's privileges, which control which functionsand analyses they can access with the Spotfire clients.

Optionally, the user and group accounts in the Spotfire user directory can be configured to besynchronized from an external LDAP directory. Spotfire supports the same LDAP servers for directorysynchronization as it does for authentication.

In the user directory, it is possible to organize the users in groups. The user and group information canlater be used to assign permissions, licenses, preferences etc. to the different resources available withinthe Spotfire environment.

Users & groups introductionAll Spotfire users are registered in the Spotfire database, where they are organized in groups.

The authentication method of your Spotfire environment determines how users are added to thedatabase and where they are administered:

● If your Spotfire implementation is configured for authentication towards the Spotfire database, theadministrator adds and administers user accounts directly in the database by using Spotfire Serverand the Administration Manager tool. Administration Manager is accessed from Spotfire Analyst.

● If your implementation uses an external user directory such as LDAP, user accounts are added andadministered in that context rather than in the server, and changes are automatically copied to theSpotfire database during synchronization.

Spotfire settings, including access to Spotfire features, which are controlled by licenses, are set at thegroup level, so all users necessarily belong to at least one group. Any user who is entered into thesystem automatically becomes a member of the Everyone group; this group cannot be deleted and willalways contain all registered users.

22

TIBCO Spotfire® Server and Environment Installation and Administration

Page 23: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

In addition to the Everyone group, a user can belong to any number of groups, and has access to all ofthe features that are enabled for those groups. Groups can be created and managed locally in theSpotfire database, or synchronized from an external source such as an LDAP directory.

Licenses and preferences introductionLicenses determine which features a group of users should have access to, and preferences set thedefault behavior of the Spotfire clients.

Licenses determine which features and functionality are available to Spotfire users. License data isstored in the Spotfire database. When a user logs in to Spotfire, the user can only access the featuresthat are enabled for the groups to which the user belongs.

Spotfire administrators can set a wide variety of preferences for the members of a group, such as adefault color scheme for analyses or data optimization options.

Licenses and preferences are set in the Administration Manager in Spotfire Analyst. See theAdministration Manager documentation for details on license and preference administration.

Deployment introductionTo deploy Spotfire software, the administrator places software packages in a deployment area onSpotfire Server, and assigns the deployment area to particular groups.

If a new deployment is available when a user logs in to a Spotfire client, the software packages aredownloaded from the Spotfire Server to the client.

Deployments are used:

● To set up a new Spotfire environment.

● To install a product upgrade, extension, or hotfix provided by Spotfire.

● To install a custom tool or extension.

Administrators can create multiple deployment areas, such as "Production" and "Staging". This allowsadministrators to test new deployments before rolling them out to the entire client base, or to maintaindifferent deployments for different groups of users.

Spotfire library introductionThe Spotfire database contains the Spotfire library. The library is accessible to Spotfire Analyst, and webclients through the Spotfire Server, allowing users to easily share and reuse their work.

The library stores Spotfire analyses, Spotfire data files, custom Spotfire data functions, informationlinks, shared connections created with Spotfire connectors, and visualization color schemes.

The library is organized into hierarchical folders, which are also used to control access to folder content.The administrator creates the folder structure, and assigns groups with the appropriate read and writepermissions to the folders.

Routing introductionSpotfire provides routing capabilities within the environment.

A cluster of Spotfire Servers in an environment can be fronted by a load balancer to distribute the trafficto the servers. No load balancer is required between Spotfire Server and the nodes, since the routingcapability of Spotfire Server features built-in load balancing, enabling non-opened analyses to beloaded by the least utilized Web Player service instance.

23

TIBCO Spotfire® Server and Environment Installation and Administration

Page 24: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

By default, any Spotfire Server in a cluster can send requests from clients to any Web Player serviceinstance. Likewise, any Web Player service instance can access any Spotfire Server for library data or toexecute information links.

After an analysis has been opened in a client, all subsequent requests for the session are forwarded tothe instance that was used for the initialization; thus Spotfire Server routing maintains analysis sessionaffinity.

Default routing improves capacity utilization by forwarding requests for a specific analysis file to theinstance or instances of the Web Player service instance where it is already opened, thereby servingmultiple users with the same Web Player service instance. Analysis data is also shared between users,so additional users accessing the analysis file will have a low impact on performance.

In addition to the default routing, administrators can create named resource pools and assign any WebPlayer service instances to them. The resource pools abstraction enables default routing to be altered byspecific static routing rules. Rules can be specified for users, groups or specific analysis files, and aredefined and applied in priority order, similar to mail sorting rules. Rules can be sorted, enabled,disabled, and re-mapped to a different resource pool.

Also, administrators can attach schedules to routing rules that apply to analysis files, effectively turninga routing rule into a scheduled update. Thereby, the administrator can have the analysis pre-loaded onselected instances in a resource pool, and have it refreshed at specified intervals.

Data sources introductionThe Spotfire environment provides several ways for clients to connect to data. The most common onesare: opening a local file, connecting through the information services function of Spotfire Server, orusing a Spotfire connector. Users can combine data from multiple sources in a single Spotfire analysis.

Using information services is an option for connecting to enterprise data. In this case, the SpotfireServer makes connections to data sources on behalf of the client, using information links saved in theSpotfire library. The raw data sets are loaded into the memory of the server.

The data sources available are Oracle, Microsoft SQL Server, Teradata, Sybase, SAS/Share, MySQL,DB2, and custom JDBC source types.

Spotfire connectors provide a mechanism for installed clients and service instances to make a directconnection with enterprise data. Depending on the connector, users can choose to load the entire rawdata set in the memory of the computer where the client or service instance is installed, or only retrieveaggregated results and make new queries as needed for more detail.

24

TIBCO Spotfire® Server and Environment Installation and Administration

Page 25: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Logging introductionIn addition to the configurable logs for the Spotfire Server, the nodes and the service instances, theAction Logs and System Monitoring feature helps administrators keep an eye on the health of theirSpotfire environment.

The action logs collect information about system events that are sent through a web service fromSpotfire Analyst, Automation Services, and the Web Player service to the Spotfire Server. These eventlogs, along with those from the Spotfire Server itself, can be saved either to files or in a database.

System monitoring takes periodic snapshots of key metrics on the Spotfire Server and the Web Playerservices, and stores this information in the same location as the action logs. The logs can then beanalyzed in a Spotfire client.

Administrators have many options for how to configure this feature, including which events andsystem statistics should be logged, from which hosts logging information will be collected, and how thelogs are pruned or archived.

Administration interface introductionThe Spotfire Server start page provides access to most administrative tasks and diagnostic informationon your Spotfire environment.

● In Analytics you can create new analyses, and view and edit analyses that are in the Spotfire library.

● In Users & Groups you can create users and groups, add users or groups to groups (including thepredefined administrator ones), assign deployment areas to groups, change user names, passwords,and emails.

● In Scheduling & Routing, you can schedule updates and monitor their status, date, and time, andcreate routing rules applicable to groups, users, or specific analysis files.

● In Nodes & Services you can review the servers and services setup, add new nodes, services, andservice instances, upgrade or rollback existing ones, and create resource pools for routing rules.

● In Deployments & Packages you can manage products, upgrades, extensions, and hotfixes bycreating or altering deployment areas, adding distributions and packages, and so forth.

● In Monitoring & Diagnostics you can monitor the system status, set logging levels, review logs,troubleshoot and download troubleshooting bundle, create memory dumps, and more.

25

TIBCO Spotfire® Server and Environment Installation and Administration

Page 26: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● In Server Tools you can download the configuration tool for Spotfire Server.

Library administration, licenses, and preferences are configured in the Administration Manager in theinstalled Spotfire Analyst client.

Example scenarioThis is an example scenario of what happens in the Spotfire environment when a user opens an analysisin a web client.

1. The Spotfire web client user receives an email with a link to an analysis that contains interestinginformation.

2. When the link is opened, an ordinary http (or https) connection is set up from the browser toSpotfire Server. Because the environment is configured for username and password authentication,a login dialog appears.

3. If the username and password are correct, the user also needs to be listed in the user directory.Spotfire Server compares the credentials towards the Spotfire database for verification.

4. A check is made to see that the user has the license privileges to see the analysis, which is stored inthe library.

5. The analysis is not already loaded on any Web Player service instance, so the routing logic ofSpotfire Server selects the least utilized instance to load the analysis. The request is forwarded tothis instance.

6. The Web Player service instance loads the analysis from the library.

7. Data in an analysis can be linked or embedded. This analysis contains linked data, loaded throughinformation services. A request for the data goes back from the Web Player service instance to aSpotfire Server.

8. After the analysis and its data are loaded, Spotfire Server acts as a proxy between the web browserand the Web Player service instance.

9. The user finds the analysis interesting and wants to add an extra visualization. Because the user hasthe Business Author license, the menu options to do so are visible.

10. After the user has updated and saved the analysis, the user can send a link to interested parties.

26

TIBCO Spotfire® Server and Environment Installation and Administration

Page 27: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Upgrading to Spotfire 7.6 from 7.0 or earlier – anintroduction

The biggest change from Spotfire 7.0 and earlier versions to Spotfire 7.6 is that Spotfire Server nowhandles all external communication and that Spotfire Web Player and Spotfire Automation Serviceshave become a set of scalable back-end services, installed on nodes.

That means that all web client users connect to Spotfire Server instead of a Spotfire Web Player server,and that Automation Services connect to Spotfire Server instead of to an Automation Services server.

A Spotfire 7.0 or earlier environment:

A Spotfire 7.6 environment:

27

TIBCO Spotfire® Server and Environment Installation and Administration

Page 28: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

When upgrading from Spotfire 7.0 or 6.5, this change mostly affects two things: Spotfire Server nowhandles all user authentication, regardless of which Spotfire client they use, and no load balancing isrequired in front of any Web Player servers.

Upgrading Spotfire Server is done the same way as in previous versions. You install Spotfire Server 7.6and use the Spotfire Server Upgrade tool to upgrade the Spotfire database to 7.6, and, if selected, copycertain files from the old installation of Spotfire Server to the Spotfire Server 7.6 installation directory.

To be able to upgrade to Spotfire Server 7.6, you must have Spotfire Server 6.5.3 HF-008 (or later) orSpotfire Server 7.0.0 HF-002 (or later) installed. If you have an earlier version of Spotfire Serverinstalled, you must first upgrade that server to one of these versions.

To upgrade to Spotfire Web Player 7.6 and Spotfire Automation Services 7.6, you apply your applicableexisting configurations, install the services on a node, and deploy any extensions.

It is recommended that you set up a Spotfire 7.6 staging environment for testing before upgrading.

Some specific things to take into consideration when upgrading are:

● CPU and memory: Since Spotfire Server performs more work than in previous versions, it consumesmore resources, I/O as well as CPU. All non-client computers in your environment (the computersthat host Spotfire Server, and the nodes) require at least 16 GB of memory.

● Geographically distributed environments: Spotfire 7.6 is not recommended for environments withhigh latency between servers; an example of this is latency resulting from widely separatedgeographical locations. If groups of users are spread out geographically, you want these users toaccess parts of the system as close to them as possible. You should install multiple Spotfire Server inthe different locations, and install the services needed on nodes connected to these servers. To avoidusers being routed to a service instance located far away, use Scheduling & Routing to configurerouting rules specifying that the group of users in location A only get routed to service instances inlocation A and so on.

● Centralized configuration: All configuration files are now stored in the Spotfire database. Thismeans that a Web Player service or Automation Services configuration can be centrally applied to allservices in your environment. However, this also means that names and content of configurationfiles have been changed and that old configurations must be copied manually.

● Authentication: In Spotfire 7.0 and 6.5, you configure authentication on the Spotfire Server forSpotfire Analyst users and on the Spotfire Web Player server for Spotfire web client users. InSpotfire 7.6 you set up the authentication for all users on Spotfire Server. This means that the sameauthentication method is used for Spotfire Analyst users as for Spotfire web client users. Therefore,it is no longer supported to use different authentication methods for Spotfire Analyst users andSpotfire web client users. However, Anonymous authentication can be combined with anotherauthentication method on the same Spotfire Server. If a custom authentication method was used,this is configured as an external authentication on Spotfire Server.

● Load Balancing: If your Spotfire 7.0 or 6.5 environment had multiple Spotfire Web Player serversand a load balancer, the load balancer in front of the Web Players is no longer needed. In Spotfire7.6, each Web Player service on each node can have multiple instances running. The load balancer infront of the Web Players is replaced by the routing capabilities of Spotfire Server in 7.6. A loadbalancer can still be used in front of multiple Spotfire Servers.

● Web Links: If you have old web links to analyses, these must be updated to work in 7.6. Since allusers connect to Spotfire Server in 7.6, the DNS entry to the former Web Player server must nowpoint to the Spotfire Server.

● Automation Services: Existing scheduled Automation Services jobs, using the Client Job Sender,must be updated, since the configurations have changed and the Client Job Sender now connects toSpotfire Server instead of an Automation Services Server.

● Extensions and customizations: API Extensions or customizations, such as custom visualizations orco-branding needs to be updated when upgrading to Spotfire 7.6.

28

TIBCO Spotfire® Server and Environment Installation and Administration

Page 29: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

For more information on changes needed, and instructions on how to upgrade your environment, see Upgrading to 7.6 from 7.0 or earlier.

29

TIBCO Spotfire® Server and Environment Installation and Administration

Page 30: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Basic installation process for Spotfire

To get Spotfire up and running in a simple configuration, follow these steps. The resulting simpleinstallation includes the following: the server on one computer, a few Spotfire Web Player instancesavailable for other computers, the Spotfire Analyst client on another computer, and the user directoryin the Spotfire database.

Prerequisite

A database server must be up and running, preferably on a dedicated computer. Spotfire supportsOracle Database server and Microsoft SQL Server.

If you are running an earlier version of Spotfire Server, see the "Upgrading" section of Spotfire Serverhelp.

Spotfire Server is no longer supported on 32-bit systems. To view the complete system requirements, goto http://support.spotfire.com/sr.asp.

1. Download the required software.

2. Collect the required information.

3. Set up the Spotfire database:

● On Oracle

● On SQL

4. Run the Spotfire Server installer.

5. Apply hotfix.

6. Create the bootstrap.xml file.

7. Create and save a basic Spotfire Server configuration.

8. Create an administrator user.

9. Start Spotfire Server.

10. Deploy client software packages to Spotfire Server.

11. Install a node manager.

12. Authorize the node manager.

13. Install Spotfire Web Player instances.

14. Install Spotfire Automation Services instances.

Alternatively, you can use the command-line configuration tool after step 5 above (see Manuallycreating a simple configuration) or run a script that invokes multiple commands (see Scripting aconfiguration).

30

TIBCO Spotfire® Server and Environment Installation and Administration

Page 31: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Installation and configuration

Spotfire Server requires that the preparation, installation, database configuration, and serverconfiguration happen in a specific order. Make sure you follow the steps as described.

See Basic installation process for Spotfire for the required sequence.

PreparationPrepare to install Spotfire Server by downloading the required software from the TIBCO eDelivery andSupport websites, recording the required system properties, and setting up the Spotfire database onyour database server.

Make sure that your system fulfills the requirements listed on the TIBCO Spotfire Server SystemRequirements page, http://support.spotfire.com/sr_spotfireserver.asp.

If you are upgrading, first read Upgrading.

Downloading required softwareThe first step in installing Spotfire Server is to download the required software to the computer thatwill run the server.

Prerequisites

You must have access to the required software on the TIBCO eDelivery web site and the SpotfireSupport web site. If you do not have access, contact your sales representative.

Procedure

1. From the TIBCO eDelivery web site, download the following zipped folders and then extract thefiles:

● The Spotfire Server installation kit for version 7.6.0 that corresponds to your operating system(search for the Product "TIBCO Spotfire Server").

Beginning with Spotfire Server 7.6, the server installation kit contains the Spotfire clientdeployment kit.

2. From the TIBCO Spotfire Server Hotfixes page, download the zipped folder containing the latesthotfix for Spotfire Server 7.6 and then extract the files.

The hotfixes are cumulative, so you only have to download the latest one.

What to do next

Collect required information

Collecting required informationTo set up the Spotfire database, and install and configure Spotfire Server, you must have certaininformation about the IT system at your site and how you want Spotfire Server to interact with theexisting system.

Prerequisites

● A database server must be up and running before you can install Spotfire Server, preferably on aseparate computer. The Spotfire Server installer will not install a database server. Spotfire supportsMicrosoft SQL Server and Oracle Database server.

31

TIBCO Spotfire® Server and Environment Installation and Administration

Page 32: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Collect the following information about your database server:

You may need to contact your database administrator.

Required information Notes Your information

Database server type Either MSSQLor Oracle

Database server hostname

Administrator user name

Administrator password

Connection identifier For Oracleonly

Instance name For MSSQLonly

2. Decide on the following information for the Spotfire database:

Required information Notes Your information

Spotfire database name For MSSQL only. Thedefault isspotfire_server.

Spotfire database user name If the databases usesIntegrated Windowsauthentication, notethis user. If you useIntegratedauthentication,Spotfire Server mustrun as this WindowsDomain user.

Spotfire database password

3. Decide on the following for Spotfire Server:

32

TIBCO Spotfire® Server and Environment Installation and Administration

Page 33: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Required information Notes Your information

Spotfire Server front-end port Used forcommunication withSpotfire clients.

The default is 80. Ifanother application onthe same computeruses port 80, select adifferent port number.

Back-end registration port Used for key exchangeto set up trustedcommunicationbetween the SpotfireServer and nodes.

The default is 9080.

Back-end communication port(TLS)

Used for encryptedtraffic between nodes.

The default is 9443.

Spotfire Server login method Knowledge about yourorganization's ITinfrastructure isrequired to set up anylogin method otherthan Spotfire database.

Available loginmethods:

● Username andpassword:

Spotfire Database,LDAP, CustomJAAS, WindowsNT Domain

● Single sign-on:

NTLM, Kerberos,X.509 ClientCertificate

33

TIBCO Spotfire® Server and Environment Installation and Administration

Page 34: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Required information Notes Your information

Spotfire Server user directory Knowledge about yourorganization's ITinfrastructure isrequired to set up anyuser directory otherthan Spotfire database.

Valid options are:Spotfire database,LDAP, and WindowsNT Domain.

Spotfire Server operatingsystem

Spotfire Servers hostnames

Hostname of load balancer, ifapplicable

What to do next

Set up the Spotfire database (Oracle)

Set up the Spotfire database (SQL Server)

Set up the Spotfire database (SQL Server with Integrated Windows authentication)

Setting up the Spotfire database (Oracle)If you are running Oracle Database, follow these steps to set up the Spotfire database before you runthe Spotfire Server installer.

Prerequisites

● You have downloaded the Spotfire Server installation kit from the TIBCO eDelivery web site; forinstructions, see Downloading required software.

● The following settings must be configured on the Oracle Database server:

— User name and password authentication.

It is also possible to set up Spotfire Server to authenticate with an Oracle Databaseinstance using Kerberos; for instructions, see Using Kerberos to log in to the Spotfiredatabase. In this case, you must run the database preparation scripts manually; see Running database preparation scripts manually.

— National Language Support (NLS) to match the language of the data you will bring intoSpotfire.

If the database server NLS cannot be set to match the language of your data, Oracleprovides other methods of setting NLS to a specific database or user. For moreinformation, consult your database administrator or see the Oracle databasedocumentation.

● You must also have access to the Oracle Database server. You may need assistance from yourdatabase administrator to copy the install directory to the database and to provide the databasedetails for the script.

34

TIBCO Spotfire® Server and Environment Installation and Administration

Page 35: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

The command-line database tools (for example, sqlplus) must be in the system path of theOracle Database server.

Procedure

1. Extract the files from the TIB_sfire_server_7.6.0_win.zip orTIB_sfire_server_7.6.0_linux.tar file to a directory on your desktop.

2. Copy the oracle_install directory from the /scripts directory to the computer running OracleDatabase server.

3. On the Oracle Database computer, open the oracle_install directory, and then, in a text editor,open the create_databases script that corresponds to your platform:

● Windows: create_databases.bat

● Linux: create_databases.sh

● Windows (Oracle Database running on Amazon RDS): create_databases_rds.bat

● Linux (Oracle Database running on Amazon RDS): create_databases_rds.sh

4. In the section under "Set these variables to reflect the local environment", edit thecreate_databases script by providing the appropriate database server details.

Definitions of the variables in create_databases

Variable Description

ROOTFOLDER Location where the tablespaces will be created. It must be adirectory that is writable for the Oracle instance, usually<oracle install dir>/oradata/<SID> or <oracle install dir>/oradata/<PDBNAME>.

Do not add a slash or backslash after the <SID>.

This variable is not applicable for the Amazon RDScreate_databases scripts.

CONNECTIDENTIFIER Oracle TNS name/SID of the database/service name, forexample ORCL or //localhost/pdborcl.example.com.

ADMINNAME Name of a user with Oracle Database administratorprivileges for the database identified in theCONNECTIDENTIFIER, for example "system".

ADMINPASSWORD Password of the ADMINNAME user.

SERVERDB_USER Name of the user that will be created to set up the Spotfiredatabase.

SERVERDB_PASSWORD Password for SERVERDB_USER.

SERVER_DATA_TABLESPACE Name of the tablespace that will be created. The defaultvalue works for most systems.

35

TIBCO Spotfire® Server and Environment Installation and Administration

Page 36: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Variable Description

SERVER_TEMP_TABLESPACE Name of the temporary tablespace that will be created. Thedefault value works for most systems.

Conflicting tablespaces can occur if you arecreating the Spotfire tablespaces on a databaseserver that is already hosting an Analytics Serveror a previous version of Spotfire Server. Make surethat you do not select any names for the 7.6tablespaces and users that conflict with the alreadyhosted tablespaces and users.

INSTALL_DEMODATA Set to "yes" if you want to install the demonstration database.The demo database contains example data for learning aboutSpotfire. If you install the demo database, you must performadditional steps to make the data available to the users.

DEMODB_USER Name of the user who will access the demo database. If youchange the default user name, the corresponding informationlayer must be redirected in information designer.

DEMODB_PASSWORD Password for DEMODB_USER.

ExampleThis is an example of how the file section might look after modification:rem Set these variables to reflect the local environment:rem Where should the data be stored on the database server:set ROOTFOLDER=C:\oracle\app\orclrem A connect identifier to the container database or the pluggable databaserem for a pluggable database a service name like //localhost/pdborcl.example.comrem could be the SID for Oracle 11 or earlier, TNSNAME etc,rem see the documentation for sqlplusset CONNECTIDENTIFIER=//localhost/pdborcl.example.comrem a username and password for an administrator in this (pluggable) databaseset ADMINNAME=systemset ADMINPASSWORD=admin123rem Username and password for the Spotfire instance this user will be created,rem remember that the password is written here in cleartext,rem you might want to delete this sensitive info once the script is runset SERVERDB_USER=spotfire_dbset SERVERDB_PASSWORD=spotfire_db123rem The spotfire tablespaces, alter if you want to run multiple instances in the same databaseset SERVER_DATA_TABLESPACE=SPOTFIRE_DATAset SERVER_TEMP_TABLESPACE=SPOTFIRE_TEMPrem Demo data parameters, should it be installed at allset INSTALL_DEMODATA=norem Username and password for the demodataset DEMODB_USER=spotfire_demodataset DEMODB_PASSWORD=spotfire_demodata123

5. Save the file and close the text editor.

6. Open a command-line interface and go to the directory where you placed the scripts.

7. Type create_databases.bat or create_databases.sh and press Enter.If the parameters are correct, text that is similar to the following text appears in the command-lineinterface:

36

TIBCO Spotfire® Server and Environment Installation and Administration

Page 37: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

The log.txt file is created in the same directory as the create_databases file. Also, ifyou indicated that you want to download the demo database, log files from the creation ofthe Spotfire demo data are created. Examine these files to verify that no errors occurred,and retain the logs for future reference.

Because the scripts contain sensitive information, it is good practice to remove them afteryour Spotfire environment has been installed.

What to do next

Install Spotfire Server

Setting up the Spotfire database (SQL Server)If you are running Microsoft SQL Server, follow these steps to set up the Spotfire database before yourun the Spotfire Server installer.

Prerequisites

If you plan to configure Integrated Windows authentication (IWA) between Spotfire Server and theSpotfire database in SQL, see Setting up the Spotfire database (SQL Server with Integrated Windowsauthentication).

● You have downloaded the Spotfire Server installation kit from the TIBCO eDelivery web site; forinstructions, see Downloading required software.

● The following settings must be configured on SQL Server:

— TCP/IP communication.— A TCP/IP listener port (the default is 1433).— Case-insensitive collation (at least for the Spotfire database).

If your installation of SQL Server uses a case-sensitive collation by default, you mustedit the create_server_db.sql script before running the create_databases.batscript. See step 3.

— Collation must match the language of your data.● You must also have access to the SQL Server, or use any computer that can run Microsoft SQL tools

and can communicate with the SQL Server.

The command-line database tools (for example, sqlcmd) must be in the system path of theSQL Server.

Procedure

1. Extract the files from the TIB_sfire_server_7.6.0_win.zip orTIB_sfire_server_7.6.0_linux.tar file to a directory on your desktop.

2. Copy the mssql_install directory from the /scripts directory to the computer running SQLServer.

37

TIBCO Spotfire® Server and Environment Installation and Administration

Page 38: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. Optional: If your installation of SQL Server uses a case-sensitive collation by default, follow thesesteps to specify case-insensitivity for the Spotfire database:a) On the SQL Server computer, open the mssql_install directory, and then open the

create_server_db.sql script in a text editor.b) Locate the line --create database $ (SERVERDB_NAME) collate Latin1_General_CI_AS;c) Remove the leading dashes (--).d) Replace the case-insensitive (CI) collation Latin1_General_CI_AS with the name of another CI

collation. See the SQL Server documentation for information about available collations.e) Comment out the following line by inserting leading dashes (--), so that the line looks like this:

--create database $(SERVERDB_NAME)

f) Save the file and close the text editor.

4. On the SQL Server computer, open the mssql_install directory, and then open thecreate_databases.bat script in a text editor. If your SQL Server is running on Amazon RDS, openthe create_databases_rds.bat script in a text editor.

5. In the section under "Set these variables to reflect the local environment", edit thecreate_databases.bat script by providing the appropriate database server details.

Definitions of the variables in create_databases

Variable Description

CONNECTIDENTIFIER Replace SERVER with the name of the server running the SQLServer instance, and replace MSSQL_INSTANCENAME with thename of the SQL Server instance.

ADMINNAME Name of a user with SQL database administrator privileges,usually "sa".

ADMINPASSWORD Password of the ADMINNAME user.

SERVERDB_NAME Name of the Spotfire database that will be created;spotfire_server is the default.

SERVERDB_USER Name of the user that will be created to set up the Spotfiredatabase.

SERVERDB_PASSWORD Password for SERVERDB_USER.

INSTALL_DEMODATA Set to "yes" if you want to install the demo database. The demodatabase contains example data for learning about Spotfire. Ifyou install the demo database, you must perform additionalsteps to make the data available to the users.

DEMODB_NAME Name of the demo database. If you change the default databasename, the corresponding information layer needs to beredirected in information designer.

DEMODB_USER Name of the user that will access the demo database.

DEMODB_PASSWORD Password for DEMODB_USER.

Example

38

TIBCO Spotfire® Server and Environment Installation and Administration

Page 39: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

This is how the create_databases.bat file section might look after modification:rem Set these variable to reflect the local environment:set CONNECTIDENTIFIER=DBSERVER\MSSQL set ADMINNAME=saset ADMINPASSWORD=admin123set SERVERDB_NAME=spotfire_serverset SERVERDB_USER=spotfire_dbset SERVERDB_PASSWORD=spotfire_db123

rem Demo data parametersset INSTALL_DEMODATA=noset DEMODB_NAME=spotfire_demodataset DEMODB_USER=spotfire_demodataset DEMODB_PASSWORD=spotfire_demodata123

6. Save the file and close the text editor.

7. Open a command prompt as an administrator and go to the directory where you placed the scripts.

8. Type create_databases.bat and press Enter.If the parameters are correct, text that is similar to the following text is displayed at the commandline:

Log files are created in the same directory as the create_databases file. Examine thesefiles to verify that no errors occurred and retain the logs for future reference.

Because the scripts contain sensitive information, it is good practice to remove them afteryour Spotfire environment has been installed.

What to do next

Install Spotfire Server

Setting up the Spotfire database (SQL Server with Integrated Windows authentication)If you are running Microsoft SQL Server and plan to use Integrated Windows authentication betweenSpotfire Server and the Spotfire database in SQL, follow these steps to set up the database before yourun the Spotfire Server installer.

Prerequisites

● You have downloaded the Spotfire Server installation kit from the TIBCO eDelivery web site; forinstructions, see Downloading required software.

● The following settings must be configured on SQL Server:

— TCP/IP communication.

— A TCP/IP listener port (the default is 1433).

— Case-insensitive collation (at least for the Spotfire database).

39

TIBCO Spotfire® Server and Environment Installation and Administration

Page 40: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If your installation of SQL Server uses a case-sensitive collation by default, you mustedit the create_server_db.sql script before running thecreate_databases_ia.bat script. See step 3.

— Collation must match the language of your data.● You must also have access to the SQL Server, or use any computer that can run Microsoft SQL tools

and can communicate with the SQL Server.

The command line database tools (sqlcmd, etc.) must be in the system path of the SQLServer.

The database must accept identities from Windows. The scripts will run as the current user, so thecurrent user must have administrative privileges on the database. Note that the created databases willget the 'dbo' user created with this login. So later the created databases will be possible to administratewith integrated authentication when running as the current user.

There must exist another Windows login in the domain. The Spotfire Server process should be startedwith this login to enable the integrated authentication.

The scripts will work out of the box under these assumptions.

If the login already exists on the database server, the "create_server_user_ia.sql" must be edited. Thefollowing rows should be commented out:

use master GO CREATE LOGIN [$(WINDOWS_LOGIN_ACCOUNT)] FROM WINDOWS WITH DEFAULT_DATABASE=[$(SERVERDB_NAME)],DEFAULT_LANGUAGE=[us_english] GO ALTER LOGIN [$(WINDOWS_LOGIN_ACCOUNT)] ENABLE GO DENY VIEW ANY DATABASE TO [$(WINDOWS_LOGIN_ACCOUNT)]

Setting "WINDOWS_LOGIN_ACCOUNT" to the user that is running the scripts creates a problembecause the user running the scripts will be associated with the dbo user in the created database. Theuser running the scripts also has high-level permissions, so this is not recommended. If you want to doit anyway, you must comment out the following lines from "create_server_user_ia.sql":CREATE USER [$(SERVERDB_USER)] FOR LOGIN [$(WINDOWS_LOGIN_ACCOUNT)]GO

And if you have enabled the creation of demodata, the following rows in "create_demo_user_ia.sql"must be commented out:CREATE USER [$(DEMODB_USER)] FOR LOGIN [$(WINDOWS_LOGIN_ACCOUNT)]GO

Procedure

1. Extract the files from the TIB_sfire_server_7.6.0_win.zip file to a directory on your desktop.2. Copy the mssql_install directory from the /scripts directory to the computer running SQL

Server.3. If your installation of SQL Server uses a case-sensitive collation by default, follow these steps to

specify case-insensitivity for the Spotfire database:a) On the SQL Server computer, open the mssql_install directory, and then open the

create_server_db.sql script in a text editor.b) Locate the line --create database $ (SERVERDB_NAME) collate Latin1_General_CI_AS;c) Remove the leading dashes (--).d) Replace the case-insensitive (CI) collation Latin1_General_CI_AS with the name of another CI

collation. See the SQL Server documentation for information about available collations.e) Comment out the line below it by inserting leading dashes (--), so that the line looks like this: --

create database $(SERVERDB_NAME)

40

TIBCO Spotfire® Server and Environment Installation and Administration

Page 41: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

f) Save the file and close the text editor.

4. On the SQL Server computer, open the mssql_install directory, and then opencreate_databases.ia.bat in a text editor.

5. In the section under "Set these variables to reflect the local environment", edit thecreate_databases_ia.bat script by providing the appropriate database server details. Thedefinitions of the variables are listed at the top of the script.

Definitions of the variables in create_databases.ia.bat

Variable Description

CONNECTIDENTIFIER Replace SERVER with the name of the server running the SQLServer instance, and replace MSSQL_INSTANCENAME with thename of the SQL Server instance.

WINDOWS_LOGIN_ACCOUNT The Windows Login Account that should be created as a loginon the database server. The server process must run as this user.

SERVERDB_NAME Name of the Spotfire database that will be created;spotfire_server is the default.

SERVERDB_USER Name of the user that will be created to set up the Spotfiredatabase.

INSTALL_DEMODATA Set to "yes" if you want to install the demo database. The demodatabase contains example data for learning about Spotfire. Ifyou install the demo database, you must perform additionalsteps to make the data available to the users.

DEMODB_NAME Name of the demo database. If you change the default databasename, the corresponding information layer needs to beredirected in information designer.

DEMODB_USER Name of the user that will access the demo database.

ExampleThis is how the create_databases_ia.bat file section might look after modification:rem Set these variable to reflect the local environment:set CONNECTIDENTIFIER=DBSERVER\MSSQLset WINDOWS_LOGIN_ACCOUNT=example.com\win_userset SERVERDB_NAME=spotfire_serverset SERVERDB_USER=spotfire_user

rem Demo data parametersset INSTALL_DEMODATA=noset DEMODB_NAME=spotfire_demodataset DEMODB_USER=spotfire_demodata

6. Save the file and close the text editor.

7. Open a command prompt as an administrator and go to the directory where you placed the scripts.

8. Type create_databases_ia.bat and press Enter.If the parameters are correct, text that is similar to the following text is displayed at the commandprompt:

41

TIBCO Spotfire® Server and Environment Installation and Administration

Page 42: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Log files are created in the same directory as the create_databases_ia file. Examine thesefiles to verify that no errors occurred, and retain the logs for future reference.

Because the scripts contain sensitive information, it is good practice to remove them afteryour Spotfire environment has been installed.

What to do next

Install Spotfire Server

Running database preparation scripts manuallyIf you plan to set up Kerberos authentication between your database and Spotfire Server, you must runthe database SQL preparation scripts manually.

Procedure

1. Read through the create_databases script to understand how the scripts work.

2. Run the following scripts:

● create_server_db.sql

● populate_server_db.sql

● create_server_env.sql

For Oracle, the create_databases script passes the following variables to these scripts.When you run the database Oracle scripts manually, make sure to pass these variablesalong to the scripts:● ROOTFOLDER

● CONNECTIDENTIFIER

● SERVER_DATA_TABLESPACE

● SERVER_TEMP_TABLESPACE

For SQL, the create_databases script passes the following variables to these scripts.When you run the database SQL scripts manually, make sure to pass these variables alongto the scripts:● SERVERDB_NAME

● DEMODB_NAME

3. If you want to install the demo database tables that are shipped with Spotfire Server, do thefollowing:

a) Run these scripts:

● create_demotables.sql

● create_demodata_env.sql

42

TIBCO Spotfire® Server and Environment Installation and Administration

Page 43: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

b) Using the appropriate load command for your database, load all of the SQL loader files that arein the demodata folder.

InstallationThe Spotfire Server installer adds three major components to your system: A Java environment (JDK), aTomcat application server, and a Spotfire Server web application.

The Spotfire Server should run in an English (United States) language setting, as stated on the TIBCOSpotfire Server System Requirements page, http://support.spotfire.com/sr_spotfireserver.asp.

If you are upgrading, first read Upgrading.

The JAVA_HOME of the Apache Tomcat is set to the path of the installed JDK.

For increased security, you may want to install the Java Cryptography Extension (JCE) unlimitedstrength jurisdiction policy files. It is the user's responsibility to verify that these files are allowed underlocal regulations.

Select the appropriate installation procedure for your system and level of experience.

Installing the Spotfire Server files (interactively on Windows)Running the Spotfire Server installer is the second step in the Spotfire Server installation process, aftersetting up the database.

Prerequisites

The Spotfire database has been set up on your Oracle or SQL Server database; for instructions, see Setting up the Spotfire database on Oracle or on SQL Server.

For security and product performance reasons, it is recommended that you install Spotfire Server on adifferent computer than the database.

This procedure is for an interactive installation, using the installation wizard. Alternatively, you can runa silent installation from the command line; for details, see Installing the Spotfire Server files (silentlyon Windows).

Procedure

1. In the server installation kit that you downloaded from the TIBCO eDelivery site, double-clicksetup-win64.exe.

If you use Microsoft SQL Server with Windows Integrated Authentication, install SpotfireServer as the Domain User that you set up with the script create_databases_ia.bat.Also make sure that Spotfire Server always runs as this Domain User. Confirm with thelogs that Spotfire Server starts.

2. In the installation wizard Welcome dialog, click Next.

3. In the License dialog, read the agreement, select the appropriate radio button, and then click Next.

4. In the Third Party Components dialog, if you plan to configure the system for NTLM and youcurrently have access to the internet, select Download and install and then click Next.

If you do not currently have access to the internet, you can install the third-partycomponents later; for instructions, see Downloading third-party components (JCIFS) forNTLM authentication.

5. In the Destination Folder dialog you can change the location if you want to, and then click Next.

6. In the Windows Service dialog, select the option you want and then click Next.

43

TIBCO Spotfire® Server and Environment Installation and Administration

Page 44: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

7. In the Spotfire Server Port dialog you can specify the front-end port, and then click Next.

To check whether a port is in use, open a command prompt, type netstat -na, and pressEnter.

The ports selected during installation for front-end, back-end communication, and back-end registration ports must be open in the firewall. (The defaults are 80, 9443, and 9080.)

8. In the Backend Communication Ports dialog you can specify the back-end ports, and then clickNext.

9. In the Node Manager Hosts dialog, select the computer names that can be used by back-end trust.In general you can leave all the listed names as they are.

10. In the Ready to Install dialog, click Install.The Installing dialog tracks the progress of the installation.

11. When the installation is completed, select Launch the configuration tool to open the configurationtool, or Launch the upgrade tool to open the upgrade tool.

What to do next

Apply any available hotfixes for Spotfire Server: Applying hotfixes

Installing the Spotfire Server files (silently on Windows)Instead of running the installation wizard, you can install the Spotfire Server files silently by runningthe installer from the command prompt.

Prerequisites

The Spotfire database has been set up within your Oracle or SQL Server database; for instructions, see Setting up the Spotfire database on Oracle or on SQL Server.

For security and product performance reasons, it is recommended that you install Spotfire Server on adifferent computer than the database.

To use the interactive installation wizard instead of the command prompt installation, see Installing theSpotfire Server files (interactively on Windows).

Procedure

1. Open a command prompt as an administrator.

2. If necessary, edit the default parameters. Make sure that none of the ports you select are already inuse. setup-win64.exe /s /v"/qn /l*vx TSS_install.log DOWNLOAD_THIRD_PARTY=YesINSTALLDIR=C:\tibco\tss\7.6.0 SPOTFIRE_WINDOWS_SERVICE=Create SERVER_FRONTEND_PORT=80SERVER_BACKEND_REGISTRATION_PORT=9080 SERVER_BACKEND_COMMUNICATION_PORT=9443 NODEMANAGER_HOST_NAMES="

Silent installation parameters

Parameter Description

DOWNLOAD_THIRD_PARTY

This parameter is casesensitive.

The available options are Yes and No. Thesecomponents are only needed to configure the systemfor NTLM.

44

TIBCO Spotfire® Server and Environment Installation and Administration

Page 45: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Parameter Description

INSTALLDIR The installation directory.

SPOTFIRE_WINDOWS_SERVICE The available options are Create and DoNotCreate.

SERVER_FRONTEND_PORT Used for communication with Spotfire clients. Thedefault is 80.

SERVER_BACKEND_REGISTRATION_PORT Used for key exchange to set up trustedcommunication between the Spotfire Server andnodes. The default is 9080.

SERVER_BACKEND_COMMUNICATION_PORT Used for encrypted traffic between nodes. Thedefault is 9443.

NODEMANAGER_HOST_NAMES A comma-separated list of IP addresses, hostnames,and fully qualified domain names ( FQDN ) thatidentify the computer(s) in your implementation thatwill run Spotfire Server.

Example:

If you do not enter any values, the installerautomatically provides values. Afterinstallation, confirm that these are correctin the [installation dir]\nm\config\nodemanager.properties file.

3. Specify /qn for quiet installation with no user interface, or /qb for quiet installation with basic userinterface.

4. Run the installation script.

What to do next

Apply any available hotfixes for Spotfire Server: Applying hotfixes

Installing the Spotfire Server files (RPM Linux)If you have root access to the Linux computer on which you want to install Spotfire Server, you can usethe RPM-based installer. If you do not have root access, use the Tarball installer instead.

Prerequisites

The Spotfire database has been set up within your Oracle or SQL Server database; for instructions, see Setting up the Spotfire database on Oracle or on SQL Server.

For security and product performance reasons, it is recommended that you install Spotfire Server on adifferent computer than the database.

Procedure

1. Open a command-line interface and run the following script: rpm -ivh tss-7.6.0.x86_64.rpmAs the script runs it prompts you for any missing arguments.

2. In the command-line interface, run the post-installation script: /user/local/bin/tibco/tss/7.6.0/configure [-d] [-s ] [-r ] [-b ] where -d disables the download of third-party

45

TIBCO Spotfire® Server and Environment Installation and Administration

Page 46: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

components, -s specifies the server front-end port, -r specifies the back-end registration port and -b specifies the back-end communication port.

What to do next

Apply any available hotfixes for Spotfire Server: Applying hotfixes

Installing the Spotfire Server files (Tarball Linux)If you do not have root access to the Linux computer on which you want to install Spotfire Server, usethe Tarball installer rather than the RPM installer. Both the installation script and a post-installationscript are run from the command line.

Prerequisites

The Spotfire database has been set up within your Oracle or SQL Server database; for instructions, see Setting up the Spotfire database on Oracle or on SQL Server.

For security and product performance reasons, it is recommended that you install Spotfire Server on adifferent computer than the database.

Procedure

1. Open a command-line interface, go to the directory where you want to install Spotfire Server, andunpack and run the tar file by running the following command: tar xzftss-7.6.0.x86_64.tar.gz

The directory must contain the string "tss" in order for start and stop scripts to work.

As the script runs it prompts you for any missing arguments.

2. In the command-line interface, run the post-installation script in the directory where the tar file wasunpacked: ./configure [-d] [-s ] [-r ] [-b ], where -d disables the download of third-party components, -s specifies the server front-end port, -r specifies the back-end registration port,and -b specifies the back-end communication port.

3. Optional: If you have root access to the computer, configure the server to start when the computerstarts by running this command: ./configure-boot

What to do next

Apply any available hotfixes for Spotfire Server: Applying hotfixes

Database driversDataDirect database drivers work well for test environments, but for production environments, driversfrom Oracle or Microsoft SQL are strongly recommended.

Spotfire Server ships with the following database drivers:

● DataDirect drivers for Oracle and Microsoft SQL

● Microsoft SQL Server driver

Spotfire supports the Oracle driver as well, available from the Oracle web site.

46

TIBCO Spotfire® Server and Environment Installation and Administration

Page 47: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Installing the Oracle database driverIf your implementation uses Oracle Database server, it is recommended that you install an Oracledriver (JDBC) for your production environments.

Procedure

1. Download the database driver from the Oracle website.

2. Place the driver in the following directory: <installation dir>/tomcat/lib.

Installing database drivers for Information DesignerThe Information Designer tool, available in Spotfire, allows users to create analyses based on dataretrieved from external JDBC sources. These external data sources are accessed using database drivers.

To connect to an external data source, you must also enable a data source template that matches thedatabase and the specific database driver.

The database connection URL, used by the server to connect to the database, may differ for differentdatabase drivers; see Database drivers and database connection URLs.

Procedure

1. Download the database driver.

2. Place the driver in the following directory: <installation dir>/tomcat/lib.

3. Restart Spotfire Server.

4. Enable a data source template that matches the database and a specific database driver, using eitherthe graphical configuration tool or the command add-ds-template.

Applying hotfixes to the serverBefore you begin configuring Spotfire Server, you must install any available hotfix for this version ofthe server.

Prerequisites

● You have installed Spotfire Server.

● You have downloaded the latest hotfix for your version of Spotfire Server; for instructions, see Downloading required software.

Procedure

● Follow the instructions in the Installation_Instructions.htm file that was included in the hotfixpackage that you downloaded.

What to do next

Configure Spotfire Server; see Initial configuration.

Initial configurationIt is recommended that Spotfire administrators configure a successful basic installation of SpotfireServer before configuring more advanced implementations.

Multiple configurations can be stored in the Spotfire database, but only one can be active

47

TIBCO Spotfire® Server and Environment Installation and Administration

Page 48: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuration using the graphical configuration toolThe Spotfire Server graphical configuration tool provides a clear path to a basic installation, and offersthe most frequently used configuration options.

The configuration tool must be run by a Spotfire administrator. If the Spotfire administrator does nothave access to the computer running Spotfire Server, or if the server cannot display graphics, theconfiguration tool can be run from a local computer.

Opening the graphical configuration tool

You can use the Spotfire Server graphical configuration tool for the initial configuration of your Spotfireimplementation, or for updating your configuration later on.

Procedure

● There are three ways to open the configuration tool:

● Select the Launch the Configuration Tool check box on the last screen of the Spotfire Serverinstallation wizard.

● On the computer running Spotfire Server, click Start, go to the Spotfire Server folder, and clickConfigure TIBCO Spotfire Server.

● Run the uiconfig.bat file (uiconfig.sh on Linux). These files are located in the<installation dir>\tomcat\bin directory.

If you cannot run the graphical configuration tool on the Spotfire Server computer, see Running the graphical configuration tool on a local computer.

Running the graphical configuration tool on a local computer

If running the graphical configuration tool on the Spotfire Server computer is impossible orinconvenient, you can run the tool on a local computer.

Prerequisites

Java 8 runtime must be installed on the local computer.

Procedure

1. From the computer where Spotfire Server is installed, copy the <installation dir>/tomcat/webapps/spotfire/tools/spotfireconfigtool.jar file to the local computer.

If Spotfire Server is up and running, you can also access the spotfireconfigtool.jar fileon the Server Tools page.

2. On the local computer, unpack the .jar file by doing one of the following:

● Double-click the spotfireconfigtool.jar file.

● If your system does not recognize the file type, follow these steps:

1. On the local computer, open a command-line interface and go to the directory that containsthe spotfireconfigtool.jar file.

2. On the command line, enter the following command:java -jar spotfireconfigtool.jar

A spotfireconfigtool directory is created in the same directory as the .jar file.

48

TIBCO Spotfire® Server and Environment Installation and Administration

Page 49: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the newly-created directory, double-click uiconfig.bat (Windows) or uiconfig.sh (Linux) toopen the configuration tool.

Creating the bootstrap.xml file

The bootstrap.xml file configures the database connection.

Prerequisites

Spotfire Server is installed.

For Integrated Windows authentication (IWA) between Spotfire Server and the Spotfire database, see Setting up the Spotfire Server bootstrap file for Integrated Windows authentication.

Procedure

1. If the graphical configuration tool is not open, open it; for instructions see Opening the graphicalconfiguration tool.The configuration tool opens to the System Status page, which lists the necessary configurationsteps.

2. Click Create new bootstrap file.The Bootstrap page is displayed.

3. Enter the following information in the fields:

Path You may leave the default path as is.

Driver template Select a template that is compatible with your database server. Hostname The Spotfire database host name (the address of the computer on which the

SQL or Oracle database is installed).

Port The Spotfire database port.

Identifier (SID/database/service)

The Server ID (for Oracle) or the database name (for MS SQL) of the Spotfiredatabase that was created; spotfire_server is the default.

Username The name of the database account used by Spotfire Server to connect to theSpotfire database. In the create_databases.bat file, this is the value forADMINNAME.

Password The password of the database account. Enter correct database login details, asspecified earlier. In the create_databases.bat file, this is the value forADMINPASSWORD

URL The JDBC connection URL. This field is pre-populated from selections madebut can be edited.

Driver class This field is pre-populated from selections made, and cannot be edited. To beable to select Oracle, you must also download the JDBC driver.

For details, see Database drivers and database connection URLs

Configuration toolpassword

Enter a configuration tool password of your choice. This will be used toprotect the server configuration from unauthorized access.

The configuration tool password will be required when running theconfiguration tool.

Server alias Enter any unique name for the Spotfire Server.

49

TIBCO Spotfire® Server and Environment Installation and Administration

Page 50: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Encryptionpassword(optional)

Enter an encryption password of your own choice. This will be used forencrypting other passwords stored in the Spotfire database. The passwordsare encrypted with a static key if no encryption password is specified here.

Addresses These values should match actual hostnames, fully qualified domain names( FQDN ), and IP addresses (IPv4 or IPv6) at which the Spotfire Server can bereached by other Spotfire Servers and nodes.

If any of these values do not describe the server, or are on a network that willnot be used for back-end communication, you should remove them.

If you changed the hostname, domain, or IP address, add the new values.

Valid hostnames may only contain alphabetic characters, numericcharacters, hyphen and period.

If you want to change these addresses after setting up yourenvironment, use the set-addresses command.

4. Click Save Bootstrap.The configuration tool checks that database drivers are installed and that the database is running. Italso checks that the database accepts the given credentials. A message indicates whether thebootstrap file was successfully created. After it is created, the Configuration page of theconfiguration tool is displayed.

Setting up the Spotfire Server bootstrap file for Integrated Windows authentication

To configure Integrated Windows authentication (IWA) between Spotfire Server and the Spotfiredatabase in SQL, follow these steps.

Prerequisites

You've followed the steps in Setting up the Spotfire database (SQL Server with Integrated Windowsauthentication).

Procedure

1. Check that the sqljdbc4.jar file with Microsoft's vendor JDBC drivers is in the following SpotfireServer folder: <installation dir>\tomcat\lib.

2. Copy the sqljdbc_auth.dll file from the <installation dir>\tomcat\bin folder to the c:\windows\SysWOW64 folder.

3. Change the login for the service to use the Windows account that has login rights to the Spotfiredatabase.

4. In the bootstrap command, use the following database connection string, substituting actual valuesfor <db_server>, <port>, and <instance>:jdbc:sqlserver://<db_server>:<port>;DatabaseName=<instance>;integratedSecurity=true

50

TIBCO Spotfire® Server and Environment Installation and Administration

Page 51: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Saving basic configuration data (authentication towards Spotfire database)

The Configuration tab of the graphical configuration tool contains the name of the authentication modeand the user directory for your installation. These instructions are for using the Spotfire database toauthenticate users.

Prerequisites

A bootstrap.xml file has been successfully saved in the configuration tool (for instructions, see Creating the bootstrap.xml file).

Procedure

1. On the Configuration page of the configuration tool, verify that BASIC Database is selected forAuthentication and that Database is selected for User directory.

2. In the left panel of the page click Domain, and then verify that SPOTFIRE is selected next to

Default domain.

3. At the bottom of the page, click Save configuration.

The Save Configuration wizard is displayed. Database is pre-selected as the destination for Spotfirefiles in the system.

4. Click Next.You are prompted to enter a comment.

51

TIBCO Spotfire® Server and Environment Installation and Administration

Page 52: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

5. Enter a comment, and then click Finish.

Creating an administrator user

To continue the installation process, the administrator must create an administrator user who has accessto all the functionality in the Spotfire implementation.

Prerequisites

Basic configuration data—the authentication mode and user directory for the system—have been savedon the Configuration tab of the graphical configuration tool.

Procedure

1. On the Administration tab of the configuration tool, under Create new user, enter a user name andpassword, and click Create.The new user is displayed in the Users column.

2. Select the new user name and then click Promote to add that user to the Administrators group.

What to do next

Start Spotfire Server

Configuration using the command-line configuration toolThe command-line tool provides greater flexibility and access to options that are not available in thegraphical tool. Most administrators use the graphical tool.

The command-line configuration tool can be used in two ways: either by executing commands one-by-one in a console, or by using a script containing several commands that are executed one after the other.

Executing commands in the command-line configuration tool

To configure Spotfire Server using the command-line tool, you run config.bat on Windows, orconfig.sh on Linux, followed by a command and any required parameters.

Running the command-line configuration tool on a local computer

If it is more convenient, you can execute command-line commands on a local computer rather than onthe server computer.

Prerequisites

Follow the steps in Running the graphical configuration tool on a local computer.

Procedure

1. On the local computer, on the System Status page of the graphical configuration tool, create a newbootstrap file or use an existing bootstrap file.

2. Copy the bootstrap.xml file from the server computer to the local computer.You can now run the command-line tool on this computer.

3. Each time that you run a command on the local computer, specify the location of the bootstrap fileby using the [-b value | --bootstrap-config=value] option.

52

TIBCO Spotfire® Server and Environment Installation and Administration

Page 53: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Example

To run the command export-config on a local computer, where the bootstrap.xml file wasplaced on the desktop:config export-config -b=C:\bootstrap.xml

Viewing help on configuration commands in the command-line tool

You can view information about commands and their parameters from within the command-line tool.

Procedure

1. Open a command-line interface and go to the folder that contains the command-line configurationtool, config.bat.

The default location is c:\tibco\tss\7.6.0\tomcat\bin.

2. Type config help <command name> and press Enter.

Configuration and administration commands by function

You can run the following commands in the command-line tool to configure and manage SpotfireServer.

These frequently-used commands are grouped by functional area for easy reviewing. Command detailsare available in the Command-line reference. You can also view command details by running the helpcommand in the command-line tool (see Viewing help on configuration commands in the command-line tool). The command parameters to use depend on your system setup and environment.

Most configuration commands work towards the configuration.xml file, which can be exportedusing the export-config command, and then edited. To upload the configuration file to the Spotfiredatabase, use the import-config command and database connection information from thebootstrap.xml file, which is created by the bootstrap command.

Administration commands

To perform one of these basic administration tasks, use the related command. All administrationcommands connect directly to the Spotfire database.

Add a user or group as a member of a specified group. add-member

Create a new user account. create-user

Delete disabled users. delete-disabled-users

Delete disconnected groups. delete-disconnected-groups

Delete a user account. delete-user

Revoke full administrator privileges from a user. demote-admin

Enable or disables a user in the Spotfire database. enable-user

Export groups from the user directory. export-groups

Export content from the library. export-library-content

53

TIBCO Spotfire® Server and Environment Installation and Administration

Page 54: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Export users from the user directory. export-users

Import groups to the user directory. import-groups

Import content into the library. import-library-content

Import users to the user directory. import-users

List the server administrators. list-admins

List the deployment areas. list-deployment-areas

List all groups. list-groups

List all online servers. list-online-servers

List all users. list-users

Manage the deployment areas. manage-deployment-areas

Assign full administrator privileges to a user. promote-admin

Remove a license from a group. remove-license

Set a license and license functions for a group. set-license

Show the current deployment. show-deployment

Show permissions for a specific directory in the library. show-library-permissions

Show licenses set on the server. show-licenses

Switch the domain names for all users and groups fromone style (DNS or NetBIOS) to the other (for allconfigured domains).

switch-domain-name-style

Update the current deployment. update-deployment

Authentication commands

To perform an authentication task, use the related command.

Configure authentication mode and default domain. config-auth

Configure the authentication filter. config-auth-filter

Configure the Spotfire database authentication source foruse with the basic authentication method.

config-basic-database-auth

Configure the LDAP authentication source for use withthe basic authentication method.

config-basic-ldap-auth

54

TIBCO Spotfire® Server and Environment Installation and Administration

Page 55: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configure the Windows NT authentication source for usewith the basic authentication method.

config-basic-windows-auth

Configure the CLIENT_CERT authentication method. config-client-cert-auth

Configure the external authentication method. config-external-auth

Configure the authentication service used with theKerberos authentication method.

config-kerberos-auth

Configure the authentication service used with the NTLMauthentication method.

config-ntlm-auth

Configure the post-authentication filter. config-post-auth-filter

Configure two-factor authentication. config-two-factor-auth

Display the currently configured authentication mode. list-auth-mode

Display the current authentication configuration. list-auth-config

Display the NTLM authentication service configuration. list-ntlm-auth

Display the current post-authentication filterconfiguration.

list-post-auth-filter

Show the LDAP authentication source for use with thebasic authentication method.

show-basic-ldap-auth

Database connection commands

To perform a database connection task, use the related command.

Add a new data source template. add-ds-template

Clear the default join database configuration. clear-join-db

Configure the default join database. create-join-db

Export the definition of a data source template. export-ds-template

List the data source templates. list-ds-template

Modify a data source template. modify-ds-template

Remove a data source template. remove-ds-template

Show the configured default join database. show-join-database

JAAS commands

To perform a JAAS configuration task, use the related command.

55

TIBCO Spotfire® Server and Environment Installation and Administration

Page 56: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Import new JAAS application configurations into theserver configuration.

import-jaas-config

List the JAAS application configurations. list-jaas-config

Remove the specified JAAS application configurationsfrom the server configuration.

remove-jaas-config

Test a JAAS application configuration.

The test-jaas-config command connects tothe database in a read operation.

test-jaas-config

Client login command

To configure the login experience of end users connecting to Spotfire Server, use this command.

Configure the client login dialog behavior. config-login-dialog

Monitoring commands

To configure and administer JMX access to the monitoring component, use the related command. Allmonitoring commands connect directly to the database except for config-jmx.

Configure the user action database logger. config-action-log-database-logger

Configure the user action logger. config-action-logger

Configure the action log web service. config-action-log-web-service

Configure the JMX RMI connector. config-jmx

Create a new JMX user account. create-jmx-user

Delete a JMX user. delete-jmx-user

List all JMX users. list-jmx-users

LDAP commands

To manage LDAP configuration for both authentication and the user directory, use the relatedcommand.

Configure group synchronization for an LDAPconfiguration.

config-ldap-group-sync

Configure the LDAP user directory mode. config-ldap-userdir

Create a new LDAP configuration to be used forauthentication and/or the user directory LDAP provider.

create-ldap-config

Display LDAP configurations. list-ldap-config

56

TIBCO Spotfire® Server and Environment Installation and Administration

Page 57: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Remove LDAP configurations. remove-ldap-config

Set the authentication mode. set-auth-mode

Set the user directory mode. set-userdir-mode

Update LDAP configurations. update-ldap-config

Library commands

To configure and administer the Spotfire library, use the related command.

Check for inconsistencies between external storage andSpotfire database.

check-external-library

Configure the library import/export directory. config-import-export-directory

Configure the external library data storage. config-library-external-data-storage

Configure the file system storage of library item data. config-library-external-file-storage

Configure the Amazon S3 storage of library item data. config-library-external-s3-storage

Delete library content. delete-library-content

Download the data of library items in Amazon S3 storage. s3-download

Show the library import/export directory. show-import-export-directory

Server configuration commands

To perform basic server configuration tasks, use the related command. Server configuration commandsconnect directly to the database, except for create-default-config.

Create a new server configuration file containing the defaultconfiguration.

create-default-config

Export a server configuration from the server database to thecurrent working directory as a configuration.xml file.

export-config

Import a server configuration from a file to the serverdatabase.

import-config

List all available server configurations. list-configs

Set the current server configuration. set-config

Show the configuration history. show-config-history

57

TIBCO Spotfire® Server and Environment Installation and Administration

Page 58: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Server database commands

To manage the server database connection pool, use the related command. Server database commandsconnect directly to the database except for bootstrap, which can connect to the database to test thebootstrap configuration but does not change the database.

Create database connection information and stores it in thebootstrap.xml file. See The bootstrap.xml file.

bootstrap

Modify the common database connection configuration. modify-db-config

Set the common database connection configuration. set-db-config

User directory commands

To configure the user directory, use the related command.

Configure the LDAP user directory mode. config-ldap-userdir

Configure the user directory. config-userdir

Configure the Windows user directory mode. config-windows-userdir

List the configuration for the user directory LDAP mode. list-ldap-userdir-config

List the current user directory configuration. list-userdir-config

List the currently configured user directory mode. list-userdir-mode

List the configuration for the user directory Windows NTmode.

list-windows-userdir-config

Miscellaneous commands

Configure the Attachment Manager, which handles datatransfer to and from Spotfire Server.

config-attachment-manager

Display the help overview or a specific help topic. help

Run a configuration script. run

Display the current version of the server. version

Manually creating a simple configuration

You can configure Spotfire Server by executing a series of commands in the configuration command-line tool.

These instructions are for using the Spotfire database to authenticate users.

58

TIBCO Spotfire® Server and Environment Installation and Administration

Page 59: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Prerequisites

● The Spotfire database has been set up; see Setting up the Spotfire database (Oracle) or Setting up theSpotfire database (SQL Server).

● The Spotfire Server files have been installed; see Installation.

Procedure

1. Run the bootstrap command to create the connection configuration that Spotfire Server needs forconnecting to the database.

If you have already run the bootstrap command, there is no need to run it again unlessyou want to use different arguments.

a) In the following command block, replace the argument values with the appropriate values:> config bootstrap --driver-class="<DRIVER CLASS>" --database-url="<DATABASE URL>" --username="<DATABASE USERNAME>" --password="<DATABASE PASSWORD>" --tool-password="<CONFIG TOOL PASSWORD>"

Argument definitions

--driver-class The fully qualified class name of the JDBC driver

--database-url The JDBC connection URL

--username The name of the database account used by Spotfire Server to connectto the Spotfire database

--password The password of the database account

--tool-password Choose a command-line configuration tool password that will be usedto protect the server configuration from unauthorized access and/ormodification

Example> config bootstrap --driver-class="tibcosoftwareinc.jdbc.oracle.OracleDriver" --database-url="jdbc:tibcosoftwareinc:oracle://MyDBServer:1521;SID=XE" --username="dbuser" --password="dbpwd" --tool-password="configtoolpwd"

A bootstrap.xml file is created in the <installation directory>\tomcat\webapps\spotfire\WEB\INF folder. For more information about this file, see The bootstrap.xml file.

2. Create a default configuration by using the create-default-config command.A configuration.xml file is created.

3. Import the configuration to the database by using the import-config command.a) In the following command block, replace the argument values with the appropriate values:

> config import-config --tool-password="<CONFIG TOOL PASSWORD>" --comment="<DESCRIPTION>"

Example> config import-config --tool-password="configtoolpwd" --comment="First config"

4. Create a first user by using the create-user command. This account can be used to log in to SpotfireServer.

59

TIBCO Spotfire® Server and Environment Installation and Administration

Page 60: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

a) In the following command block, replace the argument values with the appropriate values:> config create-user --tool-password="<CONFIG TOOL PASSWORD>" --username="<SPOTFIRE ADMIN USERNAME>" --password="<SPOTFIRE ADMIN PASSWORD>"

Example> config create-user --tool-password="configtoolpwd" --username="SpotfireAdmin" --password="s3cr3t"

5. Add the first user to the Administrator group by using the promote-admin command.a) In the following command block, replace the argument values with the appropriate values:

> config promote-admin --tool-password="<CONFIG TOOL PASSWORD>" --username="<SPOTFIRE ADMIN USERNAME>"

Example> config promote-admin --tool-password="configtoolpwd" --username="SpotfireAdmin"

When Spotfire Server is running, the first administrator can create other users and add them to theAdministrator group.

What to do next

Start Spotfire Server

Deploy client packages to Spotfire Server

Scripting a configurationFor more experienced administrators, Spotfire Server includes two prepared configuration scripts thatyou can use to set up simple configurations. You can also create and run your own scripts.

● The simple-config.txt file sets up Spotfire database authentication and the user directory.

● The simple-config-ldap.txt file sets up LDAP authentication and the user directory.

These scripts are located in the <installation dir>/tomcat/bin folder.

60

TIBCO Spotfire® Server and Environment Installation and Administration

Page 61: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Example: The simple-config.txt file

The simple-config.txt file, shown below, is divided into three sections:

● The first two lines describe how the script is executed.

● The second section is a list of the variables that are used by the commands.

● The rest of the script contains the commands.

# Run this script from the command-line using the following command:# config run simple-config.txt

# Before using this script you need to set the variables below:set DB_DRIVER = "tibcosoftwareinc.jdbc.oracle.OracleDriver"set DB_URL = "jdbc:tibcosoftwareinc:oracle://<server>:<port>;SID=\ <SID>"#set DB_DRIVER = "tibcosoftwareinc.jdbc.sqlserver.SQLServerDriver"#set DB_URL = "jdbc:tibcosoftwareinc:sqlserver://<server>:<port>;DatabaseName=<database name>"set DB_USER = "<db username>"set DB_PASSWORD = "<db password>"set CONFIG_TOOL_PASSWORD = "<config tool password>"set ADMIN_USER = "<admin username>"set ADMIN_PASSWORD = "<admin password>"

echo Creating the database connection configurationbootstrap --no-prompt --driver-class="${DB_DRIVER}" --database-url=\ "${DB_URL}" \ --username="${DB_USER}" --password="${DB_PASSWORD}" --tool-password="${CONFIG_TOOL_PASSWORD}"echo

echo Creating the default configurationcreate-default-configecho

echo Importing the configurationimport-config --tool-password="${CONFIG_TOOL_PASSWORD}" --comment=\ "First config"echo

echo Creating the '${ADMIN_USER}' user to become administratorcreate-user --tool-password="${CONFIG_TOOL_PASSWORD}" --username=\ "${ADMIN_USER}" --password="${ADMIN_PASSWORD}"echo

echo Promoting the user '${ADMIN_USER}' to administratorpromote-admin --tool-password="${CONFIG_TOOL_PASSWORD}" --username=\ "${ADMIN_USER}"echo

Editing and running a basic configuration script

To use the simple-config.txt file to set up Spotfire database authentication and user directory, youmust modify the script so that it works in your environment.

Prerequisites

● The Spotfire database has been set up; for instructions, see Setting up the Spotfire database (Oracle), Setting up the Spotfire database (SQL Server), or Setting up the Spotfire database (SQL Server withIntegrated Windows authentication).

● The Spotfire Server files have been installed; see Installation.

61

TIBCO Spotfire® Server and Environment Installation and Administration

Page 62: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Open <installation dir>/tomcat/bin/simple-config.txt in a text editor and edit thevariables:

● If you use SQL Server, comment out the Oracle variables (“#”) and uncomment the SQL Servervariables (remove “#”).

● For DB_URL, provide the specific values indicated by angle brackets.

● For DB_USER and DB_PASSWORD, provide the Spotfire database user name and passwordfrom the create_databases.bat script (described in Setting up the Spotfire database (Oracle)or Setting up the Spotfire database (SQL Server)).

● For the CONFIG_TOOL_PASSWORD, choose a command-line configuration tool password thatwill be used to protect the server configuration from unauthorized access and/or modification.

● For the ADMIN_USER and ADMIN_PASSWORD, first create a user and add it to theAdministrators group (see step 4 in Manually creating a simple configuration), and then providethe user name and password in the script.

2. Save the script. If you do not want to overwrite the existing script, use another name.

3. Open a command-line interface and navigate to <installation dir>/tomcat/bin.

4. Type config run simple-config.txt and press Enter.The script executes and creates a basic configuration for Spotfire Server.

The tool is conservative and does not overwrite the bootstrap.xml orconfiguration.xml files unless the --force flag is used.

it is recommended that you manually remove the configuration.xml file when you aredone. Do not remove bootstrap.xml because it is required to start and run the server.

The simple-config.txt file contains sensitive information.

Script language

Spotfire provides a script language that you can use to create a script that runs multiple commands.

#§ If a hash is the first character on a line, the line is a comment.

Example: # This is a comment that describes the next section.§

set§ Defines a variable. The variable name and the value must be separated by anequal character (=).

Example: set PASSWORD = "abc123"§

${Variable}§ Substitutes the dollar sign and curly braces with the variable value.

If there is no matching variable, there is no substitution.Example: --tool-password="${PASSWORD}"§

\§ The logical line continues on the next line.

Example: bootstrap --no-prompt --driver-class="${DB_DRIVER}" \ --database-url="${DB_URL}" §

62

TIBCO Spotfire® Server and Environment Installation and Administration

Page 63: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

echo§ Writes to console.

Example: echo This message will be posted echo§

§ Empty rows are allowed§

Paths and comments that include spaces must be enclosed in straight quotation marks ("). Moreadvanced text editors may change straight quotation marks to smart quotation marks, resulting inerrors when the commands are run.

Configuration.xml fileSpotfire Server configurations are stored in the Spotfire database and can be exported to aconfiguration.xml file for editing or sharing.

Certain configuration properties in the Spotfire system are rarely used and cannot be set usingcommands. To use these properties you must manually edit the configuration.xml file. You may alsowant to work in the configuration file to configure features that require complex commands, such asenabling several authentication options.

The configuration settings can also be exported to file for backup purposes, or to be imported intoanother cluster to set up multiple clusters with similar settings. In addition, you can send the file tosupport for inspection.

If you export the configuration file, make changes, and then import it back into the database, it becomesthe active configuration.

Manually editing the Spotfire Server configuration file

Before editing the Spotfire Server configuration file you must export its contents to an XML file.

Procedure

1. On the computer running Spotfire Server, open a command-line interface and go to the followingdirectory: <installation dir>/tomcat/bin.

2. Export the configuration to a configuration.xml file by using the export-config command.The configuration.xml file appears in your working directory.

3. Open configuration.xml in a text editor and make your changes.

4. When you've finished, save and close the file.

5. Import the configuration file back into Spotfire Server by using the import-config command.

6. Restart Spotfire Server; for instructions, see Start or stop Spotfire Server.

Result

The imported configuration becomes the active configuration for that server or cluster.

Start or stop Spotfire ServerYou must start Spotfire Server after completing initial configuration of the server, before deployingclient packages. In addition, you must restart Spotfire Server any time that you change itsconfiguration. The restart causes the server to retrieve a fresh copy of the configuration.xml file fromthe database.

63

TIBCO Spotfire® Server and Environment Installation and Administration

Page 64: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Starting or stopping Spotfire Server (as a Windows service)After configuring Spotfire Server, you must start it.

Prerequisites

You have successfully completed the initial configuration steps so that the System Status page of theconfiguration tool shows check marks before the following steps:

● Connect to Database

● Specify Configuration

● Configure Spotfire Server Settings

● Specify Server Administrator

Procedure

1. Log on to the Spotfire Server computer as an administrator.

2. Click Start > Control Panel > Administrative Tools > Services, and then locate and select the servicecalled TIBCO Spotfire Server.

3. To the left of the services list, click Start in the phrase "Start the service".

To stop the service, click Stop to the left of the services list.

"Started" appears in the Status column.

What to do next

● Deploy the latest client package to Spotfire Server; for instructions, see Deploying client packages toSpotfire Server.

Starting or stopping Spotfire Server (Windows, no service)If you did not install a Windows service you must start Spotfire Server manually.

Prerequisites

You have successfully completed the initial configuration steps so that the System Status page of theconfiguration tool contains four green check marks.

Procedure

1. Log in to the Spotfire Server computer as an administrator.

2. Open a command prompt and go to the following folder: <installation dir>/tomcat/bin.

3. Run the startuptomcat.bat file.

Result

Spotfire Server starts.

The server will stop running if you close the command prompt or log off from the computer.

64

TIBCO Spotfire® Server and Environment Installation and Administration

Page 65: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Starting or stopping Spotfire Server (Windows, service exists, Integrated Authenticationfor SQL Server)

If your database server uses Integrated Windows Authentication (IWA) for SQL Server, your SpotfireServer must run as a Windows Domain user that has permission to use the Spotfire database.

Prerequisites

You have successfully completed the initial configuration steps so that the System Status page of theconfiguration tool contains four green check marks.

Procedure

1. Click Start > Control Panel > Administrative Tools > Services.2. Double-click the service called TIBCO Spotfire Server.

The Properties dialog opens.3. In the Properties dialog, click the Log On tab.4. Select the This account radio button and enter the user credentials of the Domain User that was set

up with the database preparation script create_databases_ia.bat.5. Click OK.6. Start or stop the service.

Starting or stopping Spotfire Server (Windows, no service, Integrated Authentication forSQL Server)

If your database server uses Integrated Windows Authentication (IWA) for SQL Server, your SpotfireServer must run as a Windows Domain user that has permission to use the Spotfire database.

Prerequisites

You have successfully completed the initial configuration steps so that the System Status page of theconfiguration tool contains four green check marks.

Procedure

1. Log in to the Spotfire Server computer as the Domain User that was set up with the databasepreparation script create_databases_ia.bat.

2. Open a command prompt and go to the following folder: <installation dir>/tomcat/bin.3. Run the startuptomcat.bat file.

Result

Spotfire Server starts.

The server will stop running if you close the command prompt or log off from the computer.

Starting or stopping Spotfire Server (Linux)On Red Hat and SUSE systems, the Spotfire Server service starts on system startup. Only a user withroot user privileges can start and stop the server.

Prerequisites

You have successfully completed the initial configuration steps so that the System Status page of theconfiguration tool contains four green check marks.

65

TIBCO Spotfire® Server and Environment Installation and Administration

Page 66: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Log in as root or run with sudo -s.

2. Enter the command /etc/init.d/tss-7.6.0 start.

To stop the server, enter the command /etc/init.d/tss-7.6.0 stop.

Clustered server deploymentsLarge companies often opt for clustered server deployments, where several Spotfire Servers share adatabase and work together to carry out the server tasks.

Clustered servers provide the following benefits:

● Failover protection if a server goes down.

● Scalability for the growing organization.

● Better performance in a system that handles a high volume of work.

Clustering is not enabled by default in Spotfire Server.

Usually a load balancer is added to the deployment to help distribute the workload, but this is notrequired. A cluster may also contain multiple Spotfire Servers that can be accessed individuallythrough their URLs, but share the same set of node managers. Companies must supply their own loadbalancer.

There are many configuration options for clustered server deployments; a typical installation features asingle load balancer between the Spotfire Servers and the users (on Spotfire Analyst or web client) tooptimize the distribution of requests from the clients to the servers.

You can implement clustering using one of the following data grid products:

● Hazelcast (the default) is easy to set up but it uses non-secure connections.

● TIBCO ActiveSpaces® requires more configuration but provides secure connections.

It is generally recommended that you have a working basic installation of a single Spotfire Serverbefore setting up the rest of the cluster; to begin installation, see Basic installation process for Spotfire.

Setting up a cluster of Spotfire ServersSome deployments that include clustered Spotfire Servers are very complex, and their installation andconfiguration are best left to a Spotfire consultant. However, if you plan to do it yourself, follow theseguidelines.

Prerequisites

● The Spotfire database has been set up on your Oracle or SQL Server database; for instructions, see Preparation.

Procedure

1. Install Spotfire Server on each computer; for instructions, see Installation.

For reasons of security and performance, do not install a Spotfire Server on the samecomputer as the database. (This is true for non-clustered systems as well.)

a) Ensure that all the clustered Spotfire Servers have the same:

● Version number

66

TIBCO Spotfire® Server and Environment Installation and Administration

Page 67: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● Configuration● Database● Encryption password. This is an optional setting on the Bootstrap page of the graphicalconfiguration tool.

If you plan to use ActiveSpaces to secure the clustered environment, you must performthe following (new) step. If ActiveSpaces is already installed on the server computers,you may want to do it now.1. Copy the file [AS_HOME]\lib\as-common.jar to the directory [TSS_HOME]\tomcat

\webapps\spotfire\WEB-INF\lib.

2. On one of the Spotfire Servers, set your clustering parameters.

These instructions are for using the graphical configuration tool. Alternatively you can usethe config-cluster command in the command-line tool. For more information, see Manually editing Spotfire Server configuration files.

The following steps modify the shared Spotfire Server configuration, so it is onlynecessary to do this once.

1. If the graphical configuration tool is not open, open it; for instructions see Opening the graphicalconfiguration tool.

2. On the Configuration page, in the left pane, click Clustering.

3. Under Configure Clustering, next to Enabled, select Yes.

4. Next to Type, select ActiveSpaces or Hazelcast. For information on using ActiveSpaces versusHazelcast in a clustered implementation, see Using Hazelcast for clustering and UsingActiveSpaces for clustering.

5. Next to Port, enter the TCP/IP port that is used for clustering. This port is the same for all serversin the cluster. (The default is 5701.)

Make sure that this port is not protected by a firewall.

6. At the bottom of the page, click Save configuration.

7. Restart the Spotfire Server service. For instructions, see Start or stop Spotfire Server.An XML snippet similar to the following is added to the cluster's shared Spotfire Serverconfiguration file:<configuration>...<clustering> <enabled>true</enabled> <type>ACTIVE_SPACES</type><tcp-ip-port>5701</tcp-ip-port><active-spaces><secure-transport>false</secure-transport></active-spaces></clustering>...</configuration>

3. After you have enabled clustering, stop all of the servers in the cluster (do not restart them); forinstructions, see Start or stop Spotfire Server.

4. Start the servers in the cluster.

Using Hazelcast for clusteringBy default, clustered implementations of Spotfire Server use the Hazelcast distributed data gridproduct to support data clustering.

Hazelcast requires practically no configuration, and in most cases is a sufficient option for clustering.

67

TIBCO Spotfire® Server and Environment Installation and Administration

Page 68: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

However, Hazelcast is an unsecure option. To enable data exchange through Hazelcast, a port (bydefault, 5701) must be open on each Spotfire Server. These ports are not protected by any TLS;Hazelcast uses plain TCP/IP connections for the data exchange between servers.

If you do implement clustering with Hazelcast, the firewalls should be configured for maximumsecurity and, ideally, the ports should be open only to other Spotfire Server instances.

If your implementation requires secure connections between the servers in a cluster, you can installTIBCO ActiveSpaces® and configure Spotfire Server to use it for secure TCP/TLS transport. For details,see Using ActiveSpaces for clustering.

Using ActiveSpaces for clusteringTo enable secure TCP/TLS transport for the exchange of data between clustered Spotfire Servers, installActiveSpaces and configure the servers to use it as the underlying data grid.

ActiveSpaces is a separate product that must be deployed and configured separately. It is available free-of-charge to purchasers of Spotfire Server.

These instructions are for the baseline scenario of securing TCP/IP transport using TLS certificates/keys,without additional encryption of transmitted data. ActiveSpaces provides various means for securingthe cluster; for information on additional options, see the ActiveSpaces documentation.

Installing ActiveSpaces

To use ActiveSpaces to secure the connections between clustered Spotfire Servers, ActiveSpaces must beinstalled and configured on each Spotfire Server in the cluster. After installation, you reconfigure theservers to use ActiveSpaces as the underlying data grid.

ActiveSpaces is a separate product that is available free-of-charge to purchasers of Spotfire Server.

Procedure

1. From the TIBCO eDelivery web site, download the ActiveSpaces zipped folder for your operatingsystem and extract the files.

The following steps pertain to a Windows installation.

2. Double-click the ActiveSpaces installer to install the product.

3. After installation, make the following changes in the ActiveSpaces environment variables:

● Define AS_HOME, as shown in the following example:

68

TIBCO Spotfire® Server and Environment Installation and Administration

Page 69: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● Add entries to the PATH for the lib folder and the bin folder, as shown in the followingexample:

4. Copy the file [AS_HOME]\lib\as-common.jar to the directory [TSS_HOME]\tomcat\webapps\spotfire\WEB-INF\lib.

5. Validate the ActiveSpaces installation by entering the connect command in the command-line tool.This creates the default cluster.

Configuring a cluster of Spotfire Servers to use ActiveSpaces

After setting up the cluster and installing ActiveSpaces, you must do additional configuration if youhave a Linux installation. Then ActiveSpaces must be validated on each server computer in the cluster.

Prerequisites

● You have set up the cluster of Spotfire Servers, and set the Type variable to ActiveSpaces; forinstructions, see Setting up a cluster of Spotfire Servers.

● You have installed ActiveSpaces on each server in the cluster; for instructions, see InstallingActiveSpaces.

69

TIBCO Spotfire® Server and Environment Installation and Administration

Page 70: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

ActiveSpaces is a separate product that is available free-of-charge to purchasers of SpotfireServer.

Procedure

1. For Linux installations only: Set the LD_LIBRARY_PATH variable to use the ActiveSpaces library. Doone of the following:

● (Recommended) To permanently set the variable for this computer, follow these steps:

1. Navigate to the etc directory.

2. Open the profile file by entering the following command: vi profile

3. Append the following lines to the end of the profile file:export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/bin/tibco/as/2.1/libexport AS_HOME=/usr/local/bin/tibco/as/2.1 export PATH=${PATH}:${AS_HOME}/bin:${AS_HOME}/lib

where .../tibco/as/2.1/lib specifies the path to ActiveSpaces.

4. Save the file and restart the session.● To set the variable for only the current session, enter the following command:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/bin/tibco/as/2.1/lib

where .../tibco/as/2.1/lib specifies the ActiveSpaces installation directory.

In this case the variable must be reset each time that someone logs in to Spotfire Serveron any computer in the cluster, including the current computer.

2. Start Spotfire Server and validate ActiveSpaces by using the ActiveSpaces administration console, asshown in the following example.

The discovery parameter should point to one of the Spotfire Servers in the cluster. Makesure that the clustering port matches the port that you defined in the clusteringconfiguration.

as-admin> connect name "spotfire" discovery "tcp://10.90.48.16:5701"[2015-07-10T15:47:15.428][11524][10356][INFO][transport] ip_address=10.98.48.27 port=50000[2015-07-10T15:47:25.455][11524][10356][INFO][spotfire.metaspace] Connected metaspace name=[spotfire], listen=[tcp://10.90.48.16:50000], discovery=[tcp://10.98.48.27:5701], member name=[a62301b-c350] version=2.1.4.011[2015-07-10T15:47:25.455][11524][8508][INFO][spotfConnected to metaspace spotfireias-admin> re.$members] member joined: member.mydomain.com (a62301b-1645-559fbd18-31d, 10.98.48.16:5701)[2015-07-10T15:47:25.455][11524][8508][INFO][spotfire.$members] member joined: a62301b-c350 (a62301b-c350-559fbed3-1ad, 10.90.48.16:50000)

The default (immutable) ActiveSpaces metaspace name is "spotfire".

The ActiveSpaces command-line interface should only be used to check that theActiveSpaces cluster is configured properly; therefore the interface should be launchedonly after all the Spotfire Servers in the cluster are initialized.

3. List all members of the cluster, as shown in the following example:as-admin> show membersShow Members for Metaspace 'spotfire' :_______________________________________________________________________________________________________________________Cluster Members:Member Name | IP:Port | Member Role | Member ID |-----------------------------------------------------------------------------------------------------------------member.mydomain.com | 10.90.48.16:5701 | manager | a62301b-1645-559fbd18-31d |

70

TIBCO Spotfire® Server and Environment Installation and Administration

Page 71: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

a62301b-c350 | 10.90.48.16:50000 | member | a62301b-c350-559fbed3-1ad |Total Cluster Members: 2

The total number of cluster members should equal the number of running Spotfire Serversplus one (the administration console also joins the cluster as a member).

4. Repeat these steps for each server in the cluster.

What to do next

After you validate the cluster in non-secure mode, enable transport security.

Enabling secure transport for ActiveSpaces

After configuring the Spotfire Servers in the cluster, you must enable ActiveSpaces to use securetransport for communication between the servers.

Prerequisites

You have configured each Spotfire Server in the cluster to use ActiveSpaces; see Configuring a cluster ofSpotfire Servers to use ActiveSpaces.

For additional information on this procedure, see the ActiveSpaces documentation.

Procedure

1. In the command-line tool, enter the following command:as-admin> create security_policy policy_name "as-policy" policy_file "as-policy.txt" encrypt false

Do not change the policy name or the policy file name because they are referenced in theSpotfire Server configuration and are immutable.

2. Edit the policy file that you created in the previous step:a) Under the "discovery" attribute of the metaspace_access policy key, list all the members of the

cluster.b) Alter the metaspace name.

The edited section of the policy file looks similar to this:metaspace_access=metaspace=spotfire;discovery=tcp://10.97.184.60:5701;10.97.184.65:5701

c) To use traditional, TLS-like transport protection, specify transport_security=integrity. Forinformation on additional options, see the ActiveSpaces documentation.

3. On each of the clustered Spotfire Servers, copy the as-policy.txt file to the folder where thekeystore file is located. Typically, the keystore file is located here: <installation dir>\nm\trust.

4. Start all of the servers.

5. To validate ActiveSpaces, execute the following commands by using the ActiveSpacesadministration console.

1. Create a security token by entering the following command:as-admin> create security_token domain_name "AS-DOMAIN" policy_file "C:/tibco/tss/7.6.0/nm/trust/as-policy.txt" token_file "C:/tibco/tss/7.6.0/nm/trust/mytoken.txt"

2. Connect to the metaspace with the security token by entering the following command, wherethe discovery parameter points to one of the Spotfire Servers in the cluster:as-admin> connect security_token "C:/tibco/tss/7.6.0/nm/trust/mytoken.txt" name "spotfire" discovery "tcp://10.97.120.65:5701"

6. To list the members of the cluster, enter the following command:as-admin> show members

71

TIBCO Spotfire® Server and Environment Installation and Administration

Page 72: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Sample as-policy.txt file

If you configure a clustered deployment of Spotfire Server and use ActiveSpaces to secure the dataexchange between servers, you create an as-policy.txt file.

This is a sample of the file:// ***************************************************************************************// ***** TIBCO ACTIVESPACES SECURITY POLICY *****// ***** *****// ***** WARNING: CONFIDENTIAL INFORMATION! *****// ***** *****// ***** TO BE ACCESSED ONLY BY TIBCO ACTIVESPACES CONTROLLER MEMBERS/PROCESSES *****// ***** AND THEIR ADMINISTRATION PERSONNEL THAT HAVE AUTHORITATIVE CONTROL OVER *****// ***** EACH SECURITY DOMAIN, INCLUDED IN THIS POLICY INSTANCE. PLEASE CONSULT *****// ***** THE USER MANUAL FOR MORE DETAILS. *****// *************************************************************************************** // policy instance [created 2015-07-10 16:21:54:420]policy as-policy { // domain instance #1domain AS-DOMAIN { // Metaspace Access List//// List each metaspace, and its discovery URL, which is to be covered by// the settings for this security domain.//// Format:// metaspace_access=metaspace=<metaspace name1>;discovery=<TCP discovery URL1>// metaspace_access=metaspace=<metaspace name2>;discovery=<TCP discovery URL2>// ...//// Note: Must specify at least one metaspace and discovery URL.//metaspace_access=metaspace=spotfire;discovery=tcp://10.97.184.60:5701;10.97.184.65:5701 // Transport Security// Specify the level of security to use when transmitting data within ActiveSpaces.//// Options:// encrypted_normal (default): use secure transport with 128 bit symmetric key encryption// encrypted_strong : use secure transport with 256 bit symmetric key encryption// integrity : use secure transport without encryption//transport_security=integrity // Restricted Transport Access//// Specify whether transport access should be restricted to only those// ActiveSpaces applications using a token file whose identity certificate// is contained in the given file. The file is a plain text file containing

72

TIBCO Spotfire® Server and Environment Installation and Administration

Page 73: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

// one or more identity certificates extracted (copied and pasted) from token// files.//// Format:// transport_access=<true|false(default)>;cert_file=<certificate file path>//transport_access=false;cert_file= // Data Encryption//// Specify whether data should be encrypted when it resides in memory and// is persisted on the local disk (shared-nothing persistence). Use the// field definitions to define encryptable fields in any space.//// Options:// false (default): do not encrypt the data// true : always encrypt the datadata_encryption=false // Authentication//// Specify the type of authentication to use for this security domain and// information for connecting to the authentication source.//// Format:// authentication=<none(default)|userpwd|x509>;[source=<system|ldap>;<source property>;...;hint=<string>//// Examples:// authentication=userpwd;source=system;service=login;hint=acme_server//// // searchUnder: <true|false (default)> search for objects under base DN, if objects may reside at different levels of the directory// // allowEmptyPassword: <true|false (default)> allow or reject empty passwords from clients// // objectClass: <* | string> define specific object class to look at during search, * denotes any object class. Only used when searchUnder is enabled.// authentication=userpwd;source=ldap;name=cn;host=ldapsvr.com;plainPort=389;baseDN=dc=users,dc=com;searchUnder=false;allowEmptyPassword=false;objectClass=*;hint=acme_dir// authentication=x509;source=ldap;name=uid;host=ldapsvr.com;securePort=636;baseDN=dc=users,dc=com;trustStore=ldap.p7b;hint=acme_dirauthentication=none // Security Domain Access Control//// Enable or disable access control for the security domain and what the// default behavior should be for users or groups for which no permissions are// either explicitly or implicitly defined.//// Format:// access_control=<true|false(default>;default=<deny|grant>//access_control=false;default=deny // Access Control Groups//// Define groups of users where each group will have a specific set of// permissions. The list of groups must be preceded by a line with 'groups'.// There can be zero or more group assignments in the list.// Single group assignment lines can be broken into two or more lines by// leaving a comma (,) at the end of the line.//// Format:// groups// <user defined name>=<user name>,<user name>,...//// Example:// group1 = user1, user2, user3// group2 = user4, group1, user5// group3 = user6, user7, My Ldap X509Cert CN, group2

73

TIBCO Spotfire® Server and Environment Installation and Administration

Page 74: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

// admins = admin1, admin2//groups // Access Control Permissions//// Assign permissions to users or groups and specify whether the permissions// should be limited to a particular metaspace or space. The list of permission// assignments must be preceded by a line with 'permissions'.// There can be zero or more permission assignment lines in the list. Permission// assignment lines can be broken into two or more lines by leaving a comma (,)// at the end of the line to be continued on the next line.//// Format:// permissions// <metaspace name>/<space name> <<user name>|<group name>>=<privilege>//// Wildcard: The asterisk (*) can be used as a wildcard for the metaspace name,// the space name or both.//// The available rights options in a privilege:// deny_all// grant_all// read// write// invoke// seeder// encrypt// admin//// Examples:// ms1/* group1=read, seeder// ms4/sp1 group2=write, encrypt// */sp2 group1=write, invoke// ms2/* admins=admin, encrypt//permissions // Domain Identity// /CN=AS-DOMAIN-EC447AE8-----BEGIN PRIVATE KEY-----MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcL/tMY6slf85O5ryrmkUjPcsaR+qhwb4ZlSoru48XqGU1LKZWwQFmK7KnH+BnttFvmhrAe9pVkR3bH0iSJkdzWXw2XaScrDfSaxfES4fygMCImsbNxnwqBO2TmYP8Nu9vybX+UCJKF1aYkjpBsHLBNIB+LWOHWk6Ym/O5nh7R43lPgy6RrO/ThyUaX4l2JjR3rF0AcAp1RZtbxHS0FhL0c+nxJqglAQpEI491EduEQXKWG5TO5QjH/k7AfKT7wTxsNVok/3dxHlTNgTtmJirQZ5Lv8sMRCPgv1J7+nrOatGQ1K9ti84i+p0slp6PSg8ODOPGQT6JvDQ4tsHlaM9L3AgMBAAECggEATnJV0NhtoFWRdjDkpSq4WR7p3noi0PCKvuiS9rPC/kXDkRdQR/ZJflIxOzOzKqBKq702rL8zgWrLPUc+/rrel+0YwPHJ9Puyg6gd9pSGYdKXRdQG4kdF816AGicGi/QyiBxQV8PLA6Se+IqYcNDhgY4n/UxEenOlLt/ZDJeWGWaNme2jpgKyj5fm1alz0TbuCAl8kocazJAvsyyLACwr9EzQrNiEO2BG707q1S9aKWYKpOOztixZeML0/J/XMkMCg+YaD6oLZ+bhkerkjJs1QibdJpHR2TaXUq/EbGhjAFIglBv83mXC4/BZq4pWd1dOuGS9lXGQn6xX52vKrh/YmQKBgQDypJ/fcyaN5nwAv2epp/++jQU+D+b/X88BtAeLpP0w9j5GuNIRDgnnV91iUJmBUK6kI49x1qImAnNbga6vvXfGzpwrhSLhoAXEIlaPkdMAUxQpIxoarR3IPwUCEkcOkPVfJFWjmj44fN0i8RZSYwPRYzoxoD176kB0rku48GyOYwKBgQDoTuhhDKC2QiQ77AI9sbkinKuyeM+uYuRFWTuIUK6u9ghpPBxmBAZcsnkiwiRwx3n7utRnt0EwtsfK5CUA8NtARsRkVwmD5CBdyV4cB7ohifdP0lFVrVF8snJGUO3Faw0E7n26J0ygHJBkRIf/otujOxfeYgpuV3wuzEQWqx5TXQKBgQCyniViZG4ZP3ZBRqWU6qsFJuKZETPHAkxswI5dahNIm7y0axGYpHD98Fx0J0kZPL+S7OqHrqymtl8dGZXyoNMvcqDcGKHY3efgvjZiccKWFpJcxg5NXOrzohCZucK9IlC+vQyd5smu45wWQMth0qnY1ebc6UzZj1PrkPMFLVd8aQKBgQC7eLJfX2lyq/3BvbwxPXNCU1zcMlKnUHcW3+QDJdlSqIoxIqloSmc39296dWIjAVeXpjYzXNfnEBo7ydFy6OyG+pUSxIqRPVBBX3fq9vFmj4hdikTI942DLB68UCMR5kojaLNdvsk/jM2ZnRSDYFIPcGjathPk6AT3XzCzenSGoQKBgDdCJhuGYUoKinSbKEYTeJy/FgWyXYCvP7Da40sf+8Fxix4DLu92cCGOHTPx5wgn/RhR9/gvOmatO0WCbOSA/3MeEDWwYfLLQbNCkIctQep0IsQIRwH25znsL2WBuGNRvXlRp+6rWshJ4m7KMZLS3POmKGniI0p4JgdoZZZt7DMD-----END PRIVATE KEY----------BEGIN CERTIFICATE-----MIIC0jCCAbqgAwIBAgIJAO1MvFcJFCiRMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV

74

TIBCO Spotfire® Server and Environment Installation and Administration

Page 75: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

BAMMEkFTLURPTUFJTi1FQzQ0N0FFODAeFw0xNTA3MTAxMjIxNTRaFw0xNjA3MDkxMzIxNTRaMB0xGzAZBgNVBAMMEkFTLURPTUFJTi1FQzQ0N0FFODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANwv+0xjqyV/zk7mvKuaRSM9yxpH6qHBvhmVKiu7jxeoZTUsplbBAWYrsqcf4Ge20W+aGsB72lWRHdsfSJImR3NZfDZdpJysN9JrF8RLh/KAwIiaxs3GfCoE7ZOZg/w272/Jtf5QIkoXVpiSOkGwcsE0gH4tY4daTpib87meHtHjeU+DLpGs79OHJRpfiXYmNHesXQBwCnVFm1vEdLQWEvRz6fEmqCUBCkQjj3UR24RBcpYblM7lCMf+TsB8pPvBPGw1WiT/d3EeVM2BO2YmKtBnku/ywxEI+C/Unv6es5q0ZDUr22LziL6nSyWno9KDw4M48ZBPom8NDi2weVoz0vcCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQDD/n/Zodb5FodJ82EodrnRMUPFL95Ilc263L55Wkt1Yj3CA9PKq32iYqDfiw4MdoTMVRb3c2hCwiURmWgTP0YqjX64kEIJ3He9q+MXkE4WCZk7Z/QrX2yEPNLT0we39jiWTV3uYoOifV0uYvLSHzyqUF/zK54QnnIBvHcE7DjF+qZrJ43rDmDTBodK4Ct6hk+3z3b6QFme2fDmtliXvEFU6CN1csZshjYPEYHfdNlwUl8UB7b8Ob42eKvhWjJAIfaaRnrufsuYLlG5lmzlCB7dYirsHa7GAj7giYxxvyOsnChmICY9MZiD0veMzenudy9jI5Xv2hGpph7JZrdJOPF0-----END CERTIFICATE----- // Domain Data Key//// Used for encrypting memory and locally persisted data//-----BEGIN DOMAIN DATA KEY-----xPk9jokB3v4f7MOBGxSNSNW3NAzyJi9jmgA1nBjS/dLzo1Q1Ip1j6QZ/utiUQ8hTt2YI8gVJiH4rLiKmbW97H/aG/FtQtjIiUwlq0NbS+o3PeD8TgD9Ha1bhAmAvcYoLTmey1TtzElfBlAI/PHF71ODU5eemCrtXUyzC5JLNAKR7eGC/1TuUYoGWerFTvaHdAEZhm968GhMwp2O/rRqVkTCd3FCK2RbfjT538i2NGXcqEZcHYIZPjN+VjRLg6hcOOCIPerfw4nwxfO4jWBZSxIixCSdNwePduCf6/QbLWYMRtQhTVB4frO4c/+25yK7lOGlW0xuOvnMgxmhuLRsiOEyTCFpwXdMe7TqjgpucwNg=-----END DOMAIN DATA KEY-----

Configure NTLM for a cluster of Spotfire ServersNTLM is set up both with commonly used settings, and for each server in the cluster.

To set up NTLM for a cluster with multiple servers, start with configuring the options common to allservers in the cluster. This is performed according to the instructions in Configuring NTLMauthentication for a single server, with the following modifications.

Specify the DNS domain name (recommended) or a domain controller (not recommended) andpossibly also an AD site name. The account name and password options must be left out at this point(will be specified later). It is also very important that the server argument is not specified at this stage.

The common NTLM configuration now needs to be completed with account information for eachSpotfire Server in the cluster.

Run the command config‐ntlm‐auth again, once for each server in the cluster. This time, enter theaccount name and password options to specify the server's own NTLM account. You must also specifythe server argument so that it reflects the server name, as defined in the server’s bootstrap.xml file.The command will update Spotfire Server configuration with the cluster server’s specific configurationoptions.

Configuring a Spotfire Server cluster with a load balancerThis procedure explains how to configure a load balancing setup using Apache JServ Protocol (AJP)and a load balancer implementation using Apache HTTP Server with the mod_jk module. TIBCOSoftware Inc. does not support the Apache HTTP Server. If you intend to use a login method thatauthenticates users with an external directory, this may affect how the load balancer should be set up.

Prerequisites

● You have followed the steps in Setting up a cluster of Spotfire Servers.

● You have obtained a load balancer that supports session affinity. (This means that after a session hasbeen established, the load balancer can continue to route all requests from a particular client to aparticular server.)

75

TIBCO Spotfire® Server and Environment Installation and Administration

Page 76: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● You have installed and enabled the Apache httpd and the mod_jk module. For details, see theApache httpd manual.

● If you are using NTLM authentication, also install and enable the mod_auth_sspi module.

Procedure

1. Edit the <installation dir>/tomcat/conf/server.xml file so that Spotfire Server cancommunicate with a load balancer:a) Uncomment the following section:

<!-- Enable this connector if you want to use a load balancer that supports the Apache JServ Protocol --> <!-- <Connector port="8009" protocol="AJP/1.3" packetSize="65536" URIEncoding="UTF-8"/>

b) Optional: To prevents clients from connecting to Spotfire Server directly, thereby forcing them touse the load balancer, you can turn off HTTP communication by commenting out the followingconnector section:<Connector port="80" maxHttpHeaderSize="16384" connectionTimeout="30000" enableLookups="false" URIEncoding="UTF-8" disableUploadTimeout="true" server="TIBCO Spotfire Server" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,application/ json,application/javascript,image/svg+xml" acceptorThreadCount="2" keepAliveTimeout="30000" maxKeepAliveRequests="-1" maxThreads="2000" />

2. Configure the load balancer to find and communicate with Spotfire Servers.a) Add the following section to the workers.properties file. You may need to create this file.

# Define worker list# (All workers with additional exposed applications must also be added here,# and don't forget to add the corresponding JkMount option in mod_jk.conf!)worker.list=jkstatus, loadbalancer# Example: the /admin application on worker1 should be exposed through the load balancer#worker.list=jkstatus, loadbalancer, [Tomcat1Name], [Tomcat2Name]

# Set statusworker.jkstatus.type=status

# Set properties for the load balancerworker.loadbalancer.type=lbworker.loadbalancer.balance_workers=[Tomcat1Name], [Tomcat2Name]worker.loadbalancer.sticky_session=trueworker.loadbalancer.method=Session

# Set properties for worker1 (ajp13)worker.[Tomcat1Name].type=ajp13worker.[Tomcat1Name].host=[Hostname/IP]worker.[Tomcat1Name].port=8009worker.[Tomcat1Name].max_packet_size=65536worker.[Tomcat1Name].lbfactor=1worker.[Tomcat1Name].route=[Tomcat1Name]

# Set properties for worker2 (ajp13)worker.[Tomcat2Name].type=ajp13worker.[Tomcat2Name].host=[Hostname/IP]

76

TIBCO Spotfire® Server and Environment Installation and Administration

Page 77: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

worker.[Tomcat2Name].port=8009worker.[Tomcat2Name].max_packet_size=65536worker.[Tomcat2Name].lbfactor=1worker.[Tomcat2Name].route=[Tomcat2Name]

b) In the workers.properties file, change [Tomcat1Name] to the value of the "jvmRoute" attributein the Engine element of the first server's server.xml file. Set [Tomcat2Name] to the value of the"jvmRoute" attribute in the Engine element of the second server's server.xml file, and so on. SetHostname/IP to the actual hostname of the computer.

The name mentioned above should be used as the worker name instead of worker1,worker2, and so on, in every section of the workers.properties and mod_jk.conffiles.

The AJP route is automatically set to [Tomcat2Name]-srv on the Spotfire Server end atinstallation.

c) Add the following section to the mod_jk.conf file. You may need to create this file.# Load the mod_jk moduleLoadModule jk_module modules/mod_jk.so

# Load the workers configurationJkWorkersFile conf/workers.properties

# The mod_jk module's log fileJkLogFile logs/mod_jk.log

# The mod_jk module's log level (trace, debug, info, warn, error)JkLogLevel info

# Let the load balancer worker handle all requests to the TSS webapplicationsJkMount /spotfire loadbalancerJkMount /spotfire/* loadbalancer

# Define Apache environment variables to be exported by mod_jk toTomcat web applicationsJkEnvVar REMOTE_USERJkEnvVar SSL_CLIENT_CERT#JkEnvVar SSL_CLIENT_CERT_CHAIN#JkEnvVar SSL_CLIENT_S_DN#JkEnvVar SSL_CLIENT_S_DN_CN

d) Verify that the Apache httpd configuration includes the mod_jk.conf file.e) Restart the Apache httpd and check for startup errors.f) Verify that it is possible to connect to each server using both HTTP on the ports that weredefined during the installation process, and AJP on port 8009.

A higher level of security can be achieved by implementing HTTPS between the loadbalancer and Spotfire Servers; for details, see Setting up HTTPS for clustered servers withload balancer.

Enabling health check URL for load balanced serversWhen using a load balancer in front of a cluster of Spotfire Servers, a health check URL can be set up toshow the status of the servers.

Procedure

1. On the computer running Spotfire Server, on the command line, go to the following directory:<installation dir>/tomcat/bin.

2. Export the configuration to a configuration.xml file by using the export-config command.The configuration.xml file appears in your working directory.

3. Open configuration.xml in a text editor.

77

TIBCO Spotfire® Server and Environment Installation and Administration

Page 78: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

4. Add the following property: <status-controller> <enabled>true</enabled> </status-controller>

5. Save and close the file.

6. Import the configuration file by using the import-config command.

7. Restart the Spotfire Servers in your cluster.

Result

You can now use the URL /spotfire/rest/status/getStatus to health check the servers in yourcluster.

● If the health check URL hasn't been enabled, the HTTP code 404 is returned.

● If the server is up and running, the HTTP code 200 is returned along with the text RUNNING.

● If the server is currently starting or stopping, the HTTP code 503 is returned along with the textSTARTING or STOPPING.

Kerberos authentication for clustered servers with load balancerIn a clustered environment where Kerberos authentication is used to authenticate users, the loadbalancer forwards all Kerberos authentication information to the Spotfire Servers. No configuration onthe load balancer is needed, but there are certain considerations to take into account when Kerberosauthentication is set up.

These are the special considerations:

● Two Service Principal Names must be created for each Spotfire Server as well as for the loadbalancer.

● One keytab file must be created. This must use the fully qualified Service Principal Name of the loadbalancer.

● This keytab file must be copied to each Spotfire Server.

● When Kerberos authentication is set up, the fully qualified Service Principal Name of the loadbalancer must be provided.

X.509 client certificates for clustered servers with load balancerWhen using X.509 client certificate authentication in a clustered environment, the clients see the loadbalancer as the server. The load balancer must therefore be provided and configured with a servercertificate and its private key.

The load balancer also needs to be provided and configured with the CA certificate that was used toissue the server certificate. See Setting up HTTPS for clustered servers with load balancers and Configuring X.509 client certificates for clustered servers.

Configuring X.509 client certificates for clustered servers with load balancer

In a load balanced environment, where X.509 client certificate authentication is to be used, the loadbalancer must be configured to forward the client certificates to the Spotfire Servers.

The following instructions assume that you are acquainted with the Apache httpd and its configurationfiles. This is an overview of how HTTPS is set up for use in load balancing a Spotfire system, not as atutorial on Apache httpd. For more information, refer to the Apache httpd manual.

78

TIBCO Spotfire® Server and Environment Installation and Administration

Page 79: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Configure the Spotfire system to use X.509 client certificate authentication; for details, see Authentication using X.509 client certificates.

2. Configure Apache httpd to communicate using the HTTPS protocol; for details, see Setting upHTTPS for clustered servers with load balancer.

3. Configure Apache httpd to require and forward X.509 client certificates by adding the followinglines to the Apache httpd configuration (for example, to the load balancer's virtual host, where theHTTPS configuration was added):# Configure client certSSLVerifyClient requireSSLVerifyDepth 1SSLUserName SSL_CLIENT_S_DN_CN# Configure mod_jk directivesJkMountCopy OnJkOptions +ForwardKeySize +ForwardSSLCertChain

4. Configure mod_jk to forward X.509 client certificates by adding the following line to the mod_jkconfiguration (typically, a file called mod_jk.conf that is included with httpd.conf or httpd-ssl.conf):JkEnvVar SSL_CLIENT_CERT

Setting up HTTPS for clustered servers with load balancerIn a clustered environment, the clients see the load balancer as the server. Therefore, in order to useHTTPS to secure the communication in the Spotfire system, the load balancer must be configured.

Procedure

1. Install Apache httpd with TLS support and the mod_ssl.so and mod_jk modules. For instructions,see the Apache manual.

If you are using an Apache installer, you may have the option of creating a self-signedserver certificate from within the installer, and have Apache automatically configured touse this server certificate. If this is the case, you can skip to step 6.

2. Obtain or create a server certificate to use with the Apache httpd. The certificate can be obtainedfrom a commercial Certificate Authority or you can create one yourself. After obtaining thecertificate, save it to file and transfer it to the load balancer.

3. If necessary, convert the certificate to a format that is readable by the load balancer. The certificatemust be in the Base 64-encoded DER format (PEM) format for Apache httpd to be able to read it. Ifthe certificate is created with Microsoft Certificate Services, it is in the PKCS #12 format. To convertit, use the openssl command on the load balancer. (If this is not installed, go to http://openssl.org oryour operating system manual for instructions on how to install it.)a) Run the following command on the load balancer: openssl pkcs12 -in server.pfx -out

server.pem

b) Extract the public key from the converted certificate by running the following command:openssl x509 -in server.pem -out server_cert.pem

c) Extract the private key from the converted certificate by running the following command:openssl rsa -in server.pem -out server_key.pem

These commands provide you with three files: server.pem, server_cert.pem, andserver_key.pem. You only need the two latter files.

79

TIBCO Spotfire® Server and Environment Installation and Administration

Page 80: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

You also need the CA certificate on the load balancer in the PEM format. If you are using aself-signed certificate, the CA certificate should be available for download from the samesource, usually under "Trusted Root Certification Authorities" or similar. If necessary,convert the CA certificate to PEM format using the convert command above. You do notneed to extract anything from it.

4. Copy all the files created in the previous step to the following directory: <apache httpd dir>/conf.

5. Configure Apache httpd to use the certificate files by adding the following lines to the Apache httpdconfiguration (for example, to the load balancer's virtual host:# Configure SSLSSLEngine OnSSLCertificateFile "conf/server_cert.pem"SSLCertificateKeyFile "conf/server_key.pem"SSLCACertificateFile "conf/cacert.pem"SSLOptions +StdEnvVars +ExportCertData

Your Apache httpd should now communicate using the HTTPS protocol.

6. If necessary, configure your clients to trust the CA certificate. If you have obtained a CA Certificatefrom a commercial CA, your clients probably already trust it. If you created it yourself, refer to yourCA software documentation on how to get clients to trust it.

Configuring shared import and export folders for clustered deploymentsFrom the Library Administration tool in Spotfire Analyst, you can import and export library content.The import and export files are stored in a folder specified in the Spotfire Server configuration. In aclustered environment, where the client could be communicating with any of the servers, steps must betaken to ensure that the import and export files are always stored in the same folder.

Procedure

● Select one of these methods:

● Using Windows shared folder technology, set the location of the import and export folder to afolder that is shared with all the Spotfire Servers in the cluster.

● To set this up using Apache httpd as a load balancer, follow these steps:

1. Add the following code to the mod_jk configuration (such as in the mod_jk.conf file):JkUnmount /spotfire/ws/LibraryImportExportService loadbalancerJkUnmount /spotfire/ws/LibraryImportExportService/* loadbalancerJkMount /spotfire/ws/LibraryImportExportService worker1JkMount /spotfire/ws/LibraryImportExportService/* worker1

where worker1 is the Spotfire Server where import and export files will be stored.

2. Add the worker1 to the list of workers in the workers.properties file:worker.list=jkstatus, loadbalancer, worker1

Result

All files that are imported to or exported from the library through the Library Administration tool arestored on the Spotfire Server worker1.

Deploying client packages to Spotfire ServerTo install and use the Spotfire Analyst client and Spotfire web client, you must first deploy thefollowing distribution file (.sdn file) to Spotfire Server: Spotfire.Dxp.sdn.

For more information about deployments, see Deployments and deployment areas.

80

TIBCO Spotfire® Server and Environment Installation and Administration

Page 81: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Prerequisites

● A Spotfire Server administrator has been created. For instructions, see Creating an administratoruser.

Procedure

1. Log in to Spotfire Server by going to http://servername:port/spotfire, where port is the server front-end port (specified in step 7 of Installing the Spotfire Server files (interactively on Windows)).

2. Click Deployments & Packages.

3. On the Deployments & Packages page, under Deployment areas, select the area you are currentlyusing.

4. In the Software packages pane, click Add packages.

5. In the Add packages dialog, click Choose File.

6. Browse to and then double-click the Spotfire.Dxp.sdn file. This file is included in the SpotfireServer software that you downloaded from the TIBCO eDelivery site.

7. In the Add Packages dialog, click Upload.A list of software packages is displayed in the Software packages pane.

8. At the top of the Software packages pane, click Validate to check the deployments, and then clickSave.

9. In the Save deployment dialog that opens, verify or edit the details and then click Save.

What to do next

Install a node manager

User authenticationSpotfire supports a variety of user authentication protocols for verifying the identities of users loggingin to the program.

To configure authentication, you select both an authentication method and a user directory.

Spotfire supports the two main types of authentication—user name and password, and single sign-on—as well as two-factor and external methods.

User name and password authentication methodsWhen users start a Spotfire Analyst client, they select which Spotfire Server to connect to. If that serveris configured for a user name and password based authentication method, the users are also promptedfor their user name and password.

The user name and password are then sent to Spotfire Server.

The login experience for the Spotfire Analyst client can be customized in several ways, includingwhether users have the option to save their login information, and whether the dialog contains an RSSfeed. For details, see Login behavior configuration .

The credentials that users enter are not encrypted when they are transferred to Spotfire Server unlessthe server uses TLS. To help counter the risks associated with unencrypted data, enable TLS whenconfiguring a user name and password authentication method.

For all the user name and password methods, an entry for each user is created in the Spotfire database.

● If you configure authentication towards an external user directory such as an LDAP directory, theuser list or group hierarchies from the external directory are automatically copied to the Spotfiredatabase.

81

TIBCO Spotfire® Server and Environment Installation and Administration

Page 82: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● If you configure authentication towards the Spotfire database, the user and group information mustbe manually entered.

Authentication towards the Spotfire database

This authentication method requires that the Spotfire user directory be configured for Spotfire database.

When the user directory is set to Database, the administrator usually enters the user names andpasswords into the Spotfire database manually. The names and passwords can also be imported from aCSV file, or be automatically created as new users log in to the server. The option to automaticallycreate users is available through the post-authentication filter.

Authentication towards the Spotfire database is the default configuration for Spotfire Server, so nospecial configuration is required. It is easy and fast to set up and it is recommended for small sites.

Authentication towards LDAP

This authentication method integrates with an existing LDAP directory and delegates the actualauthentication responsibility to its configured LDAP servers.

The result is that only users with valid accounts in the LDAP directory can log in to Spotfire Server.This setup is recommended for larger sites.

Spotfire Server supports the following LDAP servers:

● Microsoft Active Directory

● The Directory Server product family (Oracle Directory Server, Sun Java System Directory Server,Sun ONE Directory Server, iPlanet Directory Server, Netscape Directory Server)

Other types of LDAP servers may also work with Spotfire Server, but require more advancedconfiguration.

When Spotfire Server is authenticating towards a Microsoft Active Directory server, it automaticallyuses the Fast Bind Control (also known as Concurrent Bind Control) option to minimize the consumedresources on the LDAP server.

LDAP authentication can be combined with either the LDAP user directory or the Spotfire databaseuser directory:

● When the user directory is set to LDAP, Spotfire Server can automatically import the user namesfrom the LDAP directory. Passwords remain in the external directory, and Spotfire Server contactsthis directory to validate users' passwords. You can set the frequency with which Spotfire Serverchecks the LDAP directory for updates.

When the user directory mode is set to LDAP, Spotfire Server also imports the groupnames and group membership information. For information on groups, see Users &groups introduction and Group administration.

● When the user directory mode is set to Database, the administrator usually enters the valid usernames and passwords into the Spotfire database manually. The names and passwords can also beimported from a CSV file, or be automatically created as new users log in to the server. The optionto automatically create users as they log in is available through the post-authentication filter.

Configuring LDAP

When user authentication is configured towards an LDAP directory, Spotfire Server delegatesauthentication responsibility to the configured LDAP servers. Therefore only users with valid accountsin the LDAP directory can log in to Spotfire Server.For information about supported LDAP servers and what you need to know about your organization'sserver, see Authentication towards LDAP.

82

TIBCO Spotfire® Server and Environment Installation and Administration

Page 83: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

For information about other LDAP implementations, including Kerberos, NTLM, X.509 clientcertificates, and external authentication, see User authentication.

Prerequisites

● Your organization stores user information in an LDAP directory.

● A bootstrap.xml file has been successfully saved in the graphical configuration tool; forinstructions, see Creating the bootstrap.xml File.

Procedure

1. On the Configuration tab of the configuration tool, next to Authentication, select BASIC LDAP.

The User directory field switches to LDAP along with the Authentication field. This is because inmost cases it is recommended that LDAP authentication be paired with the user directory in LDAPmode.

If your LDAP directory contains a very large number of users that are not divided intoconvenient sub-units (contexts), you may want to use the Spotfire database user directoryinstead. In this configuration, only users who log in to Spotfire Server are included in theuser directory, so there are fewer users for Spotfire Server to track.

2. In the left panel of the page, click Authentication: LDAP, and then click New.

83

TIBCO Spotfire® Server and Environment Installation and Administration

Page 84: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the Create configuration dialog, enter a name for your LDAP configuration, for example "LDAP

on TIBCO123", and then click OK.The LDAP configuration page is displayed.

4. Next to Enable for, select both the Authentication and User directory check boxes. This instructs

Spotfire Server to create a user account in the Spotfire database for each user (within the configuredscope) in the LDAP directory. When someone tries to log in to the Spotfire system, Spotfire Serveraccesses their account and then validates their password through the LDAP directory.

5. Next to LDAP username and LDAP password, enter the user name and password of an LDAPservice account with read access to Active Directory.

6. Next to LDAP server URL, enter the URL in the form LDAP://server/:port, for example LDAP://computer1.TIBCO.com:389

7. Next to Context names, enter the contexts you want to synchronize.8. Next to Synchronization schedule you can change the scheduled synchronization times between

the LDAP directory and the Spotfire database. The default is to synchronize whenever SpotfireServer is restarted, in addition to daily. For additional synchronization options, click Add.

9. Click Test connection to verify your entries.10. If you set the user directory to Database in step 1 above, click Post Authentication Filter in the left

panel and then, next to Default filter mode, select Auto-create.When users log in to Spotfire Server they are added to the Spotfire user directory.

84

TIBCO Spotfire® Server and Environment Installation and Administration

Page 85: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

11. When you're finished, click Save configuration.

Configuring LDAPS

In an LDAP environment, where the Spotfire system communicates with an LDAP directory server,administrators often secure the LDAP protocol using TLS, if the LDAP directory supports this.

Prerequisites

● The LDAP directory server has been set up to communicate using TLS.

Procedure

1. If you are using a self-signed certificate, set Spotfire Server to trust this certificate:a) Export the certificate to file and copy it to Spotfire Server.b) Open a command-line interface, navigate to the <installation dir>/jdk/jre/lib/security

directory, and run the following keytool command: ../../bin/keytool -import -fileldapserver.crt -keystore cacerts -alias spotfire_ldaps. Replace ldapserver.crtwith the name of the exported certificate.

c) When prompted, enter the password to the cacerts keystore. The default password is "changeit"(without quotation marks).

d) Verify that the certificate has been successfully added by using the followingcommand: ../../bin/keytool -list -keystore cacerts -alias spotfire_ldaps.

e) When prompted, enter the password to the cacerts keystore.

2. To activate LDAPS, use the create-ldap-config or the update-ldap-config command.

SASL authentication for LDAP

Spotfire Server supports two SASL (Simple Authentication Socket Layer) mechanisms forauthentication towards LDAP: DIGEST-MD5 and GSSAPI.

These mechanisms can provide secure authentication of Spotfire Server when it is connecting to LDAPservers by preventing clear text passwords from being transmitted over the network.

GSSAPI can provide secure authentication even over un-secure networks because it uses the Kerberosprotocol for authentication.

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not supportGSSAPI for other LDAP configurations.

Configuring Spotfire Server for DIGEST-MD5 authentication of LDAP

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not supportGSSAPI for other LDAP configurations.

Procedure

● When configuring SASL authentication with DIGEST-MD5, follow these guidelines:

● The distinguished name (DN) does not work for authentication; the userPrincipalName attributemust be used instead.

● Set the authentication attribute option to userPrincipalName.

● Set the username attribute option to sAMAccountName.

● All accounts must use reversible encryption for their passwords. This is typically not the defaultsetting for Active Directory.

85

TIBCO Spotfire® Server and Environment Installation and Administration

Page 86: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuring Spotfire Server for GSSAPI authentication of LDAP

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not supportGSSAPI for other LDAP configurations.

Prerequisites

● Make sure that you have a fully working Active Directory LDAP configuration using clear-textpassword authentication (also known as simple authentication mechanism).

● Save this fully working Active Directory LDAP configuration to file.● Make a note of the LDAP configuration's ID.● Make sure that you have a fully working krb5.conf file. The content of the krb5.conf file must be the

same as when setting up Spotfire Server for Kerberos authentication. See Configuring Kerberos forJava.

Make sure to stop the entire service/Java process before installing the file. If the krb5.conffile is modified after Spotfire Server has been started, you must restart the Spotfire Serverprocess for the modifications to take effect.

Procedure

1. Stop Spotfire Server (see Start or stop Spotfire Server).

2. Copy the fully working krb5.conf file to the <install dir>/jdk/jre/lib/security directory oneach Spotfire Server in the cluster.

3. Open the graphical configuration tool and go to the LDAP Configuration panel.

4. Update the LDAP user name so that it is a proper Kerberos principal name. Usually it is sufficient toadd the name of the account's Windows domain in upper-case letters. Sometimes it is also necessaryto include the Windows domain name. Using a name based on a distinguished name (DN) orincluding a NetBIOS domain name does not work when using GSSAPI.Examples of correct names:

● ldapsvc@ RESEARCH.EXAMPLE.COM● [email protected]@ RESEARCH.EXAMPLE.COM

5. Select the specific LDAP configuration to be enabled for GSSAPI and then expand the Advancedsettings.

6. In the Advanced dialog, make the following changes:a) Set the security-authentication configuration property to GSSAPI.b) Set the authentication-attribute to sAMAccountName or userPrincipalName (whichever works

best for your configuration). The default value is empty.

If the krb5.conf file contains more than one Kerberos realm, the authentication-attribute must be set to userPrincipalName.

c) Add a custom property with the key kerberos.login.context.name and the valueSpotfireGSSAPI.

7. Click Save configuration.

8. Restart Spotfire Server.

What to do next

Procedure steps related to LDAP configurations must be performed for each LDAP catalogue that youwant to enable for GSSAPI. For multiple LDAP configurations, repeat these steps for eachconfiguration.

86

TIBCO Spotfire® Server and Environment Installation and Administration

Page 87: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Authentication towards Windows NT Domain (legacy)

With this authentication method, user authentication is delegated to Windows NT domain controllers.

Spotfire Server must be installed on a computer running Windows and there must be a workingWindows NT 4 Server domain controller or a Windows Server 2000 or later domain controller runningin mixed mode. This is a legacy solution that should only be used if LDAP cannot be used.

The Windows NT Domain authentication method can be combined with a user directory in eitherWindows NT Domain mode or in Spotfire database mode.

When combining this authentication method with a Spotfire database user directory mode, the post-authentication filter must be configured for auto-creating mode, so that the users will be automaticallyadded to the user directory. When combining it with a Windows NT Domain User Directory, thedefault blocking post-authentication filter is already correct.

Authentication towards a custom JAAS module

All the user name and password authentication methods that are supported by Spotfire Server areimplemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supportsthird-party JAAS modules.

You may therefore use a custom JAAS module, provided that it does the following:

● Validates user name and password authentication.

● Uses JAAS' NameCallback and PasswordCallback objects for collecting the user names andpasswords.

When using a custom JAAS module, you must place the jar file in the <install dir>/tomcat/webapps/spotfire/WEB-INF/lib directory on all Spotfire Servers.

For more information about JAAS, consult the JAAS Reference Guide.

Single sign-on authentication methodsSpotfire Server can be integrated with certain single sign-on systems that are used in enterpriseenvironments.

Spotfire Server can use the NTLM or Kerberos single sign-on authentication methods, where theidentity information stored within the user's current Windows session is reused to authenticate the useron the server. Thus, when using these authentication methods, users are never prompted for user nameor password when they log in to Spotfire Server. The Kerberos and NTLM authentication methods arecommonly referred to as Integrated Windows Authentication.

Spotfire Server can also authenticate users based on X.509 certificates. This requires the server to beconfigured for mutual TLS, meaning HTTPS with X.509 client certificates.

NTLM authentication

The NTLM authentication method reuses the identity information associated with the user's currentWindows session. This identity information is gathered when the user initially logs in to Windows.

When both the client computer and the server computer belong to the same Windows domain or twoseparate Windows domains with established trust between them, this can provide a single sign-onexperience.

If the client computer belongs to a separate Windows domain (without trust established to the servercomputer's domain), the current Windows session is not valid in the Windows domain of the servercomputer and the user will be prompted for user name and password. The user must then enter theuser name and password of a valid account that belongs to the Windows domain of the servercomputer.

87

TIBCO Spotfire® Server and Environment Installation and Administration

Page 88: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

It is not possible to delegate NTLM authentication; Spotfire Server can not reuse the authenticationcredentials presented by the client, for example when authenticating against an Information Servicesdata source that also uses NTLM. If you need such functionality, use Kerberos instead.

The NTLM authentication method can be combined with a user directory of either type:

● LDAP (recommended)● Spotfire database, provided that the default post-authentication filter is configured in auto-creating

mode

The following instructions assume that either combination of authentication and user directory isalready fully working.

Setting up NTLM authentication involves two steps:

Creating a computer service account in your Windows domain

Configuring NTLM authentication

Downloading third-party components (JCIFS) for NTLM authentication

If you plan to use NTLM authentication and did not download the required JCIFS components duringserver installation, you can manually download them later.

Prerequisites

You have completed a basic installation of Spotfire Server.

Procedure

1. Go to http://public.tibco.com/pub/tibco_oss/jcifs/.

2. Download and extract jcifs_1.3.17.zip to the following directory: <installation directory>\tomcat\webapps\spotfire\WEB-INF\lib.The required jcifs.jar file appears in the ...\WEB-INF\lib directory.

Creating a computer service account in your Windows domain

To set up NTLM authentication, you first create a computer service account by running a Visual Basicscript that is distributed with Spotfire Server.

Prerequisites

● The script must be run on a Windows computer, but does not have to be run on the same computerthat the server is installed on.

● You must be logged in to your Windows domain as a member of the group Account Operators orAdministrators to run the SetupWizard.vbs script.

● If Spotfire Server is installed on a Linux computer, copy the SetupWizard.vbs script to a Windowscomputer first.

Alternatively, you can create the computer account manually; see Creating a computer service accountmanually.

Procedure

1. Double-click the following file: <installation dir>/tomcat/bin/setupwizard.vbs

2. In the Domain Controller Hostname panel, enter the hostname of one of your domain controllers.Click OK.

88

TIBCO Spotfire® Server and Environment Installation and Administration

Page 89: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the Account Name panel, enter the short name of the computer account to be created. The shortname must not exceed 15 characters. Click OK.

4. In the Distinguished Name panel, enter a distinguished name for the account to be created. Wesuggest that you use a distinguished name that is based on the short name entered in the previouspanel. You should edit this to match your Windows domain, with regards to parameters such as inwhich Organizational Units (OU) the account should be placed. Click OK.

5. In the Account Password panel, enter a password for the account to be created. Click OK.A dialog opens with text indicating if the tool was successful. Click OK.

If the tool was unsuccessful, make sure that the logged in user has the requiredpermissions to create accounts in the Windows Domain, and that the Domain Controllercan be reached.

6. The file SetupWizard.txt, created by the tool in the folder where the tool is located, opens. If itdoes not, open it manually. The information in the file is required to run the NTLM authenticationconfiguration commands.

Example of a SetupWizard.txt file

# Generated by the Jespa Setup Wizard from IOPLEX Software on 2011-04-07

jespa.bindstr = dc.example.research.comjespa.dns.servers = 192.168.0.1 jespa.dns.site = Default-First-Site-Name jespa.service.acctname = [email protected] jespa.service.password = Pa33w0rd

What to do next

Configure NTLM authentication using configuration commands

Creating a computer service account manually

If you are setting up NTLM authentication and you are unable to run the SetupWizard.vbs script, oryou prefer to create the account manually, follow these steps.

Prerequisites

If Spotfire Server is installed on a Linux computer, copy the SetComputerPassword.vbs script to aWindows computer first.

Procedure

1. Create the computer account by using the Microsoft Management Console snap-in Domain Usersand Computers. Refer to Microsoft documentation for details on how to use this tool.

Make sure to create a new computer account. A user account will not work. Reusing anexisting computer account will not work.

2. To set a password for this account, open a command-line interface and run this script with theaccount name and password as arguments to the command: <installation dir>/tomcat/bin/SetComputerPassword.vbs.SetComputerPassword.vbs jespa‐[email protected] Pa33w0rd

What to do next

Configure NTLM authentication using configuration commands

89

TIBCO Spotfire® Server and Environment Installation and Administration

Page 90: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuring NTLM authentication for a single server

These instructions are for configuring NTLM authentication by using the command-line tool.

Prerequisites

You have created a computer service account; see Creating a computer service account in yourWindows domain.

Procedure

1. Configure NTLM authentication by using the following commands: config-ntlm-auth and list-ntlm-auth.This is the information you must have to run the commands:

Server (optional) The name of the server instance to which the specified configurationoptions belong. If no server name is specified, then all parameters willbe shared, applying to all servers in the cluster. It is common to useserver-specific values for the account name and password configurationoptions.

Account name(required)

Specifies the fully qualified name of the Active Directory computeraccount that is to be used by the NTLM authentication service. Thisaccount must be a proper computer account, created solely for thepurpose of running the NTLM authentication service. It can neither bean ordinary user account, nor an account of an existing computer. Notethat the local part of an Active Directory computer account namealways ends with a dollar sign, and the local part of the account name(excluding the dollar sign) must not exceed 15 characters.

Example: [email protected]

Password (required) Specifies the password for the computer account used by the NTLMauthentication service.

DNS domain name(optional)

The DNS name of the Windows domain to which the Spotfire Servercomputer belongs. The specified domain name is automatically resolvedinto a domain controller hostname. As an alternative to specifying aDNS domain name, it is also possible to specify a domain controllerhostname directly.

The DNS domain name is recommended because you thenautomatically get the benefits of fail-over and load-balancing, providedthat you have more than one domain controller. The DNS domain nameand domain controller arguments are mutually exclusive.

Example: research.example.com

Domain controller(optional)

The DNS hostname of an Active Directory domain controller. It isrecommended that the DNS domain name option be used insteadbecause that option gives the benefits of fail-over and load-balancing.The domain controller and DNS domain name arguments are mutuallyexclusive.

Example: dc01.research.example.com

90

TIBCO Spotfire® Server and Environment Installation and Administration

Page 91: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

DNS servers(optional)

A comma-separated list of IP addresses of the DNS servers associatedwith the Windows domain. When no DNS servers are specified, theserver will fall back to use the server computer's default DNS serverconfiguration.

Example: 192.168.1.1,192.168.1.2

AD site (optional) Specifies the Active Directory site where the Spotfire system is located.Specifying an Active Directory site can potentially increase performancebecause the NTLM authentication service will then only communicatewith the local Windows domain controllers.

Example: VIENNA

DNS cache TTL(optional)

Specifies how long (in milliseconds) name server lookups should becached. The default value is 5000 ms.

Connection ID headername (optional)

This parameter specifies the name of an HTTP header containingunique connection IDs in environments where the server is locatedbehind a proxy or load-balancer that does not properly provide theserver with the client's IP address. The specified HTTP header mustcontain unique connection IDs for each client connection and is thustypically based on the client's IP address together with the connection'sport number on the client side.

2. Import the configuration using the set-auth-mode command and restart the server to activate theNTLM single sign-on authentication method.

Kerberos authentication

Kerberos is a protocol that allows for secure authentication even over unsecure networks. It can bedifficult to set up, but after it is fully working you have a very secure authentication system with thebenefits of single sign-on.

It is usually a good idea to first create a working setup where the server uses username and password/LDAP authentication and a user directory in LDAP mode, and then proceed with switching fromusername and password/LDAP to Kerberos.

Setting up Kerberos authentication on Spotfire Server

If you intend to use the Kerberos authentication method on your system, the first thing you must do isto set up Spotfire Server to use Kerberos.

The following steps are required to configure Spotfire Server for the Kerberos authentication method.Steps 1-3 are performed as a Domain Administrator. Steps 4-7 are performed in Spotfire Server. See step1 for a list of the prerequisites.

Creating a Kerberos service account

Creating a Kerberos service account is the first step in configuring Spotfire Server for the Kerberosauthentication method.

Prerequisites

● Windows Domain Controllers running Windows Server 2008 or later.

● A computer with the Microsoft Active Directory Users and Computers MMC snap-in.

● A computer with the Microsoft Support Tools installed.

91

TIBCO Spotfire® Server and Environment Installation and Administration

Page 92: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● A domain administrator account or a user account which is a member of the built-in AccountOperators domain group, or any account with equivalent permissions.

● Windows Domain accounts for all Spotfire users.● A fully-working user directory, with either of the following options:

— LDAP (recommended)— Spotfire database, provided that the built-in post-authentication filter is auto-creating new

users.

Procedure

1. Log in to the computer as a domain administrator or a user who is a member of the built-in AccountOperators domain group.

2. Open the Active Directory Users and Computers MMC snap-in.

3. Create an ordinary user account with the following properties:Use the same identifier in the Full name and User logon name (pre-Windows 2000) fields and makesure to use only lower case characters and that there are no spaces in these fields.

● Use the same identifier in the Full name and User logon name (pre-Windows 2000) fields.

Use only lowercase characters and make sure that there are no spaces in these fields.

● Select the Password never expires check box.● Clear the User must change password at next logon check box.● If Kerberos unconstrained delegation is to be used for Information Services data sources, the

account option Account is trusted for delegation must also be selected.● If you want to use the crypto algorithm aes128-sha1 or aes256-sha1 the account option This

account supports Kerberos AES 128 bit encryption or This account supports Kerberos AES 256bit encryption must also be selected.

Kerberos constrained delegation can also be used for Information Services data sources,but this is set up on a service-by-service basis and is not described here.

Registering Service Principal Names

Registering Service Principal Names (SPN) is the second step in configuring Spotfire Server for theKerberos authentication method.

Procedure

1. Log in to the computer as a domain administrator or a user who is a member of the built-in AccountOperators domain group.

2. From the Microsoft Support Tools package, use the setspn.exe command-line tool to register twoSPNs for the Kerberos service account:

● Execute the following two commands, replacing the variables as indicated in the table below thecommands:> setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

> setspn -S HTTP/<hostname>[:<port>] <service account name>

If the Spotfire Server is not listening on the default HTTP port 80 or the default HTTPS port 443, youshould execute the setspn commands both with and without the port specified:> setspn -S HTTP/<fully qualified hostname>[:<port>] <service account name>

92

TIBCO Spotfire® Server and Environment Installation and Administration

Page 93: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

> setspn -S HTTP/<hostname>[:<port>] <service account name>

> setspn -S HTTP/<fully qualified hostname> <service account name>

> setspn -S HTTP/<hostname> <service account name>

Variable Description

fully qualified hostname The fully qualified DNS hostname of thecomputer hosting Spotfire Server (in lowercasecharacters).

hostname The short DNS hostname, without domainsuffix, of the computer hosting Spotfire Server(in lowercase characters).

service account name The user login name of the previously createdKerberos service account (in lowercasecharacters).

port The TCP port number on which Spotfire Serveris listening. This is not required if using thedefault HTTP port 80 or the default HTTPSport 443.

You must use the name of a DNS A record for Spotfire Server. A CNAME record will notwork.

Avoid explicitly specifying the port number if Spotfire Server is using the default HTTPport 80.

It is recommended that you not have multiple Kerberos-enabled HTTP services on onecomputer.

Registering Service Principal Names for the "spotsvc" Kerberos service account to be used by aSpotfire Server installed on the "spotfireserver.research.example.com" computer and listening onthe default HTTP port 80 or the default HTTPS port 443:> setspn -S HTTP/spotfireserver.research.example.com spotsvc

> setspn -S HTTP/spotfireserver spotsvc

This creates the following two SPNs for the "spotsvc" service account:

● HTTP/spotfireserver.research.example.com

● HTTP/spotfireserver

To list the resulting Service Principal Names for a Kerberos service account, execute the followingcommand:> setspn -L <service account name>

For example, for the "spotsvc" Kerberos service account, the previous command looks like this:> setspn -L spotsvc

93

TIBCO Spotfire® Server and Environment Installation and Administration

Page 94: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Creating a keytab file for the Kerberos service account

Creating the keytab file is the third step in configuring Spotfire Server for the Kerberos authenticationmethod.

Procedure

1. Log in to the computer as a domain administrator or a user who is a member of the built-in AccountOperators domain group.

2. Execute the following command, replacing the variables with the appropriate values:> ktpass /princ HTTP/<fully qualified hostname> [:<port>]@<realm> /ptypekrb5_nt_principal /crypto <crypto algorithm> /mapuser <service account name> /outspotfire.keytab -kvno 0 /pass <service account password>

All values are case sensitive.

Older versions of the ktpass.exe tool will fail to create the keytab file when the tool is notrun on an actual domain controller.

Variable Description

fully qualified hostname The fully qualified DNS hostname of thecomputer hosting Spotfire Server, which mustexactly match the fully qualified hostnameused when registering the SPNs (in lowercasecharacters).

port The TCP port number on which Spotfire Serveris listening (only specified if the port numberwas explicitly included in the registeredService Principal Names (SPN)). This is notrequired if using the default HTTP port 80 orthe default HTTPS port 443.

realm The name of the Kerberos realm, which is theDNS domain name written in uppercasecharacters.

crypto algorithm Can be one of aes128-sha1, aes256-sha1 orrc4-hmac-nt. Make sure that the selectedcrypto algorithm is also specified in thekrb5.conf file.

service account name The user login name of the service accountwith the registered SPNs (written in lowercasecharacters).

service account password The password for the service account.

If you change the password of the Kerberos service account, you must re-create the keytabfile.

It is not critical to use the name "spotfire.keytab" for the keytab file, but the followinginstructions assume that this name is used.

94

TIBCO Spotfire® Server and Environment Installation and Administration

Page 95: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Creating a keytab file for the "spotsvc" Kerberos service account in the "research.example.com"domain for Spotfire Server listening on the default HTTP port 80, or the default HTTPS port 443on the "spotserver.research.example.com" computer:> ktpass /princ HTTP/[email protected] /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser spotsvc /out spotfire.keytab -kvno0 /pass spotsvcpassword

Creating a keytab file for the "spotsvc" Kerberos service account in the "research.example.com"domain for Spotfire Server listening on the HTTP port 8080 on the"spotserver.research.example.com" computer:> ktpass /princ HTTP/spotfireserver.research.example.com:[email protected] /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuserspotsvc /out spotfire.keytab -kvno 0 /pass spotsvcpassword

Configuring Kerberos for Java

Configuring Kerberos for Java by editing the krb5.conf file is the fourth step in configuring SpotfireServer for the Kerberos authentication method.

Procedure

1. Open the file krb5.conf located in the directory <installation dir>/jdk/jre/lib/security(Windows) or /jdk/jre/lib/security (Unix) and edit the following values to reflect yourenvironment.

The arguments are case sensitive.

For more information, see The krb5.conf file.

● MYDOMAIN: The name of the Kerberos realm, usually the same as the name of the WindowsDomain, written in uppercase characters.

● mydomain: The name of the Windows Domain, written in lowercase characters.● mydc: The name of the domain controller, written in lowercase characters.Configuring Kerberos for Java in the "research.example.com" domain, with the two domaincontrollers "dc01.research.example.com" and "dc02.research.example.com":===============Krb5.conf===============[libdefaults]default_realm = RESEARCH.EXAMPLE.COMdefault_keytab_name = spotfire.keytabdefault_tkt_enctypes = aes128-cts rc4-hmacdefault_tgs_enctypes = aes128-cts rc4-hmac[realms]RESEARCH.EXAMPLE.COM = {kdc = dc01.research.example.comkdc = dc02.research.example.comadmin_server = dc01.research.example.comdefault_domain = research.example.com}[domain_realm].research.example.com = RESEARCH.EXAMPLE.COMresearch.example.com = RESEARCH.EXAMPLE.COM[appdefaults]autologin = trueforward = true

95

TIBCO Spotfire® Server and Environment Installation and Administration

Page 96: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

forwardable = trueencrypt = true

2. (Optional) If you want to use the crypto algorithm aes256-sha1, you must perform the followingtasks:a) Add aes256-cts as the first option in default_tkt_enctypes and default_tgs_enctypes.b) Install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files on theSpotfire Server .

It is the user's responsibility to verify that these files are allowed under localregulations.

Copying the Kerberos service account’s keytab file to Spotfire Server

Copying the keytab file to Spotfire Server is the fifth step in configuring Spotfire Server for the Kerberosauthentication method.

Procedure

1. Copy the spotfire.keytab file to the directory <installation dir>\jdk\jre\lib\security(Windows) or <installation dir>/jdk/jre/lib/security (Unix) in Spotfire Server.

Because this file contains sensitive information, it must be handled with care. The file mustnot under any circumstances be readable by unauthorized users.

To list the contents of the keytab file, use the klist command-line tool. It lists the principal name,crypto algorithm, and security credentials. The tool is included in the bundled JDK and is onlyavailable when installed on Windows:> <installation dir>\jdk\jre\bin\klist.exe -k -t -e -K <keytab file>

To test the keytab file, use the kinit command-line tool which is also included in the bundled JDKon Windows platforms:> <installation dir>\jdk\jre\bin\kinit.exe -k -t <keytab file> HTTP/<fully qualified hostname>[:<port>]@<realm>

If the keytab file is correctly set up, a ticket cache file is created in the logged-in user's homedirectory. It can typically be found in the path C:\Users\<user>\krb5cc_<user>.

2. As soon as you have verified that the ticket cache was created, you must delete the ticket cache fileto prevent future problems.

Selecting Kerberos as the Spotfire login method

Selecting Kerberos as the Spotfire login method is the sixth step in configuring Spotfire Server for theKerberos authentication method. You can use the graphical configuration tool, or use the command-lineconfiguration tool as detailed in this procedure.

Procedure

1. Execute the config-kerberos-auth command. The command takes the following two parameters:

● Keytab file: The fully qualified path to the spotfire.keytab file. If the keytab file is named"spotfire.keytab" and has been copied to the recommended directory, the default path ${java.home}/lib/security/spotfire.keytab is already correct. The shorthand ${java.home} refers to the directory <installation dir>\jdk\jre (Windows) or<installation dir>/jdk/jre (Unix).

● Service Principal Name: Specify the same Service Principal Name that was used when creatingthe keytab file. Example: HTTP/spotfireserver.research.example.com

96

TIBCO Spotfire® Server and Environment Installation and Administration

Page 97: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. Use the set-auth-mode command to activate the Kerberos SSO authentication method.

3. Import the configuration and restart the server for the changes to take effect.

Disabling the username and password fields in the Spotfire Analyst login dialog

Because the Kerberos authentication method provides single sign-on capabilities, there is no need toprompt the end user for user name and password in the Spotfire Analyst login dialog.

This step is optional.

Procedure

1. Execute the config-login-dialog command: > config config-login-dialog --allow-user-provided-credentials=false

2. Import the new configuration and restart the server.

If you are using the graphical configuration tool, select the Never display login dialogcheck box for the Login dialog option.

Kerberos authentication for clustered servers with load balancer

In a clustered environment where Kerberos authentication is used to authenticate users, the loadbalancer forwards all Kerberos authentication information to the Spotfire Servers. No configuration onthe load balancer is needed, but there are certain considerations to take into account when Kerberosauthentication is set up.

These are the special considerations:

● Two Service Principal Names must be created for each Spotfire Server as well as for the loadbalancer.

● One keytab file must be created. This must use the fully qualified Service Principal Name of the loadbalancer.

● This keytab file must be copied to each Spotfire Server.● When Kerberos authentication is set up, the fully qualified Service Principal Name of the load

balancer must be provided.

Setting up Kerberos authentication on nodes

The account used to run the node manager service must be trusted for delegation, and you may need toregister Service Principal Names (SPN) for that account. All web client users must also be given modifypermissions to the node manager services folder.

If the node manager service is run using the local machine account, you must open the Active DirectoryUsers and Computers MMC snap-in, select the machine account and select Trust this computer fordelegation to any service.

If the node manager service is run using a specified user account, you must open the Active DirectoryUsers and Computers MMC snap-in, select the user account and select Trust this user for delegation toany service.

If the node manager service is run using a specified user account, you must also register ServicePrincipal Names (SPN) for that account.> setspn -S HTTP/<fully qualified node hostname>[:<port>] <node service account name>

> setspn -S HTTP/<node hostname>[:<port>] <node service account name>

For information on how to register SPNs, see Registering Service Principal Names.

97

TIBCO Spotfire® Server and Environment Installation and Administration

Page 98: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

All web client user accounts must be given modify permission to the folder nm\services. This is toallow the delegated users to read, write and delete temp files.

If Spotfire Connectors are used for the Web Player service, all delegated web client users must also haveaccess to the applicable connector drivers.

Enable Kerberos authentication in browsers

If you use Kerberos authentication, it must be enabled in the browsers of all end-user computers.

This is applicable both for administrators, to be able to access the Spotfire Server from a browser, andfor all users of the Spotfire web client.

Enabling Kerberos for Internet Explorer

Follow these steps on every computer using Internet Explorer.

Procedure

1. Go to Tools > Internet Options > Advanced and select Enable Integrated Windows Authentication(Requires Restart).

2. The Spotfire Server you are connecting to must be located in the Intranet security zone.

If the website is located in the Internet security zone, Internet Explorer will not evenattempt Kerberos authentication. This is because in most Internet scenarios a connectionwith a domain controller can not be established. The simple rule is that any URL thatcontains periods, such as an IP address or Fully Qualified Domain Name (FQDN), is in theInternet zone. If you are connecting to an IP address or FQDN then you can use thesettings in Internet Explorer or Group Policy to add this site to the Intranet security zone.For more information on how Internet Explorer evaluates the zone of a resource, see theMicrosoft knowledge base article KB 258063.

Enabling delegated Kerberos for Google Chrome

Follow these instructions on every computer using Google Chrome.

You must create and set a registry key for Google Chrome.

1. The Spotfire Server you are connecting to must be located in the Intranet security zone.

2. In the Registry Editor, go to [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome].

3. Add the String Value AuthNegotiateDelegateWhitelist.

4. Modify AuthNegotiateDelegateWhitelist and add the URL to the Spotfire Server.

For more information, see the Chromium Projects developer page at http://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist

Enabling Kerberos for Mozilla Firefox

Follow these steps on every computer using Mozilla Firefox.

Procedure

1. In the Firefox browser address box, type about:config.

2. For the following parameters, set the values to the Spotfire Server URL for which you want toactivate Negotiate.

98

TIBCO Spotfire® Server and Environment Installation and Administration

Page 99: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● network.negotiate-auth.delegation-uris

● network.negotiate-auth.trusted-uris

Using Kerberos to log in to the Spotfire database

To increase security in your Spotfire implementation, you may want to set up Spotfire Server toauthenticate with the Spotfire database using the Kerberos protocol.

This only affects how the database connections are authenticated and is not required for SpotfireAnalyst clients or web clients to connect to Spotfire Server using the Kerberos authentication method.

Prerequisites

● Windows Domain Controllers running Windows Server 2008 or later.● A computer with the Microsoft Active Directory Users and Computers MMC snap-in.● A computer with the Microsoft Support Tools installed.● A domain administrator account or a user account which is a member of the built-in Account

Operators domain group, or any account with equivalent permissions.● The database server must already be installed and configured for both Kerberos authentication and

user name/password authentication.● Microsoft Active Directory is used as Kerberos environment.● If the database is an Oracle database, then download Oracle's latest JDBC driver (ojdbc7.jar) from

Oracle's web page.● If the database is a Microsoft SQL Server database, use the bundled Microsoft JDBC driver

(sqljdbc4.jar). Version 4.0 of the sqljdc4.jar driver introduced the newauthenticationScheme=JavaKerberos directive, which is required.

Procedure

1. Create a Windows domain account for the Spotfire database.

2. Create the Spotfire database.

● If you are using SQL Server database: Edit and run the create_databases_ia.bat script. Thiscreates a SQL Server database account and connects it to the previously created Windowsdomain account. For instructions, see Setting up the Spotfire database (SQL Server withIntegrated Windows authentication).

● If you are using Oracle database: Edit and run the create_databases.bat script. This willcreate a normal Oracle database account that authenticates with user name and password; forinstructions on creating the database account, see Setting up the Spotfire database (Oracle).

3. Oracle database only: Configure the Spotfire database account to the Windows domain account.

4. Install Spotfire Server.

5. Install a vendor database driver; see Database drivers.

6. Configure Kerberos for Java.

7. Optional: Create a keytab file for the Kerberos service account.

8. Create a JAAS application configuration for the Spotfire database connection pool.

9. Register the JAAS application configuration file with Java.

10. Connect to the Spotfire database by running the bootstrap command or by using the graphicalconfiguration tool; see Configuring the database connection for Spotfire Server using Kerberos(Oracle) or Configuring the database connection for Spotfire Server using Kerberos (SQL Server).

99

TIBCO Spotfire® Server and Environment Installation and Administration

Page 100: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Creating a Windows domain account for the Spotfire database

Creating a Windows domain account for the database is the first step in setting up Kerberosauthentication for database connections.

Prerequisites

See Using Kerberos to log in to the Spotfire database for the list of prerequisites.

Procedure

1. Log in to Windows with one of the following accounts:

● A domain administrator

● A user who is a member of the built-in Account Operators domain group

● A user with equivalent privileges

2. Launch the Active Directory Users and Computers MMC snap-in and create a normal user accountwith the following properties:

● Use the same identifier in the Full name, User logon name, and User logon name (pre-Windows 2000) fields.

Make sure to use only lowercase characters, and leave no spaces in these fields.

● Select the Password never expires check box.

● Clear the User must change password at next logon check box.

● Recommended: Select the Account is sensitive and cannot be delegated check box.

What to do next

● SQL Server database: Edit and run the create_databases_ia.bat script. This creates a SQL Serverdatabase account and connects it to the previously created Windows domain account. Forinstructions, see Setting up the Spotfire database (SQL Server with Integrated Windowsauthentication).

● If you are using Oracle database: Edit and run the create_databases.bat script. This will create anormal Oracle database account that authenticates with user name and password; for instructionson creating the database account, see Setting up the Spotfire database (Oracle).

Configuring the Spotfire database account to the Windows domain account

If you are using an Oracle database, this is the third step in setting up Kerberos to log in to the Spotfiredatabase.

Procedure

1. Log in to the Oracle database instance with SYSDBA privileges to manage accounts.Connecting to a database with connection identifier ORCL as sysdbasqlplus sys@ORCL as sysdba

2. Alter the Spotfire database account so that it is identified externally by running the followingcommand:SQL> alter user <SERVERDB_USER> identified externally as '<SERVERDB_USER>@REALM>';

100

TIBCO Spotfire® Server and Environment Installation and Administration

Page 101: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Replace <SERVERDB_USER> and <REALM> with the Spotfire database account name and theKerberos realm. Make sure to use uppercase letters when specifying the Kerberos realm.SQL> alter user spotuser identified externally as'[email protected]';

3. Test the Kerberos-enabled Spotfire database account by opening a command prompt running as thecreated Windows domain account. It should now be possible to connect to the database using thefollowing command, assuming the connection identifier is ORCL: > sqlplus /@ORCL

It is assumed that Kerberos authentication is already set up for the Oracle client.

Keytab file for the Kerberos service account

There are several methods for creating the keytab file for the Kerberos service account.

Creating a keytab file for the Kerberos service account (using the ktpass.exe command from Microsoft SupportTools)

This method of creating a keytab file uses the ktpass.exe command that is included with MicrosoftSupport Tools.

Procedure

1. On a computer with the Microsoft Support Tools installed (it is not necessary to be logged in as aprivileged user), execute the following command, replacing the <database account name>,<REALM>, <crypto algorithm> and <database account password> with the appropriate values.<crypto algorithm> can be one of , aes128-sha1, aes256-sha1 or rc4-hmac-nt. Make sure thatthe selected crypto algorithm is also specified in the krb5.conf file.

All values are case sensitive.

> ktpass /princ <database account name>@<REALM> /ptype krb5_nt_principal /crypto <crypto algorithm> /out spotfire-database.keytab -kvno 0 /pass <database account password>

It is not critical to use the name "spotfire-database.keytab" for the keytab file, but thefollowing instructions assume that this name is used.

Example of creating a keytab file for the Spotfire database account named "spotuser" in theresearch.example.com domain:> ktpass /princ [email protected] /ptype krb5_nt_principal / cryptorc4-hmac-nt /out spotfire-database.keytab -kvno 0 /pass spotuserpassword

2. Copy the spotfire-database.keytab file to the directory <installation dir>\jdk\jre\lib\security (Windows) or <installation dir>/jdk/jre/lib/security (Unix) in Spotfire Server.

Because this file contains sensitive information, it must be handled with care. The file mustnot under any circumstances be readable by unauthorized users.

If you change the password of the Kerberos service account, you must re-create the keytabfile.

Creating a keytab file for the Kerberos service account (using the ktpass.exe command from the bundled JDK)

101

TIBCO Spotfire® Server and Environment Installation and Administration

Page 102: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

This method of creating a keytab file uses the ktpass.exe command that is included with the bundledJDK.

Procedure

1. On the computer where Spotfire Server is installed, execute the following command: > ktab -kspotfire-database.keytab -a <database account name>, replacing the <database accountname> with the user login name of the Spotfire database account, written in lowercase letters.

All values are case sensitive.

It is not critical to use the name "spotfire-database.keytab" for the keytab file, but thefollowing instructions assume that this name is used.

The tool prompts you for the password of the service account.

2. Enter the password that you used when creating the Spotfire database account.

3. Verify the created keytab by running the klist and kinit utilities:> klist -k spotfire-database.keytab

> kinit -k -t spotfire-database.keytab <database account name>@<realm>

If you change the password of the Kerberos service account, you must re-create the keytabfile.

Creating and verifying a keytab file for the "serverdb_user" Spotfire database account in theresearch.example.com domain:> ktab -k spotfire-database.keytab -a serverdb_user

> klist -k spotfire-database.keytab

> kinit -k -t spotfire-database.keytab [email protected]

4. Copy the spotfire-database.keytab file to the Spotfire Server directory <installation dir>\jdk\jre\lib\security (Windows) or <installation dir>/jdk/jre/lib/security (Unix).

Because this file contains sensitive information, it must be handled with care. The file mustnot under any circumstances be readable by unauthorized users.

If you change the password of the Kerberos service account, you must re-create the keytabfile.

Creating a keytab file for the Kerberos service account (using the ktutil command on Linux)This method of creating a keytab file on Linux uses the ktutil command.

Prerequisites

● Kerberos is installed on the Linux host where Spotfire Server is installed.● The tools ktutil, klist, and kinit are available on the Linux host.

Procedure

1. Start the ktutil tool by invoking it from the command line without any arguments. Execute thecommands below, replacing <database account name> with the user login name of the Spotfiredatabase account, written in lowercase letters:> ktutil

ktutil: add_entry -password -p <database account name> -k 0 -e aes128-sha1

Password for <database account name>:

102

TIBCO Spotfire® Server and Environment Installation and Administration

Page 103: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

ktutil: write_kt spotfire-database.keytab

ktutil: quit

All values are case sensitive.

It is not critical to use the name "spotfire-database.keytab" for the keytab file, but thefollowing instructions assume that this name is used.

The tool prompts you for the password of the service account.

2. Enter the password that you used when creating the Spotfire database account.

3. Verify the created keytab by running the klist and kinit utilities:> klist -k spotfire-database.keytab

> kinit -k -t spotfire-database.keytab <database account name>@<realm>

If you change the password of the Kerberos service account, you must re-create the keytabfile.

Creating and verifying a keytab file for the "serverdb_user" Spotfire database account in theresearch.example.com domain:> ktutil

ktutil: add_entry -password -p serverdb_user -k 0 -e rc4-hmac-nt

Password for serverdb_user:

ktutil: write_kt spotfire-database.keytab

ktutil: quit

> klist -k spotfire-database.keytab

> kinit -k -t spotfire-database.keytab [email protected]

4. Copy the spotfire-database.keytab file to the following Spotfire Server directory:<installation dir>/jdk/jre/lib/security.

Because this file contains sensitive information, it must be handled with care. The file mustnot under any circumstances be readable by unauthorized users.

If you change the password of the Kerberos service account, you must re-create the keytabfile.

Creating a JAAS application configuration for the Spotfire database connection pool

Follow these instructions to create a JAAS application configuration for the Spotfire databaseconnection pool.

Procedure

1. Acquire a Kerberos ticket in one of the following ways, and name the file "spotfire-database.login":

● By using a keytab file; see Acquiring a Kerberos ticket using a keytab file.

● By using a username and password; see Acquiring a Kerberos ticket using a username andpassword.

● By using the identity of the account running the Spotfire Server process; see

2. In Spotfire Server, create the file <install directory>\jdk\jre\lib\security\spotfire-database.login (Windows) or <install directory>/jdk/jre/lib/security/spotfire-database.login (Unix) and populate it with the spotfire-database.login file.

103

TIBCO Spotfire® Server and Environment Installation and Administration

Page 104: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Acquiring a Kerberos ticket by using a keytab fileThis method of acquiring a Kerberos ticket uses a keytab file.

Procedure

● In the following code, replace <service account name> and <realm> with the name of theSpotfire database account and the Kerberos realm. Make sure to

Use lowercase letters for the account name and uppercase letters for the realm name.

DatabaseKerberos{ com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true useKeyTab=true keyTab="${java.home}/lib/security/spotfire-database.keytab" principal="<SERVERDB_USER>@<REALM>";};

Acquiring a Kerberos ticket by using a username and passwordThis method of acquiring a Kerberos ticket uses a username and password.

Procedure

● In the following code, replace <service account name> and <password> with the name and thepassword of the Spotfire database account:DatabaseKerberos{ com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true useKeyTab=false doNotPrompt=false;};

Acquiring a Kerberos ticket by using the identity of the account running the Spotfire Server processTo make it possible to log in to the Spotfire database as the user currently running the server, theconnection pool must be able to acquire the initial Ticket-Granting-Ticket (TGT) from the native TicketCache of the Spotfire Server host.

Procedure

● Modify the following registry key so that the TGT session can be exported:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]"allowtgtsessionkey"=dword:00000001

DatabaseKerberos{ com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true useTicketCache=true doNotPrompt=false;};

104

TIBCO Spotfire® Server and Environment Installation and Administration

Page 105: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Registering the JAAS application configuration file with Java

After you have created the spotfire-database.login file, it must be registered in Java.

Procedure

● Open the file <install directory>/jdk/jre/lib/security/java.security in a text editor andadd the following lines to the end of the file:# Register Java Authentication & Authorization Services (JAAS)configurationslogin.config.url.1=file:${java.home}/lib/security/spotfire-database.login

Configuring the database connection for Spotfire Server using Kerberos (Oracle)

If you use an Oracle database, follow these instructions to configure the database connection forSpotfire Server.

Procedure

● To bootstrap Spotfire Server, execute the following bootstrap command, replacing <database-url>with the JDBC connection URL.

When using a username and a password to request the Kerberos ticket, make sure to alsospecify the ‐username and ‐password arguments.

> config bootstrap --test -driver-class=oracle.jdbc.OracleDriver --database-url=<databaseurl> --kerberos-login-context=DatabaseKerberos -Coracle.net.authentication_services=(KERBEROS5)

> config bootstrap --test --driver-class=oracle.jdbc.OracleDriver --database-url=jdbc:oracle:thin:@research.example.com:1521:orcl --kerberos-login-context=DatabaseKerberos -Coracle.net.authentication_services=(KERBEROS5)

Configuring the database connection for Spotfire Server using Kerberos (SQL Server)

If you use an SQL Server database, follow these instructions to configure the database connection forSpotfire Server.

Procedure

● To bootstrap Spotfire Server, execute the following bootstrap command, replacing <databaseurl> with the JDBC connection URL. This URL mustinclude ;integratedSecurity=true;authenticationScheme=JavaKerberos options.> config bootstrap --test --driver-class=com.microsoft.sqlserver.jdbc.SQLServerDriver--database-url=<database url> --kerberos-login-context=DatabaseKerberos

> config bootstrap --test --driver-class=com.microsoft.sqlserver.jdbc.SQLServerDriver--database-url=jdbc:sqlserver://db.research.example.com:1433;DatabaseName=spotfire_server;integratedSecurity=true;authenticationScheme=JavaKerberos--kerberos-login-context=DatabaseKerberos

105

TIBCO Spotfire® Server and Environment Installation and Administration

Page 106: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Authentication using X.509 client certificates

When Spotfire Server is set up with HTTPS and is configured to require client certificates, theinformation from the certificates can also be used for login purposes.

This method authenticates users by using an X.509 client certificate from the Spotfire client to SpotfireServer.

These are the general steps to configure Spotfire to use X.509 client certificates for authentication:

1. Configure Spotfire Server for HTTPS; see Configuring HTTPS.

2. Install client certificates on each client. For details, see the documentation provided by youroperating system vendor.

3. If you have not already done so, import the Certification Authority (CA) certificate(s) to thekeystore; see Installing CA certificates.

4. Configure Spotfire Server to require client certificates for HTTPS; see Configuring Spotfire Server torequire X.509 client certificates for HTTPS.

5. Configure Spotfire Server to use X.509 client certificates to authenticate users; see ConfiguringSpotfire Server to use X.509 client certificates to authenticate users.

Installing CA certificates

To use X.509 client certificates for authentication, a keystore with CA certificate(s) must be placed in theinstallation directory.

Procedure

1. If you do not yet have a keystore, follow these steps:a) Create a keystore and import the CA certificate(s) by executing the following command:.

><installation dir>/jdk/bin/keytool -importcert -alias cacert -keystore <installation dir>/tomcat/certs/<keystore filename> -file <certificate filename>

CA certificates can be in either PEM format or DER format.Example for Windows:

> C:\tibco\tss\<version>\jdk\bin\keytool -importcert -alias cacert -keystore C:\tibco\tss\<version>\tomcat\certs\example.jks -file cacert.cer

where "example" in example.jks is the server hostname.b) Repeat the previous step for each additional CA certificate.

2. When you have a keystore containing the CA certificate(s), copy the keystore file to the<installation dir>/tomcat/certs directory.

The keystore containing the CA certificate(s) can be in either PKCS #12 or JKS format.

Configuring Spotfire Server to require X.509 client certificates for HTTPS

This procedure configures the server to require a valid user certificate for all connections. This is doneby editing the server.xml file.

Prerequisites

You have performed the first three steps in the topic Authentication using X.509 client certificates.

106

TIBCO Spotfire® Server and Environment Installation and Administration

Page 107: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Open the following configuration file in an XML editor or a text editor: <installation dir>/tomcat/conf/server.xml.

2. Locate the section containing the configuration for the HTTPS connector:<Connector port="443" maxHttpHeaderSize="16384" connectionTimeout="30000" enableLookups="false" URIEncoding="UTF-8" disableUploadTimeout="true" server="TIBCO Spotfire Server" SSLEnabled="true" scheme="https" secure="true" keystoreFile="./certs/[server hostname].jks" keystorePass="changeit" keystoreType="jks" keyAlias="[server hostname]" truststoreFile="./certs/[server hostname].jks" truststorePass="changeit" truststoreType="jks" clientAuth="false"/>

3. Update the truststoreFile parameter with the name of the keystore file containing the CAcertificate(s).

4. Set the truststorePass parameter to the password for the keystore file containing the CAcertificate(s).

5. Set the truststoreType parameter to "jks" for a Java keystore or "pkcs12" for a PKCS #12 keystore.

6. Set the clientAuth paramater to "true".

Configuring Spotfire Server to use X.509 client certificates to authenticate users

This procedure configures the server process for authenticating users with client certificates.

This configuration is done on the command line.

Prerequisites

You have performed the first four steps in the topic Authentication using X.509 client certificates.

Procedure

1. Use the command config-client-cert-auth to configure the client certificates authentication. For moreinformation, see Executing commands on the command line.

2. Use the command config-auth to apply the X.509 client certificates single sign-on authenticationmethod.

If you intend to use an LDAP user directory, an attribute in the certificate's DistinguishedName (DN) must match an LDAP account name. By default, the server will use theCommon Name (CN) attribute as account name. Use the configuration tool or the config-client-cert-auth command to configure the server to use another attribute as account name.

Examples

● Using the entire DN as account name:config config-client-cert-auth --name-attribute="DN"

This will use the entire DN as account name.

107

TIBCO Spotfire® Server and Environment Installation and Administration

Page 108: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● Using the Subject Alternative Name of type rfc822Name as account name:config config-client-cert-auth --name-attribute="subjectAltName:rfc822Name"

This will use a Subject Alternative Name as account name.

Configuring anonymous authentication

Anonymous authentication allows anyone to access public information that is available for viewing onthe Spotfire web client without prompting them for a user name or password.

Procedure

1. Export the Spotfire Server basic configuration from the Spotfire database to an XML file, and thenopen the file in a text editor; for instructions on exporting the file, see Manually editing SpotfireServer configuration files.

2. Set the "security.anonymous-auth.enabled" configuration property to "true".

3. Save and close the file.

4. Import the file back into Spotfire Server; for instructions, see Manually editing Spotfire Serverconfiguration files.

5. Enable the guest account by using the enable-user command in the following form: configenable-user --username=ANONYMOUS\guest

Two-factor authenticationSpotfire Server supports one form of two-factor authentication. It is possible to combine the chosenprimary authentication method with X.509 client certificates.

Typically, the primary authentication method in the two-factor authentication is Basic, but it is alsopossible to use the other authentication methods.

When two-factor authentication is enabled, the server requires the name of the authenticated user tomatch the user name in the provided X.509 certificate. For instructions, see Configuring two-factorauthentication.

Configuring two-factor authentication

You can configure authentication through X.509 client certificates in addition to your primaryauthentication method.

Procedure

1. Configure the server to use the chosen primary authentication method.

2. In the graphical configuration tool, on the Configuration tab, in the Configuration Start panel,select Enable two-factor authentication.A second Authentication panel is added.

3. In the second Authentication panel, configure the server to use client certificates.

108

TIBCO Spotfire® Server and Environment Installation and Administration

Page 109: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuring two-factor authentication using the command-line tool

You can set up two-factor authentication by using the command-line tool or the graphical configurationtool.

Procedure

1. Use the command-line tool to set up the primary authentication method and the client certificates.

2. In the command line, run this command: config-two-factor-auth --enabled=true

External authenticationSpotfire clients may access Spotfire Server through an external authentication mechanism, usually aproxy or a load balancer.

When using an external authentication mechanism, Spotfire Server gets the external user name from anHTTP header or a cookie. Getting the external user name from an HTTP header or a cookie couldpotentially be a security risk and it is strongly recommended that you restrict the permissions to usethis feature. It is also recommended to use the external authentication method only when using a loadbalancer or proxy.

When configuring external authentication, you can add several constraints:

● You can configure Spotfire Server to allow external authentication only when using a secure (TLS)connection.

● You can specify allowed hostnames and/or IP addresses of the client computers that are permitted tolog in using external authentication. You can list allowed IP addresses and/or write regularexpressions; if you specify both, Spotfire Server first checks in the list and then the regularexpression.

In some cases, the proxy or load balancer has already forced the client to authenticate itself. Someproxies and load balancers are capable of forwarding the name of the authenticated user to SpotfireServer. By enabling external authentication on Spotfire Server, the server can extract the identity of theclient so that the client does not have to authenticate twice. Any proxy or load balancer that canpropagate the user name so that it is available in the HTTP request to the server as a request attribute, iscompatible

Typical scenarios are:

● When both the Spotfire Server cluster and its load balancer are configured for NTLM authentication.

● When the load balancer is configured for X.509 client certificate authentication and propagates theuser names extracted from the certificates.

External authentication may be used as a supplementary authentication method that can be usedtogether with the main authentication method, but it can also be used as the main and onlyauthentication method.

● If external authentication is to be used as the only authentication method, this must be specified inthe Authentication panel.

● If clients are to always go through a load balancer to reach Spotfire Server, configure external as themain authentication method. In this case it is not possible to access a Spotfire Server directly.

● Even if a load balancer is used in front of a set of Spotfire Servers, accessing the server directly maybe desired. If this is the case, configure another authentication mechanism (any mechanism isallowed) as the main authentication method, and configure external as a supplementaryauthentication method.

109

TIBCO Spotfire® Server and Environment Installation and Administration

Page 110: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Configuring external authentication

You can configure external authentication by using the graphical configuration tool or the command-line configuration tool.

Procedure

● Use the graphical configuration tool or the config-external-auth command to set up and enable theexternal authentication method.

In Spotfire Server 6.0, the config-delegate-auth command was replaced by the config-external-auth command. Old scripts using config-delegate-auth will still work.

Use the following information to set options:

Enable External Authentication (required) Specifies whether the external authenticationmethod should be enabled.

Source Attribute: Enter the name of the HTTP requestattribute that contains the name of theauthenticated user.

Header: Enter the name of the HTTP requestheader that contains the name of theauthenticated user

Cookie: Enter the name of the HTTP requestcookie that contains the name of theauthenticated user.

Authentication Filter: Retrieves the user namefrom the getUserPrincipal() method ofjavax.servlet.http.HttpServletRequest.

Require TLS Select yes for external authentication to beavailable for TLS connections only.

Allowed host (hostname or IP address) A list of hostnames and/or IP addresses of theclient computers that are allowed to performexternal authentication. If no allowed hosts arespecified, all client computers are permitted toperform external authentication.

Allowed IP:s (regular expression) Add a regular expression that matches the IPaddresses of remote hosts that are permitted toperform external authentication. The regularexpression shall be written in the syntaxsupported by java.util.regex.Pattern.

110

TIBCO Spotfire® Server and Environment Installation and Administration

Page 111: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Name filter expression (optional) A regular expression that can be used to filterthe user name that is extracted from thespecified request attribute. The value of theregular expression's first capturing group willbe used as the new user name.

One use of this feature is to removethe domain names in cases whereSpotfire Server is configured tocollapse the domains into one singledomain within the server.

For example, if the attribute contains"domainname\username", you can use theregular expression ".*\\(.*)" to remove"domainname\".

Lower case conversion (optional) Specifies whether to convert the propagateduser name to lowercase. The default is not toconvert to lowercase.

External directories and domainsYou can configure Spotfire Server to integrate with external directories such as LDAP directories orWindows domains.

Spotfire Server keeps track of which domain every user belongs to. Users who are created by anadministrator directly within Spotfire Server belong to the SPOTFIRE domain. When the user directoryis configured for Database, this is the domain being used.

External users keep their domain name from the external directory, and the domain name appears aspart of their user name throughout the Spotfire interface.

The supported external directories can have domain names in two forms:

● DNS domain names, for example "research.example.com". A complete user name looks like this:[email protected].

● NetBIOS domain names, for example "RESEARCH". A complete user name looks like this:RESEARCH\someone.

When configuring Spotfire Server, the desired domain name style must be set before the server isstarted for the first time. The domain name style to use is dependent on the combination ofauthentication method and user directory of your Spotfire implementation.

Be careful when selecting a domain name style for your system; it will affect what information SpotfireServer stores within the Spotfire database. The domain name style can be changed using the switch-domain-name-style command if the user directory is in LDAP mode and is synchronizing with anActive Directory Server. For other user directory modes, there are no tools to alter that information ifthe domain name style later needs to be changed.

Below is a matrix showing which domain name style to use for different combinations of authenticationmethod and user directory. Combinations that are not supported are marked " — ".

Spotfire Server will warn and even refuse to start if you try to set up an authentication method and auser directory with incompatible domain name styles. If you for some reason need to go ahead with anofficially incompatible configuration, you will need to set the allow incompatible domain name stylesconfiguration property to make the server start at all. One way to handle this could be a custom post-authentication filter that creates a bridge between the two originally incompatible domain name styles.(The allow incompatible domain name styles option can be set using the config-userdir command. Forinformation about custom post-authentication filters, see Post-authentication filter.)

111

TIBCO Spotfire® Server and Environment Installation and Administration

Page 112: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Collapse Domains Configuration Property Enabled

User directory type

Authenticationmethod Database LPAD/AD LDAP/other Windows NT

Basic database NetBIOS(DNS) — — —

Basic/LDAP/AD NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS) —

Basic/LDAP/other

NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS) —

Basic/WindowsNT

— — — NetBIOS(DNS)

NTLM NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS) —

Kerberos NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS) —

X.509 ClientCerts.

NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS) —

— Unsupported combination of authentication method and user directory.

Collapse Domains Configuration Property Not Enabled

User directory type

Authenticationmethod Database LPAD/AD LDAP/other Windows NT

Basic database NetBIOS, DNS — — —

Basic/LDAP/AD NetBIOS, DNS NetBIOS, DNS # —

Basic/LDAP/other

NetBIOS, DNS # DNS —

Basic/WindowsNT

— — — NetBIOS, DNS

NTLM NetBIOS, DNS NetBIOS, DNS # —

Kerberos NetBIOS, DNS NetBIOS, DNS DNS —

X.509 ClientCerts.

NetBIOS, DNS NetBIOS, DNS DNS —

NetBIOS is the recommended domain name style, but DNS will also work.

— Unsupported combination of authentication method and user directory.

112

TIBCO Spotfire® Server and Environment Installation and Administration

Page 113: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

# For this combination of authentication method and user directory, enable the collapse domainsoption.

A consequence of the new domain tracking is that users may have to provide the domain names as partof their user names when logging in to Spotfire Server. For the Basic/LDAP and Basic/Windows NTauthentication methods, the setting of the wildcard domain configuration property decides how theserver maps a user to a domain during authentication. When the wildcard domain configurationproperty is enabled (this is the default), Spotfire Server checks whether the user name contains adomain name, and if it does, that domain name is used. If not, the server attempts to authenticate theuser with the provided user name and password in every domain it knows about, until the combinationof domain name, user name, and password results in a successful authentication, or until there are nomore domain names to try. If the wildcard domain configuration property is turned off, the domainname must be specified by the user unless it belongs to the configured default domain. This can beconfigured in the graphical configuration tool.

If the wildcard domain configuration property is enabled and two identically named users in differentdomains have the same password, there is a risk that the wrong account will be selected when one ofthese users logs in. Thus, if security has a higher priority than user convenience, make sure to turn offthe wildcard domain configuration property. There is also the risk that multiple authentication attemptswill lock out the "correct" user.

Spotfire Server provides a configuration property that reverts to the behavior from previous releases.The configuration property is called collapse-domains and enabling this means that the externaldomain of a user is essentially ignored, and that different users with the same user name, but indifferent domains, will share an account on Spotfire Server. When the collapse domains configurationproperty is enabled, all external users and groups will be associated with the SPOTFIRE domain,regardless of which domain they belong to in the external directory.

If you want to keep running Spotfire Server without ever caring about domain names, enable both thecollapse-domains and wildcard-domain configuration properties. Doing so will ensure that all usersbelong to the internal SPOTFIRE domain, and no users will have to enter a domain name when loggingin. (The collapse-domains configuration property can be set in the graphical configuration tool or byusing the config-userdir command).

All users will belong to one domain when the collapse-domains configuration property is enabled. Ifthere are multiple users with the same account name in different external domains, they will noweffectively share the same account within Spotfire Server. If security has a higher priority than userconvenience, make sure not to enable the collapse domain configuration property.

It is not recommended to change the collapse-domains configuration property after once havingsynchronized Spotfire Server with an external directory. This creates double accounts with differentdomain names for every synchronized user and group in the user directory. The new accounts do notinherit the permissions of the old accounts.

LDAP synchronizationsYou can schedule when Spotfire Server synchronizes its user directory with LDAP directories. Bothusers and groups are synchronized in the background, and user and group look-ups query the Spotfiredatabase rather than the LDAP directory.

There are two algorithms that can be used when configuring the recurrence of synchronization tasks:one is based on cron schedules and the other on sleep time between synchronizations.

Sleep time is only used when no cron schedule exists for the LDAP configuration. The sleeping periodis configurable and by default it is set to 60 minutes.

New configurations have two default cron schedules: "restart" and "daily". "Restart" runssynchronization at each restart of Spotfire Server; "daily" runs synchronization once a day (at midnightserver time). Upgraded configurations may not have these default cron schedules.

Each LDAP configuration has its own schedules. It is possible to use cron schedules for one LDAPconfiguration and sleep time for another.

113

TIBCO Spotfire® Server and Environment Installation and Administration

Page 114: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

User synchronization

By default, the user directory only synchronizes users (not groups) from the LDAP directories.

After an LDAP user has been synchronized and imported to the user directory, the user accountbecomes a permanent part of the user directory. If the LDAP user is later removed from the LDAPdirectory, the corresponding user account in the user directory is disabled. Disabled accounts remainvisible in the Spotfire system but the user cannot log in.

To prevent user accounts from being disabled by failed synchronization attempts, for example causedby network errors, the safe-synchronization option can be enabled. When this option is enabled, nouser accounts are disabled solely because they could not be found during synchronization. By default,this option is not enabled because of the potential security issues.

It is usually not possible to log in as a removed LDAP user anyway because the LDAP directory blocksthe authentication attempt if it is also responsible for authenticating users.

User accounts may also be explicitly disabled in the LDAP directories. In this case the user accounts aredisabled in the user directory, regardless of the safe synchronization setting.

Group synchronization

Group synchronization mirrors in the user directory the group hierarchies that are in the LDAPdirectory.

When you set the group-sync-enabled option (in the config-ldap-group-sync), the user directorysynchronizes groups from the LDAP directory. Synchronizing groups relieves the administrator of theresponsibility of managing group memberships. Assigning licenses and privileges to Spotfire groups isstill accomplished in the Administrator Manager in Spotfire Analyst.

Synchronized LDAP groups cannot be manually modified in the user directory. Synchronized groupscan be placed into manually created groups in the user directory, and thereby be granted permissions.If an LDAP group has been synchronized and it is removed from the list of groups to synchronize, itkeeps the members from the last synchronization, but becomes an ordinary group that can be modifiedin Spotfire.

The user directory does not support cyclic group memberships, where the ancestor of a group is also adescendant of the same group. If the user directory detects a group membership cycle, it will be brokenup arbitrarily.

When configuring the groups to be synchronized, specify either the group account names or thedistinguished names. The account names and the distinguished names may contain an asterisk (*) as awildcard character. This wildcard behaves just like the asterisk wildcard in standard LDAP searchfilters.

It is also possible to specify the distinguished name of an LDAP container containing one or moregroups. All those groups will then be synchronized. It is possible to mix all variants.

If the Group synchronization enabled configuration property is set and no groups or group contextnames are configured, the user directory synchronizes all groups that it can find in the configuredcontext names.

The synchronized groups can also be used to filter the set of users that are synchronized with the userdirectory. By enabling the filter-users-by-groups option, only users that are members of at leastone of the synchronized groups are synchronized with the user directory.

114

TIBCO Spotfire® Server and Environment Installation and Administration

Page 115: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Group-based and role-based synchronization

For Active Directory servers, Spotfire Server can synchronize groups. For the Directory Server productfamily, Spotfire Server can synchronize either groups or roles.

Here are examples of the default behavior of group-based and role-based group synchronization. Theexamples are based on the following figure:

Group-based synchronization:

● If you only specify the group "Europe" to be synchronized in your LDAP configuration, the userdirectory synchronizes according to the figure below. The groups England and London will not bevisible because they are automatically replaced with their members:

● If you specify the groups "Europe" and "England" to be synchronized in your LDAP configuration,the user directory will synchronize according to the figure below. The group London will not bevisible, but will automatically be replaced with its members:

● If you specify the groups "Europe", "England", and "London" explicitly to be synchronized in yourLDAP configuration, the user directory will synchronize according to the figure below:

115

TIBCO Spotfire® Server and Environment Installation and Administration

Page 116: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Role-based synchronization:

● If you only specify the role "Europe" to be synchronized in your LDAP configuration, the userdirectory will synchronize according to the figure below. The roles England and London will not bevisible, but will automatically be replaced with their members:

● If you specify the roles "Europe" and "England" to be synchronized in your LDAP configuration, theuser directory will synchronize according to the figure below. The role London will not be visible.Due to the nature of roles in the Directory Server product family, every role will automaticallyinclude all direct members as well as all members of sub roles:

● If you specify the roles "Europe", "England" and "London" explicitly to be synchronized in yourLDAP configuration, the user directory synchronizes according to the figure below. Due to thenature of roles in the Directory Server product family, every role automatically includes all directmembers as well as all members of sub-roles:

116

TIBCO Spotfire® Server and Environment Installation and Administration

Page 117: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

There are two algorithms to choose from when configuring group synchronization: the memberOf andthe member algorithms.

● The memberOf algorithm relies on a calculated attribute in the LDAP directory and may induce moreload on the LDAP servers. Not all LDAP directories support the memberOf algorithm.

● The member algorithm performs significantly more LDAP queries, but with much smaller result setsthan the memberOf algorithm. See the recommendations below for group synchronization ondifferent LDAP servers.

Recommendations

For Microsoft Active Directory server:

● Configure group-based synchronization with the memberOf algorithm.

For Sun Java System Directory Server (version 6 and later), do one of the following:

● Configure group-based synchronization with the memberOf algorithm.

● Configure role-based synchronization with the memberOf algorithm.

For Sun ONE Directory Server (version 5 and earlier), do one of the following:

● Configure role-based synchronization with the memberOf algorithm.

● Configure group-based synchronization with the member algorithm.

The following combinations do not work on Sun ONE Directory Servers:● Configuring group-based synchronization with the memberOf algorithm.

● Configuring role-based synchronization with the member algorithm.

LDAP authentication and user directory settingsThe following information is required to set up LDAP authentication and user directory mode,including LDAP group synchronization. Contact the LDAP directory administrator if you do not havethe required information.

The following table provides an overview of LDAP settings and their applicability. Detaileddescriptions of the settings are provided below the table.

● A: Applicable to LDAP as authentication mechanism

● UD: Applicable to LDAP User Directory mode

● GS: Applicable to LDAP User Directory mode with group synchronization

● M: Mandatory

117

TIBCO Spotfire® Server and Environment Installation and Administration

Page 118: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● **: Required by configurations with LDAP server type Custom. These options have template valuesfor the non-predefined LDAP server types. The template values can be overridden when necessary.

A Authentication Attribute

Specifies the name of the LDAP attribute containing a user identity that can be used forauthenticating with the LDAP server.

A UD

M LDAP Server Type

Specifies the type of LDAP server: ActiveDirectory, SunOne, SunJavaSystem, or Custom.

A UD

M LDAP Server URLs

A white-space separated list of LDAP server URLs.

A UD

M Context Names

A list of distinguished names (DNs) of the containers holding the user accounts to bevisible within Spotfire Server.

A UD

Username

The name of the LDAP service account to be used when searching for users and groupsin the LDAP directory.

A UD

Password

The password for the LDAP service account.

A UD

Security Authentication

Specifies the security level to use when binding to the LDAP server. The default value issimple.

A UD

**

User Search Filter

Specifies an LDAP search expression filter to be used when searching for users.

A UD

Referral Mode

Specifies how LDAP referrals should be handled.

A UD

**

Username Attribute

Specifies the name of the LDAP attribute containing the user account names.

A UD

Custom LDAP Properties

Multiple key-value pairs specifying additional JNDI environment properties to be usedwhen connecting to the LDAP server.

UD

Request Control

Specifies the type of LDAP controls to be used when executing search queries to theLDAP server: Probe, PagedResultsControl, VirtualListViewControl or none.

118

TIBCO Spotfire® Server and Environment Installation and Administration

Page 119: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

UD

Page Size

Specifies the page size to be used with the paged results control or the virtual list viewcontrol when performing search queries to the LDAP server. The page size valuedefaults to 1000 for both the paged results control and the virtual list view control.

UD

Import Limit

Specifies a threshold that limits the number of users that can be imported from an LDAPserver to Spotfire Server in one query.

UD

Synchronization Schedules

Specifies a list of schedules for when the synchronization task should be performed.

GS

Group Synchronization Enabled

Specifies whether or not group synchronization should be enabled for this LDAPconfiguration.

GS

Group Names

Specifies a list of distinguished names (DNs) of either individual groups to besynchronized or a context name where all groups are to be synchronized. If the groupsynchronization enabled option is set and the list of group names is empty, then allgroups that can be found in the LDAP directory will be synchronized.

GS

**

Group Search Filter

Specifies an LDAP search expression filter to be used when searching for groups.

GS

**

Group Name Attribute

Specifies the name of the LDAP attribute containing the group account names

GS

**

Supports memberOf

Specifies whether or not the LDAP servers support a memberOf-like attribute on theuser accounts that contain the names of the groups or roles that the users are membersof. In general, this is true for all Microsoft Active Directory servers and all types of Sundirectory servers.

GS

**

Member Attribute

For all LDAP servers with support for a memberOf-like attribute, this option specifiesthe name of the LDAP attribute on the user account that contains the names of thegroups or roles that the user is a member of.

GS

**

Ignore Member Groups

Specifies whether or not the group synchronization mechanism should recursivelytraverse the synchronized groups' non-synchronized subgroups and include theirmembers in the search result.

Authentication Attribute

Specifies the name of the LDAP attribute containing a user identity that can be used for authenticatingwith the LDAP server. This attribute fills no purpose in most common LDAP configurations, but can beuseful in more advanced setups, where the distinguished name (DN) does not work for authenticationor where users should be able to log in using a user name that does not map directly to an actual LDAP

119

TIBCO Spotfire® Server and Environment Installation and Administration

Page 120: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

account. A typical case for using this option is when setting up SASL, see SASL Authentication forLDAP.

LDAP Server Type

Specifies the type of LDAP server. There are four valid types: ActiveDirectory, SunOne, SunJavaSystem,and Custom.

When specifying one of the predefined server types, we will assume that default values will be appliedfor the most fundamental configuration options. It is possible to override the default values. Whenspecifying a Custom LDAP server type, there is no configuration template and all fundamentalconfiguration options must be specified explicitly. The table above shows which configuration optionsare required for a Custom LDAP server type.

LDAP Server URLs

A whitespace-separated list of LDAP server URLs. An LDAP server URL has the format<protocol>://<server>[:<port>]

● <protocol>: Either LDAP or LDAPS

● <server>: The fully qualified DNS name of the LDAP server

● <port>: An optional number indicating the TCP port the LDAP service is listening on. When usingthe LDAP protocol, the port number defaults to 389. When using the LDAPS protocol, the portnumber defaults to 636. Active Directory LDAP servers also provides a Global Catalog containingforest-wide information, instead of domain-wide information only. The Global Catalog LDAPservice by default listens on port number 3268 (LDAP) or 3269 (LDAPS).

Spotfire Server does not expect any search base, scope, filter, or other additional parameters after theport number in the LDAP server URLs. Such properties are specified using other configuration optionsfor this command.

Examples of LDAP server URLs:

LDAP://myserver.example.com

LDAPS://myserver.example.com

LDAP://myserver.example.com:389

LDAPS://myserver.example.com:636

LDAP://myserver.example.com:3268

LDAPS://myserver.example.com:3269

Context Names

A list of distinguished names (DNs) of the containers holding the LDAP accounts to be visible withinSpotfire Server. When specifying more than one DN, the DNs must be separated by pipe characters (|).If the specified containers contain a large number of users, but only a few should be visible in SpotfireServer, a custom user search filter can be specified to include only the filtered users; see "User SearchFilter", below.

Username

The name of the LDAP service account to be used when searching for users and groups in the LDAPdirectory. This service account does not need to have any write permissions, but it needs to have readpermissions for all configured context names (LDAP containers). For most LDAP servers, the accountname is the account's distinguished name (DN). For Active Directory, the account name can also bespecified in the forms ntdomain\name or name@dnsdomain.

Examples

CN=spotsvc,OU=services,DC=research,DC=example,dc=COM

RESEARCH\spotsvc (Active Directory only)

120

TIBCO Spotfire® Server and Environment Installation and Administration

Page 121: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

[email protected] (Active Directory only)

Password

The password for the LDAP service account.

Security Authentication

Specifies the security level to use when binding to the LDAP server. The default value is simple. Onlyuse this parameter in special cases, and use it with care in production environments.

● To enable anonymous binding, it should be set to none.

● To enable plain user name/password authentication, it should be set to simple.

● To enable SASL authentication, it should be set to the name of the SASL mechanism to be used.Spotfire Server supports the two SASL mechanisms DIGEST-MD5 and GSSAPI. You can set multiple-C flags to set the additional JNDI environment properties that the SASL authentication mechanismtypically requires

A typical case for using this option is when setting up SASL; see SASL authentication for LDAP.

User Search Filter

This parameter specifies an LDAP search expression filter to be used when searching for users.

If only a subset of all the users in the specified LDAP containers should be allowed access to SpotfireServer, a restrictive user search filter can be specified. For instance, the search expression can beconfigured so that it puts restrictions on which groups the users belong to, or which roles they have.

● For Active Directory servers, the parameter value defaults to objectClass=user

● For Active Directory servers, access can be restricted to only those users belonging to a certaingroup by using a search expression with the pattern &(objectClass=user)(memberOf=<groupDN>)where <groupDN> is to be replaced by the real DN of the group to which the users must belong. Ifthe users are divided among multiple groups, use the pattern &(objectClass=user)(|(memberOf=<firstDN> )(memberOf=<secondDN>)). Add extra (memberOf=<groupDN>) sub-expressions as needed.

Example: &(objectClass=person)(isMemberOf=cn=project-x,dc=example,dc=com)

● For any version of the Sun Directory Servers, it defaults to objectClass=person.

● For a Sun Java System Directory Server version 6 and later, the same effect can be achieved by usinga search expression with the pattern &(objectClass= person)(isMemberOf=<groupDN>). If the usersare divided among multiple groups, use the pattern &(objectClass=person)(|(isMemberOf=<firstDN> )(isMemberOf=<secondDN>)). Add extra (isMemberOf=<groupDN>) sub-expressions as needed.

Example: &(objectClass=person)(isMemberOf=cn=project-x,dc=example,dc=com)

● For the Directory Server product family, access can be restricted to only those users having certainspecific roles. The search expression for role filtering must match the pattern &(objectClass=person)(nsRole=<roleDN>). If multiple roles are of interest, use the pattern &(objectClass=person)(|(nsRole=<firstDN>))(nsRole=<secondDN>) ). Add extra (nsRole=<roleDN>)) sub-expressions asneeded.

Example: &(objectClass=person)(isMemberOf=cn=project-x,dc=example,dc=com)

The syntax of LDAP search expression filters is specified by RFC 4515. Consult this specification forinformation about more advanced filters.

Referral Mode

This argument specifies how LDAP referrals should be handled. Valid arguments are follow(automatically follow any referrals), ignore (ignore referrals) and throw (fail with an error). The defaultand recommended value is follow.

121

TIBCO Spotfire® Server and Environment Installation and Administration

Page 122: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Username Attribute

Specifies the name of the LDAP attribute containing the user account names. For Active Directoryservers the value defaults to sAMAccountName. For the Directory Server product family with a defaultconfiguration, it defaults to uid.

Custom LDAP Properties

Multiple key-value pairs specifying additional JNDI environment properties to be used whenconnecting to the LDAP server. For instance, specifying the key java.naming.security.authentication andthe value simple have the same result as setting the Security Authentication option to simple.

Request Control

This option determines the type of LDAP controls to be used when executing search queries to theLDAP server. Valid controls are Probe, PagedResultsControl, VirtualListViewControl and none.

The default behavior is to probe the LDAP server for the best supported request control. The pagedresults control is always preferred, since it provides the most efficient way of retrieving the result of thequery. The virtual list view control can also be used to retrieve a large number of users, if the pagedresults control is not supported. The virtual list view control will automatically be used together with asort control. Both the paged results control and the virtual list view control support a configurable pagesize, as specified by the page size option.

Page Size

This argument specifies the page size to be used with the paged results control or the virtual list viewcontrol when performing search queries to the LDAP server. The page size value defaults to 1000 forboth the paged results control and the virtual list view control.

Import Limit

This argument specifies a threshold that limits the number of users that can be imported from an LDAPserver to Spotfire Server in one query. This can be used to prevent accidental flooding of SpotfireServer's User Directory when integrating with an LDAP server with tens or even hundreds ofthousands of users. By setting an import limit, the administrator can be sure that an unexpected highnumber of users won't affect the server's performance. By default, there is no import limit. To explicitlyrequest unlimited import, set the parameter value to -1. All positive numbers are treated as an importlimit. Leave this parameter untouched. in most cases.

Group Synchronization Enabled

Specifies whether or not group synchronization should be enabled for this LDAP configuration.

Group Names

Specifies the groups to be synchronized. Groups can be specified with either their account names ortheir distinguished names (DNs). The account names and the distinguished names may contain anasterisk (*) as a wildcard character. This wildcard behaves just like the asterisk wildcard in standardLDAP search filters. Wildcards work for both account names and distinguished names.

It is also possible to specify the distinguished name of an LDAP container containing multiple groupsand thereby synchronizing all those groups. Wildcards can also be used for specifying groupcontainers.

It is possible to mix all variants above. Consider the following when specifying a group to besynchronized:

● Specify either the group's account name or its distinguished name (DN). The account name mustmatch the value of the configured group name attribute.

● It is possible to use an asterisk (*) as a wildcard character s in the account names when specifyinggroup names. If a configured group name contains wildcard characters and matches multiplegroups in the directory, all those groups will be synchronized.

122

TIBCO Spotfire® Server and Environment Installation and Administration

Page 123: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● It is also possible to specify the distinguished name of an LDAP container containing one or moregroups. All those groups will then be synchronized.

● It is possible to mix all variants.

If the enable group synchronization configuration property is set and the list of group names is empty,then all groups that can be found in the configured context names in the LDAP directory will besynchronized.

Synchronization Schedules

Specifies a list of schedules for when the group synchronization task should be performed. Theschedules are specified in the cron format, where each schedule consists of either five fields or oneshorthand label.

The five fields are, from left to right, with their valid ranges:

● minute (0-59)

● hour (0-23)

● day of month (1-31)

● month (1-12)

● day of week (0-7, where both 0 and 7 indicate Sunday)

A field may also be configured with the wildcard character (*), indicating that any moment in timematches this field. A group synchronization is triggered when all fields match the current time. If bothday of month and day of week have non-wildcard values, then only one of them has to match.

There are also the following shorthand labels that can be used instead of the full cron expressions:

@yearly or @annually: run once a year (equivalent to 0 0 1 1 *)

@monthly: run once a month (equivalent to 0 0 1 * *)

@weekly: run once a week (equivalent to 0 0 * * 0)

@daily or @midnight: run once a day (equivalent to 0 0 * * *)

@hourly: run once an hour (equivalent to 0 * * * *)

@minutely: run once a minute (equivalent to * * * * *)

@reboot or @restart: run every time Spotfire Server is started

Refer to the Wikipedia overview article on the cron scheduler.

Group Search Filter

This parameter specifies an LDAP search expression filter to be used when searching for groups.

● For Active Directory servers, the parameter value defaults to objectClass=group

● For Oracle Directory Servers and Sun Java System Directory Servers, it defaults toobjectClass=groupOfUniqueNames

● For Sun ONE Directory Servers, it defaults to &(|(objectclass= nsManagedRoleDefinition)(objectClass=nsNestedRoleDefinition))(objectclass= ldapSubEntry)

Group Name Attribute

Specifies the name of the LDAP attribute containing the group account names:

● For Active Directory servers the value defaults to sAMAccountName

● For any version of the Sun directory servers with a default configuration, it defaults to cn

Supports memberOf

123

TIBCO Spotfire® Server and Environment Installation and Administration

Page 124: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Specifies whether or not the LDAP servers support a memberOf-like attribute on the user accounts thatcontain the names of the groups or roles that the users are members of. In general, this is true for allMicrosoft Active Directory servers and the Directory Server product family.

For some LDAP servers with configurations of type Custom, there is no memberOf-like attribute. Thisis declared by setting the supports memberOf configuration property to false.

Member Attribute

This parameter value can be set to: memberOf, nsRole, or isMemberOf.

For LDAP configurations with the supports memberOf option set to false, the member attribute optionspecifies the name of the LDAP attribute on the group accounts that contains the distinguished names(DNs) of its members. In general, this includes LDAP servers with configurations of type Custom andany Sun ONE Directory Servers (version 5 and earlier) when used with group-based synchronization.

For LDAP configurations with the supports memberOf option set to true, the member attribute optionspecifies the name of the LDAP attribute on the user accounts that contains the names of the groups orroles that the users are members of. In general, this includes all Microsoft Active Directory server andall types of Sun Directory Servers version 6 and later. For Sun ONE Directory Servers (version 5 andolder), this also applies for roles.

● For Microsoft Active Directory servers, the member attribute value defaults to memberOf● For Sun ONE Directory Servers, the member attribute option defaults to nsRole● For Sun Java System Directory Server version 6.0 or later, the member attribute option defaults to

isMemberOf. To use the roles with the Sun Java System Directory Server or later, it is recommendedto use the SunONE configuration template instead.

All configurations with the memberOf option set to false will use a far less efficient groupsynchronization algorithm that will generate more traffic to the LDAP servers, because Spotfire Serverwill first have to search for the distinguished names (DNs) of the group members within the groups,and then perform repeated lookups to translate the member DN to the correct account name.

Ignore Member Groups

This argument determines whether or not the group synchronization mechanism should recursivelytraverse the synchronized groups' non-synchronized subgroups and include their members in thesearch result.

For Microsoft Active Directory servers, the parameter value defaults to false so that all inherited groupmemberships are correctly reflected. For any version of the Sun Directory Servers, it defaults to truebecause the role and groups mechanisms in those servers automatically include those members.

Post-authentication filterAfter a user's identity is validated, Spotfire Server performs an additional check using the post-authentication filter.

This filter has two built-in modes:

● Block. When the post-authentication filter is set to Block, it blocks all users who are not alreadypresent in the Spotfire Server user directory. This is the default mode, and the appropriate mode touse with an LDAP user directory.

● Auto-create. When the post-authentication filter is set to Auto-create, it automatically creates newaccounts for any user who logs in to the server for the first time. This mode is valid only when theuser directory mode is set to Database.

The blocking mode is the default mode. When it is used with a user directory in LDAP/Active Directorymode, it automatically transforms to the domain name of the authenticated user to match theconfigured domain name style.

The auto-creating mode is typically applied when using an LDAP directory or X.509 certificates forauthentication together with the User Directory set up in database mode. The Post-authentication filter

124

TIBCO Spotfire® Server and Environment Installation and Administration

Page 125: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

will create users with their external domain names, even though the user directory is in database mode,unless the collapse domains configuration property is enabled. This makes it possible to later switch toLDAP or Windows NT mode. If the collapse domains configuration property is enabled, the users willbe created within the internal SPOTFIRE domain and it will not be possible to later switch to LDAP orWindows NT mode.

It is also possible to use the Spotfire Server API to create a custom post-authentication filter to performadditional validation. This filter must be installed in the /tomcat/webapps/spotfire/WEB-INF/libdirectory on all servers. It is enabled using the config-post-auth-filter command. If a custom filter isused, it will be combined with the built-in filter, meaning that the filters will work together.

HTTPSBy default, Spotfire uses the HTTP protocol for communication between clients and Spotfire Server. Toachieve a higher level of security, use the HTTPS protocol instead, ensuring encryption between clientsand server.

HTTPS also includes a mechanism for clients to authenticate the server. To have the server authenticatethe clients as well, you can enable X.509 client certificate authentication.

To enable encrypted communication using HTTPS, see Configuring HTTPS.

To enable X.509 client certificate authentication, start with Configuring HTTP and then proceed to Authentication using X.509 client certificates.

Configuring HTTPSHTTPS ensures that the communication between clients and Spotfire Server is encrypted.

Prerequisites

Obtain a server certificate and private key, stored in a Java keystore (JKS) or PKCS #12 keystore (P12/PFX).

Procedure

1. Stop Spotfire Server.

2. Copy the keystore file to the <installation dir>/tomcat/certs directory. We suggest using theserver's hostname as keystore filename.

3. Open the configuration file <installation dir>/tomcat/conf/server.xml in a text editor andlocate the section containing the configuration template for an HTTPS connector:<!-- Enable this connector if you want to use HTTPS --><!-- -->

(In your installation, [server hostname] is replaced with the actual hostname of your server.)

4. Remove the lines with the comment markers <!-- and --> .

5. Update the keystoreFile parameter with the name of the keystore file containing the servercertificate and private key.

6. Set the keystorePass parameter to the password for the keystore file containing the servercertificate and private key.

7. Set the keystoreType parameter to "jks" for a Java keystore or "pkcs12" for a PKCS #12 keystore.

8. If the keystore contains more certificates than the server certificate, the keyAlias parameter must beset to the alias for the server certificate and private key.

9. Unless you will enable X.509 client certificate authentication, remove the truststoreFile,truststorePass, and truststoreType parameters.

125

TIBCO Spotfire® Server and Environment Installation and Administration

Page 126: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

10. To disable unencrypted HTTP traffic, follow these steps:

1. Locate the section containing the default HTTP connector:<Connector port="[HTTP port]"maxHttpHeaderSize="16384"connectionTimeout="30000"enableLookups="false"URIEncoding="UTF-8"disableUploadTimeout="true"server="TIBCO Spotfire Server" />

(In your installation, [HTTP port] is replaced with the HTTP port of your server.)

2. Add comment markers <!-- and --> around the HTTP connector configuration:<!--<Connector port="[HTTP port]"maxHttpHeaderSize="16384"connectionTimeout="30000"enableLookups="false"URIEncoding="UTF-8"disableUploadTimeout="true"server="TIBCO Spotfire Server" />-->

11. Start Spotfire Server.

Node manager installationTo be able to run services, you must first install and trust a node manager on each node in your system.

Currently the node is capable of running two different services: Spotfire Web Player and SpotfireAutomation Services.

The installation of the node manager creates a Windows service that runs as the LocalSystem account.

If you change the node manager service account, make sure that the account is a local administratorand that it has read and write access to the node manager installation directory and subdirectories.

For more information, see Nodes and services introduction.

Installing a node manager interactivelyEach node in your system must have a node manager installed.

Prerequisites

● Spotfire Server is installed and running.

● In the firewall of the computer on which you're installing the node manager, open the ports that willbe used for the node manager and the services. (See step 5 below for information on how these portsare used.)

This procedure is for an interactive installation, using the installation wizard. Alternatively, you can runa silent installation from the command line; for details, see Installing a node manager silently.

Procedure

1. Double-click nm-setup.exe.

You may be prompted to install Microsoft .NET Framework at this point.

2. In the installation wizard Welcome dialog, click Next.

3. In the License dialog, read the agreement, select I accept, and then click Next.

126

TIBCO Spotfire® Server and Environment Installation and Administration

Page 127: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

4. In the Destination Folder dialog you can change the location if you want to, and then click Next.The Node Manager Ports dialog opens.

5. In the Node Manager Ports dialog, enter numbers (or leave the defaults) for the following ports:

● Node Manager registration port–The port that is used to set up secure internal communicationchannels.

If you are installing the node manager on the same computer as Spotfire Server, thisport must be different than the Spotfire Server back-end registration port. The defaultfor the Spotfire Server port is 9080.

● Node Manager communication port (TLS)–The port used for secure (TLS) communicationwithin the implementation.

If you are installing the node manager on the same computer as Spotfire Server, thisport must be different than the Spotfire Server back-end communication port. Thedefault for the Spotfire Server port is 9443.

The selected ports must be available and not blocked by a firewall.

To check whether a port is in use, on a command line enter netstat -na.

6. Click Next.The Spotfire Server dialog opens.

7. In the Spotfire Server dialog, enter the following information, and then click Next.

These values must match the values you used when installing the Spotfire Server files.

● Server name–The hostname of Spotfire Server.

Valid hostnames may contain only alphabetic characters, numeric characters, hyphen,and period.

● Server backend registration port–The registration port that you specified during Spotfire Serverinstallation.

● Server backend communication port (TLS)–The back-end communication port that youspecified during Spotfire Server installation.

8. In the Windows Service dialog, indicate that you want the node manager service to startautomatically when you finish the installation and click Next.

9. In the Network Names dialog, select the computer names that can be used by back-end trust. Ingeneral you can leave all the listed names as they are.

10. In the Ready to Install dialog, click Install.

Result

When the installation is done, the node manager service starts.

What to do next

After the installation wizard finishes running, you must authorize the new node manager.

See Authorizing a node manager.

127

TIBCO Spotfire® Server and Environment Installation and Administration

Page 128: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Installing a node manager silently

Instead of running the installation wizard, you can install the node manager files silently by runningthe installer from the command prompt.

Prerequisites

● Spotfire Server is installed and running.

● In the firewall of the computer on which you're installing the node manager, open the ports that willbe used for the node manager and the services.

To use the interactive installation wizard instead of the command-prompt installation, see Installing anode manager.

Procedure

1. Open a command-line interface as an administrator.

2. Replace the parameters in the following code:${Installer_Name} /s /v"/qn /l*vx TSS_NM_install.log INSTALLDIR=\"${INSTALLDIR}\"NODEMANAGER_REGISTRATION_PORT=${NODEMANAGER_REGISTRATION_PORT} NODEMANAGER_COMMUNICATION_PORT=${NODEMANAGER_COMMUNICATION_PORT} SERVER_NAME=${SERVER_NAME} SERVER_BACKEND_REGISTRATION_PORT=${SERVER_BACKEND_REGISTRATION_PORT} SERVER_BACKEND_COMMUNICATION_PORT=${SERVER_BACKEND_COMMUNICATION_PORT}NODEMANAGER_HOST_NAMES=${HOSTNAME}"

Examplenm-setup.exe /s /v"/qn /l*vx TSS_NM_install.log INSTALLDIR=\"C:\tibco\tsnm\" NODEMANAGER_REGISTRATION_PORT=83NODEMANAGER_COMMUNICATION_PORT=84 SERVER_NAME=<SpotfireServerName> SERVER_BACKEND_REGISTRATION_PORT=81SERVER_BACKEND_COMMUNICATION_PORT=82 NODEMANAGER_HOST_NAMES=<NodeManagerHostNames>"

Silent installation parameters

Parameter Description

INSTALLDIR The installation directory.

NODEMANAGER_REGISTRATION_PORT Node manager registration port (Default: 9080)

nodemanager.properties: nodemanager.cleartext.port

● Port used for initial setup of internal securecommunication channels.

● Needs only be accessible from Spotfire Server(s).

If you are installing the node manager on thesame computer as Spotfire Server, this portmust be different than the Spotfire Serverback-end registration port.

128

TIBCO Spotfire® Server and Environment Installation and Administration

Page 129: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Parameter Description

NODEMANAGER_COMMUNICATION_PORT Node manager communication port (TLS) (Default:9443)

nodemanager.properties: nodemanager.port

● Port used for secure (TLS) internal communicationwithin the environment.

● Needs only be accessible from Spotfire Server(s).

If you are installing the node manager on thesame computer as Spotfire Server, this portmust be different than the Spotfire Serverback-end communication port.

SERVER_NAME nodemanager.properties: nodemanager.supervisor

● Must match the host name of the Spotfire Server.

Valid hostnames may only containalphabetic characters, numeric characters,hyphen and period.

SERVER_BACKEND_REGISTRATION_PO

RT

Server backend registration port (Default: 9080)

nodemanager.properties:nodemanager.supervisor.cleartext.port

● Must match the registration port specified in theSpotfire Server installation.

SERVER_BACKEND_COMMUNICATION_P

ORT

Server backend communication port (TLS): (Default:9443)

nodemanager.properties: nodemanager.supervisor.port

● Must match the back-end communication portspecified in the Spotfire Server installation.

NODEMANAGER_HOST_NAMES A comma-separated list of IP addresses, hostnames, andFQDN names that can be used by back-end trust. Theseshould be for the interface(s) on the computer where thenode manager is installed.

Valid hostnames may only contain alphabeticcharacters, numeric characters, hyphen andperiod.

If you do not enter any values, the installerautomatically provides values. Afterinstallation, confirm that these are correct inthe [installation dir]\nm\config\nodemanager.properties file.

3. Run the installation script.

129

TIBCO Spotfire® Server and Environment Installation and Administration

Page 130: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Authorizing a nodeAfter installing the node manager, you must indicate in Spotfire Server that you trust the node.

Prerequisites

● You have followed the procedure Installing a node manager.● Both Spotfire Server and the newly-installed node manager are running.

Procedure

1. Log in to Spotfire Server. (For instructions on accessing the server, see Starting Spotfire Server.)

2. Click Nodes & Services, and then click the Untrusted nodes tab.

3. Under Untrusted nodes, select the check box next to the new node manager and then click Trustnodes.

4. In the Trust node dialog, click Trust.

Result

The new node manager appears on the Your network page when you select the Nodes view.

What to do next

Set up services on the node

Starting or stopping node manager (as a Windows service)Start or stop the node manager Windows service from the Control Panel on the node managercomputer.

Procedure

1. Log on to the node manager computer as an administrator.

2. Click Start > Control Panel > Administrative Tools > Services, and then locate and select the servicecalled TIBCO Spotfire Node Manager.

3. To the left of the services list, click Start in the phrase "Start the service" to start the node managerWindows service. Click Stop to the left of the services list to stop a running node manager Windowsservice.

Login behavior configurationYou can configure various aspects of the Spotfire login dialog.

These are the behaviors that are configurable:

● If the login dialog should be displayed.● If users should be allowed to work offline or if they always must log in.● If users can select "Save my login information" in the login dialog and store the login information for

future automatic login.● If users should be forced to log in after working offline for a certain number of days.● If you want an RSS feed to be shown in the login dialog.● If users should be able to enter their own credentials in the login dialog.To configure the login dialog, use the command config-login-dialog.

130

TIBCO Spotfire® Server and Environment Installation and Administration

Page 131: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

To change the look and feel of the login dialog and other Spotfire windows, see the TIBCO SpotfireCobranding Manual.

Service installationAfter installing and trusting a node manager on a node, you configure and install services and serviceinstances.

Manually configuring a Spotfire Web Player service (optional)To prepare a Spotfire Web Player configuration that you plan to use repeatedly or that you want to saveas a template, you can manually edit a service configuration and then apply the configuration to new orexisting services. You can also use this procedure at any time to make changes to the configuration. Youcan create and save as many service configurations as needed.

Prerequisites

The Spotfire client distribution file (.sdn file) has been deployed to the server; for instructions see Deploying client packages to Spotfire Server.

Procedure

1. Open a command-line interface and export the service configuration from Spotfire Server by usingthe export-service-config command. Specify the Web Player capability and the deployment area:export-service-config --capability=WEB_PLAYER --deployment-area=Production

The following configuration files are exported. By default, these files are located in the <installdir>\tomcat\bin\config\root directory.

● Spotfire.Dxp.Worker.Core.config

● Spotfire.Dxp.Worker.Host.exe.config

● Spotfire.Dxp.Worker.Web.config

2. Edit the exported configuration files in a text editor or XML editor.For information on the configuration files, see Service configuration files.

3. In the command-line interface, import the configuration file back into Spotfire Server, and name theconfiguration by using the import-service-config command.import-service-config --config-name=WebPlayerConfiguration

4. In the command-line interface, assign the created Spotfire Web Player configuration to the SpotfireServer to make it possible to use for the service:set-service-config --service-id=value --config-name=WebPlayerConfiguration

Result

When you install a new Spotfire Web Player service or edit an existing one, you can select the editedconfiguration.

Changing the configuration of a Spotfire Web Player service causes its web clients to restart.

131

TIBCO Spotfire® Server and Environment Installation and Administration

Page 132: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Installing Spotfire Web Player instancesAfter installing and authorizing a node manager, you install the Spotfire Web Player service andindicate the number of Spotfire Web Player instances that you want to make available. The Spotfire WebPlayer instances can then be accessed on any computer in the network.

Prerequisites

● You have installed and authorized a node manager; for instructions, see Installing a node managerand Authorizing a node manager.

● Spotfire Server and the node manager are up and running.

● You have deployed client packages to Spotfire Server; for instructions, see Deploying clientpackages to Spotfire Server.

● By default TLS 1.2 is not enabled on Windows Server 2008 R2. For communication to work betweena service and Spotfire Server this must be enabled. To enable TLS 1.2 on Windows Server 2008 R2see section "For later versions of Windows" on https://support.microsoft.com/en-us/kb/245030. Formore information about TLS settings in windows see https://technet.microsoft.com/en-us/library/dn786418.aspx.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. Under Select a view, select Nodes, and then select the node to which you want to add the SpotfireWeb Player service. There should be a green circle with a check mark next to the selected node.

3. In the lower-right pane, click Install new service.

4. Make your selections in the Install new service dialog:a) Under Deployment area, select the area you are using.

Administrators generally create a Test deployment area to use as a staging server.

b) Under Capability select WEB_PLAYER.c) Under Configuration, select the service configuration that you want to apply to the service.

Spotfire Server contains a default service configuration that you can select and changelater. If you want to prepare a configuration file ahead of time, see Manuallyconfiguring a Web Player service.

d) Under Number of instances, enter the number of instances of the service that you want to makeavailable. For more information, see Multiple service instances on one node.

e) Under Port, you can change the default of 9501 if you want to.f) Enter a name for this service.

5. Click Install and start.To view the progress of the installation, click the Activity tab.

What to do next

● If applicable, install Spotfire Automation Services; for instructions, see Installing SpotfireAutomation Services instances.

● For information on the remaining setup tasks, see Post-installation steps.

132

TIBCO Spotfire® Server and Environment Installation and Administration

Page 133: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Multiple service instances on one nodeAdding more than one web player service instance could be beneficial, particularly on large computerswith NUMA architecture.

For failover reasons, it is recommended to have more than one instance in your environment. However,for failover reasons the instances do not have to be on the same node.

These are the two main reasons for adding more service instances on the same node:

● If there are unstable analyses that are suspected to result in issues for the process, these can berouted to one dedicated service instance using file routing rules. This isolates the analyses fromother instances.

● A very large .NET heap may lead to long duration blocking garbage collections. By distributinganalyses that lead to a large .NET memory footprint over more than one service instance, the .NETheap becomes smaller, which leads to quicker garbage collections.

These are two reasons to avoid using too many service instances:

● Each service instance requires some overhead, mostly in terms of memory usage but also some CPUusage.

● There is no data or document sharing between service instances.

You may want to experiment with fewer or more service instances, especially on large computers.

Manually configuring Spotfire Automation Services (optional)To prepare a TIBCO Spotfire® Automation Services configuration that you plan to use repeatedly orthat you want to save as a template, you can manually edit a service configuration and then apply theconfiguration to new or existing services. You can also use this procedure at any time to make changesto the configuration. You can create and save as many service configurations as needed.

Prerequisites

● The Spotfire client distribution file (.sdn file) has been deployed to the server; for instructions see Deploying client packages to Spotfire Server.

Procedure

1. Open a command-line interface and export the service configuration from Spotfire Server by usingthe export-service-config command. Specify the Automation Services capability, and thedeployment area:export-service-config --capability=AUTOMATION_SERVICES --deployment-area=Production

The following configuration files are exported. By default, these files are located in the <installdir>\tomcat\bin\config\root directory.

● Spotfire.Dxp.Worker.Automation.config

● Spotfire.Dxp.Worker.Core.config

● Spotfire.Dxp.Worker.Host.exe.config

● Spotfire.Dxp.Worker.Web.config

2. Edit the exported configuration files in a text editor or XML editor.For information on the configuration files, see Service configuration files.

133

TIBCO Spotfire® Server and Environment Installation and Administration

Page 134: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the command-line interface, import the configuration file back into Spotfire Server, and name theconfiguration by using the import-service-config command.import-service-config --config-name=AutomationServicesConfiguration

4. In the command-line interface, assign the created Spotfire® Automation Services configuration toSpotfire Server:set-service-config --service-id=value --config-name=AutomationServicesConfiguration.

Result

When you install a new Spotfire Automation Services service or edit an existing one, you can select theedited configuration.

Installing Spotfire Automation Services instancesAfter installing and authorizing a node manager, you can install TIBCO Spotfire® Automation Servicesand indicate the number of instances of this service that you want to make available. SpotfireAutomation Services can then be accessed on any computer in the network.

All users that execute automation services jobs on the server, using the Job Builder or the Client JobSender, must be members of the group Automation Services Users.

Prerequisites

● You have installed and authorized a node manager; for instructions, see Installing a node managerand Authorizing a node.

● Spotfire Server and the node manager are up and running.

● You have deployed client packages to Spotfire Server; for instructions, see Deploying clientpackages to Spotfire Server.

● In Administration Manager in Spotfire Analyst you have assigned licenses required by theAutomation Services jobs to the automationservices@SPOTFIRESYSTEM user, which is the accountused to execute the jobs on the service instance.

For a description of the licenses, see the Administration Manager help.

● By default TLS 1.2 is not enabled on Windows Server 2008 R2. For communication to work betweena service and Spotfire Server this must be enabled. To enable TLS 1.2 on Windows Server 2008 R2see section "For later versions of Windows" on https://support.microsoft.com/en-us/kb/245030. Formore information about TLS settings in windows see https://technet.microsoft.com/en-us/library/dn786418.aspx.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. In the Nodes view, select the node to which you want to add the Spotfire Automation Servicesservice. There should be a green circle with a check mark next to the selected node manager.The words Installed services followed by the name of the node manager are displayed in the lower-right pane of the window.

3. Click Install new service.

4. Make your selections in the Install new service dialog:a) Under Deployment area, select the area you are using.

Administrators generally create a Test deployment area to use as a staging server.

b) Under Capability select AUTOMATION_SERVICES.

134

TIBCO Spotfire® Server and Environment Installation and Administration

Page 135: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

c) Under Configuration, select the service configuration that you want to apply to the service.

Spotfire Server contains a default service configuration that you can select and changelater. If you want to prepare a configuration file ahead of time, see Manuallyconfiguring Automation Services.

d) Under Number of instances, enter the number of instances of the service that you want to makeavailable.

e) Under Port, select Random unless you want to specify a different port.f) Enter a name for this service.

5. Click Install and start.To view the progress of the installation, click the Activity tab.

What to do next

For information on the remaining setup tasks, see Post-installation steps.

Client Job SenderSpotfire Automation Services includes the Client Job Sender tool that you can use to automate jobs thatare created by the job builder.

The Client Job Sender tool and associated configuration file can be installed on any computer withHTTP or HTTPS (if configured) connectivity to the Spotfire Server and the .NET Framework versionrequired for the Spotfire Analyst client installed. Make sure that both files are in the same directory.

Client Job Sender File name

Executable Spotfire.Dxp.Automation.ClientJobSender.exe

Configuration file Spotfire.Dxp.Automation.ClientJobSender.exe.config

The Spotfire Automation Services Client Job Sender returns a code reporting if a job succeeded orfailed. If the job failed, the return code also returns a message indicating how it failed. The returnvalues are stored in the ERRORLEVEL environment variable. The valid return codes are as follows:

Returncodevalue Return code Message

0 Success The job succeeded.

1 CommandLineParameterError An incorrect command-lineparameter was supplied.

2 ServerExecutionError The job failed on the server.

3 ClientExecutionError The client failed to send the job tothe server.

For information about how to use the Client Job Sender, see the TIBCO Spotfire® Automation ServicesUser's Manual.

135

TIBCO Spotfire® Server and Environment Installation and Administration

Page 136: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Service configuration filesThere are four files that are used to configure the Spotfire Web Player service and Spotfire AutomationServices.

For information on working with these files, see Manually configuring a Spotfire Web Player service or Manually configuring Spotfire Automation Services.

● Spotfire.Dxp.Worker.Automation.config

● Spotfire.Dxp.Worker.Core.config

● Spotfire.Dxp.Worker.Host.exe.config

● Spotfire.Dxp.Worker.Web.config

Spotfire.Dxp.Worker.Automation.config

This configuration file is used for Automation Services specific configurations.

SettingDefaultvalue Description

<Spotfire.Dxp.Automation

>

<automation>

maxWaitTimeForTaskBackgr

oundJobToFinishSeconds

180 The number of seconds to wait for background threadexecution to finish after the task finished executing.

maxConcurrentJobs -1 Number of jobs that are allowed to execute in parallel. If0 or less, this is set to the number of cpu cores on themachine.

The number of executing jobs can be less thanthe specified value if the service instance isexhausted. For more information, seeWebPlayer_AverageCpuLoadExhaustedLimit

in Spotfire.Dxp.Worker.Host.exe.config.

</automation>

</

Spotfire.Dxp.Automation>

<spotfire.dxp.automation

.tasks>

<smtp>

port 25 The port to use when connecting to the SMTP server.

useTls False Set to True to use Transport Layer Security (TLS) whenconnecting to the SMTP server.

136

TIBCO Spotfire® Server and Environment Installation and Administration

Page 137: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

SettingDefaultvalue Description

timeoutSeconds 100 Maximum number of seconds before the send commandtimes out.

useWindowsDefaultCredent

ials

False Set to True to use the windows credentials of theaccount that executes the Node Manager whenaccessing the SMTP server. If username and password isset, this is not used.

username The username to use when authenticating with theSMTP server.

password The password to use when authenticating with theSMTP server.

useCertificates False Set to True to use client certificates when accessing theSMTP server.

storeLocation The store location to take the certificate from[CurrentUser|LocalMachine].

storeName The name of the store to take the certificate from[AddressBook|AuthRoot|CertificateAuthority|Disallowed|My|Root|TrustedPeople|TrustedPublisher].

serialNumber The serial number of the certificate.

</smtp>

<saveAnalysis>

forceUpdateBehaviorManua

lWhenEmbeddingData

True Set to True force embedding of data function based datasources, such as On-demand.

</saveAnalysis>

<preferences>

Spotfire.Automation.Send

Mail.SMTPHost

Specify the SMTP Host for Email Notification.

Spotfire.Automation.Send

Mail.FromAddress

Specify the From Address for Email Notification

Spotfire.Automation.Libr

aryImport.TimeoutInSecon

ds

300 Specify the timeout (seconds) for the library importoperation for the Import Library task.

Spotfire.Automation.Libr

aryExport.TimeoutInSecon

ds

300 Specify the timeout (seconds) for the library exportoperation for the Export Library task.

137

TIBCO Spotfire® Server and Environment Installation and Administration

Page 138: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

SettingDefaultvalue Description

</preferences>

</

spotfire.dxp.automation.

tasks>

Spotfire.Dxp.Worker.Core.config

This configuration file specifies settings for the service's communication with the Spotfire Server, and ifsections in configuration files should be encrypted.

Setting Default Value Description

cookies

autoTransfer=""

Specify the cookies fromthe Spotfire Server thatshould be sent back on allrequests in the format ofa ; separated list, forexample:"ARRAffinity;myCookie;myCookie2".

<cryptography>

encryptConfigurationS

ections

True Set to true to encryptsections of configurationfiles containing sensitiveinformation.

protectSectionEncrypt

ionProvider

DataProtectionConfigurationProvider Name of the algorithmused when sections areencrypted.

</cryptography>

Spotfire.Dxp.Worker.Host.exe.config

Settings in this configuration file affect both Web Player services and Automation Services.

Setting Default Value Description

<Spotfire.Dxp.Web.Propert

ies.Settings>

TibcoSpotfireStatisticsSe

rvicesURLs

A list of URLs to SpotfireStatistics Services.

TibcoSpotfireStatisticsSe

rvicesUsernames

A list of user names for each ofthe URLs.

138

TIBCO Spotfire® Server and Environment Installation and Administration

Page 139: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

TibcoSpotfireStatisticsSe

rvicesPasswords

A list of passwords for each ofthe user names and URLs.

DataAdapterCredentials If WebConfig is selected asauthentication method for dataconnectors, you must specifythe user name and passwordfor a credentials profile, that allusers will use forauthentication. You can addmultiple profiles with differentcredentials.

Each entry should be in thisformat:<entry profile="profile_name"><username>user</username><password>password</password></entry>

WebPlayer_AverageCpuLoadE

xhaustedLimit

90 If a service instance isexhausted, no new users willbe routed to that instance.Specify the CPU load limit, inpercent, that sets the state ofthe instance to exhausted.

Set to -1 to disable theexhausted limit.

Note that this setting isapplicable to both Web Playerservices and AutomationServices.

WebPlayer_AverageCpuLoadN

otExhaustedLimit

85 Specify the CPU load, inpercent, that the instance mustget below to leave theexhausted state.

Note that this setting isapplicable to both Web Playerservices and AutomationServices.

139

TIBCO Spotfire® Server and Environment Installation and Administration

Page 140: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

WebPlayer_AverageCpuLoadS

trainedLimit

50 If a service instance is strained,new users will be routed toother instances that are notstrained or exhausted. If allinstances are strained, newusers will be routed to thestrained instance. Specify theCPU load limit, in percent, thatsets the state of the instance tostrained.

Set to -1 to disable the strainedlimit.

Note that this setting isapplicable to both Web Playerservices and AutomationServices.

WebPlayer_AverageCpuLoadN

otStrainedLimit

45 Specify the CPU load, inpercent, that the instance mustget below to leave the strainedstate.

Note that this setting isapplicable to both Web Playerservices and AutomationServices.

WebPlayer_AverageCpuLoadC

ountOnlyCurrentProcess

False Set to true to only measure theCPU load created by theinstance a user is routed to. Ifset to false, the CPU load willbe measured for all instanceson the node.

Note that this setting isapplicable to both Web Playerservices and AutomationServices.

</

Spotfire.Dxp.Web.Properti

es.Settings>

<Spotfire.Dxp.Internal.Pr

operties.Settings>

These settings should not beedited, unless instructed bySpotfire Support.

<Spotfire.Dxp.Application

.Properties.Settings>

Bookmarks_MinimumSynchron

izationIntervalSeconds

60 Specify the minimumsynchronization interval forbookmarks, in seconds.

140

TIBCO Spotfire® Server and Environment Installation and Administration

Page 141: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

</

Spotfire.Dxp.Application.

Properties.Settings>

<Spotfire.Dxp.Data.Proper

ties.Settings>

DataBlockStorage_MemoryLo

adExhaustedLimit

98 If a service instance isexhausted, no new users willbe routed to that instance.Specify the memory load limit,in percent, that sets the state ofthe instance to exhausted.

Set to -1 to disable theexhausted limit.

DataBlockStorage_

MemoryLoadNotExhaustedLim

it

93 Specify the memory load, inpercent, that the instance mustget below to leave theexhausted state.

DataBlockStorage_MemoryLo

adStrainedLimit

75 If a service instance is strained,new users will be routed toother instances that are notstrained or exhausted. If allinstances are strained, newusers will be routed to thestrained instance. Specify thememory load limit, in percent,that sets the state of theinstance to strained.

Set to -1 to disable the strainedlimit.

DataBlockStorage_MemoryLo

adNotStrainedLimit

70 Specify the memory load, inpercent, that the instance mustget below to leave the strainedstate.

DataBlockStorageStorageIO

SizeKB

64 This setting should not beedited, unless instructed bySpotfire Support.

DataOnDemand_MaxCacheTime 01:00:00 Specify the length of time, inthe format HH:MM:SS, for dataon demand to be cached. Thissetting is only used if youconfigured data on demand tobe cached on the web clients.

141

TIBCO Spotfire® Server and Environment Installation and Administration

Page 142: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

AllowedFilePaths Provide the full path todirectories or files on a localdisk that you want to access inthe web clients.

Specify each file or directory ina separate <string> tag.

</

Spotfire.Dxp.Data.Propert

ies.Settings>

<Spotfire.Dxp.Data.Access

.Properties.Settings>

AllowCustomQueries True Enables custom queries forusers on this service.

</

Spotfire.Dxp.Data.Access.

Properties.Settings>

<Spotfire.Dxp.Data.Access

.Adapters.Settings>

WebAuthenticationMode Prompt Specify the authenticationmethod to use for connectors.Valid options are:

WebConfig – select this to makeall users connect with thecredentials specified in theSpotfire.Dxp.Web.

Properties.Settings/

DataAdapterCredentials

section.

Kerberos – select this if yoursystem is configured toauthenticate users withKerberos.

Prompt – select this to promptthe users for a username andpassword for the external datasource.

ServiceAccount – select this tomake all users connect to theexternal data source using thecomputer account or dedicateduser account that is used to runthe node manager.

142

TIBCO Spotfire® Server and Environment Installation and Administration

Page 143: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

<runtime> These settings should not beedited, unless instructed bySpotfire Support.

<startup> These settings should not beedited, unless instructed bySpotfire Support.

<system.web> These settings should not beedited, unless instructed bySpotfire Support.

<system.serviceModel> These settings should not beedited, unless instructed bySpotfire Support.

Spotfire.Dxp.Worker.Web.config

This configuration file specifies Web Player service configurations, some Automation Servicesconfigurations, and UI elements applicable to both the web clients and the library browser on SpotfireServer.

The settings in the sections <application>, <userInterface><pages>,<userInterface><closedAnalysis>, and <userInterface><errorPage>, and the settingmaxReceivedMessageSizeMb, which sets the maximum size for file upload, are applicable both to theweb client and the library browser on Spotfire Server. If these settings are changed, you must run thecommand set-service-config to apply the settings in the web client, and the command set-server-service-config to apply the settings in the library browser on Spotfire Server.

Setting Default Value Description

<spotfire.dxp.web>

<setup>

<javaScriptApi enabled> True Enables or disables the Spotfire Web PlayerJavascript API. Enable this setting to allowusers to share and view embedded analysisfiles using the Copy Link or Embed Codetools in the web client.

<errorReporting> This section is applicable for both WebPlayer services and Automation Services.

enableMiniDumpCreationOnE

rror

True Create a mini dump file if the service goesdown unintentionally.

miniDumpSizeLarge False Set to true to create a full dump. Note thatthis can create a very large dump file. Thissetting should not be edited, unlessinstructed by Spotfire Support.

143

TIBCO Spotfire® Server and Environment Installation and Administration

Page 144: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

miniDumpPath " " Specify the location where the mini dumpfile should be saved on the computer withthe node manager installed. Leave thisempty to save the mini dump file to thefolder that contains the node manager logfiles.

includeDetailedErrorInfor

mation

False Set to true to enable detailed errorinformation, like call stacks in messages toend users. For security reasons this shouldnot be enabled by default.

</errorReporting>

<languages> This section is applicable for both WebPlayer services and Automation Services.

<installedLanguages> This section should not be edited. The list ofinstalled languages will be populatedautomatically.

<languageMappings> You can define a mapping from a languagepreference configured by users in thebrowser to one of the languages installed onthe service. For example, if your users haveFrench (Canada) [fr-CA] as the highestpreference language in their web browser,but the service uses French (France) [fr-FR],you can specify that [fr-FR] should be usedeven if the end users have not added [fr-FR]to their list of supported languages in thebrowser.

add browserLanguage For each mapping from a browser languagethat is not directly supported, add a settingin the <languageMappings> section in theformat:

<add browserLanguage="en-GB"

installedLanguageToUse="en-US"/>

</languageMappings>

</languages>

144

TIBCO Spotfire® Server and Environment Installation and Administration

Page 145: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

<sbdfCache> In order to quickly create and share mapchart visualizations that uses geocodingtables, and to quickly open SBDF files fromthe library, it is possible to cache andpreload the SBDF files stored in the library.The cache is an in-memory cache that keepsrecently opened SBDF files from the libraryopen. If files have not been accessed for aspecified time, or if memory is low, they willbe removed from memory.

This section is applicable for both WebPlayer services and Automation Services.

enabled True Set to true to enable the cache.

cacheTimeoutMinutes Specify the minimum time an SBDF file isstored in the cache. If the preload service isused, this should be a bit longer than thelibraryCheckInterval setting.

<preloadSettings>

enabled False Set to true to enable the preload service ofSBDF files.

The cache must also be enabledfor the preload service to work.

libraryCheckIntervalMinut

es

10 Specify how often the preloading servicewill check the library for new content.

librarySearch MapChart.IsGeocodingTable::trueANDMapChart.IsGeocodingEnabled::true

The search string that specifies which SBDFfiles to cache. The default search stringspecifies all geocoding tables in the library,you might want to restrict this in order toreduce memory consumption.

</preloadSettings>

</sbdfCache>

<scheduledUpdates>

concurrentUpdates 2 The maximum number of concurrentupdates that can be executed at the sametime. This is used to limit resources used bythe update mechanism. Min value is 1 andmax value is 10.

145

TIBCO Spotfire® Server and Environment Installation and Administration

Page 146: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

updateIntervalSeconds 60 How often the service should check if anyupdates should be run. This is set inseconds. Min value is 30, and max value3600 (=one hour).

<forcedUpdate>

enabled True It is possible to force updates upon userseven though the analysis is set to notify theusers. This is useful if someone has left ananalysis open for a long time and you wantto avoid numerous versions of the analysisto be kept simultaneously. To enable forcedupdates set this key to true.

maximumRejectedUpdates 2 Specify the number of times a user can benotified of new updates without acceptingthem, before the update is forced on theuser.

</forcedUpdate>

<stopUpdatesAfterRepeated

Fail>

enabled False Set this to true to limit the number of timesscheduled updates tries to update ananalysis if it has failed to do so. If false,scheduled updates will retry to update theanalysis until it succeeds.

failsBeforeStop 3 Specify the number of tries to update theanalysis before stopping.

stopOnlyWhenCached True Set to true to override failsBeforeStop ifthe analysis has not been cached. If theanalysis has not been cached, scheduledupdates will retry to update the analysisuntil it succeeds.

If set to false, scheduled updates will stoptrying to update the analysis, as specified infailsBeforeStop, regardless of if theanalysis is cached or not.

alwaysRetryWhenScheduled True Set to true to reset the counter forfailsBeforeStop each time the analysis isscheduled to be updated.

</

stopUpdatesAfterRepeatedF

ail>

146

TIBCO Spotfire® Server and Environment Installation and Administration

Page 147: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

<externalUpdate> For information on setting up externalupdates, see Creating a scheduled updateby using TIBCO EMS and Creating ascheduled update by using a SOAP webservice.

keepAliveMinutes 10 If a schedule has not been set up for when afile is to be pre-loaded, specify the numberof minutes the file should be kept alive.

</externalUpdate>

<cacheSettings>

enabled False If the Web Player service is restarted,analyses that are scheduled to be pre-loadedwill need to be reloaded. If the data used inthe analyses take a long time to load, so willthe analyses. Therefore, it is possible tocache data from scheduled analyses on diskto be able to reload the analyses faster onrestart.

Set this to true to enable caching of data ondisk.

path Specify the path on disk where data is to bestored.

maxDiskSizeMb 0 Specify the maximum disk space used forthe cached data. Set this to “0” (zero) tocache data without an upper limit.

maxAgeMinutes 1440 Specify how long a cache entry should bekept on disk if it has not been reloaded byscheduled updates.

</cacheSettings>

</scheduledUpdates>

<application>

useDefaultHelpUrl True Set this to false and specify a locally storedhelp in the helpUrl setting to change thetarget of the help link in the web client. Toswitch back to the default online web clienthelp, set this to true again.

147

TIBCO Spotfire® Server and Environment Installation and Administration

Page 148: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

helpUrl You can change the default help link for webclient users to point to a locally stored help.Specify the location of the locally storedhelp here. To use this specified help link,you must also set the useDefaultHelpUrlsetting to False.

</application>

</setup>

<userInterface>

<pages>

showLogout True Specify if the Log out menu item isdisplayed. If true, the menu item isdisplayed in the top right menu of the webclient.

showAbout True Specify if the About menu item is displayed.If true, the menu item is displayed in thetop right menu of the web client.

showHelp True Specify if the Help menu item is displayed.If true, the menu item is displayed in thetop right menu of the web client.

showUserName True Specify if the user name should appear inthe web clientuser interface, for instance inthe Modified By section in the librarybrowser and the Analysis Informationdialog.

</pages>

<diagnostics> This section is applicable for both WebPlayer services and Automation Services.

errorLogMaxLines 2000 Specify the maximum number of lines fromthe error log files to display in Monitoringand diagnostics. The range is 1000 - 50000.

</diagnostics>

<analysis>

showToolTip True Specify if highlighting tooltips should beshown in visualizations in the web client.Setting this value to false will increaseperformance.

148

TIBCO Spotfire® Server and Environment Installation and Administration

Page 149: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

showClose True Specify if the Close menu item is displayed.If true, the menu item is displayed in thetop right menu of the web client.

showToolBar True Specify if the tool bar containing the menuand other controls is displayed in the webclient.

showAnalysisInformationTo

ol

True Specify if the Analysis Information menuitem is displayed. If true, the menu item isdisplayed in the top right menu of the webclient.

showExportFile True Specify if the Download as DXP file menuitem is displayed. If true, the menu item isdisplayed in the top right menu of the webclient.

showExportVisualization True Specify if the Export Visualization Imagemenu item is displayed. If true, the menuitem is displayed in the top right menu ofthe web client.

showUndoRedo True Specify if the Undo and Redo menu itemsare displayed and if undo is available in thevisualization. If true, the menu item isdisplayed in the top right menu of the webclient.

showDodPanel "" Specify the behavior of the Details-on-Demand (DoD) panel.

If empty (""), the DoD panel is displayed ifthe author of the analysis file chooses todisplay the DoD panel.

If true, the DoD panel is always displayed.

If false, the DoD panel is never displayed.

showFilterPanel "" Specify the behavior of the Filter panel.

If empty (""), the Filter panel is displayed ifthe author of the analysis file chooses todisplay the Filter panel.

If true, the Filter panel is always displayed.

If false, the Filter panel is never displayed.

showPageNavigation True Specify if the Page tabs (or page links) inanalyses are displayed. If you set this tofalse only the currently active Page assaved in the analysis will be displayed.

showStatusBar True Specify if the status bar is displayed.

149

TIBCO Spotfire® Server and Environment Installation and Administration

Page 150: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

showPrint True Specify if the Print menu item is displayed.If true, the menu item is displayed in thetop right menu of the web client.

allowRelativeLinks False Specify if incomplete links in the SpotfireWeb Player should be treated as relative tothe library root directory. If false,incomplete links will be prepended withhttp://.

showShareWithTwitter True Specify if users should be able to shareanalyses on Twitter.

</analysis>

<customHeader>

enabled False Specify if a custom header is used in theweb client or not. Set this to true to enablethe custom header.

fileName Header.htm If you do not use cobranding in yourenvironment, but still want to use a customheader in the web client, you must specifythe name of the file that contains the customheader here. The name must match acustom header file that is placed in the <nminstallation dir>\nm\services\<service specific folder>\Resources directory.

Height 40 Specify the pixels for the height of thecustom header.

</customHeader>

<closedAnalysis>

showOpenLibrary True Specify if the Open Library link is displayedon the Closed Analysis page.

showReopenAnalysis True Specify if the Reopen Analysis link isdisplayed on the Closed Analysis page.

redirectToLibrary True Specify if the Closed Analysis page isdisplayed after an analysis is closed.

</closedAnalysis>

<errorPage>

showOpenLibrary True Specify if the Open Library link is displayedon an error page.

150

TIBCO Spotfire® Server and Environment Installation and Administration

Page 151: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

showReopenAnalysis True Specify if the Reopen Analysis link isdisplayed on an error page.

</errorPage>

</userInterface>

<performance>

<gcConfiguration> This section is applicable for both WebPlayer services and Automation Services.

sustainedLowLatencyMode True Enabling sustainedLowLatencyModeshould lead to fewer pauses during blockingGC, it may also lead to higher memoryusage since GC now becomes lessaggressive. When this setting is disabled, theInteractive latency mode is used.

</gcConfiguration>

<recoverMemory> This section is applicable for both WebPlayer services and Automation Services.

enabled True Enabling recoverMemory will help thesystem in the case where memory isexhausted and the last user session isremoved. This state may occur if GC wasnot triggered by the system when freeing uplarge resources.

The action can be specified with an integerdepending on the service's memory status:

0. Do nothing.

1. Run garbage collection GC2.

2. Recycle the process.

actionWhenOk 0 Specify action when memory is ok.

actionWhenStrained 0 Specify action when memory is strained.

actionWhenExhausted 1 Specify action when memory is exhausted.

minMinutesBetweenGc 60 Specify the minimum number of minutesbetween garbage collections.

minMinutesBeforeRecycle 300 Specify the minimum number of minutesbefore the process is recycled.

</recoverMemory>

151

TIBCO Spotfire® Server and Environment Installation and Administration

Page 152: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

<documentCache>

purgeInterval 300 Specify the number of seconds betweensearches to identify unused, opendocuments (templates) to be purged. Therange is 60 to 3600.

itemExpirationTimeout 00:00:00 Specify the length of time, in the formatHH:MM:SS, that a document can remain inthe cache when no open analysis is usingthat document template. Maximum value is23:59:59.

</documentCache>

<analysis>

antiAliasEnabled True Specify if anti-aliasing is enabled. It isrecommended that you leave anti-aliasingenabled in order to produce visualizationsthat are clear and sharp.

All graphics in the web client are renderedwith anti-aliasing enabled. However, anti-aliasing does impose a slight performanceimpact. The performance impact maybecome noticeable for visualizations thatconsist of a very large amount of graphicalobjects.

useClearType True Specify if ClearType is enabled. It isrecommended that you leave ClearTypeenabled in order to produce clear and sharptext in visualizations.

All graphics in the Spotfire Web Player arerendered with ClearType enabled. However,ClearType does impose a slight performanceimpact. The performance impact maybecome noticeable for certain visualizations.

documentStateEnabled True Specifies that the state of files is maintainedbetween sessions. If this value is set to true,when users resume working on a file, thefile will be in the state in which that user leftthe file.

closedTimeout 120 Specify how long, in seconds, an analysissession will stay alive when a ping fails. Therange is 60 to 600.

152

TIBCO Spotfire® Server and Environment Installation and Administration

Page 153: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

checkClosedInterval 60 Specify how often, in seconds, a checkshould be made if an analysis has beenclosed in the web client. The range is 60 to300.

inactivityTimeout 02:00:00 Specify the length of time, in the formatHH:MM:SS, that an analysis session can bealive when no user activity has beendetected, excluding pings. The range is00:01:00 to Infinite.

checkInactivityInterval 300 Specify how often, in seconds, a checkshould be made if an analysis session hashad no user activity, excluding pings. Therange is 60 to 12*3600.

regularPollChangesInterva

l

500 Specify the base interval, in microseconds,from when a change is made on the webclient to when the client polls for a statusupdate. The range is 200 to 1000.

maxPollChangesInterval 3000 Specify the maximum value, inmicroseconds, by which the poll interval inregularPollChangesInterval is increasedfor each try until this value is reached. Therange is 1000 to 10000.

pollLoadInterval 1000 Specify the interval, in microseconds,between polls when an analysis file isloading. The range is 1000 to 10000.

needsRefreshInterval 15 Specify the frequency, in seconds, withwhich the web client should ping or poll tokeep the analysis alive. The range is 10 to 60.

privateThreadPoolEnabled True This setting should not be edited, unlessinstructed by TIBCO Spotfire Support.

privateThreadPoolWorkerCo

unt

1 This setting should not be edited, unlessinstructed by TIBCO Spotfire Support.

toolTipDelay 1000 Specify the length of time, in microseconds,that the client must wait before requesting avisualization highlighting tooltip from theserver. The range is 200 to 3000.

undoRedoEnabled True Specify if the Undo and Redo functionalityis enabled.

153

TIBCO Spotfire® Server and Environment Installation and Administration

Page 154: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

maxRenderTimeMs 60000 Specify the time limit, in milliseconds, foreach request or render job is allowed tocreate an image on the web client for avisualization. You can use this setting toprevent long running requests or jobs frommaking the web client unresponsive.

maxAnalysisShutdownInform

ations

1024 When an analysis is closed, the reasons whyit was closed are stored and used when theanalysis is re-opened. This value specifiesthe maximum number of entries stored.

This setting should not bechanged.

</analysis>

<application> This section is applicable for both WebPlayer services and Automation Services.

checkUserSessionTimeoutIn

tervalSeconds

120 How often to check if a user has timed outon the service.

userSessionTimeout 00:20:00 How long a user is cached on the service.

maxConcurrentWebServiceCa

llsPerCall

16 Specify how many active web service callsare allowed per CPU core on the serviceinstance.

maxReceivedMessageSizeMb 64 Specify the maximum size of files uploadedto the service (Mb).

maxReaderQuotasSizeKb 256 Specify the maximum size of request andresponse messages sent to and from theservice.

requestTimeoutSeconds 300 Specify the timeout, in seconds, for requestsbetween the Spotfire Server and the service.This might need to be increased if large filesor data sets are uploaded to the service.

</application>

<performanceCounterLoggin

g>

This section is applicable for both WebPlayer services and Automation Services.

enabled True Enable or disable the logging of thespecified performance counters. The resultof this logging can be found in thePerformanceCounterLog.txt file specifiedin the log4net.config file.

154

TIBCO Spotfire® Server and Environment Installation and Administration

Page 155: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

cpuAverageTimeSpan 120 Specify the number of seconds to use for arolling average when calculating the CPUload. The calculated CPU load is used todetermine if the service instance isexhausted, strained, or ok.

logInterval 120 Specify the number of seconds between eachperformance counter logging at INFO level.

counters Add performance counters you wish to log,at both INFO and DEBUG level, separated by acomma “,”. Each counter consists of threeparts: category, counter, and instance,separated by a semi-colon “;”. Bothstandard Windows performance counters,as well as a set of internal TIBCO counters,may be included.

debugLogInterval 15 Specify the number of seconds between eachperformance counter logging at DEBUG level.

debugCounters Add additional performance counters youwish to log at DEBUG level, separated by acomma “,”.

</

performanceCounterLogging

>

<statistics> This section is applicable for both WebPlayer services and Automation Services.

flushInterval 60 Specify the number of seconds between eachlogging.

enabled True When true, enables logging of all the otherstatistics for the service. The result of thislogging can be found in the other log filesspecified in the log4net.config file.

</statistics>

<hierarchicalClustering> This section is applicable for both WebPlayer services and Automation Services.

maxInteractiveElements 2000 Specify the maximum number of rows orcolumns of a hierarchical clustering that canbe started interactively in the web client.

155

TIBCO Spotfire® Server and Environment Installation and Administration

Page 156: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Default Value Description

maxElements 30000 Specify the maximum number of rows orcolumns of a hierarchical clustering that canrun on the web client. Scheduled updatescan run hierarchical clustering up to thissize.

maxInteractiveJobs 2 Specify the maximum number of interactiveclustering jobs running in parallel.

cpuFactorInteractiveJobs 0.8 Specify an estimate of the number of threadsthat clustering will use for interactive jobson a multi-core server running the WebPlayer service.

cpuFactorLargeJobs 0.5 Specify an estimate of the number of threadsthat clustering will use for scheduled updatejobs on a multi-core server running the WebPlayer service.

nativeMemory 500 Specifies a memory limit, in MBytes, for theclustering algorithm. The default value 500(MBytes) matches maxElements = 30000.

</hierarchicalClustering>

</performance>

</spotfire.dxp.web>

Additional configurationYou can add to or change your Spotfire configuration by using the graphical configuration tool or thecommand-line tool, or by working directly in the configuration file.

Updating a server configuration in the graphical configuration toolYou can change a Spotfire Server configuration by using the configuration tool.

If you cannot run the graphical configuration tool on the Spotfire Server computer, see Running thegraphical configuration tool on a local computer.

Procedure

1. Open the configuration tool and sign in.

2. On the Configuration tab, make your changes.

3. Click Save.

4. Restart Spotfire Server.

156

TIBCO Spotfire® Server and Environment Installation and Administration

Page 157: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Updating a server configuration in the command-line toolYou can change a Spotfire Server configuration by running a series of commands in the command-linetool.

Procedure

1. Open a command-line interface.

2. Run the export-config command to export the configuration from the Spotfire database to aconfiguration file.> config export-config configuration.xml where "configuration.xml" is optional and the -f(--force) option is not applied.

3. Update the configuration in the configuration file using selected commands.> config config-auth --configuration=configuration.xml --auth-method=BASIC --

jaas-database where "--configuration=configuration.xml" is optional.

4. Run the import-config command to import the updated configuration file into the Spotfire database.> config import-config --comment="Switched to BASIC authentication using the Spotfire Database authentication source" configuration.xml

where "configuration.xml" is optional.

5. Optional: Restart the server(s).

6. Remove the configuration.xml file or restrict access to it.

Do not remove the bootstrap.xml file.

Manually editing the Spotfire Server configuration fileBefore editing the Spotfire Server configuration file you must export its contents to an XML file.

Procedure

1. On the computer running Spotfire Server, open a command-line interface and go to the followingdirectory: <installation dir>/tomcat/bin.

2. Export the configuration to a configuration.xml file by using the export-config command.The configuration.xml file appears in your working directory.

3. Open configuration.xml in a text editor and make your changes.

4. When you've finished, save and close the file.

5. Import the configuration file back into Spotfire Server by using the import-config command.

6. Restart Spotfire Server; for instructions, see Start or stop Spotfire Server.

Result

The imported configuration becomes the active configuration for that server or cluster.

Configuring a specific directory for library import and exportYou can change the directory that Spotfire uses for library import and export if the default directory isinconvenient. For most purposes this setting does not need to be changed.

Procedure

● You can set a new library directory by using either the graphical configuration tool or thecommand-line tool:

157

TIBCO Spotfire® Server and Environment Installation and Administration

Page 158: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● In the graphical configuration tool, the Library Directory panel is at the bottom of theConfiguration tab.

● In the command-line tool, use the config-import-export-directory command.

Enabling cached and precomputed data for scheduled update filesDisk caching and precomputations of data shorten the time it takes for an updated analysis to reopen ina Spotfire Web Player after the analysis is closed. This feature is disabled by default. It is enabled at theservice level by editing the Spotfire.Dxp.Worker.Web.config file for each installed web clientservice.

You then have the option of turning the feature off for individual files (see Disallowing cached andprecomputed data in individual scheduled update files).

Procedure

1. Open a command line and export the service configuration by using the export-service-configcommand.

2. Open the Spotfire.Dxp.Worker.Web.config file in a text editor or XML editor and locate thefollowing section. By default, this file is located in the <install dir>\tomcat\bin\config\rootdirectory.<scheduledUpdates concurrentUpdates="2" updateIntervalSeconds="60"> <forcedUpdate enabled="true" maximumRejectedUpdates="2"/> <externalUpdate keepAliveMinutes="10"/> <stopUpdatesAfterRepeatedFail enabled="false" failsBeforeStop="3" stopOnlyWhenCached="true" alwaysRetryWhenScheduled="true"/> <cacheSettings enabled="false" path="" maxDiskSizeMb="0" maxAgeMinutes="1440"/> </scheduledUpdates>

3. In the line <cacheSettings enabled="false" path="" maxDiskSizeMb="0"maxAgeMinutes="1440"/>, make these changes:

● Set cacheSettings enabled to "true".● Set path to the path on disk where the data is to be stored.For information on the other settings, see Spotfire.Dxp.Worker.Web.config.

4. Import the configuration back into Spotfire Server by using the import-service-config command.

5. Assign the edited service configuration to the Spotfire Server by using the set-service-configcommand.Example:set-service-config --service-id=6610a31b-1a2a-4497-b146-cee797f9b6a7

Disabling the attachment manager cacheBy default the Spotfire attachment manager caches library content and the results of information linkexecutions when downloading or saving large amounts of data. You can disable the attachmentmanager cache by editing the configuration.xml file

Procedure

1. See Manually editing the Spotfire Server configuration file for general instructions.

2. In the configuration.xml file, locate the following section and set <content-caching-enabled>to "false":<library> <import-export-path>default</import-export-path> <content-caching-enabled>true</content-caching-enabled> <max-number-concurrent-imports-and-exports>3</max-number-concurrent-imports-

158

TIBCO Spotfire® Server and Environment Installation and Administration

Page 159: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

and-exports> </library>

3. Then locate the <information services> section and set <result-caching-enabled> to "false".

159

TIBCO Spotfire® Server and Environment Installation and Administration

Page 160: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Post-installation steps

After Spotfire Server is installed and configured, the Spotfire administrator must complete these setuptasks before end users can access and work in Spotfire.

1. Install Spotfire Analyst on a computer for the administrator to use.

Steps 3 and 4 in this list require Spotfire Analyst.

2. Set up users and groups; see User administration and Group administration for details.

3. Assign licenses and preferences to groups; use the Administration Manager in Spotfire Analyst toaccomplish these tasks.

For a description of the licenses and preferences, see the Administration Manager help.

4. Set up the Spotfire library using Spotfire Analyst.

160

TIBCO Spotfire® Server and Environment Installation and Administration

Page 161: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Administration

Administrators can perform most management tasks in Spotfire Server, including creating users andgroups, deploying software updates, and managing and monitoring software configurations.

To set licenses and preferences, however, and to manage the library, use Spotfire Analyst.

Spotfire Analyst currently offers the same administrative functionality as its previous version, but as ofthe 7.5 version, Spotfire Server offers a new, streamlined interface and easy access to both new andexisting features.

Opening Spotfire ServerYou can access Spotfire Server through a browser on any computer in the domain.

There are two ways to open Spotfire Server:

● On the computer running Spotfire Server, click Start, go to the Spotfire Server folder, and clickTIBCO Spotfire Server.

● On any computer in the domain, go to http://servername:port/spotfire.

If you work in a clustered environment, it does not matter which server in the cluster you use. Changesmade to one server are stored in the Spotfire database and are available to all servers. If your clustereddeployment includes a load balancer, use the load balancer hostname in place of servername in thesecond method.

Nodes, services, and resource poolsIn Spotfire Server you can enlarge or scale down your implementation as needed, as well as create andmanage resource pools. Resource pools are used in routing rules to direct Spotfire traffic to specific serviceinstances.

For more information, see Nodes and services introduction, Installation of node managers, services,and service instances, and Routing rules.

Creating a resource poolIf you want a certain analysis, or all analyses requested by certain users, to open on specific instances ofthe Spotfire Web Player, create a resource pool that contains the selected instances and use it in arouting rule.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. Under Select a view, select Resource pools.

3. Click Create resource pool.

4. In the Create new resource pool dialog, enter a name for the pool and click Save.The new resource pool is displayed in the list on the left.

5. To add Spotfire Web Player instances to the pool, under Select a view, select Nodes.

6. In the list on the left, select the service or instance that you want to add to the pool. Selecting aservice selects all the instances of that service.

7. In the upper-right pane, click Edit.

8. In the Edit dialog that opens, do one of the following:

161

TIBCO Spotfire® Server and Environment Installation and Administration

Page 162: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● In the Edit service dialog, under Resource pool, select the pool you want to use.

● In the Edit instance dialog, under Resource pool, select Specify resource pool, click Selectresource pool, and then select the pool you want to use.

9. Click Save.

Adding or removing resources from a resource poolTo respond to changing needs in your organization, you can adjust the contents of resource pools at anytime.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. Under Select a view, select Nodes.

3. In the list on the left, select the service or instance that you want to add to or remove from the pool.Selecting a service selects all the instances of that service.

4. In the upper-right pane, click Edit.

5. In the Edit dialog that opens, do one of the following:

● In the Edit service dialog, under Resource pool, either select the pool to which you want to addthe service, or select [None] to remove the service from the pool.

● In the Edit instance dialog, under Resource pool, select Specify resource pool, click Selectresource pool, and then either select the pool to which you want to add the instance, or select[None] to remove the instance from the pool.

6. Click Save.

Updating node managersWhen you add a node manager software update (hotfix) to the appropriate deployment area, anUpdate button is displayed in the information pane for each affected node.

Not all node manager hotfixes are implemented in this way. Make sure to follow the instructions thatare included with every hotfix download.

Prerequisites

The software update is in the node manager's deployment area; for instructions, see Adding softwarepackages to a deployment area.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, click Nodes, and then select the node you want toupdate.The Update button is visible in the upper-right pane.

3. Click Update, and then in the confirmation dialog, click Update again.

It may take a while for the check mark to reappear next to the name of the node manager,and the Roll back button to appear in the upper-right pane. During this time, any servicesrunning on that node manager are stopped, and the users of that service are interrupted.

You can view the status of the current activity and details about recent activity on theActivity page of Nodes & Services.

162

TIBCO Spotfire® Server and Environment Installation and Administration

Page 163: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Rolling back a node manager updateAfter updating a node manager, you have the option of undoing the update and returning to theprevious version of the node manager.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, click Nodes, and then select the node manager thatwas updated.The Roll back button is visible in the upper-right pane.

3. Click Roll back, and then in the confirmation dialog, click Roll back again.

It may take a while for the check mark to reappear next to the name of the node.

Updating servicesWhen you add a software update for a service (Spotfire Web Player or Spotfire Automation Services) tothe appropriate deployment area, an Update option becomes available in the information pane for eachaffected service.

Prerequisites

The software update is in the service's deployment area; for instructions, see Adding software packagesto a deployment area.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, click Nodes, and then select the service that youwant to update.

3. In the upper-right pane, click More actions and then click Update service. When prompted, clickUpdate.

The existing service continues running while the new installation is added to a newdirectory on the node.

● The status "DEPRECATED" appears for each service instance that is running under the existingservice. This means that no further requests will be routed to the service.

● A new service containing the new deployment is created, in parallel to the one you selected.Wait for it to become active, indicated by the green icon next to it.

4. When the new service is active, make sure that the original service is still selected (the service youselected in step 2). To move the old service instances to the updated service, click Migrate, andwhen prompted click Migrate again.

The new service duplicates the settings of the old service, including its name, resourcepools, and ports.

You can view the status of the current activity and details about recent activity on theActivity page of Nodes & Services.

Result

In the left pane, the new, updated service appears under the service that you are updating. Its name isthe same as the old service, followed by "(NEW)". The service instances have been moved to this

163

TIBCO Spotfire® Server and Environment Installation and Administration

Page 164: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

service, but the old service and service instances are still running. To remove the old service instancesfrom the implementation, see Shutting down a service instance.

If you delete the old service you will not be able to roll back the service to its previous version.

Rolling back a service updateAfter updating a service, you have the option of undoing the update and returning to the previousversion of the service.

The old version of the service is still visible on the Nodes & Services page.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, click Nodes, and then select the service that wasupdated (its name ends with "(NEW)".

3. In the upper-right pane, click More actions and then click Roll back.Spotfire Server moves the service instances back to the previous version of the service. The newversion remains in the list until you delete it.

The rollback may take a while.

Shutting down a service instanceIf you want to shut down a service instance because it is not needed, for example, or because you wantto run it on a different node, you can shut the service down without disturbing the work of end users.You can also shut it down immediately.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, select Nodes.

3. In the left pane, expand the entries under the node manager and select the service instance that youwant to shut down.

4. In the right pane, click Shut down and then do one of the following:

● If you want the instance to continue running for awhile, click Schedule and then enter thenumber of hours and minutes you want Spotfire Server to wait before shutting it down.

Before the shutdown, any users on that service instance are notified that the instancewill be shutting down; this gives them time to save their work.

● If you want the instance to shut down immediately, click Immediately.

End users who are on this service instance will lose any unsaved work.

Revoking trust of a nodeYou may want to remove the authorization of a node because you are upgrading your hardware, forexample, or down-scaling your network, or if you see an unusual error and want to reset the computer.

164

TIBCO Spotfire® Server and Environment Installation and Administration

Page 165: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

This immediately shuts down any services that are running on the node, and disables all managementoptions for the node except re-trusting it.

Procedure

1. Log in to Spotfire Server and click Nodes & Services.

2. On the Your network page, under Select a view, select Nodes.

3. In the left pane, select the node whose trust you want to revoke, and in the upper-right pane clickRevoke trust.

Result

The node moves from the Your network page to the Untrusted nodes page.

User administrationIf the user accounts for your Spotfire implementation are manually added to the database (rather thansynchronized with an external directory such as LDAP), user administration takes place in SpotfireServer.

User accounts that are automatically created by Spotfire Server, such asautomationservices@SPOTFIRESYSTEM, cannot be deleted and their names cannot be changed.

For more information about users, see Users & groups introduction.

Creating a new Spotfire userIf your Spotfire implementation is configured for Spotfire database authentication, you can add newusers in Spotfire Server. (To import and export users, use the Administrator Manager in SpotfireAnalyst.)

Externally synchronized users are managed in that context and not within the Spotfire system..

Procedure

1. Log in to Spotfire Server. (For instructions on accessing the server, see Opening Spotfire Server.)

2. Click Users & Groups.

3. Under Select a category, select Users.

4. At the top of the pane, click Create new user.

5. In the New user dialog, enter the user name and password.

6. Re-type the password, enter an email address (optional), and click Save.

Result

The new user is displayed in the Users list, and the Groups list in the lower right pane indicates thatthe user belongs to the Everyone group.

Adding a user to one or more groupsA user can belong to one or many groups. A user who is an explicit member of a group is also, byinheritance, a member of that group's parent groups.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

165

TIBCO Spotfire® Server and Environment Installation and Administration

Page 166: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. Under Select a category, select Users.

3. Highlight the name of the user that you want to add to groups.

4. In the Groups pane on the right, click Add.

5. In the Select groups for user to join dialog, select the check box next to the groups to which youwant to add the user.

6. Click Save.

Result

The selected groups are displayed in the user's Groups list.

Removing a user from one or more groupsYou can remove a user from a group to remove the user's access to the licenses that are enabled for thatgroup.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Users.

3. In the left pane of the Users page, highlight the user who you want to remove from a group.

4. In the lower right pane, under Groups, select the check box of the groups from which you want toremove the user.

5. Click Remove.

Result

The selected groups no longer appear in the user's Groups list.

Changing a user's name, password, or emailYou can change user properties in Spotfire Server.

Externally synchronized users are managed in that context and not within the Spotfire system.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Users.

3. Highlight the name of the user whose properties you want to change.

4. In the upper-right corner of the page, click Edit.

5. In the Edit user dialog, make your changes. (Select the Change password check box to create a newpassword.)

6. When you've finished, click Save.

Disabling a user accountDisabling a user account makes it impossible for the user to log in to Spotfire, but keeps their record inthe system for reference or for enabling them again in the future.

Externally synchronized users are managed in that context and not within the Spotfire system..

166

TIBCO Spotfire® Server and Environment Installation and Administration

Page 167: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

● In the command-line configuration tool, use the enable-user command.For more information about the command-line tool, see Configuration using the command-lineconfiguration tool.

Deleting users from the systemTo permanently remove users from your Spotfire implementation, delete them. However, if you want todeny them access to Spotfire but keep their records in the system, you can disable their accountsinstead.

Externally synchronized users are managed in that context and not within the Spotfire system..

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Users.

3. Select the check box next to the user or users that you want to delete.

4. Click the Delete checked users button.

Group administrationMost group administration takes place in Spotfire Server. Managing licenses and preferences, however,takes place in the Administration Manager in Spotfire Analyst.

For groups that are synchronized from an external source such as an LDAP directory, certain tasksincluding adding and removing members of the synchronized group, take place in the externalenvironment and not within the Spotfire system.

For more information about groups, see Users & groups introduction.

Roles and special groupsSpotfire includes a number of special groups that are present at installation and cannot be removed.They define standard roles for administering and using Spotfire.

Each special group enables a set of licenses that correspond to an administrative or user role. To assigna role to a user, simply add the user to one of the special groups. Note that some roles require not onlymembership in the special group, but also that a specific license be enabled for the group. Licenses areset in the Administration Manager in Spotfire Analyst.

Role Description

Administrator All users who need administrator privileges on Spotfire Server, includingthe ability to manage users and groups, must belong to this group.Membership in this group grants all permissions described below inaddition to administration of preferences, licenses, and the user directory.

This group must also have the Spotfire Administrator licenseenabled to fully administer the Spotfire system (to access theAdministration Manager tool in Spotfire Analyst as well as allareas of Spotfire Server).

167

TIBCO Spotfire® Server and Environment Installation and Administration

Page 168: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Role Description

Library Administrator Membership in this group grants full permission to the library. Itoverrides all folder permissions set in the library, granting full controlover content. It also includes the permission to import and export librarycontent. All users and groups that need administrative privileges in thelibrary must belong to this group or the Administrator group.

This group must also have the Spotfire Library Administratorlicense enabled to be able to administer the library (to getaccess to the Library Administration tool in Spotfire Analyst).

DeploymentAdministrator

Membership in this group grants permission to deploy packages to theserver. Note that these users can deploy to any area on the server, as wellas delete any existing deployment.

Members of this group can access the Deployments & Packages area ofSpotfire Server.

DiagnosticsAdministrator

Membership in this group grants permission to view server logs anddiagnostics, as well as to set logging configurations.

Members of this group can access the Monitoring & Diagnostics area ofthe server.

Scheduling and RoutingAdministrator

Membership in this group grants permission to create scheduled updatesand routing rules.

Members of this group can access the Scheduling & Routing area of theserver.

Scheduled UpdatesUsers

The account that executed scheduled updates must be a member of thisgroup. By default, the account scheduledupdates@SPOTFIRESYSTEM isa member of this group.

Automation ServicesUsers

Membership in this group grants permission to execute AutomationServices jobs on the server, using the Job Builder or the Client Job Sender.

Custom Query Author Membership in this group grants permission to create and sign customqueries for data access using data connections.

Script Author Membership in this group grants permission to author scripts.

The user must also have the Author Scripts license in order toauthor scripts.

Scripts that are executed by Spotfire Server can essentially doanything that deployed packages can do. Therefore you shouldonly grant this permission to trusted users.

API User All users who require access to the Spotfire Server public Web ServiceAPI must be members of the API User group.

Everyone This group always contains all users in the Spotfire implementation. Nousers can be removed from this group, but you can set licenses for thegroup if you want to.

168

TIBCO Spotfire® Server and Environment Installation and Administration

Page 169: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Role Description

System Account This group cannot be edited. It contains the system accounts that areused internally in the Spotfire environment.

Creating a new groupYou can create a group at the top level of the groups hierarchy, or as a subgroup of an existing group. Asubgroup inherits all the settings of its parent group or groups. (To import and export groups, use theAdministrator Manager in Spotfire Analyst.)

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. At the top of the pane, click Create new group.

4. In the Create group dialog, enter a name for the group.

5. Do one of the following:

● To create a group at the top level, click Save.

● To create a subgroup, select the Add new group to existing groups check box, select the checkbox for the group or groups to which you want to add the new group, and then click Save.

Result

The new group is displayed in the Groups list. When you highlight the group, any groups to which itbelongs are displayed under Parent groups in the right pane.

What to do next

Assign licenses to the group.

Licenses and preferences are set in the Administration Manager in Spotfire Analyst.

Adding users to a groupYou can add any number of Spotfire users to a group at the same time.

Externally synchronized groups are managed in that context and not within the Spotfire system..

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. In the left pane of the Groups page, highlight the group to which you want to add members.

4. In the Members pane on the right, click Add users.

5. In the Select users to add to group dialog, select the check box next to the user or users that youwant to add to the group, and then click Save.

Result

The added users are displayed in the Members list.

169

TIBCO Spotfire® Server and Environment Installation and Administration

Page 170: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Adding groups to a groupAdding one group to another group creates a hierarchy of groups where a user who is an explicitmember of the child group is also, by inheritance, a member of the parent group.

Externally synchronized groups are managed in that context and not within the Spotfire system.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. In the left pane of the Groups page, highlight the group to which you want to add other groups.

4. In the Members pane on the right, click Add groups.

5. In the Select groups to add to group dialog, select the check box next to the group or groups thatyou want to add to the group, and then click Save.

Result

The added groups are displayed in the Members list.

Assigning a primary group to a subgroupWhen a group has several parent groups, different values may be set for the same license or preferenceitem in two or more parent groups. To ensure that the child group inherits the default settings of aparticular parent group, set that group as the primary group.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. Highlight the name of the group to which you want to assign a primary group.

4. In the upper-right pane, click Edit.

5. In the Edit group dialog, under Assign primary group, select the primary group for the highlightedsubgroup.

6. Click Save.

Result

In the upper-right pane, the selected group is listed as the primary group.

Assigning a deployment area to a groupFor users to have access to a deployment, you must assign the deployment area that contains thedeployment to the appropriate groups. If no deployment area is set for a group, the group members areassigned the default deployment area.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. Highlight the name of the group to which you want to assign a deployment area.

170

TIBCO Spotfire® Server and Environment Installation and Administration

Page 171: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

4. In the upper-right pane, click Edit.

5. In the Edit group dialog, under Assign deployment area, select the deployment area for the group.

6. Click Save.

Result

The selected deployment area is displayed under Deployment area in the upper-right pane.

Renaming a groupYou can rename only those groups that were added to Spotfire Server after installation. The groups thatSpotfire creates automatically, such as Administrator and Script Author, cannot be renamed. Also,externally synchronized groups cannot be renamed in the server.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. Highlight the name of the group that you want to rename.

4. In the upper-right pane, click Edit.

5. In the Edit group dialog, under Name, enter the new name.

6. Click Save.

Removing members from a groupMembers of a Spotfire group can be either users or other groups.

Externally synchronized groups are managed in that context and not within the Spotfire system.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. In the left pane of the Groups page, highlight the group from which you want to remove members.

4. In the right pane, under Members, select the check box of the users or groups that you want toremove.

5. Click Remove.

Result

The members you removed no longer appear in the Members list.

Deleting groups from the systemDeleting a group does not delete any of its members from Spotfire; only the group itself is deleted. Allusers and groups that are members of the deleted group remain in the system. Subgroups that losetheir parent group are automatically placed at the top level of the group hierarchy.

There is no recursive delete function that deletes an entire branch of the hierarchy.

You cannot delete any of the roles and special groups that Spotfire creates automatically at installation.

171

TIBCO Spotfire® Server and Environment Installation and Administration

Page 172: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Externally synchronized groups are managed in that context and not within the Spotfire system.

Procedure

1. Log in to Spotfire Server and click Users & Groups.

2. Under Select a category, select Groups.

3. In the left pane of the Groups page, select the check box next to the group or groups that you wantto delete.

4. At the top of the left pane, click Delete checked groups.

Result

The deleted groups no longer appear in the Groups list.

Deployments and deployment areasTo deploy Spotfire software, the administrator places software packages in a deployment area and assignsthe deployment area to particular groups.

If a new deployment is available when a user logs in to a Spotfire client, the software packages aredownloaded from the server to the client.

Deployments are used:

● To set up a new a new Spotfire system.

● To install a product upgrade, extension, or hotfix provided by Spotfire.

● To install a custom tool or extension.

A group of software packages (.spk files) can be bundled together into a distribution (.sdn file). Adistribution can be copied to create a new deployment area, or downloaded for deployment to anotherSpotfire Server.

Every user is associated with at least one deployment area; by default, this is the Production area that iscreated when you install Spotfire Server, but you can designate any area as the default.

Some users have access to more than one deployment area because they belong to several groups thatare associated with different deployment areas. In this case, users are prompted to choose adeployment area when they log in to the Spotfire client.

Whether a user has access to a particular feature contained in a distribution depends on the licensesthat are assigned to that user's groups. For more information, see Licenses and preferencesintroduction.

Administrators usually create a Test deployment area to use as a staging server; when the new softwarehas been thoroughly tested in their Spotfire environment, the distribution is copied to a productionarea.

Creating a new deployment areaDeployment areas contain software packages that you make available to certain groups. You can createa new deployment area for a Spotfire update or extension, for custom tools created in yourorganization, and so on.

Procedure

1. Log in to Spotfire Server. (For instructions on accessing the server, see Opening Spotfire Server.)

2. Click Deployments & Packages.

172

TIBCO Spotfire® Server and Environment Installation and Administration

Page 173: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the Deployment areas pane, click Add.

4. In the Add area dialog, enter a name for the new area.

Deployment area names are case insensitive and have a maximum length of 25 characters.These are the valid characters:● a - z

● 0 - 9

● The underline character _

● The dash character -

5. Click Add area.

Result

The new deployment area is displayed in the Deployment areas list.

Adding software packages to a deployment areaWhen Spotfire releases updates, or if your company creates custom tools or other software elements,the administrator adds these to a deployment area so that they can be uploaded to Spotfire Server. Thenthe server distributes the new software to the appropriate groups, as selected by the administrator.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. In the left pane, under Deployment areas, select a deployment area.

It is recommended that you first test the software on a deployment area that is not inproduction.

3. Optional: If the deployment area contains any software packages that are not currently needed,delete them. (For instructions, see Removing software packages from a deployment area.)

4. In the Software packages pane, click Add packages.

5. In the Add packages dialog, click Choose File, locate and select the file you want to add, and clickOpen.

6. In the Add packages dialog, click Upload.The added packages are displayed in the Software packages pane.

If you want to start over again, you can return to the last saved version of the deploymentarea by clicking Revert all.

7. To confirm that the packages are error-free, in the Software packages pane click Validate.

8. To save the new packages, click Save.

9. In the Save deployment dialog, if you want the Spotfire clients to automatically accept the updatewhen they are opened (rather than having the user decide when to accept the update), select theForce client update check box.

10. Click Save.

173

TIBCO Spotfire® Server and Environment Installation and Administration

Page 174: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Copying a distribution to another deployment areaYou can copy a distribution from one deployment area to another when you are ready to move it from atest area to a production area, or if you want to create a new deployment based on an existing one.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. Under Deployment areas, select the deployment area that contains the distribution you want tocopy.

3. In the Information pane to the right, click Copy distribution.

4. In the Copy distribution dialog, do one of the following:

● Select the existing deployment area to which you want to add the distribution, and then clickCopy.

● Create a new deployment area to hold the distribution by clicking the To new area tab, enteringa name for the area, and clicking Copy.

Result

When you select the deployment area in the Deployment areas pane, the copied software packages aredisplayed under Software packages.

Exporting a distributionYou can download a local copy of a distribution (.sdn file) for deployment to another Spotfire Server.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. Under Deployment areas, select the area that contains the distribution that you want to export.

3. In the Information pane to the right, click Export distribution.

Changing the default deployment areaThe default deployment area is available to all groups for which no deployment area has been set.During installation, Spotfire Server adds a "Production" deployment area and sets it as the default, butyou can change the default area to give users access to new software packages.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. In the Deployment areas pane, select the deployment area you want to set as the default.

3. In the upper-right pane, click Make default.

Renaming a deployment areaYou can rename any deployment area in your system.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

174

TIBCO Spotfire® Server and Environment Installation and Administration

Page 175: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. In the Deployment areas pane, select the deployment area you want to rename.

3. In the Information pane to the right, click Rename.

4. In the Rename deployment area dialog, enter a new name.

Deployment area names are case insensitive and have a maximum length of 25 characters.These are the valid characters:● a-z

● 0-9

● The underline character _

● The dash character -

5. Click Rename.

Removing packages from a deployment areaYou can edit the contents of any of your deployment areas.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. In the Deployment areas pane, select the deployment area from which you want to removepackages.

3. In the Software packages pane, select the check boxes for the packages you want to remove, andthen click Remove packages.

Clearing a deployment areaIf you want to create a new deployment in an existing deployment area, you can clear the area of itscontents.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. In the Deployment areas pane, select the deployment area that you want to clear.

3. In the Software packages pane, click Clear area.

Deleting a deployment areaYou can delete a deployment area that is no longer needed. The software packages in that area will beremoved as well.

Procedure

1. Log in to Spotfire Server and click Deployments & Packages.

2. In the Deployment areas pane, select the check box in front of the deployment area you want todelete.

It is not possible to delete the area that is set as the default deployment area.

3. In the Deployment areas pane, click Delete.

175

TIBCO Spotfire® Server and Environment Installation and Administration

Page 176: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Scheduled updates to analysesFor analyses that contain links to large amounts of data, downloading fresh data can take a significantamount of time. Scheduled updates save time by downloading the latest data before users need it.

Based on settings in Spotfire Server, or on messages that the server receives from an external source,selected analyses can be pre-loaded with fresh data, stored on specific Spotfire Web Player instances,and then made available to users as needed.

For example, in the case of sales data that is tallied at the end of the day, you could schedule the updateto occur overnight so that users can quickly access the analysis first thing in the morning, when they login. Or, in the case of a large analysis that users tend to refer to several times during the day, you couldschedule an update every 20 minutes.

You can trigger updates in two ways:

● In Spotfire Server you can create rules that specify the analysis to pre-load, when to do it, whetherthe new data is automatically displayed to the end user, and so on.

● Using TIBCO Enterprise Message Service™ (EMS) or a web service, you can create "event-drivenupdates" that are triggered by an external process. For more information about event-drivenupdates, see Creating a scheduled update by using TIBCO EMS or Creating a scheduled update byusing a web service.

When scheduling an update in Spotfire Server, you can configure the following options:

● The days of the week that the update runs.● The times of day between which it runs.● The amount of time between each update.● The resource pool on which to open the analysis, and the number of Spotfire Web Player instances

that should be available for users opening the analysis.● Whether the updated data is automatically displayed in the user's copy of the analysis, or the user

decides when to refresh the information.● Whether to allow cached and pre-computed data when the analysis is reopened.

In the Rules list, you can identify scheduled updates (as opposed to routing rules) by their Type (File)and the fact that a schedule is displayed under Schedule in the list.

You can also view the Activity and Notifications pages in Scheduling & Routing to monitor job status.

Creating a scheduled update by using Spotfire ServerIn Spotfire Server, you can configure and run automated data updates to existing analyses. This savestime for end users because they do not have to wait for the new data to download when they open theanalysis.

Prerequisites

● The analysis file to be updated must be in the Spotfire library.● The scheduled updates user service account (scheduledupdates@SPOTFIRESYSTEM) must have the

following library permissions:

— Browse & Access permissions to the analysis.— Permissions to access the folder(s) that hold the information link object.— Permission to access the data source object.

To set library permissions, use the tools in Spotfire Analyst.

176

TIBCO Spotfire® Server and Environment Installation and Administration

Page 177: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Alternatively, you can use the copy-library-permissions command to copy librarypermissions from another user or group.

The following tasks are optional, but you may want to complete them before creating the scheduledupdate:● If you want this update to run according to a schedule (or several schedules) that you plan to reuse,

create the schedules first; for instructions, see Creating a schedule.

● If you want the updated file to open on specific instances of the Spotfire Web Player, create a resourcepool containing those instances; for instructions, see Creating a resource pool.

If you are creating a scheduled update for an analysis that is based on data from a prompted orpersonalized information link, see Scheduled updates with prompted or personalized informationlinks.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. In the Rules pane, click Create rule.

3. Under Type, select File, and then click Next.

4. Enter a name for the rule and select the file that you want to update.

5. Under Select resource pool, do one of the following:

● If you do not want to set a specific resource pool on which to open the analysis, leave the defaultrouting selected.

● If you want the analysis to open on a specific resource pool, select it.

If a scheduled update rule indicates that a file should open on a specific resource pool,this rule overrides any routing rules (for a group or an individual user) that specify adifferent resource pool for the user who opens the updated file.

6. Optional: Set a priority. This setting comes into effect if two or more scheduled updates arescheduled to occur at the same time. 0 is the highest priority.

7. To set a schedule, do one of the following:

● To update the analysis based on a schedule that has already been created or several schedules,select Use existing schedule and then, in the Select schedule dialog, select the schedule orschedules that you want to use.

● To create a "unique schedule" for this rule (a schedule that will not be available for reuse), selectCreate new schedule. For instructions on setting up the schedule, see Creating a schedule.

8. If you want the rule to be disabled initially, select the Disable rule check box in the bottom right ofthe dialog. You can enable the rule later on the Scheduling & Routing page.

9. Optional: If you want to set the number of Spotfire Web Player instances for this rule, switch theclient update method from automatic to manual, or disallow cached and pre-computed data, clickAdditional properties. (For details, see Setting additional properties for scheduled updates.)

10. In the Create rule dialog, click Save.

If you are unable to save the information you entered, and your library files are storedexternally on Amazon Web Services S3 (AWS), see Forcing Java to use IPv4.

Result

The rule is displayed in the Rules list.

177

TIBCO Spotfire® Server and Environment Installation and Administration

Page 178: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Additional settings for scheduled updates

In addition to basic information about the analysis that you want to update and when you want theupdate to occur, several additional property settings are available in Spotfire Server.

Setting the number of Spotfire Web Player instances to make available for a scheduled update

By default Spotfire Server uses one of the available Spotfire Web Player instances when users open ascheduled update file. To load balance or to change the resource load of a particular analysis, theadministrator can set the number of instances on which the updated analysis can open.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Do one of the following:

● If you want to change this property for an existing scheduled update, under Rules select theupdate and click Edit.

● If you are creating a new scheduled update, at the bottom of the second Create rule dialog, clickAdditional properties.

3. In the Additional properties dialog, under Number of instances select a number.

4. Click Update and then Save.

Switching the scheduled update method from automatic to manual

When the scheduled update method is set to manual, users decide when to incorporate new data in theanalysis.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Do one of the following:

● If you want to set this property for an existing scheduled update, under Rules select the checkbox next to the update rule and click Edit.

● If you are creating a new scheduled update, at the bottom of the second Create rule dialog, clickAdditional properties.

3. In the Additional properties dialog, under Update method, indicate how users should receive theupdated data:

● Automatic—The new data is automatically displayed in the analysis when a user opens it.

● Manual—A Refresh icon on the title bar of the analysis indicates that an updated version isavailable. When the user clicks the icon, the analysis is updated.

4. Click Update and then Save.

Disallowing cached and precomputed data in individual scheduled update files

If your Spotfire environment is set up to use disk caching and precomputations of data to shorten thetime it takes for an updated analysis to reopen in a Spotfire Web Player after the analysis closes, this

178

TIBCO Spotfire® Server and Environment Installation and Administration

Page 179: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

setting may prevent the latest data from appearing in the reopened analysis. You can turn this settingoff for individual scheduled update files.

By default, cached and precomputed data is not enabled. To enable this feature, see Enabling cachedand precomputed data for scheduled update files.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Do one of the following:

● If you want to change these properties for an existing scheduled update, under Rules select theupdate, click Edit, and then click Additional Properties.

● If you are creating a new scheduled update, at the bottom of the second Create rule dialog, clickAdditional Properties.

3. In the Additional properties dialog, under Caching, clear the check boxes of the settings you wantto turn off.

4. Click Update and then Save.

Result

The analysis will always reflect the latest data but it may reopen more slowly.

Scheduled updates with prompted or personalized information links

Scheduled updates are intended mainly for use with analyses that were set up using ordinaryinformation links to load data. If you set up scheduled updates for an analysis that is based on datafrom a prompted or personalized information link, there are special issues to consider.

When a user opens an analysis that is based on a prompted information link, the user selects a certainview of the data to be loaded. In the same way, when a user opens an analysis that is based on apersonalized information link, the data loaded is determined by the permissions of the user who logsin.

However, when a scheduled update of this file occurs, the update causes the analysis to reload based onthe prompted values that were specified when the file was originally saved, and the permissions of theuser that the administrator set up to programmatically run the scheduled update. This means that userswith an analysis already open will see a different selection of data the next time that they update theanalysis because the scheduled update has in fact updated the underlying data on the server.

You should be especially careful when setting up scheduled updates for analyses with personalizedinformation links. If the user you specify for the scheduled updates has access to more data than theintended end users of the analyses, these end users may see more data than they have access to; theywill see all the data that is available to the user specified for scheduled updates.

Editing a scheduled update

You can edit most properties of a scheduled update at any time. To change the analysis file or theresource pool in a scheduled update, however, you must first disable the rule.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. In the Rules pane, select the scheduled update that you want to edit.

3. Optional: If you want to change the rule's analysis file or resource pool, click Disable.

179

TIBCO Spotfire® Server and Environment Installation and Administration

Page 180: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

4. In the Rules pane, click Edit and make your changes.

5. Click Save.

6. Optional: If you disabled the rule in step 3, click Enable to make it active again.

Creating a reusable schedule

You can create and save schedules that you plan to reuse in scheduled updates to analyses. If aschedule will only be used once, you can set it when you create the update rule.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. In the Saved schedules pane, click Create schedule.

3. In the Create schedule dialog, enter a name for the schedule.

4. Under Repeat, indicate the days on which you want the update to run by selecting the appropriatecheck boxes.

5. Under Start and End, enter the times between which the update should run (on the days that youindicated in the previous step).

6. Under Time zone, select the time zone for the times that you entered in the previous step.

7. Under Reload every, select how often you want Spotfire Server to check if the analysis file or itsunderlying data has changed, and if so, update the pre-loaded file. If you leave the value as 0, theanalysis will load once a day (on the days you selected in step 4), at the beginning of the scheduledtime.

8. Click Create.

Result

The new schedule is displayed in the Saved schedules list.

Manually updating a file outside of its update schedule

If you do not want to wait for a file to be updated according to its schedule, you can trigger an updatemanually.

Prerequisites

There is a scheduled update for the file that you want to manually update.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. On the Overview page, under Rules, select the file.

3. Click Reload.

180

TIBCO Spotfire® Server and Environment Installation and Administration

Page 181: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Disabling or deleting scheduled updates and routing rules

Disabling a scheduled update or other rule makes the rule inactive until you activate it again. Deletinga rule removes it from the database.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Select the check box next to the rule or rules that you want to disable or delete.

3. Click Disable or Delete.If you disabled a rule, it appears grayed out in the list.

Deleting schedules

Deleting a schedule removes it from the database and cancels any scheduled updates that use theschedule.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Select the check box next to the schedule or schedules that you want to delete.

3. Click Delete.

If deleting the schedule will cancel any scheduled updates, Spotfire Server lists theaffected rules.

Creating a scheduled update by using TIBCO EMSYou can create scheduled updates that are triggered by messages from TIBCO Enterprise MessageService (EMS). In Spotfire Server, the external updates configuration takes place in the server, and theupdates are sent to the server. Spotfire Server then sends the updates to the appropriate web playerservice(s).

Prerequisites

● EMS is installed on a computer.

● The following files, which are located in your TIBCO EMS installation in the lib folder, must becopied to the Spotfire Server classpath on the server computer. If your implementation is clusteredthe files must be copied to each computer in the cluster:

— jms.jar or jms-2.0.jar (depending on the version)

— tlbjms.jar

— tibcrypt.jar

Procedure

1. In the Spotfire Server command-line tool, use the config-external-scheduled-updates command toconfigure the server to accept the EMS messages. Include the following parameters:

● Set the ems-enabled value to true.

● Set the server and port to the computer and port on which EMS is currently running. Use thisconfiguration: <server-url>tcp://localhost:7222,tcp://localhost:7222</server-url>

181

TIBCO Spotfire® Server and Environment Installation and Administration

Page 182: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

This enables the reconnect parameters. For more information about this value, see "FaultTolerance" in the EMS help.

● Set the client-id to a unique value in the cluster.

Example of the resulting section in the server configuration file (configuration.xml):<external-scheduled-updates> <ems-enabled>true</ems-enabled> <server-url>tcp://localhost:7222</server-url> <username>spotfire</username> <password>A$i1GEDcoiplGYYVaG1si7cH6zOMHzl+N9g1PzBXGWA /Q=$hX0JDjPLF7Q=$1966$6gLK1Yz8+lyH4+et0xAszA==</password> <client-id>client_id</client-id> <topic>scheduled_updates</topic> <reconnect-attempt-count>10</reconnect-attempt-count> <reconnect-attempt-delay-milliseconds>1000</reconnect- attempt-delay-milliseconds> <reconnect-attempt-timeout-milliseconds>1000</reconnect- attempt-timeout-milliseconds></external-scheduled-updates>

2. In EMS, create the message. Include the following parameters:

● Path (required)

● ClientUpdate

● KeepAliveMinutes

● ResourcePoolName

You now have the option of setting the resource pool (a set of specific services and/orinstances on which to preload the updated analysis file). However, if the followingstatements are true, the resource pool value in the existing rule takes precedence:● There is an existing rule for the same file.

● The existing rule was created in Spotfire Server.

● The existing rule specifies a resource pool.

● The existing rule is enabled.

For the ClientUpdate parameter, the value (manual or automatic) that is defined in theexternal rule takes precedence. If the external update does not specify a value, or if thespecified value is invalid, the value from an enabled rule is used, if available.

3. Send the EMS request. For details, see the TIBCO EMS documentation.

Creating a scheduled update by using a SOAP web serviceYou can create scheduled updates that are triggered by messages from a SOAP web service. In SpotfireServer, the external updates configuration takes place in the server, and the updates are sent to theserver. Spotfire Server then sends the updates to the appropriate web player service(s).

Prerequisites

The user calling the web service must have the following:

● Administrator privileges.

● One of the following:

— Membership in the API User group.

— The "External updates of analysis in Spotfire web clients" (under "TIBCO Spotfire Consumer")license enabled.

182

TIBCO Spotfire® Server and Environment Installation and Administration

Page 183: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Edit the Spotfire Server configuration file to enable public web service API access:<public-api> <web-services> <enabled>true</enabled> </web-services> </public-api>

2. Configure the SOAP request using these parameters:

● Web service address: http://<servername_and_port>/spotfire/ws/pub/UpdateAnalysisService

● WSDL located at: http://<servername_and_port>/spotfire/ws/pub/UpdateAnalysisService?wsdl

You now have the option of setting the resource pool (a set of specific services and/orinstances on which to preload the updated analysis file). However, if the followingstatements are true, the resource pool value in the existing rule takes precedence:● There is an existing rule for the same file.

● The existing rule was created in Spotfire Server.

● The existing rule specifies a resource pool.

● The existing rule is enabled.

For the ClientUpdate parameter, the value (manual or automatic) that is defined in theexternal rule takes precedence. If the external update does not specify a value, or if thespecified value is invalid, the value from an enabled rule is used, if available.

Sample request<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ext="http://spotfire.tibco.com/ws/2015/08/externalScheduledUpdate.xsd"> <soapenv:Header/> <soapenv:Body> <ext:loadAnalysis> <!--Optional:--> <updateAnalysis> <!--Optional:--> <path>/A121-02 BostonMatrix</path> <!--Optional:--> <clientUpdate>manual</clientUpdate> <keepAliveMinutes>5</keepAliveMinutes> <!--Optional:--> <!--resourcePool>Main</resourcePool--> </updateAnalysis> </ext:loadAnalysis> </soapenv:Body></soapenv:Envelope>

3. Send the request with the user that was configured for this purpose.

Monitoring scheduled updatesYou can view the status, date and time, and any messages that were generated for each file updateattempt.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. Click the Activity tab.

3. To limit the list to certain days, enter the starting and ending dates in the date fields in the upper-right section of the page.

183

TIBCO Spotfire® Server and Environment Installation and Administration

Page 184: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Changing the priority of a ruleSpotfire Server uses rule priorities if two or more rules are executed at the same time.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.On the Overview page, under Rules, the scheduled updates and routing rules are listed in priorityorder.

2. Select the rule whose priority you want to change and then do one of the following:

● Drag the rule to a new position in the list.

● Click the three dots at the end of the row and then click Move to top or Move to bottom.

● Click Edit and then, in the Edit rule dialog, enter a new priority number under Set a priority.

Changing how often the scheduled update history is clearedIf your organization runs many scheduled updates, history records can quickly pile up in the database.Spotfire Server automatically purges the history once a week, but you can change how often this occursby editing the main configuration.xml file.

Procedure

1. Open the main Spotfire Server configuration file in a text editor; for instructions, see Manuallyediting Spotfire Server configuration files.

2. Do one of the following:

● If you are editing a new Spotfire Server 7.6 configuration file, change the number "7" (whichindicates 7 days) in the following section:<scheduled-updates> <!-- All scheduled updates details older than the specified number of days will be automatically deleted. Default: one week, value must be strictly positive.--> <purge-history-older-than>7</purge-history-older-than> </scheduled-updates>

● If you are updating an existing configuration file from a previous version of Spotfire Server, addthe entire <scheduled-updates> section to the file and then change the number of daysbetween history purges.

3. Save the configuration file and import it back to the server; for instructions, see Manually editingSpotfire Server configuration files.

Disallowing cached and precomputed data in individual scheduled update filesIf your Spotfire environment is set up to use disk caching and precomputations of data to shorten thetime it takes for an updated analysis to reopen in a Spotfire Web Player after the analysis closes, thissetting may prevent the latest data from appearing in the reopened analysis. You can turn this settingoff for individual scheduled update files.

By default, cached and precomputed data is not enabled. To enable this feature, see Enabling cachedand precomputed data for scheduled update files.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

184

TIBCO Spotfire® Server and Environment Installation and Administration

Page 185: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. Do one of the following:

● If you want to change these properties for an existing scheduled update, under Rules select theupdate, click Edit, and then click Additional Properties.

● If you are creating a new scheduled update, at the bottom of the second Create rule dialog, clickAdditional Properties.

3. In the Additional properties dialog, under Caching, clear the check boxes of the settings you wantto turn off.

4. Click Update and then Save.

Result

The analysis will always reflect the latest data but it may reopen more slowly.

Routing rulesA routing rule specifies the resource pool on which an analysis opens. You can create routing rules to seta resource pool on which to open analyses that are requested by members of a specific group, or by aspecific user. You can also set a resource pool for a specific analysis, regardless of who requests it.

You can use routing rules to fine-tune resource management, but their use is optional.

Specific reasons for creating routing rules include the following:

● Define an exclusive resource pool for a critical analysis so that it can be updated and viewedwithout interference from other analyses and user requests.

● Define a resource pool for management so that they can view and work with analyses withoutwaiting.

● Define a resource pool for users who are trying out a new version of Spotfire.● Load an analysis on several Spotfire Web Player instances to handle a large number of users.

The default routing ruleThe default routing rule indicates the resource pools on which all analyses are opened, unless theanalysis itself, or the user who is requesting it, is subject to another routing rule. By default, the defaultrouting rule includes all the services and instances that are available in your Spotfire implementation.

You can edit default routing to include only certain services and instances, but the rule cannot bedeleted.

The default routing rule is always displayed at the bottom of the Rules list on the Scheduling &Routing page.

Creating a routing ruleYou can create routing rules that apply to user groups, individual users, or specific analysis files.

Prerequisites

● Create the resource pool that you want to specify for the rule; see Creating a resource pool.● If you are creating a rule for an analysis file, the file must be in the Spotfire library.

Procedure

1. Log in to Spotfire Server and click Scheduling & Routing.

2. In the Rules pane, click Create rule.The Create rule dialog opens.

185

TIBCO Spotfire® Server and Environment Installation and Administration

Page 186: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. Under Type, do one of the following and then click Next:

● If you want to set a resource pool on which to open analyses that are requested by members of aspecific group, select Group.

● If you want to set a resource pool on which to open analyses that are requested by an individualuser, select User.

● If you want to set a resource pool on which to open a specific analysis file, select File.

4. Enter a name for the rule and then do one of the following:

● Select the group to which the rule applies.● Select the user to which the rule applies.● Select the file to which the rule applies.

5. Under Select resource pool, select the resource pool on which the analyses that are affected by thisrule should open.

If a scheduled update rule indicates that a file should open on a specific resource pool, thatrule overrides any routing rules (for a group or an individual user) that specify a differentresource pool for the user who opens the updated file.

6. Optional: Set a priority. This setting comes into effect if two or more rules occur at the same time. 0is the highest priority.

7. If you want the rule to be disabled initially, select the Disable rule check box in the bottom right ofthe dialog. You can enable the rule later on the Scheduling & Routing page.

8. Click Save.

Result

The rule is displayed in the Rules list.

Monitoring and diagnosticsSpotfire Server provides a wide range of information to help you manage and troubleshoot yourimplementation.

Server monitoringReasons for monitoring Spotfire Server include detecting problems with the server itself, problems withexternal systems such as databases and LDAP servers, network problems, misconfigured clients, and insome cases malicious behavior. The purpose is typically to reduce downtime, detect and fix problemsbefore users notice them, and eliminate performance bottle necks.

Spotfire Server can be monitored using TIBCO Hawk® or any other Java Management Extensions(JMX) compliant monitoring tool, like JConsole, a part of the Java JDK. JMX is a Java framework formonitoring and managing applications and devices. It is part of the Java Platform Standard Editionsince version 5.0.

See Action logs and system monitoring for information about how to log actions running on SpotfireServer, and also events from Spotfire, Spotfire Web Player, and Spotfire Automation Services.

Instrumentation

JMX consists of three levels:

1. Instrumentation level

- provides monitoring information and management operations

186

TIBCO Spotfire® Server and Environment Installation and Administration

Page 187: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. Agent level

- server that provides applications access to the instrumentation level

3. Remote Management level

- connectors and adaptors providing access to the agent

Spotfire Server runs within the Tomcat application server, which provides the basic functionalityneeded, the server (Agent level), and a Java Remote Method Invocation (Java RMI) connector (RemoteManagement level).

Tomcat provides a rich instrumentation set for monitoring and managing the application server. Forexample, it monitors Tomcat configuration parameters and basic usage statistics. The Java shipped withSpotfire Server is also heavily instrumented using JMX, providing information about CPU and memoryusage, garbage collection, and thread pools.

Spotfire Server is instrumented with the following measures

Also see Action logs and system monitoring.

Server

● Server address (IP)

● Server hostname

● Server version

● Date and time the server was started

● Uptime time since the server was started, both as a formatted string and in milliseconds sinceJanuary 1, 1970, 00:00:00 GMT

Logging

● Current log configuration file (configurable)

● Available log configuration files (read only)

- Lists all log configuration files in <installation dir>\tomcat\webapps\spotfire\WEB-INF

● Number of logging events on warn, error, and fatal levels

Logger

There may be several of these or none at all, depending on the log configuration.

● Log appender name

● Notifications

- Outputs all log statements from a configured log4j appender as JMX notifications

Server metrics

● Number of attachments on the server

● Number of running Information Services jobs

● Number of authenticated HTTP sessions

HTTP status codes

● Number of HTTP response codes representing client or server errors, meaning the 4xx and 5xxranges returned from the server.

Responses in these series may be common, even in a system that works well.

187

TIBCO Spotfire® Server and Environment Installation and Administration

Page 188: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Data source

One entry for each currently running data source on the server, including the server’s own data source:

● Name

● URL

● Configured minimum number of connections

● Configured maximum number of connections

● Current number of active connections

● Current number of idle connections

● The maximum number of concurrently active connections seen

Configuration

Because sensitive information may be provided through JMX, and Java, Tomcat, and Spotfire Serverprovide some management capabilities, it is important to restrict access.

The JMX RMI connector is disabled by default; the administrator must enable it. Also consider theauthentication, authorization, and encryption security features.

Authentication

Spotfire Server solution applies the existing database authentication mechanism using a separatedatabase table. Passwords are hashed, and the same principals may be used across an entire SpotfireServer cluster.

Authentication is enabled by default.

Authorization

Each user has either read, or read and write, permissions. This means that the user can either only readattribute values or, in addition, read and modify the attributes if they are writable.

Authorization is enabled by default. Authorization only works with the default authenticationimplementation.

JMX accounts and credentials are separated from Spotfire accounts and credentials. The JMX accountsare only used for monitoring, since ordinary Spotfire login does not work.

Encryption

The RMI connector can be configured to encrypt the traffic using TLS. This is recommended since usernames and passwords are otherwise transmitted in plain text.

TLS is not enabled by default. It requires a certificate.

Firewalls

A firewall can be configured to allow traffic to the desired ports. By default the RMI registry and theRMI connector share a common port (1099) to simplify firewall configuration.

JMX configuration commands

The following commands are used to configure and administrate JMX access to the monitoringcomponent.

config-jmxConfigures the JMX RMI connector

create-jmx-userCreates a new JMX user account

delete-jmx-user

188

TIBCO Spotfire® Server and Environment Installation and Administration

Page 189: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Deletes a JMX user

list-jmx-usersLists all JMX users

Setting up JMX monitoring using JConsole

This example shows how to set up JMX monitoring using JConsole. It does not use TLS.

Prerequisites

You must have access to JConsole.

Procedure

1. Run the config-jmx command: config config‐jmx ‐‐enabled=true2. Import the configuration: config import‐config ‐‐comment=”Enabling JMX”

configuration.xml

3. Provide the configuration tool password.4. Create a JMX user: config create‐jmx‐user ‐‐username=MyJMXUser5. Provide the MyJMXUser password.6. Provide the configuration tool password to write the user and password to database.7. Restart Spotfire Server.8. Launch the JConsole application.9. In the JConsole New Connection dialog, select Remote Process, enter the <hostname>:1099, and

provide the JMX user name and password.Comment: To view the Spotfire specifics, see the MBeans tab and the com.spotfire.server domain.

Accessing Spotfire Server logs

You can access various types of Spotfire Server logs.For more information about the different logs, see Spotfire Server logs.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.2. On the Overview page, under Spotfire Servers, locate the server for which you want to access

server logs, and click the View logs link.The Log files section is opened.

3. In the Select log file to view drop-down list, select the type of log you want to view.The selected log file is shown in the View logs section.

You can export the log file by clicking Download full log file.

Spotfire Server logs

The server logs store important diagnostic information about the Spotfire Server. The information canhelp in troubleshooting and resolving issues.

The Spotfire Server runs by default at the minimal logging level. This can be elevated, when needed.

The most important log is the "server.log" (previously named as dss.log in 3.x versions). This log filestores information about all activities on the server and can be very handy in troubleshooting issues.

189

TIBCO Spotfire® Server and Environment Installation and Administration

Page 190: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If you encounter an issue with Spotfire Server, provide the server logs to Spotfire Support when you logthe support request.

The following log files are available:

Log file Description

access.log Information about client access and accessattempts to the server and files in the library.

catalina.<date>.log Tomcat log file

commons-daemon.<date>.log Tomcat log file

impex.log Information about Spotfire Library imports andexports.

isusage.log Information about Information Services usage.

library.log Information about Spotfire Library usage.

localhost.<date>.log Tomcat log file

performance.monitoring.log Information about Spotfire Server performancemetrics.

s3request.log Information about Amazon S3 storage.

server-diagnostics.log Diagnostic information about server measures.

server.log Information about all activity on the serverexcept those events recorded in access.log.

soap.log Information about SOAP communication.

sql.log Information about executed SQL queriesperformed when an information link is executed.

startup.log Information about JAR files loaded on serverstartup.

tools.log Information about activity of the configurationtool / Configuration Command Line Tool. Forexample, if you run any configurationcommands at the command prompt or use theUI, this is the log that captures that information.

tss750-stderr.<date>.log Tomcat log file

tss750-stdout.<date>.log Tomcat log file

usage.log Information about client access and accessattempts to the server.

190

TIBCO Spotfire® Server and Environment Installation and Administration

Page 191: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Log file Description

user-interface.log Information about errors generated byAdministration Console web client.

actionslogs\actionlog.log Information about user actions.

Server log levels

There are different logging methods for troubleshooting Spotfire server issues.

The following are the most commonly used methods:

● log4j.properties

The default log level set in Spotfire Server. It captures the events at INFO level.

● log4j-debug.properties

When this log level is set, the Server Log (server.log) logs detailed debug information as well aswarnings, errors, and other information. The SQL Log (sql.log) logs detailed SQL information. If theserver is started from a command prompt or shell, the output to the command prompt or shell isalso included in the Server Log.

● log4j-trace.properties

This level gives more detailed information than the DEBUG level. That this, the logging level is verycomprehensive and should be used carefully.

Spotfire Server runs by default at INFO (log4j.properties) logging level. This level should be used, whenthe server is running fine. Elevated logging is useful for troubleshooting, and the logging level can beelevated to capture more information about issues, errors, etcetera. You can do this in two ways:

● Changing log level when server is running

● Changing log level when server is not running

Changing log level when server is running

Different log methods have different log levels. You can change the log level method to use.How to change log method when the server is up and running is described below.

Procedure

1. Log in to Spotfire Server, and select Monitoring & Diagnostics.

2. On the Overview page, under Spotfire Servers, select the check box for the server of interest.

3. Click Set log configuration.The Set log configuration dialog opens.

4. In the Log configuration drop-down list, select the log method you want to use, and click OK.

Enabling debug this way does not require a server restart.

To export the log file, see Accessing Spotfire Server logs.

191

TIBCO Spotfire® Server and Environment Installation and Administration

Page 192: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Changing log level when server is not running

Different log methods have different log levels. You can change the log level method to use.How to set debug level when the server is not working is described below. Thecom.spotfire.logging.config.file parameter in web.xml file located under <Spotfire ServerInstall Dir.>\tomcat\webapps\spotfire\WEB- INF\ folder is modified.

Procedure

1. Back up and open the web.xml file from <Spotfire Server Install Dir.>\tomcat\webapps\spotfire\WEB-INF folder in a text editor (for example pad).

Always take a backup of the web.xml file before making any modifications.

2. Find the log4j.properties parameter in this file.

An example on how this parameter looks like the web.xml file:

3. Replace it with log4j-debug.properties and save the file.

Here is how the changed parameter should look like:

4. Save the file.5. Restart the "Spotfire Server Service" from "Windows Services" for the changes to take effect.

Use any text editor (for example pad) to modify the XML files. Do not use applications such asWordpad, which can change the file encoding and result in corrupted XML files.

Disable Debug logging after the troubleshooting is completed. We do not recommend running theserver in debug mode for longer periods.

It is a good practice to back up the existing logs and clear the logs folder before capturing the debuglogs.

Enabling Kerberos debug logging

You can troubleshoot issues with the Kerberos authentication by enabling Kerberos debug logging.How to enable Kerberos debug logging on the Spotfire Server is described in the following. SpotfireServer.

Procedure

1. Open the configuration.xml file from <Spotfire Server Install Dir.>\tomcat\bin folder ina text editor (for example pad).

2. In the configuration.xml file, locate the configuration block:

192

TIBCO Spotfire® Server and Environment Installation and Administration

Page 193: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. Change the value for debug key from false to true.

4. Save the file.

193

TIBCO Spotfire® Server and Environment Installation and Administration

Page 194: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

5. Launch a Command prompt on Spotfire Server, and browse to the <Spotfire Server installDir.>\tomcat\bin folder.

6. Import the configuration using import‐config command. For example: config import‐config ‐comment="Enabled Kerberos Debug Logging"

7. Open the web.xml file from <Spotfire Server Install Dir.>\tomcat\webapps\spotfire\WEB-INF\ folder in a text editor (for example pad).

8. Find the log4j.properties parameter in this file.

An example on how this parameter looks like in the web.xml file:

9. Replace it with log4j-debug.properties and save the file. Here is how the changed parameter should

look like:

Here is how the changed parameter should look like:

10. Save the file.11. Restart the “Spotfire Server Service” from 'Windows Services” for the changes to take effect.

Use any text editor (for example pad) to modify the XML files. Do not use applications such asWordpad, which can change the file encoding and result in corrupted XML files.

Disable Debug logging after the troubleshooting is completed. We do not recommend running theserver in debug mode for longer periods.

It is a good practice to back up the existing logs and clear the logs folder before capturing the debuglogs.

Location of server logs

You find server logs at different locations.

Spotfire Server logs are located under <Spotfire Server Install Dir.>\tomcat\logs folder.

Example:

C:\tibco\tss\7.6.0\tomcat\logs

Spotfire Server Upgrade logs are located under <Spotfire Server Install Dir.>\ tools\upgrade\logs folder.

Example:

C:\tibco\tss\7.6.0\tools\upgrade\logs

Logs default directory location can be changed by modifying the following parameter in the <SpotfireServer Install Dir.>\tomcat\webapps\spotfire\WEB-INF\web.xml file.<context-param> <param-name>log.dir</param-name> <param-value>/../../logs</param-value></context-param>

194

TIBCO Spotfire® Server and Environment Installation and Administration

Page 195: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Basic troubleshooting

If there are any issues with Spotfire Server, you can perform some basic troubleshooting.

A few aspects that need to be checked are listed below.

Spotfire database

● Make sure that the Spotfire database is up and running.● Validate the database credentials specified in the bootstrap.xml file.

Ensure that the database user has access to all the required Spotfire database tables and procedures.That is, if the user logs in to the Spotfire Server database with those credentials, the user should beable to browse and access all the contents of the Spotfire database.

● Make sure there is communication between the Spotfire Server computer and the Spotfire databaseserver. For example, ping the database server from Spotfire Server.

Spotfire Server

● Make sure that Spotfire Server has network connectivity.● Make sure that the Spotfire Server service is up and running.

If a custom user account is used to run the Spotfire Server service, ensure that the accountcredentials are valid and not locked.

● Verify that no port conflicts with the Spotfire Server ports.● Verify that the Spotfire Server administration pages can be accessed outside of the Spotfire Server

computer.

If it works correctly on the server machine but is not accessible outside the server, make sure thatthere is no firewall or proxy blocking server access.

● If “Spotfire Administration Console” comes up but fails to authenticate, check the server logs formore clues.

Memory dumps

Creating memory dumps can be useful, for example, to examine problems with exhausted memories.

An exhausted memory usually shows as an out-of-memory exception in the log, but can also manifestitself as a deadlock if you are using Microsoft SQL Server. The first step is to increase memory, see Virtual memory modification.

If the problem still exists, Spotfire Support might want to get a dump of the memory to see if there isany memory leak. When you are running the server as a Windows service, it is complicated to create amemory dump. For a simpler alternative, you can navigate to a page that creates a memory dump, seebelow.

When a memory dump is created, the Java Virtual Machine halts for a short period. Therefore, there aresome extra steps required to enable this, it can only be done and read by someone who has access to theserver's file system and also is a member of the Administrator group. It is not sufficient to be part of theDiagnostics Administrator group.

1. On the Overview page in Monitoring & Diagnostics, select the server you want to create the dumpfor, click the menu on the right hand side and select Create memory dump.

Memory dumps contain the entire state of the running server and can thus containsensitive information.

2. You need to prove that you have access to the server itself by creating a “proof file” with a specificrandom name on the file system of the server. A new name is generated every time the server is

195

TIBCO Spotfire® Server and Environment Installation and Administration

Page 196: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

restarted or when a memory dump has been made. The name of the “proof file” is shown on thepage and it does not proceed until the file exists. The file does not have to have any content. Thepurpose is only to show that the user not only is Administrator but also has write access to the filesystem on the sever.

3. After the “proof file” is in place, the heap dump can be done by navigating back to the page, or byclicking the Reload link. A memory dump is created. This can take some time. Any previous dumpfile is overwritten. When it is completed, the path to the file on the server's file system is displayed.You must go to the server to retrieve the file; there is no download functionality on the page. Afteryou have analyzed the file, delete it, because it can contain sensitive information. On normaltermination of the server, the generated heap dump file is deleted automatically.

There is an advanced setting to disable the functionality altogether. This requires you to manually editconfiguration.xml and enter a new node in the configuration.xml (tools > enable-memory-dumpwith the value “false”) and then make sure that the configuration is uploaded and made active.

Thread dumps

Creating thread dumps can be useful, for example, to examine problems with servers that seem to behanging, or examine reasons why an unusual amount of time is used.

To help troubleshoot such cases, a dump of thread activity can help Spotfire Support to determine whatis happening. When the server is running as a Windows service, it is somewhat complicated to createthis thread dump. For a simpler alternative, navigate to the page that can create a thread dump:

● On the Overview page in Monitoring & Diagnostics, select the server you want to download thedump for, click the menu on the right hand side and select Download thread dump.

The dump displays a short stack trace of all the running threads, along with information about whetherthey are waiting for something.

Troubleshooting bundle

To facilitate troubleshooting, it is possible to create a zip archive of different types of logginginformation.

Then the archive can be sent to Spotfire Support. It provides Spotfire support with useful informationwhen working with the support case. The zip archive contains for example:

● The entire logs directory

● A thread dump

● The results of diagnostics

● The full configuration history (but not the actual configurations)

● A list of all server startup and shutdown events

● A list of all nodes in the collective

● A list of all certificates issued by the internal CA

To create the troubleshooting bundle:

● On the Overview page in Monitoring & Diagnostics, under Spotfire Servers, click Downloadglobal Spotfire troubleshooting bundle.

Depending on connection speed, this could take several minutes.

There may be times though where a partial set of the global troubleshooting bundle provides sufficientinformation. On the Overview page, you can for example Download global Spotfire node managertroubleshooting bundle, or Download troubleshooting bundle for selected servers or nodes.

196

TIBCO Spotfire® Server and Environment Installation and Administration

Page 197: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Common issues

Symptoms and resolutions to issues you may encounter are described.

Spotfire Server fails to start

Spotfire Server can fail to start with the following error message:

Error initializing the Spotfire web application. Please contact the server administrator.

The following errors are captured in the server logs:

SEVERE: Catalina.start

LifecycleException: service.getName(): "Spotfire"; Protocol handler start failed: java.net.BindException:Address already in use: JVM_Bind <null>:

Resolution:

This is an indication of a port conflict. You can check if any of the Spotfire Server ports are blocked byother processes on the Spotfire Server machine. Either stop those services so that Spotfire Server cangrab these ports or assign a different port by modifying the server.xml file located under \tomcat\conf folder.

Spotfire Server runs out of JVM memory

Spotfire Server can run out of JVM memory, which can cause Spotfire Server failure or hanging, makenew connections impossible, and opening any files may fail.

The following errors can be captured in the server logs:

Caused by: java.lang.OutOfMemoryError: GC overhead limit exceeded

......

SEVERE: Exception invoking periodic operation:

java.lang.OutOfMemoryError: Java heap space

Resolution:

This exception is thrown by the garbage collector in the underlying Java and is not specific to Spotfire.This error essentially means that you need to add more memory. See Virtual memory modification.

Users cannot log in

Issue 1

Users are not able to log in to Spotfire Professional or WebPlayer clients. Administrators can fail to loginto Spotfire Administration Console. Server logs can indicate the following LDAP error code:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334,comment: AcceptSecurityContext error, data 52e, vece ]

Resolution:

The LDAP error code indicates that the login credentials used for LDAP binding are invalid. One of themain reasons this can happen is if the password of the LDAP Service Account is expired. To resolve thisissue, modify the LDAP configuration with the updated credentials.Issue 2

Users can not be able to log into Spotfire Professional or WebPlayer clients. Administrators can fail tolog into Spotfire Administration Console. Server logs can indicate the following LDAP error code:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,comment: AcceptSecurityContext error, data 533, v1db1 ]

197

TIBCO Spotfire® Server and Environment Installation and Administration

Page 198: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Resolution:

The LDAP error code indicates that the Service Account that is used for LDAP binding can be lockedout/disabled. To resolve this issue, enable the Service Account and then try again.

Node manager monitoringStatistical information about the node managers is available.

Node manager logs

The node manager logs store important diagnostic information. The information can help introubleshooting and resolving issues.

To view node manager logs, see Accessing node manager logs.

The most important node manager log files are listed below. For information on the other logs, see Spotfire Server logs and Web Player service logs.

Log file Description

jetty.log The output from the jetty container that the nodemanager runs within (similar to catalina.log).

nm.log, nm.log.n (n is a number between 1 andthe maximum number of logs that is configuredto roll through)

Information about all activity on the node.

nodemanager.txt Generated when downloading troubleshootingbundles. It may contain old data later, and it willbe overwritten when another troubleshootingbundle is requested.

service-<guid>.log STDOUT from the service with the specific guid.This is a service instance log, and not aninstallation log.

wpnmremote750-stderr.<date>.log STDERR output captured by the windowsservice.

wpnmremote750-stdout.<date>.log STDOUT output captured by the windowsservice.

If you have an issue with the node manager, the nm.log generally provides the needed details.

Accessing node manager logs

You can access various types of node manager logs.For more information about the different logs, see Node manager logs.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Overview page, under Node managers, locate the node for which you want to access nodelogs, and click the View logs link.The Log files section is opened.

198

TIBCO Spotfire® Server and Environment Installation and Administration

Page 199: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

3. In the Select log file to view drop-down list, select the type of log you want to view.The selected log file is shown in the View logs section.

Services monitoringStatistical information about services is provided.

Monitoring open analyses

Statistics can be found for open analyses.The purpose of this is to make it possible to find problematic analyses, for example, find out whichanalyses cause problem by consuming too much memory or CPU.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance you want to monitor.

3. Under Diagnostics, select Analyses and Diagnostics in the drop-down list.

Result

Under Information, the Overview and Details tabs list information about the open analyses.

The Performance Counters section lists various performance measures.

199

TIBCO Spotfire® Server and Environment Installation and Administration

Page 200: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Analyses Information

The table lists the type of information that is available about open analyses on the Overview andDetails tabs in the Information section.

To access the table, see Monitoring open analyses.

You click Refresh in the Diagnostics section to update the list of open analysis.

Option Description

Close Analysis Close the selected analysis.

If Overview is selected, all instances of the analysis will beclosed.

The user is not notified when the administrator closes theanalysis.

Open Analysis Open a new instance of the selected analysis.

Show Document Nodes andView Sizes

Select whether to show Document Nodes and View Sizes in the listof open analyses or not. These calculation may take a substantialtime when enabled. Disabling them can make the refresh faster.

Title The title of the analysis. The path of the analysis file is shown in thetooltip.

Instances (Overview tabonly)

The number of open instances of the analysis file.

User Name (Details tabonly)

The name of the user that uses the analysis.

Loading Time The loading time (in seconds) for the analysis.

Execution Time The execution time (in seconds) measures the time spent executingrequest for the analysis. It is a measure of the CPU load this analysisputs on the server.

200

TIBCO Spotfire® Server and Environment Installation and Administration

Page 201: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option Description

Data Table Size The memory size of the data tables in the analysis. For the Overviewview, the total memory size is displayed. For the Details view onecolumn shows the memory size shared between instances of theanalysis and one shows the memory size of the data tables that arenot shared between instances.

Data Table Cells The number of cells in the data tables. For the Overview view, thetotal number is displayed. For the Details view one column showsthe number of cells shared between instances of the analysis and oneshows the number of cells that are not shared between instances.

Data View Size The data view size is a measure of the memory required forgenerating the visualizations of the analysis. It varies depending onthe complexity of the data needed for the visualization. For theOverview view, the total memory size is displayed. For the Detailsview, one column shows the memory size shared between instancesof the analysis and one shows the memory size of the data views thatare not shared between instances.

Document Node Count The amount of document nodes. For the Overview view, the totalamount is displayed. For the Details view one column shows theamount shared between instances of the analysis and one shows theamount that is not shared between instances.

The document node count is a measure of the complexity of theanalysis. More visualizations, pages, columns, filtering schemes,markings, etc. will lead to a higher value. If .NET memory is aproblem, it is likely that the analyses that use much more documentnodes than the others are an issue.

Idle Time The time elapsed since the last user interaction.

Scheduled Yes if the analysis is scheduled for automatic updates.

Running Jobs The total number of currently running internal analysis jobs.

Web Player Service Performance Counters

The table in the Performance Counters section lists different performance measures that are availableabout open analyses. All memory values are shown in MB.

To access the table, see Monitoring open analyses.

You can click Clear cache for all data connections to reset the number of cached queries to externaldata sources. Clicking Run a full (GC(2) will run a full garbage collection twice to get rid of memorythat is not in use any more. However, a full garbage collection may take time and the service will beunresponsive during the running.

Performance Counter Description

Process Private MBytes The amount of memory that the process hasasked for.

201

TIBCO Spotfire® Server and Environment Installation and Administration

Page 202: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Performance Counter Description

Available MBytes Total MBytes available, based on standardperformance counter in category Memory.

Webplayer total working memory The amount of memory used by the web clientprocess.

Data Engine memory The amount of memory used by the data engine.This includes all data views and data tables.

Data Engine Cache memory The amount of memory used by the data enginecache. This can be paged out if necessary.

MBytes in all .NET heaps Total MBytes in all .NET heaps, based on .NETCLR Memory.

Number of shared document nodes The total number of document nodes that can beshared.

Webplayer cached documents The number of cached analyses.

Webplayer open documents Number of open document instances (if manyusers have the same document opened, eachcopy will be counted here).

Webplayer number of users Number of logged in users.

Webplayer image render executions Number of image render executions. Typicallyone image corresponds to one visualization.

Data Engine queries finished Number of finished low level data enginequeries.

Thread pool queue length The queue length for the thread pool (in .NET).

Active threads in thread pool Number of active threads in thread pool(in .NET).

Idle threads in thread pool Number of idle threads in thread pool (.NET)that are ready to be used.

Total thread pool requests finished Total number of thread pool jobs finished (.NETthread pool).

Webplayer current processor % The processor usage for the web client process.

Total processor % The total processor usage (not just the webclient).

Webplayer accumulated processor time The total number of CPU seconds consumed bythe web client.

202

TIBCO Spotfire® Server and Environment Installation and Administration

Page 203: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Performance Counter Description

Webplayer average processor % The average processor usage recently. Timeperiod is specified by the setting"cpuAverageTimeSpan" in"performanceCounterLogging".

% Time In GC Percentage of processor time spent in GC, thisis .NET CLR Memory.

# .NET Induced GC Number of times that an induced GC has beenperformed. This is .NET CLR Memory.

Memory exhausted status According to configured memory limits, theservice instance is either Ok, Strained orExhausted. Corresponding values for thecounter is 0, 5 and 8. This status is sent to theTSS to be used for routing decisions.

Processor exhausted status Same as Memory exhausted status above, but forCPU load.

Web Player Uptime seconds Number of seconds since the service instancewas started.

May be recycled Depending on settings for "recoverMemory" andthe current system status, the service instancemay send an event to the server that it mayrecycle the service instance.

Current Time The time (in UTC) when the page was updatedlast time.

Troubleshoot performance

The Performance Counters provide details about the current CPU and memory utilization.

● If Webplayer % processor time is constantly high, CPU is an issue.

● If Webplayer total working memory is high and Available MBytes is low, then RAM is an issue.

Troubleshoot CPU

If CPU is constantly high, look at the Loading Time and Execution Time columns in Informationsection. The analyses with the highest values are consuming the most CPU.

Troubleshoot memory consumption

If the memory consumption is very high, it is important to find out which type of memory that is thebottleneck.

● If the Data Engine memory is a large portion of the Webplayer total working memory, the DataTable and Data View columns in the Information section are the most important. Are there anyanalyses that hold a lot of data table and view memory?

203

TIBCO Spotfire® Server and Environment Installation and Administration

Page 204: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● If, on the other hand, Data Engine memory is only a small portion of the Webplayer total workingmemory, then the .NET memory is an issue, and now the Document Node Count is the column tolook at. Document nodes are a bit more complicated since they may be of different sizes. However,it is likely that the analyses that use much more document nodes than the others, are an issue.

To get rid of a possible error source when measuring the MBytes in all .NET heaps, it isrecommended to run a full GC(2), two times to give the system a chance to reclaim memory that isreleased. Be careful if the server is very busy since the system may be unresponsive for a whileduring the GC.

Conclusions

The result of the troubleshooting above will hopefully give you information on which analyses thatactually consume the memory. It is possible to get statistics for a single analysis in the desktop client tofind out which pages or visualizations that use most of the resources. Open the analysis in the desktopclient and go to Help > Support Diagnostics and Logging, the Diagnostics Information tab, to getdetailed resource usage information. Temporarily removing pages, plots or tables may give some morehints.

● If the data table size is big, it is the raw data that is the problem. Are there tables or columns that arenot used? Otherwise, more RAM is needed.

● If the data view size is high or it seems like the number of document nodes is high, the foundanalyses might be too complicated. Note that unused columns, pages and visualizations willgenerate more document nodes.

Logging and exporting monitoring diagnostics

Monitoring diagnostics can be logged, and the logged results can be exported as a Spotfire analysis filethat shows the information found in the log files.The following options are available:

Option Description

Enable Monitoring Logging Start logging to the logs needed for the monitoring analysis ondebug level.

Enable Full MonitoringLogging

Start logging, with enabled performance diagnostics, to the logsneeded for the monitoring analysis on debug level.

Restore Monitoring Logging Restore logging levels to what is specified in the log4net.config file.

Export Monitoring Logs andAnalysis

Export a snapshot of the log files together with a Spotfire analysisfile used to analyze them.

In Spotfire, the Missing File dialog may open. Beforeclicking OK in the dialog, select the Apply to allmissing files in the analysis check box, since Use thefile found in the same directory is selected.

Export Monitoring Analysis Export the monitoring analysis file without the logs. Use this if thelogs have been copied in another way.

Export Information Export diagnostics information to a text file.

204

TIBCO Spotfire® Server and Environment Installation and Administration

Page 205: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to log andexport monitoring diagnostics.

3. Under Diagnostics, select Analyses and Diagnostics in the drop-down list.

4. In the Logging drop-down list to the right, select one of the options described above.

Viewing node information

Information about the node environment can be displayed.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to viewnode information.

3. Under Diagnostics, select Node in the drop-down list.

Viewing service configuration information

Information about the service can be displayed.The configurations and settings specified in the Spotfire.Dxp.Worker.Web.config file of the serviceare listed.

205

TIBCO Spotfire® Server and Environment Installation and Administration

Page 206: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to viewservice configuration information.

3. Under Diagnostics, select Service Configuration in the drop-down list.

Viewing assemblies information

Information about the assemblies that are loaded by the service can be displayed.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to viewassemblies information.

3. Under Diagnostics, select Loaded Assemblies in the drop-down list.

Viewing site information

Information about the current activity on the web site can be displayed.

206

TIBCO Spotfire® Server and Environment Installation and Administration

Page 207: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Name Description

Uptime How long the Web Player service has beenrunning.

Concurrent users The number of currently logged in users.

Number of cached queries for data connections The number of cached queries to external datasources. This can be reset by clicking Clear cachefor all data connections, see Web Player ServicePerformance Counters.

Cached analyses The number of currently cached analyses.

Open analyses The number of currently open analyses.

Numbers within parentheses indicate the maximum number of concurrent users/analyses that wasmeasured during this uptime.

Current sessions

In the Current sessions part, the currently active sessions are listed. The information shows theusername, the number of open analyses, the sessionID, the IP number of the client, the browser used,and the time the session started.

The open analyses are also listed for each session.

Current analyses

The Current analyses part shows a list of the currently open analyses, and which users are accessingthem. The information shows the path to the file, the time it was opened, the analysisID, any pendingHttp requests, the time since the last ping, and the idle time of the analysis.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to viewsite information.

3. Under Diagnostics, select Site in the drop-down list.

207

TIBCO Spotfire® Server and Environment Installation and Administration

Page 208: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Viewing scheduled updates information

Information about any scheduled updates can be viewed.The information contains the path and name of all scheduled files and also information about the timeof the last update and the duration of the last update.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to viewscheduled updates information.

3. Under Diagnostics, select Scheduled Updates in the drop-down list.

Accessing services logs

You can access various types of services logs.For more information about the different logs, see Web Player service logs.

Procedure

1. Log in to Spotfire Server, and click Monitoring & Diagnostics.

2. On the Services page, under Network diagnostics, click the instance for which you want to accesslogs.

3. In the top section to the right, under the selected instance, click the View logs link.The Log files section is opened.

4. In the Select log file to view drop-down list, select the type of log you want to view.The selected log file is shown in the View logs section.

Web Player service logs

Different services logs are available.

To track the resource usage for services, you can enable logging and monitoring of them by adding andenabling performance counters in the web.config file and by adding the settings for the log files youwant to create in the log4net.config file, located in the webroot\App_data directory of theinstallation.

The following log files can be enabled in the log4net.config file:

Log file Description

AuditLog.<ID>.txt At INFO level, for example, user login andlogout, and analysis open and close are logged.

At DEBUG level, state changes (apply and save)are also logged.

DateTimesLog.<ID>.txt All time points from the services logs collectedin one file to simplify joins between tables.

DocumentCacheStatisticsLog.<ID>.txt The cached analyses sampled regularly.

208

TIBCO Spotfire® Server and Environment Installation and Administration

Page 209: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Log file Description

MemoryStatisticsLog.<ID>.txt Writes resource usage per document. Logs theamount of memory used by tables and views,the number of internal document nodes, and theexecution time. On INFO level, the total valuesper document are logged, and on DEBUG level,detailed information per table is recorded.

MonitoringEventsLog.<ID>.txt At INFO level, the start up and shut down of theservice are logged.

At DEBUG level, session create and remove,analyses open and close, and cached analysesadd and remove are also logged.

OpenFilesStatisticsLog.<ID>.txt The open analyses sampled regularly.

PerformanceCounterLog.<ID>.txt Standard and custom performance counterslogged regularly.

PerformanceDiagnostics.<ID>.log Detailed data engine performance diagnosticsinformation.

service.<ID>.log Information about the service instance startupand close down.

Spotfire.Dxp.Worker.Host.Debug.<ID>.log

Spotfire.Dxp.Worker.Host.<ID>.log

The general purpose log files for all logginglevels and logging levels down to INFO,respectively.

TimingLog.<ID>.txt Logs similar information as the AuditLog, but allevents have a start time, an end time and aduration logged as well.

UserSessionStatisticsLog.<ID>.txt The existing sessions sampled regularly.

You can log to a database instead of log files. For more information, see Configuration of thelog4net.config file.

Log levels

Logs can contain information on various levels.

Possible log levels are: DEBUG, INFO, WARN, ERROR, and FATAL. You can specify the minimum level youwant to be logged; every event for that level and above will be logged.

The DEBUG log level creates the most detailed log of events. Due to the number of events, this level willcreate a separate log file.

The default logging configuration will create one log file with DEBUG level and one log file with INFOlevel. This ensures that important information on INFO level will not be lost due to large amounts ofDEBUG logging.

209

TIBCO Spotfire® Server and Environment Installation and Administration

Page 210: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Customization of service logs

The severity of events to be logged can be customized.

The service log files are located at <Installdir>/Logfiles/Spotfire.Dxp.Web.log on the server.You customize the severity of events to be logged by changing the following section in thelog4net.config file, located in the webroot\App_data directory of the installation. <appender name="FileAppender" type="log4net.Appender.RollingFileAppender"> <PreserveLogFileNameExtension value="true" /> <file value="Logs\Spotfire.Dxp.Web.log" /> <appendToFile value="true" /> <rollingStyle value="Size" /> <maxSizeRollBackups value="4" /> <maximumFileSize value="500MB" /> <staticLogFileName value="false" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%-5level %date [%property{pid}, %thread, %property{user}] %logger - %message%newline" /> </layout> <filter type="log4net.Filter.LoggerMatchFilter"> <param name="AcceptOnMatch" value="false" /> <param name="LoggerToMatch" value="WebLogger." /> </filter> <filter type="log4net.Filter.LevelRangeFilter"> <levelMin value="INFO" /> <acceptOnMatch value="true" /> </filter> </appender> <appender name="FileAppenderDebug" type="log4net.Appender.RollingFileAppender"> <PreserveLogFileNameExtension value="true" /> <file value="Logs\Spotfire.Dxp.Web.Debug.log" /> <appendToFile value="true" /> <rollingStyle value="Size" /> <maxSizeRollBackups value="10" /> <maximumFileSize value="500MB" /> <staticLogFileName value="false" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%-5level %date [%property{pid}, %thread, %property{user}] %logger - %message%newline" /> </layout> <filter type="log4net.Filter.LoggerMatchFilter"> <param name="AcceptOnMatch" value="false" /> <param name="LoggerToMatch" value="WebLogger." /> </filter> <!-- An example how to filter out logging rows from a specific logger.--> <!--<filter type="log4net.Filter.LoggerMatchFilter"> <loggerToMatchvalue= "Spotfire.Dxp.Framework.Utilities.ServerLoggerManager" /> <acceptOnMatch value="false" /> </filter>--> </appender>

<root> <appender-ref ref="FileAppender" /> <!-- Use this to get logging on DEBUG level. Two separate log files will be created: --> <!-- FileAppenderDebug for all levels down to DEBUG and FileAppender with levels down to INFO --> <level value="DEBUG" /> <appender-ref ref="FileAppenderDebug" /> <!-- Replace with this to get INFO logging --> <!-- <level value="INFO" />

210

TIBCO Spotfire® Server and Environment Installation and Administration

Page 211: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

--> </root>

Only log information that is logged with the appender type FileAppender is shown.

More information about the log system can be found at http://logging.apache.org/log4net/.

Configuration of the Spotfire.Dxp.Worker.Web.config file

You can configure the collection of user and session statistics, and performance counters in theSpotfire.Dxp.Worker.Web.config file.

<spotfire.dxp.web> ... <performance> ... <performanceCounterLogging enabled="true" ... logInterval="120" counters=" ... " debugLogInterval="15" debugcounters=" ... " /> ...statistics flushInterval="300" enabled="true" />

Key Description

performanceCounterLogging

enabled Set this to true (default) to enable the logging ofthe specified performance counters. The result ofthis logging can be found in thePerformanceCounterLog.txt file specified inthe log4net.config file.

logInterval Specify the number of seconds between eachperformance counter logging at INFO level.Default value is 120.

counters Add performance counters you wish to log, atboth INFO and DEBUG level, separated by acomma “,”. Each counter consists of three parts:category, counter, and instance, separated by asemi-colon “;”. Both standard Windowsperformance counters, as well as a set of internalTIBCO counters, may be included.

debugLogInterval Specify the number of seconds between eachperformance counter logging at DEBUG level.Default value is 15.

debugcounters Add additional performance counters you wishto log at DEBUG level, separated by a comma “,”.

211

TIBCO Spotfire® Server and Environment Installation and Administration

Page 212: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Key Description

statistics

flushInterval Specify the number of seconds between eachlogging. Default value is 300.

enabled When true, logging of all the other statistics forthe service is enabled. The result of this loggingcan be found in the other log files specified inthe log4net.config file.

Configuration of the log4net.config file

You can configure the log4net.config file to create log files. The file is located in the webroot\App_data directory of the installation.

The different log files are described in Services logs.

Each section in the configuration file corresponds to a log file. The file paths in each appender have tobe set correctly. For example, they should be set to the same directory as the default log fileSpotfire.Dxp.Web.log, which can be found in the installed log4net.config.

There are two levels for logging, INFO and DEBUG. Select for each log which level to use, and specify theperformance counters at both INFO and DEBUG levels in the Spotfire.Dxp.Worker.Web.config file.See Configuration of the Spotfire.Dxp.Worker.Web.config file.

You can log to a database instead of log files. This is done by writing AdoNetAppenders instead of theRollingFileAppenders in the log4net.config file.

The logging specified in the log4.net.config file can be switched on or off while the service isrunning. This is done by setting the level value to DEBUG, INFO, or OFF.

Logging properties

To extract all information to a log file, the default format %message is used. However, for most log filesit is also possible to specify which properties to write to the log files.

This is especially important if you log to a database instead of a log file because this makes it easier toget the properties in separate columns in the database.

General properties

These properties are logged for all log files.

Property Description

hostName The node name.

timeStamp The local timestamp of the event.

timeStampUtc The Coordinated Universal Time of the event.

instanceId The unique ID of the running instance.

serviceId The unique ID of the running service.

212

TIBCO Spotfire® Server and Environment Installation and Administration

Page 213: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Auditlog properties

Default level: INFO.

Property Description

sessionId The internal Spotfire session ID.

ipAddress The IP address of the web client.

userName The name of the logged on user.

operation The audit operation, for example “Login”.

analysisId The document id (GUID) of the currently opendocument.

argument An argument for the operation, for example thepath of the analysis.

status Failure or Success.

DateTimesLog properties

DateTimesLog only supports the %message format.

Default level: OFF.

DocumentCacheStatisticsLog properties

Default level: OFF.

Property Description

path The path of the currently open document.

modifiedOn The date the document was modified.

referenceCount The count of concurrent open references to thecurrent document.

MemoryStatisticsLog properties

Default level: OFF.

Property Description

sessionId The internal Spotfire session ID.

userName The name of the logged on user.

analysisId The unique ID for the analysis.

213

TIBCO Spotfire® Server and Environment Installation and Administration

Page 214: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Property Description

tableId The unique ID for the table. This will be empty ifthe value is a total.

analysisPath The library path for the analysis.

title The title of the analysis.

type The type of information, one of:

SharedApproximateTotalTableSize

SharedApproximateTotalViewSize

DocumentNodeCount

SharedDocumentNodeCount

ApproximateExecutionTime

value The number of bytes, nodes, or millisecondsdepending on type.

MonitoringEventsLog properties

Default level: INFO.

Property Description

eventType The type of event.

argument Arguments related to the event.

information Information related to the event.

OpenFilesStatisticsLog properties

Default level: OFF.

Property Description

sessionId The internal Spotfire session ID.

filePath The path of the currently open document.

modifiedOn The date the document was modified.

fileId The file ID.

elapsedTime The time since opened.

inactiveTime The inactivity time.

214

TIBCO Spotfire® Server and Environment Installation and Administration

Page 215: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

PerformanceCounterLog properties

Default level: INFO.

Property Description

counterCategory The category of the performance counter.

counterName The name of the performance counter.

counterInstance The instance of the performance counter.

counterValue The value the performance counter returns.

Spotfire.Dxp.Worker.Host and Spotfire.Dxp.Worker.Host.Debug properties

Property Description

pid The Process ID.

user The name of the logged on user.

windowsUser The Windows user.

sessionId The internal Spotfire session ID.

Except for those properties, the standard Apache log4net pattern strings can be used.

TimingLog properties

Default level: INFO.

Property Description

endTime The time the event ends.

duration The duration of the event.

sessionId The internal Spotfire session ID.

ipAddress The IP address of the web client.

userName The name of the logged on user.

operation The audit operation, for example “Login”.

analysisId The document id (GUID) of the currently opendocument.

argument An argument for the operation, for example, thepath of the analysis.

215

TIBCO Spotfire® Server and Environment Installation and Administration

Page 216: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Property Description

status Failure or Success.

UserSessionStatisticsLog properties

Default level: OFF.

Property Description

sessionID The internal Spotfire session ID.

ipAddress The IP address of the web client.

userName The name of the logged on user.

browserType The name and (major) version number of thebrowser.

cookies Returns true if cookies are enabled.

loggedInDuration The duration of time the user has been logged in.

maxOpenFilesCount The maximum number of open files.

openFileCount The number of currently open files.

Log to database example

The example shows how to log the AuditLog to a database.

The connectionString should specify a database that contains a table with columns that match theSQL statement specified in commandText. For the other logs, replace the relevant properties, names, andsettings.<!-- Audit log appender to database --><appender name="AuditLogAdoNetAppender" type="log4net.Appender.AdoNetAppender"><bufferSize value="1" /><connectionType value=" System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /><connectionString value=" Data Source=db_server; Initial Catalog=spotfire_logging; User ID=spotfire; Password=spotfire" /><commandText value=" INSERT INTO AuditLog_Webserver ([hostName],[level],[sessionId],[ipAddress],[userName],[operation],[analysisId],[argument],[status],[timeStamp]) VALUES (@hostName,@level,@sessionId,@ipAddress,@userName,@operation,@analysisId,@argument,@status,@timeStamp)" />

216

TIBCO Spotfire® Server and Environment Installation and Administration

Page 217: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

<parameter> <parameterName value="@level" /> <dbType value="String" /> <size value="10" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%level" /> </layout> </parameter> <parameter> <parameterName value="@timeStamp" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{timeStamp}" /> </layout> </parameter> <parameter> <parameterName value="@hostName" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{hostName}" /> </layout> </parameter> <parameter> <parameterName value="@sessionId" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{sessionId}" /> </layout> </parameter> <parameter> <parameterName value="@ipAddress" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{ipAddress}" /> </layout> </parameter> <parameter> <parameterName value="@userName" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{userName}" /> </layout> </parameter> <parameter> <parameterName value="@operation" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{operation}" /> </layout> </parameter> <parameter> <parameterName value="@analysisId" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{analysisId}" /> </layout> </parameter> <parameter> <parameterName value="@argument" /> <dbType value="String" /> <size value="50" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{argument}" /> </layout> </parameter>

217

TIBCO Spotfire® Server and Environment Installation and Administration

Page 218: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

<parameter> <parameterName value="@status" /> <dbType value="String" /> <size value="10" /> <layout type="log4net.Layout.PatternLayout"> <conversionPattern value="%property{status}" /> </layout> </parameter></appender>

Viewing routing

You can, from both analyses and instances perspectives, get overviews of the routing, that is, whichinstances are utilized for the different resource pools.

● In Monitoring & Diagnostics, select the Routing: Analyses or Routing: Instances page. Click thearrows for the analysis or resource pool you are interested in to get more detailed information aboutthe routing.

External monitoring tool

It is possible to monitor the services using an external monitoring tool.

There are two sources of information for such a tool.

● General Windows performance counters

● A dedicated monitoring events log file

For information on the monitoring log file MonitoringEventsLog.txt, see the general description in Services logs, and for details on the log file, see Configuration of the log4net.config file.

Action logs and system monitoringThe Action logs feature collects information about what the users are doing and the system monitoringcollects information on the performance of the Spotfire Server, and the services. As these differentlogging events are written to the same file or database, it is possible to correlate the usage with thesystem performance.

The log events can be written to files, to a database, or to both. In contrast to the other log files, these logfiles will not be pruned; instead a new file will be created every day, thus some extra administration isneeded to ensure that there is room in the file system. For the database logging there is an option toautomatically remove entries which are older than a certain number of hours.

It is possible to analyze the gathered data using Spotfire. For the database there is an InformationModel and an analysis file which can be used to start analyzing usage patterns. With the collected datait should be possible to answer many more questions on how the system is used.

The action logs and system monitoring feature is turned off by default.

Action logs

The action logs feature collects information about what the users are doing, for example, if a user opensa file from the library, when a user logs in, etcetera. It will answer questions on “who did what”, but notstatic questions like “who can do what”, but you see when someone gives more rights to someone. Itdoes not only log actions running on the server, but also events from Spotfire Analyst, Spotfire BusinessAuthor, and Spotfire Automation Services. All events are collected on Spotfire Server. The events thatdo not originate from the server are sent to Spotfire Server through a web service.

The web service must be enabled and configured for these other events to be logged. Do not forget torestart all service instances after the web service has been enabled.

After changing action logging settings related to web player, the services have to be restarted. If theweb player services are not restarted, the logging change will not work.

218

TIBCO Spotfire® Server and Environment Installation and Administration

Page 219: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

System monitoring

The system monitoring saves information on the performance of Spotfire Server and the services in thesame database or files as the action logs.

In contrast to the action logs, where events are logged when an action is performed, the systemmonitoring collects information at regular intervals. To reduce the number of measurements in thedatabase over time, measurements older than a specified amount of time will be replaced with average,minimum, and maximum values for a period of time. The general pruning for the database will alsoaffect the monitoring values. If you log to file, no pruning or averaging will be done.

What is logged?

Various information is logged when enabling action logs and the system monitoring.

The log points are separated into different categories, and for the categories, there are different actions.For example, when a user changes his password, it belongs to the “admin” category and the action is“change_passwd”.

For the log points, some generic fields are shared. These are:

logged_time The time the event was logged.

machine The machine that did the logging.

user_name The name of the authenticated user thatperformed the logged action.

original_time The time the event originally was created. Thismight differ from the logged time, because it cantake time for the log event to be written.

original_ip Where the call originates. It is checked on TCPlevel, so it might be a proxy that shows up.

category The category of the event, for example admin.

action The action within the category, for examplechange_passwd.

success Tells if the operation succeeded or not.

session_id A (unique) id for the session.

service_instance_id A (unique) id for the service instance. This isonly applicable for categories with suffix _wp,and is listed as arg5 for those categories.

There are also some specific measures for every log point. For example, when it is logged that a userchanges password, uName is logged meaning the user name.

In addition, there are some variable fields. In the data base, these will fill out id1, id2, arg1, arg2,etcetera. For the database there are also database views which will have the generic column namesaltered to the ones shown in Action logs.

For the change password, there is a specific view, which for Oracle is defined as:

219

TIBCO Spotfire® Server and Environment Installation and Administration

Page 220: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

CREATE OR REPLACE VIEW ADMIN_CHANGE_PASSWD AS SELECT LOGGED_TIME, MACHINE,

USER_NAME, ORIGINAL_TIME, ORIGINAL_IP, SUCCESS, SESSION_ID, ID1 AS UNAME FROM

ACTIONLOG WHERE LOG_CATEGORY = 'admin' AND LOG_ACTION = 'change_passwd'

For details, see Action logs.

Action logs

The table lists log points in the action logs.

If the category has the suffix _pro it means that the operation is coming from Spotfire Analyst (formerlycalled Spotfire Professional), _wp means that it is coming from the Spotfire Business Author (formerlycalled Spotfire Web Player), and _as means that it is coming from the Spotfire Automation Services.The operations without a suffix all originate on the server.

It is possible to configure the monitor so that only certain categories are logged.

Category Action id1 id2 arg1 arg2 arg3

admin change_passwd

uName

admin create_group

gName

displayName

email

admin create_user uName

displayName

email

admin group_add_member

name gName sort groupingId

admin group_remove_member

name gName sort groupingId

admin remove_license

gName

licenseName

admin remove_principal

name sort groupingId

admin rename_principal

oldName

newName sort

admin set_license gName

licenseName

excludingFunction

admin set_preference

name prefType category id

analysis_as apply_bookmark

libraryId

path bookmarkName

analysis_pro

apply_bookmark

libraryId

libraryPath

bookmarkName

220

TIBCO Spotfire® Server and Environment Installation and Administration

Page 221: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Category Action id1 id2 arg1 arg2 arg3

arg4:analysisId

analysis_pro

set_page libraryId

libraryPath

pageName

arg4:analysisId

analysis_wp

apply_bookmark

libraryId

path bookmarkName

webplayerSessionId

arg4:analysisId

analysis_wp

set_page libraryId

path pageName webplayerSessionId

arg4:analysisId

auth impersonate uName

auth login clientType

clientVer displayName

email

auth logout uName

auth_as login uName

auth_as logout uName

auth_pro login uName

auth_pro logout uName

auth_wp login uName

webplayerSessionId

auth_wp logout uName

webplayerSessionId

automation_job_as

job_finished libraryId

libraryPath

jobId status executionTime

221

TIBCO Spotfire® Server and Environment Installation and Administration

Page 222: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Category Action id1 id2 arg1 arg2 arg3

arg4:message

automation_job_as

job_started libraryId

libraryPath

jobId status executionTime

arg4:message

automation_task_as

task_finished

libraryId

libraryPath

jobId status executionTime

arg4:message

automation_task_as

task_started libraryId

libraryPath

jobId taskClass unused

arg4:taskName

dat_con_pro

create_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_pro

create_source

libraryId

libraryPath

dataSourceType

dataSourceInformation

dat_con_pro

get_data libraryId

libraryPath

dataSourceType

dataSourceInformation

internalQuery

arg4:NumRows

arg5: duration arg6:externalQuery

dat_con_pro

load_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_pro

load_source libraryId

libraryPath

dataSourceType

dataSourceInformation

dat_con_pro

synch_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_pro

update_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_pro

update_source

libraryId

libraryPath

dataSourceType

dataSourceInformation

dat_con_wp

create_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

222

TIBCO Spotfire® Server and Environment Installation and Administration

Page 223: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Category Action id1 id2 arg1 arg2 arg3

dat_con_wp

create_source

libraryId

libraryPath

dataSourceType

dataSourceInformation

dat_con_wp

get_data libraryId

libraryPath

dataSourceType

dataSourceInformation

internalQuery

arg4:NumRows

arg5: duration arg6:externalQuery

dat_con_wp

load_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_wp

load_source libraryId

libraryPath

dataSourceType

dataSourceInformation

dat_con_wp

synch_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_wp

update_connection

libraryId

libraryPath

dataSourceType

dataSourceInformation

dataSourceLibraryId

dat_con_wp

update_source

libraryId

libraryPath

dataSourceType

dataSourceInformation

datafunction_pro

execute unused

path params duration

datafunction_wp

execute unused

path params duration

datasource_pro

execute unused

path title params duration

arg4:NumRows

datasource_wp

execute unused

path title params duration

arg4:NumRows

file_pro load unused

path

file_wp load unused

path

info_link create_il libraryId

path

223

TIBCO Spotfire® Server and Environment Installation and Administration

Page 224: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Category Action id1 id2 arg1 arg2 arg3

info_link get_data libraryId

path duration sizeb groupingId

info_link load_il libraryId

path groupingId

info_link update_il libraryId

path

library copy libraryId

path libraryType destLibraryId destPath

arg4:groupingId

library create libraryId

path libraryType preSize postSize

library delete libraryId

path libraryType groupingId

library export libraryId

path destPath groupingId

library import libraryId

path destPath groupingId

library load_content

libraryId

path libraryType duration sizeb

arg4:groupingId

library move libraryId

path libraryType destLibraryId destPath

arg4:groupingId

library remove_perm

libraryId

path name sort

library save_content

libraryId

path libraryType preSize postSize

library set_group_perm

libraryId

path gName permission groupingId

library set_user_perm

libraryId

path uName permission groupingId

224

TIBCO Spotfire® Server and Environment Installation and Administration

Page 225: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Category Action id1 id2 arg1 arg2 arg3

library_as load libraryId

path

library_pro close libraryId

path

library_pro load libraryId

path

library_wp clone libraryId

path webplayerSessionId

arg4:analysisId

library_wp close libraryId

path webplayerSessionId

arg4:analysisId

library_wp load_start libraryId

path webplayerSessionId

arg4:analysisId

library_wp load libraryId

path webplayerSessionId

arg4:analysisId

library_wp update_start

libraryId

libraryPath

webplayerSessionId

arg4:analysisId

library_wp update libraryId

libraryPath

webplayerSessionId

arg4:analysisId

See Action log measures for more information.

When logging to file, the user “john” has changed password, can look something like:

2013-05-07T11:55:36.356+0200;10.100.33.227;john;

2013-05-07T11:55:36.355+0200;0:0:0:0:0:0:0:1;admin;change_passwd;true;b549dfcf-0059-

4d63-b7d0-f710cc10a3cc;john;null

Another example, where a file originally opened from the library has been closed on Spotfire, can looklike this:

225

TIBCO Spotfire® Server and Environment Installation and Administration

Page 226: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2013-05-07T11:55:36.356+0200;10.100.33.227;sfal;

2013-04-08T16:20:14.203+0200;null;library_pro;close;true;22154702-8e44-4a26-a102-

f1a63121f763;4447a4f7-2c33-43f0-9ed7-edafa152969f;/Demo/Baseball Deb

Every log event will be placed on a new row; in the log file the semicolon is used as separator; in thedatabase the information is placed in different columns. Some columns are generic and some columnswill have different meaning depending on the category and action.

When logging to database, there is one more category, “dblogging”. It has three actions:

● pruned, when things are removed as a result of the pruning action

● startup, when we are starting to log (meaning when the server is started)

● shutdown, when the server is shut down (there is a risk that this is lost if the grace period is tooshort, but normally it should be there).

Action log measures

The table lists action log measures.

Measure Description

analysisId A (unique) id for the instance of the analysis.

category The category of the preference.

clientType The type of client is it, for example “TIBCOSpotfire Analyst”.

clientVer The version of the client that is connecting.

dataSourceInformation Connector-specific information about the datasource. Typically the location of the database.

dataSourceLibraryId The library identifier of the connected datasource, if applicable.

dataSourceType The type of external data source.

destLibraryId The destination library id.

destPath The destination library path.

displayName The display name for a user, for example “JohnSmith”.

duration The amount of time the operation/operationstook (in ms).

email The e-mail address.

excludingFunction For licenses, this is a subfunction within a licensewhich is not turned on.

externalQuery The external query, as generated by the adapter.

226

TIBCO Spotfire® Server and Environment Installation and Administration

Page 227: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Measure Description

gName The group name.

groupingId Operations related to the same operation canshare a common groupingId. For someoperations this is the same as the job-id seen inthe other logs.

id The name of the preference.

internalQuery The Spotfire query.

libraryId The id of the library item.

libraryPath The library path.

libraryType The type of library, for example dxp. query.

licenseName The license name.

name The name of the entity.

newName The new name.

numRows The number of rows returned.

oldName The old name.

pageName The name of the page.

params For certain operations we do not have the exactfunctionality, but this information can help todecide what has happened.

path The path.

permission The permission.

postSize The size afterwards (in bytes).

prefType The type of the preference.

preSize The size before (in bytes).

sizeb The size (in bytes).

sort The type it is (user or group).

title The document title.

uName The user name.

227

TIBCO Spotfire® Server and Environment Installation and Administration

Page 228: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Measure Description

unused This is currently not used.

System monitoring

The table lists system monitoring actions.

Category Action id1 id2 arg1 arg2 arg3

monitoring average measure unused mean min max

monitoring measurement

measure unused value

monitoring_wp

average measure unused mean min max

monitoring_wp

counter measure wp_id value countercategory

countername

arg4:counterinstance

monitoring_wp

start_instance

monitoring_wp

stop_instance

wp_id is a unique id that identifies the currently running instance of the Web Player service instance.

System monitoring measures

There are different measures for Spotfire Server and the Spotfire Web Player service instance.

The tables lists the different measures (id1):

Spotfire Server

Measure Description

cpu Average CPU load, in percent.

mem Heap memory used, in megabytes.

sessions The number of authenticated HTTP sessions.

228

TIBCO Spotfire® Server and Environment Installation and Administration

Page 229: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Spotfire Web Player service instance

Measure Description

available bytes The available number of bytes on the ???.

cached docs The number of cached documents.

cpu Average CPU load, in percent.

disk queue The length of the disk queue.

mem The number of bytes used by the ???

network The total number of bytes transferred persecond.

open docs The number of open documents.

scheduled updates docs The number of documents controlled by thescheduled updates feature.

uptime The time in seconds since the ??? was started.

Web service

To be able to capture log points from Spotfire Analyst, the web client, and Spotfire AutomationServices, there is a web service.

It is possible to decide that only certain categories should be logged through the web service. To ensurethat no unnecessary SOAP traffic is generated, the clients will check with the server during startup forthe active categories. If the feature is not enabled then no extra SOAP calls will be generated.

There are three settings on the server:

● If it should be turned on at all

● Which categories should be enabled (“all” will turn on all categories)

● A regular expression to decide if logging requests should be accepted or not (“.*” will accept fromany host).

Log to file

Action logging can be directed to a file.

In contrast to the other logs, a new file will be created every day. You can see in the log4jconfiguration files (located in <installation directory>/tomcat/webapps/spotfire/WEB-INF)that it uses the DailyRollingFileAppender. Files will never be automatically removed; thus, if it isenabled, you need to make sure that there is room for these files.

Fields are separated by a semicolon, and any semicolon in the measures will be replaced with sentencespacing. The file can be opened directly in Spotfire. An example of a log file follows. Explanatorycomments are added:

2015-11-05T09:36:00.381+0100;10.100.32.118;Diophantus;

2015-11-05T09:36:00,381+0100;10.98.45.199;auth;login;true;7583cdc4-

a6b8-40d4-88e6-90f5d499ff79;;;Diophantus;;;;;

Comment: The user "Diophantus" logs in to the TSS.

229

TIBCO Spotfire® Server and Environment Installation and Administration

Page 230: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2015-11-05T09:36:12.152+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:12,140+0100;10.98.45.199;auth_wp;login;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;Diophantus;;;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;;;

Comment: Diophantus" logs in to the Web player. Note the webplayerSessionId "1b153...".

2015-11-05T09:36:12.268+0100;10.100.32.118;Diophantus;

2015-11-05T09:36:12,267+0100;10.100.32.130;library;load_content;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;dxp;0000000036;0001145557;;;

Comment: He loads the dxp contents for his analysis "/drafts/Arithmetica - first version" from thelibrary.

2015-11-05T09:36:12.722+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:12,717+0100;10.98.45.199;library_wp;load;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;AnalysisDxp;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

Comment: The analysis is loaded into the web player. The webplayerSessionId shows that the session isthe same that he logged in to above: "1b153...", and we can see the analysisId for the analysis instance:"bwHPZ...".

2015-11-05T09:36:12.739+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:12,733+0100;10.98.45.199;analysis_wp;set_page;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;Intro;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

2015-11-05T09:36:16.408+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:16,399+0100;10.98.45.199;analysis_wp;set_page;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;Algebra;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

2015-11-05T09:36:22.044+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:22,031+0100;10.98.45.199;analysis_wp;set_page;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;Intro;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

Comment: He flips through the pages. Note that webplayerSessionId and analysisId match the valuesabove.

2015-11-05T09:36:22.528+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:22,514+0100;10.98.45.199;analysis_wp;apply_bookmark;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;geometrics;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

Comment: He applies a bookmark.

2015-11-05T09:36:27.279+0100;10.100.32.118;Diophantus;

2015-11-05T09:36:27,279+0100;10.100.32.130;library;create;true;

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;dbfc821b-0e02-494c-8360-cf8c9c3e07fe;/

RelatedItems/AnalysisStates/092a7424-fa68-4179-b762-7f16a5c11e18;analysisstate;

0000000000;0000028364;;;

Comment: The state is saved to library as a part of him closing the analysis.

2015-11-05T09:36:27.288+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:27,288+0100;10.98.45.199;library_wp;close;true;

230

TIBCO Spotfire® Server and Environment Installation and Administration

Page 231: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

21dc38aa-3ec7-4938-8b7e-1dfe218f8655;79c727c3-d70d-43f5-b681-360cee89a821;/drafts/

Arithmetica - first version;AnalysisDxp;;

1b15369d63bbed3a64b576b29d0a34a26f2871b8;bwHPZisVZUeE_Nxj5ybYn-0414411f61_jf2;;

Comment: He closes the analysis.

2015-11-05T09:36:30.884+0100;10.100.32.118;;2015-11-05T09:36:30,884+0100;10.98.45.19

9;auth;logout;true;7583cdc4-a6b8-40d4-88e6-90f5d499ff79;Diophantus;;;;;;;

2015-11-05T09:36:30.897+0100;10.100.32.130;Diophantus;

2015-11-05T09:36:30,892+0100;10.100.32.112;auth_wp;logout;true;15966a47-aafd-460e-

a649-a80c020a9ca2;Diophantus;;;;1b15369d63bbed3a64b576b29d0a34a26f2871b8;;;

Comment: He logs out from the TSS and the Web Player.

The log files will show up in a subdirectory of the usual logging directory:

<installation dir>/tomcat/logs/actionlogs

Another logging option is to log to database.

Log to database

Action logging can be directed to a database.

There are many configuration options available for the database logging, which will make it possible totailor the system for your needs. To see how this functionality works it is illustrative to follow how anevent is logged.

1. An event is created.

2. A check is done to see if logging is turned on.

3. A check is performed to see if this category should be logged.

4. It is fed to one or two of the loggers.

5. If file logging is enabled it will be written to the file.

6. A check is made to see if logging should be done towards the database.

7. The database logger will put the event in a fixed size queue (the size is fixed in runtime, but can beconfigured). It is also possible to configure the prioritization of events so that only certain eventswill be put in the queue if the queue is more than half full.

231

TIBCO Spotfire® Server and Environment Installation and Administration

Page 232: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

8. If the queue is full it can be configured to wait until there is room in the queue or wait for aconfigurable time.

9. The chunk worker will wait until there are a configurable number of events available or a certainconfigurable time has passed.

10. The chunk worker will start up an insert worker. The number of simultaneous insert workers can beconfigured. If the limit of simultaneous workers is reached it will wait for an insert worker to finish.

11. The insert worker will do a batch insert into the database.

As you can see there are several possibilities here to configure the system. If it is very important thateverything be logged, you should block for a place in the queue.

If some elements are more important to log than others, they can be set as prioritized. This means that ifthe queue is more than half full, only events set as prioritized will be added to the queue. Other eventswill be discarded.

To ensure that important elements are never discarded, you must also configure the queue to wait if itis full.

If there is a high load, you should configure many simultaneous insert workers. On the other hand ifyou just want to sample the system and you do not want to load a database instance, you could set thenumber of insert workers to a low number.

There is an optional pruner thread which, if enabled, will check every hour for events older than aconfigurable number of hours. The events which are older will be removed. By default the system willdelete events older than 48 hours. If the value is set to 0, no pruning will take place and your DBA mustadminister the growth through some other means, for example by partitioning the table.

If there still are events in the queue when the server is about to be stopped, there will be an attempt towrite remaining items in the queue to the database during a grace period. The grace period is alsoconfigurable.

As mentioned above, many parameters of the machinery are configurable. This should make it possibleto tune the system for different environments and loads. To help tune the system there is a JMX (see Monitoring for more information about JMX). This JMX bean can answer the following questions:

● How many more events can be queued? (getRemainingQueueCapacity())

● How many events are in the queue? (getCurrentQueueSize())

● How many events have tried to be logged? (getNumberOfLogged())

● How many events have not been put in the database? (getNumberOfFailedLogs())

● How many more insert workers can be started? (getCurrentNumberOfSpareWorkers())

● What is the minimum number of spare insert workers since the server was started? 0 indicates thatall possible workers were started at some point. (getMinimumFreeWorkers())

● How many SQL Exceptions have been encountered? (getNumberOfSQLExceptions())

● How many items have been pruned from the database? (getNumberOfPrunedEntries())

During startup the database logger will try to connect to the database. If it fails it will try to reconnect atincreasing intervals. If no database is available after the start attempts, the server will not run. Thus, ifthe functionality is enabled, there is another system dependency.

If you want to send information to a database, you need to run additional database scripts. These willcreate a new schema/database for the action logs to make it simpler to, for example, partition the datatable. Everything is logged to the table “ACTIONLOG”. Then some indices are created. If you do not dosearches, you can omit the indices. If you have them turned on and also have pruning, then your DBAshould consider rebuilding the indices periodically. Then there are views created for categories andactions; these will help to interpret the generic columns. If you do not use the views you can omit themfrom the database creation script.

232

TIBCO Spotfire® Server and Environment Installation and Administration

Page 233: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

For the database there is also an Information Services model and an analysis file, which can be used togain insight into the usage of the system.

Enable the action logs and system monitoring feature

By default the action logs and system monitoring feature is not turned on. To turn it on you need toconfigure it. If you want to run database logging, you also need to run additional installation scripts.

If you turn on database logging, you can also import a library file, which will provide an informationmodel and analysis file.

The configuration of this feature has three commands: config‐action‐logger, config‐action‐log‐database‐logger, and config‐action‐log‐web‐service.

config‐action‐logger

The config‐action‐logger command controls whether the feature is enabled. Default is that it isturned off. If it is on, it controls which categories should be logged, and if logging should be directedtowards file and/or database.

An example where all categories are enabled and logging is made both to file and database:

config-action-logger --file-logging-enabled=false --database-logging-enabled=true

config‐action‐log‐database‐logger

The config‐action‐log‐database‐logger command controls the different tuning parameters of thedatabase logger as well as the database connection information.

An example if you only want to run with the default parameters:config-action-log-database-logger --database-url="jdbc:tibcosoftwareinc:oracle://

some.oraserver.com:1521;ServiceName=pdborcl.example.com" --driver-

class="tibcosoftwareinc.jdbc.oracle.OracleDriver" --username="spotfire_actionlog" --

password="xxxxx"

If you want to log to a database, you need to run scripts, which will create a new database/schema.These are available in the installation kit in these folders:./scripts/mssql_install/actionlog

./scripts/oracle_install/actionlog

Here the create_actionlog_db.bat or create_actionlog_db.sh script needs to be edited. If yourdatabase is running on Amazon RDS you should edit the create_actionlog_db_rds.bat orcreate_actionlog_db_rds.sh script. The information is the same as for the ordinary creation scripts.For Oracle a new schema is created for the “spotfire_actionlog” user. For Microsoft SQL-server thedatabase will be called “spotfire_actionlog”. If you want to use the information layer later, you shouldnot change this user/name, unless you use the Redirect dependent elements functionality inInformation Designer.

In the same folder there is a library logged_user_actions_ora.part0.zip (for Oracle) orlogged_user_actions_mssql.part0.zip (for Microsoft SQL Server). This file needs be copied to thelibrary import folder (<installation dir>/tomcat/application‐data/library/) and thenimported into the library using the library manager. This library export contains an information layer aswell as an analysis file. To be able to use the file you need to edit the datasource with the connectioninformation to the schema/database. Use Information Designer and select the Datasource tab, right-click the logged_user_actions_datasource, and select Edit. Then edit the connection information.

config‐action‐log‐web‐service

The config‐action‐log‐web‐service command controls which categories are logged and also limits theclients that can log using the web service.

233

TIBCO Spotfire® Server and Environment Installation and Administration

Page 234: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

An example showing enabling all categories from all hosts:config-action-log-web-service --allowedHosts=".*" --categories="all"

Then the configuration needs to be uploaded to the database and the server should be recycled.

It is also possible to configure the functionality through the Configuration Tool.

Some comments

Some additional information about the logging and monitoring is found below.

● The information about log categories, actions, and measures should not be considered as a stableAPI which will remain unchanged between releases. All things can change, but it is more likely thatwe will add more actions and add measurement columns to existing log points

234

TIBCO Spotfire® Server and Environment Installation and Administration

Page 235: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● The log points represents what is happening on the system. There might be a couple of cases wherewhat is shown in the log can feel counterintuitive, for example when using NTLM you will see morelogins. If you see what is happening on the network you will see that there are actually severallogins happening during a normal session. Another case is when a session dies. There is a maximumlife span for a session. Here you will see an event even if the user has not actively made anyoperation. You can also see that there might not be a session when these events are logged, becausethe session has died.

● If you are logging to a database then it might be a good idea to involve your DBA to regularlymonitor the usage and see if indices should be rebuilt or dropped. If pruning is not turned on thenmanual pruning or partitioning must eventually take place.

● If you are logging to a database, times will be logged as GMT by default. To change this to the localtime, select Log in local time in the Configuration Tool.

● Files from a previous release take a certain path through the code. For certain older files the cloneoperation on the web player might not be logged.

Upgrade action logs and system monitoring

When upgrading, a few things need to be considered.

If you have been running action logging in a previous release, then logging will run out of the box, butyou might not be able make full use of the new functionality.

The new functionality includes further measurements for some log points, and new measures, forexample, CPU usage. Depending on which categories that were enabled earlier, you might want toreview these (also for the web service). If you are using the configuration tool it should be easier tochoose categories, since there are check boxes to select categories. If you previously had "all" selectedthe new categories will show up.

If you are only logging to file then there is nothing more that needs to be done.

If you are logging to database, however, there are some things to note. As before, all measures arelogged to one single table "ACTIONLOG", so without any alterations your logging should continue towork and you should not lose any measurements. This "ACTIONLOG" table is the only thing requiredto run the logging, but as before we have some utilities that will help you to analyze the data.

There is no SQL that is run automatically during upgrade related to this logging functionality. This is togive full control to you and your DBA, if you have chosen to do something advanced, for example,partitioned the "ACTIONLOG" table.

The database scripts have basically the following functionality.

1. Create user, schema/database. After an upgrade you can continue to log to the same place so there isno need to create these anew.

2. Create the ACTIONLOG table. This table is still used, and the structure is not altered.

3. Indices are created to help searches on the ACTIONLOG table. If you chose to omit the creation ofthe indices before and you are happy with that, then there is no need to create them this time either.With pruning enabled, the ACTIONLOG table will have rows both added and deleted, so indicesmight benefit from being rebuilt regularly. Discuss this with your DBA.

4. Views are created for the different categories and actions with column names which are moreinformative, with the same information as in the table in What is logged?. The views are neededonly if you use them for analysis. During an upgrade, these are the only things that need to beupdated in the database.

The view creation information exists in the database installation scripts, they can be found in theinstallation kit under

./scripts/oracle_install/actionlog

./scripts/mssql_install/actionlog

235

TIBCO Spotfire® Server and Environment Installation and Administration

Page 236: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Oracle

If you are a familiar with SQL utilities, it is probably fastest to log in to the schemaspotfire_actionlog and run the SQL found in create_actionlog_db.sql. SQL will see if the tableexists and will then only create the views.

You can also edit the .bat or .sh files. In this file, remove the section which creates the tablespace anduser, and enter the information for: CONNECTIDENTIFIER, ACTIONDB_USER, andACTIONDB_PASSWORD. Then run the script.

Microsoft SQL Server

Edit the file create_actionlog_db.sql.

Remove the lines above “use $(ACTIONDB_NAME)”, and change this line to ”use spotfire_actionlog”.The script will only create the views if the table exists.

If you are a familiar with SQL tools, it is probably fastest to log in to the database spotfire_actionlog andrun the SQL in your edited create_actionlog_db.sql.

You can also run the bat script. Here you need to edit the bat script. In this file, remove the section“Create the Spotfire Action log database user” then enter the information where the placeholders are,for example the CONNECTIDENTIFIER, and run the script.

To help to analyze the content of the table and the views, there is an information layer. This has beenupdated with the new views. In the same folder as the database script, there is a library import file,logged_user_actions_ora.part0.zip (for Oracle) or logged_user_actions_mssql.part0.zip (forMicrosoft SQL Server). This file needs to be copied to the library import folder (<installation dir>/tomcat/application?data/library/) and then imported into the library using the library manager.When importing this you should select to replace existing items. This library export contains aninformation layer as well as an example analysis file. To be able to use the file, you need to edit thedatasource with the connection information to the database/schema. Use Information Designer, andselect the Datasource tab. Right-click logged_user_actions_datasource, and select Edit. Then editthe connection information. Check the permissions on the imported folder so that only the proper userscan view the content.

Spotfire Server and the different databases/schemas

The server connects to several kinds of databases or schemas.

● The server's own database which stores all the information like preferences, library items, etcetera.

● The data sources to which the server makes JDBC connections to retrieve data for analysis, throughInformation Services. One of the possible data sources is the demo data source, which can be createdat the same time as the Spotfire database.

● The new action log database/schema, which is created if you want to direct the action logs to adatabase. It is a very simple structure with basically one table and different views, which can help toanalyze the content. It is separate from the Spotfire database to allow for custom storing andpruning of Action Log data in accordance with your business needs.

236

TIBCO Spotfire® Server and Environment Installation and Administration

Page 237: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Upgrading to Spotfire 7.6

There were fundamental architectural changes introduced in Spotfire 7.5. This means that the process ofupgrading your Spotfire environment will differ depending on if you are upgrading from Spotfire 7.0or earlier, or if you are upgrading from Spotfire 7.5.

If you are upgrading from Spotfire 7.0 or earlier, see: Upgrading to 7.6 from 7.0 or earlier.

If you are upgrading from Spotfire 7.5, see: Upgrading to 7.6 from 7.5.

Upgrading to 7.6 from 7.0 or earlierTo upgrade to Spotfire 7.6 from Spotfire 7.0 or 6.5, perform the upgrade tasks applicable to your system.

There are some fundamental changes in the new architecture that affect how you must set up yoursystem to make it behave as it did in the old architecture. The biggest change is that Spotfire Server nowhandles all external communication. That means that all web client users connect to Spotfire Serverinstead of a Spotfire Web Player server, and that Automation Services jobs are run on Spotfire Serverinstead of on an Automation Services server.

In the 7.6 architecture, Spotfire Web Player and Spotfire Automation Services are installed as serviceson nodes, and Spotfire Server handles the traffic to all instances of these services. When upgrading toSpotfire 7.6, these changes mostly affect how authentication and load balancing are set up, as comparedto the old architecture.

It is recommended that you set up a Spotfire 7.6 staging environment for testing before upgrading. See Setting up the test environment.

Related links

Upgrading to Spotfire 7.6 from 7.0 or earlier introduction

Upgrading a cluster of Spotfire Servers

Upgrade between service pack versions

Setting up the test environmentThese are the general steps for setting up the Spotfire 7.6 test environment and running tests.

Procedure

1. Clone the pre-7.5 production Spotfire database.

2. Install Spotfire 7.6 servers and node managers.

For more information, see Basic installation process for Spotfire Server.

3. Upgrade the cloned Spotfire database to version 7.6 using the Spotfire Server upgrade tool.

For more information, see Run the upgrade tool.

Make sure that it is the cloned database that is upgraded, not the production database.

4. Test the system, preferably under conditions similar to production, including any scheduledupdates.

5. After testing is complete, upgrade your pre-7.5 Spotfire environment to Spotfire 7.6.

237

TIBCO Spotfire® Server and Environment Installation and Administration

Page 238: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Upgrading Spotfire ServerUpgrading Spotfire Server is done the same way as in previous versions. You install Spotfire Server 7.6and use the Spotfire Server upgrade tool to upgrade to Spotfire Server 7.6.

The Upgrade tool upgrades the Spotfire database to the current version and, if selected, copies certainfiles from an old installation of Spotfire Server to the Spotfire Server 7.6 installation directory.

If you are upgrading from a pre-7.5 Spotfire Server, you must have Spotfire Server 6.5.3 HF-008 (orlater) or Spotfire Server 7.0.0 HF-002 (or later) installed. If you have an earlier version of Spotfire Serverinstalled, you must first upgrade that server to one of these versions.

After the Spotfire database is upgraded, older versions of Spotfire Server will not be able to connect toit. Therefore, stop any older Spotfire Server connected to the Spotfire database before beginning anupgrade. If you intend to copy information from the old version, do not uninstall it until Spotfire Server7.6 is in place.

The upgrade will perform a validation of LDAP configurations. If an invalid LDAP configuration isfound, the upgrade will fail. If so, go back to your previous installation, correct the error and performthe upgrade again.

After the upgrade, make sure that the Administrator group has all licenses, including new ones,assigned to it. Use the Administration Manager in Spotfire Analyst to assign licenses. For a descriptionof the licenses, see the Administration Manager help.

Install Spotfire Server

The Spotfire Server Upgrade tool is installed with the Spotfire Server.

For instructions on how to install Spotfire Server, see Installation.

Do not start or configure the newly installed server before running the upgrade tool.

If you are using LDAPS, and if the CA certificate is not included in the cacert file by default, you mustimport the CA certificate used to issue the LDAP server's certificate before running the upgrade tool.See Configuring LDAPS.

Run the Spotfire Server upgrade tool

You can run the upgrade tool interactively, or silently by using the command-line interface.

Before you run the upgrade tool, make a working backup of your Spotfire database.

For information on how to run the upgrade tool, see Running the upgrade tool interactively or Runningthe upgrade tool silently.

Running the Spotfire Server upgrade tool interactively

When you run the Spotfire Server upgrade tool interactively, you will be prompted for informationabout your older installation and your 7.6 installation.In the Spotfire Server 7.6 installation directory <7.6 install directory>\tools\upgrade you findthe files upgradetool.bat (Windows) and upgradetool.sh (Unix). Run the tool for your operatingsystem from a command-line prompt, or launch it in the last step of the Spotfire Server installer.

If you are upgrading a cluster of Spotfire Servers, run the upgrade tool on each server. The Spotfiredatabase will be updated the first time you run the upgrade tool.

If Spotfire Server is set up to authenticate with the Spotfire database using Windows IntegratedAuthentication, it is important that you run the upgrade tool as the same user that Spotfire Serverauthenticates as. Otherwise, the upgrade tool will not be able to authenticate with the database.

238

TIBCO Spotfire® Server and Environment Installation and Administration

Page 239: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Prerequisites

● You have installed Spotfire Server 7.6.● You have a working backup of your Spotfire database.

Procedure

1. The Spotfire Server 7.6 Upgrade panel is displayed. It provides a reminder to back up or clone theSpotfire database. Click Next.The File Locations panel is displayed. It provides new information and the choice to copy, or not tocopy, an existing configuration.

2. If you have file access to an old installation, you can select the X.X.X installation option and enterthe path to its installation directory, for example: C:\tibco\tss\X.X or /opt/tss/X.X. Click Next.If there are changes needed after the upgrade, for example, port configuration or the location of TLScertificate, manually edit the server.xml file, located in the <Spotfire Server Install Dir>\tomcat\conf folder.

3. If you did not copy an existing configuration, the Database Type and Driver panel is displayed.Here, specify the database and database driver you are using, and click Next.If you select a database driver type that is not installed in the old installation directory, the message“The selected driver must be installed manually” is displayed. Install the driver manually byplacing it in the <7.6 install directory>/tomcat/lib directory and restart the upgrade tool.If you select a database driver type that is not installed and click Next, the Database Drivers NotInstalled panel is displayed. If this occurs, click Done to exit the upgrade tool, then install thedatabase driver and start the upgrade tool again.The Database Connection Information panel is displayed.

4. Here, provide the Spotfire database Connection string, Username and Password. If your databaseserver uses integrated login, like Windows authentication, select the Integrated login check box, todisable the Username and Password fields. Click Next.

5. If you did not copy an existing configuration, the Additional Information panel is displayed. Here,specify the configuration tool password, the encryption password, and the server name to use whenconfiguring the Spotfire Server, and click Next.

6. If LDAP User Directory mode or Windows NT User Directory mode is used, the User DirectoryConfiguration panel is displayed. Here, select a domain name style (DNS or NetBIOS) and adefault domain.

Make sure to select an accurate domain name style for your system. For more information,see External directories and domains.

The Summary panel is displayed.7. Click Upgrade.

The Spotfire Server 7.6 Upgrade panel is displayed.8. Here you can see if the upgrade was successful. If there were problems with the upgrade, click Next

to get information on where the issues have been logged. When the upgrade has been successfullycompleted, click Finish.

Running the upgrade tool silently

As an alternative to running the upgrade tool interactively, you can run it silently using a commandline interface.

Prerequisites

You have installed Spotfire Server 7.6.

239

TIBCO Spotfire® Server and Environment Installation and Administration

Page 240: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

You have a working backup of your Spotfire database.

Procedure

1. Go to the directory <7.6 install directory>/tools/upgrade.

2. Open the file silent.properties in a text editor or XML editor.

3. Follow the instructions in the file and specify the values of the parameters.The from parameter is the only parameter you are required to specify.

4. Save the silent.properties file.

5. Open a command prompt.

6. To see the parameters the upgrade tool will use:

● On Windows, type upgradetool.bat -h● On Linux, type upgradetool.sh -h

The parameters are listed in the command prompt.

7. To run the upgrade tool silently:

● On Windows, type upgradetool.bat -silent silent.properties● On Linux, type upgradetool.sh -silent silent.properties

8. Press Enter.The upgrade tool is run silently.

Applying hotfixes to the server

After you run the upgrade tool, you must install any available hotfix for this version of the server.

Prerequisites

● You have installed Spotfire Server.

● You have downloaded the latest hotfix for your version of Spotfire Server; for instructions, see Downloading required software.

Procedure

● Follow the instructions in the Installation_Instructions.htm file that was included in the hotfixpackage that you downloaded.

Start Spotfire Server

When the upgrade tool has completed without issues, you should start the Spotfire Server.

For information on how to start the Spotfire Server, see Starting Spotfire Server.

To verify that Spotfire Server has been installed and started, launch a browser and go to the SpotfireServer start page: http://<hostname>:<port>/spotfire.

Upgrading a cluster of Spotfire ServersIn Spotfire 7.6, clustering is disabled by default. Therefore, during the update process, you must enableclustering and reconfigure your cluster-related options.

For general information on upgrading, see Upgrading. For general information on clustering, see Clustered server deployments.

240

TIBCO Spotfire® Server and Environment Installation and Administration

Page 241: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If you have a load balancer that routes based on the jvmRoute part of the session id, note that thedefault value has changed from uppercase to lowercase. If needed, update the load balancerconfiguration accordingly.

These are the basic steps for upgrading a clustered implementation of Spotfire:

1. Download the required software; see Downloading required software.2. Install the Spotfire Servers in your cluster; see Install Spotfire Server.3. Apply the latest hotfix for your version of Spotfire Server (if one is available) to all of the servers; see

Applying hotfixes to the server.4. On only one of the servers, run the upgrade tool; see Run the upgrade tool.5. On the same server, set your clustering parameters; see Setting up a cluster of Spotfire Servers.6. Start the same server; see Start or stop Spotfire Server.7. Start the other servers in the cluster.8. If you are using ActiveSpaces to secure the connections between clustered servers, you must install

and configure ActiveSpaces on every server in the cluster; for details, see Using ActiveSpaces forclustering.

Upgrading Spotfire Analyst clientsSpotfire Analyst clients will be upgraded when users connect to a 7.6 Spotfire Server with the 7.6Spotfire client packages deployed.

If you use any custom visualizations, these extensions must be modified before you deploy them to the7.6 Spotfire Server. For more information, see Upgrading custom visualizations.

Deploy client packages

Deploy the 7.6 Spotfire client packages to the server.

For information on how to deploy the client packages, see Deploying client packages to Spotfire Server.

After deploying the packages, start a Spotfire client and log in to the 7.6 Spotfire Server. Make sure thatthe client is upgraded with the new deployment. Verify that the Spotfire library and information modelare accessible and work as they did before the upgrade.

Upgrading Spotfire Web PlayerUpgrade Spotfire Web Player by installing the Web Player service on a node and applying yourconfigurations.In the 7.6 architecture, you no longer install a Spotfire Web Player server that web client users connectto. In the 7.6 architecture, all web client users connect to a Spotfire Server that has a Web Player serviceinstalled on a node. Besides this, upgrading to Spotfire Web Player 7.6 is done in the same way as forprevious versions. You install the Web Player service on a node, apply your Web Player configurations,and deploy any extensions.

Since all web client users connect to the Spotfire Server in 7.6, authentication is now set up on theSpotfire Server. For more information, see Upgrading authentication method.

Prerequisites

You have a 7.6 Spotfire Server up and running.

Procedure

1. Make a copy of your old Web Player server installation directory. This is likely to be located in adefault directory such as: C:\Program Files\Tibco\Spotfire Web Player\7.0\. This willcontain your web.config file, which contains the configuration of your old Web Player server.

241

TIBCO Spotfire® Server and Environment Installation and Administration

Page 242: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If you are using scheduled updates, make sure that you also have a copy of theScheduledUpdates.xml file. For more information, see Upgrading scheduled updates.

2. Deploy the Spotfire distribution to Spotfire Server. For more information, see Deploying clientpackages to Spotfire Server.

3. Open a command line interface and export the service configuration files from Spotfire Server,specifying the Web Player capability, and the deployment area: export-service-config --capability=WEB_PLAYER --deployment-area=Production.The configuration files Spotfire.Dxp.Worker.Core.config,Spotfire.Dxp.Worker.Host.exe.config, and Spotfire.Dxp.Worker.Web.config are exported.

4. Edit the configuration files in a text editor or XML editor. Use your old web.config file as areference to replicate your old configuration.For information on the configuration files, see Service configuration files.For information on which service configuration files contain the settings from your old web.configfile, see Mapping content of old configuration files to new service configuration files.

5. In the command line interface, import the configuration files to Spotfire Server and give theconfiguration a name. For example: import-service-config --config-name=WebPlayerConfiguration.

6. In the command line interface, assign the created Web Player configuration to Spotfire Server tomake it possible to use for the service: set-server-service-config --capability=WEB_PLAYER--config-name=WebPlayerConfiguration.

7. Install the Web Player service on a node as described in Installing Spotfire Web Player instances.In the Install new service dialog, select the configuration you imported.

8. Use the Administration Manager in Spotfire Analyst to assign licenses.

For a description of the licenses, see the Administration Manager help.

Upgrading scheduled updates

In Spotfire 7.6 scheduled updates are set up using Scheduling & Routing on Spotfire Server.

Old ScheduledUpdates.xml files can be imported from a file or the library to the Spotfire database.This is done by running the import-scheduled-updates command on the command line. Old, and new,scheduled updates are then configured using Scheduling & Routing on Spotfire Server.

In Spotfire 7.6 scheduled updates are run by a pre-defined user account,scheduledupdates@SPOTFIRESYSTEM. Make sure that the accountscheduledupdates@SPOTFIRESYSTEM is a member of the same groups as the old scheduled updatesaccount. If any explicit library permissions were assigned to the old account these can be copied. Tocopy library permissions of any old account used for scheduled updates to the accountscheduledupdates@SPOTFIRESYSTEM, use the copy-library-permissions command.

For more information, see Scheduled updates to analyses. For information on setting up externalupdates using TIBCO Enterprise Message Service (EMS), see Creating a scheduled update by usingTIBCO EMS and config-external-scheduled-updates.

Upgrading Spotfire Automation ServicesUpgrade Spotfire Automation Services by installing Automation Services on a node and applying yourconfigurations.In the 7.6 architecture, you no longer install a Spotfire Automation Services server. In the 7.6architecture, all Automation Services jobs are executed on the node where Automation Services isinstalled as a service. To upgrade, you install Automation Services as a service on a node, apply yourconfigurations and deploy any extensions.

242

TIBCO Spotfire® Server and Environment Installation and Administration

Page 243: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Prerequisites

You have a 7.6 Spotfire Server up and running.

Procedure

1. Make a copy of your old Automation Services server installation directory. Navigate to the<installation directory>\webroot\bin directory. This will contain yourSpotfire.Dxp.Automation.Launcher.exe.config file, that contains the configuration of your oldAutomation Services.

2. Deploy the Spotfire distribution to the Spotfire Server. For more information, see Deploying clientpackages to Spotfire Server.

3. Open a command line interface and export the service configuration files from the Spotfire Server ,specifying the Automation Services capability, and the deployment area: export-service-config--capability=AUTOMATION_SERVICES --deployment-area=Production.The configuration files Spotfire.Dxp.Worker.Automation.config,Spotfire.Dxp.Worker.Core.config, Spotfire.Dxp.Worker.Host.exe.config andSpotfire.Dxp.Worker.Web.config are exported.

4. Edit the configuration files in a text editor or XML editor. Use your oldSpotfire.Dxp.Automation.Launcher.exe.config file as a reference to replicate your oldconfiguration.For more information on the configuration files, see Service configuration files.For information on which service configuration files contain the settings from your oldSpotfire.Dxp.Automation.Launcher.exe.config file, see Mapping content of old configurationfiles to new service configuration files.

5. In the command line interface, import the configuration files to the Spotfire Server and give theconfiguration a name. For example: import-service-config --config-name=AutomationServicesConfiguration.

6. In the command line interface, assign the created Automation Services configuration to the SpotfireServer to make it possible to use for service: set-server-service-config --capability=AUTOMATION_SERVICES --config-name=AutomationServicesConfiguration.

7. Install Automation Services as a service on a node as described in Installing Spotfire AutomationServices instances.In the Install new service dialog select the configuration you imported.

8. Use the Administration Manager in Spotfire Analyst to assign licenses required by the AutomationServices jobs to the automationservices@SPOTFIRESYSTEM user, which is the account used toexecute the jobs on the service instance.

For a description of the licenses, see the Administration Manager help.

9. Make sure that all users who should execute automation services jobs are members of the groupAutomation Services Users.

10. Existing scheduled jobs using the Client Job Sender must be updated, since the configurations havechanged and the Client Job Sender now connects to the Spotfire Server instead of an AutomationServices Server. For more information see the Automation Services User's Manual.

Upgrading authentication methodIn Spotfire 7.6 the Spotfire Server is used for all authentication.

In the old architecture, you set up authentication on the Spotfire Server for Spotfire Analyst users andon the Spotfire Web Player server for Spotfire web client users. In the 7.6 architecture you set up theauthentication for all users on the Spotfire Server.

243

TIBCO Spotfire® Server and Environment Installation and Administration

Page 244: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

This means that the same authentication method is used for Spotfire Analyst users and Spotfire webclient users.

For information on how to set up the authentication method on the Spotfire Server, see Userauthentication.

Impersonation is no longer applicable for single sign-on authentication methods as users nowauthenticate towards Spotfire Server directly.

If you used custom authentication on the Spotfire Web Player server, see External authentication.

There are, however, some special cases where different authentication methods have been used. See Anonymous combined with other authentication method and Different authentication methods forSpotfire Server and Web Player.

Anonymous combined with other authentication method

Anonymous authentication can be combined with another authentication method on the same SpotfireServer.

If you previously had a system with multiple Spotfire Web Player servers, where some usedAnonymous authentication and some used another authentication method, this is now done on thesame Spotfire Server.

To do this, first set up the authentication method you want to use. For more information, see Userauthentication.

Then also enable Anonymous authentication on the Spotfire Server. For more information, see Configuring anonymous authentication.

Different authentication methods for Spotfire Server and Web Player

It is no longer supported to use different authentication methods for the Spotfire Server and the SpotfireWeb Player.

Since all users connect to the Spotfire Server in Spotfire 7.6, it is not possible to use differentauthentication methods for Spotfire Analyst users and Spotfire web client users. If you previously useddifferent authentication methods, you must now decide on one authentication method for all users.

Upgrading load balancingIn the 7.6 architecture, you no longer need to use a load balancer between the Spotfire Server andSpotfire Web Players.

If you have a system with multiple Spotfire Web Player servers and a load balancer, the load balancer isno longer needed. In the new architecture each Web Player service on each node can have multipleinstances running. The load balancer is replaced by the routing capabilities in the new architecture. Forinformation on how to set up routing of users, see Creating a resource pool and Routing rules.

If you have a cluster of Spotfire Servers, you can still use a load balancer in front of them. For moreinformation, see Clustered server deployments.

Upgrading analysis linksIf you have web links to analyses, these must be updated to work in 7.6.

In the 7.6 architecture, you no longer install a Spotfire Web Player server that web client users connectto. In the 7.6 architecture, all web client users connect to a Spotfire Server that has a Web Player serviceinstalled on a node. Therefore, to make old links to web player analysis files continue to work aspreviously, the DNS entry to the former Web Player server must now point to the Spotfire Server.

If a custom virtual directory (other than the default SpotfireWeb) was previously used an additionalmapping must be added to the file

244

TIBCO Spotfire® Server and Environment Installation and Administration

Page 245: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

<server installation directory>/tomcat/webapps/ROOT/WEB‐INF/web.xml.

Locate the following section and add all custom directory remappings as a semicolon separated string:

The target part of the mappings should always be "spotfire/wp".

<filter> <filter-name>RedirectFilter</filter-name> <filter-class>com.spotfire.server.security.RedirectFilter</filter-class> <init-param> <param-name>rules</param-name> <param-value>SpotfireWeb=spotfire/wp;MyCustomVirtualDirectory=spotfire/wp</param-value> </init-param> </filter>

Upgrading Web Services API clientsIf you have created clients to the Spotfire Server Web Services API and you plan to activate the CSRFprotection that is now available, the clients must be modified to work properly in 7.6.

If you do not plan to activate the CSRF protection for the public Web Service API, nothing needs to bedone.

For more information about the CSRF protection and how the clients should be updated, see the WebServices API documentation on https://docs.tibco.com/products/tibco-spotfire-server.

Upgrading customizationsIf you have any custom extensions they must be deployed to the Spotfire Server. Some of them must beedited before deploying to work in 7.6.

Upgrading custom visualizations

If you are using the custom visualization extension in the Spotfire web client, the extension needs to bemodified to work properly in 7.6.

Both the C# code and the JavaScript code requires changes. For instructions on how to update the code,see the section "The Custom Visual View API" in the document "TIBCO Spotfire DeveloperDocumentation" on https://docs.tibco.com.

After the changes have been made, you must rebuild the custom visualization extension package anddeploy it to the Spotfire Server. For more information, see Adding software packages to a deploymentarea.

Upgrading cobranding

If you have cobranded an earlier version of Spotfire, the cobranding must be updated and deployed tothe server.

For information on the changes and how to cobrand Spotfire 7.6, see the TIBCO Spotfire 7.6 CobrandingManual.

Upgrading to 7.6 from 7.5Follow these steps to upgrade your Spotfire 7.5 environment to Spotfire 7.6.The Spotfire Server and node manager upgrade tools will copy all relevant settings, such asconfigurations and node manager trust to your Spotfire 7.6 environment.

Prerequisites

Before upgrading to 7.6 you should create a working backup of your 7.5 Spotfire database.

245

TIBCO Spotfire® Server and Environment Installation and Administration

Page 246: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. Stop your 7.5 Spotfire Servers and node managers. For information on how to stop them, see Startor stop Spotfire Server and Starting or stopping node manager (as a Windows service) on page 130.

2. Upgrade the Spotfire Servers by installing the 7.6 Spotfire Server and running the Spotfire Serverupgrade tool on each server. For more information, see Upgrading Spotfire Server.

3. Apply any hotfixes for the Spotfire Server. For more information, see Applying hotfixes to theSpotfire environment on page 252.

4. Start the 7.6 Spotfire Servers. For information on how to start the Spotfire Server, see Start or stopSpotfire Server.

5. Deploy the Spotfire 7.6 client packages (Spotfire.Dxp.sdn) and node manager packages(Spotfire.Dxp.NodeManager.sdn) to the Spotfire Server. For more information on how to deploypackages to the Spotfire Server, see Deploying client packages to Spotfire Server on page 80.

6. Upgrade the nodes by installing the 7.6 node manager and running the node manager upgrade toolon each node. For more information, see: Upgrading nodes.

When installing the new node managers, you should specify the same ports that wereused by the old node managers.

7. Apply any hotfixes for the node managers. For more information, see Applying hotfixes to theSpotfire environment on page 252.

8. Start the 7.6 node managers. For information on how to start the node managers, see Starting orstopping node manager (as a Windows service) on page 130.

9. OPTIONAL: Verify or edit changes to configuration files. Your existing 7.5 configurations will workin Spotfire 7.6, but some settings have been added or changed and must be updated manually if youdo not want to use their default values. For more information, see: Upgrading service configurationon page 251.

10. Update all services on all nodes in your environment. For information on how to update theservices, see Updating services on page 163.

Upgrading Spotfire ServerUpgrading Spotfire Server is done the same way as in previous versions. You install Spotfire Server 7.6and use the Spotfire Server upgrade tool to upgrade to Spotfire Server 7.6.

The Upgrade tool upgrades the Spotfire database to the current version and, if selected, copies certainfiles from an old installation of Spotfire Server to the Spotfire Server 7.6 installation directory.

If you are upgrading from a pre-7.5 Spotfire Server, you must have Spotfire Server 6.5.3 HF-008 (orlater) or Spotfire Server 7.0.0 HF-002 (or later) installed. If you have an earlier version of Spotfire Serverinstalled, you must first upgrade that server to one of these versions.

After the Spotfire database is upgraded, older versions of Spotfire Server will not be able to connect toit. Therefore, stop any older Spotfire Server connected to the Spotfire database before beginning anupgrade. If you intend to copy information from the old version, do not uninstall it until Spotfire Server7.6 is in place.

The upgrade will perform a validation of LDAP configurations. If an invalid LDAP configuration isfound, the upgrade will fail. If so, go back to your previous installation, correct the error and performthe upgrade again.

After the upgrade, make sure that the Administrator group has all licenses, including new ones,assigned to it. Use the Administration Manager in Spotfire Analyst to assign licenses. For a descriptionof the licenses, see the Administration Manager help.

246

TIBCO Spotfire® Server and Environment Installation and Administration

Page 247: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Install Spotfire Server

The Spotfire Server Upgrade tool is installed with the Spotfire Server.

For instructions on how to install Spotfire Server, see Installation.

Do not start or configure the newly installed server before running the upgrade tool.

If you are using LDAPS, and if the CA certificate is not included in the cacert file by default, you mustimport the CA certificate used to issue the LDAP server's certificate before running the upgrade tool.See Configuring LDAPS.

Run the Spotfire Server upgrade tool

You can run the upgrade tool interactively, or silently by using the command-line interface.

Before you run the upgrade tool, make a working backup of your Spotfire database.

For information on how to run the upgrade tool, see Running the upgrade tool interactively or Runningthe upgrade tool silently.

Running the Spotfire Server upgrade tool interactively

When you run the Spotfire Server upgrade tool interactively, you will be prompted for informationabout your older installation and your 7.6 installation.In the Spotfire Server 7.6 installation directory <7.6 install directory>\tools\upgrade you findthe files upgradetool.bat (Windows) and upgradetool.sh (Unix). Run the tool for your operatingsystem from a command-line prompt, or launch it in the last step of the Spotfire Server installer.

If you are upgrading a cluster of Spotfire Servers, run the upgrade tool on each server. The Spotfiredatabase will be updated the first time you run the upgrade tool.

If Spotfire Server is set up to authenticate with the Spotfire database using Windows IntegratedAuthentication, it is important that you run the upgrade tool as the same user that Spotfire Serverauthenticates as. Otherwise, the upgrade tool will not be able to authenticate with the database.

Prerequisites

● You have installed Spotfire Server 7.6.

● You have a working backup of your Spotfire database.

Procedure

1. The Spotfire Server 7.6 Upgrade panel is displayed. It provides a reminder to back up or clone theSpotfire database. Click Next.The File Locations panel is displayed. It provides new information and the choice to copy, or not tocopy, an existing configuration.

2. If you have file access to an old installation, you can select the X.X.X installation option and enterthe path to its installation directory, for example: C:\tibco\tss\X.X or /opt/tss/X.X. Click Next.If there are changes needed after the upgrade, for example, port configuration or the location of TLScertificate, manually edit the server.xml file, located in the <Spotfire Server Install Dir>\tomcat\conf folder.

3. If you did not copy an existing configuration, the Database Type and Driver panel is displayed.Here, specify the database and database driver you are using, and click Next.

247

TIBCO Spotfire® Server and Environment Installation and Administration

Page 248: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If you select a database driver type that is not installed in the old installation directory, the message“The selected driver must be installed manually” is displayed. Install the driver manually byplacing it in the <7.6 install directory>/tomcat/lib directory and restart the upgrade tool.If you select a database driver type that is not installed and click Next, the Database Drivers NotInstalled panel is displayed. If this occurs, click Done to exit the upgrade tool, then install thedatabase driver and start the upgrade tool again.The Database Connection Information panel is displayed.

4. Here, provide the Spotfire database Connection string, Username and Password. If your databaseserver uses integrated login, like Windows authentication, select the Integrated login check box, todisable the Username and Password fields. Click Next.

5. If you did not copy an existing configuration, the Additional Information panel is displayed. Here,specify the configuration tool password, the encryption password, and the server name to use whenconfiguring the Spotfire Server, and click Next.

6. If LDAP User Directory mode or Windows NT User Directory mode is used, the User DirectoryConfiguration panel is displayed. Here, select a domain name style (DNS or NetBIOS) and adefault domain.

Make sure to select an accurate domain name style for your system. For more information,see External directories and domains.

The Summary panel is displayed.

7. Click Upgrade.The Spotfire Server 7.6 Upgrade panel is displayed.

8. Here you can see if the upgrade was successful. If there were problems with the upgrade, click Nextto get information on where the issues have been logged. When the upgrade has been successfullycompleted, click Finish.

Running the upgrade tool silently

As an alternative to running the upgrade tool interactively, you can run it silently using a commandline interface.

Prerequisites

You have installed Spotfire Server 7.6.

You have a working backup of your Spotfire database.

Procedure

1. Go to the directory <7.6 install directory>/tools/upgrade.

2. Open the file silent.properties in a text editor or XML editor.

3. Follow the instructions in the file and specify the values of the parameters.The from parameter is the only parameter you are required to specify.

4. Save the silent.properties file.

5. Open a command prompt.

6. To see the parameters the upgrade tool will use:

● On Windows, type upgradetool.bat -h● On Linux, type upgradetool.sh -h

The parameters are listed in the command prompt.

248

TIBCO Spotfire® Server and Environment Installation and Administration

Page 249: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

7. To run the upgrade tool silently:

● On Windows, type upgradetool.bat -silent silent.properties● On Linux, type upgradetool.sh -silent silent.properties

8. Press Enter.The upgrade tool is run silently.

Applying hotfixes to the server

After you run the upgrade tool, you must install any available hotfix for this version of the server.

Prerequisites

● You have installed Spotfire Server.

● You have downloaded the latest hotfix for your version of Spotfire Server; for instructions, see Downloading required software.

Procedure

● Follow the instructions in the Installation_Instructions.htm file that was included in the hotfixpackage that you downloaded.

Start Spotfire Server

When the upgrade tool has completed without issues, you should start the Spotfire Server.

For information on how to start the Spotfire Server, see Starting Spotfire Server.

To verify that Spotfire Server has been installed and started, launch a browser and go to the SpotfireServer start page: http://<hostname>:<port>/spotfire.

Upgrading nodesTo upgrade the nodes, install the 7.6 node manager on the computer with the old node managerinstalled, and run the node manager upgrade tool.

Install node manager

The node manager upgrade tool is installed with the new node manager.

For instructions on how to install the node manager, see Node manager installation.

If the computer where the node manager is installed has UAC (User Account Control) turned on, youmust start the node manager installer from the command prompt, running the command prompt as anadministrator. Alternatively, you can turn UAC off by selecting Never notify in the Control Panel >User Account Control Settings dialog. To verify that UAC has been turned off, go to the Registry Editorand verify that the registry key "EnableLUA" is turned off.

Do not start or the newly installed node manager before running the upgrade tool.

249

TIBCO Spotfire® Server and Environment Installation and Administration

Page 250: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Run the node manager upgrade tool

You can run the node manager upgrade tool interactively, or silently by using the command-lineinterface.

If the computer where the node manager is installed has UAC (User Account Control) turned on, andyou do not launch the upgrade tool from the installer, you must start the node manager upgrade toolfrom the command prompt, running the command prompt as an administrator. Alternatively, you canturn UAC off by selecting Never notify in the Control Panel > User Account Control Settings dialog. Toverify that UAC has been turned off, go to the Registry Editor and verify that the registry key"EnableLUA" is turned off.

For information on how to run the node manager upgrade tool, see Running the node managerupgrade tool interactively on page 250 or Running the node manager upgrade tool silently on page250.

Running the node manager upgrade tool interactively

When you run the node manager upgrade tool interactively, you will be prompted for the installationdirectory of your older node manager installation and your 7.6 installation.The easiest way to run the node manager upgrade tool, that will copy all relevant information, such astrust, from your old node manager installation, is to launch it directly from the installer, when installingthe 7.6 node manager. If you do not launch the upgrade tool from the installer, run the fileupgradetool.bat from the location <7.6 node manager install directory>\nm\upgrade.

Prerequisites

You have installed a 7.6 node manager.

Procedure

1. In the Upgrade to path: field, specify the location of your 7.6 node manager installation directory.2. In the Upgrade from: field, specify the location of your old node manager installation directory.3. Select if you want the upgrade tool to start the node manager Windows service after upgrade, or

not. If you do not start it after upgrade, see Starting or stopping node manager (as a Windowsservice) on page 130 for information on how to start the node manager Windows service manually.

4. Click Run Upgrade.The result of the node manager upgrade will be shown in the text field below the controls.

5. When the node manager is successfully upgraded, close the node manager upgrade tool window.6. After verifying that the new node manager installation is working, the old node manager should be

uninstalled.

Running the node manager upgrade tool silently

As an alternative to running the node manager upgrade tool interactively, you can run it silently fromthe command-line.

Prerequisites

You have installed a 7.6 node manager.

Procedure

1. On the command-line, go to the directory <7.6 node manager installation directory>/nm/upgrade.

250

TIBCO Spotfire® Server and Environment Installation and Administration

Page 251: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

2. Run the command upgradetool.bat --cmd --from<the old node manager installationdirectory> --to<the 7.6 node manager installation directory>.The node manager upgrade tool is run silently.

3. After upgrading the node manager, you should start the node manager Windows service, for moreinformation, see Starting or stopping node manager (as a Windows service) on page 130.

4. After verifying that the new node manager installation is working, the old node manager should beuninstalled.

Upgrading service configurationSome service configuration changes require manual updates if you do not want to use their defaultvalues.In Spotfire 7.6 additional service configuration settings have been added for the mini dump creation if aservice goes down unintentionally. If you are not using the default configurations, you must add theseto your configuration if you want to specify the location where the mini dump files should be saved, orif you want to create a full dump.

Procedure

1. Open a command-line interface and export the service configuration from Spotfire Server by usingthe export-service-config command. Specify the name of your configuration:export-service-config --config-name=value

2. Open the exported configuration file Spotfire.Dxp.Worker.Web.config in a text editor or XMLeditor.

3. Locate the section <errorReporting>.

4. Add the following settings in the <errorReporting> section: miniDumpSizeLarge="false" andminiDumpPath="".

The miniDumpSizeLarge setting can create a very large dump file and that it shouldn't beedited unless instructed by Spotfire Support.

5. Specify the location where the mini dump file should be saved on the computer with the nodemanager installed. Leave this empty to save the mini dump file to the folder that contains the nodemanager log files.

6. Save the configuration file.

7. In the command-line interface, import the configuration file back into Spotfire Server by using the import-service-config command.import-service-config --config-name=value

251

TIBCO Spotfire® Server and Environment Installation and Administration

Page 252: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Applying hotfixes to the Spotfire environment

Any available hotfixes for parts of your Spotfire environment should be downloaded and installed.

All hotfixes for your Spotfire environment can be found here http://support.spotfire.com/patches.asp.

Make sure to follow the installation instructions that are included in each hotfix package.

Upgrade between service pack versionsService packs are installed by applying the latest hotfix.

If you already have Spotfire Server 7.6.0 installed and want to upgrade to a later service pack version,for example 7.6.x, you should not run the installer for that service pack version. The service pack isinstalled by applying the latest hotfix.

Go to http://support.spotfire.com/patches_spotfireserver.asp to download the latest hotfix for theSpotfire Server.

Installation instructions for each hotfix are included in the package.

Applying hotfixes for servicesAny available hotfixes for your Automation Services or Web Player services should be downloaded andinstalled.

Procedure

1. Go to http://support.spotfire.com/patches_spotfire.asp to download the latest hotfix for yourservices.

2. Deploy the downloaded Spotfire distribution to the Spotfire Server. For instructions, see Deployingclient packages to Spotfire Server.

3. Update the services. For instructions, see Updating services.

252

TIBCO Spotfire® Server and Environment Installation and Administration

Page 253: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Backup and restore

To enable recovery after a crash or disaster in your Spotfire environment, it is important thatinformation stored in the system is backed up. Most of this information is stored in the Spotfiredatabase, but some of it is stored on the Spotfire Server.

This manual will not describe how to perform backups, only what to back up. It is assumed that youhave some sort of backup software for files and computers, and that you use the backup tools providedwith the database. Refer to the database documentation for instructions on how to perform backups.

One can only restore to a machine running the same operating system as the backed up system, sincethere is a bundled Java runtime with binaries for a specific architecture.

Back up each server in the cluster.

The following sections describe what needs to be backed up.

Backup of Spotfire databaseThe most important part of the Spotfire environment to back up is the Spotfire database.

It contains tables which store the state of the server, for example the library, preferences, anddeployments. Most of the server and service configuration files are also stored in the database. Even ifonly the database has been backed up, it is still possible to restore most of the functionality after acrash. It is therefore vital that you have a valid and current backup of the Spotfire database.

Verify your backups.

Backup of Spotfire ServerA small set of configuration is unique for each Spotfire Server and is stored on the actual Spotfire Serverrather than in the database.

This includes information about how Spotfire Server connects to the Spotfire database, which ports theserver should listen to, authentication methods such as Kerberos etc.

During installation the server files are essentially all placed in the installation directory. It should besufficient to back up this directory, of course it is possible to back up the entire file system.

Once a server has been configured or hotfixed there are no further persistent changes. Log files andother temporary files will change, but a restored backup will have the same functionality.

The configuration which is not in the database includes:

● Listening ports configuration. See The server.xml file for more information.

● Database connection and database drivers. See Database drivers and database connection URLs formore information.

● Logging configuration. See Monitoring and diagnostics for more information.

● Memory configuration. See Virtual memory modification for more information.

● HTTPS. See HTTPS for more information.

● Authentication such as Kerberos or Client Certificates.

● Any other advanced configuration performed in Advanced procedures. When performing advancedconfiguration, you should always take backup into consideration.

The bootstrap.xml file is not stored in the database either. However, since the bootstrap.xml filecontains a unique server ID, it can not be re-used if a server is restored on another machine. Therefore,in the event of a server crash where the server is restored on another machine, it is recommended tobootstrap the server again.

253

TIBCO Spotfire® Server and Environment Installation and Administration

Page 254: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Whenever you make any configuration changes or have applied a server hotfix, you should alsoperform a backup of the Spotfire Server installation directory.

Windows Installations

On Windows installations, there is functionality which will not be restored by only recovering theSpotfire Server installation directory:

● Windows Service

● Uninstall functionality

● Start Menu shortcuts

The Windows Service can be (re-)installed using the bat file service.bat located in the<installation dir>\tomcat\bin directory. Run it on the command line with the followingarguments: C:\tibco\tss\7.6.0\tomcat\bin>service.bat install.

Uninstallation can be done by removing the service and simply remove the installation directory.

The Start Menu shortcuts can be backed up by copying them to the server installation directory, backthat up, and when restoring, copying these files to the start menu directory.

Unix and Linux Installations

On Unix and Linux installations, no essential data is placed outside the installation directory bySpotfire Server. If you have a startup script for the server, it will need to be recreated.

Network Considerations

If you are using Kerberos you should note that configuration needed for this to work is tied to a specificmachine and cannot be copied easily to a new one.

You should also consider any other conditions in your environment and their implications, such as IPaddresses and firewall rules, LDAP restrictions, and anything else that might affect getting a systemback up and running.

Backup of servicesThe service configuration files are stored in the Spotfire database, so there is no need to make additionalbackups for the services.

If a node or service must be restored, install it again and select the configuration used for the oldservice.

Information on which resource pools the service instances should be used for is not stored in thedatabase. The new service instances must be assigned to the old resource pools manually.

254

TIBCO Spotfire® Server and Environment Installation and Administration

Page 255: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Uninstallation

To perform a complete uninstallation of your Spotfire environment, the following steps must becompleted, in order.

Deleting servicesThe first step of uninstalling the Spotfire environment is to delete the installed services.

Procedure

1. Go to the Spotfire Server start page and log in as an administrator.2. Click Nodes & Services.3. On the Your network page, under Select a view, select Nodes.4. In the left pane, expand the entries under the node and select the service.5. In the right pane, click Delete for each installed service.

Revoking trust of nodesThe second step of uninstalling the Spotfire environment is to revoke the trust for all installed nodes.For instructions on how to revoke the trust of a node, see Revoking trust of a node.

This must be done for each node in your Spotfire environment.

Uninstall node managerThe third step of uninstalling the Spotfire environment is to uninstall all node managers.

Uninstallation of the node manager is performed through the regular Windows procedure. On eachmachine with a node manager installed, select:

Start > Control Panel > Programs and Features > Uninstall or change a program, right-click TIBCOSpotfire Node Manager 7.6 and select Uninstall.

Uninstall Spotfire ServerThe fourth step of uninstalling the Spotfire environment is to uninstall the Spotfire Server(s).

If you have placed any additional files in the installation directory or any of its subdirectories, such asSpotfire Library export files, you should move these files to a secure location before uninstalling. Theinstaller will remove the installation directory and all its subdirectories.

Windows

Uninstallation of Spotfire Server is performed through the regular Windows procedure. On eachmachine with a Spotfire Server installed, select:

Start > Control Panel > Programs and Features > Uninstall or change a program, right-click TIBCOSpotfire Server 7.6 and select Uninstall.

After successful uninstallation, only user modified files remain on the machine (such as custom JDBCdrivers).

RPM Linux

On each machine with a Spotfire Server installed, uninstall the server by running the command:

rpm -e tss-7.6.0.

255

TIBCO Spotfire® Server and Environment Installation and Administration

Page 256: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

After a successful uninstallation, only modified files in tomcat/conf remain.

Tarball Linux

On each machine with a Spotfire Server installed, uninstall the server by running the followingcommands:

If the Spotfire Server was configured to start on boot, it must be stopped and removed.

To stop the server, run the command:

service tss-7.6.0 stop

To remove the server, run the command:

chkconfig --del tss-7.6.0

Delete added scripts by running the following commands:

rm /etc/init.d/tss-7.6.0

rm /etc/sysconfig/tss-7.6.0

To be able to do this, you must have root access.

The final step is to remove the folder with Spotfire Server files. Do this by running the command:

rm -rf <the folder where the tarball was installed>

Remove the databaseThe final step of uninstalling the Spotfire environment is to remove the database.

Removing the database deletes all user data and most Spotfire Server configurations permanently.

In the scripts/oracle_install/utilities and scripts/mssql_install/utilities directories inthe Spotfire Server installation kit, there are a number of scripts that can be used to remove the Spotfireand Demo databases. Before you run the script, open it in a text editor and edit the variables set duringdatabase preparation.

For more information on the variables, see Setting up the Spotfire database (Oracle) or Setting up theSpotfire database (SQL Server).

For more information on the scripts, see the REAMDE.txt file in the respective directories.

256

TIBCO Spotfire® Server and Environment Installation and Administration

Page 257: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Advanced procedures

These manual procedures are for setting up various features that are supported by Spotfire. Many ofthe procedures assume prior knowledge of technologies such as LDAP, Kerberos, Apache httpd, and soon.

Temporary tablespaceBy default, the tablespaces/database files for Spotfire Server with either an Oracle or SQL database usesautoextend/autogrowth. If this does not meet your needs, alter the settings.

You may want to alter the amount that the files are extended with each increment.

For Oracle, review the maxsize for each table space. For SQL, review the unlimited growth property.

Virtual memory modificationIf many simultaneous users intend to perform heavy data pivoting via Information Services or in otherways stress the server, you may need to modify the amount of memory available to the virtualcomputer.

Modifying the virtual memory (server running as Windows service)If Spotfire Server is running as a Windows service, you can modify the virtual memory by followingthese steps to set up the start script.

Procedure

1. Stop the Spotfire Server service.

2. In the command-line tool, go to the <installation dir>/tomcat/bin directory.

3. Enter the following command: service.bat remove

4. Open the <installation dir>/tomcat/bin/service.bat file in a text editor.

5. Locate the following entries and change the numbers to suitable memory values (in MB):

● --JvmMs 512

● --JvmMx 1536

6. Save and close the file.

7. Enter the following command: service.bat install

8. Start the Spotfire Server service.

Modifying the virtual memory (server not running as Windows service)If Spotfire Server is not running as a Windows service, you can modify the virtual memory byfollowing these steps to set up the start script.

Procedure

1. Open the file <installation dir>/tomcat/bin/setenv.bat/.sh in a text editor.

2. Locate the line that sets the variable JAVA_OPTS. It will be one of the following:

● set JAVA_OPTS=-server -XX:+DisableExplicitGC -XX:MaxPermSize=256M -Xms512M -

Xmx1536M

257

TIBCO Spotfire® Server and Environment Installation and Administration

Page 258: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● JAVA_OPTS="-server -XX:+DisableExplicitGC -XX:MaxPermSize=256M -Xms512M -

Xmx1536M"

3. Set the following values to the amount of memory you want to allocate:

● -Xms512M

● -Xmx1536M

4. Restart the server.

Library content storage outside of the Spotfire databaseTo minimize the size of your Spotfire database, you can store your organization's Spotfire librarycontent (analyses and analysis data) in the cloud using Amazon Web Services S3 (AWS), or in a filesystem elsewhere.

In a typical Spotfire installation, the largest part of database storage consists of the library content.When you move the library content to external storage, only the metadata about the library filesremains in the database. The other items in database storage (system configuration data, permissions,licenses, and so on) remain where they are.

In this scenario, all library content is stored externally; it isn't possible to split storage between theserver database and the external site.

Currently there are three main drawbacks to this option:

● Referential integrity is not guaranteed; there is the possibility that content referenced in the Spotfiredatabase will not exist in external storage, and vice versa.

● Your system may run more slowly, such as when loading files.

● A database backup will not back up the library content.

Configuring external library storage in AWSYou can configure external library storage in the cloud using Amazon Web Services S3 (AWS).

Prerequisites

● You must have an Amazon S3 account.

● You must have a bucket name. Every server database (or database cluster) should have its ownbucket. (Items stored in S3 are identified by their GUIDs. If different servers use the same bucket,importing files to Cluster B—when the files already exist in Cluster A—will overwrite the files inCluster A.)

Procedure

1. Back up the database.

2. In the command-line tool, export the library using the export-library-content command.

3. Remove the content from the library.

Do not use the truncate command in the database because there are hidden folders thatshould not be removed.

4. To enable external storage and select the type of external storage, use the command config-library-external-data-storage.

5. To configure AWS storage, use the command config-library-external-s3-storage.

258

TIBCO Spotfire® Server and Environment Installation and Administration

Page 259: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

You can set the following options when using this command:● Which AWS regional datacenter the server should connect to.

● Whether large files should be uploaded in chunks, and the details of this behavior.

6. Import the library.

The external library storage system uses the Spotfire library globally unique identifiers(GUIDs) to identify files.

For information on monitoring the external system, see Monitoring external library storage andfixing inconsistencies.

Configuring external library storage in a file systemYou can configure external library storage in a file system using the command-line tool.

Procedure

1. Back up the database.

2. In the command-line tool, export the library using the export-library-content command.

3. Remove the content from the library.

Do not use the truncate command in the database because there are hidden folders thatshould not be removed.

4. To enable external storage and select the type of external storage, use the command config-library-external-data-storage.

5. To specify the path to the storage root, use the command config-library-external-file-storage.Subdirectories for the content files are created under this root.

6. Import the library.

The external library storage system uses the Spotfire library globally unique identifiers(GUIDs) to identify files.

For information on monitoring the external system, see Monitoring external library storage andfixing inconsistencies.

Monitoring external library storage and fixing inconsistenciesBecause there is no guarantee of referential integrity when using external library storage, theadministrator should regularly check for inconsistencies between the metadata in the Spotfire databaseand the files in external storage.

Procedure

1. In the command-line tool, enter the command check-external-library to check for discrepancies.A discrepancy report is generated, including where discrepancies occur and any availableinformation to help identify the "orphan" files. This is an excerpt from a report:

2. If a file is found in external storage that is not referenced in the Spotfire database, you can downloadthe file. If it is an analysis file, you can then manually save it to the Spotfire library. If metadata isfound for a file that does not exist, you can delete the metadata.

259

TIBCO Spotfire® Server and Environment Installation and Administration

Page 260: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

If you want to Do this

Retrieve an orphan file from Amazon WebServices S3 (AWS)

Download it using the command s3-download.

Retrieve an orphan file from an external filesystem

Manually copy it from the file system.

Delete files from AWS Use the command delete-library-content.

Delete files from an external file system Manually delete the files.

Delete metadata from Spotfire Server Use the command delete-library-content.

Forcing Java to use Internet Protocol version 4

If your library files are stored on Amazon Web Services S3 (AWS) and you discover instances of thefollowing event in the server logs, you should force Java to use Internet Protocol version 4 (IPv4):java.net.UnknownHostException: <your bucket name>.s3.amazonaws.com at

java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)

This parameter is set manually in a Spotfire Server configuration file.

Procedure

1. Open the appropriate file in a text editor:

● If you are running Spotfire Server as a Windows service, open the <installation dir>/tomcat/bin/service.bat file.

● If you are not running Spotfire Server as a Windows service, open the <installation dir>/tomcat/bin/setenv.bat file.

2. Locate the variable named JAVA_OPTS.

3. Enter the following parameter in the JAVA_OPTS section: -Djava.net.preferIPv4Stack=trueThe file will look similar to this (the new parameter is highlighted in yellow):

4. Save and close the file.

5. Restart Spotfire Server.

260

TIBCO Spotfire® Server and Environment Installation and Administration

Page 261: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Data source templatesData source templates are used when creating information links. Using the Information Designer toolfound in Spotfire Analyst, a database administrator can create custom data source templates to definethe data sources that are available to users when they create information links.

For more information about the Information Designer, see the Spotfire Analyst help.

Spotfire Analyst includes two data source templates:

● Oracle (DataDirect driver)

● Microsoft SQL Server (DataDirect driver)

Custom data source templates can be based on the following data sources:

● Teradata

● Sybase (JTDS)

● Sybase (DataDirect)

● Sybase

● SQL Server 2005

● SQL Server (JTDS)

● SQL Server (DataDirect)

● SQL Server

● SAS/SHARE

● Composite

● Oracle (delegated Kerberos)

● Oracle (DataDirect)

● Oracle

● MySQL5

● MySQL (DataDirect)

● MySQL

● DB2 (DataDirect)

● DB2

If you add a data source template that does not use the pre-installed DataDirect driver, you mustmanually install this driver on each Spotfire Server in the cluster before you restart the cluster.Download the appropriate driver JAR file and place it in the /tomcat/lib folder of each server.

Setting up MySQL5 vendor driverFor the MySQL5 vendor driver to work with MySQL data sources that include TIMESTAMPS that canpotentially be null, you must edit the template.

Procedure

1. In the MySQL5 data source template, locate the following section:<connection-properties> <connection-property> <key>useDynamicCharsetInfo</key> <value>false</value>

261

TIBCO Spotfire® Server and Environment Installation and Administration

Page 262: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

</connection-property></connection-properties>

2. Within the connection-properties tag, add the following code:<connection-property> <key>noDatetimeStringSync</key> <value>true</value></connection-property><connection-property> <key>zeroDateTimeBehavior</key <value>convertToNull</value></connection-property>

Data source template commandsYou can use these command-line commands to handle data source templates.

If you want to Use this command Notes

Add a new data sourcetemplate

add-ds-template

Enable, modify, or disable adata source template

modify-ds-template For a data source template tobecome available in theInformation Designer, it mustbe enabled.

Remove a data source template remove-ds-template Verify that no data sources usethe data source template beforeyou remove it. If a data sourcetemplate is removed, all datasources using that templatestop working.

XML settings for data source templatesThe following table defines all the available XML settings for data source templates; only the first threeare required. All other settings use their default values if not specified.

Setting Description Default value

type-name A unique name for theconfiguration.

driver The JDBC driver Java classused for creatingconnections.

connection-url-pattern A pattern for theconnection URL. The URLsyntax is driver specific.

ping-command A dummy command totest connections.

SELECT 1

connection-properties JDBC connectionproperties.

262

TIBCO Spotfire® Server and Environment Installation and Administration

Page 263: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

metadata-provider Java class that providesdatabase metadata.

BasicJDBCMetadataProvider

sql-filter Java class that generatesSQL.

BasicSQLFilter

sql-runtime Java class that handlesSQL execution.

BasicSQLRuntime

fetch-size A fetch size specifies theamount of data fetchedwith each database roundtrip for a query. Thespecified value is shownas the default value inInformation Designer.May be changed atinstance level.

10000

batch-size A batch size specifies theamount of data in eachbatch update. Thespecified value is shownas the default value inInformation Designer.May be changed atinstance level.

100

max-column-name-length The maximum length of adatabase column name.This limit is used whencreating temporary tables.

30

table-types Specify which table typesto retrieve.

TABLE, VIEW

supports-catalogs Tells if the driver supportscatalogs.

true

supports-schemas Tells if the driver supportsschemas.

true

supports-procedures Tells if the driver supportsstored procedures.

false

supports-distinct Tells if the driver supportsdistinct option in SQLqueries.

true

supports-order-by Tells if the driver supportsorder-by option in SQLqueries.

true

263

TIBCO Spotfire® Server and Environment Installation and Administration

Page 264: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

column-name-pattern Determines how a columnname is written in the SQLquery.

"$$name$$"

table-name-pattern Determines how a tablename is written in the SQLquery.

"$$name$$"

schema-name-pattern Determines how a schemaname is written in the SQLquery

"$$name$$"

catalog-name-pattern Determines how a catalogname is written in the SQLquery.

"$$name$$"

procedure-name-pattern Determines how aprocedure name is writtenin the SQL query.

"$$name$$"

column-alias-pattern Determines how a columnalias is written in the SQLquery.

"$$name$$"

string-literal-quote The character used asquote for string literals.

SQL-92 standard

max-in-clause-size The maximum size of anSQL IN-clause. Larger listsare split into severalclauses that are OR:edtogether.

1000

condition-list-threshold A temporary table is usedwhen executing an SQLquery, where total size of acondition list is larger thanthis threshold value. AData Base Administratormay prefer a lower valuethan the default. Dependson the maximum SQLquery size.

10000

expand-in-clause If true, an SQL IN-clausewill be expanded into ORconditions.

false

table-expression-pattern Determines how a tableexpression is written in theSQL query; catalog andschema may be optional(surrounded by brackets).

[$$catalog$$.][$$schema$$.]$$table$$

264

TIBCO Spotfire® Server and Environment Installation and Administration

Page 265: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

procedure-expression-pattern

Determines how aprocedure expression iswritten in the SQL query.

[$$catalog$$.][$$schema$$.]$$procedure$$

procedure-table-jdbc-type Integer representing thejdbc type identifying atable returned form aprocedure as defined byjava.sql.Types.

0

procedure-table-type-name

Display name for tablesfrom procedure. This iscurrently not visible to theuser in any UI.

null

date-format-expression An expression thatconverts a date field to astring value on the format:YYYY-MM-DD, for example,2002-11-19. Used in WHEREand HAVING clauses. Thetag $$value$$ is aplaceholder for the datefield.

$$value$$

date-literal-format-expression

An expression thatconverts a date literal onthe format YYYY-MM-DD toa date field value. Used inWHERE and HAVING clauses.The tag $$value$$ is aplaceholder for the dateliteral.

'$$value$$'

time-format-expression An expression thatconverts a time field to astring value on the format:HH:MM:SS, for example14:59:00. Used in WHEREand HAVING clauses. Thetag $$value$$ is aplaceholder for the timefield.

$$value$$

time-literal-format-expression

An expression thatconverts a time literal onthe format HH:MM:SS to atime field value. Used inWHERE and HAVING clauses.The tag $$value$$ is aplaceholder for the timeliteral.

'$$value$$'

265

TIBCO Spotfire® Server and Environment Installation and Administration

Page 266: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

date-time-format-expression

An expression thatconverts a datetime fieldto string value on theformat: YYYY-MM-DDHH:MM:SS, for example2002-11-19 14:59:00. Usedin WHERE and HAVINGclauses. The tag $$value$$ is a placeholder for thedate-time field.

$$value$$

date-time-literal- format-expression

An expression thatconverts a date-time literalon the format YYYY- MM-DD HH:MM:SS to a date-time field value. Used inWHERE and HAVINGclauses. The tag $$value$$is a placeholder for thedate-time literal.

'$$value$$'

java-to-sql-type-conversions:

● String

● Integer

● Long

● Float

● Double

● Date

● Time

● DateTime

Type conversions neededwhen a join data sourcecreates a temporary tablefor result from a subquery.For String conversion %swill be replaced by thesize of the string. A match-length attribute may bespecified (see MySQL).Different String types maybe needed dependant ofthe length of the string.Note that there must be aVARCHAR conversion forwhen the length of thestring is unknown (255 inthe example here). Whenseveral VARCHARmappings are specified,the mapping that firstmatches the match-lengthis used.

VARCHAR($$value$$) VARCHAR(255)INTEGER BIGINT REAL DOUBLEPRECISION DATE TIME TIMESTAMP

temp-table-name-pattern Determines how to formata temporary table name inan SQL command.

$$name$$

266

TIBCO Spotfire® Server and Environment Installation and Administration

Page 267: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

create-temp-table-command

SQL commands forcreating a temporary table.This is used to store filtervalues (when more thancondition-list-

threshold) and to storeresult from subqueries.The syntax may varybetween databases. $$name$$ is a placeholderfor the table name. $$column_list$$ is aplaceholder for a columnlist on the format (nametype, name type, ...).

CREATE TEMPORARY TABLE $$name$$ $$column_list$$

drop-temp-table-command

SQL commands fordeleting a temporarytable. The syntax may varybetween databases. $$name$$ is a placeholderfor the table name

DROP TABLE $$name$$

data-source-authentication

Default value data sourceauthentication. (boolean).This value can be set(overridden) in theInformation InteractionDesigner.

false

lob-threshold Threshold when LOBvalues used as parametersin a WHERE clause, mustbe written in temporarytables. The default meansno limit.

-1

use-ansi-join The default generated SQLcreates joins with wherestatements.

If this setting is set to true,an attempt is made torewrite it to standardANSI format.

If this setting is set to false,no attempt to rewriteinner joins will be madeand outer joins depend onthe value set for use-ansii-style-outer-

join.

false

267

TIBCO Spotfire® Server and Environment Installation and Administration

Page 268: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description Default value

use-ansii-style-outer-join The default generated SQLuses the Oracle way with"(+)" to indicate joins. Ifthis setting is set to true anattempt is made to rewriteit to standard ANSIformat, making it possibleto run on non Oracledatabases.

If use-ansi-join is set totrue, then thissetting has noeffect.

false

credentials-timeout Defines the time inseconds user credentialsare cached on the serverfor a particular datasource. Value must bebetween 900 (15 minutes)and 604800 (1 week).Applicable only if data-source-authentication

is set to true.

86400 (24 hours)

JDBC connection properties

The optional <connection-properties > parameter block in the configuration can be used to defineJDBC connection properties parameters to be used when connecting to the data sources of the giventype. A typical use case is to specify encryption and integrity checksum algorithms for secure databaseconnections.

Each connection property consists of a key-value pair. The syntax for specifying JDBC connectionproperties for a connection pool is shown in the configuration example below.

If you need different JDBC connection properties for different data sources of the same type, justduplicate the <jdbc-type-setting> configuration, rename the configurations for each variant needed,and define the proper JDBC connection properties. Make sure to update any already existing datasources so that they are of the correct type.

Example: Defining JDBC connection Properties for data source of type oracle. This example creates anencrypted connection to the database.<jdbc-type-settings> <type-name>oracle</type-name> <driver>oracle.jdbc.OracleDriver</driver> <connection-urlpattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern> <ping-command>SELECT 1 FROM DUAL</ping-command> <connection-properties> <connection-property> <key>oracle.net.encryption_client</key> <value>REQUIRED</value> </connection-property><connection-property> <key>oracle.net.encryption_types_client</key>

268

TIBCO Spotfire® Server and Environment Installation and Administration

Page 269: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

<value>( 3DES168 )</value> </connection-property> <connection-property> <key>oracle.net.crypto_checksum_client</key> <value>REQUIRED</value> </connection-property> <connection-property> <key>oracle.net.crypto_checksum_types_client</key> <value>( MD5 )</value> </connection-property> </connection-properties> ...</jdbc-type-settings>

Advanced connection pool configuration

Information Services uses the same underlying connection pool implementation as Spotfire Server usesfor connecting to its own database. The following special parameters are available to configure some ofthe aspects of that connection pool.

Special parameter Corresponding common parameter

spotfire.pooling.data.source.scheme pooling-scheme

spotfire.pooling.data.source.connection.

timeout

connection-timeout

spotfire.pooling.data.source.login.timeo

ut

login-timeout

spotfire.kerberos.login.context kerberos-login-context

For more information, see Database connectivity.

All these parameters should be added as JDBC connection properties. However, they are never used asreal JDBC connection properties and are never sent to a database server.

Example: Configuring a connection pool for Oracle databases<jdbc-type-settings> <type-name>oracle</type-name> <driver>oracle.jdbc.OracleDriver</driver> <connection-urlpattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern> <ping-command>SELECT 1 FROM DUAL</ping-command> <connection-properties> <connection-property> <key>spotfire.pooling.data.source.scheme</key> <value>WAIT</value> </connection-property> <connection-property><key>spotfire.pooling.data.source.connection.timeout</key> <value>1800</value> </connection-property> <connection-property> <key>spotfire.pooling.data.source.login.timeout</key> <value>30</value> </connection-property> </connection-properties> ...</jdbc-type-settings>

269

TIBCO Spotfire® Server and Environment Installation and Administration

Page 270: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Kerberos authentication for JDBC data sources

Configuring Kerberos authentication for JDBC data sources is similar to configuring Kerberos for theconnection to the Spotfire database.

For more information, see Using Kerberos to log in to the Spotfire database.

This is an example of configuring a connection pool for Oracle databases:<jdbc-type-settings> <type-name>oracle</type-name> <driver>oracle.jdbc.OracleDriver</driver> <connection-urlpattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern> <ping-command>SELECT 1 FROM DUAL</ping-command> <connection-properties> <connection-property> <key>spotfire.kerberos.login.context</key> <value>DatabaseKerberos</value> </connection-property> <connection-property> <key>oracle.net.authentication_services</key> <value>( KERBEROS5 )</value> </connection-property> </connection-properties> ...</jdbc-type-settings>

Using Kerberos authentication with delegated credentials

To have users authenticate to different data sources with their own single sign-on login information, theserver can delegate the user authentication to the data source. This is only possible if you use theKerberos single sign-on method.

Prerequisites

For delegation to work, no client user account in the domain can have the setting Account is sensitiveand cannot be delegated. By default, this is not set.

Procedure

1. Set up Kerberos authentication as described in Kerberos authentication. Make sure that users canlog in with this method.

2. Grant the right to delegate client credentials to the Spotfire Server service account that is used forclient authentication.

Only the specified accounts can be delegated by the service account.

● If your Windows domain is using Windows Server 2003 or later, grant constrained delegationrights to the service account; see Enabling constrained delegation.

● If you are using an earlier version of Windows Server or cannot use this method, grantunconstrained delegation rights; see Enabling unconstrained delegation for an account on adomain controller in Windows 2000 mixed or native mode or Enabling unconstraineddelegation on a domain controller in Windows Server 2003 mode.

3. Create a JDBC data source template using Kerberos login; see Creating an Information Services datasource template using Kerberos login.

4. Verify the new template; see Verifying a data source template.

270

TIBCO Spotfire® Server and Environment Installation and Administration

Page 271: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Enabling constrained delegation

This is the second step in the process of setting up Kerberos authentication with delegated credentialsfor your Spotfire implementation.

Procedure

1. On the domain controller, select Start > Programs > Administrative Tools.

2. Select Active Directory Users and Computers.

3. Locate the account.

4. To open the account properties, right-click the account name and then click Properties.

5. On the Delegation tab, select Trust this user for delegation to specified services only.

The Delegation tab is visible only for accounts to which SPNs are mapped.

6. Select Use any authentication protocol, and then click Add.

7. Click Users or Computers and select the account for which Spotfire Server has a keytab, and towhich the SPNs are mapped.

8. Select all services that apply, and then click OK.

9. Click Apply.

What to do next

Creating an Information Services data source template using Kerberos login

Enabling unconstrained delegation for an account on a domain controller in Windows 2000 mixed ornative mode

This is the second step in the process of setting up Kerberos authentication with delegated credentialsfor your Spotfire implementation.

Procedure

1. On the domain controller, select Start > Programs > Administrative Tools.

2. Select Active Directory Users and Computers.

3. Locate the account.

4. To open the account properties, right-click the account name and then click Properties.

5. On the Account tab, in the Account Options list, select Account is trusted for delegation.

6. Click Apply.

What to do next

Creating an Information Services data source template using Kerberos login

271

TIBCO Spotfire® Server and Environment Installation and Administration

Page 272: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Enabling unconstrained delegation on a domain controller in Windows Server 2003 mode

This is the second step in the process of setting up Kerberos authentication with delegated credentialsfor your Spotfire implementation.

Procedure

1. On the domain controller, select Start > Programs > Administrative Tools.

2. Select Active Directory Users and Computers.

3. Locate the account.

4. To open the account properties, right-click the account name and then click Properties.

5. On the Delegation tab, select Trust this user for delegation to any service (Kerberos only).

The Delegation tab is visible only for accounts to which SPNs are mapped.

6. Click Apply.

What to do next

Creating an Information Services data source template using Kerberos login

Creating an Information Services data source template using Kerberos login

The default Information Services Data Source templates that are included with Spotfire Server are notconfigured to use Kerberos. You must therefore create a new data source template based on one of thedefault templates.

Procedure

1. Use the list-ds-template command to list the existing data source templates and select one thatmatches the database you are setting up, for example Oracle.

2. Use the export-ds-template command to export the definition of the selected data source template.

3. Open the exported definition file in a text editor.

4. Add the JDBC connection property key spotfire.connection.pool.factory.data.source withthe value kerberos.data.source within the connection-properties element. If there is noconnection-properties element, create one.There may also be other connection properties you must add; consult the documentation of thedatabase server for more information. For general instructions about adding connection properties,see JDBC connection properties.Example:<jdbc-type-settings> <type-name>oracle</type-name> <driver>oracle.jdbc.OracleDriver</driver> <connection-urlpattern>jdbc:oracle:thin:@&lt;host&gt;:&lt;port1521&gt;:&lt;sid&gt;</connection-url-pattern> <ping-command>SELECT 1 FROM DUAL</ping-command><connection-properties> <connection-property> <key>spotfire.connection.pool.factory.data.source</key> <value>kerberos.data.source</value> </connection-property><connection-property> <key>oracle.net.authentication_services</key> <value>(KERBEROS5)</value>

272

TIBCO Spotfire® Server and Environment Installation and Administration

Page 273: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

</connection-property></connection-properties>

5. Use the add-ds-template command to add the new data source template with a suitable name, suchas "oracle_kerberos", using the modified template definition.

6. Import the configuration and restart the server.

What to do next

Verify the data source template

Verifying a data source template

Procedure

1. Log in to Spotfire Analyst as an administrator.

2. Select Tools > Create Information Link

3. Click Setup Data Source.

4. Enter a name for the data source connection.

5. Specify the type of data source.

6. Enter the connection URL and max/min-values for the connection pool.

7. Enter a username and a password to connect to the database.

This does not apply to Kerberos.

8. Click Save.

9. In the left pane, click the Data sources tab.

Result

The data source name should appear in the tree to the left, ready for use.

Information Services settingsInformation Services provides end users with the ability to access and pivot data from multipledatabases simultaneously, without having to know anything about installing database drivers,underlying data schemas or SQL.

End users' access to data from multiple sources can be configured and controlled through settings inInformation Services. Below is a list of common settings and short descriptions. See Manually editingSpotfire Server configuration files for instructions on how to change the settings.

Setting Description

information‐services.jdbc.oracle.use‐faster‐schema‐listing

List all Oracle users as schema list.

information‐services.dat.no‐sbdf Use Spotfire text data format or Spotfire binarydata format when transferring data fromSpotfire Server to a Spotfire client.

273

TIBCO Spotfire® Server and Environment Installation and Administration

Page 274: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Setting Description

information‐services.runtime‐query‐validation

Validate information link prior to execution.

information‐services.dat.data‐block‐queue‐size

Maximum number of queued (not yet consumedby client) data blocks per job.

information‐services.dat.idle‐limit Maximum idle time in seconds before a job isgarbage collected.

information‐services.dat.max‐field‐size Maximum size (in Megabytes) for a data cell.

information‐services.dat.max‐jobs Maximum number of concurrent jobs.

information‐services.dat.max‐timeout Maximum value of timeout parameters; must beat least 60 seconds less than the idle limit.

information‐services.dat.pivot.thread‐pool‐size

Maximum number of pivot worker threads.

information‐services.dat.reshape.max‐memory‐usage

Maximum memory available to a reshapeoperation.

information‐services.dat.retrieve‐timeout Maximum time allowed for retrieve requests, inseconds.

information‐services.dat.thread‐pool‐size Maximum number of job worker threads.

information‐services.ds.credentials‐cache‐timeout

The default expiration time in seconds forcached data source authentication credentials.

information‐services.ds.credentials‐provider

The class used to provide credentials fordatasources that require authentication.

information‐services.jdbc.connection‐login‐timeout

Login timeout for JDBC database connections.

information‐services.jdbc.oracle.temp‐table‐grantee

Selecting priviliges on temporary tables usedduring query execution will be granted to thisuser or role. The temporary tables are only validduring the query transaction.

information‐services.jdbc.use‐inner‐select‐in‐clause

This setting affects the behaviour when thenumber of filter values sent to a jdbc data sourceexceeds the condition-list-threshold.

If set to false (default): all data rows matchingany duplicate filter values will be duplicated,

If set to true: data rows matching any duplicateswill not be duplicated (the same behaviour aswhen the number of filter values is below thecondition-list-threshold limit), but there is alarge performance penalty.

274

TIBCO Spotfire® Server and Environment Installation and Administration

Page 275: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Default join databaseThe default join database is used for creating temporary tables and joining the final result whenrunning an information link.

Most often using the standard Spotfire database for the default join database will work fine. However,in certain situations you may want to configure another database to be used. For example, if you preferto run these operations as a specific user on the database, or if you want to use a database that isspecifically optimized for temporary tables.

To set up a default join database use the command create-join-db.

Default join database settings

Option Description

Type Sets the type of database and driver you want touse as the default join database. Refers to a datasource template.

Connection URL The connection URL to the database.

Number of Connections A minimum and maximum number ofconnections to use when accessing the database.

Username and Password The username and password that will be used toaccess the database.

Spotfire Server public Web Services API'sIt is possible to build specific functionality that can call Spotfire Server through a set of public WebServices API's.

These can be accessed at:

● http[s]://<tss_host>[:<port>]/spotfire/ws/pub/LibraryService

● http[s]://<tss_host>[:<port>]/spotfire/ws/pub/SecurityService

● http[s]://<tss_host>[:<port>]/spotfire/ws/pub/UserDirectoryService

A description of each web service (a WSDL file) can be retrieved by appending ?wsdl to each webservice URL. The WSDL files can be used to generate client proxies which will contain all types andmethods that may be used. The implementing classes may not be called directly from Java code.

All user accounts that are going to use the API must be members of the API User group.

For more information on the Web Services API, see the Web Services API reference on https://docs.tibco.com/products/tibco-spotfire-server.

Enabling the Web Services APIBefore the Web Services API can be used, it must be enabled.To do this, export the server configuration from the database, run the config-web-service-api commandand import the updated configuration to the database.

275

TIBCO Spotfire® Server and Environment Installation and Administration

Page 276: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Procedure

1. On the command line, go to the <server installation folder>\tomcat\bin directory, and runthe following commands:

2. config.bat export-config --force (config.sh on Linux)

3. config.bat config-web-service-api --enabled=true (config.sh on Linux)

4. config.bat import-config -c "Enabled the public Web Service API" (config.sh on Linux)

Generating client proxiesProxies can be generated using a tool of your choice.Here is an example on how to do it using the wsimport tool that is included with the Oracle JDK 8.

Procedure

1. Create an authentication file containing the URL of each web service, including a valid user nameand password of a user that is a member of the API User group.

Examples of authentication files:

● http://user:[email protected]:8080/spotfire/ws/pub/LibraryService?wsdl

● http://user:[email protected]:8080/spotfire/ws/pub/SecurityService?wsdl

● http://user:[email protected]:8080/spotfire/ws/pub/

UserDirectoryService?wsdl

2. Generate the proxies by running wsimport for each web service (specifying the authentication filecreated in the previous step).

Examples on how to generate the proxies, using the authentication files above:

● wsimport ‐d bin ‐s src ‐Xauthfile auth.txt http://tss.example.com:8080/spotfire/ws/pub/LibraryService?wsdl

● wsimport ‐d bin ‐s src ‐Xauthfile auth.txt http://tss.example.com:8080/spotfire/ws/pub/SecurityService?wsdl

● wsimport ‐d bin ‐s src ‐Xauthfile auth.txt http://tss.example.com:8080/spotfire/ws/pub/UserDirectoryService?wsdl

Optional security HTTP headersThe Spotfire Server can be configured to include some extra security-oriented HTTP headers in itsresponses.

These headers are optional and the only one included by default is the X-Content-Type-Options header.Make sure to only enable them if you know exactly how they work and what effects they have.

● X-Frame-Options

● X-XSS-Protection

● Strict-Transport-Security

● Cache-Control

● X-Content-Type-Options

276

TIBCO Spotfire® Server and Environment Installation and Administration

Page 277: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

X-Frame-OptionsThe X-Frame-Options HTTP header provides basic protection against some clickjacking attacks (alsoknown as UI redress attacks).

The feature can be switched on by running the following command in the <server installationdirectory>\tomcat\bin directory on the command line:config set-config-prop -n security.x-frame-options.enabled -v true

The feature can be switched off by running the following command:config set-config-prop -n security.x-frame-options.enabled -v false

When this feature is enabled, the server includes the HTTP header "X-Frame-Options: SAMEORIGIN"in all responses.

The directive can also be customized by running the following command:config set-config-prop -n security.x-frame-options.directive -v <value>

<value> can be set to any of the following values:

● DENY: Prevents the rendering of the server web page within a frame.

● SAMEORIGIN: Prevents the rendering of the server web page within a frame if origin mismatch.

● ALLOW-FROM: The server web page will be rendered only when framed from the specifiedlocation.

● ALLOWALL: Allows rendering within a frame from any location. (This is a non-standard valuewhich is not supported by all browsers.)

X-XSS-ProtectionThe X-XSS-Protection HTTP header provides basic protection against some XSS attacks, by indicating tothe browser clients how they should use their built-in XSS protection filter.

This functionality is enabled by default for new Spotfire Server 7.6 installations, and for installationsupgraded from 7.5, but not for installations upgraded from earlier versions than 7.5.

The feature can be switched on by running the following command in the <server installationdirectory>\tomcat\bin directory on the command line:config set-config-prop -n security.x-xss-protection.enabled -v true

The feature can be switched off by running the following command:config set-config-prop -n security.x-xss-protection.enabled -v false

When this feature is enabled, the server will include the HTTP header "X-XSS-Protection: 1;mode=block" in all responses.

The directive can also be customized by running the following command:config set-config-prop -n security.x-xss-protection.directive -v <value>

<value> can be set to any of the following values:

● "0"

● "1"

● "1; mode=block"

Make sure to put quotation marks around the last argument on the command line.

277

TIBCO Spotfire® Server and Environment Installation and Administration

Page 278: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

HTTP Strict-Transport-Security (HSTS)The Strict-Transport-Security HTTP header provides support for the HTTP Strict Transport Security(HSTS) standard, as specified by RFC 6797.

It helps to protect against protocol downgrade attacks and cookie hijacking by declaring that useragents, such as web browsers or Spotfire Analyst clients, must interact with the Spotfire Server usingsecure HTTPS connections.

The feature can be switched on by running the following command in the <server installationdirectory>\tomcat\bin directory on the command line:config set-config-prop -n security.hsts.enabled -v true

The feature can be switched off by running the following command:config set-config-prop -n security.hsts.enabled -v false

When this feature is enabled, the server will include the HTTP header "Strict-Transport-Security: max-age=0" in all responses.

Use the following command to customize the max-age directive:config set-config-prop -n security.hsts.max-age-seconds -v <value>

<value> can be any positive integer value, representing the number of seconds the HSTS policy shouldremain in effect.

The includeSubDomains directive is by default not included in the HTTP header, but it can be enabledby running the following command:config set-config-prop -n security.hsts.include-sub-domains -v true

The includeSubDomains directive can be excluded from the HTTP header by running the followingcommand:config set-config-prop -n security.hsts.include-sub-domains -v false

Cache-ControlThe Cache-Control header controls how the browser caches web resources. To make sure that nosensitive files are ever stored on the file system, enable the Cache-Control header to prevent the filesfrom being cached by the browser.

The feature can be switched on by running the following command in the <server installationdirectory>\tomcat\bin directory on the command line:config set-config-prop -n security.cache-control.enabled -v true

The feature can be switched off by running the following command:config set-config-prop -n security.cache-control.enabled -v false

When this feature is enabled, the server will include the HTTP header "Cache-Control: no-cache, no-store, must-revalidate" in all responses.

Use the following command to customize the header directive:config set-config-prop -n security.cache-control.directive -v <value>

Replace <value> with any valid cache-control header directive.

You cannot customize the Cache-Control header for files ending with ".html" or attachments withcontent type "text/html" or "text/plain". These files will always have the value "no-cache, no-store, must-revalidate". They will also get the "Pragma" header set to "no-cache" and the "Expires" header set to "0".The Pragma headers are legacy HTTP 1.0 headers and serve the same purpose as the "Cache-Control"header in HTTP 1.1.

278

TIBCO Spotfire® Server and Environment Installation and Administration

Page 279: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

X-Content-Type-OptionsThe X-Content-Type-Options HTTP header can be used to prevent user agents, such as web browsers orSpotfire Analyst clients, from guessing the MIME content type. Instead, they will always use thedeclared content type.

The X-Content-Type-Options header is enabled by default.

The feature can be switched off by running the following command in the <server installationdirectory>\tomcat\bin directory on the command line:config set-config-prop -n security.x-content-type-options.enabled -v false

If switched off, the feature can be switched on again by running the following command:config set-config-prop -n security.x-content-type-options.enabled -v true

Setting the maximum execution time for an Automation Services jobThis Spotfire Server property indicates how long an Automation Services job can run before the servercancels the job. The default setting for this property is 259,200 seconds (72 hours).

Procedure

1. Open a command-line interface and export the active configuration (the configuration.xml file)by using the export-config command.

2. Enter the following command:set-config-prop --name="automation-services.max-job-execution-time" --value="X"

where "X" is the length of time, in seconds, that an Automation Services job is permitted to run.3. Import the configuration file back to the Spotfire database by using the import-config command.4. Restart Spotfire Server.

Setting the maximum inactivity time for an Automation Services jobThis Spotfire Server property indicates how long an Automation Services job can remain inactive beforethe server cancels the job. The default setting for this property is 259,200 seconds (72 hours).

Procedure

1. Open a command-line interface and export the active configuration (the configuration.xml file)by using the export-config command.

2. Enter the following command:set-config-prop --name="automation-services.job-inactivity-timeout" --value="X"

where "X" is the time period, in seconds, after which the server will cancel an inactive AutomationServices job.

3. Import the configuration file back to the Spotfire database by using the import-config command.4. Restart Spotfire Server.

Idle session timeout and absolute session timeoutSession timeout is a security and resource management feature that automatically logs a user out ofSpotfire under certain conditions.

Idle session timeout, which is set in the <install directory>\tomcat\webapps\spotfire\WEB-INF\web.xml configuration file, ends the user session and destroys the data associated with the session ifthe computer is idle for the configured amount of time. The default is 30 minutes, and the settingapplies to the resources on a single server.

279

TIBCO Spotfire® Server and Environment Installation and Administration

Page 280: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

However, idle session timeout is ineffective at maintaining security because many applications,including the Spotfire web client, make periodic background requests to the server; a session is neverconsidered idle until the user shuts down or disconnects the computer. At that point the resourcesassociated with the session are released and become available for other sessions.

On the other hand, absolute session timeout, which is set in the configuration.xml file, requires the userto log in again even if the user has been active the whole time. This is a recommended security feature.The data associated with the session remains available, so if the user signs in again before the idlesession timeout is reached, the user may continue working as before. The default is 1,440 minutes (24hours), and in a clustered implementation the setting applies to all the resources in the cluster.

Setting idle session timeoutThe primary function of the idle session timeout is to release the resources that are associated with auser session when the user shuts down the computer. The default is 30 minutes.

This configuration must be done on each Spotfire Server in your Spotfire environment because theconfiguration is not stored in the Spotfire database.

Procedure

1. Open the file <install directory>\tomcat\conf\web.xml in a text or XML editor.

2. Locate the following section: <web-app ...> <session-config> <session-timeout>30</session-timeout> </session-config> </web-app>

3. Specify the session-timeout value. The timeout is specified in minutes.

4. Save the file.

5. Restart the Spotfire Server.

Setting absolute session timeoutThe absolute session timeout indicates the number of minutes after which a user must log in to Spotfireagain. You can set this value either by using the command-line tool as described here, or in thegraphical configuration tool (on the Configuration page, in the Security section).

Procedure

1. Open a command-line interface and export the active configuration (the configuration.xml file)by using the export-config command.

2. Enter the following command to specify the absolute session timeout:set-config-prop --name="security.absolute-session-timeout" --value="XX"

where XX is the number of minutes after which a user must log in again.

3. Import the configuration file back to the Spotfire database by using the import-config command.

4. Restart the Spotfire Server.

280

TIBCO Spotfire® Server and Environment Installation and Administration

Page 281: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Restarting a node manager to terminate its running jobsUse this procedure to "refresh" a node when its service instances appear to be running jobs that shouldhave terminated.

Procedure

1. Log on with administrator credentials to the computer on which the node manager was installed.2. Open the Windows Services list and stop the "TIBCO Spotfire Node Manager 7.6" service.3. Open Windows Task Manager and end all the "Spotfire.Dxp.Worker.Host.exe" processes.4. Restart the "TIBCO Spotfire Node Manager 7.6" service.

Increase the number of available sockets on LinuxThe Spotfire Server will open many connections, and each will require a file descriptor. Forperformance and security reasons Linux has a cap on how many connections that can be opened by aprocess per default. This limit might need to be increased.

To change this limit, edit the /etc/security/limits.conf file as root and make the following changesor add the following lines, respectively:spotuser soft nofile 8192spotuser hard nofile 65000

Where spotuser is the account that is running the Spotfire Server.

In this example, 8192 files (which includes sockets) can be opened. The setting should be high enoughfor the system, but not too high. To test the limit without editing the file one can run, for exampleulimit -n 32000

With a value up to to the hard limit to see what the suitable limit is.

The hard limit might be increased if needed but not to more than is given by /proc/sys/fs/file-max.

Switching from online to offline administration helpBy default, the help button on the administration pages of Spotfire Server opens the online version ofthis documentation. If you are unable to use the online version, you can switch to an offline versioninstead.

Any updates to this documentation will be available on https://docs.tibco.com . To get the latest versionof this documentation, you must access the online version on https://docs.tibco.com/products/tibco-spotfire-server.

Procedure

1. On the computer running Spotfire Server, open a command-line interface and go to the followingdirectory: <installation dir>/tomcat/bin.

2. Export the configuration to a configuration.xml file by using the export-config command.The configuration.xml file appears in your working directory.

3. Open configuration.xml in a text editor.4. Locate the following section:

<general> <applications> <admin> <!-- To switch from the online version of the installation and administration help to the locally stored help installed with the server change use the

281

TIBCO Spotfire® Server and Environment Installation and Administration

Page 282: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

nodes below instead. <help-base-url>/spotfire/resources/help/en-US/administration/</help-base-url> <use-default-help-base-url>false</use-default-help-base-url> --> <help-base-url></help-base-url> <use-default-help-base-url>true</use-default-help-base-url> </admin> </applications> </general>

5. Set the value of the setting <help-base-url> to /spotfire/resources/help/en-US/administration/ and change the value of the setting <use-default-help-base-url> to false.To switch back to the online version of the help, set the <use-default-help-base-url> value totrue again.

6. Save and close the file.

7. Import the configuration file by using the import-config command.

8. Restart Spotfire Server.

282

TIBCO Spotfire® Server and Environment Installation and Administration

Page 283: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Contacting support

If you encounter an issue that requires assistance from TIBCO Support, consider including thefollowing information (where applicable to your specific issue) when reporting the issue, to help ensurea quick resolution.

● Describe the issue in detail, including any error messages.

● List all products/components and exact versions involved in the issue.

● When was the issue first observed? Has it ever worked in the past? How often does it occur?

● Were any changes made in the environment (on the Spotfire side or externally, such as changes tothe operating system/web browser/database/anti-virus software, and so on) around the time that theissue started?

● Are the steps needed to reproduce/trigger the issue known? If so, describe them and, if possible,provide any objects (such as analysis files) that are needed to reproduce it.

● Is the extent of the issue known? For example, does it only affect one/some objects (such as specificservers/analysis files/users), while others work? If so, list any objects that are affected, and also stateif there are any known differences between those that work and those that do not.

● Provide logs from the time of the issue. (It is always strongly recommended to submit all availablelogs). A convenient way to gather the server-side logs is by generating a troubleshooting bundle. Formore information, see Troubleshooting bundle.

If you have a way to reproduce the issue, it is recommended to set the logging level toDEBUG (for more information, see Server log levels), reproduce the issue, and thenprovide the captured logs. Don't forget to reset the logging level after you are done.

After you have gathered the information, submit your issue to TIBCO Support on TIBCO SupportCentral: https://support.tibco.com.

283

TIBCO Spotfire® Server and Environment Installation and Administration

Page 284: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Reference

Spotfire Server files

The bootstrap.xml fileThe bootstrap configuration file contains the basic information that Spotfire Server requires to bootstrapitself so that it can connect to the Spotfire database and retrieve its configuration.

The bootstrap configuration file is created by running the bootstrap command (or using the graphicalconfiguration tool) . The file must be created in the <installation directory>\tomcat\webapps\spotfire\WEB-INF directory (Windows) or the <installation directory>/tomcat/webapps/spotfire/WEB-INF directory (Unix). When specifying an alternative bootstrap configuration file pathto the bootstrap command, the generated file must be manually copied to this directory before it can beaccessed by the server. The file must also be named bootstrap.xml.

This is the format of the bootstrap configuration file:<bootstrap> <server-name>...</server-name> <server> <driver-class>...</driver-class> <database-url>...</database-url> <username>...</username> <password>...</password> </server> <config-tool> <driver-class>...</driver-class> <database-url>...</database-url> <username>...</username> <password>...</password> </config-tool> <server-name>...</server-name> <encryption-password>...</encryption-password></bootstrap>

● The <config-tool> section

This section is optional and not required for running the server itself. It is only required for usingthe configuration commands to access the database. If the commands are not to be used on a specificserver, they can easily be disabled by removing this section.

The database password stored in this section is protected by a special configuration tool passwordthat is specified when creating the bootstrap.xml file. This tool password must be specifiedwhenever running a command that accesses the database.

The tool password is not related to any administrator user account within the serverapplication itself.

● The <server-name> section

This section contains the server name, which is used for identifying the server, for example whenspecifying server-specific configuration.

● The <encryption-password> section

This section is optional. If specified, it contains a password to be used for encrypting otherpasswords that are stored in the database. If not set, a static password is used.

The same password must be configured for all servers in a cluster.

284

TIBCO Spotfire® Server and Environment Installation and Administration

Page 285: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

The server.xml fileSpotfire Server is implemented as a Tomcat web application. For this reason, it uses a standard Tomcatweb application configuration file, server.xml, to store information it needs when starting. This file isstored in <installation dir>/tomcat/conf/.

In general, there are two reasons that an administrator might edit this file:

● To change port numbers after installation.● To tweak Tomcat behavior.

Note that each Spotfire Server in a cluster has a server.xml file.

The variable [SpotfirePort] is set when running the Spotfire Server installer. The variable[ServerHostname]-srv is automatically set by the installer by adding the strings -srv to the server'shostname. This variable must not contain any characters that need escaping, such as "."

For details about the server.xml syntax, see Apache Tomcat documentation at http://tomcat.apache.org/.

Server hostname example

spotfireserver1.example.com

By default Spotfire Server has three pre-configured connectors. Connectorswith connectorType="registration" and connectorType="backend" shouldnot be touched. The public connector (it has no connectorType specifiedexplicitly) can be modified or commented out for load balancing and otherpurposes.

The krb5.conf fileThe krb5.conf file contains settings for Kerberos. The unmodified version of the file is presented first,followed by a version with example values.

This is the unmodified file:[libdefaults] default_realm = MYDOMAIN default_keytab_name = spotfire.keytab default_tkt_enctypes = aes128-cts rc4-hmac default_tgs_enctypes = aes128-cts rc4-hmac

[realms] MYDOMAIN = { kdc = mydc.mydomain admin_server = mydc.mydomain default_domain = mydomain }

[domain_realm] .mydomain = MYDOMAIN mydomain = MYDOMAIN

[appdefaults] autologin = true forward = true forwardable = true encrypt = true

This is the file with example values:[libdefaults] default_realm = RESEARCH.EXAMPLE.COM default_keytab_name = spotfire.keytab default_tkt_enctypes = aes128-cts rc4-hmac default_tgs_enctypes = aes128-cts rc4-hmac

285

TIBCO Spotfire® Server and Environment Installation and Administration

Page 286: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

[realms] RESEARCH.EXAMPLE.COM = { kdc = example-dc.research.example.com admin_server = example-dc.research.example.com default_domain = research.example.com}[domain_realm] .research.example.com = RESEARCH.EXAMPLE.COM research.example.com = RESEARCH.EXAMPLE.COM[appdefaults] autologin = true forward = true forwardable = true encrypt = true

Server bootstrapping and database connection pool configurationThe Spotfire database holds all user data and most of the configuration for the Spotfire system. Toconnect to the Spotfire database, Spotfire Server uses a database connection pool.

The bootstrap.xml file contains the information that the server needs to connect to the Spotfiredatabase and retrieve the configuration; refer to The bootstrap.xml file. After the server has retrievedthe configuration from the database, it re-initializes its database connection pool using informationfrom both the bootstrap.xml file, which is present on each server, and any database configuration setfor the entire cluster, which is stored as part of the database persisted server configuration.

For the common database configuration tasks, use the commands modify-db-config and set-db-config.

Database connectivityThe Spotfire Server database connection pool implementation is used for two things: connecting to theSpotfire database and connecting to JDBC compliant data sources through Information Services.

Each connection pool (either for Spotfire Server itself or for fetching data) has many parameters; thefollowing are of general interest:

● The driver-class parameter contains the JDBC driver class name; see Database drivers anddatabase connection URLs.

● The url parameter contains the JDBC connection URL; see Database drivers and databaseconnection URLs.

● The username parameter contains the name of the database user to connect as, if applicable.

● The password parameter contains the password for the specified database user, if applicable. Thepassword is always encrypted and must therefore be set using the bootstrap command. It cannot beset manually.

● The min-connections parameter contains the minimum number of allocated connections.

● The max-connections parameter contains the maximum number of allocated connections.Depending on the pooling scheme, the total number of connections created by the server may behigher than the value of this parameter during high load, but all such extra connections willautomatically be closed when the load decreases. By setting this parameter to zero or a negativevalue, connection pooling is effectively disabled and new connections will be continuously createdas needed.

● The pooling-scheme parameter defines the connection pooling algorithm to be used. There are twopossible connection pooling algorithms that determine the way the connection pool operates,"DYNAMIC" and "WAIT". The "WAIT" algorithm is the default.

When initialized, the connection pool creates a number of idle database connections equal to themin-connections parameter. When the connection pool receives a request for a databaseconnection, it checks if the pool contains any idle connections and uses one of those, if available.

286

TIBCO Spotfire® Server and Environment Installation and Administration

Page 287: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

— The "DYNAMIC" pooling scheme—If there are no idle connections in the pool, it automaticallycreates a new database connection. There is no upper limit for how many connections aconnection pool can have open at the same time.

— The "WAIT" pooling scheme—If there are no idle connections in the pool and the number ofalready open connections is less than the max-connections parameter, it creates a newdatabase connection.

If the number of already open connections is equal to the max-connections parameter, it waitsfor an active connection to be returned to the pool. If the request cannot be fulfilled within anumber of seconds equal to the login-timeout parameter, the request times out. In the serverlogs entries similar to this appear, "Timeout while waiting for database connection after 10seconds".

Thus, in WAIT mode, the connection pool can never have more open (active or idle) connectionsthan the value of the max-connections parameter. Whenever a database connection isreturned, it is put in the pool of idle connections, unless it is used immediately to fulfill analready waiting request.

Idle connections in the database connection pool eventually time out if they are not used. Theconnection-timeout parameter defines how long (in seconds) a connection can remain idle in theconnection pool before being closed and discarded.

Database drivers and database connection URLsThe following details and examples show how the database connection URL is constructed.

Supported databases and JDBC drivers

Database Driver name

Oracle (DataDirect Driver) tibcosoftwareinc.jdbc.oracle.OracleDriver

Oracle (Oracle JDBC Thin Driver, ojdbc7.jar) oracle.jdbc.OracleDriver

Microsoft SQL Server (DataDirect Driver) tibcosoftwareinc.jdbc.sqlserver.SQLServerDriver

Microsoft SQL Server (Microsoft JDBC Driver,sqljdbc4.jar)

com.microsoft.sqlserver.jdbc.SQLServerDriver

Database connection URL components

Component Description

API Specifies which API to use. This is always jdbc.

Database Driver Specifies which database driver to use to connect to the database. Defaulttibcosoftwareinc, which will use the Spotfire DataDirect driver. If you haveinstalled a different driver, you may provide this here.

Server Type Specifies the type of database server. Either sqlserver or oracle.

Server Type is only applicable when using the DataDirect driver.

Hostname Specifies the hostname of the database server.

287

TIBCO Spotfire® Server and Environment Installation and Administration

Page 288: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Component Description

Port Specifies the port which the database server listens to; for example 1433.

Database name, SID,or service name

Specifies the name (MSSQL), SID (Oracle) or Service Name (Oracle) thatdefines your Spotfire database.

Options Specifies further options, separated with semicolons. Only necessary ifyou want to set something specific for your database server, such as anamed Instance in an MSSQL server. See the following examples.

Database connection URL examples

Database driver URL structure Examples

Oracle (DataDirect Driver) [API]:[DBDriver]:[ServerType]://[Hostname]:[Port];SID=[SID]

jdbc:tibcosoftwareinc:oracle://dbsrv.example.com:1433;SID=spotfire_server

Oracle (DataDirect Driver) [API]:[DBDriver]:[ServerType]://[Hostname]:[Port];ServiceName=[ServiceName]

jdbc:tibcosoftwareinc:oracle://dbsrv.example.com:1433;ServiceName=pdborcl.example.com

Oracle (Vendor Driver,ojdbc7.jar)

[API]:[DBDriver]:[DriverType]://[Hostname]:[Port]:SID

jdbc:oracle:thin:@dbsrv.example.com:1521:orcl

Oracle (Vendor Driver,ojdbc7.jar)

[API]:[DBDriver]:[DriverType]://[Hostname]:[Port]/[ServiceName]

jdbc:oracle:thin:@//dbsrv.example.com:1521/pdborcl.example.com

Microsoft SQL Server(DataDirect Driver)

[API]:[DBDriver]:[ServerType]://[Hostname]:[Port];DatabaseName=[DBName]

jdbc:tibcosoftwareinc:sqlserver://dbsrv.example.com:1433;DatabaseName=spotfire_server

Example using IntegratedAuthentication:

jdbc:tibcosoftwareinc:sqlserver://dbsrv.example.com:1433;DatabaseName=spotfire_server;AuthenticationMethod=ntlm;LoadLibraryPath=c:/tibco/tss/7.6.0/tomcat/ lib

Make sure that theLoadLibraryPath hasthe correct path tothe tomcat/libdirectory in SpotfireServer installationdirectory.

288

TIBCO Spotfire® Server and Environment Installation and Administration

Page 289: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Database driver URL structure Examples

Microsoft SQL Server (VendorDriver, sqljdbc4.jar)

[API]:[DBDriver]://[Hostname]:[Port];DatabaseName=[DBName]

jdbc:sqlserver://dbsrv.example.com:1433;DatabaseName=spotfire_server;selectMethod= cursor

Example: Making sure that thedriver always returns preventsinfinite waits during adverseconditions

jdbc:sqlserver://dbsrv.example.com:1433;DatabaseName=spotfire_server;lockTimeout= <X, whereX is a good value>

Due to a restriction in thevendor Microsoft SQL Serverdriver, you may need to addthe optionresponseBuffering=adaptive

to your connection string. Thisis necessary if you are going tostore large analysis files in thelibrary.

Example: UsingresponseBuffering=adaptiv

e

jdbc:sqlserver://dbsrv.example.com:1433;databaseName=spotfire_server;selectMethod=cursor;responseBuffering=adaptive

Example: Using IntegratedAuthentication

jdbc:sqlserver://dbsrv.example.com:1433;DatabaseName=spotfire_server;selectMethod=cursor;integratedSecurity=true;

For IntegratedAuthentication towork, you mustplace the filesqljdbc_auth.dll

in a folder in thesystem path, such asC:\Windows\System32. This fileis included with the

289

TIBCO Spotfire® Server and Environment Installation and Administration

Page 290: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Database driver URL structure Examples

vendor drivers fromMicrosoft.

Command-line referenceThe command-line commands are listed alphabetically here.

Refer to Configuration and administration commands by function for an easily reviewed functionalcommand grouping, and Configuration using the command-line configuration tool for information onusing the command-line tool.

In this reference we use the following symbols:

● Angle brackets (< >) indicate mandatory arguments.

● Square brackets ([ ]) indicate optional arguments.

Arguments can normally be specified in two different formats. For example, the max cache sizeargument may be entered as --max-cache-size=<value> or -m <value>.

A negative value must be preceded by a backslash in the second argument format, for example -m \-7.

add-ds-templateAdds a new data source template.add-ds-template [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name=value> [-e <true|false> | --enabled=<true|false>] <template definition file>

Overview

Use this command to add a new data source template used by Information Services. The name of thetemplate must be unique.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required none The name of the data source template toadd.

-e <true|false>--enabled=<true|false>

Optional false Indicates whether the newly created datasource template should be enabled.

290

TIBCO Spotfire® Server and Environment Installation and Administration

Page 291: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

<template definition file>

Required none The path to the file containing the datasource template definition.

add-memberAdds a user or group as a member of a specified group.add-member [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-g value | --groupname=value> [-u value | --member-username=value] [-m value | --member-groupname=value]

Overview

Use this command to add an existing user or group as a member of another existing group.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the file bootstrap.xml.If the tool password is omitted, thecommand prompts the user for it inthe console. See The bootstrap.xmlfile.

-g value--groupname=value

Required none The name of the group to which themember should be added. Unless thegroup is part of the internalSPOTFIRE domain, the name of thegroup must include the group'sdomain name, for example"RESEARCH\group" or"[email protected]".

291

TIBCO Spotfire® Server and Environment Installation and Administration

Page 292: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-u value--member-username=value

Required none Required unless the --member-groupname argument is specified.The --member-username and --member-groupname arguments aremutually exclusive. The name of theuser to add as a member of thespecified group.

Unless the user is part of theconfigured default domain, the nameof the user must include the user'sdomain name: For example,"RESEARCH\user" or"[email protected]".

-m value--member-groupname=value

Required none Required, unless the --member-username argument is specified. The--member-username and --member-groupname arguments are mutuallyexclusive. The name of the group toadd as a member of the specifiedgroup.

Unless the group is part of theinternal SPOTFIRE domain, thename of the group must include thegroup's domain name: For example,"RESEARCH\group" or"[email protected]".

bootstrapBootstraps the server by creating a new bootstrap.xml file containing the information needed toconnect to the database.bootstrap [-f | --force] [-T | --test] [-n | --no-prompt] [-c value | --driver-class=value] [-d value | --database-url=value] [-u value | --username=value] [-p value | --password=value] [-k value | --kerberos-login-context=value] {-Ckey=value} [-E <true|false> | --enable-config-tool=<true|false>] [-t value | --tool-password=value] [-e value | --encryption-password=value] [-a value | --server-alias=value] {-Avalue} [bootstrap configuration file]

Overview

Use this command to create a new bootstrap configuration file.

292

TIBCO Spotfire® Server and Environment Installation and Administration

Page 293: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-f--force

Optional none Indicates that the tool shouldoverwrite any existingbootstrap configuration file.

-T--test

Optional none Specifies that the tool shouldtest the created configurationby attempting to connect tothe database using thespecified connectioninformation.

-n--no-prompt

Optional none Specifies that the tool shouldnot prompt for missingpassword arguments.

-c value--driver-class=value

Optional tibcosoftwareinc.jdbc.oracle.OracleDriver

The name of the JDBC driverclass.

-d value--database-url=value

Optional jdbc:tibcosoftwareinc:oracle://localhost:1521;SID=orcl

The JDBC URL to thedatabase. Because thisargument usually containsspecial characters, make sureto escape those characters orenclose the values betweenquotes.

-u value--username=value

Optional none The database account username.

-p value--password=value

Optional none The database accountpassword.

293

TIBCO Spotfire® Server and Environment Installation and Administration

Page 294: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-k value--kerberos-login-context=value

Optional none If you use the Kerberosprotocol to log in to thedatabase, use this argument tospecify the name of the JAASapplication configuration tobe used for acquiring theKerberos TGT. This JAASapplication configurationmust be registered with Javausing a login.config.urlparameter in the <TSSinstallation directory>

\jdk\jre\lib\security

\java.security (Windows)or <TSS installationdirectory>/jdk/jre/lib/

security/java.security

(Unix) file.

The Spotfire Serverimport-jaas-

config commandcannot be used forthis purposebecause the JAASapplicationconfigurations thatare imported usingthis command arestored in thedatabase, whichprevents SpotfireServer from usingthem for creatingthe initialconnection to thedatabase.

-Ckey=value Optional none A JDBC connection property.Can be specified multipletimes with different keys.

-E <true|false>--enable-config-tool=<true|false>

Optional true If true, the <config-tool>section should be created.Without this section, theconfiguration tool cannot beused on this computer. See The bootstrap.xml file.

294

TIBCO Spotfire® Server and Environment Installation and Administration

Page 295: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional true The configuration toolpassword used to decrypt thedatabase password in the filebootstrap.xml. Can bespecified if and only if apassword is given and theargument --enable-config-tool is set to true.

-e value--encryption-password=value

Optional none The password for encryptingpasswords stored in thedatabase. If you do not set thisoption, a static password isused. Note that the samepassword must be configuredfor all servers in a cluster.

-a value--server-alias=value

Optional The fully qualifiedhost name asdetermined whenthis command isrun, but it is onlyever used as aunique identifier.

The server alias. Used foridentifying the server, forexample when specifyingserver-specific configuration.

-Avalue Optional The host name(s)and IP address(es)as determinedwhen thiscommand is run.The addresses willbe used in theorder they areprovided (in caseswhere there is aneed for ordering).

The possible node backendaddresses (host names and IPaddresses). Used for internalcommunication within theSpotfire collective. The defaultvalue is the host name(s) andIP address(es) as determinedwhen this command is run.The addresses will be used inthe order they are provided(in cases where there is a needfor ordering). This argumentmay be specified multipletimes with different values.

[bootstrap configuration file]

Optional none The path to the bootstrapconfiguration file to create.See The bootstrap.xml file.

Examples

Bootstrap the server to use an Oracle database with the bundled DataDirect JDBC driver:bootstrap --driver-class=tibcosoftwareinc.jdbc.oracle.OracleDriver --database-url="jdbc:tibcosoftwareinc:oracle://server:1521;SID=spotfire" --username=spotuser --password=spotuser

295

TIBCO Spotfire® Server and Environment Installation and Administration

Page 296: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Bootstrap the server to use an Oracle database with the Oracle thin JDBC driver:bootstrap --driver-class=oracle.jdbc.OracleDriver --database-url="jdbc:oracle:thin:@server:1521:spotfire" --username=spotuser --password=spotuser

Bootstrap the server to use a Microsoft SQL Server database with the bundled DataDirect JDBC driver:bootstrap --driver-class=tibcosoftwareinc.jdbc.sqlserver.SQLServerDriver --database-url="jdbc:tibcosoftwareinc:sqlserver://server:1433;DatabaseName=spotfire_server" --username=spotuser --password=spotuser

Bootstrap the server to use a Microsoft SQL Server database with the Microsoft JDBC driver:bootstrap --driver-class=com.microsoft.sqlserver.jdbc.SQLServerDriver --database-url="jdbc:sqlserver://server:1433;DatabaseName=spotfire_server" --username=spotuser --password=spotuser

Specify multiple back-end addresses for the server:bootstrap -Ahostname.example.com -Ahostname -Aip.x.y.z

check-external-libraryChecks for inconsistencies between external storage and the Spotfire database.check-external-library[-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to check the consistency between what is stored in external storage (for example,Amazon S3 or a file system), and what is stored in the Spotfire database.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. See The bootstrap.xmlfile.

clear-join-dbClears the default join database configuration.clear-join-db [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to clear the default join database configuration, which means that the Spotfiredatabase is used as the default join database (the default behavior).

296

TIBCO Spotfire® Server and Environment Installation and Administration

Page 297: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

config-action-log-database-loggerConfigures the user action database logger.config-action-log-database-logger [-c value | --configuration=value] [-b value | --bootstrap-config=value] [--driver-class=value] [-dvalue | --database-url=value] [-u value | --username=value] [-p value | --password=value] [--commit-period=value] [--wait-on-full-queue-time=value] [--wait-on-empty-queue-time=value] [--grace-period=value] [--pruning-period=value] [--queue-size=value] [--batch-size=value] [--thread-pool-size=value] [--workers=value] [--block-on-full-queue=<true|false>][--prioritized-categories=value] [--monitoring-retention-span=value] [--monitoring-average-period=value] [--log-local-time=<true|false>]

Overview

Use this command to configure the user action database logger.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

--driver-class=value Optional none The name of the JDBC driver class.

-d value--database-url=value

Optional none The JDBC URL to the database. Becausethis argument usually contains specialcharacters, be sure to escape thosecharacters or enclose the values betweenquotes.

-u value--username=value

Optional none The database account user name.

297

TIBCO Spotfire® Server and Environment Installation and Administration

Page 298: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-p value--password=value

Optional none The database account password.

--commit-period=value Optional none The frequency (in seconds) that logevents should be committed from thequeue to the database when the queue isnot full.

--wait-on-full-queue-time=value

Optional none The time (in milliseconds) to wait beforeretrying to place a new log event on thequeue after being rejected by a fullqueue.

--wait-on-empty-queue-time=value

Optional none Sets the time (in milliseconds) to waitbefore trying to create a batch from thequeue after an empty queue has beenencountered.

--grace-period=value Optional none The grace period for the database logger(in seconds). This is the period that thedatabase logger is given at servershutdown to move all items from thequeue to the database.

--pruning-period=value Optional 48 hours The maximum time (in hours) thatlogged items are kept in the database.Pruning takes place at server startup,and then at one hour intervals, when allitems older than the here-specifiednumber of hours are deleted. To disablepruning, set this argument to 0.

--queue-size=value Optional none The maximum number of log events inthe queue.

--batch-size=value Optional none The number of log events that should bemoved from the queue to the database ineach batch insert.

--thread-pool-size=value

Optional none The number of threads available for thebatch insert workers.

--workers=value Optional none The maximum number of batch insertworkers at any given time.

--block-on-full-queue=<true|false>

Optional none Specifies whether placing a log event onthe queue should be allowed to beblocked indefinitely if the queue is full.

--prioritized-categories=value

Optional none A comma-separated list of log categoriesthat should have higher priority in thequeue.

298

TIBCO Spotfire® Server and Environment Installation and Administration

Page 299: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--monitoring-retention-span=value

Optional none The length of time monitoring entriesshould be saved before they getcrunched into averages.

--monitoring-average-period=value

Optional none The period between two averagedmeasurements.

--log-local-time=<true|false>

Optional If false, ornot set,timestamps will be inUTC time.

Sets whether timestamps should be inlocal time or not.

config-action-loggerConfigures the user action logger.config-action-logger [-c value | --configuration=value] [-b value | --bootstrap-config=value] [--categories=value] [--file-logging-enabled=<true|false>] [--database-logging-enabled=<true|false>][--monitoring-period=value]

Overview

Use this command to configure the user action logger.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

--categories=value Optional none A comma-separated list of thecategories that should belogged by the user actionlogger. To enable logging for allcategories, specify all.

--file-logging-enabled=<true|false>

Optional none Specifies whether the useraction logger should log to file.

--database-logging-enabled=<true|false>

Optional none Specifies whether the useraction logger should log todatabase.

299

TIBCO Spotfire® Server and Environment Installation and Administration

Page 300: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--monitoring-period=value Optional none Specifies how often monitoringmeasures are reported.

config-action-log-web-serviceConfigures the action log web service.config-action-log-web-service [-c value | --configuration=value] [-b value | --bootstrap-config=value] [--categories=value] [--allowedHosts=value]

Overview

Use this command to configure the action log web service.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

--categories=value Optional none A comma-separated list of categoriesthat should be allowed to log throughthe web service. To enable all categories,specify all.

--allowedHosts=value Optional none A regular expression that sets the hostsallowed to use the logger web service. Toenable all hosts, specify .*

config-anonymous-authConfigures the anonymous authentication method.config-anonymous-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>]

Overview

Use this command to configure anonymous authentication. Anonymous authentication is alwayscombined with another main authentication method, as configured by the set-auth-mode command.Note that you also must enable the ANONYMOUS\guest account, using the enable-user command, foranonymous authentication to work.

300

TIBCO Spotfire® Server and Environment Installation and Administration

Page 301: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional false Specifies whether anonymousauthentication should beenabled.

config-attachment-managerConfigures the Attachment Manager.config-attachment-manager [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e value | --max-cache-expiration-time=value] [-m value | --max-cache-size=value] [-E <true|false> | --encryption-enabled=<true|false>] [-k value | --encryption-key-size=value]

Overview

Use this command to configure the Attachment Manager, which handles data transfer (for instanceLibrary downloads and uploads) to and from Spotfire Server.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e value--max-cache-expiration-time=value

Optional 86400 The maximum idle time (inseconds) after which cache entriesare evicted. Setting this parameterto a negative value disables thecache.

-m value--max-cache-size=value

Optional 10240 The maximum amount of diskspace (in megabytes) used by thecache. Setting this parameter to anegative value disables the cache.

301

TIBCO Spotfire® Server and Environment Installation and Administration

Page 302: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-E <true|false>--encryption-enabled=<true|false>

Optional true Specifies whether the encryptionof temp files is enabled.

-k value--encryption-key-size=value

Optional 128 The size of the encryption keyused when encrypting temp files.

config-authConfigures authentication mode and default domain.config-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-a value | --auth-method=value] [-d | --jaas-database] [-l | --jaas-ldap] [-w | --jaas-windows] [-j value | --jaas-custom=value] [-D value | --default-domain=value] [-p <true|false> | --parse-user-and-domain-name=<true|false>]

Overview

Use this command to configure the authentication mode and to set the default domain.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-a value--auth-method=value

Optional none The authentication method to use. Thefollowing methods are supported:BASIC, CLIENT_CERT, NTLM, Kerberos,and External. The names can bespecified in either uppercase orlowercase.

-d--jaas-database

Optional none Use the Spotfire databaseauthentication source, as configuredin the Spotfire-DBLogin JAASapplication configuration. This optionis permitted only when using theBASIC authentication method. Also, itis mutually exclusive with all otheroptions related to BASICauthentication sources.

302

TIBCO Spotfire® Server and Environment Installation and Administration

Page 303: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-l--jaas-ldap

Optional none Use the LDAP authentication source,as configured in the SpotfireLDAPJAAS application configuration. Thisoption is permitted only when usingthe BASIC authentication method.Also, it is mutually exclusive with allother options related to BASICauthentication sources.

-w--jaas-windows

Optional none Use the Windows NT authenticationsource, as configured in theSpotfireWindows JAAS applicationconfiguration. This option is permittedonly when using the BASICauthentication method. Also, it ismutually exclusive with all otheroptions related to BASICauthentication sources.

-j value--jaas-custom=value

Optional none Use the custom JAAS applicationconfiguration with the specified name.This option is permitted only whenusing the BASIC authenticationmethod. Also, it is mutually exclusivewith all other options related toBASIC authentication sources.

-D value--default-domain=value

Optional SPOTFIRE The name of the default domain. Auser belonging to the default domainneed not specify domain name as partof his or her user name when loggingin to the server.

-p <true|false>--parse-user-and-domain-name=<true|false>

Optional true Indicates whether the user nameconsists of both a user and a domainpart that should be parsed. it isrecommended that you avoidchanging the default value of true,except when you are running the UserDirectory in database mode, and theuser names are in either NetBIOSname format (domain\user) or emailname format (user@domain).

config-auth-filterConfigures the authentication filter.config-auth-filter [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-f value | --filter-class=value] {-Ikey=value} [-s <true|false> | --skip-analyst=<true|false>]

303

TIBCO Spotfire® Server and Environment Installation and Administration

Page 304: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to configure a custom authentication filter.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-f value--filter-class=value

Optional none The fully-qualified name of a classimplementing the javax.servlet.Filterinterface.

-Ikey=value Optional none The initialization parameters provided tothe filter when the init(FilterConfig)method is called. Can be specifiedmultiple times with different keys.

-s <true|false>--skip-analyst=<true|false>

Optional false Indicates whether the Spotfire Analystclient should be handled by the customauthentication filter.

Example

To set the initialization parameter 'debug' to 'true': -Idebug=true

config-basic-database-authConfigures the Spotfire database authentication source to use the BASIC authentication method.config-basic-database-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-p <true|false> | --parse-user-and-domain-name=<true|false>]

Overview

Use this command to configure the Spotfire database authentication source to use the BASICauthentication method. The configuration is stored in the SpotfireDatabase JAAS applicationconfiguration.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

304

TIBCO Spotfire® Server and Environment Installation and Administration

Page 305: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-p <true|false>--parse-user-and-domain-name=<true|false>

Optional none This argument is deprecated and isignored. Use the config-authcommand to set the globalconfiguration property.

config-basic-ldap-authConfigures the LDAP authentication source for use with the BASIC authentication method.config-basic-ldap-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-l value | --ldap-configs=value] [-w <true|false> | --enable-wildcard-domain=<true|false>]

Overview

Use this command to configure the LDAP authentication source to use the BASIC authenticationmethod. The configuration is stored in the SpotfireLDAP JAAS application configuration.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-l value--ldap-configs=value

Optional none A comma-separated list of LDAPconfiguration references. Allreferenced LDAP configurations mustalready exist. To create a new LDAPconfiguration, use the create-ldap-config command. When specifyingmore than one reference, make sure toenclose the list of references in doublequotes.

-w <true|false>--enable-wildcard-domain=<true|false>

Optional none Indicates whether the server shouldattempt to authenticate the user in alldomains until an authenticationattempt succeeds whenever the useromits the domain name in the accountname credential.

305

TIBCO Spotfire® Server and Environment Installation and Administration

Page 306: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

config-basic-windows-authConfigures the Windows NT authentication source to use the BASIC authentication method.config-basic-windows-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-d value | --domains=value] [-w <true|false> | --enable-wildcard-domain=<true|false>]

Overview

Use this command to configure the Windows NT authentication source to use the BASIC authenticationmethod. The configuration is stored in the Spotfire Windows JAAS application configuration.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-d value--domains=value

Optional none A comma-separated list of domainnames. When specifying more thanone domain name, make sure toenclose the list of names in quotes.

-w <true|false>--enable-wildcard-domain=<true|false>

Optional none Indicates whether the server shouldattempt to authenticate the user in alldomains until an authenticationattempt succeeds whenever the useromits the domain name in the accountname credential.

config-client-cert-authConfigures the CLIENT_CERT authentication method.config-client-cert-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name-attribute=value> [-d <true|false> | --name-attribute-contains-domain=<true|false>]

Overview

Use this command to configure the X.509 certificate name attribute used for the CLIENT_CERTauthentication method.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

306

TIBCO Spotfire® Server and Environment Installation and Administration

Page 307: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-n value--name-attribute=value

Required none The name of the attribute used toextract user names from X.509certificates.

Supported attributes are:

● Any attribute that can occur in thecertificate subject’s distinguishedname (for instance "CN")

● "DN" (use the whole distinguishedname)

● Any subject alternative name oftype "rfc822Name", "dNSName","directoryName","uniformResourceIdentifier","iPAddress", or "registeredID".

To use a subject alternative name,make sure the name attribute hasthe prefix "subjectAltName:". Ifmore than one subject alternativename is present in the certificates,you can add an index prefixedwith a pound sign (#).

d <true|false>--name-attribute-contains-domain=<true|false>

Optional false Indicates whether the specified nameattribute contains a fully-qualifiedaccount name, with both a user namepart and a domain name part.

config-clusterConfigures clustering.config-cluster[-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>] [-t value | --type=value] [-p value | --port=value] [-s <true|false> | --as-secure-transport=<true|false>]

Overview

Use this command to configure clustering.

307

TIBCO Spotfire® Server and Environment Installation and Administration

Page 308: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional false Specifies whether clusteringshould be enabled.

-t value--type=value

Optional HAZELCAST Clustering type: HAZELCASTor ACTIVE_SPACES.

For information about theseoptions, see Using Hazelcastfor clustering and UsingActiveSpaces for clustering.

-p value--port=value

Optional 5701 The new value for TCP/IPport used for clustering.Shared among all nodes incluster.

-s <true|false>--as-secure-transport=<true|false>

Optional none The ActiveSpaces securetransport flag.

Example

To enable clustering in Hazelcast mode with a TCP/IP port of 5701:config-cluster --enabled=true --type=HAZELCAST

config-csrf-protectionConfigures the CSRF protection.config-csrf-protection [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-p <true|false> | --public-web-services=<true|false>] [-l <true|false> | --legacy-soap=<true|false>]

Overview

Use this command to configure the CSRF protection. When neither the -p/--public-web-servicesargument nor the -l/--legacy-soap argument is provided, the command displays the currentconfiguration.

308

TIBCO Spotfire® Server and Environment Installation and Administration

Page 309: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-p <true|false>--public-web-services=<true|false>

Optional none Specifies whether the CSRFprotection should be enabledfor the public Web ServiceAPI.

-l <true|false>--legacy-soap=<true|false

Optional none Specifies whether the CSRFprotection should be enabledfor the legacy SOAP clients.This argument is optional

config-external-authConfigures the external authentication method.config-external-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>] [-a value | --request-attribute=value] [-r value | --request-header=value] [-o value | --request-cookie=value][-n value | --custom-authenticator-class-name=value] [-f <true|false> | --use-authentication-filter=<true|false>] [-x value | --expression=value] [-d <true|false> | --downcase=<true|false>] [-s <true|false> | --require-tls=<true|false>] [-h value | --allowed-hosts=value] {-Rvalue}{-Ikey=value}

Overview

Use this command to configure external authentication. The authentication method can either be usedas the main authentication method, as configured by the set-auth-mode command, or as acomplementary authentication method where it is combined with the main method.

● Typically, this is used as the main method when the clients can access the server(s) only through aproxy or a load-balancer. To use it as the main authentication method, first configure and enable themethod using this command, and then set it to the main method using the set-auth-modecommand.

● Typically, this is used as a complementary method when the clients can access the server(s) bothdirectly and through a proxy or a load-balancer. To use it as a complementary method, simplyconfigure and enable the method using this command.

309

TIBCO Spotfire® Server and Environment Installation and Administration

Page 310: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional true Specifies whether the externalauthentication method should beenabled.

-a value--request-attribute=value

Optional REMOTE_USER

The name of the HTTP requestattribute containing the name of theauthenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-

name, and --use-authenticationfilter arguments are mutuallyexclusive.

-r value--request-header=value

Optional none The name of the HTTP headercontaining the name of theauthenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and--use-authentication filter

arguments are mutually exclusive.

-o value--request-cookie=value

Optional none The name of the HTTP cookiecontaining the name of theauthenticated user. The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and--use-authentication filter

arguments are mutually exclusive.

310

TIBCO Spotfire® Server and Environment Installation and Administration

Page 311: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-n value --custom-authenticator-class-name=value

Optional none The name of a class implementingthecom.spotfire.server.security.CustomAuthenticator interface that shouldbe used for authentication.Initialization parameters for theCustom Authenticator may bespecified using the -I argument.The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and--use-authentication-filter

arguments are mutually exclusive.

-f <true|false>--use-authentication-filter=<true|false>

Optional false Specifies that the name of theauthenticated user is provided by acustom authentication filter (as thevalue of the getUserPrincipal<>method ofjavax.servlet.http.HttpServletRequest).

This is an advancedoption, consider using aCustom Authenticatorinstead.

The --request-attribute, --request-header, --request-cookie, --custom-authenticator-class-name, and--use-authentication-filter

arguments are mutually exclusive.

311

TIBCO Spotfire® Server and Environment Installation and Administration

Page 312: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-x value--expression=value

Optional none A regular expression that can beused to filter the usernameextracted from the specified HTTPrequest attribute. The value of theregular expression's first capturinggroup will be used as the newusername. A typical scenario is toextract the username from acomposite name containing bothusername and domain name whenusing the "collapse domains"option.

For example, the regular expression"\S+\\<\S+>" can be used to extractthe username from a value in theformat "domain\username".

Make sure to enclose the specifiedexpression in quotes and to quoteall special characters that mightotherwise be consumed by thecommand-line shell.

-d <true|false>--downcase=<true|false>

Optional false Specifies whether the usernameshould be converted to lower case.

-s <true|false>--require-tls=<true|false>

Optional false Specifies whether a secure HTTPSconnection is required to performexternal authentication.

312

TIBCO Spotfire® Server and Environment Installation and Administration

Page 313: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-h value--allowed-hosts=value

Optional none A comma-separated list ofhostnames and/or IP addresses ofthe client computers that arepermitted to perform externalauthentication. If this, or at least one-R argument, is not specified, thenall client computers are permitted toperform external authentication.

Because this is a potential securityrisk, it is strongly recommended torestrict the permissions to use thisfeature. Typically, this feature islocked down so that only proxies orload balancers are permitted to useit.

A scenario where all clientcomputers can be allowed to usethis feature is when a custom post-authentication filter is also in use.Then this filter would beresponsible for performing the finalauthorization, for example byvalidating additional HTTPheaders.

-Rvalue Optional none A regular expression (in the syntaxsupported byjava.util.regex.Pattern) that shouldmatch IP addresses of remote hoststhat are permitted to performexternal authentication. See also the--allowed-hosts argument. Thisargument can be specified multipletimes with different values.

-Ikey=value Optional none Specifies initialization parametersthat will be provided to the CustomAuthenticator when theinit(Map<String, String>) method iscalled. This argument may only bespecified together with the --custom-authenticator-class-

name argument, and may bespecified multiple times withdifferent keys.

Example: To set the CustomAuthenticator initializationparameter "debug" to "true":-Idebug=true

313

TIBCO Spotfire® Server and Environment Installation and Administration

Page 314: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

config-external-scheduled-updatesConfigures external scheduled updates.config-external-scheduled-updates [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --ems-enabled=<true|false>] [-s value | --server-url=value] [-u value | --username=value] [-p value | --password=value] [-i value | --client-id=value] [-t value | --topic=value] [-C value | --reconnect-attempt-count=value] [-D value | --reconnect-attempt-delay-milliseconds=value] [-T value | --reconnect-attempt-timeout-milliseconds=value] [-k value | --keep-alive-minutes=value

Overview

Use this command to configure external scheduled updates via web service or TIBCO EMS.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--ems-enabled=<true|false>

Optional false The value should be true if updatestriggered by a message sent fromTIBCO Enterprise Message Service isenabled.

-s value--server-url=value

Optional,unless --ems-

enabled istrue

none The URL and, if applicable, the port tothe EMS server.

-u value--username=value

Optional none The name of the user that will be usedto access the EMS server.

-p value--password=value>

Optional none The password of the user that will beused to access the EMS server.

-i value--client-id=value

Optional,unless --ems-

enabled istrue

none A unique value to identify the EMSconnection.

314

TIBCO Spotfire® Server and Environment Installation and Administration

Page 315: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--topic=value

Optional,unless --ems-

enabled istrue

none The topic that the EMS durablesubscriber should listen to.

-C value--reconnect-attempt-count=value

Optional 10 The number of reconnect attempts tobe made if a connect fails.

-D value--reconnect-attempt-delay-milliseconds=value

Optional 1000 The delay for the reconnect attempts.

-T value--reconnect-attempt-timeout-milliseconds=value

Optional 1000 The timeout for the reconnectattempts.

-k value--keep-alive-minutes=value

Optional 10 If a schedule has not been set up forwhen a file will be pre-loaded, specifythe number of minutes the file shouldbe kept alive.

config-import-export-directoryConfigures the library import/export directory.config-import-export-directory [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-p value | --path=value]

Overview

Use this command to configure the library import/export directory. All library import and exportoperations are performed from or to this directory. It can be a local directory, or it can reside on ashared disk.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

315

TIBCO Spotfire® Server and Environment Installation and Administration

Page 316: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-p value--path=value

Optional <installation

directory>/

tomcat/

application-

data/library

The path to the import/exportdirectory.

config-jmxConfigures the JMX RMI connector.config-jmx [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>] [-a <true|false> | --authentication-enabled=<true|false>] [-A <true|false> | --authorization-enabled=<true|false>] [-s <true|false> | --tls-enabled=<true|false>][-n <true|false> | --need-client-auth=<true|false>] [-R value | --registry-port=value] [-p value | --connector-port=value] [-j value | --jaas-config=value]

Overview

Use this command to configure the JMX RMI connector. This connector can be used for connecting toSpotfire Server for monitoring and management purposes.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional false Specifies whether the RMIconnector is enabled.

-a <true|false>--authentication-enabled=<true|false>

Optional true Specifies whether authentication isenabled for the RMI connector.

-A <true|false>--authorization-enabled=<true|false>

Optional true Specifies whether authorization isenabled for the RMI connector.Authorization requiresauthentication to be enabled andworks only with the default valueof jaas-config.

316

TIBCO Spotfire® Server and Environment Installation and Administration

Page 317: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-s <true|false>--tls-enabled=<true|false>

Optional false Specifies whether TLS is enabledfor the RMI connector.

-n <true|false>--need-client-auth=<true|false>

Optional false Specifies whether TLS clientauthentication is required.

-R value--registry-port=value

Optional 1099 The port for the RMI registry.

-p value--connector-port=value

Optional 1099 The port for the RMI connector.

-j value--jaas-config=value

Optional SpotfireJmx The JAAS configuration entry touse for authentication. Requiresauthentication to be enabled. Useraccounts for the defaultauthentication implementation arecreated by the create-jmx-usercommand.

config-kerberos-authConfigures the authentication service used with the Kerberos authentication method.config-kerberos-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-S value | --server=value] <-p value | --service-principal-name=value> [-k value | --keytab-file=value] [-d <true|false> | --enable-debug=<true|false>]

Overview

Use this command to configure the authentication service used with Kerberos authentication method.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-S value--server=value

Optional none The name of the cluster server towhich the specified configurationparameters should be applied. If noname is specified, the parametersapply to all servers in the cluster.

317

TIBCO Spotfire® Server and Environment Installation and Administration

Page 318: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-p value--path=value

Required none The Kerberos service principalname (SPN) used by the server.

-k value--keytab-file=value

Optional ${java.home}/lib/security/spotfire.keytab

The path to the Kerberos filecontaining the keytab entry for thespecified SPN. If the specified pathcontains any Java system properties(for example, as in the default valuefor this argument), they areautomatically expanded.

-d <true|false>--enable-debug=<true|false>

Optional false Specifies whether extra debuglogging should be enabled for theKerberos authentication service.

config-ldap-group-syncConfigures group synchronization for an LDAP configuration.config-ldap-group-sync [-c value | --configuration=value] [-b value | --bootstrap-config=value] <--id=value> [--group-sync-enabled=<true|false>] [--schedules=value] [--clear-schedules] [--group-names=value] [--clear-group-names] [--clear-all] [--filter-users-by-groups=<true|false>] [--group-search-filter=value] [--group-name-attribute=value] [--supports-member-of=<true|false>] [--member-attribute=value] [--ignore-member-groups=<true|false>]

Overview

Use this command to configure group synchronization for an LDAP configuration used with the UserDirectory LDAP provider.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to theserver configurationfile.

-b value--bootstrap-config=value

Optional none The path to thebootstrapconfiguration file.See Thebootstrap.xml filefor moreinformation aboutthis file.

318

TIBCO Spotfire® Server and Environment Installation and Administration

Page 319: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

--id=value Required none Specifies theidentifier of theLDAP configurationfor which toconfigure groupsynchronization.

--group-sync-enabled=<true|false>

Optional true Specifies whethergroupsynchronization isenabled for thisLDAPconfiguration.

--schedules=value This argument wasdeprecated fromversion 5.0 andreplaced by thesimilarly-namedarguments for the create-ldap-configand update-ldap-config commandsbecause thesynchronizationschedules are nowused for both userand groupsynchronization.

--clear-schedules This argument wasdeprecated fromversion 5.0 andreplaced with thesimilarly namedargument for the update-ldap-configcommand becausethe synchronizationschedules are nowused for both userand groupsynchronization.

--group-names=value Optional none Specifies the accountnames or thedistinguished names(DNs) of the groupsto be synchronized.

319

TIBCO Spotfire® Server and Environment Installation and Administration

Page 320: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

--clear-group-names Optional none If you specify thisargument, the list ofgroup namessynchronized arecleared from theLDAPconfiguration. Thisargument can beused with the --group-names

argument to removeall old group namesbefore adding thenew.

--clear-all Optional none Clears from theLDAP configurationall groupsynchronization-relatedconfigurationoptions.

As of Spotfire Server5.0 and later, thisoption does not clearthe LDAPsynchronizationschedules.

--filter-users-by-groups=<true|false>

Optional none Specifies whetherusers should befiltered by groups,so that only userswho are members ofthe synchronizedgroups aresynchronized.

320

TIBCO Spotfire® Server and Environment Installation and Administration

Page 321: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

--group-search-filter=value

Optional,unless theLDAP servertype is set toCustom usingthe --typeparameter.

For Active Directory servers,the parameter value defaultsto objectClass=group.

For Sun ONE DirectoryServers, it defaults to &(|(objectclass=nsManagedRo

leDefinition)

(objectClass=nsNestedRol

eDefinition))

(objectclass=ldapSubEntr

y).

For Sun Java System DirectoryServers, it defaults toobjectClass=groupOfUniqu

eNames..

Specifies an LDAPsearch expressionfilter to use whensearching forgroups.

--group-name-attribute=value

Optional,unless theLDAP servertype is set toCustom usingthe --typeparameter.

For Active Directory servers,the value defaults tosAMAccountName.

For any version of the SunDirectory Servers with adefault configuration, itdefaults to cn.

Specifies the nameof the LDAPattribute containingthe group accountnames.

--supports-member-of=<true|false>

Optional,unless theLDAP servertype is set toCustom usingthe --typeparameter.

none Specifies whetherthe LDAP serverssupport a memberOf-like attribute on theuser accounts thatcontain the names ofthe groups or rolesthat the users aremembers of. Ingeneral, this is truefor all MicrosoftActive Directoryservers and all typesof Sun DirectoryServers.

321

TIBCO Spotfire® Server and Environment Installation and Administration

Page 322: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

--member-attribute=value

Optional,unless theLDAP servertype is set toCustom usingthe --typeparameter.

For Microsoft ActiveDirectory servers, theparameter value defaults tomemberOf.

For Sun ONE DirectoryServers, it defaults to nsRole.

For Sun Java System DirectoryServer version 6.0 or later, itdefaults to isMemberOf. Touse the roles with the Sun JavaSystem Directory Server,override the default value bysetting this argument tonsRole.

For all LDAPservers with supportfor a memberOf-likeattribute, thisargument specifiesthe name of theLDAP attribute onthe user account thatcontains the namesof the groups orroles that the user isa member of. Ingeneral, thisincludes allMicrosoft ActiveDirectory serversand all types of SunDirectory Servers.

For some LDAPservers withconfigurations oftype Custom, thereis no memberOf-likeattribute. In thosecases, this argumentspecifies the LDAPattribute on thegroup account thatcontains the namesof its members.

All configurations ofthis type use a farless efficient groupsynchronizationalgorithm thatgenerates moretraffic to the LDAPservers becauseSpotfire Server firsthas to search for thedistinguished names(DNs) of the groupmembers within thegroups, and thenperform repeatedlook-ups to translatethe member DN tothe correct accountname.

322

TIBCO Spotfire® Server and Environment Installation and Administration

Page 323: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

--ignore-member-groups=<true|false>

Optional,unless theLDAP servertype is set toCustom usingthe --typeparameter.

For Microsoft ActiveDirectory servers, theparameter value defaults tofalse so all inherited groupmemberships are correctlyreflected. For any version ofthe Sun Directory Servers, itdefaults to true because therole and groups mechanismsin those servers automaticallyinclude those members.

Determines whetherthe groupsynchronizationmechanism shouldrecursively traversethe synchronizedgroups’ non-synchronizedsubgroups andinclude theirmembers in thesearch result.

config-ldap-userdirConfigures the LDAP User Directory mode.config-ldap-userdir [-c value | --configuration=value] [-b value |--bootstrap-config=value] [-l value | --ldap-configs=value] [-s<true|false> | --group-sync-enabled=<true|false>] [-t value |--sleep-time=value]

Overview

Use this command to configure the LDAP user directory mode. If no arguments are specified, thecommand displays the current configuration.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-l value--ldap-configs=value

Optional none A comma-separated list of LDAPconfiguration references. All referencedLDAP configurations must alreadyexist. To create a new LDAPconfiguration, use the create-ldap-config command. When specifyingmore than one reference, make sure toenclose the list of references in quotes.

-s <true|false>--group-sync-enabled=<true|false>

Optional none This argument is deprecated and isignored. Use the config-ldap-group-sync command to enable or disablegroup synchronization for each LDAPconfiguration instead.

323

TIBCO Spotfire® Server and Environment Installation and Administration

Page 324: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--sleep-time=value

Optional 60 The number of minutes between eachsynchronization. The sleep time settingis used only for LDAP configurationentries without group synchronizationschedules. If an LDAP configurationentry has a synchronization scheduledefined, then this value is ignored.

config-library-external-data-storageConfigures the external library data storage.config-library-external-data-storage [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-e <true|false> | --enabled=<true|false>> [-s value | --external-storage=value] [-f | --force]

Overview

Use this command for general configuration of the external library data storage.

When this feature is enabled, the structure of the library is stored in the Spotfire database, while theactual data of library items is stored elsewhere.

The library must be empty when you switch to or from an external data storage. The prescribedprocedure for switching is to export the entire library, empty the library, change the configuration, andthen import the library. Switching storage modes with items in the library causes data to be lost.

When you change the external library data storage configuration with this command, a query is madeto the Spotfire database to make sure that the library is empty. This check can be overridden by usingthe --force argument.

Currently, Spotfire supports two options for external data storage: storing on the server's file system, orstoring on Amazon S3. After enabling this feature, you must configure the storage using the config-library-external-file-storage or config-library-external-s3-storage command.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

324

TIBCO Spotfire® Server and Environment Installation and Administration

Page 325: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration toolpassword used to decryptthe database password inthe file bootstrap.xml. Ifthe tool password is omitted,the command prompts theuser for it in the console.Refer to The bootstrap.xmlfile.

-e <true|false>--enabled=<true|false>>

Required none Specifies whether externallibrary data storage shouldbe enabled.

-s value--external-storage=value

Optional none The external storage to use.The following names arevalid: FILE_SYSTEM andAMAZON_S3.

-f--force

Optional none Indicates that the toolshould change the libraryconfiguration even if thelibrary is not empty.

config-library-external-file-storageConfigures the file system storage of library item data.config-library-external-file-storage [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-p value | --path=value>

Overview

Use this command for configuring file system storage of library data.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-p value--path=value

Required none The path to the directory wherelibrary data is stored. Supply thevalue DEFAULT to use the SpotfireServer default location for storinglibrary data on file system.

325

TIBCO Spotfire® Server and Environment Installation and Administration

Page 326: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

config-library-external-s3-storageConfigures the Amazon S3 storage of library item data.config-library-external-s3-storage [-c value | --configuration=value] [-b value | --bootstrap-config=value] [--bucket-name=value] [--access-key=value] [--secret-key=value] [--region=value] [--threads=value] [--chunk-size=value] [--threshold=value]

Overview

Use this command for configuring the Amazon S3 storage of library data.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See thebootstrap.xml topic for moreinformation about this file.

--bucket-name=value Optional none The Amazon S3 bucket wherelibrary data is stored.

--access-key=value Optional none The access key for connecting toAmazon S3.

-secret-key=value Optional none The secret key for connecting toAmazon S3.

--region=value Optional If notconfiguredexplicitly,server uses thedefault region.

The Amazon S3 region to connectto.

--threads=value Optional none The maximum number of threadsused for uploading to Amazon S3.

--chunk-size=value Optional none The maximum number of bytes ina chunk when the data is chunkedbefore transfer to Amazon S3.

--threshold=value Optional none The number of bytes above whichthe transferred data is split intoconfigurable-sized chunks, andthen transferred separately toAmazon S3.

326

TIBCO Spotfire® Server and Environment Installation and Administration

Page 327: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

config-login-dialogConfigures the client login dialog behavior.config-login-dialog [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-s value | --show-login-dialog=value] [-o <true|false> | --allow-work-offline=<true|false>] [-d value | --offline-days-permitted=value] [-r <true|false> | --allow-remember-me=<true|false>] [-u <true|false> | --allow-user-provided-credentials=<true|false>] [-R value | --rss=value]

Overview

Use this command to configure the behavior of the client login dialog.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-s value--show-login-dialog=value

Optional standard Controls whether the log in dialogshould be displayed. Valid valuesare:

● always: Show the dialog even ifthe user selected Save my logininformation.

● never: Never show the dialog.

Use this option only with one ofthe single sign-on methods:NTLM, Kerberos, or X.509Client Certificates.

● standard: Show the dialogonly if the user did not selectSave my login information.

-o <true|false>--allow-work-offline=<true|false>

Optional true Controls whether users should beallowed to work offline or if theymust always log in.

-d value--offline-days-permitted=value

Optional -1 Controls how long users canchoose to work offline before theyare forced to log in. Setting thevalue to -1 means that users arenever forced to connect to SpotfireServer.

327

TIBCO Spotfire® Server and Environment Installation and Administration

Page 328: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-r <true|false>--allow-remember-me=<true|false>

Optional true Controls whether a user can selectto store the log in information forfuture automatic login, or if he orshe must always provide username and password when loggingin.

-u <true|false>--allow-user-provided-credentials=<true|false>

Optional true Controls whether users should beable to enter their own credentialsin the login dialog.

-R value--rss=value

Optional none The URL to an RSS feed to beshown in the login dialog. TheURL may be either an absoluteURL or a relative URL on theSpotfire Server. The feed must beRSS 2.0 compliant. Note thatHTML in the RSS feed is notsupported.

config-ntlm-authConfigures the authentication service used with the NTLM authentication method.config-ntlm-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-S value | --server=value] [-d value | --domain-name=value] [-D value | --domain-controller=value] [-a value | --account-name=value] [-p value | --password=value] [-n value | --dns-servers=value] [-s value | --ad-site=value] [-t value | --dns-cache-ttl=value] [-i value | --connection-id-header-name=value] [-L value | --log-level=value] {-Pkey=value} [-C value | --domain-trust-cache-values=value]

Overview

Use this command to configure the authentication service used with NTLM authentication method.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

328

TIBCO Spotfire® Server and Environment Installation and Administration

Page 329: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-S value--server=value

Optional none The name of the cluster server towhich the specified configurationparameters should be applied. If noname is specified, the parametersapply to all servers in the cluster. Itis typically used to add a server-specific account name (see the --account-name option).

-d value--domain-name=value

Required,unless the --domain-

controller

argument isspecified, or ifthe --serverargument isspecified andthis parameteris alreadyspecified for theglobalconfiguration.

none The DNS name of the Windowsdomain. The specified domain nameautomatically resolves into domaincontroller hostnames. It is alsopossible to use the --domain-controller argument to specify adomain controller hostnamedirectly. The --domain-name and --domain-controller arguments aremutually exclusive.

-D value--domain-controller=value

Required,unless the --domain-

controller

argument isspecified, or ifthe --serverargument isspecified andthis parameteris alreadyspecified for theglobalconfiguration.

none The DNS hostname of an ActiveDirectory domain controller. It isalso possible to use the --domain-name argument to specify a domainname that automatically resolves todomain controller hostnames. The--domain-name and --domain-controller arguments aremutually exclusive.

329

TIBCO Spotfire® Server and Environment Installation and Administration

Page 330: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-a value--account-name=value

Required,unless the --server

argument isspecified andthis parameteris alreadyspecified for theglobalconfiguration.

none Specifies the fully qualified name ofthe Active Directory computeraccount to be used by the NTLMauthentication service. This accountmust be a proper computer accountcreated solely for the purpose ofrunning the NTLM authenticationservice. It can neither be an ordinaryuser account, nor an account of anexisting computer. Note that thename of an Active Directorycomputer account always contains adollar sign; for example, [email protected]. The localpart of the account name (excludingthe dollar sign) must not exceed 15characters. Also, because of thedollar sign, always make sure toenclose this parameter value inquotes and possibly also escape thedollar sign. If there is more than oneserver in the cluster, each servermust use its own account.

-p value--password=value

Required,unless the --server

argument isspecified andthis parameteris alreadyspecified for theglobalconfiguration.

none Specifies the password for thecomputer account that is to be usedby the NTLM authenticationservice.

-n value--dns-servers=value

Optional none A comma-separated list of IPaddresses for the DNS serversassociated with the Windowsdomain. When no DNS servers arespecified, the NTLM authenticationservice falls back to the servercomputer default DNS serverconfiguration.

-s value--ad-site=value

Optional none The Active Directory site where theSpotfire system is located.Specifying an Active Directory sitecan potentially improveperformance because the NTLMauthentication service thencommunicates only with the localdomain controllers.

330

TIBCO Spotfire® Server and Environment Installation and Administration

Page 331: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--dns-cache-ttl=value

Optional 5000 ms. The length of time (in milliseconds)name server lookups should becached.

-i value--connection-id-header-name=value

Optional none The name of an HTTP headercontaining unique connection IDs inenvironments where the server islocated behind a proxy or load-balancer that does not properlyprovide the server with the client IPaddress.

The specified HTTP header mustcontain unique connection IDs foreach client connection and is thustypically based on the client IPaddress and the connection portnumber on the client side.

-L value--log-level=value

Optional 1 Specifies the level of logging donefor NTLM authentication, an integervalue ranging from 0 (no logging) to4 (debug logging).

-Pkey=value Optional none Specifies additional properties forthe Jespa component, in the form ofkey-value-pairs. For example: -Pjespa.key=value. This argumentmay be specified multiple timeswith different keys.

-C value--domain-trust-cache-values=value

Optional none Specifies a mapping betweenNetBIOS and DNS domain namesused for canonicalizing domainnames when sufficient informationis not provided by the localNETLOGON service. The mappingis given as a comma-separated listof NetBIOS:DNS entries, forexample"RESEARCH:research.example.com,HR:hr.example.com", and is usedfor turning a NetBIOS name into aDNS name, or vice versa.

331

TIBCO Spotfire® Server and Environment Installation and Administration

Page 332: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Examples

Configuring the NTLM authentication service for the research.example.comWindows domain:config.bat config-ntlm-auth --domain-name research.example.com --account-name "ntlm-svc\[email protected]" --password 53cr3t

Configuring the NTLM authentication service for using the Active Directory domaincontroller dc.research.example.com:config-ntlm-auth --domain-controller dc.research.example.com --account-name "ntlm-svc\[email protected]" --password 53cr3t

Configuring the NTLM authentication service for the Active Directory Site VIENNAwithin the research.example.com Windows domain:config-ntlm-auth --domain-name research.example.com --account-name "ntlm-svc\[email protected]" --password 53cr3t --ad-site=VIENNA

config-persistent-sessionsConfigures the persistent sessions ("remember me") feature.config-persistent-sessions [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>] [-t value | --expiration-time=value] [-s <true|false> | --sliding-expiration=<true|false>]

Overview

Use this command to configure the persistent sessions feature. Persistent sessions allows users to beremembered after a successful login. This means that the user will not have to log in again for a periodof time (even if the user, for example, closes the browser).

This feature is only applicable when using username and password based authentication.

This feature is currently only applicable for users (such as Spotfire Web Player users) logging inthrough a web browser. To configure the behavior of the Spotfire client, use the config-login-dialogcommand.

Persistent sessions can be invalidated using the invalidate-persistent-sessions command.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional false Specifies whether the persistentsessions feature should be enabled.

332

TIBCO Spotfire® Server and Environment Installation and Administration

Page 333: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--expiration-time=value

Optional 2592000 Specifies the time in seconds until apersistent session will expire and theuser will have to re-authenticate.

-s <true|false>--sliding-expiration=<true|false>

Optional false Specifies whether the expiration timeshould be reset each time the user isauthenticated using the persistentsession cookie. Note that setting this to'true' means that the user may actuallynever have to log in again.

config-post-auth-filterConfigures the post-authentication filter.config-post-auth-filter [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-f value | --filter-class=value] [-s value | --filter-config=value] [-d value | --default-filter-config=value]

Overview

Use this command to configure the post-authentication filter. If no argument is provided, the commandsimply lists the current configuration and exits.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-f value--filter-class=value

Optional none The fully-qualified name of the classimplementing thecom.spotfire.server.security.PostAuthenticationFilter API. If the argument isnone, the current value of thisconfiguration option is cleared.

-s value--filter-config=value

Optional none The filter configuration. The semanticsof the configuration argument isspecific to the actual filterimplementation. For example, it couldbe a configuration name, a file name,or a list of key/value pairs. If theargument is none, the current value ofthis configuration option is cleared.

333

TIBCO Spotfire® Server and Environment Installation and Administration

Page 334: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-d value--default-filter-config=value

Optional none The configuration for the default filterthat is always in place. Validarguments are block andautocreate.

config-public-endpointConfigures the public endpoint.config-public-endpoint [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-e <true|false> | --enabled=<true|false>> [-u value | --endpoint-url=value]

Overview

Use this command to configure the public endpoint that should be used when generating absoluteURLs and should be configured and enabled if Spotfire Server is used through a load balancer orreverse proxy.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Required none Sets whether the configuredvalue for the public endshould be used.

-u value--endpoint-url=value

Optional, unless --enabled is trueand no endpointURL has beenconfiguredpreviously.

none The public endpoint URL touse.

config-two-factor-authConfigures two-factor authentication.config-two-factor-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>]

334

TIBCO Spotfire® Server and Environment Installation and Administration

Page 335: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to configure two-factor authentication. If no argument is provided, the commandsimply lists the current configuration and exits.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional none Specifies whether or not two-factorauthentication should be enabled.

config-userdirConfigures the user directory.config-userdir [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-m value | --mode=value] [-C <true|false> | --collapse-domains=<true|false>] [-S <true|false> | --safe-synchronization=<true|false>] [-s value | --domain-name-style=value] [-u <true|false> | --unsafe-domain-name-style-allowed=<true|false>]

Overview

Use this command to configure the user directory.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-m value--mode=value

Optional database The name of the user directorymode to use. Supported valuesare database, ldap, andWindows. The current value willnot be changed unless theargument is explicitly specified.

335

TIBCO Spotfire® Server and Environment Installation and Administration

Page 336: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-C value--collapse-domains=value

Optional false Indicates whether or not externaldomains should be collapsed intothe internal SPOTFIRE domain,which is the domain used whenrunning the user directory indatabase mode. The currentvalue will not be changed unlessthe argument is explicitlyspecified.

When this feature isenabled, all users willbelong to the samedomain. If there aremultiple users with thesame account namefrom different externaldomains, they willnow share a singleSpotfire account.Because this couldpose a securityproblem, this featureshould be used withcare.

-S <true|false>--safe-synchronization=<true|false>

Optional false When this option is set to true,the user directory will not disableusers that it cannot find duringLDAP or Windows NTsynchronization. This flag has noeffect if the User Directory isrunning in Database mode. Thecurrent value will not be changedunless the argument is explicitlyspecified.

-s value--domain-name-style=value

Optional dns The domain name style used bythe server. Supported values aredns and netbios. The currentvalue will not be changed unlessthe argument is explicitlyspecified.

336

TIBCO Spotfire® Server and Environment Installation and Administration

Page 337: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-u <true|false>--unsafe-domain-name-style-allowed=<true|false>

Optional false When this option is set to true,the server will allowincompatible domain name stylesettings, instead of refusing tostart. This option should be usedwith care; it can potentially leadto many users and groups beingimported to the user directorywith invalid domain names.

config-web-service-apiConfigures the public Web Service API.config-web-service-api [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-e <true|false> | --enabled=<true|false>

Overview

Use this command to configure the public Web Service API. When the -e/--enabled argument is notprovided, the command displays the current configuration.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.xml The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-e <true|false>--enabled=<true|false>

Optional none Specifies whether the publicWeb Service API should beenabled.

config-windows-userdirConfigures the Windows user directory mode.config-windows-userdir [-c value | --configuration=value] [-b value |--bootstrap-config=value] [-d value | --domains=value] [-t value |--sleep-time=value] [--schedules=value]

Overview

Use this command to configure the Windows user directory mode. If no arguments are specified, thecommand displays the current configuration.

337

TIBCO Spotfire® Server and Environment Installation and Administration

Page 338: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-d value--domains=value

Optional none A comma-separated list of domainnames. When specifying more than onedomain name, make sure to enclose thelist of names in quotes.

-t value--sleep-time=value

Optional 60 minutes The number of minutes between eachsynchronization. The --sleep-timeand --schedules arguments aremutually exclusive. If neither the --sleep-time argument nor the --schedules argument is specified, thesynchronization is performed with asleep time of 60 minutes.

338

TIBCO Spotfire® Server and Environment Installation and Administration

Page 339: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--schedules=value

Optional none A comma-separated list of schedulesfor when the synchronization shouldbe performed. The --sleep-time and--schedules arguments are mutuallyexclusive. The schedules are given in acron-compatible format, where eachschedule consists of either five fields orone shorthand label. Make sure toenclose the value in double quotes.

The five fields are, from left to right,with their valid ranges: minute (0-59),hour (0-23), day of month (1-31),month (1-12) and day of week (0-7,where both 0 and 7 indicate Sunday).You can configure a field with thewildcard character *, indicating thatany moment in time matches this field.An LDAP synchronization is triggeredwhen all fields match the current time.If both day of month and day of weekhave non-wildcard values, then onlyone of them has to match.

You can use the following shorthandlabels instead of the full cronexpressions:

@yearly or @annually: run once a year(equivalent to 0 0 1 1 *)

@monthly: run once a month(equivalent to 0 0 1 * *)

@weekly: run once a week (equivalentto 0 0 * * 0)

@daily or @midnight: run once a day(equivalent to 0 0 * * *) @hourly: runonce an hour (equivalent to 0 * * * *)

@minutely: run once a minute(equivalent to * * * * *)

@reboot or @restart: run every timeSpotfire Server is started

Consult the Wikipedia article for anoverview of the cron scheduler: http://en.wikipedia.org/wiki/Cron.

copy-library-permissionsCopy library permissions from one principal to another.copy-library-permissions [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-u value | --oldusername=value] [-g value | --oldgroupname=value] [-n value | --newusername=value] [-p value | --newgroupname=value]

339

TIBCO Spotfire® Server and Environment Installation and Administration

Page 340: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to copy library permissions from an existing user or group to another existing useror group. Only one existing principal to copy from should be given and only one principal to copy toshould be given. The principal will only get permissions that it does not already have.

This will not be logged to the Action Log.

A permission entry, for example "Browse + Access", counts as two permission entries when summingup how many new permissions have been added.

Only explicit permissions will be copied (permissions explicitly set for a certain principal, and notpermissions given through group membership).

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the filebootstrap.xml. If the toolpassword is omitted, thecommand prompts the user for itin the console. See Thebootstrap.xml file.

u value--oldusername=value

Optional none The name of an existing user tocopy library permissions from.Unless the user is part of theconfigured default domain, thename of the user must include theuser's domain name ('DOMAIN\user' or 'user@domain').

g value--oldgroupname=value

Optional none The name of an existing group tocopy library permissions from.Unless the group is part of theconfigured default domain, thename of the group must includethe group's domain name('DOMAIN\group' or'group@domain').

340

TIBCO Spotfire® Server and Environment Installation and Administration

Page 341: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

n value--newusername=value

Optional none The name of an existing user tocopy library permissions to.Unless the user is part of theconfigured default domain, thename of the user must include theuser's domain name ('DOMAIN\user' or 'user@domain').

p value--newgroupname=value

Optional none The name of an existing group tocopy library permissions to.Unless the group is part of theconfigured default domain, thename of the group must includethe group's domain name('DOMAIN\group' or'group@domain').

create-default-configCreates a new server configuration file containing the default configuration.create-default-config [-f | --force] [export file]

Overview

Use this command to export a default server configuration to a file. The configuration in the file can beedited and then imported into the server database using the import-config command.

Options

OptionOptional orRequired Default Value Description

-f--force

Optional none Indicates that the tool shouldoverwrite an existing destinationfile.

[export file] Optional configuration.xml

The path to the configuration filethat will be created.

create-jmx-userCreates a new JMX user account.create-jmx-user [-b value | --bootstrap-config=value] [-t value |--tool-password=value] <-u value | --username=value> [-p value |--password=value] [-l value | --access-level=value]

Overview

Use this command to create a new JMX user account. The account can be used only to access statusinformation for the server through the JMX protocol. It cannot be used by users logging in to the serverusing a Spotfire client or an HTML browser.

341

TIBCO Spotfire® Server and Environment Installation and Administration

Page 342: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-u value--username=value

Required none The name of the JMX user to create.

-p value--password=value

Optional none The new JMX user password.

-l value--access-level=value

Optional r The access level for the new user. Canbe either r or rw. A user with the rwaccess level can read and modify anywritable attributes.

create-join-dbConfigures the default join database.create-join-db [-c value | --configuration=value] [-b value |--bootstrap-config=value] <-t value | --type=value> <-d value |--database-url=value> <-u value | --username=value> [-p value |--password=value] [-i value | --min-connections=value] [-a value |--max-connections=value] [-v | --validate]

Overview

Use this command to configure the default join database.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

342

TIBCO Spotfire® Server and Environment Installation and Administration

Page 343: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--type=value

Required none The database type and the driver touse. Must match the type name of oneof the enabled data source templates.

-d value--database-url=value

Required none The JDBC URL to the database.Because this argument usually containsspecial characters, be sure to escapethose characters or enclose the valuesin quotes.

-u value--username=value

Required none The database account username.

-p value--password=value

Optional none The database account password.

-i value--min-connections=value

Optional 0 The minimum number of connectionsto keep in the connection pool.

-a value--max-connections=value

Optional 0 The maximum number of connectionsto keep in the connection pool.

-v--validate

Optional none Indicates whether the createdconfiguration should be validated byattempting to connect to the databaseusing the specified connectioninformation.

create-ldap-configCreates a new LDAP configuration for authentication and/or the user directory LDAP provider.create-ldap-config [-c value | --configuration=value] [-b value |--bootstrap-config=value] <--id=value> [--discover] [-t value |--type=value] [-s value | --servers=value] [-n value |--context-names=value] [-u value | --username=value] [-p value |--password=value] [--schedules=value] [--user-search-filter=value][--user-name-attribute=value] [--authentication-attribute=value][--security-authentication=value] [--referral-mode=value][--request-control=value] [--page-size=value] [--import-limit=value][--user-display-name-attribute=value][--group-display-name-attribute=value] {-Ckey=value}{-Rvalue}{-Svalue}

343

TIBCO Spotfire® Server and Environment Installation and Administration

Page 344: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to create a new LDAP configuration for authentication and/or user directory mode.

Options

Option

OptionalorRequired Default Value Description

-c value--configuration=value

Optional configuration.xm

l

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

--id=value Required none Specifies the identifier for theLDAP configuration to create.

--discover Optional none Specifies whether to attempt toautomatically create an LDAPconfiguration based on theinformation available from theDNS service. The discover modeworks only when the desiredLDAP server has registered SRVrecords in the DNS service usedby the computer where thiscommand is being invoked. Thisis typically the case for ActiveDirectory LDAP servers. Thisargument is mutually exclusivewith the -t/ --type, -s/--servers, and -n/--context-names arguments.

344

TIBCO Spotfire® Server and Environment Installation and Administration

Page 345: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

-t value--type=value

Required,unless the--

discover

option isused

none The type of LDAP server. Thefollowing names are valid types:

● ActiveDirectory

● SunOne

● SunJavaSystem

● Custom

If you specify any of the firstthree types, a type-specificconfiguration template isautomatically applied inruntime, so that the mostfundamental configurationoptions are automaticallyconfigured.

If you specify a Custom LDAPserver type, there is no suchconfiguration template, and youmust specify explicitly all theconfiguration options. When youuse a custom LDAPconfiguration for authenticationor with the User Directory LDAPprovider, you must specify thearguments --user-search-filter and --user-name-attribute. If you use such anLDAP configuration for groupsynchronization, you must alsospecify additional parameterswhen running the config-ldap-group-sync command.See config-ldap-group-sync.

345

TIBCO Spotfire® Server and Environment Installation and Administration

Page 346: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

-s value--servers=value

Required,unless the--

discover

option isused

The LDAP protocolport numberdefaults to 389.

The LDAPS protocolport numberdefaults to 636.Active DirectoryLDAP servers alsoprovide a GlobalCatalog containingforest-wideinformation, insteadof domain-wideinformation only. Bydefault, the GlobalCatalog LDAPservice listens onport number 3268(LDAP) or 3269(LDAPS).

A whitespace-separated list ofLDAP server URLs. An LDAPserver URL has the format<protocol>://

<server>[:<port>]:

● <protocol>: Either LDAP orLDAPS

● <server>: The fully qualifiedDNS name of the LDAPserver.

● <port>: Optional. Indicatesthe port number that theLDAP service is listening on.

Spotfire Server does not expectsearch base, scope, filter, or otheradditional parameters after theport number in the LDAP serverURLs. Such properties arespecified using otherconfiguration options for thiscommand.

Examples: LDAP server URLs

● LDAP://myserver.example.com

● LDAPS://myserver.example.com

● LDAP://myserver.example.com:389

● LDAPS://myserver.example.com:636

● LDAP://myserver.example.com:3268

● LDAPS://myserver.example.com:3269

346

TIBCO Spotfire® Server and Environment Installation and Administration

Page 347: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

-n value--context-names=value

Required,unless the--

discover

option isused

none A list of distinguished names(DNs) of the containers holdingthe LDAP accounts to be visiblewithin Spotfire Server. Whenyou specify more than one DN,you must separate the DNsusing pipe-characters (|). If thespecified containers contain alarge number of users, of whichonly a few should be visible inSpotfire Server, you can specify acustom user search filter toinclude only the designatedusers (see the --user-search-filter argument).

Examples:

● CN=users,DC=example,DC=c

om

● OU=project‐x,DC=research,DC=example

,DC=com

347

TIBCO Spotfire® Server and Environment Installation and Administration

Page 348: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

-u value--username=value

Required none The name of the LDAP serviceaccount to use when searchingfor users (and optionally alsogroups) in the LDAP server. Thisservice account does not need tohave write permissions, but itmust have read permissions forall configured context names(LDAP containers). For mostLDAP servers, the account nameis the account's distinguishedname (DN). For ActiveDirectory, the account name canalso be specified in the formsntdomain\name andname@dnsdomain.

Examples:

● CN=spotsvc,OU=services,D

C=research,DC=example,dc

=COM

● RESEARCH\spotsvc (note:Active Directory only)

[email protected]

.com (note: Active Directoryonly)

-p value--password=value

Optional none The password for the LDAPservice account.

348

TIBCO Spotfire® Server and Environment Installation and Administration

Page 349: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--schedules=value Optional @daily, @restart A comma-separated list ofschedules for when the LDAPsynchronization should beperformed. The schedules aregiven in a cron-compatibleformat, where each scheduleconsists of either five fields orone shorthand label. Make sureyou enclose the value in doublequotes.

The five fields are, from left toright, with their valid ranges:minute (0-59), hour (0-23), day ofmonth (1-31), month (1-12) andday of week (0-7, where both 0and 7 indicate Sunday). You canalso configure a field with thewildcard character *, indicatingthat any moment in timematches this field. A groupsynchronization is triggeredwhen all fields match the currenttime. If both day of month andday of week have non-wildcardvalues, then only one of themhas to match.

You can also use followingshorthand labels instead of thefull cron expressions:

● @yearly or @annually: runonce a year (equivalent to 0 01 1 *)

● @monthly: run once a month(equivalent to 0 0 1 * *)

● @weekly: run once a week(equivalent to 0 0 * * 0)

● @daily or @midnight: runonce a day (equivalent to 0 0* * *)

● @hourly: run once an hour(equivalent to 0 * * * *)

● @minutely: run once aminute (equivalent to * * * * *)

● @reboot or @restart: runevery time Spotfire Server isstarted

349

TIBCO Spotfire® Server and Environment Installation and Administration

Page 350: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

Refer to the Wikipedia overviewarticle on the cron scheduler.

350

TIBCO Spotfire® Server and Environment Installation and Administration

Page 351: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--user-search-filter=value

Usuallyoptional;requiredfor customLDAPconfigurations, eitherwhenrunningthiscommandor theupdate-

ldap-

config

command.

For Active Directoryservers, theparameter valuedefaults toobjectClass=user.

For any version ofthe Sun DirectoryServers, it defaultstoobjectClass=pers

on.

Specifies an LDAP searchexpression filter to use whensearching for users.

If you need to identify a subsetof users in the specified LDAPcontainers who should beallowed access to SpotfireServer, you can specify a moredetailed user search filter. Forexample, the search expressioncan be expanded so that it alsoputs restrictions on whichgroups the users belong to, orwhich roles they have.

● For Active Directory servers,access can be restricted toonly those users belonging toa certain group by using asearch expression with thepattern&(objectClass=user)

(memberOf=<groupDN>)

where <groupDN> is replacedby the real DN of the groupto which the users mustbelong. If the users aredivided among multiplegroups, use the pattern&(objectClass=user)(|

(memberOf=<firstDN>)

(memberOf=<secondDN>)).Add extra(memberOf=<groupDN>) sub-expressions as needed.

Active Directory Example:

&(objectClass=person)

(isMemberOf=cn=project‐x,dc=example,dc=com)

● For a Sun Java SystemDirectory Server version 6and later, you can achieve thesame effect by using a searchexpression with the pattern&(objectClass= person)

(isMemberOf=<groupDN>). Ifthe users are divided amongmultiple groups, use thepattern

351

TIBCO Spotfire® Server and Environment Installation and Administration

Page 352: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

&(objectClass=person)(|

(isMemberOf=<firstDN> )

(isMemberOf=<secondDN>))

. Add extra(isMemberOf=<groupDN>)

sub-expressions as needed.

Sun Java System DirectoryServer Example:

&(objectClass=person)

(isMemberOf=cn=project‐x,dc=example,dc=com)

● For Sun ONE DirectoryServers and newer Sun JavaSystem Directory Servers orthe older iPlanet DirectoryServer, you can restrict accessto only those users havingcertain specific roles. Thesearch expression for rolefiltering must match thepattern&(objectClass=person)

(nsRole=<roleDN>). Ifmultiple roles are of interest,use the pattern&(objectClass=person)(|

(nsRole=<firstDN>)

(nsRole=<secondDN>). Addextra (nsRole=<roletDN>)sub-expressions as needed.

Sun ONE Directory ServersExample:

&(objectClass=person)

(isMemberOf=cn=project‐x,dc=example,dc=com)

The syntax of LDAP searchexpression filters is specified bythe RFC 4515 document. Consultthis documentation forinformation about moreadvanced filters.

352

TIBCO Spotfire® Server and Environment Installation and Administration

Page 353: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--user-name-attribute=value

Optional,unless theLDAPserver typeis set toCustom

using the--type

parameter.

For Active Directorservers, the valuedefaults tosAMAccountName.

For a Sun JavaSystem DirectoryServer or any olderSun ONE DirectoryServer or iPlanetDirectory Serverwith a defaultconfiguration, itdefaults to uid.

Specifies the name of the LDAPattribute containing the useraccount names.

353

TIBCO Spotfire® Server and Environment Installation and Administration

Page 354: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--authentication-attribute=value

Optional;use onlyforadvancedsetups.

none Specifies the name of the LDAPattribute containing a useridentity that can be used forbinding (authenticating) to theLDAP server. This attribute fillsno purpose in most commonLDAP configurations, but it canbe useful in more advancedsetups where the distinguishedname (DN) does not work forauthentication, or where usersshould be able to log in using ausername that does not mapdirectly to an actual LDAPaccount.

● If you set up SASL withDIGEST-MD5 in an ActiveDirectory environment, theDN does not work forauthentication, and theuserPrincipalName

attribute must be usedinstead. The --authentication-attribute

argument should then be setto userPrincipalName andthe --user-name-attributeargument should be set tosAMAccountName. (The lattervalue is the default value foran Active Directory LDAPconfiguration, so there is noneed to set it explicitly.) Seealso the --security-authentication argument.

● When you set up SASL withGSSAPI in an ActiveDirectory environment, theDN does not work forauthentication and thesAMAccountName oruserPrincipalName

attribute must be usedinstead. The --authentication-attribute

argument should be set tosAMAccountName oruserPrincipalName, and the--user-name-attribute

argument should be set to'sAMAccountName'. (The latter

354

TIBCO Spotfire® Server and Environment Installation and Administration

Page 355: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

value is the default value foran Active Directory LDAPconfiguration, so there is noneed to set it explicitly.) Seealso the --security-authentication argument.

Example:

If you set the --user-name-attribute argument to cn andthe --authentication-attribute argument touserPrincipalName in anActive Directory environment,the users can log in to SpotfireServer using their CN attributevalues, but underneath the hood,Spotfire Server actually uses theuserPrincipalName attributevalue of the LDAP account withthe matching CN for the actualauthentication.

355

TIBCO Spotfire® Server and Environment Installation and Administration

Page 356: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--security-authentication=value

Optional;use only inadvancedsetups.

simple Specifies the security level to usewhen binding to the LDAPserver:

● To enable anonymousbinding, it should be set tonone.

● To enable plain username/password authentication, itshould be set to simple.

● To enable SASLauthentication, it should beset to the name of the SASLmechanism to be used, forinstance DIGEST‐MD5 orGSSAPI. Use multiple -Carguments to set theadditional JNDI environmentproperties that the SASLauthentication mechanismtypically requires.

If you set up SASL with DIGEST-MD5 in an Active Directoryenvironment, all accounts mustuse reversible encryption fortheir passwords. This is typicallynot the default setting for thedomain controller. The --authentication-attribute

argument must also be used tospecify the userPrincipalNameattribute for the actualauthentication to work correctly.

If you set up SASL with GSSAPIin an Active Directoryenvironment, the --authentication-attribute

argument must be used tospecify either thesAMAccountName or theuserPrincipalName attributeand the custom propertykerberos.login.context.name

must be mapped to the JAASapplication configurationSpotfireGSSAPI. This, in turn,requires a fully workingKerberos configuration file

356

TIBCO Spotfire® Server and Environment Installation and Administration

Page 357: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

at /jdk/jre/ lib/security/krb5.conf.

--referral-mode=value Optional follow Specifies how LDAP referralsshould be handled. Validarguments are as follows:

● follow (automatically followany referrals).Recommended.

● ignore (ignore referrals)

● throw (fail with an error)

--request-control=value

Optional probe Determines the type of LDAPcontrols to be used for executingsearch queries to the LDAPserver. The default behavior is toprobe the LDAP server for thebest supported request control.The paged results control isalways preferred, because itprovides the most efficient wayof retrieving the query result set.

You can use the virtual list viewcontrol for the same purpose ifthe paged results control is notsupported. The virtual list viewcontrol is used automatically,together with a sort control. Boththe paged results control and thevirtual list view control supporta configurable page size, set bythe --page-size argument.

● To explicitly configure theserver for probing, set theargument value to probe.

● To configure the server forthe paged results control, setthe argument value toPagedResultsControl.

● To request the virtual listview control, set theargument value toVirtualListViewControl.

● To completely disable requestcontrols by setting theargument value to none.

357

TIBCO Spotfire® Server and Environment Installation and Administration

Page 358: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

--page-size=value Optional 2000 for both thepaged resultscontrol and thevirtual list viewcontrol.

Specifies the page size to be usedwith the paged results control orthe virtual list view controlwhen performing search queriesto the LDAP server.

--import-limit=value Optional No import limit. Specifies a threshold that limitsthe number of users that can beimported from an LDAP serverto Spotfire Server in one query.This can be used to preventaccidentally flooding theSpotfire user directory when youintegrate with an LDAP serverwith tens or even hundreds ofthousands of users. By setting animport limit, you can be surethat an unexpected high numberof users does not affect serverperformance.

To request unlimited importexplicitly, set the parametervalue to -1. All positive numbersare treated as an import limit.For most cases it isrecommended that you leavethis parameter untouched.

--user-display-name-attribute=value

Optional none Specifies the name of the LDAPattribute containing the userdisplay names.

--group-display-name-attribute=value

Optional none Specifies the name of the LDAPattribute containing the groupdisplay names.

-Ckey=value Optional;can bespecifiedmultipletimes withdifferentkeys.

none Specifies additional JNDIenvironment properties to usewhen connecting to the LDAPserver.

Example: The equivalent ofspecifying the --security-authentication=DIGEST-MD5

argument is -Cjava.naming.security.authe

ntication=DIGEST-MD5.

358

TIBCO Spotfire® Server and Environment Installation and Administration

Page 359: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired Default Value Description

-Rvalue Optional;can bespecifiedmultipletimes withdifferentvalues.

If this argument isnot specified, theJava defaults areused.

Specifies the protocols to be usedfor LDAPS when connecting tothe LDAP server.

Example: To enable only TLSv1.2> -RTLSv1.2

-Svalue Optional;can bespecifiedmultipletimes withdifferentvalues.

If this argument isnot specified, theJava defaults areused.

Specifies the cipher suites to beused for LDAPS whenconnecting to the LDAP server.

Example: To enable only thesetwo cipher suites> -STLS_DHE_RSA_WITH_AES_128_GCM_SHA256 -STLS_DHE_RSA_WITH_AES_256_GCM_SHA384

EXAMPLES

Create an LDAP configuration for Active Directory:create-ldap-config --id="ldap1" --type="ActiveDirectory"--servers="ldap:// dc01.research.example.com:3268ldap://dc02.research.example.com:3268"--context-names="OU=project-x,DC=research,DC=example,DC=com|OU=phbs,DC=management,DC=example,DC=com"--username="[email protected]" --password="s3cr3t"--schedules="@daily"

Create an LDAP configuration for SunONE:create-ldap-config --id="ldap1" --type="SunONE" --servers="ldap://directory.research.example.com:389" --context-names="OU=project-x,DC=research,DC=example,DC=com|OU=phbs,DC=management,DC=example,DC=com" --username="ldapadmin" --password="s3cr3t" --schedules="@daily"

Create an LDAP configuration for Sun Java System Directory:create-ldap-config --id="ldap1" --type="SunJavaSystem" --servers="ldaps://directory.research.example.com:636" --context‐names="OU=project-x,DC=research,DC=example,DC=com|OU=phbs,DC=management,DC=example,DC=com" --username="ldapadmin" --password="s3cr3t" --schedules="@daily"

Create an LDAP configuration for a custom LDAP server:create-ldap-config --id="ldap1" --type="Custom" --servers="ldap://directory.research.example.com"--context-names="OU=project-x,DC=research,DC=example,DC=com|OU=phbs,DC=management,DC=example,DC=com" --user-name-attribute="cn" --search-filter="&(objectClass=person)(isMemberOf=cn=projectX,dc=example,dc=com)" --username="ldapadmin" --password="s3cr3t"--schedules="@daily"

Create an LDAP configuration using the discover mode:create-ldap-config --id="ldap1" --discover --username="[email protected]" --password="s3cr3t" --schedules="@daily"

359

TIBCO Spotfire® Server and Environment Installation and Administration

Page 360: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

create-userCreates a new user account.create-user [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value> [-p value | --password=value] [-d value | --display-name=value] [-e value | --email=value]

Overview

Use this command to create a new user account. This user can then be promoted to administrator usingthe promote-admin command.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-d value--display-name=value

Optional none The new user's display name.

-e value--email=value

Optional none The new user's email address.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

u value--username=value

Required none The name of the new user.

-p value--password=value

Optional none The new user's password.

delete-disabled-usersDeleted disabled user accounts.delete-disabled-users [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-a <true|false> | --keep-once-active-users=<true|false>] [-m <true|false> | --keep-group-members=<true|false>] [-p <true|false> | --keep-users-with-library-permissions=<true|false>] [-l <true|false> | --keep-library-authors=<true|false>] [-f | --force]

Overview

Use this command to delete disabled user accounts from the user directory.

360

TIBCO Spotfire® Server and Environment Installation and Administration

Page 361: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-a <true|false>--keep-once-active-users=<true|false>

Optional

true Indicates whether all users who havelogged in at least once should be kept.

-m <true|false>--keep-group-members=<true|false>

Optional

true Indicates whether all users who aremembers of at least one group should bekept.

-p <true|false>--keep-users-with-library-permissions=<true|false>

Optional

true Indicates whether all users who haveexplicit library permissions should be kept.

-l <true|false>--keep-library-authors=<true|false>

Optional

true Indicates whether all users who havecreated or modified any library itemshould be kept.

-f--force

Optional

none Indicates that users should be deletedwithout need for further confirmation.

delete-disconnected-groupsDeletes disconnected groups.delete-disconnected-groups [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-f | --force]

Overview

Use this command to delete from the user directory disconnected groups that have been previouslysynchronized from an LDAP directory.

361

TIBCO Spotfire® Server and Environment Installation and Administration

Page 362: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-f--force

Optional

none Indicates that groups should be deletedwithout need for further confirmation.

delete-library-contentDeletes library content.delete-library-content[-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-i value | --items=value> [-d | --database] [-e | --external]

Overview

Use this command to delete a library items from the Spotfire database or from external storage onAmazon S3.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

362

TIBCO Spotfire® Server and Environment Installation and Administration

Page 363: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-i value--items=value

Required

none A comma-separated list of items (GUIDs)to delete.

-d--database

Optional

none Deletes entries in the Spotfire librarydatabase.

-e--external

Optional

none Deletes entries in external storage.

delete-jmx-userDeletes a JMX user.delete-jmx-user [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value>

Overview

Use this command to delete a user who can access the server through JMX.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-u value--username=value

Required

none The name of the user to be deleted.

delete-nodeDeletes a specified node.delete-node [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-k value | --keystore-file=value] <-i value | --id=value>

363

TIBCO Spotfire® Server and Environment Installation and Administration

Page 364: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to delete a specified node, after which it will no longer be a part of the collective. Touse this command, at least one server in the collective must be running.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration toolpassword used to decrypt thedatabase password in thebootstrap.xml file. If the toolpassword is omitted, thecommand will prompt theend user for it on the console.See The bootstrap.xml file formore information.

-k value--keystore-file=value

Optional none The location of the keystorecontaining the certificatesused for securing internalcommunication.

-i value--id=value

Required none The ID of the node thatshould be deleted. The list-nodes command can be usedto find the IDs of all nodes.

delete-service-configDeletes a service configuration.delete-service-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-c value | --config-name=value>

Overview

Use this command to delete a service configuration. If the configuration is currently assigned to aservice, that service will be reverted to the default configuration.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

364

TIBCO Spotfire® Server and Environment Installation and Administration

Page 365: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration toolpassword used to decrypt thedatabase password in thebootstrap.xml file. If the toolpassword is omitted, thecommand will prompt theend-user for it on the console.See the The bootstrap.xml filefor more information.

-c value--config-name=value

Required none The name of the configurationthat should be deleted.

delete-userDeletes a user account.delete-user [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value>

Overview

Use this command to delete a user account.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-u value--username=value

Required

none The name of the user to be deleted.

demote-adminRevokes full administrator privileges for a user.demote-admin [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value>

365

TIBCO Spotfire® Server and Environment Installation and Administration

Page 366: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to revoke administrator privileges for a user by removing the user account from theAdministrator group.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-u value--username=value

Required

none The name of the user for which to revokethe administrator privileges. Unless theuser is part of the configured defaultdomain, the name of the user needs toinclude the user's domain name, forexample DOMAIN\user or user@domain.

enable-userEnables or disables a user account in the Spotfire database.enable-user [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-u value | --username=value] [-a | --all] [-e <true|false> | --enabled=<true|false>]

Overview

Use this command to enable or disable a user account in the Spotfire database. A disabled user accountdoes not have access to Spotfire.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See the Thebootstrap.xml file for moreinformation about this file.

366

TIBCO Spotfire® Server and Environment Installation and Administration

Page 367: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the filebootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in theconsole. Refer to The bootstrap.xmlfile.

u value--username=value

Optional none The user that should be enabled ordisabled. Should not be specified ifthe -all argument is used.

-a--all

Optional none Updates the enabled status for allthe users. If this argument ispresent, no user name should bespecified.

-e <true|false>--enabled=<true|false>

Optional true Specifies if the user should beenabled or disabled.

export-configExports a server configuration from the server database to the current working directory as aconfiguration.xml file.export-config [-f | --force] [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-h value | --hash=value] [export file]

Overview

Use this command to export a server configuration from the server database to a file. The configurationin the file can be edited and then imported back into the server database using the import-configcommand.

Options

OptionOptional orRequired

DefaultValue Description

-f--force

Optional none Indicates that the tool shouldoverwrite an existing destination file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

367

TIBCO Spotfire® Server and Environment Installation and Administration

Page 368: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-h value--hash=value

Optional none The (possibly abbreviated) hash of theconfiguration to export. Must consistof at least 6 hexadecimal characters.

[export file] Optional configuration.xml

The path to the configuration file thatwill be created.

export-ds-templateExports the definition of a data source template.export-ds-template [-f | --force] [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name=value> [template definition file]

Overview

Use this command to export to a file the definition of a data source template used by InformationServices.

Options

Option

Optional orRequired

DefaultValue Description

-f--force

Optional

none Indicates whether the tool shouldoverwrite an existing destination file.

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required

none The name of the data source template forwhich to export the definition.

[template definition file]

Optional

template.xml The path to the definition file to create.

368

TIBCO Spotfire® Server and Environment Installation and Administration

Page 369: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

export-groupsExports groups from the user directory.export-groups [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-m <true|false> | --include-member-groups=<true|false>] [-u <true|false> | --include-member-users=<true|false>] [-g <true|false> | --include-guids=<true|false>] [-s <true|false> | --use-stdf=<true|false>] [-n <true|false> | --include-name-row=<true|false>] [export file] [-f | --force]

Overview

Use this command to export all groups from the user directory. The exported groups can be importedon a different server.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-m <true|false>--include-member-groups=<true|false>

Optional

false Indicates whether the group hierarchyinformation (groups in groups) should beincluded. Can be used in conjunction withthe --include-member-users argumentto include all information.

-u <true|false>--include-member-users=<true|false>

Optional

false Indicates whether the group hierarchyinformation (users in groups) should beincluded. Can be used in conjunction withthe --include-member-groups argumentto include all information.

-g <true|false>--include-guids=<true|false>

Optional

false Indicates whether the globally uniqueidentifier (GUID) of each group should beincluded.

-s <true|false>--use-stdf=<true|false>

Optional

true Indicates whether the exported file shouldbe created in Spotfire Text Data Format. Iffalse, plain CSV format is used.

369

TIBCO Spotfire® Server and Environment Installation and Administration

Page 370: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-n <true|false>--include-name-row=<true|false>

Optional

false Indicates whether the exported file shouldinclude a column name row. Applicableonly when --use-stdf is set to falsebecause STDF always includes a name row.

[export file] Optional

groups.txt The path to the file to create.

-f--force

Optional

none Indicates that the tool should overwrite anexisting destination file.

export-library-contentExports content from the library.export-library-content [-f | --force] [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-p value | --file-path=value> <-u value | --user=value> [-a <true|false> | --include-access-rights=<true|false>] <-i value | --item-type=value> <-l value | --library-path=value>

Overview

Use this command to export content from the library.

Options

Option

Optional orRequired

DefaultValue Description

-f--force

Optional

none Indicates that the tool should overwriteany already existing file with the samename as specified in the path argument.All parts of the existing file (path.part0.zip,path.part1.zip, and so on) are also deleted.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. Can be specified if andonly if a password is given and --enable-config-tool argument is set to true (thedefault).

-p value--file-path=value>

Required

none The file system path to where the itemshould be exported.

370

TIBCO Spotfire® Server and Environment Installation and Administration

Page 371: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-u value--user=value>

Required

none The user performing the export should bea Library Administrator. The name of theuser needs to include the user's domainname, for example DOMAIN\user oruser@domain, unless the user is part of theconfigured default domain.

-a <true|false>--include-access-rights=<true|false>

Optional

true Specifies if access rights should beexported.

-i value--item-type=value

Required

none Indicates which item types should beexported from the library. It is possible toexport all items, or all items of a certaintype, from a folder. It is also possible toexport a single item of a certain type.When exporting the content of a folder,valid values are: all_items,colorschemes, information_model,analysis_files, and datafunctions.When exporting a single item, valid valuesare: analyticitem, dxpscript, bookmark,embeddedresource, query, join, dxp,datafunction, folder, colorscheme,column, datasource, filter, andprocedure.

-l value--library-path=value

Required

none The path in the library where the content isexported from. When exporting foldercontent, a path to the folder must bespecified. When exporting a single item, apath to that specific item must be specified.The path must start with a slash (/). If theentire library should be exported, the pathshould be "/".

export-service-configExports a service configuration.export-service-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-c value | --config-name=value] [-a value | --capability=value] [-d value | --deployment-area=value] [-f | --force] [destination directory]

Overview

Use this command to export a service configuration for editing. The edited configuration can beimported using the import-service-config command. Either specify a configuration name or, to export adefault configuration, a capability and a deployment area.

371

TIBCO Spotfire® Server and Environment Installation and Administration

Page 372: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration toolpassword used to decrypt thedatabase password in thebootstrap.xml file. If the toolpassword is omitted, thecommand will prompt theend-user for it on the console.See the The bootstrap.xml filefor more information.

-c value--config-name=value

Required, unlessthe --capabilityand --deployment-area

arguments arespecified (in whichcase this argumentcannot bespecified)

none The name of the configurationthat should be exported.

-a value--capability=value

Required, unlessthe --config-name argument isspecified (in whichcase this argumentcannot bespecified).

none The name of a capability forwhich the defaultconfiguration should beexported. The possible valuescan be found using the list-service-configs command.This argument must bespecified together with the --deployment-area argument.

-d value--deployment-area=value

Required, unlessthe --config-name argument isspecified (in whichcase this argumentcannot bespecified).

none The name of a deploymentarea for which the defaultconfiguration should beexported. This argument mustbe specified together with the--capability argument.

-f--force

Optional none Indicates that the tool shouldoverwrite any existingdestination directory.

372

TIBCO Spotfire® Server and Environment Installation and Administration

Page 373: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

[destination directory]

Optional config The destination directory towhich the configurationshould be exported.

export-usersExports users from the user directory.export-users [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-i value | --include-password-hashes=value] [-s value | --use-stdf=value] [-g value | --include-guids=value] [-n value | --include-name-row=value] [export file] [-f | --force]

Overview

Use this command to export all users from the user directory. The exported users can be imported on adifferent server.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-i value--include-password-hashes=value>

Optional

false Indicates whether the exported file shouldinclude the password hashes. Passwordsare relevant only if you use the Spotfiredatabase for authentication.

-s value--use-stdf=value

Optional

true Indicates whether the exported file shouldbe created in Spotfire Text Data Format. Iffalse, plain CSV format is used.

-g value--include-guids=value

Optional

false Indicates whether the Globally UniqueIdentifier (GUID) of each user should beincluded.

-n value--include-name-row=value

Optional

false Indicates whether the exported file shouldinclude a column name row. Applicableonly when --use-stdf is set to falsebecause STDF always includes a name row.

373

TIBCO Spotfire® Server and Environment Installation and Administration

Page 374: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

[export file] Optional

users.txt The path to the file to create.

-f--force

Optional

none Indicates that the tool should overwrite anexisting destination file.

helpDisplays the help overview or a specific help topic.help [topic name]

Overview

Use this command to display the help overview or a specific help topic.

Options

OptionOptional orRequired

DefaultValue Description

[topic name] Optional none The name of the help topic to be displayed.

import-configImports a server configuration from a file to the server database.import-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-c value | --comment=value> [-d <true|false> | --delete-file=<true|false>] [import file]

Overview

Use this command to import a server configuration from a file to the server database and to set it as thecurrent configuration. Such a server configuration file can be generated either by running the export-config command or by creating a new default configuration using the create-default-config command.If an identical configuration file already exists in the server database, the existing configuration willhave its description and modification date updated.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

374

TIBCO Spotfire® Server and Environment Installation and Administration

Page 375: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmltopic for more information.

-c value--comment=value

Required none A comment describing the reasonfor the configuration change.Make sure to enclose the specifiedcomment in quotation marks andto quote all special characters thatmight otherwise be consumed bythe command line shell.

-d <true|false>--delete-file=<true|false>

Optional false Indicates whether the importedconfiguration file should bedeleted from the file system aftera successful import.

[import file] Optional configuration.x

ml

The path to the configuration fileto import.

import-groupsImports groups to the user directory.import-groups [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-m <true|false> | --include-member-groups=<true|false>] [-u <true|false> | --include-member-users=<true|false>] [-g <true|false> | --include-guids=<true|false>] [-n <true|false> | --has-name-row=<true|false>] [import file]

Overview

Use this command to import all groups in a given file to the user directory. The groups can be importedincluding membership information or as a simple list.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional configuration.x

ml

The path to the configuration fileto create.

375

TIBCO Spotfire® Server and Environment Installation and Administration

Page 376: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-m <true|false>--include-member-groups=<true|false>

Optional false Indicates whether the grouphierarchy information (groups ingroups) should be included. Canbe used in conjunction with the--include-member-users

argument to include allinformation.

-u <true|false>--include-member-users=<true|false>

Optional false Indicates whether the grouphierarchy information (users ingroups) should be included. Canbe used in conjunction with the--include-member-groups

argument to include allinformation.

-g <true|false>--include-guids=<true|false>

Optional false Indicates whether globallyunique identifiers (GUIDs) in thefile should be included.

-n <true|false>--has-name-row=<true|false>

Optional false Indicates whether the filecontains a name row. Applicableonly when the file is in plain CSVformat because the Spotfire TextData Format (STDF) always has aname row.

[import file] Optional groups.txt The path to the file to import.

import-jaas-configImports new JAAS application configurations into the server configuration.import-jaas-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-f | --force] <-j value | --jaas-config-file=value> [-n value | --name=value]

Overview

Use this command to import new JAAS application configurations into the server configurations.

Options

OptionOptional orRequired Default Value Description

-c value--configuration=value

Optional configuration.x

ml

The path to the serverconfiguration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

376

TIBCO Spotfire® Server and Environment Installation and Administration

Page 377: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-f--force

Optional none Indicates that the JAASapplication configurations shouldbe imported into the server evenif other configurations with thesame names already exist. Whenthis argument is enabled, the oldconfigurations are overwritten

-j value--jaas-config-file=value

Required none The path to the JAAS applicationconfiguration file. The file isexpected to be in the standardJAAS application configurationformat.

-n value--name=value

Optional none The names of the JAASapplication configurations to beimported into the server. Multiplenames must be comma-separatedand enclosed between quotes. Ifthis argument is omitted, then allJAAS application configurationswithin the specified file areimported.

import-library-contentImports content into the library.import-library-content [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-p value | --file-path=value> <-m value | --conflict-resolution-mode=value> <-u value | --user=value> [-e <true|false> | --prune-empty-directories=<true|false>] [-a <true|false> | --include-access-rights=<true|false>] [-i value | --item-type=value] [-l value | --library-path=value]

Overview

Use this command to import content into the library.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

377

TIBCO Spotfire® Server and Environment Installation and Administration

Page 378: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional true The configuration tool passwordused to decrypt the databasepassword in the filebootstrap.xml. Can be specifiedif and only if a password is givenand --enable-config-toolargument is set to true.

-p value--file-path=value

Required none The file system path to the filethat should be imported into thelibrary. This should be the resultof a previous library export andwith a name endingwith .part0.zip. If the exportconsists of several parts (endingwith .part1.zip and so on), thesemust be placed in the same folder.

-m value--conflict-resolution-mode=value

Required none Sets the conflict resolution modethat should be used if there is aconflict with existing content inthe library path given. Theconflict resolution mode isapplied for each conflicting itemthat is imported. Valid values areKEEP_NEW, KEEP_OLD, andKEEP_BOTH.

-u value--user=value

Required none The user performing the import,should be a LibraryAdministrator. Unless the user ispart of the configured defaultdomain, the name of the userneeds to include the user'sdomain name, like DOMAIN\user or user@domain.

-e <true|false>--prune-empty-directories=<true|false>

Optional false Specifies if empty directoriesshould be created.

-a <true|false>--include-access-rights=<true|false>

Optional true Specifies if access rights shouldbe imported.

-i value--item-type=value

Optional all_items Which item types that should beimported into the library. Validvalues are: all_items,colorschemes,information_model,analysis_files, anddatafunctions.

378

TIBCO Spotfire® Server and Environment Installation and Administration

Page 379: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-l value--library-path=value

Optional / The path in the library where thecontent is imported. The pathmust specify an existing folder inthe library.

import-scheduled-updatesImports scheduled updates from previous Spotfire Web Player versions, from either a local file or thelibrary.import-scheduled-updates [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-k value | --keystore-file=value] [-p value | --local-file-path=value] [-n value | --library-file-name=value] [-r value | --resource-pool-name=value] [-z value | --time-zone-id=value] [-e <true|false> | --enabled=<true|false>] [-i value | --instances-count=value]

Overview

Use this command to import scheduled updates from previous Spotfire Web Player versions, fromeither a local file or the library. At least one Spotfire Server instance must be running.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See thebootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the thebootstrap.xml topic for moreinformation.

-k value--keystore-file=value

Optional none The location of the keystorecontaining the certificates usedfor securing internalcommunication.

-p value--local-file-path=value

Optional none Full path to the local scheduledupdates file. Mutually exclusivewith the library-file-name.

379

TIBCO Spotfire® Server and Environment Installation and Administration

Page 380: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-n value--library-file-name=value

Optional none Name of the scheduled updatesfile in the library (specified in theprevious Spotfire Web Playerconfiguration). Mutuallyexclusive with the local-file-path.

-r value--resource-pool-name=value

Optional Optional resource pool for thescheduled updates. Ifunspecified, default routingapplies.

-z value--time-zone-id=value

Optional none Optional time zone ID in theArea/City format, for exampleAmerica/Los_Angeles or Europe/Brussels (a full list is available inthe Administration Console). Ifunspecified, server time zoneapplies.

-e <true|false>--enabled=<true|false>

Optional false Optional flag to specify if thescheduled updates are enabledwhen imported.

-i value--instances-count=value

Optional 1 Optionally specifies on howmany Spotfire Web Playerinstances the scheduled updatesshould run. '0' means allavailable.

import-service-configImports a service configuration.import-service-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-n value | --config-name=value] [-d | --delete-directory] [source directory]

Overview

Use this command to import a service configuration. The imported configuration can be assigned to aservice using the set-service-config command.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

380

TIBCO Spotfire® Server and Environment Installation and Administration

Page 381: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the Thebootstrap.xml topic for moreinformation.

-n value--config-name=value

Optional none The name to give to theconfiguration. If no name isgiven, the existing configurationwill be overwritten. Note thatdefault configurations cannot beoverwritten, so if theconfiguration to be imported wascreated from a defaultconfiguration, a name must bespecified.

-d--delete-directory

Optional none Indicates whether or not thesource directory should bedeleted after a successful import.

[source directory] Optional config The source directory containingthe configuration that should beimported.

import-usersImports users to the user directory.import-users [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-i <true|false> | --include-passwords=<true|false>] [-h <true|false> | --hash-passwords=<true|false>] [-g <true|false> | --include-guids=<true|false>] [-n <true|false> | --has-name-row=<true|false>] [import file]

Overview

Use this command to import all users in a given file to the user directory. The users can be importedwith or without passwords.

381

TIBCO Spotfire® Server and Environment Installation and Administration

Page 382: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-i <true|false>--include-passwords=<true|false>

Optional

false Indicates whether passwords in the fileshould be included.

-h <true|false>--hash-passwords=<true|false>

Optional

false Indicates whether the included passwordsshould be hashed during import. Shouldbe false if the users have previously beenexported from a Spotfire Server becausethose passwords are already hashed.

-g <true|false>--include-guids=<true|false>

Optional

false Indicates whether the globally uniqueidentifiers (GUIDs) in the file should beincluded.

-n <true|false>--has-name-row=<true|false>

Optional

false Indicates whether the file contains a namerow. Applicable only when the file is inplain CSV format because the Spotfire TextData Format (STDF) always has a namerow.

[import file] Optional

users.txt The path to the file to import.

invalidate-persistent-sessionsInvalidates all persistent sessions.invalidate-persistent-sessions [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-u value | --username=value] [-a | --all]

Overview

Use this command to invalidate persistent sessions for a specified user or for all users.

After the persistent sessions have been invalidated, the user(s) must re-authenticate when they next login. Currently active sessions will remain active until the next idle timeout or absolute timeout(whichever happens first), after which the user will have to re-authenticate.

382

TIBCO Spotfire® Server and Environment Installation and Administration

Page 383: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmltopic for more information.

-u value--username=value

Required,unless the --all flag hasbeen specified

none The user for which all persistentsessions should be invalidated.Must not be specified togetherwith the --all flag.

-a--all

Required,unless the --username

argument hasbeen specified

none Indicates that all persistentsessions for all users should beinvalidated. Must not be specifiedtogether with the --usernameargument.

list-active-service-configsLists active (configured) service configurations.list-active-service-configs [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list the active (configured) service configurations. See also the list-service-configscommand.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

383

TIBCO Spotfire® Server and Environment Installation and Administration

Page 384: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmltopic for more information.

list-addressesLists the addresses of a node.list-addresses [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-n value | --node-id=value]

Overview

Use this command to list the configured addresses of a node. The addresses can be configured using the set-addresses command.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See thebootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmltopic for more information.

-n value--node-id=value

Required The default valueis taken from thefile specified with--bootstrap-

config.

The ID of the node for which thesite should be set. The list-nodescommand can be used to find theIDs of all nodes in the collective.

list-adminsLists the server administrators.list-admins [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

384

TIBCO Spotfire® Server and Environment Installation and Administration

Page 385: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to list the server administrators. Only direct members of the Administrator groupare shown.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it. Refer to The bootstrap.xml file.

list-auth-configDisplays the current authentication configuration.list-auth-config [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to display the current authentication configuration.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

list-auth-modeDisplays the currently configured authentication mode.list-auth-mode [-c value | --configuration=value] [-b value | --bootstrap-config=value]

385

TIBCO Spotfire® Server and Environment Installation and Administration

Page 386: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to display the configured authentication mode.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

list-certificatesLists the certificates that establish the trust between components within the Spotfire collective.list-certificates [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-v | --valid] [-e | --expired] [-r | --revoked] [-p | --pending]

Overview

Use this command to list the certificates that establish the trust between components within the Spotfirecollective. By default, the tool displays all certificates issued by the internal CA. The output from thetool can be restricted by specifying one or more of the flags.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmltopic for more information.

-v--valid

Optional none When this flag is specified, thetool displays all valid certificates.

386

TIBCO Spotfire® Server and Environment Installation and Administration

Page 387: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-e--expired

Optional none When this flag is specified, thetool displays all expiredcertificates.

-r--revoked

Optional none When this flag is specified, thetool displays all revokedcertificates.

-p--pending

Optional none When this flag is specified, thetool displays all pendingcertificates.

list-configsLists all available server configurations.list-configs [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-i | --include-incompatible] [-h value | --hash-abbrev=value]

Overview

Use this command to list the available configurations. The current configuration is indicated by anasterisk in the left column.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

-i--include-incompatible

Optional

none Indicates whether to includeconfigurations incompatible with thecurrent server version.

-h value--hash-abbrev=value

Optional

7 The number of hexadecimal digits(between 6 and 40) to which you want toabbreviate the configuration hash.

387

TIBCO Spotfire® Server and Environment Installation and Administration

Page 388: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-deployment-areasLists the deployment areas.list-deployment-areas [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list the deployment areas as well as display the default deployment area.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it. Refer to The bootstrap.xml file.

list-ds-templateLists the data source templates.list-ds-template [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to list the data source templates.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

388

TIBCO Spotfire® Server and Environment Installation and Administration

Page 389: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-groupsLists all groups.list-groups [-l value | --limit=value] [-s value | --search-expression=value] [-m | --list-members] [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list all groups in the user directory.

Options

Option

Optional orRequired

DefaultValue Description

-l value--limit=value

Optional

20 The maximum number of groups to list.

-s value--search-expression=value

Optional

none A search expression that can be used tosearch only for groups with namesmatching the expression.

-m value--list-members

Optional

none Determines whether to list the members.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

list-jaas-configLists the JAAS application configurations.list-jaas-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] [--xml] [JAAS application configuration name]

Overview

Use this command to display the server JAAS application configurations. (It cannot display systemJAAS application configurations.)

389

TIBCO Spotfire® Server and Environment Installation and Administration

Page 390: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

--xml Optional

none Specifies if the JAAS applicationconfigurations should be displayed in XMLformat, as it is stored within theconfiguration.xml file.

[JAAS application configuration name]

Optional

none The names of the JAAS applicationconfiguration to display. Multiple namesmust be comma-separated and enclosedbetween quotes. If this argument isomitted, then all JAAS applicationconfigurations are displayed.

list-jmx-usersLists all JMX users.list-jmx-users [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list all users who can access the server through JMX. The result contains the username and access level of each user.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. Refer to Thebootstrap.xml file.

390

TIBCO Spotfire® Server and Environment Installation and Administration

Page 391: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-ldap-configDisplays LDAP configurations.list-ds-template [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to list the data source templates.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml topic for moreinformation about this file.

--xml=value Optional

none Specifies that the LDAP configurationshould be displayed in XML formatinstead of the standard JAAS applicationconfiguration format.

[LDAP configuration id]

Optional

none Specifies the identifier of the LDAPconfiguration to be displayed. If noidentifier is specified, then all LDAPconfigurations are displayed.

list-ldap-userdir-configLists the configuration for the user directory LDAP mode.list-ldap-userdir-config [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to list the configuration for the user directory LDAP mode.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

391

TIBCO Spotfire® Server and Environment Installation and Administration

Page 392: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

list-licensesLists the currently known licenses and license functions.list-licenses [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list the license and license functions.

To get the licenses, you first must deploy Spotfire.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the Thebootstrap.xml file for moreinformation.

list-nodesLists the nodes in the collective.list-nodes [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-e | --exclude-trusted]

Overview

Use this command to list the nodes in the collective.

392

TIBCO Spotfire® Server and Environment Installation and Administration

Page 393: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the Thebootstrap.xml file for moreinformation.

-e--exclude-trusted

Optional none Indicates whether trusted nodesshould be excluded.

list-ntlm-authDisplays the NTLM authentication service configuration.list-ntlm-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-S value | --server=value]

Overview

Use this command to display the NTLM authentication service configuration.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-S value--server=value

Optional

none The name of the cluster server whoseconfiguration should be displayed. If noname is specified, the global parameterscommon to all servers in the cluster aredisplayed.

393

TIBCO Spotfire® Server and Environment Installation and Administration

Page 394: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-online-serversLists all online servers.list-online-servers [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list all servers in the cluster that are currently online.

Options

Option

OptionalorRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. See the Thebootstrap.xml file.

Output

A table of all servers in the cluster that are currently online. An asterisk in the left column is used toindicate that the server is the current primus server (responsible for handling tasks such as thesynchronization of LDAP groups).

Example

list-post-auth-filterDisplays the current post-authentication filter configuration.list-post-auth-filter [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to display the post-authentication filter configuration.

394

TIBCO Spotfire® Server and Environment Installation and Administration

Page 395: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

list-service-configsLists available service configurations.list-service-configs [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-c value | --capability=value] [-a value | --deployment-area=value] [-e | --exclude-default-configs]

Overview

Use this command to list the available service configurations. The configurations can be exported usingthe export-service-config command.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

-c value--capability=value

Optional none The name of the capability forwhich to list configurations.

-a value--deployment-area=value

Optional none The name of the deployment areafor which to list configurations.

-e--exclude-default-configs

Optional none Indicates whether defaultconfigurations should beexcluded.

395

TIBCO Spotfire® Server and Environment Installation and Administration

Page 396: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

list-userdir-configList the current user directory configuration.list-userdir-config [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to list the current user directory configuration.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

list-userdir-modeThis command is deprecated and is replaced by list-userdir-config.

list-usersLists all users.list-users [-f | --force-synchronization] [-l value | --limit=value] [-s value | --search-expression=value] [-e <true|false> | --exclude-disabled=<true|false>] [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to list all users in the user directory. It does not work when using the user directoryWindows provider.

Options

Option

OptionalorRequired

DefaultValue Description

-f--force-synchronization

Optional none Indicates that the command should force auser directory synchronization beforeattempting to list the users. This argumenthas no effect if the user directory isrunning in database mode.

-l value--limit=value

Optional 100 The maximum number of users to list.

396

TIBCO Spotfire® Server and Environment Installation and Administration

Page 397: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

OptionalorRequired

DefaultValue Description

-s value--search-expression=value

Optional none A search expression that can be used tosearch only for users with names matchingthe expression.

-e value--exclude-disabled=<true|false>

Optional false Indicates whether disabled users should beexcluded.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. See the Thebootstrap.xml file.

list-windows-userdir-configLists the configuration for the user directory Windows NT mode.list-windows-userdir-config [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to list the configuration for the user directory Windows NT mode.

Options

Option

OptionalorRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

manage-deployment-areasManages the deployment areas.manage-deployment-areas [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-R | --reset-all-group-areas] [-r | --reset-group-area] [-s | --set-group-area] [-c | --create-area] [-D | --delete-area] [-d | --default-area] [-g value | --group-name=value] [-a value | --area-name=value]

397

TIBCO Spotfire® Server and Environment Installation and Administration

Page 398: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to change the deployment area for groups, change the default deployment area, andcreate and remove deployment areas.

Options

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional

none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the userfor it in the console. See The bootstrap.xmlfile.

-R--reset-all-group-areas

Optional

none Use if all specified areas for all groupsshould be removed.

This does not affect the default area or anycontent on the areas. Users are using thedefault area after running this command.The ‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐areaarguments are mutually exclusive.

-r--reset-group-area

Optional

none Use if an area for a specific group shouldbe removed. This does not affect thedefault area or any content on the area. If auser is not a member of any group with aspecified area, the default area is used. The‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐areaarguments are mutually exclusive.

-s--set-group-area

Optional

none Use if an area should be set for a specificgroup. A user that is a member of thisgroup gets access to the specified areainstead of the default area. The ‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐area arguments aremutually exclusive.

398

TIBCO Spotfire® Server and Environment Installation and Administration

Page 399: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-c--create-area

Optional

none Specifies that a new area should becreated. The ‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐area arguments are mutuallyexclusive.

-D--delete-area

Optional

none Specifies that an existing area should bedeleted. The ‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐area arguments are mutuallyexclusive.

-d--default-area

Optional

none Specifies that a the default area should bechanged.

The ‐‐reset‐all‐group‐areas, -‐reset‐group‐area, ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area, and ‐‐default‐areaarguments are mutually exclusive.

-g value--group-name=value

Optional

none The name of the group. Applicable for ‐ ‐reset‐all‐group‐areas, ‐‐reset‐group‐area, and ‐‐set‐group‐area.

-a value--area-name=value

Optional

none The name of the area. Applicable for ‐‐set‐group‐area, ‐‐create‐area, ‐‐delete‐area,and ‐‐default‐area.

modify-db-configModifies the common database connection configuration.modify-db-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-l value | --login-timeout=value] [-o value | --connection-timeout=value] [-i value | --min-connections=value] [-a value | --max-connections=value] [-p value | --pooling-scheme=value] [-q value] {-Ckey=value} [-e <true|false> | --clear-connection-properties=<true|false>]

Overview

Use this command to modify the common configuration for the connection to the Spotfire Serverdatabase. This configuration (which affects all servers) is merged with the configuration in thebootstrap.xml file on each server.

399

TIBCO Spotfire® Server and Environment Installation and Administration

Page 400: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-l value--login-timeout=value

Optional

none The maximum time (in seconds) to wait fora connection to become available.

-o value--connection-timeout=value

Optional

none The maximum time (in seconds) aconnection can stay idle in the connectionpool before being closed and discarded.

-i value--min-connections=value

Optional

none The minimum number of connections tokeep in the connection pool.

-a value--max-connections=value

Optional

none The maximum number of connections tokeep in the connection pool.

-p value--pooling-scheme=value

Optional

none The connection pooling algorithm to beused. Valid values are:

● WAIT: The --max-connectionsparameter is strictly respected.

● DYNAMIC: The number of connectionscan occasionally exceed the configuredmaximum number.

-q value Optional

none An SQL query that should be run directlyafter a connection has been created.

-Ckey=value Optional

none A JDBC connection property that is addedto the existing list of connection properties.Several properties can be specified. (Can bespecified multiple times with differentkeys.)

-e <true|false>--clear-connection-properties=<true|false>

Optional

false Clears the existing list of connectionproperties.

400

TIBCO Spotfire® Server and Environment Installation and Administration

Page 401: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Examples

Setting the maximum number of connections in the pool:

modify‐db‐config ‐‐max‐connections=100

Setting the pooling scheme:

modify‐db‐config ‐‐pooling‐scheme=WAIT

Setting the size of the statement pool of the DataDirect driver:

modify‐db‐config ‐CMaxPooledStatements=20

modify-ds-templateModifies a data source template.modify-ds-template [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name=value> [-e <true|false> | --enable=<true|false>] [-r value | --rename=value] [-d value | --definition=value]

Overview

Use this command to modify a data source template used by Information Services.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required

none The name of the data source template tomodify.

-e <true|false>--enable=<true|false>

Optional

none Indicates whether the data source templateshould be enabled. If no argument is given,the value is unchanged.

-r value--rename=value

Optional

none The name to rename the data sourcetemplate to. If no argument is given, thevalue is unchanged.

-d value--definition=value

Optional

none The path to the file containing a new datasource template definition. If no argumentis given, the value is unchanged.

401

TIBCO Spotfire® Server and Environment Installation and Administration

Page 402: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

promote-adminAssigns full administrator privileges to a user.promote-admin [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value>

Overview

Use this command to promote a user to administrator by adding the user account to the Administratorgroup.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-u value--username=value

Required none The name of the user to be promoted toadministrator. Unless the user is part ofthe configured default domain, thename of the user must include theuser's domain name, as in "DOMAIN\user" or "user@domain".

remove-ds-templateRemoves a data source template.remove-ds-template [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name=value>

Overview

Use this command to remove a data source templates.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

402

TIBCO Spotfire® Server and Environment Installation and Administration

Page 403: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Option

Optional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required

none The name of the data source template toremove.

remove-jaas-configRemoves the specified JAAS application configurations from the server configuration.remove-jaas-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] <-n value | --name=value>

Overview

Use this command to remove JAAS application configurations from the server.

Options

Option

Optional orRequired

DefaultValue Description

-c value--configuration=value

Optional

configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional

none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required

none The names of the JAAS applicationconfigurations to be removed from theserver. Multiple names must be comma-separated and enclosed between quotes.

remove-ldap-configRemoves LDAP configurations.remove-ldap-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] <LDAP configuration ids>

Overview

Use this command to remove LDAP configurations.

403

TIBCO Spotfire® Server and Environment Installation and Administration

Page 404: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

Option

OptionalorRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

<LDAP configuration ids> Required none Specifies a comma-separated list ofidentifiers of the LDAP configurationsto be removed.

remove-licenseRemoves a license from a group.remove-license <-g value | --group=value> <-l value | --license=value> [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to remove a license from a group.

Options

Option

OptionalorRequired

DefaultValue Description

-g value--group=value

Required none The group to have its licensesremoved.

-l value--license=value

Required none The license to remove.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

404

TIBCO Spotfire® Server and Environment Installation and Administration

Page 405: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

reset-trustResets the trust within the Spotfire collective.reset-trust [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-d | --delete] [-f | --force]

Overview

Use this command to reset the trust within the Spotfire collective by revoking all the certificates in theinternal CA. When the --delete argument is provided, the certificates are deleted instead of revoked.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the Thebootstrap.xml file for moreinformation.

-d--delete

Optional none When this flag is specified, thetool deletes the certificates in theinternal CA instead of justrevoking them.

-f--force

Optional none When this flag is specified, thetool revokes or deletes thecertificates in the internal CAwithout requiring anyconfirmation.

runRuns a configuration script.run <script file>

Overview

Use this command to run a configuration script.

405

TIBCO Spotfire® Server and Environment Installation and Administration

Page 406: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

<script file> Required none The name of the script to be executed.

Script Syntax

Each line must contain the name of a command and its arguments. Arguments can be quoted usingeither single or double quotation marks. Lines beginning with a hash character (#) are regarded ascomments and have no effect. Lines ending with a backslash character (\) are continued on the nextline with the backslash character removed before parsing. The special script command "echo" can beused to echo messages to the console. See Script language.

s3-downloadDownloads the data of library items in Amazon S3 storage.s3-download [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-i value | --items=value> <-d value | --destination=value>

Overview

Use this command to download the data of library items in Amazon S3 storage.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it. Refer to Thebootstrap.xml file.

-i value--items=value

Required none A comma-separated list of the libraryitems (GUIDs) to download.

-d value--destination=value

Required none The directory where the downloadeditems should be saved.

406

TIBCO Spotfire® Server and Environment Installation and Administration

Page 407: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

set-addressesSets the addresses for a Spotfire Server node.set-addresses [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-n value | --node-id=value] {-Avalue} [-d | --auto-detect]

Overview

Use this command to set the (back-end) addresses (host names and IP addresses) of the Spotfire Servernode, used for internal communication within the Spotfire collective. Ensure that the node can bereached on all addresses. The back-end ports must be reachable through the configured addresses, andthe front-end port may be reachable through the configured addresses.

The server being configured must be offline when running the command.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

-n value--node-id=value

Optional The default valueis taken from thefile specified with--bootstrap-

config.

The ID of the node for which thesite should be set. The list-nodescommand can be used to find theIDs of all nodes in the collective.

-Avalue Required,unless the --auto-detect

flag isspecified. Theflag may bespecifiedmultiple timeswith differentvalues.

The default valueis the hostname(s) and IPaddress(es) asdetermined whenthis command isrun.

The possible node back-endaddresses (host names and IPaddresses). Used for internalcommunication within theSpotfire collective. The addresseswill be used in the order they areprovided (in cases where there isa need for ordering). The -A and--auto-detect arguments aremutually exclusive.

407

TIBCO Spotfire® Server and Environment Installation and Administration

Page 408: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-d--auto-detect

Required,unless at leastone -Aargument isspecified.

none If specified, this argumentindicates that the addressesshould be determinedautomatically. Must only bespecified when configuring theaddresses of the server nodewhere the command is run. The -A and --auto-detect argumentsare mutually exclusive.

set-auth-modeThis command is deprecated and replaced by config-auth.

See config-auth.

set-configSets the current server configuration.set-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-h value | --hash=value> <-c value | --comment=value>

Overview

Use this command to set the current configuration to one of the existing configurations. See list-configsfor more information.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-h value--hash=valuey

Required none The (possibly abbreviated) hash of theconfiguration to set. Must be at leastthe first six hexadecimal characters ofthe hash.

-c value--comment=value

Required none A comment describing the reason forthe configuration change.

408

TIBCO Spotfire® Server and Environment Installation and Administration

Page 409: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

set-config-propSets the value of a specific configuration property.set-config-prop [-c value | --configuration=value][-b value | --bootstrap-config=value] <-n value | --name=value> <-v value | --value=value>

Overview

Use this command to set the value of a specific configuration property. There must be at most one suchpreperty and the value of the property must be representable as a string.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-n value--name=value

Required none The name of the configurationproperty.

-v value--value=value

Required none The new value of the configurationproperty. This will replace any existingvalue.

Example

To set the absolute session timeout to one hour:set-config-prop --name="security.absolute-session-timeout" --value="60"

set-db-configSets the common database connection configuration.set-db-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-l value | --login-timeout=value] [-o value | --connection-timeout=value] [-i value | --min-connections=value] [-a value | --max-connections=value] [-p value | --pooling-scheme=value] [-q value] {-Ckey=value}

Overview

Use this command to set the common configuration for the connection to the Spotfire Server database.This configuration (which affects all servers) is merged with the configuration in the bootstrap.xmlfile on each server.

409

TIBCO Spotfire® Server and Environment Installation and Administration

Page 410: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-l value--login-timeout=value

Optional 10 The maximum time (in seconds) towait for a connection to becomeavailable.

-o value--connection-timeout=value

Optional 600 A comma-separated list of the libraryitems (GUIDs) to download.

-i value--min-connections=value

Optional 5 The directory where the downloadeditems should be saved.

-a value--max-connections=value

Optional 40 The maximum number of connectionsto keep in the connection pool.

-p value--pooling-scheme=value

Optional WAIT The connection pooling algorithm to beused. Valid values are:

● WAIT: The --max-connectionsparameter is strictly respected.

● DYNAMIC: The number ofconnections can occasionally exceedthe configured maximum number.

-q value Optional none An SQL query that should be rundirectly after a connection has beencreated.

-Ckey=value Optional none A JDBC connection property. Severalproperties can be specified.

Examples

To set the maximum number of connections in the pool:

set‐db‐config ‐‐max‐connections=100

To set the pooling scheme:

set‐db‐config ‐‐pooling‐scheme=WAIT

410

TIBCO Spotfire® Server and Environment Installation and Administration

Page 411: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

To set the size of the statement pool of the DataDirect driver:

set‐db‐config CMaxPooledStatements=20

set-licenseSets a license and license functions for a group. To see the currently available licenses and licensefunctions, use the list-licenses command.set-license <-g value | --group=value> <-l value | --license=value> [-f value | --functions=value] [-b value | --bootstrap-config=value] [-t value | --tool-password=value]

Overview

Use this command to set a license and license functions for a group.

Options

OptionOptional orRequired

DefaultValue Description

-g value--group=value

Required none The group that should get the licensesset.

-l value--license=value

Required none The license to set.

-f value--functions=value

Optional none The license functions to enable.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

set-server-service-configSets the configuration for a service running in Spotfire Server (typically the Spotfire Web Player front-end).set-server-service-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-a value | --capability=value] [-c value | --config-name=value]

Overview

Use this command to set the configuration for a service running in Spotfire Server. To configure aservice running on a remote node, use the set-service-config command.

411

TIBCO Spotfire® Server and Environment Installation and Administration

Page 412: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

-a value--capability=value

Optional WEB_PLAYER The name of the capability forwhich to set the configuration.

-c value--config-name=value

Optional none The name of the configurationthat should be set. If noconfiguration name is specified,the service will revert to thedefault configuration.

set-service-configSets the configuration for a service running on a remote node.set-service-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-k value | --keystore-file=value] <-s value | --service-id=value> [-c value | --config-name=value] [-f | --force]

Overview

Use this command to set the configuration for a service running on a remote node. Note that allrunning instances (if any) of the service will be restarted.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

412

TIBCO Spotfire® Server and Environment Installation and Administration

Page 413: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

k value--keystore-file=value

Optional none The location of the keystorecontaining the certificates usedfor securing internalcommunication.

-s value--service-id=value

Required none The ID of the service for whichthe service should be set.

-c value--config-name=value

Optional none The name of the configurationthat should be set. If noconfiguration name is specified,the service reverts to the defaultconfiguration.

-f--force

Optional none Indicates that the serviceconfiguration should be setwithout need for furtherconfirmation.

set-user-passwordSets a new password for a given user.set-user-password [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-u value | --username=value> [-p value | --password=value]

Overview

Use this command to set the password for a specific user account.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

413

TIBCO Spotfire® Server and Environment Installation and Administration

Page 414: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

-u value--username=value

Required WEB_PLAYER The name of the user for whichthe password should be set.

-p value--password=value

Optional none The new password.

set-userdir-modeThis command is deprecated.

See config-userdir.

show-basic-ldap-authShows the LDAP authentication source for use with the BASIC authentication method.show-basic-ldap-auth [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to set the way the server(s) react to configuration changes. Each server periodicallychecks for configuration changes and handles any such changes according to the policy set using thiscommand. Use this command to show the LDAP authentication source(s) for use with the BASICauthentication method. The configuration is stored within the Spotfire LDAP JAAS applicationconfiguration.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

414

TIBCO Spotfire® Server and Environment Installation and Administration

Page 415: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

show-config-historyShows the configuration history.show-config-history [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-h value | --hash-abbrev=value]

Overview

Use this command to show the configuration history. The most recent entry is the current configuration.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-h value--hash-abbrev=value

Optional 7 The number of hexadecimal digits toabbreviate the configuration hash to.Must be a number between 6 and 40.

show-deploymentShows the current deployment.show-deployment [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-a value | --area=value] [-s | --show-ids]

Overview

Use this command to show the current deployment in a given area.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

415

TIBCO Spotfire® Server and Environment Installation and Administration

Page 416: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password inthe file bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-a value--area=value

Optional none The deployment area for which toshow the current deployment. If noarea is specified, the deployment of thedefault area is showed.

-s--show-ids

Optional none Indicates whether the package IDsshould be included in the output. Apackage ID is needed to remove aspecific package using the update-deployment command. For moreinformation, see update-deployment.

show-import-export-directoryShows the library import/export directory.show-import-export-directory [-c value | --configuration=value] [-b value | --bootstrap-config=value]

Overview

Use this command to display the library import/export directory. All library import and exportoperations are done from and to this directory, which can be a local directory or can reside on a shareddisk.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

show-join-databaseShows the configured default join database.show-join-database [-c value | --configuration=value] [-b value | --bootstrap-config=value]

416

TIBCO Spotfire® Server and Environment Installation and Administration

Page 417: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to show the configured default join database, used by Information Services.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configuration file.

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

show-library-permissionsShows permissions set in the library.show-library-permissions [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-l value | --library-path=value> [-r <true|false> | --recursive=<true|false>] [-x <true|false> | --expand-groups=<true|false>] [-d <true|false> | --downward=<true|false>] [-p value | --path-to-report=value] [-f <true|false> | --force-overwrite=<true|false>]

Overview

Use this command to create a report file that shows the permissions in the library.

Permissions are set on directories. if no permission is set, the directory inherits the permissions fromthe directory above.

You can use this command in three different ways:

● It can show if any permissions are set explicitly on a directory.

● It can show what permissions are in effect on a certain directory. If no permissions are set on thedirectory itself, it will continue upwards until it finds the directory from which the permissions areinherited (see recursive option).

● It can be used to report on all directories with permissions explicitly set in a branch of the directory(see the downward option).

The resulting file should be possible to read in Spotfire. It has headers that explain the display in thedifferent columns.

This command may take some time to run. Also, you may need to increase the Java memory allocationto run the command, especially if the users are displayed.

417

TIBCO Spotfire® Server and Environment Installation and Administration

Page 418: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. Can be specified if apassword is given and the ‐‐enable‐config‐tool argument is set to true (the default).

-l value--library-path=value

Required none The path in the library to start to report with(must start with a /).

-r <true|false>--recursive=<true|false>

Optional false If no permission is set on this directory,continue upwards until permissions arefound.

-x <true|false>--expand-groups=<true|false>

Optional false Specifies whether groups are expanded toshow their members.

Members of the Administrator and LibraryAdministrator group can see all content.

When expand-groups is true, theseimplicit rights are also taken into account,and these groups and their members arealso displayed.

-d <true|false>--downward=<true|false>

Optional false Lists permissions on an entire branch of thelibrary, and shows only folders wherepermissions are set explicitly. (This optiontakes precedence over the recursive option.)

-p value--path-to_report=value

Optional none The name of the report file that should begenerated. If not provided, an automaticname is generated.

-f <true|false>--force-overwrite=<true|false>

Optional false If a name for the report file is provided buta file with that name already exists, set thisoption to true to overwrite the existing file.

show-licensesShows licenses set on the server.show-licenses [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-l value | --license=value] [-x <true|false> | --expand-groups=<true|false>][-p value | --path-to_report=value[-f <true|false> | --force-overwrite=<true|false>]

418

TIBCO Spotfire® Server and Environment Installation and Administration

Page 419: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Overview

Use this command to create a report file that shows the licenses set on the server.

You can read the resulting file in Spotfire. The file has headers that explain the contents displayed in thecolumns. The column "From Group" contains the group on which the license is explicitly set. For everygroup that has a license set explicitly, the resulting groups and users (if the expand option is set) areshown once.

Users get the sum of all licenses (and functions). When you analyze the file, note that a user and alicense might occur more than once if the user gets its licenses from more than one group with explicitlicenses set.

This command may take some time to run. Also, you may need to increase the Java memory allocationto run the command, especially if the users are displayed.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. If the tool password isomitted, the command prompts the user forit in the console. See The bootstrap.xml file.

-l value--license=value

Optional none An optional, comma-separated list oflicenses. If provided, the report containsonly these licenses. If an invalid entry isgiven, the valid licenses are displayed.

-x <true|false>--expand-groups=<true|false>

Optional false Specifies whether groups are expanded toshow their members.

Members of the Administrator and LibraryAdministrator group can see all content.

When expand-groups is true, theseimplicit rights are also taken into account,and these groups and their members arealso displayed.

-p value--path-to_report=value

Optional none The name of the report file that should begenerated. If not provided, an automaticname is generated.

-f <true|false>--force-overwrite=<true|false>

Optional false If a name for the report file is provided buta file with that name already exists, set thisoption to true to overwrite the existing file.

419

TIBCO Spotfire® Server and Environment Installation and Administration

Page 420: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

switch-domain-name-styleSwitches the domain names for all users and groups from one style (DNS or NetBIOS) to the other (forall configured domains).switch-domain-name-style [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-n value | --new-domain-name-style=value>

Overview

Use this command to switch the domain names for all existing users and groups from one style (DNS orNetBIOS) to the other (for all configured domains). The new domain name style must first beconfigured using the config-userdir command. Note that this command is only applicable when using auser directory in LDAP mode against Active Directory.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See the Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the file bootstrap.xml.If the tool password is omitted, thecommand prompts the user for it inthe console. See The bootstrap.xmlfile.

-n value--new-domain-name-style=value

Required none The new domain name style. Validvalues are dns and netbios.

test-jaas-configTests a JAAS application configuration.test-jaas-config [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-c value | --configuration=value] <-j value | --jaas-configuration=value> <-u value | --username=value> [-p value | --password=value]

Overview

Use this command to test a JAAS application configuration by performing a login attempt, using thespecified credentials. It can test either a configuration stored in the server database or a configurationstored in an exported configuration file. To test a configuration stored in a configuration file, use the ‐‐configuration argument. Otherwise the configuration stored in the database is tested. If the JAASlogin module requires a connection to the server database, the --configuration argument cannot beused.

420

TIBCO Spotfire® Server and Environment Installation and Administration

Page 421: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configuration file.See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password used todecrypt the database password in the filebootstrap.xml. Can be specified if apassword is given and ‐‐enable‐config‐tool argument is set to true (the default).

-c value--configuration=value

Optional none The path to an exported serverconfiguration file. If this parameter isomitted, the application attempts to retrievethe configuration parameters from theserver database using the filebootstrap.xml, specified by the ‐‐bootstrap argument.

-j value--jaas-configuration=value

Required none The name of the JAAS applicationconfiguration to test.

-u value--username=value

Required none The name of the user to log in as.

-p value--password=value

Optional none The password of the user to log in as. If thepassword is omitted, the command promptsthe user for it.

trust-nodeTrusts a specified node.trust-node [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-k value | --keystore-file=value] <-i value | --id=value>

Overview

Use this command to trust a specified node, after which it will be a part of the collective. To use thiscommand, at least one server in the collective must be running.

421

TIBCO Spotfire® Server and Environment Installation and Administration

Page 422: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See the Thebootstrap.xml file for moreinformation.

k value--keystore-file=value

Optional none The location of the keystorecontaining the certificates usedfor securing internalcommunication.

-i value--id=value

Required none The ID of the node that should betrusted. The list-nodes commandcan be used to find the IDs of allnodes waiting to be trusted.

untrust-nodeUntrusts a specified node.untrust-node [-b value | --bootstrap-config=value] [-t value | --tool-password=value] [-k value | --keystore-file=value] <-i value | --id=value>

Overview

Use this command to untrust a specified node, after which it will no longer be a part of the collective.To use this command, at least one server in the collective must be running.

Options

OptionOptional orRequired Default Value Description

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

422

TIBCO Spotfire® Server and Environment Installation and Administration

Page 423: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired Default Value Description

-t value--tool-password=value

Optional none The configuration tool passwordused to decrypt the databasepassword in the bootstrap.xmlfile. If the tool password isomitted, the command willprompt the end-user for it on theconsole. See The bootstrap.xmlfile for more information.

k value--keystore-file=value

Optional none The location of the keystorecontaining the certificates usedfor securing internalcommunication.

-i value--id=value

Required none The ID of the node that should beuntrusted. The list-nodescommand can be used to find theIDs of all trusted nodes.

update-deploymentUpdates the current deployment.update-deployment [-b value | --bootstrap-config=value] [-t value | --tool-password=value] <-a value | --area=value> [-c | --clear] [-r value | --remove-packages=value] [-v value | --version=value] [-d value | --description=value] [-f | --force-update] [deployment files]

Overview

Use this command to add a new deployment or to update the current deployment in a given area.

Options

OptionOptional orRequired

DefaultValue Description

-b value--bootstrap-config=value

Optional none The path to the bootstrap configurationfile. See The bootstrap.xml file for moreinformation about this file.

-t value--tool-password=value

Optional none The configuration tool password usedto decrypt the database password in thefile bootstrap.xml. If the toolpassword is omitted, the commandprompts the user for it in the console.Refer to The bootstrap.xml file.

-a value--area=value

Required none The deployment area that should beupdated.

423

TIBCO Spotfire® Server and Environment Installation and Administration

Page 424: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-c--clear

Optional none Indicates that all existing packagesshould be removed before any new filesare added. If no files are provided toadd to the deployment, the deploymentarea is empty.

-r value--remove-packages=value

Optional none A comma-separated list of IDs ofpackages that should be removed fromthe deployment. The IDs can bedetermined using the show-deployment command. Should not bespecified together with the --clearargument

-v value--version=value

Optional none The version of the new deployment. Ifno value is given, it is taken from thecurrent deployment, or from the lastadded distribution if one is added.

-d value--description=value

Optional none The description of the newdeployment. If no value is given it istaken from the current deployment, orfrom the last added distribution if oneis added.

-f--force-update

Optional none Indicates that users connecting to theserver should be forced to update theirclients.

[deployment files]

Optional none A comma-separated list of files(packages and distributions) thatshould be added to the deployment.Note that the paths cannot containspaces.

update-ldap-configUpdates LDAP configurations.update-ldap-config [-c value | --configuration=value] [-b value | --bootstrap-config=value] <--id=value> [-t value | --type=value] [-s value | --servers=value] [--clear-context-names] [-n value | --context-names=value] [-u value | --username=value] [-p value | --password=value] [--schedules=value] [--clear-schedules] [--user-search-filter=value] [--user-name-attribute=value] [--authentication-attribute=value] [--security-authentication=value] [--referral-mode=value] [--request-control=value]

424

TIBCO Spotfire® Server and Environment Installation and Administration

Page 425: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

[--page-size=value] [--import-limit=value] [--user-display-name-attribute=value] [--group-display-name-attribute=value] {-Ckey=value}{-Rvalue} {-Svalue}

Overview

Use this command to update LDAP configurations.

Options

OptionOptional orRequired

DefaultValue Description

-c value--configuration=value

Optional configuration.xml

The path to the server configurationfile.

-b value--bootstrap-config=value

Optional none The path to the bootstrapconfiguration file. See Thebootstrap.xml file for moreinformation about this file.

--id=value Required none Specifies the identifier for the LDAPconfiguration to be updated.

425

TIBCO Spotfire® Server and Environment Installation and Administration

Page 426: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-t value--type=value

Optional none The type of LDAP server. Thefollowing names are valid types:

● ActiveDirectory

● SunOne

● SunJavaSystem

● Custom

When you specify any of the first threetypes, a type-specific configurationtemplate is automatically applied inruntime so that the most fundamentalconfiguration options are configuredautomatically.

When you specify a Custom LDAPserver type, there is no suchconfiguration template and all thoseconfiguration options must bespecified explicitly. When a customLDAP configuration is to be used forauthentication or with the userdirectory LDAP provider, the --user-search-filter and --user-name-attribute arguments must bespecified. For such an LDAPconfiguration to be used for groupsynchronization, additionalparameters must also be specifiedwhen running the config-ldap-group-sync command. See the help topic forthat command for more information.

426

TIBCO Spotfire® Server and Environment Installation and Administration

Page 427: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-s value--servers=value

Optional none Specifies a whitespace-separated list ofLDAP server URLs. An LDAP serverURL has the format <protocol>://<server>[:<port>]:

● <protocol>: Either LDAP or LDAPS

● <server>: The fully qualified DNSname of the LDAP server.

● <port>: (Optional) Numberindicating the port number theLDAP service is listening on. Whenusing the LDAP protocol, the portnumber defaults to 389. Whenusing the LDAPS protocol, the portnumber defaults to 636. ActiveDirectory LDAP servers alsoprovide a Global Catalogcontaining forest-wideinformation, instead of domain-wide information only. The GlobalCatalog LDAP service by defaultlistens on port number 3268(LDAP) or 3269 (LDAPS).

Spotfire Server does not expect anysearch base, scope, filter or otheradditional parameters after theport number in the LDAP serverURLs. Such properties are specifiedusing other configuration optionsfor this command.

Examples of LDAP server URLs:

— LDAP://myserver.example.com

— LDAPS://myserver.example.com

— LDAP://myserver.example.com:389

— LDAPS://myserver.example.com:636

— LDAP://myserver.example.com:3268

— LDAPS://myserver.example.com:3269

427

TIBCO Spotfire® Server and Environment Installation and Administration

Page 428: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--clear-context-names

Optional none Clears context names from the LDAPconfiguration. This argument can beused together with the ‐‐context‐names argument to remove all oldcontext names before adding the new.

-n value--context-names=value

Optional none A list of distinguished names (DNs) ofcontainers holding LDAP accounts tobe visible within Spotfire Server.When specifying more than one DN,the DNs must be separated by pipe-characters (|). The specified contextnames are added to the context namesthat are already configured. To set thecontext names from scratch, use the --clear-context-names argument withthe --context-names.

If the specified containers contain alarge number of users, of which only afew should be visible in SpotfireServer, a custom user search filter canbe specified to include only thedesignated users (see the --user-search-filter argument).

Examples:

● CN=users,DC=example,DC=com

● OU=project-x,DC=research,DC=example,DC=com

428

TIBCO Spotfire® Server and Environment Installation and Administration

Page 429: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-u value--username=value

Optional none The name of the LDAP service accountto be used when searching for users(and optionally also groups) in theLDAP server. This service accountdoes not need to have any writepermissions, but it needs to have readpermissions for all configured contextnames (LDAP containers). For mostLDAP servers, the account name is theaccount’s distinguished name (DN).For Active Directory, the account namecan also be specified in the formsntdomain\name andname@dnsdomain.

Examples:

● CN=spotsvc,OU=services,DC=research,DC=example,dc=COM

● RESEARCH\spotsvc (ActiveDirectory only)

[email protected](Active Directory only)

--password=value Optional none The password for the LDAP serviceaccount.

429

TIBCO Spotfire® Server and Environment Installation and Administration

Page 430: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--schedules=value Optional none A comma-separated list of schedulesfor when the LDAP synchronizationshould be performed. The schedulesare given in a cron-compatible format,where each schedule consists of eitherfive fields or one shorthand label.Make sure to enclose the value indouble quotes. The specified schedulesare added to the schedules that arealready configured. To set theschedules from scratch, use the --clear-schedules argument with the--schedules.

The five fields are, from left to right,with their valid ranges: minute (0-59),hour (0-23), day of month (1-31),month (1-12) and day of week (0-7,where both 0 and 7 indicate Sunday).A field can also be configured with thewildcard character *, indicating thatany moment in time matches this field.A group synchronization is triggeredwhen all fields match the current time.If both day of month and day of weekhave non-wildcard values, then onlyone of them has to match.

There are also the following shorthandlabels that can be used instead of thefull cron expressions:

● @yearly or @annually: run once ayear (equivalent to 0 0 1 1 *)

● @monthly: run once a month(equivalent to 0 0 1 * *)

● @weekly: run once a week(equivalent to 0 0 * * 0)

● @daily or @midnight: run once aday (equivalent to 0 0 * * *)

● @hourly: run once an hour(equivalent to 0 * * * *)

● @minutely: run once a minute(equivalent to * * * * *)

● @reboot or @restart: run everytime Spotfire Server is started

Refer to the Wikipedia overviewarticle on the cron scheduler.

430

TIBCO Spotfire® Server and Environment Installation and Administration

Page 431: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--clear-schedules Optional none Clears from the LDAP configurationthe LDAP synchronization schedules.This argument can be used togetherwith the --schedules argument toremove all old schedules beforeadding the new.

431

TIBCO Spotfire® Server and Environment Installation and Administration

Page 432: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--user-search-filter=value

Optional; mustbe specified forcustom LDAPconfigurations,either whenrunning thiscommand orthe create-ldap-config

command.(The parameteris required forall customconfigurations.)

For ActiveDirectoryservers, theparametervaluedefaults toobjectClass

=user.

For anyversion of theSun DirectoryServers, itdefaults toobjectClass

=person.

Specifies an LDAP search expressionfilter to be used when searching forusers.

If only a subset of all the users in thespecified LDAP containers should beallowed access to Spotfire Server, amore detailed user search filter can beused. The search expression can, forexample, be expanded so that it alsoputs restrictions on which groups theusers belong to, or which roles theyhave.

● For Active Directory servers, accesscan be restricted to only thoseusers belonging to a certain groupby using a search expression withthe pattern &(objectClass=user)(memberOf=<groupDN>), where<groupDN> is replaced by the realDN of the group to which the usersmust belong. If the users aredivided among multiple groups,use the pattern&(objectClass=user)(|

(memberOf=<firstDN> )

(memberOf=<secondDN>)). Addextra (memberOf=<groupDN>) sub-expressions as needed.

Active Directory example:&(objectClass=person)

(isMemberOf=cn=project-

x,dc=example,dc=com)

● For a Sun Java System DirectoryServer version 6 and later, the sameeffect can be achieved by using asearch expression with the pattern&(objectClass=person)

(isMemberOf=<groupDN>). If theusers are divided among multiplegroups, use the pattern&(objectClass=person)(|

(isMemberOf=<firstDN>)

(isMemberOf=<secondDN>)). Addextra (isMemberOf=<groupDN>)sub-expressions as needed.

Sun Java System Directory Serverexample: &(objectClass=person)(isMemberOf=cn=project-

x,dc=example,dc=com)

432

TIBCO Spotfire® Server and Environment Installation and Administration

Page 433: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

● For Sun ONE Directory Servers aswell as the newer Sun Java SystemDirectory Servers or the olderiPlanet Directory Server, access canbe restricted to only those usershaving certain specific roles. Thesearch expression for role filteringmust match the pattern&(objectClass=person)

(nsRole=<roleDN>). If multipleroles are of interest, use the pattern&(objectClass=person)(|

(nsRole=<firstDN>)

(nsRole=<secondDN>). Add extra(nsRole=<roleDN>) sub-expressions as needed.

Sun ONE Directory Servers example:&(objectClass=person)

(isMemberOf=cn=project-

x,dc=example,dc=com)

The syntax of LDAP search expressionfilters is specified by the RFC 4515document. Consult thisdocumentation for information aboutmore advanced filters.

--user-name-attribute=value

Optional; mustbe specified forcustom LDAPconfigurations,either whenrunning thiscommand orthe create-ldap-config

command.

For ActiveDirectoryservers thevaluedefaults tosAMAccountName.

For a SunJava SystemDirectoryServer (orany olderSun ONEDirectoryServer oriPlanetDirectoryServer) witha defaultconfiguration, it defaults toUID.

Specifies the name of the LDAPattribute containing the user accountnames.

433

TIBCO Spotfire® Server and Environment Installation and Administration

Page 434: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--authentication-attribute=value

Optional;should be usedonly foradvancedsetups. It is notset by default.

none Specifies the name of the LDAPattribute containing a user identitythat can be used for binding(authenticating) to the LDAP server.This attribute fills no purpose in mostcommon LDAP configurations, butcan be useful in more advancedsetups, where the distinguished name(DN) does not work forauthentication, or where users shouldbe able to log in using a username thatdoes not map directly to an actualLDAP account.

When setting up SASL with DIGEST-MD5 in an Active Directoryenvironment, the DN does not workfor authentication and theuserPrincipalName attribute must beused instead. The --authentication-attribute argument should then beset to userPrincipalName and the --user-name-attribute argumentshould be set to sAMAccountName (thelatter value also happens to be thedefault value for an Active DirectoryLDAP configuration, so there's noneed to set it explicitly). See also the--security-authentication

argument.

When setting up SASL with GSSAPI inan Active Directory environment, theDN does not work for authenticationand the sAMAccountName oruserPrincipalName attribute must beused instead. The --authentication-attribute argument should then beset to sAMAccountName oruserPrincipalName and the --user-name-attribute argument should beset to sAMAccountName (the lattervalue also happens to be the defaultvalue for an Active Directory LDAPconfiguration, so there is no need toset it explicitly). See also the --security-authentication

argument.

Example: By setting the --user-name-attribute argument to cn and the --authentication-attribute

argument to userPrincipalName inan Active Directory environment, the

434

TIBCO Spotfire® Server and Environment Installation and Administration

Page 435: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

users can log in to Spotfire Serverusing their CN attribute values, butunderneath the hood, Spotfire Serveractually uses the userPrincipalNameattribute value of the LDAP accountwith the matching CN for the actualauthentication.

435

TIBCO Spotfire® Server and Environment Installation and Administration

Page 436: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--security-authentication=value

Optional;should be usedonly inadvancedsetups.

The defaultvalue issimple.

This parameter specifies the securitylevel to use when binding to the LDAPserver.

● To enable anonymous binding, itshould be set to none.

● To enable plain username/password authentication, it shouldbe set to simple.

● To enable SASL authentication, itshould be set to the name of theSASL mechanism to be used, forexample DIGEST-MD5 or GSSAPI.Use multiple -C arguments to setthe additional JNDI environmentproperties that the SASLauthentication mechanismtypically requires.

When setting up SASL with DIGEST-MD5 in an Active Directoryenvironment, all accounts must usereversible encryption for theirpasswords. This is typically not thedefault setting for the domaincontroller. The --authentication-attribute argument must also beused to specify the userPrincipalNameattribute for the actual authenticationto work correctly.

When setting up SASL with GSSAPI inan Active Directory environment, the--authentication-attribute

argument must be used to specifyeither the sAMAccountName or theuserPrincipalName attribute and thecustom propertykerberos.login.con‐ text.namemust be mapped to the JAASapplication configurationSpotfireGSSAPI. This in turn requiresa fully working Kerberosconfiguration file at <installationdir>/jdk/jre/lib/security/

krb5.conf.

--referral-mode=value

Optional follow Specifies how LDAP referrals shouldbe handled. Valid arguments arefollow (automatically follow anyreferrals), ignore (ignore referrals),and throw (fail with an error).

436

TIBCO Spotfire® Server and Environment Installation and Administration

Page 437: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--request-control=value

Optional probe Determines the type of LDAP controlsto be used when executing searchqueries to the LDAP server. Thedefault behavior is to probe the LDAPserver for the best supported requestcontrol. The paged results control isalways preferred, because it providesthe most efficient way of retrieving thequery result set. The virtual list viewcontrol can also be used for the samepurpose if the paged results control isnot supported. The virtual list viewcontrol is automatically used togetherwith a sort control. Both the pagedresults control and the virtual list viewcontrol supports a configurable pagesize, set by the --page-sizeargument.

● To explicitly configure the serverfor probing, set the argument valueto probe.

● To configure the server for thepaged results control, set theargument value toPagedResultsControl.

● To request the virtual list viewcontrol, set the argument value toVirtualListViewControl.

● To completely disable requestcontrols, set the argument value tonone.

--page-size=value Optional The page sizevaluedefaults to2000 for boththe pagedresultscontrol andthe virtuallist viewcontrol.

Specifies the page size to be used withthe paged results control or the virtuallist view control when performingsearch queries to the LDAP server

437

TIBCO Spotfire® Server and Environment Installation and Administration

Page 438: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

--import-limit=value

Optional unlimited Specifies a threshold that limits thenumber of users that can be importedfrom an LDAP server to SpotfireServer in one query. This can be usedto prevent accidental flooding of theSpotfire Server user directory whenintegrating with an LDAP server withtens or even hundreds of thousands ofusers. By setting an import limit, theadministrator can be sure that anunexpected high number of users doesnot affect the server performance. Bydefault, there is no import limit. Toexplicitly request unlimited import, setthe parameter value to -1. All positivenumbers are treated as an importlimit. In most cases, it is recommendedto leave this parameter untouched.

--user-display-name-attribute=value

Optional none Specifies the name of the LDAPattribute containing the user displaynames.

--group-display-name-attribute=value

Optional none Specifies the name of the LDAPattribute containing the group displaynames.

-Ckey=value Optional none Specifies additional JNDI environmentproperties to be used when connectingto the LDAP server. Note that it doesnot add to the previously configuredcustom properties; it replaces themcompletely. If you want to keep any ofthe old custom properties, make sureto specify them once again whenadding new ones. This option can bespecified multiple times with differentkeys.

Example: The equivalent of specifyingthe --security-authentication=DIGEST-MD5

argument is -Cjava.naming.security.authentic

ation=DIGEST-MD5 .

Example: Updating the context names

update-ldap-config --id="ldap1"

--context-names="OU=project-

x,DC=research,DC=example,DC=com

|

OU=phbs,DC=management,DC=exampl

e,DC=com"

438

TIBCO Spotfire® Server and Environment Installation and Administration

Page 439: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

OptionOptional orRequired

DefaultValue Description

-Rvalue Optional andmay bespecifiedmultiple timeswith differentvalues.

If thisargument isnot specified,the Javadefaults areused.

Specifies the protocols to be used forLDAPS when connecting to the LDAPserver.

Example: To enable only TLSv1.2-RTLSv1.2

-Svalue Optional andmay bespecifiedmultiple timeswith differentvalues.

If thisargument isnot specified,the Javadefaults areused.

Specifies the cipher suites to be usedfor LDAPS when connecting to theLDAP server.

Example: To enable only these twocipher suites-STLS_DHE_RSA_WITH_AES_128_GCM_SHA256 -STLS_DHE_RSA_WITH_AES_256_GCM_SHA384

versionDisplays the current version of the server.version

Overview

Use this command to display the current version of the server.

Mapping content of old configuration files to new service configurationfiles

The applicable settings in the old Web Player and Automation Services configuration files are nowlocated in the different service configuration files.

Settings in Web.config

Section Service configuration file

<Spotfire.Dxp.Services.Settings> Spotfire.Dxp.Worker.Core.config

<Spotfire.Dxp.Web.Properties.Settings> Spotfire.Dxp.Worker.Host.exe.config

<Spotfire.Dxp.Data.Properties.Settings> Spotfire.Dxp.Worker.Host.exe.config

<Spotfire.Dxp.Data.Access.Adapters.Setti

ngs>

Spotfire.Dxp.Worker.Host.exe.config

<setup> Spotfire.Dxp.Worker.Web.config

<userInterface> Spotfire.Dxp.Worker.Web.config

<performance> Spotfire.Dxp.Worker.Web.config

439

TIBCO Spotfire® Server and Environment Installation and Administration

Page 440: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Settings in Spotfire.Dxp.Launcher.exe.config

Section Service configuration file

<Spotfire.Dxp.Automation> <application> Spotfire.Dxp.Worker.Web.config

<spotfire.dxp.automation.tasks> Spotfire.Dxp.Worker.Automation.config

<appSettings> Spotfire.Dxp.Worker.Automation.config

440

TIBCO Spotfire® Server and Environment Installation and Administration

Page 441: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

Glossary

Deployments & Packages

deployment areaDeployment areas, which are set up by the Spotfire administrator, make it possible to give differentusers access to different versions of the Spotfire client, while still using a single Spotfire Server.

distributionA collection of one or more software packages. The contents of a distribution are distributed to eachend user’s desktop using the deployment mechanism. A distribution is deployed to a deploymentarea. .

Nodes & Services

primary serverIn a clustered server implementation, the primary Spotfire Server is responsible for the tasks thatshould be handled by only one server. These tasks include triggering and routing updates to analyses,and synchronizing external LDAP users and groups.

node managerThe node manager is the networked software agent that is responsible for managing a set of serviceson a specific physical or virtual host. This software makes it possible to execute remote commandsfrom the Spotfire Server.

nodeAll the services and instances that are run by a particular node manager.

serviceAn application that runs on a node manager and provides a particular capability; in the currentversion of Spotfire Server, Spotfire Web Player and Spotfire Automation Services are the availableservices. A service is not available to end users until a service instance is running.

service instanceA specific realization of a service that is available to Spotfire end users. For example, when a useropens an analysis in the Spotfire Web Player, the user is accessing a particular instance of the WebPlayer service. (This distinction is invisible to the user.)

resource poolA set of specific Spotfire Web Player services or service instances (or a single instance) that can be usedin a routing rule to define where a given file should preferably open. For example, a rule can specifythat company VIPs always view analyses in a particular resource pool.

Scheduling & Routing

rulesThere are three types of rules: File, Group, and User.

The Spotfire administrator creates rules to do one of the following:

● Schedule updates to analyses (type of rule = File).

441

TIBCO Spotfire® Server and Environment Installation and Administration

Page 442: TIBCO Spotfire® Server and Environment - Installation and ... · TIBCO Spotfire® Server and Environment Installation and Administration. ... password authentication ... and Environment

● Specify resource pools on which to open analyses that are requested by specific users or membersof specific groups (type of rule = User or Group).

● Specify resource pools on which to open specific analyses (type of rule = File).

scheduled updateA rule that sets a schedule for automatically adding fresh data to an existing analysis. The rule alsoindicates the resource pool on which the analysis should open (Type of rule=File).

routing ruleA rule that specifies the resource pool on which an analysis should preferably open.

Users & Groups

primary groupThe primary group is the group that determines which licenses and settings apply for a user whobelongs to two or more groups.

Miscellaneous

information linkAn information link is a structured request for data. Users can create information links to connect toexternal JDBC databases and thereby access and load data into Spotfire analysis files. Informationlinks and the elements they are created from are stored in the Spotfire database.

licenseLicenses determine which features and functionality a user has access to when working in Spotfire.Administrators set licenses at the group level, using the Administration Manager in Spotfire Analyst.

post-authentication filterThe Spotfire Server filter that can either block all users who try to log in but are not already present inthe user directory, or automatically create a new account in the user directory for any user who logs into the server for the first time. It is also possible to use the Spotfire Server api to create a custom post-authentication filter.

preferencesPreferences are default settings for the way that people work, and the analyses they create.Preferences include a wide range of properties, from which toolbars are visible when the user startsSpotfire to the look of tables in visualizations. Administrators set preferences at the group level, usingthe Administration Manager in Spotfire Analyst.

442

TIBCO Spotfire® Server and Environment Installation and Administration


Recommended