TIBCO Spotfire® Server and Environment Security

Software Release 10.3 or later

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

ANY SOFTWARE ITEM IDENTIFIED AS THIRD PARTY LIBRARY IS AVAILABLE UNDER SEPARATE SOFTWARE LICENSE TERMS AND IS NOT PART OF A TIBCO PRODUCT. AS SUCH, THESE SOFTWARE ITEMS ARE NOT COVERED BY THE TERMS OF YOUR AGREEMENT WITH TIBCO, INCLUDING ANY TERMS CONCERNING SUPPORT, MAINTENANCE, WARRANTIES, AND INDEMNITIES. DOWNLOAD AND USE OF THESE ITEMS IS SOLELY AT YOUR OWN DISCRETION AND SUBJECT TO THE LICENSE TERMS APPLICABLE TO THEM. BY PROCEEDING TO DOWNLOAD, INSTALL OR USE ANY OF THESE ITEMS, YOU ACKNOWLEDGE THE FOREGOING DISTINCTIONS BETWEEN THESE ITEMS AND TIBCO PRODUCTS.

This document is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, the TIBCO logo, the TIBCO O logo, TIBCO Spotfire, TIBCO Spotfire Analyst, TIBCO Spotfire Automation Services, TIBCO Spotfire Server, TIBCO Spotfire Web Player, TIBCO Spotfire Developer, TIBCO Enterprise Message Service, TIBCO Enterprise Runtime for R, TIBCO Enterprise Runtime for R - Server Edition, TERR, TERR Server Edition, TIBCO Hawk, and TIBCO Spotfire Statistics Services are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

This software may be available on multiple operating systems. However, not all operating system platforms for a specific software version are released at the same time. Please see the readme.txt file for the availability of this software version on a specific operating system platform.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.


This and other products of TIBCO Software Inc. may be covered by registered patents. Please refer to TIBCO's Virtual Patent Marking document (https://www.tibco.com/patents) for details.

Copyright © 2019. TIBCO Software Inc. All Rights Reserved.


Contents

TIBCO Documentation and Support Services (page 6)
Environment Overview (page 8)
Ports and Protocols (page 10)
  Ports (page 10)
  Outbound Connections (page 12)
  HTTP Cookies (page 13)
  Node Trust and Back-End HTTPS Communication (page 14)
Authentication and Authorization (page 15)
  Authentication (page 15)
    User Directory Options (page 16)
    APIs and Extension Points (page 17)
    Password Policy and Password Complexity Enforcement (page 18)
  Authorization (page 18)
    Roles (page 18)
    Licenses (page 19)
    Preferences (page 19)
Logging and Monitoring (page 23)
Cryptography (page 24)
  Data At Rest (page 24)
  Data In Motion (page 24)
  Standards and Algorithms (page 25)
  Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services (page 27)
Scripts in Spotfire (page 28)
  Script Trust (page 29)
  Script Types (page 29)
    Python (IronPython) (page 29)
    JavaScript in Text Area (page 30)
    HTML in Text Area (page 30)
    Custom Queries (page 30)
    TERR Data Functions (page 31)
Components (page 32)
  TIBCO Spotfire Server (page 32)
    Spotfire Server Security Configuration and Administration Activities (page 35)
    Changing a Windows Service Account for Spotfire Server (page 37)
    Change a Linux Service Account for Spotfire Server (page 37)
    HTTPS (TLS over HTTP) for Front End Port (page 37)
    Security HTTP Headers (page 38)
      Adding Custom HTTP Headers in the Spotfire Server Configuration (page 38)
  TIBCO Spotfire Node Manager (page 39)
    Node Manager Configuration Tasks (page 41)
  TIBCO Spotfire Connectors (page 41)
    Database Credentials for Connectors (page 41)
  TIBCO Spotfire Web Player (page 42)
    Configuration File Settings for Spotfire Web Player (page 43)
  TIBCO Spotfire Automation Services (page 45)
    Configuration File Settings for Spotfire Automation Services (page 45)
    Client Job Sender (Spotfire Automation Services) (page 47)
  TIBCO Enterprise Runtime for R - Server Edition (page 47)
    Settings and Configuration Tasks for TERR Service (page 48)
      Restrict Network Access for TERR Scripts in Containers (page 49)
      Use a Custom Docker Image for Containerized TERR (page 49)
    Script Security & Restricted Execution Modes (page 49)
      Docker Containerization for TERR Scripts (page 49)
      TERR Restricted Execution Mode (REX) (page 50)
      Impact of Relaxing the TERR Service Security Settings (page 50)
  TIBCO Spotfire Analyst (page 51)


TIBCO Documentation and Support Services

How to Access TIBCO Documentation

Documentation for TIBCO products is available on the TIBCO Product Documentation website, mainly in HTML and PDF formats.

The TIBCO Product Documentation website is updated frequently and is more current than any other documentation included with the product. To access the latest documentation, visit https://docs.tibco.com.

TIBCO Spotfire Documentation

Documentation for Spotfire Server and related products is available on the Spotfire Server Product Documentation page.

The following documents relevant for this product can be found on the Spotfire Server Documentation site:

● TIBCO Spotfire® Server and Environment - Quick Start

● TIBCO Spotfire® Server and Environment - Installation and Administration

● TIBCO Spotfire® Server Release Notes

● TIBCO Spotfire® Business Author and TIBCO Spotfire® Consumer Release Notes

● TIBCO Spotfire® Business Author and Consumer User's Guide

● TIBCO Spotfire® Cobranding Help

● TIBCO Spotfire® Qualification Installation and Configuration Manual

● TIBCO Spotfire® Qualification User's Guide

● Deploying and Using a TIBCO Spotfire® Language Pack

● TIBCO Spotfire® Automation Services User's Guide

● TIBCO Spotfire® Automation Services API Reference

● TIBCO Spotfire® Automation Services REST API Reference

● TIBCO Spotfire® Server Information Services API Reference

● TIBCO Spotfire® Server Library REST API Reference

● TIBCO Spotfire® Server Platform API Reference

● TIBCO Spotfire® Server Web Services API Reference

● TIBCO Spotfire® Server License Agreement

TIBCO Enterprise Runtime for R documentation

You can find the following documents for TIBCO Enterprise Runtime for R in the TIBCO Documentation Library.

● TIBCO® Enterprise Runtime for R Technical Documentation

● Language Reference (HTML)

● Differences Between TIBCO® Enterprise Runtime for R and Open-Source R (HTML)

● Release Notes (PDF)

● License Agreement (PDF)


You can also find links to CRAN package compatibility reports for this release on TIBCO Cloud™ Spotfire®.

TIBCO Enterprise Runtime for R - Server Edition documentation

The following documents for the TIBCO® Enterprise Runtime for R - Server Edition can be found in the TIBCO Documentation website.

● TIBCO® Enterprise Runtime for R - Server Edition Installation and Administration

● TIBCO® Enterprise Runtime for R - Server Edition Release Notes

Release Version Support

Some release versions of TIBCO Spotfire products are designated as long-term support (LTS) versions. LTS versions are typically supported for up to 36 months from release. Defect corrections will typically be delivered in a new release version and as hotfixes or service packs to one or more LTS versions. See also https://docs.tibco.com/pub/spotfire/general/LTS/spotfire_LTS_releases.htm.

How to Contact TIBCO Support

You can contact TIBCO Support in the following ways:

● For an overview of TIBCO Support, visit http://www.tibco.com/services/support.

● For accessing the Support Knowledge Base and getting personalized content about products you are interested in, visit the TIBCO Support portal at https://support.tibco.com.

● For creating a Support case, you must have a valid maintenance or support contract with TIBCO. You also need a user name and password to log in to https://support.tibco.com. If you do not have a user name, you can request one by clicking Register on the website.

System Requirements for Spotfire Products

For information about the system requirements for Spotfire products, visit http://spotfi.re/sr.

How to Join TIBCO Community

TIBCO Community is the official channel for TIBCO customers, partners, and employee subject matter experts to share and access their collective experience. TIBCO Community offers access to Q&A forums, product wikis, and best practices. It also offers access to extensions, adapters, solution accelerators, and tools that extend and enable customers to gain full value from TIBCO products. In addition, users can submit and vote on feature requests from within the TIBCO Ideas Portal. For a free registration, go to https://community.tibco.com.

For quick access to TIBCO Spotfire content, see https://community.tibco.com/products/spotfire.


Environment Overview

Understanding the components, and the communication between the components of the Spotfire environment, is key to understanding how to build a more secure environment.

1. The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect. From a Spotfire Server start page, entities in the Spotfire environment can be configured and monitored.

For more information about the Spotfire Server, see its documentation.

2. Multiple nodes are installed and connected to Spotfire Server. The Spotfire Web Player service, Spotfire Automation Services, and the TERR service are installed on nodes to enable the use of Spotfire web clients, running Spotfire Automation Services jobs, and running TERR data functions and scripts.

For more information about the components installed on nodes, see their help:

● Node manager (installation and configuration in TIBCO Spotfire® Server and Environment Installation and Administration)

● Spotfire® Web Player (service installation and configuration in TIBCO Spotfire® Server and Environment Installation and Administration)

● Spotfire® Automation Services

● TERR™ Server Edition (TERR service)

3. The server is connected to a Spotfire database that contains a user directory and stores analyses and configuration files. For more information, see its documentation.

4. After the node is installed, the node performs a join request to a specific, unencrypted Spotfire Server HTTP port that handles only registration requests. The node remains untrusted until the administrator approves the request by trusting the node. The Spotfire Server start page provides the tools to add nodes to the environment by explicitly trusting them, thereby issuing the certificates. When the node receives its certificate, it can send encrypted communication over the HTTPS/TLS ports, and with this, the node can start to send more than registration requests.

The secured back-end communication is based on certificates. After an administrator has approved the new server or node, the certificates are issued automatically. Without a certificate, a server or a service on a node cannot make requests to, or receive requests from, other entities, except for when requiring a certificate. For more information, see Ports and firewall configuration in TIBCO Spotfire® Server and Environment Installation and Administration.

This diagram shows all of these components, as well as how data flows and network protocols are used in a typical Spotfire environment.


Ports and Protocols

You can use the following ports, connections, and protocols to secure Spotfire.

Ports

Spotfire Server, the node manager, and related services reserve the following ports for various communication tasks.

Public-Facing Client Connection Ports

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Public HTTP port | 80/tcp, if enabled | Non-secure communication with installed clients and web clients. | No |
| Public HTTPS port | 443/tcp, if enabled | Secure communication with installed clients and web clients. | Yes |

The HTTP connector port and the HTTPS connector port are configured independently and are exposed externally for client connection. You can use either of them or, in some cases, both.

Spotfire Server

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Back-end registration port | 9080/tcp | Establishing trust between the Spotfire Server and nodes only. | No |
| Back-end communication port | 9443/tcp | Monitoring secure traffic between nodes. (Spotfire Server monitors secure traffic from services on the nodes.) | Yes |
| First clustering port | 5701/tcp | Secure communication within the environment. This port is the same for all servers in the cluster. | Yes |
| Second clustering port | 5702/tcp | A second clustering port for secure communication within the environment. | Yes |
| JMX RMI port | 1099/tcp, if enabled | If JMX RMI access is enabled, Spotfire Server opens a separate port for this purpose. Might be considered a "public-facing" port. | See config-jmx |

Node Manager

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Registration port | 9080/tcp | Establishing trust between node managers and Spotfire Server. | No |
| Communication port | 9443/tcp | Secure communication within the environment. | Yes |

Services

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Communication port (Spotfire Web Player/Spotfire Automation Services) | 9501/tcp, if the service is installed | Spotfire Web Player and Spotfire Automation Services for secure communication. | Yes |
| Communication port (TERR) | 9502/tcp, if the TERR service is installed | TERR service, for secure communication. | Yes |
| TERR engine ports | 61000/tcp to 63000/tcp, if the TERR service is installed | Host-internal communication between the TERR service and the TERR engines. | No |

The back-end ports need to be exposed only for Spotfire Server connections to services available from the node manager.
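The tables above are an allow-list in prose; the check a practitioner wants is whether a host actually listens on anything else, and whether the plain-text ports (80, 9080, the TERR engine range) are scoped the way the tables intend. The following script is an added example, not TIBCO's code: it parses `ss -ltn`-style output (the sample text is constructed, not captured from a real host, and the column layout is an assumption about that tool's output), compares the listeners with the documented ports for the host's role, and reports unexpected listeners, unencrypted listeners that need firewall scoping, and host-internal ports bound to a non-loopback address. The role tables below are transcribed from the page; `extra_allowed` is an assumed site-specific allow-list for services such as SSH that the tables do not cover.

```python
"""Listener audit for a Spotfire host against the documented port tables.

Added example, not TIBCO's code. It parses `ss -ltn`-style output (sample
text constructed below, not captured from a real host) and compares the
listening sockets against the ports documented for the host's role.
"""
from dataclasses import dataclass

# Documented ports per host role (transcribed from the tables above).
# key: port or (low, high) range; value: (name, encrypted, intended scope).
# encrypted=None means it depends on configuration (config-jmx for 1099).
SPOTFIRE_SERVER_PORTS = {
    80: ("Public HTTP port", False, "public"),
    443: ("Public HTTPS port", True, "public"),
    9080: ("Back-end registration port", False, "back-end"),
    9443: ("Back-end communication port", True, "back-end"),
    5701: ("First clustering port", True, "cluster"),
    5702: ("Second clustering port", True, "cluster"),
    1099: ("JMX RMI port", None, "admin"),
}
NODE_MANAGER_PORTS = {
    9080: ("Registration port", False, "back-end"),
    9443: ("Communication port", True, "back-end"),
    9501: ("Communication port (Web Player/Automation Services)", True, "back-end"),
    9502: ("Communication port (TERR)", True, "back-end"),
    (61000, 63000): ("TERR engine ports", False, "host-internal"),
}
ROLE_TABLES = {"server": SPOTFIRE_SERVER_PORTS, "node": NODE_MANAGER_PORTS}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the layout `ss -ltn` prints (assumed); not real host output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:9080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:9443         0.0.0.0:*
LISTEN  0       128     *:5701               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


@dataclass
class Finding:
    port: int
    local_addr: str
    severity: str  # "unexpected", "plaintext", or "info"
    detail: str


def parse_ss(output):
    """Return (local_addr, port) for each LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            listeners.append((addr, int(port)))
    return listeners


def lookup(table, port):
    """Find the documented entry for a port, honouring port ranges."""
    for key, entry in table.items():
        if isinstance(key, tuple):
            if key[0] <= port <= key[1]:
                return entry
        elif key == port:
            return entry
    return None


def audit(role, listeners, extra_allowed=()):
    """Compare observed listeners with the documented table for `role`.

    `extra_allowed` is a site-specific allow-list (e.g. SSH) so that
    non-Spotfire services do not show up as unexpected.
    """
    table = ROLE_TABLES[role]
    findings = []
    for addr, port in listeners:
        if port in extra_allowed:
            continue
        entry = lookup(table, port)
        if entry is None:
            findings.append(Finding(port, addr, "unexpected",
                                    "not in the documented port table for this role"))
            continue
        name, encrypted, scope = entry
        if scope == "host-internal":
            # Plain-text by design, acceptable only on a loopback address.
            if addr not in LOOPBACK:
                findings.append(Finding(port, addr, "plaintext",
                                        f"{name} bound to {addr}; documented as host-internal only"))
            continue
        if encrypted is False:
            findings.append(Finding(port, addr, "plaintext",
                                    f"{name} is unencrypted; limit sources to the {scope} scope"))
        elif encrypted is None:
            findings.append(Finding(port, addr, "info",
                                    f"{name}: encryption depends on config-jmx"))
    return findings


if __name__ == "__main__":
    for f in audit("server", parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{f.severity:10} {f.local_addr}:{f.port}  {f.detail}")
```

Run it with `ss -ltn | python3 audit.py`-style piping after swapping the constructed sample for `sys.stdin.read()`; on the sample above the server-role audit reports port 22 as unexpected (until it is put on the site allow-list) and 9080 as a plain-text registration port that should reach only the node network.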


Outbound Connections

The following outbound connections might differ from your deployed system, because connections depend on the configuration of the particular environment. For example, the Spotfire Server creates LDAP connections only if the system is configured to use LDAP.

Spotfire Server

| Type of connection | Default | Function | Secure/Encrypted |
|---|---|---|---|
| Database communication | Oracle database: 1521; SQL Server: 1433 | The Spotfire database server monitors this port. | If configured |
| LDAP | LDAP over TLS: 389; LDAPS: 636 | An optional number that indicates the TCP port that the LDAP service is monitoring. | If configured |
| LDAP > Global Catalog | LDAP: 3268; LDAPS: 3269 | Active Directory LDAP servers also provide a Global Catalog that contains forest-wide information, instead of domain-wide information only. | If configured |
| TIBCO Enterprise Message Service (EMS) | Non-secure connection: 7222; Secure connection: 7243 | This service can be used to trigger scheduled updates. EMS monitors this port. | If configured |
| Kerberos/GSSAPI | Fixed port 88 on the Active Directory domain controllers | Used by the Kerberos authentication method, as well as when authenticating to an LDAP server using the GSSAPI method. | Yes |
| Microsoft Net Logon, SMB, and CIFS | Fixed port 445 on the Active Directory domain controllers | Used by the NTLM v2 authentication method. | Yes |
| Open ID Connect providers | 443 | Used by the web authentication method. | Yes |
| Data sources (Information Services) | Oracle database: 1521; SQL Server: 1433; Netezza: 5480; otherwise, varies. | JDBC-compliant data sources and other services used by Information Services monitor these ports. | Varies |


Node manager/Services

| Type of connection | Default | Function | Secure/Encrypted |
|---|---|---|---|
| Spotfire® Web Player & Spotfire® Automation Services > Map/tiles server connections | The default map layer uses https://geoanalytics.tibco.com/ | The map chart downloads map tiles and other information from external servers. | Yes |
| Spotfire Web Player & Spotfire Automation Services > SMTP | 25, 2525, or 587; Secure SMTP: 465, 25, or 587 | Used by Spotfire Automation Services for sending e-mails. | Secure if configured |
| Spotfire Web Player & Spotfire Automation Services > Data sources (Connectors) | Varies | For information on available connectors, see "List of Connectors in this Version" in the Spotfire Analyst User's Guide. Data connectors listen to these ports. | Varies |

HTTP Cookies

Spotfire Server can set the following HTTP cookies on Spotfire Analyst clients that connect over the public HTTP port (default 80/443).

The Secure attribute is set only if the connection is HTTPS, not HTTP. To protect against cross-site request forgery (CSRF) attacks, Spotfire does not rely on using the SameSite attribute on cookies.

HTTP Cookies Spotfire Server can set for public HTTP port connections from Spotfire Analyst clients

| Name | Description | Comment |
|---|---|---|
| JSESSIONID | Session cookie for Spotfire Server. | HttpOnly attribute is set. |
| SF_REMEMBER_ME | Cookies used for the persistent sessions ("remember me") feature. | HttpOnly attribute is set. See config-persistent-sessions. |
| XSRF-TOKEN | Holds CSRF token. | HttpOnly is not set. A cookie that holds a CSRF token is passed to JavaScript using a cookie value. This behavior is intended. |
| zoneCheck | Cookie the JavaScript API uses for identifying browser incompatibilities with Spotfire. | HttpOnly is not set. It is not needed, because it is used by client-side JavaScript code and does not contain sensitive information. |
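The table states which attributes each cookie should carry, which makes it a natural baseline for a response-header check after a configuration change or a reverse-proxy deployment. The script below is an added example, not TIBCO's code: it parses `Set-Cookie` values and applies the documented rules (HttpOnly required on JSESSIONID and SF_REMEMBER_ME, intentionally absent on XSRF-TOKEN and zoneCheck, Secure expected on every cookie over HTTPS). The header strings are constructed samples with made-up values, not captured Spotfire traffic, and any cookie name outside the table is reported for review rather than judged.

```python
"""Check Set-Cookie headers against the Spotfire cookie table above.

Added example, not TIBCO's code. The header strings are constructed samples
with made-up values, not captured traffic.
"""

# Documented expectation per cookie name (from the table above):
# True  = HttpOnly must be set; False = intentionally readable from JavaScript.
EXPECTED_HTTPONLY = {
    "JSESSIONID": True,
    "SF_REMEMBER_ME": True,
    "XSRF-TOKEN": False,   # CSRF token is handed to client-side JavaScript on purpose
    "zoneCheck": False,    # used by client-side JavaScript; no sensitive content
}

# Constructed HTTPS sample: every cookie except zoneCheck carries Secure,
# so the audit should report exactly that one omission.
SAMPLE_HTTPS_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/spotfire; Secure; HttpOnly",
    "SF_REMEMBER_ME=cafef00d; Path=/spotfire; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Secure; HttpOnly",
    "XSRF-TOKEN=abc123; Path=/spotfire; Secure",
    "zoneCheck=1; Path=/",
]

# Constructed weak variant over plain HTTP: the session cookie lacks HttpOnly.
SAMPLE_WEAK_HTTP_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/spotfire",
    "XSRF-TOKEN=abc123; Path=/spotfire",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes).

    Attribute names are lower-cased; valueless attributes such as HttpOnly
    and Secure map to True so callers can test membership.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, over_https):
    """Return (cookie name, problem) pairs for headers that miss the documented attributes."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in EXPECTED_HTTPONLY:
            findings.append((name, "cookie not in the documented table; review its purpose"))
            continue
        if EXPECTED_HTTPONLY[name] and "httponly" not in attrs:
            findings.append((name, "HttpOnly missing"))
        # Secure is documented as set whenever the connection is HTTPS.
        if over_https and "secure" not in attrs:
            findings.append((name, "Secure missing on an HTTPS connection"))
    return findings


if __name__ == "__main__":
    print(audit_cookies(SAMPLE_HTTPS_HEADERS, over_https=True))
    print(audit_cookies(SAMPLE_WEAK_HTTP_HEADERS, over_https=False))
```

Feed it the `Set-Cookie` values from a real response (for example, collected with `curl -sI` and split on the header name) and set `over_https` according to the connector that answered; a missing `Secure` on an HTTPS answer is usually a sign that a proxy in front of the server is terminating TLS and re-issuing the cookies, which the page's note on the Secure attribute does not cover.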


Node Trust and Back-End HTTPS Communication

Node managers and Spotfire Server use encrypted HTTPS for communication. All endpoints are authenticated using either server or client certificates issued by the Spotfire Server root certificate, which acts as a certificate authority for a particular Spotfire environment.

Neither the Spotfire Server nor the client certificates used by the various components of the system are self-signed. They are all signed by the certificate authority that is part of the Spotfire Server. Each Spotfire Server installation generates its own unique root certificate. You cannot provide your own.

The node manager and Spotfire Server registration ports (9080/tcp) are used to establish the trust. These ports use plain HTTP and are used only when new nodes are added to the cluster. After trust is established, any further communication is done over a secured HTTPS connection using the communication port (9443/tcp). For a node to become trusted, a member with the role of Spotfire administrator must manually trust the node, enabling the Spotfire Server certificate authority to issue server and client certificates to it. If a node is untrusted by an administrator through the web administration interface, the Online Certificate Status Protocol (OCSP) is used to communicate that the certificate for the untrusted node has been revoked.

Node managers running a Spotfire service or Spotfire Automation Services install the three certificates into the Windows certificate store under the machine level.


Authentication and Authorization

The following image provides an overview of the available authentication and authorization options for Spotfire.

You can implement other methods using APIs.

Generally, authentication and authorization occur in the following sequence, as shown in the illustration.

1. Authentication established: determined by one of the configurations shown in the left panel of the illustration.

2. User directory authorization.

3. Groups and roles authorization.

4. Licenses authorization.

5. Preferences authorization.

Authentication

Spotfire provides several standard authentication methods, as well as custom authentication using APIs.

Authentication method | Description
--- | ---
User name and password | The default method. User name and password specifies authentication using HTML forms (POST - application/x-www-form-urlencoded) or BASIC access authentication. The credentials are checked against the Spotfire database or another external authentication source (such as LDAP, Windows NT Domain, or Custom JAAS). See External directories and domains and User name and password authentication methods.
Two-factor | You can combine the chosen primary authentication method with X.509 client certificates. See Two-factor authentication.
NTLMv2 | Note that NTLMv1 is not supported. See NTLM authentication.
Kerberos | See Kerberos authentication.
Anonymous | If enabled, limited access to view Spotfire files is allowed for unauthenticated sessions. See Configuring anonymous authentication.
X.509 client certificates¹ | Spotfire Server requires the client to provide a valid X.509 certificate. Requires HTTPS. See Authentication using X.509 client certificates.
OpenID Connect | Goes under the label "Web Authentication" in Spotfire. Provides integration with external authentication providers that support OpenID Connect. See Configuring OpenID Connect.
External authentication | See APIs and extension points.
Custom Web Authentication | See APIs and extension points.
Custom Authentication | See APIs and extension points.

User Directory Options

Spotfire features the following user directory sources for authentication.

User directory source | Description
--- | ---
Spotfire database | Users are stored in a database and managed using the Spotfire administrative tools.
Windows NT | Legacy. Users are managed in a Windows NT domain. This option does not apply to Linux installations.
LDAP | Users (and groups, optionally) are managed in an LDAP server (such as Active Directory) and are synchronized with the Spotfire database.

¹ Combining X.509 client certificates with another authentication method such as user name and password provides a type of two-factor authentication.


APIs and Extension Points

To create a custom authentication experience for your Spotfire users, you can use one of the following types of APIs or extension points.

Type | Description
--- | ---
Post-authentication filter | Use a Java class to implement the com.spotfire.server.security.PostAuthenticationFilter interface, perform additional checks, or create automation steps to perform after completing authentication but before logging the user in. See TIBCO Spotfire Server latest Platform API for more information.
Custom JAAS module | Customize a user name and password authentication method with a JAAS module, which is implemented using the com.spotfire.server.jaas API. For example, instead of checking the end-user credentials against the Spotfire database or LDAP, you can implement a custom login. See TIBCO Spotfire Server Platform API for more information.
External authentication | Use external authentication to provide custom authentication flows where the user's identity can be derived from the incoming HTTP request (for example, using a cookie or a header). External authentication should be combined with a (reverse) proxy or a Java class (Custom Web Authentication) that implements the logic that the custom authentication scheme requires.
Custom Web Authentication | Implement custom web-based authentication flows using the com.spotfire.server.security.CustomWebAuthenticator API. A typical use case is to implement an OAuth2-based authentication flow. See TIBCO Spotfire Server Platform API and Configuring custom web authentication.
Custom Authentication | Implement custom authentication by implementing the com.spotfire.server.security.CustomAuthenticator interface. See TIBCO Spotfire Server Platform API.
Custom login page | Create a custom login page for the Spotfire Server to enable a fully customizable look and feel. If the authentication method is based on user name and password, and if additional information must be collected from the user, you can combine a custom login page with a PostAuthenticationFilter and possibly a custom JAAS login module. See Create a custom login page on the TIBCO Community web site.
Authentication Filter API | This feature is deprecated and should no longer be used.

Additional information about custom authentication methods is available on TIBCO Community.

● TIBCO Spotfire Server API for Custom Authentication

● External Authentication in TIBCO Spotfire 7.11 and later versions


Password Policy and Password Complexity Enforcement

Spotfire Server does not have built-in support for password policies.

However, you can implement support by configuring Spotfire for Kerberos, NTLM, OpenID Connect, or User name and Password authentication (together with an LDAP/Active Directory). If the external authentication source enforces a password policy, it also applies to Spotfire.

Authorization

Group assignments can authorize users' permissions with Spotfire Server and should be granted only to users who are fully trusted. The list is only a subset of all available Spotfire groups.

For a full list, see Roles.

Roles

Groups define standard roles for administering and using Spotfire. Each special group enables a set of licenses that correspond to an administrative or user role. To assign a role to a user, just add the user to one of the special groups in the following list.

Group | Description
--- | ---
Administrator¹ | Members of this group can set library permissions, preferences, and licenses, and manage users and memberships on the system. Only users who need administrator privileges on Spotfire Server, including the ability to manage users and groups, should belong to this group.
Library Administrator¹ | Members of this group are granted full permission to the library. It overrides all folder permissions set in the library, granting full control over content. It also includes the permission to import and export library content. Only users and groups that need administrative privileges in the library should belong to this group.
Deployment Administrator¹ | Members of this group have permission to use the Deployments & Packages user interface in the Spotfire Server console. A deployment area is a collection of software packages intended for a specific Spotfire group and client type (Spotfire client, Spotfire Web Player and Spotfire Automation Services) and is used to push hotfixes and other software updates.
Diagnostics Administrator¹ | Members of this group have permission to use the Monitoring & Diagnostics user interface in the Spotfire Server console.
Scheduling and Routing Administrator¹ | Members of this group have permission to use the Scheduling & Routing user interface in the Spotfire Server console to create and manage scheduled updates and routing rules.
Scheduled Updates Users | The account that runs scheduled updates must be a member of this group. By default, the account scheduledupdates@SPOTFIRESYSTEM is a member of this group.
Automation Services Users | Members of this group have permission to execute Spotfire Automation Services jobs on the server, using the Job Builder or the Client Job Sender. By default, the account automationservices@SPOTFIRESYSTEM is a member of this group.
Custom Query Author² | Members of this group have permission to save scripts written in custom query languages as trusted to the library.
Script Author³ | Members of this group have permission to save scripts as trusted to the library. For more information about scripts, see Use of scripts in Spotfire.
Everyone | This group always contains all users in the Spotfire implementation. No users can be removed from this group, but you can set licenses for the group if you want to.
System Account | This group cannot be edited. It contains the system accounts that are used internally in the Spotfire environment.

¹ Members of these groups have almost unrestricted access to the system. Only fully trusted users should be added to any of the administrator groups.

² Provides the ability to create data connections that contain arbitrary and unrestricted query language constructs (typically SQL).

³ Scripts are very powerful. A script author can, but is not limited to, run arbitrary commands on the Web Player server. See Scripts in Spotfire for a description of the different types of scripts in Spotfire and what capabilities they bring.

Licenses

Generally, licenses do not grant further permissions to Spotfire users (as opposed to groups). Rather, licenses provide a way to toggle certain functionality on or off for groups of users in the user interface. This topic discusses the exceptions.

See the TIBCO Spotfire® Administration Manager User's Manual, available on the TIBCO docsite, for more information about licenses.

License name | Description
--- | ---
TIBCO Spotfire Analyst: Create Information Link | Users that have this license can author information links containing arbitrary SQL code.
TIBCO Spotfire Information Modeler: Administration | Users that have this license have permission to modify data sources, joins, and other elements when they are working with information links.

Preferences

Preferences are usually set by administrators. Some preferences can have an impact on security, and these should be set only after considering any possible security impact that setting the preference might have. A non-exhaustive list of such preferences follows.

See the TIBCO Spotfire® Administration Manager User's Manual, available on the TIBCO docsite, for more information about preferences.


Application > Application Preferences

Preference name | Default | Description
--- | --- | ---
Additional File Extensions | .html, .htm | In Spotfire clients, file:// links are passed to Windows, and the default open action for the file type is performed. For example, .html files are opened in the default browser, and .jpg files are opened in the application associated with the .jpg file extension. If extensions such as .bat, .py, or .exe (file types that can contain code) are added as allowed file extensions in Spotfire, opening files from untrustworthy sources can be dangerous.
Additional URI Schemes | Empty | Controls which URI schemes can be used, in addition to http:// and https://.
AllowSharingOfCachedDataBetweenUsers | | Controls whether a user is allowed to select the check box Share cached data between all concurrent users of Spotfire web clients on the Cache Settings tab in the Data Connection Properties dialog box. Setting this preference to False disables the check box control.
Blocked System Types | Empty | Specifies an array of system types that cannot be used when users save or load documents and bookmarks. The purpose of this restriction preference is to provide the administrator a way to block yet-unknown security issues with insecure deserialization of .NET types or classes, as an environment option. Any classes already found to be insecure can be blocked without using this preference. Also see Use Blocked System Types in the Application Preferences topic in the TIBCO Spotfire Administration Manager - User's Guide.
EnableAllowSavingDatabaseCredentials | True | If enabled, users have the option to include embedded credentials for a data source used in the file when saving Spotfire analyses. Embedding credentials is not recommended because anyone with access to the file can read the credentials. By setting this value to False, you can ensure that credentials are not embedded in files by mistake.
Sandbox Attribute for iframe Components | allow-forms allow-popups allow-same-origin allow-scripts | You can restrict the content of iframe components in the application (such as the Web page panel) using the standard sandbox attribute rules. Enter the values that remove the specified sandbox restrictions, as a space-separated list.
Whitelist for Allowed URIs | Empty | You can specify an array of URIs that are allowed to be used in links within Spotfire analyses and also in the "Web Page panel". For security reasons, only trusted sources should be whitelisted. By controlling the whitelist, you can ensure that only approved web servers and other external resources are allowed to interact with analysis files in the Spotfire environment. See Use Whitelist for Allowed URIs in the Application Preferences topic in the TIBCO Spotfire Administration Manager - User's Guide.
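Added example (not Spotfire code): a small model of the link-related preferences in the table above, with a link check and an audit that reports settings which widen what an analysis file can do. The matching rules (prefix match against the whitelist, an empty whitelist enforcing nothing, file:// links judged by extension) and the list of code-bearing extensions are assumptions of this model; the preference names and defaults are those of the table.

```python
"""Model of the link-related Application Preferences above, with an audit function.

Added example, not Spotfire code. The matching rules are assumptions of this model
(prefix match against the whitelist, an empty whitelist enforces nothing, file:// links
are judged by extension); preference names and defaults come from the table above.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from os.path import splitext
from urllib.parse import urlsplit

# Constructed list: extensions whose default Windows "open" action can run code.
CODE_EXTENSIONS = {".bat", ".cmd", ".exe", ".hta", ".js", ".msi", ".ps1", ".py", ".scr", ".vbs"}

# Documented default of "Sandbox Attribute for iframe Components".
DEFAULT_SANDBOX = "allow-forms allow-popups allow-same-origin allow-scripts"
# Commonly supported keywords of the HTML sandbox attribute; anything else is a typo
# that browsers silently ignore.
SANDBOX_KEYWORDS = {
    "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
    "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
    "allow-presentation", "allow-same-origin", "allow-scripts",
    "allow-top-navigation", "allow-top-navigation-by-user-activation",
}


@dataclass
class ApplicationPreferences:
    additional_file_extensions: list[str] = field(default_factory=lambda: [".html", ".htm"])
    additional_uri_schemes: list[str] = field(default_factory=list)
    sandbox_attribute: str = DEFAULT_SANDBOX
    whitelist_for_allowed_uris: list[str] = field(default_factory=list)
    enable_allow_saving_database_credentials: bool = True


def link_allowed(url: str, prefs: ApplicationPreferences) -> tuple[bool, str]:
    """Decide whether a link in an analysis may be followed under these preferences."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        ext = splitext(parts.path)[1].lower()
        if ext in {e.lower() for e in prefs.additional_file_extensions}:
            return True, f"file:// link with allowed extension {ext}"
        return False, f"file:// link with extension {ext or '(none)'} not in Additional File Extensions"
    schemes = {"http", "https"} | {s.lower().rstrip(":/") for s in prefs.additional_uri_schemes}
    if scheme not in schemes:
        return False, f"scheme {scheme!r} not in Additional URI Schemes"
    whitelist = prefs.whitelist_for_allowed_uris
    if whitelist and not any(url.startswith(prefix) for prefix in whitelist):
        return False, "URI not in Whitelist for Allowed URIs"
    return True, "allowed"


def audit_preferences(prefs: ApplicationPreferences) -> list[str]:
    """Report settings that widen what analysis files can do; empty list means nothing to report."""
    findings: list[str] = []
    risky = sorted({e.lower() for e in prefs.additional_file_extensions} & CODE_EXTENSIONS)
    if risky:
        findings.append(f"Additional File Extensions allows code-bearing file types: {', '.join(risky)}")
    tokens = set(prefs.sandbox_attribute.split())
    unknown = sorted(tokens - SANDBOX_KEYWORDS)
    if unknown:
        findings.append(f"Sandbox Attribute has unknown keywords (ignored by browsers): {', '.join(unknown)}")
    extra = sorted((tokens & SANDBOX_KEYWORDS) - set(DEFAULT_SANDBOX.split()))
    if extra:
        findings.append(f"Sandbox Attribute lifts restrictions beyond the default: {', '.join(extra)}")
    if not prefs.whitelist_for_allowed_uris:
        findings.append("Whitelist for Allowed URIs is empty: links are not limited to approved servers")
    if prefs.enable_allow_saving_database_credentials:
        findings.append("EnableAllowSavingDatabaseCredentials is True: credentials can be embedded in analysis files")
    return findings


if __name__ == "__main__":
    for finding in audit_preferences(ApplicationPreferences()):
        print(finding)
```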

TextArea > TextArea Preferences

Preference name | Default | Description
--- | --- | ---
PerformHtmlSanitation | True | HTML sanitization is a whitelist feature that works by allowing only a small subset of HTML in the text area. If disabled, the author or others can create or open analyses that include text areas without HTML sanitation. Setting the preference to False makes the system susceptible to cross-site scripting (XSS) attacks if files from untrustworthy sources are opened.

DataFunctions

Preference name | Default | Description
--- | --- | ---
IgnoreTrustCheck | False | Allows you to switch off the trust checking of data functions so that data functions that are not approved by a member of the Script Author group can execute without prior approval. Introduced in Spotfire 10.3.


MapChart > MapChart Preferences

Preference name | Default | Description
--- | --- | ---
DefaultWebMapServiceListUrl | http://geoanalytics.tibco.com/ | The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire.
DefaultHttpsWebMapServiceListUrl | http://geoanalytics.tibco.com/ | The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire.


Logging and Monitoring

Spotfire provides different logs for monitoring, diagnostics, and accountability purposes.

Type | Description
--- | ---
User Action Logging | See Action logs and system monitoring.
Monitoring & Diagnostics | See Monitoring and diagnostics.
JMX | See Server monitoring using JMX and JMX configuration security features.

Logs can contain personally identifiable information such as IP addresses, e-mail addresses, and user names. Logs do not contain hashed, encrypted, or clear text passwords, session tokens, or authentication/authorization tokens.


Cryptography

Most authentication data and cryptographic keys for user-facing services are configurable by the administrator.

A Spotfire system also uses cryptographic keys to bind together the internal components and services using connections requiring TLS client authentication. These keys are randomly generated by the services when the system is set up; therefore, they are unique to each Spotfire system. They cannot be modified by the purchaser, but the keys can be replaced by new random keys at any time.

Data At Rest

Data at rest is data stored, either temporarily or permanently. Data at rest has certain encryption types, or no encryption, depending on where it is being stored.

● Data in memory on the Spotfire Server, Spotfire Web Player or in the Spotfire Analyst clients is never encrypted.

● Data stored in the Spotfire database is not encrypted, except for especially sensitive data like passwords for service accounts, which are encrypted using AES-128 (Kerberos or LDAPS). User passwords are always hashed (by default, using PBKDF2) and never encrypted.

● Temporary files stored in the attachment manager on the Spotfire Server file system are encrypted. (One exception: the Information Services component's temporary pivot cache is not encrypted.) The default encryption algorithm is AES-128. Other possible options are AES-192 or AES-256. See config-attachment-manager (--encryption-enabled and --encryption-key) for more information.

● Temporary files stored on the Spotfire Web Player file system are not encrypted.

● Temporary files stored on the Spotfire Analyst file system are not encrypted.

● "Save my login information" stores the user's Spotfire login in an encrypted form using Microsoft's ProtectedData API (DPAPI) protected with the user scope.

Data In Motion

Data in motion is data moving through the Spotfire environment. Data in motion has certain encryption protection, depending on how and where it is moving.

● Communication between the Spotfire Server and any backend services, like Spotfire Web Player, is always encrypted using Transport Layer Security (TLS).

● Data that is transported over the HTTP, LDAP, and JMX protocols can be secured by TLS. The TLS protocol version, the encryption algorithm, and the key strength are configurable using standard Java procedures. See Test or Revert changes to Oracle's JDK and JRE Cryptographic Algorithms in the Java documentation for more information. Also see:

— Configuring HTTPS

— Configuring LDAPS

— config-jmx (--tls-enabled, --need-client-auth)

● Communication with the Spotfire database can be secured by either TLS or vendor-specific encryption protocols. See the documentation for your Oracle or MS SQL database for more information about configuring the database server to accept only secured / encrypted connections.

● Communication with databases used as Information Services data sources can also be secured by either TLS or vendor-specific encryption protocols. See the vendor documentation for your database.


Standards and Algorithms

Spotfire provides the following standards and algorithms for encryption.

Purpose | Encryption/Hashing algorithm | Comment
--- | --- | ---
Hashing of user passwords | PBKDF2 | SHA-512, SHA-256 or SHA-1 can be used for password hashes created by older versions of Spotfire Server.
Script trust hashes | SHA-1 and SHA-512 | IronPython scripts, JavaScript, custom queries, TERR scripts, and other data functions are trusted based on hash value.
Encryption of service passwords | AES-128 |
Data transfers | SHA-512, but also supports SHA-256, SHA-1 and MD5 | For error-detection checksums in the Digest/Content-MD5 HTTP headers, as defined by RFC 3230 and RFC 1864.
Temporary data files | AES-128, AES-192 and AES-256 |
Information Link cache | SHA-256 | For calculation of cache keys used for comparison.
Software distribution files ("deployments") | SHA-1 | For error-detection checksums.
Server configurations | SHA-1 | For error-detection checksums.
HTTP over TLS (HTTPS) | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See Java Cryptography Architecture Oracle Providers Documentation.
LDAP over TLS (LDAPS) | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See Java Cryptography Architecture Oracle Providers Documentation.
JMX over TLS | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See Java Cryptography Architecture Oracle Providers Documentation.
JDBC over TLS | The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. | See Java Cryptography Architecture Oracle Providers Documentation.
JDBC using vendor-specific cryptography | The Oracle Database JDBC driver supports the following algorithms. Legacy: RC4-40, RC4-56, RC4-128, RC4-256, DES-40-CBC, DES-56-CBC, 3DES-112 and 3DES-168. Recommended: AES-128, AES-192 and AES-256. | See Java Cryptography Architecture Oracle Providers Documentation.
Kerberos/GSSAPI | Legacy: DES-CRC, DES-MD5, RC4-HMAC and AES-128-CTS-HMAC-SHA1-96. Recommended: AES-256-CTS-HMAC-SHA1-96. | Uses the built-in Java support for the Kerberos and GSS-API protocols. See Java Cryptography Architecture Oracle Providers Documentation.
NTLM v2 | According to the protocol specification. |
Backend certificates | Asymmetric keys: automatically generated 2048-bit RSA keys (configurable for certificates representing TSS instances, but not configurable for other components). Signature algorithm: SHA256withRSA (configurable). Keystore: PKCS12. |
Backend HTTP over TLS (HTTPS) | The TLS cipher suite is chosen from the following set: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_AES_CBC_128_SHA256, TLS_AES_CBC_256_SHA256. The TLS protocol is chosen from the following set: TLSv1.2, TLSv1.1, TLSv1. | The node manager does not support ECDHE cipher suites, so they cannot be used for communication involving a node manager. As long as TLSv1.2 is enabled on the machine running Spotfire Web Player, the only protocol and cipher suite used is TLSv1.2 with TLS_RSA_WITH_AES_256_CBC_SHA256.


Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services

The applications in the Spotfire environment use the following encryption.

Purpose | Encryption/Hashing algorithm | Comment / References
--- | --- | ---
Digital signatures and encryption of sensitive data and credentials | Strength and algorithm dependent on Windows version and Windows configuration | The Microsoft ProtectedData API (DPAPI). See: ProtectedData.Protect Method; Windows Data Protection; Data Protection API (Wikipedia).
Hash calculation (not for security purposes) | SHA-1 (160 bit) | Microsoft's SHA1CryptoServiceProvider. See: SHA1CryptoServiceProvider Class.
Script trust hashes | SHA-1 and SHA-512 | IronPython, JavaScript, Python, custom queries, TERR scripts, and other data functions are trusted based on hash value.
Hash calculation (for security purposes) | SHA-256 | The Microsoft SHA256CryptoServiceProvider. See: SHA256CryptoServiceProvider Class.
Hash calculation (for security purposes) | SHA-512 | The Microsoft SHA512CryptoServiceProvider. See: SHA512CryptoServiceProvider Class.
Encryption of data that crosses computer boundaries | AES-256 | The Microsoft EncryptedXml.Encrypt API. See: Encrypt(XmlElement, X509Certificate2).


Scripts in Spotfire

Spotfire supports a number of execution environments for several programming languages: JavaScript, R (TERR) scripts, Python (IronPython for .NET), and custom queries (different database query languages). In addition, a limited subset of HTML is available in text areas of Spotfire files.

This diagram demonstrates the following.

● Local execution of Python (IronPython) from Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services.

● Local TERR script execution by Spotfire Analyst.

● Remote TERR script execution on TIBCO Spotfire® Statistics Services on behalf of Spotfire Analyst.

● Remote TERR script execution on the TERR service, on behalf of Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services.

● JavaScript execution on Spotfire Analyst and in a web browser (file opened in Spotfire Web Player).

Not pictured: Spotfire Web Player and Spotfire Automation Services execute a data function on Spotfire® Statistics Services.

Spotfire Statistics Services can support one of many different types of scripts, but it is not described further in this document. Use the TERR service instead of Spotfire Statistics Services to run TERR data functions from Spotfire Web Player and Spotfire Automation Services.


Script Trust

Only members of the Script Author group can save Spotfire files with scripts that are marked as trusted.

A file containing a trusted script is automatically executed when needed without first asking for end user consent. If the script is not trusted, the user is prompted to approve and manually trust the script before execution, to prevent potentially harmful scripts from running.

Because the Spotfire Server tells a Spotfire client which scripts are trusted and which are not, a Spotfire client must not connect to unknown servers that the user does not trust. For this reason, the following pop-up is displayed if the user tries to connect to a server that has not been manually added to the list of known servers.

If the user does not trust the administrator of the Spotfire Server, then the user should click No. To limit the exposure of the infrastructure to TERR scripts, you can configure the TERR service to run TERR data functions in a Docker container on Linux, or you can run TERR scripts in restricted execution mode.
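Added illustration of the hash-based trust model described above (not Spotfire's implementation): a registry that only lets Script Author members mark a script as trusted, matches scripts by SHA-512 or SHA-1 hash as the Standards and Algorithms table lists, and treats any edited script as untrusted so that the user is prompted. It assumes the hash is taken over the UTF-8 bytes of the script text and that each entry records its digest algorithm; the sample script is constructed.

```python
"""Hash-based script trust (added illustration, not Spotfire's implementation).

Assumptions of this model: the trust hash is computed over the UTF-8 bytes of the script
text, and each trust entry records the digest algorithm it was created with, so that
entries created with SHA-1 by older versions can still be matched but are reported as legacy.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SCRIPT_AUTHOR_GROUP = "Script Author"
TRUST_ALGORITHMS = ("sha512", "sha1")  # the two digests the documentation lists, strongest first


@dataclass(frozen=True)
class TrustEntry:
    algorithm: str
    digest: str
    author: str


@dataclass
class TrustDecision:
    trusted: bool
    algorithm: str | None = None
    legacy: bool = False  # True when the match came from a SHA-1 entry


def script_hash(script: str, algorithm: str) -> str:
    return hashlib.new(algorithm, script.encode("utf-8")).hexdigest()


class ScriptTrustRegistry:
    """Server-side list of trusted script hashes; clients consult it before running a script."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], TrustEntry] = {}

    def mark_trusted(self, script: str, author: str, author_groups: set[str],
                     algorithm: str = "sha512") -> TrustEntry:
        """Only Script Author members may mark a script as trusted (the authorization check)."""
        if SCRIPT_AUTHOR_GROUP not in author_groups:
            raise PermissionError(f"{author} is not a member of the {SCRIPT_AUTHOR_GROUP} group")
        if algorithm not in TRUST_ALGORITHMS:
            raise ValueError(f"trust hashes use one of {TRUST_ALGORITHMS}")
        entry = TrustEntry(algorithm, script_hash(script, algorithm), author)
        self._entries[(algorithm, entry.digest)] = entry
        return entry

    def check(self, script: str) -> TrustDecision:
        """Any change to the script text changes its hash, so an edited script is untrusted."""
        for algorithm in TRUST_ALGORITHMS:
            if (algorithm, script_hash(script, algorithm)) in self._entries:
                return TrustDecision(True, algorithm, legacy=(algorithm == "sha1"))
        return TrustDecision(False)

    def requires_consent(self, script: str) -> bool:
        """Untrusted scripts must be approved by the end user before they run."""
        return not self.check(script).trusted


if __name__ == "__main__":
    registry = ScriptTrustRegistry()
    sample = "print('constructed sample script')\n"  # constructed, not a real Spotfire script
    registry.mark_trusted(sample, "alice", {"Everyone", SCRIPT_AUTHOR_GROUP})
    print(registry.check(sample))
    print(registry.requires_consent(sample + "import os\n"))  # True: the edit changed the hash
```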

Script Types

If the correct trust is in place, you can run any of these script types in Spotfire.

Python (IronPython)

Python scripts can access the capabilities available in the Spotfire Analyst API, and also other APIs provided by the Windows operating system. These capabilities include running arbitrary commands; therefore, strict control must be exercised over which users are allowed to author and mark scripts as trusted in the library (such as members of the Script Author group).

Component | Description
--- | ---
Authorization | Members of the Script Author group can mark scripts as trusted to be executed by others.
Execution context | ● The script is executed on the computer that opens the file, which can be the computer running Spotfire Web Player, the Spotfire Analyst client or Spotfire Automation Services, depending on where the file is opened. ● The script is executed with the privileges of the user who is currently logged in, or of the service account under which the service is set to run. In some cases where Kerberos with delegation is configured, the script executes in the end user's context.


JavaScript in Text Area

To customize parts of the application in ways that cannot be done using sanitized HTML in the Spotfire text area, you can add snippets of JavaScript.

Component | Description
--- | ---
Authorization | Members of the Script Author group mark scripts as trusted for execution by others.
Execution context | JavaScript runs in a web browser that does not have direct access to the operating system API. It can use a subset of the functions provided by the Spotfire application for the user who is currently logged in. If a user opens a file containing trusted JavaScript on the Spotfire Web Player, then the script can access anything the user has permission to access in the domain running the Spotfire Server (according to a security policy in browsers referred to as the same origin policy). For this reason, only trusted users should be members of the Script Author group.

HTML in Text Area

A subset of HTML is allowed in the text area visualization.

Component | Description
--- | ---
Authorization | By default, arbitrary HTML is not allowed in Spotfire because it would enable running JavaScript in the text area. The preference PerformHtmlSanitation can be set to False, which allows creating and viewing any HTML. Setting this preference to False is not recommended, because doing so allows any user to create a file with JavaScript code, bypassing all script trust mechanisms. See Supported HTML in the Text Area.
Execution context | If PerformHtmlSanitation is set to False, then HTML or JavaScript runs in a web browser that does not have direct access to the operating system API. It can use a subset of the functions provided by the Spotfire application for the user who is currently logged in. If a user opens a file containing trusted JavaScript on the Spotfire Web Player, then the script can access anything the user has permission to access in the domain running the Spotfire Server (according to a security policy in browsers referred to as the same origin policy). For this reason, only trusted users should be members of the Script Author group.

Custom Queries

A normal query (not custom) issued by a Spotfire data connection can use only allowed constructs (for example SELECT column FROM table) in a way that is tightly controlled by the Spotfire connector. A data connection with a custom query does not limit the types of language constructs that are allowed, and enables the use of any language construct (for example INSERT, UPDATE, CREATE), as well as other functions specific to the data source.


Authorization:
● Only users that are members of the Custom Query Author group can create custom queries to be trusted by other users.
● The database server normally allows only connections that are authenticated and authorized. Spotfire must provide the connection with credentials to the database server.

Execution context:
● A custom query is executed on the database server and is initiated from Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services.
● The query runs with the permissions that the database server assigns to the currently authenticated user.

TERR Data Functions
TERR is an implementation of the R programming language that provides restricted and unrestricted execution environments. TERR data functions running in unrestricted mode have access to the operating system and can run arbitrary commands.

Authorization:
● Members of the Script Author group can save data functions as trusted, to be executed in unrestricted mode for other users.
● Spotfire Statistics Services can be configured to require authentication. It runs as a separate product.
● The TERR service runs in a node manager and is called through the Spotfire Server acting as a reverse proxy. It requires an authenticated Spotfire session.

Execution context: A TERR data function runs locally or remotely. Local execution takes place on the Spotfire client itself. Remote execution is when a TERR data function is sent from a Spotfire client, the Spotfire Web Player service, or the Spotfire Automation Services service to a TIBCO Spotfire Statistics Services service (a stand-alone product) or to the TERR service (which runs on a node manager).


Components

The Spotfire environment is composed of servers, services, applications, and tools that communicate and interact to produce visualizations and dashboards that can be shared through a web browser and exported to different formats.

Securing communication between the components of the Spotfire environment requires planning and an understanding of each component. This section provides information about each component, its authentication protocols, and how it executes requests.

TIBCO Spotfire Server
The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect.

These tables provide reference for the security considerations for the Spotfire Server.

Service account: By default, the service is installed to run as root (on Linux) or NT AUTHORITY\System (on Windows). See Changing a Windows Service Account for Spotfire Server and Change a Linux Service Account for Spotfire Server for running it under a less privileged account.

Ports and protocols: External communication port:
● HTTP over 80/tcp
● HTTPS over 443/tcp, if enabled

Logs: <spotfire server root>/tomcat/logs. See Spotfire server logs.

A non-exhaustive inventory of data that may contain credentials and other sensitive information:

Type: Spotfire library exports
(Default) location: <spotfire server root>/tomcat/application-data/library/
Comments: Default library export path. Can contain old exports or backups of library content.

Type: Spotfire server logs
(Default) location: <spotfire server root>/tomcat/logs
Comments: See Logging and monitoring.

Type: Spotfire temporary attachments
(Default) location: <spotfire server root>/tomcat/temp/AttachmentManager
Comments: Encrypted attachments. Temporary storage for data uploaded to and downloaded from the server by Spotfire clients.

Type: Encrypted Spotfire database password for Spotfire Server
(Default) location: <spotfire server root>/tomcat/webapps/spotfire/WEB-INF/bootstrap.xml
Comments: Used by the Spotfire Server during startup to connect to the database.

Type: Spotfire library data
(Default) location: External library storage location (S3 or local file system), or the Spotfire database.
Comments: External storage is only used if enabled. The default setting is to store library data in the Spotfire database.


Type: HTTPS keystore password
(Default) location: <spotfire server root>/tomcat/conf/server.xml
Comments: If HTTPS is enabled, server.xml contains the password to the keystore (PKCS12 or JKS) that holds the private key and certificate required to create the HTTPS listener.

Type: Keystore for HTTPS certificates
(Default) location: <spotfire server root>/tomcat/certs
Comments: PKCS12 (.pfx) or Java keystore (.jks) with the private keys needed for the HTTPS configuration.

Type: Password hashes for end users
(Default) location: Spotfire database
Comments: Users' password hashes, needed when the Spotfire database is used as the authentication source. The default algorithm since Spotfire Server 7.5 is PBKDF2 (using HmacSHA512), 100000 iterations, 32 bytes of salt. Older algorithms are still supported for upgraded systems: from version 3.3 to 7.5, SHA-512 with 2323 iterations and 16 bytes of salt; in 3.0 to 3.2, SHA-1 with one iteration. Because the older formats are still accepted after an upgrade, accounts created before 7.5 may remain protected only by the weaker hash until their password is changed.

Type: Encryption password
(Default) location: <spotfire server root>/tomcat/webapps/spotfire/WEB-INF/bootstrap.xml
Comments: The password is stored encrypted using AES-128 symmetric encryption with a static secret key. The password is used to encrypt the service account passwords stored in the Spotfire database. See config-encryption. If not set, a static password is used, which gives no site-specific protection for those service account passwords; set one.


Type: Service account passwords
(Default) location: Spotfire database and configuration.xml
Comments: Passwords for service accounts for services such as the LDAP configuration, S3 configuration, OpenID Connect, and the Action Log database are encrypted with AES-128 using the encryption password as the secret key. configuration.xml is an exported copy of the effective configuration that resides in the Spotfire database. The file can safely be removed from the file system after the Spotfire configuration in the database has been changed.

Type: Information services data source credentials
(Default) location: Spotfire database
Comments: Credentials for data sources used by information services (created using the Spotfire Analyst > Information Designer tool) are encrypted with AES-128 using the encryption password as the secret key.

Type: Hashed passwords for JMX users
(Default) location: Spotfire database
Comments: If JMX is used, the JMX users' credentials are stored in the Spotfire database.

Type: Kerberos keytab
(Default) location: <spotfire server root>/Spotfire.keytab
Comments: Used if Spotfire is configured for Kerberos authentication. The keytab contains the service principal's long-term keys; anyone who can read the file can authenticate to remote systems as that principal, so restrict read access to the service account.

Type: Spotfire Server backend trust keystore
(Default) location: <spotfire server root>/nm/trust/keystore.p12
Comments: Keystore needed for the TLS-encrypted back-end trust communication. The keystore is locked with a static password, so file system permissions are what protect it.


Type: Passwords embedded in Spotfire files
(Default) location: Spotfire database (library)
Comments: The Spotfire database may contain Spotfire files (.dxp) with embedded credentials to data sources. These passwords are not encrypted, because the password must be made available to the end users who access the file. We do not recommend embedding credentials in the file. The preference EnableAllowSavingDatabaseCredentials can be used to disable the option to embed credentials in Spotfire files.

Type: Library exports
(Default) location: <spotfire server root>/tomcat/application-data/library
Comments: Can contain zip files with exported library content. Data source passwords for information services data sources are not included in library exports. However, Spotfire analysis files (.dxp) in the exported zip can contain embedded passwords.

Type: Database installation scripts
(Default) location: No default location; wherever they were run from.
Comments: Database installation scripts contain credentials and connection information for the Spotfire Server database when they are run. These files contain sensitive information and should be deleted when no longer needed, or stored in a safe location.

Type: OAuth2 API client credentials
Comments: The credentials are stored encrypted.
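Password hashing with the parameters the inventory above gives for Spotfire Server 7.5 and later (PBKDF2 with HmacSHA512, 100000 iterations, 32 bytes of salt), together with a check that flags records still carrying the pre-7.5 parameters. This is an added example and not Spotfire's code or its storage format: the record layout (a dict of alg, prf, iterations, salt, hash) and the 64-byte derived-key length are assumptions made here for illustration.

```python
"""PBKDF2-HMAC-SHA512 password records with the 7.5+ parameters, plus a
needs_rehash() check for records hashed with the older, weaker settings.

Added example; the record layout and DKLEN are this example's assumptions,
not Spotfire's actual database format.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2"
PRF = "sha512"          # HMAC-SHA512 as the PBKDF2 pseudo-random function
ITERATIONS = 100_000    # work factor stated for Spotfire Server 7.5 and later
SALT_BYTES = 32         # per-user random salt length stated for 7.5 and later
DKLEN = 64              # assumption: keep the full HMAC-SHA512 output


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a fresh record for `password`; a random salt is drawn unless given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DKLEN)
    return {"alg": ALGORITHM, "prf": PRF, "iterations": iterations,
            "salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    if record["alg"] != ALGORITHM:
        return False  # pre-7.5 formats need their own verifier; never guess one
    candidate = hashlib.pbkdf2_hmac(record["prf"], password.encode("utf-8"),
                                    record["salt"], record["iterations"],
                                    len(record["hash"]))
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: dict) -> bool:
    """True when a stored record is weaker than the current default (legacy
    algorithm, fewer iterations or a shorter salt), so the application can
    re-hash it the next time the user authenticates with the password."""
    return (record["alg"] != ALGORITHM
            or record["prf"] != PRF
            or record["iterations"] < ITERATIONS
            or len(record["salt"]) < SALT_BYTES)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", rec))
    # Constructed record with the pre-7.5 parameters from the table; the
    # bytes are placeholders, since the legacy layout is not shown above.
    legacy = {"alg": "sha512", "prf": "sha512", "iterations": 2323,
              "salt": b"\x00" * 16, "hash": b"\x00" * 64}
    print("legacy needs rehash:", needs_rehash(legacy))
```

Run needs_rehash over the user table after an upgrade to find accounts that still rely on the 3.3 to 7.5 scheme and force a password change for them.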

Spotfire Server Security Configuration and Administration Activities
This table provides information about configuration activities, security settings, and links into the documentation and community site.

Setting LDAP - LDAP over TLS: Configuring LDAPS. In an LDAP environment, where the Spotfire system communicates with an LDAP directory server, administrators often secure the LDAP protocol using TLS, if the LDAP directory supports this. See Authentication towards LDAP.


LDAP - SASL authentication: Spotfire Server supports two Simple Authentication and Security Layer (SASL) mechanisms for authentication towards LDAP: DIGEST-MD5 and GSSAPI. See Authentication towards LDAP.

HTTP - Security headers: See Security HTTP Headers.

Apache Ignite - TLS (Spotfire Server clustering communication): Default: Enabled. TLS can be disabled or enabled. See config-cluster --secure-transport=<true|false>.

Session handling - Persistent sessions: Default: Enabled. See config-persistent-sessions for information on configuring persistent sessions for browser clients.

"Remember me" in Spotfire Analyst: Default: Enabled. See config-login-dialog --allow-remember-me. Controls whether a user can choose to store the login information for future automatic login, or must always provide a username and password when logging in.

Session handling - Timeouts: Default: 30 minutes (idle session), 24 hours (absolute). See Absolute session timeout and idle session timeout for more information.

Backend communication - Auto-trust: Default: Disabled. If enabled, node managers are automatically trusted by the server cluster, so while it is on, any node manager that registers joins the back-end trust without an administrator's approval. See Automatically trusting new nodes for more information.

Cross-site request forgery (CSRF) - Public web services: See config-csrf-protection for more information.

Configure Spotfire Server database security: See the following help topics for more information.
● Using Kerberos to log in to the Spotfire database
● Setting up the Spotfire database (SQL Server with Integrated Windows authentication)

Upgrade Java: See Upgrade Java for Spotfire Server 7.5 and later on community.tibco.com.

Upgrade Tomcat: See Upgrade Apache Tomcat for Spotfire Server 7.5 and later on community.tibco.com.

Upgrade Spring: See Upgrade Spring for Spotfire Server 7.5 and later on community.tibco.com.

HTTPS (TLS over HTTP) for front-end port: See HTTPS (TLS over HTTP) for Front End Port.

JMX security: See JMX Security.


Configure encryption password: The encryption password is used to encrypt the service account passwords stored in the Spotfire database. If not set, a static password is used. See config-encryption for more information.

Changing a Windows Service Account for Spotfire Server
The service account running the Spotfire Server under Windows can be changed to a user with more restricted rights. Change this setting from the Windows Services user interface.

Procedure

1. Right-click TIBCO Spotfire Server > Properties > Log On tab > Log on as. The specified user must have read and write permissions to the files in the Spotfire Server installation path.

2. Set file system permissions restrictively and apply minimal permissions. The service account must have both read and write permissions in the installation folder. Other users on the system do not need access to files in the installation folder.

Change a Linux Service Account for Spotfire Server
Spotfire Server for Linux provides two different installation methods: an RPM installer and a tarball. A tarball installation can be configured to run as any user.

See Installing the Spotfire Server files (tarball Linux) for more information.

HTTPS (TLS over HTTP) for Front End Port
The file <spotfire server root>/tomcat/conf/server.xml contains the TLS configuration for HTTPS.

In version 10.3, the server.xml file is aligned with Mozilla's Modern Compatibility configuration. The ciphers and protocols in the configuration file can be adjusted to accommodate environment-specific needs:

    <Connector port="443" [...] SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig certificateVerification="none" [...]
                       sslProtocol="TLSv1.2" protocols="TLSv1.2"
                       honorCipherOrder="true"
                       ciphers="<cipher-suites>" [...]
        </SSLHostConfig>
    </Connector>

When adjusting the list, keep protocols limited to TLSv1.2 (or later, where every client supports it) and keep honorCipherOrder="true", so that the server's cipher preference wins over the client's.

See Configuring HTTPS for how to enable HTTPS for front-end communication between Spotfire clients and the Spotfire Server.

See Authentication using X.509 client certificates for how to enable HTTPS client certificate authentication.
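A check for the settings discussed above, as an added example that is not part of the Spotfire product or its documentation: it parses a server.xml, finds every HTTPS connector, and reports protocols that are not pinned to TLSv1.2, legacy protocol names, a missing honorCipherOrder, and cipher suites carrying legacy markers. The two server.xml samples are constructed for the example, and the marker list is a deliberately small blacklist rather than a full Mozilla policy.

```python
"""Audit the HTTPS connector(s) in a Tomcat server.xml for the TLS settings
the Spotfire front-end port is expected to use.

Added example. Sample XML is constructed; WEAK_CIPHER_MARKERS is a short
list of substrings found in legacy suites under both OpenSSL and JSSE names.
"""
import re
import xml.etree.ElementTree as ET

# Tomcat protocol names that should never be enabled on the front-end port.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")


def _split(value: str) -> list:
    """Tomcat accepts comma- or colon-separated lists in these attributes."""
    return [item.strip() for item in re.split(r"[,:]", value) if item.strip()]


def audit_server_xml(xml_text: str) -> list:
    """Return human-readable findings; an empty list means every TLS connector passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector; out of scope here
        port = connector.get("port", "?")
        # Tomcat 8.5+ keeps TLS settings on <SSLHostConfig>; older configs put
        # them directly on the <Connector>, so fall back to that element.
        for cfg in connector.findall("SSLHostConfig") or [connector]:
            raw = cfg.get("protocols", "")
            protocols = set(_split(raw))
            if not protocols or "all" in protocols:
                findings.append(f"port {port}: protocols not pinned (value {raw!r}); "
                                f"set protocols=\"TLSv1.2\"")
            for weak in sorted(protocols & WEAK_PROTOCOLS):
                findings.append(f"port {port}: legacy protocol {weak} enabled")
            if cfg.get("honorCipherOrder", "false").lower() != "true":
                findings.append(f"port {port}: honorCipherOrder is not true, "
                                f"so the client picks the cipher suite")
            for suite in _split(cfg.get("ciphers", "")):
                if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"port {port}: weak cipher suite {suite}")
    return findings


# Constructed sample following the fragment shown above (attributes filled in).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none"
                     sslProtocol="TLSv1.2" protocols="TLSv1.2"
                     honorCipherOrder="true"
                     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="certs/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Constructed sample of a connector that has drifted from the 10.3 defaults.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2"
                     ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="certs/keystore.p12"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("hardened", HARDENED_SERVER_XML), ("weak", WEAK_SERVER_XML)):
        print(label, audit_server_xml(xml) or ["no findings"])
```

Point it at <spotfire server root>/tomcat/conf/server.xml after any edit; a clean run means the connector still matches the pinned-protocol, server-preference shape shown above.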


Security HTTP Headers
The HTTP headers listed in this topic can be set using Spotfire configuration settings.

See the header help topics, linked from the table, for detailed instructions for configuring each header.

X-Frame-Options (default: not set): Prevents clickjacking and framing of the Spotfire Server web interface by other web sites. If enabled and set to DENY, the Spotfire Web Player JavaScript API stops working, because that API embeds analyses in frames on other sites. See Mozilla's reference for X-Frame-Options for more information.

X-XSS-Protection (default: not set): Controls how the built-in XSS filter in Internet Explorer, Chrome, and Safari behaves when it detects an XSS attack, and whether the filter is enabled. Current browsers have removed this filter, so treat the header as legacy and rely on Content-Security-Policy instead. See Mozilla's reference for X-XSS-Protection for more information.

Strict-Transport-Security (HSTS) (default: not set): Instructs the client that the site should be accessed only using HTTPS, instead of HTTP. Enable it only once HTTPS works for every host name it will cover, because clients refuse plain HTTP to those hosts until the max-age expires. See Mozilla's reference for Strict-Transport-Security for more information.

Cache-Control (no default listed): Sets directives for caching mechanisms in requests and responses. See Mozilla's reference for Cache-Control for more information.

X-Content-Type-Options (default: not set): Prevents browser MIME sniffing in some cases. See Mozilla's reference for X-Content-Type-Options for more information.

Adding Custom HTTP Headers in the Spotfire Server Configuration

Other HTTP headers, such as Content-Security-Policy, Referrer-Policy, and Public-Key-Pins (HTTP Public Key Pinning, HPKP), do not have built-in commands to configure them. (Browsers have since dropped HPKP support, so do not rely on that header.) They can be added as custom headers in the Spotfire Server configuration by using the following steps.

Procedure

1. Export the configuration to an XML file.

2. Open the configuration XML file in a text editor, and then add the following tag with content:

    <security>
        ...
        <headers>
            <directives>
                <directive>
                    <action>add</action>
                    <enabled>true</enabled>
                    <name>headername</name>
                    <value>value</value>
                </directive>
            </directives>
            <properties />
        </headers>


3. Replace headername with the name of the HTTP header and value with the header value, and, if needed, replace add with another action type. The allowed values for <action> are:

● add
● append
● set

4. Issue config import-config --comment "HTTP header <action>" (with <action> reflecting the appropriate action type).

5. Restart the server.
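Steps 2 and 3 of this procedure, automated for an exported configuration.xml, as an added example that is not TIBCO's tooling. It assumes that <security> is a direct child of the configuration root, as the fragment above suggests, and it is idempotent: a directive with the same header name is updated rather than duplicated. The header values in RECOMMENDED_HEADERS and the sample configuration are this example's own choices, constructed for illustration; a real export contains many more elements. Import the result with the config import-config command from step 4 and restart the server.

```python
"""Add or update custom HTTP header directives in an exported Spotfire Server
configuration.xml (steps 2 and 3 above), without duplicating existing ones.

Added example; the sample configuration and the header values are
constructed, and the <security> placement is an assumption.
"""
import xml.etree.ElementTree as ET

ACTIONS = {"add", "append", "set"}  # the allowed <action> values from step 3

# A conservative starting point. frame-ancestors 'self' keeps same-origin
# framing (and so the Web Player JavaScript API on this origin) working,
# unlike X-Frame-Options: DENY; widen it to the sites allowed to embed.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return the first child with `tag`, creating it if missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def set_header_directive(root: ET.Element, name: str, value: str,
                         action: str = "set", enabled: bool = True) -> ET.Element:
    """Create or update <security><headers><directives><directive> for `name`."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    headers = _child(_child(root, "security"), "headers")
    directives = _child(headers, "directives")
    _child(headers, "properties")  # the procedure shows an empty <properties /> sibling
    for directive in directives.findall("directive"):
        if (directive.findtext("name") or "").strip().lower() == name.lower():
            target = directive  # header names are case-insensitive; reuse the entry
            break
    else:
        target = ET.SubElement(directives, "directive")
    _child(target, "action").text = action
    _child(target, "enabled").text = "true" if enabled else "false"
    _child(target, "name").text = name
    _child(target, "value").text = value
    return target


def harden_config(xml_text: str) -> str:
    """Apply RECOMMENDED_HEADERS to an exported configuration and return the new XML."""
    root = ET.fromstring(xml_text)
    for name, value in RECOMMENDED_HEADERS.items():
        set_header_directive(root, name, value)
    return ET.tostring(root, encoding="unicode")


def directives_in(xml_text: str) -> dict:
    """Map header name -> (action, enabled, value) for every directive present."""
    root = ET.fromstring(xml_text)
    return {d.findtext("name"): (d.findtext("action"), d.findtext("enabled"), d.findtext("value"))
            for d in root.iterfind("./security/headers/directives/directive")}


# Constructed, minimal stand-in for the exported configuration.xml.
SAMPLE_CONFIG = """<configuration>
  <security>
    <headers>
      <directives>
        <directive>
          <action>set</action>
          <enabled>true</enabled>
          <name>X-Content-Type-Options</name>
          <value>nosniff</value>
        </directive>
      </directives>
      <properties />
    </headers>
  </security>
</configuration>"""

if __name__ == "__main__":
    print(harden_config(SAMPLE_CONFIG))
```

Because the function matches on the header name, running it against an export that already carries one of these directives updates the value in place, which is what you want when tightening a policy over several releases.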

TIBCO Spotfire Node Manager
A node manager is a container for setting up, running, or tearing down services such as Spotfire Automation Services, Spotfire Web Player, or the TERR service. A service running on a node manager runs in a separate process, can open service ports, and has its installation files under <nm installation path>/services/.

Service account:
● Windows default: NT Authority\System
● Linux default: root

Ports and protocols:
● Registration port on the node manager computer: HTTP/9080
● Communication port on the node manager computer: HTTPS/9443

A non-exhaustive inventory of data that might contain credentials and other sensitive information:

Type: Node manager and service logs
(Default) location: <node manager root>/logs
Comments: Contains the node manager and service logs. It can also contain minidumps and process memory dumps for Spotfire Web Player, if these are created; such dumps hold whatever was in process memory, including credentials and data. See also enabledMiniDumpCreationOnError in the Spotfire.Dxp.Worker.Web.config help topic.

Type: SMTP configuration credentials
(Default) location: Spotfire.Dxp.Worker.Automation.config
Comments: Present when Spotfire Automation Services is configured with an SMTP server that requires authenticated connections.


Type: Node manager backend trust keystore
(Default) location: <node manager installation directory>/trust/keystore.p12 (node manager)
Comments: Keystore containing keys for the following:
● internal node manager <-> Spotfire Server
● node manager <-> service
● service <-> Spotfire Server
● service <-> service
The keystore is locked with a static password.

Type: Spotfire Web Player / Spotfire Automation Services proxy server credentials
(Default) location: Spotfire.Dxp.Worker.Host.exe.config
Comments: ProxyUsername and ProxyPassword hold credentials to a network proxy, if one is configured.

Type: Spotfire Statistics Services configuration for Spotfire Web Player and Spotfire Automation Services
(Default) location: Spotfire.Dxp.Worker.Host.exe.config
Comments: TibcoSpotfireStatisticsServicesUsernames and TibcoSpotfireStatisticsServicesPasswords contain credentials to the Spotfire Statistics Services server(s), if one or more is configured.

Type: Credentials profiles for connectors used by Spotfire Web Player and Spotfire Automation Services
(Default) location: Spotfire.Dxp.Worker.Host.exe.config
Comments: A configuration file containing user names and passwords to data sources used by data connectors.

Type: Spotfire Automation Services Kerberos identity
(Default) location: Spotfire.Dxp.Worker.Automation.config
Comments: The Windows user specified by <kerberosIdentity userName="domain\username" password="password" /> is used to run Spotfire Automation Services.

Type: Spotfire Web Player > Scheduled updates identity
(Default) location: Spotfire.Dxp.Worker.Web.config
Comments: The Windows user specified by <kerberosIdentity userName="domain\username" password="password" /> is used to run Spotfire Web Player.

Credentials are encrypted in the configuration files that are installed with the service. To modify the configuration, you must export the configuration from the database, make the modifications, import it back into the database, and then set the configuration for the service.


Node Manager Configuration Tasks
These tools are bundled with the node manager; however, to run the most recent and most secure version, you should review the versions and upgrade as necessary. The articles listed in this topic can help guide you.

● Upgrade Java for TIBCO Spotfire Node Manager on community.tibco.com
● Upgrade Spring for TIBCO Spotfire Node Manager on community.tibco.com

TIBCO Spotfire Connectors
Spotfire connectors support a variety of authentication and transport security options.

See the documentation for each connector for the available security options.

Database Credentials for Connectors
Because database connections using Spotfire connectors are initiated directly from the Spotfire client (Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services), it is important to understand that any database credentials must be available to the client in order to establish the connection. The Spotfire connector data source credentials settings control whether credentials are embedded in the connection or not.


No, do not save any credentials: Use this option if you do not want to save credentials with the connection data source. If the connection data source uses database authentication, all users of the data source are prompted for a user name and password for the database when this data source (or a data connection using it) is opened.

No, but save credentials profile (may be used when opening in Spotfire web clients or running TIBCO Spotfire Automation Services jobs): Use this option if you want to save a credentials profile instead of saving the actual credentials with the connection data source. See Details on Data Source Settings - Credentials in the Spotfire documentation for more information on how to use credentials profiles. See Spotfire.Dxp.Worker.Host.exe.config file > DataAdapterCredentials for information on how to configure Spotfire Automation Services and Spotfire Web Player to use a credentials profile. Use <Spotfire.Dxp.Web.Properties.Settings> and <Spotfire.Dxp.Data.Access.Adapters.Settings> in Spotfire.Dxp.Worker.Host.exe.config.

Yes, save credentials with the connection data source: Saving credentials with the connection data source can be a security risk, because the user name and password are stored as part of the analysis file, and anyone with access to the file can obtain them. Use this option carefully. If you do save credentials with the connection data source, a recommended practice is to use a database user that has only the minimum privileges required for reading the data that you want to analyze in Spotfire. Select this check box if you want the connection data source to remember the specified user name and password. This means that users are not prompted for credentials when opening a data connection that uses this data source, or an analysis that includes such a data connection. This option can only be used if the connection data source is set to use database authentication. See also the preference EnableAllowSavingDatabaseCredentials. When this preference is set to False, the option "Yes, save credentials with the connection data source" is disabled in the user interface.

TIBCO Spotfire Web Player
Spotfire Web Player is a service that runs on a node. It provides a web service for sharing and distributing analyses inside and outside of an organization.

See Manually Editing the Service Configuration Files for more information.


Service account: Default: NT Authority\System.

Ports and protocols: Default: HTTPS on port 9501/tcp on the node manager host.

Configuration File Settings for Spotfire Web Player
These tables provide information about the configuration files for Spotfire Web Player and its interactions with Spotfire Server and Spotfire Automation Services using APIs.

Spotfire.Dxp.Worker.Web.config

For more information, see Spotfire.Dxp.Worker.Web.config help.

Setting: /javascriptApi
    <javaScriptApi enabled="true" domain="domain1.com,domain2.com">
Default value: JavaScript API enabled, all domains allowed
Description: Controls whether the use of the JavaScript API is enabled, and from which domains it is possible to use the JavaScript API. A non-empty domain whitelist means that only the listed domains are able to embed Spotfire files in their web sites using the JavaScript API. The list is a comma-separated list of domain names. If the API is needed, list the embedding domains explicitly rather than keeping the default, which lets any site embed analyses.

Setting: /analysis/inactivityTimeout
Default value: 2 hours
Description: Timeout for inactive analyses. A Spotfire file is closed after the inactivityTimeout is reached. In practice, a session timeout is not shorter than the inactivityTimeout value, because an open analysis file in a web browser continuously renews the session, so the session timeout is never met while a file is open. Only after the session has no open files left, and the user session is not actively connected to the Spotfire Server, does the session timeout start counting. This is by design: every HTTP request renews the session.

Spotfire.Dxp.Worker.Core.config

This configuration file specifies settings for the service's communication with the Spotfire Server, and whether sections in configuration files should be encrypted. For more information, see Spotfire.Dxp.Worker.Core.config help.


Setting: /authentication@hostsToAuthenticate
Description: A list of patterns for which the service should use Windows authentication (NTLM or Kerberos). Wildcard patterns such as *.x.com can be used to match all subdomains of x.com. Do not add servers that are not trusted to this list, because you risk leaking NetNTLM tokens to them, which is a security risk.

Setting: /cryptography@encryptConfigurationSections
Default value: true
Description: Set to true to encrypt the sections of configuration files that contain sensitive information.

Setting: /cryptography@DataProtectionConfigurationProvider
Default value: DataProtectionConfigurationProvider
Description: By default, the DataProtectionConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt sections of the configuration with a machine-specific secret key, which means that the encrypted sections can only be decrypted on the same machine that the service is running on. See Encrypting Configuration Information Using Protected Configuration for more information.
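The hostsToAuthenticate decision, as an added example that is not Spotfire's matcher: it applies the description above (exact host names, and *.x.com wildcards covering every subdomain of x.com) and audits a list for entries broad enough to hand credentials to untrusted hosts. The precise rules used here (case-insensitive comparison, a lone "*" matching any host, "*.x.com" not matching x.com itself) and both sample lists are this example's own, constructed to show why an over-broad entry matters: once a host matches, the service answers its NTLM challenge, and an attacker-controlled host can capture that NetNTLM response for relay or offline cracking.

```python
"""Decide whether a worker service would send Windows credentials to a host,
given a hostsToAuthenticate-style pattern list, and audit that list.

Added example; the matching rules and sample lists are this example's own.
"""


def normalize_host(value: str) -> str:
    """Lower-case a host name, dropping any scheme, port, path or trailing dot."""
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """True if `host` is covered by one hostsToAuthenticate pattern."""
    pattern, host = normalize_host(pattern), normalize_host(host)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]          # "*.x.com" -> ".x.com"
        return host.endswith(suffix)  # the leading dot keeps evil-x.com out
    return host == pattern


def should_authenticate(host: str, patterns) -> bool:
    """True if the service would offer NTLM/Kerberos credentials to `host`."""
    return any(host_matches(p, host) for p in patterns)


def audit_patterns(patterns) -> list:
    """Flag entries broad enough to leak credentials: a bare "*", or a
    wildcard over a single label such as "*.com"."""
    findings = []
    for raw in patterns:
        pattern = normalize_host(raw)
        if pattern == "*":
            findings.append(f"{raw!r}: matches every host, including attacker-controlled ones")
        elif pattern.startswith("*.") and "." not in pattern[2:]:
            findings.append(f"{raw!r}: wildcard over a whole top-level domain")
    return findings


# Constructed lists: the first follows the guidance above, the second does not.
SAFE_HOSTS = ["*.corp.example", "reports.partner.example"]
UNSAFE_HOSTS = ["*", "*.example"]

if __name__ == "__main__":
    for host in ("sql.corp.example", "attacker.test"):
        print(host, "safe-list:", should_authenticate(host, SAFE_HOSTS),
              "unsafe-list:", should_authenticate(host, UNSAFE_HOSTS))
    print(audit_patterns(UNSAFE_HOSTS))
```

Run audit_patterns over the value you are about to put in Spotfire.Dxp.Worker.Core.config; anything it flags should be replaced with the specific hosts or the organisation's own subdomain wildcard.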

Spotfire.Dxp.Worker.Host.exe.config

Spotfire.Dxp.Worker.Host.exe.config is the configuration file for both Spotfire Web Player and Spotfire Automation Services. See Spotfire.Dxp.Worker.Host.exe.config file help for more information.

Setting: /Spotfire.Dxp.Internal.Properties.Settings/AllowedTlsVersions
Default value: Tls, Tls11, Tls12
Description: Determines which versions of the TLS security protocol are allowed. Specify the values separated by a comma ",". For the possible values for this setting, refer to the .NET enum SecurityProtocolType. Note that the default still permits TLS 1.0 and 1.1; restrict it to Tls12 (or newer values the installed .NET runtime supports) unless a data source requires the older versions.

If you leave the value for this setting blank, the allowed TLS versions are set to SystemDefault. If you remove the setting from the configuration file, the allowed TLS versions are set to the default value.


Setting: /Spotfire.Dxp.Data.Properties.Settings/AllowedFilePaths
Default value: Empty
Description: A list of directories that Spotfire Web Player or Spotfire Automation Services are allowed to use as file data sources. Add only approved network shares or other paths that contain files that should be possible to load in a Spotfire file. For security reasons, do not add entire drive letters such as C:\, because that would allow Spotfire users to read any local file through the Spotfire Web Player service, with the service account's permissions.

Setting: /system.net/defaultProxy
Description: If Spotfire Web Player or Spotfire Automation Services should use a proxy server to reach internal and external networks, one can be enabled in this file.
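A containment check for the AllowedFilePaths setting above, as an added example that is not Spotfire's own check; it also covers the allowedFilePaths section of Spotfire.Dxp.Worker.Automation.config described under Spotfire Automation Services below, which makes the same allow-list decision for task input and output files. It uses ntpath so that Windows path rules apply on any OS: the request is normalised (so "..\" cannot escape an allowed directory), compared case-insensitively, and must sit under an allowed entry on a directory boundary (so D:\data does not also admit D:\data-private). audit_allowed_paths flags a drive root such as C:\, which the text above warns against. All paths are constructed for the example.

```python
"""Allow-list check for file data source paths, in the spirit of
AllowedFilePaths; flags drive roots and rejects traversal and relative paths.

Added example; all paths are constructed. ntpath keeps Windows semantics
even when this runs on Linux.
"""
import ntpath


def normalize(path: str) -> str:
    """Canonical, lower-cased Windows path; rejects relative or drive-less paths."""
    if not ntpath.isabs(path) or not ntpath.splitdrive(path)[0]:
        raise ValueError(f"expected an absolute drive or UNC path, got {path!r}")
    # normpath collapses "." and ".." segments; normcase folds case and slashes.
    return ntpath.normcase(ntpath.normpath(path))


def is_drive_root(path: str) -> bool:
    """True for C:\\ or \\\\server\\share with nothing below it."""
    _, tail = ntpath.splitdrive(normalize(path))
    return tail in ("", "\\")


def is_allowed(requested: str, allowed_paths) -> bool:
    """True if `requested` equals, or lies inside, one allowed directory."""
    req = normalize(requested)
    for entry in allowed_paths:
        base = normalize(entry).rstrip("\\")
        # Require a separator after the base so D:\data does not cover D:\data-private.
        if req == base or req.startswith(base + "\\"):
            return True
    return False


def audit_allowed_paths(allowed_paths) -> list:
    """Return the entries that expose a whole drive or share."""
    return [entry for entry in allowed_paths if is_drive_root(entry)]


# Constructed allow list: one local folder and one share below its root.
ALLOWED = [r"D:\data", r"\\fileserver\shares\spotfire-data"]

if __name__ == "__main__":
    for request in (r"D:\data\sales.csv", r"D:\data\..\secrets\keys.txt", r"C:\Windows\win.ini"):
        print(request, "->", is_allowed(request, ALLOWED))
    print("entries exposing a whole drive:", audit_allowed_paths(["C:\\", r"D:\data"]))
```

The traversal case is the one to keep in mind when reviewing an allow list: a path that textually starts with an allowed directory can still resolve somewhere else, so always compare normalised paths.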

TIBCO Spotfire Automation Services
TIBCO Spotfire® Automation Services is a web service for automatically executing multi-step jobs within your TIBCO Spotfire® environment. You can, for example, use Spotfire® Automation Services to deliver an analysis file to specific people, in a particular format, at specified times.

Service account: Default: NT Authority\System

Ports and protocols: Default service port: HTTPS on port 9501/tcp on the node manager host.

Log files: <node manager installation directory>/logs/ and <node manager installation directory>/services/<automation services service directory>/logs

Configuration File Settings for Spotfire Automation Services
These tables provide information about the configuration files for Spotfire Automation Services and its interactions with the Spotfire Server and the other services, using APIs.

Spotfire.Dxp.Worker.Automation.config

This configuration file is used for configurations that are specific to Spotfire Automation Services.

Setting: /Spotfire.Dxp.Automation.Framework/security/allowedFilePaths@allowAll
Default value: True
Description: By default, Spotfire Automation Services tasks can read files from, and write files to, any directory in the file system. Set this to False to allow tasks to read from, and write to, only the directories specified in the <allowedFilePaths> section.


Setting: /spotfire.dxp.automation.tasks/smtp - SMTP configuration
Default value: Not enabled
Description: An SMTP server can be set up to use TLS (useTls) and different methods of authentication. Enable useTls whenever the mail server supports it.

Setting: /Spotfire.Dxp.Automation.Framework/allowedFilePaths
Default value: All paths are allowed
Description: By default (allowAll="True"), Spotfire Automation Services tasks can read files from, and write files to, any directory in the file system. Set allowAll to False to allow tasks to read from, and write to, only the directories listed in the <allowedFilePaths> section. (Not to be confused with AllowedFilePaths in Spotfire.Dxp.Worker.Host.exe.config, which governs file data sources.)

Spotfire.Dxp.Worker.Core.config

This configuration file specifies settings for the service's communication with the Spotfire Server, and whether sections in configuration files should be encrypted.

Setting: /authentication@hostsToAuthenticate
Description: A list of patterns for which the service should use Windows authentication (NTLM or Kerberos). Wildcard patterns such as *.x.com can be used to match all subdomains of x.com. Do not add servers that are not trusted to this list, because you risk leaking NetNTLM tokens to them, which is a security risk.

Setting: /cryptography@encryptConfigurationSections
Default value: true
Description: Set to true to encrypt the sections of configuration files that contain sensitive information.

Setting: /cryptography@DataProtectionConfigurationProvider
Default value: DataProtectionConfigurationProvider
Description: By default, the DataProtectionConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt sections of the configuration with a machine-specific secret key, which means that the encrypted sections can only be decrypted on the same machine that the service is running on. See Encrypting Configuration Information Using Protected Configuration for more information.


Spotfire.Dxp.Worker.Host.exe.config

Setting: /Spotfire.Dxp.Internal.Properties.Settings/AllowedTlsVersions
Default value: Tls, Tls11, Tls12
Description: Determines which versions of the TLS security protocol are allowed. Specify the values separated by a comma ",". For the possible values for this setting, refer to the .NET enum SecurityProtocolType. If you leave the value for this setting blank, the allowed TLS versions are set to SystemDefault. If you remove the setting from the configuration file, the allowed TLS versions are set to the default value. Note that the default also permits TLS 1.0 and TLS 1.1, both of which are deprecated; where all peers support it, restrict the value to Tls12.

Setting: /Spotfire.Dxp.Data.Properties.Settings/AllowedFilePaths
Default value: Empty
Description: A list of directories that Spotfire Web Player or Spotfire Automation Services are allowed to use as file data sources. Add only approved network shares or other paths that contain files that should be possible to load in a Spotfire file. For security reasons you should not add entire drive letters such as C:\ because that would allow Spotfire users to read local files from the Spotfire Web Player service.

Setting: /system.net/defaultProxy
Description: If the Spotfire Web Player or Spotfire Automation Services should use a proxy server to reach internal and external networks, one can be enabled in this file.

Client Job Sender (Spotfire Automation Services)

The Client Job Sender is a command-line tool for executing Spotfire Automation Services jobs.

The tool has a number of security configuration options. See the section Configuring the Client Job Sender in the Spotfire Automation Services User's Manual for a full list of settings.

TIBCO Enterprise Runtime for R - Server Edition

TIBCO® Enterprise Runtime for R - Server Edition provides Spotfire clients with the ability to execute R code, using TERR, on the TERR service node.

A TERR service is required to execute data functions in Spotfire files from Spotfire Automation Services and Spotfire Web Player, because those services do not have TERR engines.

The TERR service runs as the same user account as the Node Manager on which the service runs. See Node Manager.

By default, TERR scripts executed by the TERR service on behalf of its users are executed in a different execution context, as explained below.

TERR service component: Service account
Default: NT Authority\System (Windows) or root (Linux)

TERR service component: Log files
Default: <node manager installation>/logs
Description: See the TERR service logs for more information.

The TERR service ports and protocols

Name: Communication port
Default port and protocol: 9502/tcp
Function description: For secure (HTTPS) internal communication. Cannot be accessed directly.
Secure/Encrypted: Yes

Name: TERR engine ports
Default port and protocol: 61000/tcp to 63000/tcp
Function description: Host-internal communication between the TERR service and the TERR engines.
Secure/Encrypted: No

Settings and Configuration Tasks for TERR Service

You can use these settings to limit the capabilities of running TERR data functions.

Setting / Configuration task: terr.restricted.execution.mode (Enforce restricted execution)
Default value: TRUE
Description: Enforce restricted execution mode for all scripts. Restricted execution mode in the TERR service allows executing arbitrary scripts without worrying that the script could do malicious things, such as deleting files or uploading confidential data to a server over the internet. For more information, see the TERR service help: Safeguarding your environment.

Setting / Configuration task: use.engine.containers
Default value: Windows: FALSE; Linux: TRUE
Description: Available on Linux only. If your deployment is on a Linux server, then the default configuration for the TERR service is to use containers (the property use.engine.containers: TRUE). Running the TERR service with containers enabled prevents the engines from having access to the host system. See Containerized TERR Service for more information.

Setting / Configuration task: disable.spotfire.trust.checks
Default value: FALSE
Description: Disable the trust check only if the TERR service is installed on Linux, with Docker containers, where extra means have been taken to secure the container environment, or if all Spotfire users in the environment can be trusted.

Setting / Configuration task: Set file size upload limit
Default value: 100MB
Description: See File size upload limit for more information.

Setting / Configuration task: Set TERR engine ports range
Default value: 61000 - 63000
Description: See TERR engine ports for more information.

Setting / Configuration task: Enable JMX Monitoring
Default value: OFF
Description: See Monitoring the TERR service using JMX.

Restrict Network Access for TERR Scripts in Containers

By default, the containers in which TERR scripts run have whatever network access the Docker host gives them.

If TERR scripts are not running in restricted execution (REX) mode, then any TERR script can connect to the network. To restrict external network access for the container, and therefore for any script running within it, the node manager computer must be configured so that the containers cannot reach the network. One way to do this is to implement iptables rules that block traffic from Docker containers to outside networks.
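The following script is an added example, not taken from the TIBCO documentation, of the iptables approach described above. It prints, and with --apply installs, rules in Docker's DOCKER-USER chain (the chain Docker reserves for administrator rules ahead of its own) that drop everything leaving the container bridge except replies to already-accepted connections and traffic to the destinations you list. It assumes the engine containers are attached to the default docker0 bridge (BRIDGE_IF overrides this) and that the CIDR you pass, for example the Spotfire Server subnet, is the only outbound destination the scripts need; both are assumptions, not settings from the page.

```shell
#!/bin/sh
# Added example (not from the TIBCO documentation): generate and optionally apply
# iptables rules in Docker's DOCKER-USER chain so that TERR engine containers on
# the node manager host cannot reach the network, except destinations you list.
#
# Assumptions (not stated on the page):
#   - the engine containers sit on the default bridge "docker0" (override with BRIDGE_IF)
#   - Docker's DOCKER-USER chain exists (Docker creates it and jumps to it from FORWARD)
#   - host<->container traffic on the bridge does not traverse FORWARD, so the
#     TERR service's host-internal engine ports (61000-63000/tcp) are unaffected.

BRIDGE_IF="${BRIDGE_IF:-docker0}"

# terr_egress_rules IFACE [ALLOWED_CIDR ...]
# Prints the iptables commands, one per line, in the order they must be run.
# Every command is an "-I" (insert at top), so the LAST printed rule is evaluated FIRST:
#   1. drop everything leaving the bridge             (evaluated last)
#   2. allow replies to connections already accepted  (evaluated second)
#   3. allow each explicitly listed destination       (evaluated first)
terr_egress_rules() {
    iface="$1"; shift
    echo "iptables -I DOCKER-USER -i $iface -j DROP"
    echo "iptables -I DOCKER-USER -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for cidr in "$@"; do
        echo "iptables -I DOCKER-USER -i $iface -d $cidr -j ACCEPT"
    done
}

# terr_egress_check IFACE
# Returns 0 if a DROP rule for the bridge is present in DOCKER-USER, 1 otherwise.
terr_egress_check() {
    iptables -S DOCKER-USER 2>/dev/null | grep -q -- "-i $1 .*-j DROP"
}

# Usage: sh terr_egress.sh [--apply] [ALLOWED_CIDR ...]
# Without --apply nothing is changed; run it once to review the rules first.
if [ "${1:-}" = "--apply" ]; then
    shift
    terr_egress_rules "$BRIDGE_IF" "$@" | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    terr_egress_check "$BRIDGE_IF" && echo "DOCKER-USER egress block is active for $BRIDGE_IF"
else
    terr_egress_rules "$BRIDGE_IF" "$@"
fi
```

After applying, confirm the chain with `iptables -S DOCKER-USER` and, from inside an engine container, that a connection to an address outside the allowed CIDR fails while the TERR service still starts engines normally. The rules are not persistent across reboots; install them through whatever mechanism your distribution uses to restore iptables state, and keep terr.restricted.execution.mode=TRUE as the first line of defence rather than relying on the network block alone.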

Use a Custom Docker Image for Containerized TERR

If the node manager is running on a Linux computer, then you can run the TERR service in a Docker container.

For more information, see the following help topics.

● Configuring a custom Docker image on a node with internet access
● Pulling a custom Docker image from an authenticated repository

Script Security & Restricted Execution Modes

The following mechanisms control the security of the TERR service and prevent users from running malicious scripts on the server.

● Restricted execution mode (REX).
● TERR engine in Docker containerization.
● Script trust and access control.

Only users in the Spotfire license group Script Author can create and mark TERR scripts as trusted. Trusted scripts run in an unrestricted execution environment (no REX or container) unless the TERR service enforces all scripts to be run in restricted mode. Untrusted scripts always run in REX mode or in a container.

Docker Containerization for TERR Scripts

Scripts running in a container but not using restricted execution mode have full access to the Docker container and have permission to do anything that is possible to do from within the container. The level of isolation a container provides depends on the Docker installation and the privileges given to these containers.

Configuration: TERR service host isolation
Description: Scripts are prohibited from accessing the file system of the host computer running the TERR service.

Configuration: User isolation
Description: The use of engine containers ensures that the same execution environment is not re-used for multiple data functions initiated by different users.

Configuration: Network isolation
Description: Depending on configuration, TERR scripts can access the external network and other Docker containers that are reachable from within a container. In many cases, a default installation with engine containers lets scripts access the external network, including the internet, and other Docker containers. To restrict access to the network, the Docker containers must be configured to restrict network access. If network isolation is needed, the container options should not be used without terr.restricted.execution.mode=true or additional network configuration.

TERR Restricted Execution Mode (REX)

Scripts running in restricted execution mode (REX), but without container isolation, run directly on the TERR service host using the same user account as the node manager on which the service runs.

The scripts are restricted in their capabilities (see terr.restricted.execution.mode). Enforcing all scripts to run in both restricted execution mode and container isolation provides an extra level of security and is recommended to achieve the highest level of security.

Impact of Relaxing the TERR Service Security Settings

If you have scripts that cannot run in restricted mode because they need access to resources on the system or network, then you can change the settings to enable those scripts to run.

This table shows the resulting execution mode, given user role, service configuration, and whether the script is marked as trusted in the library. An asterisk (*) means any value.

Script Author | terr.restricted.execution.mode | disable.spotfire.trust.checks | Trusted Script | Use evalREX
*             | True                           | *                             | *              | Yes
Yes           | False                          | *                             | *              | No
No            | False                          | True                          | *              | No
No            | False                          | False                         | True           | No
No            | False                          | False                         | False          | Yes


A TERR data function runs without evalREX only if terr.restricted.execution.mode is False and one of the following conditions also exists.

● The data function is trusted in the Spotfire library.

● The request to run the data function originates from a member of the Script Author group.

● The TERR service is configured with disable.spotfire.trust.checks=True.
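The decision table above and the settings in Settings and Configuration Tasks for TERR Service, turned into one runnable check. This is an added example and not TIBCO's code: terr_uses_rex implements the table row by row, and terr_audit reads the three settings from a file and warns about the combinations that let a script run without evalREX. Assumptions not stated on the page: the settings are stored as Java-style properties (key=value or key: value, TRUE/FALSE), the file path is a placeholder supplied by the caller, and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the TIBCO documentation: (1) the "Use evalREX" decision
# table as a function, and (2) an audit of a TERR service properties file that
# reports the relaxed settings which let scripts run unrestricted.
#
# Assumptions not stated on the page: the settings are read from a Java-style
# properties file (key=value or key: value, TRUE/FALSE values); the path is a
# placeholder; the sample contents below are constructed, not real files.

# terr_uses_rex RESTRICTED_MODE DISABLE_TRUST_CHECKS SCRIPT_AUTHOR TRUSTED
# Arguments are "true"/"false". Prints "yes" if the data function runs under
# evalREX, "no" if it runs unrestricted. Comments name the table row applied.
terr_uses_rex() {
    restricted="$1"; trust_checks_off="$2"; author="$3"; trusted="$4"
    if [ "$restricted" = "true" ]; then echo yes; return 0; fi        # row 1: mode enforced for all
    if [ "$author" = "true" ]; then echo no; return 0; fi             # row 2: Script Author
    if [ "$trust_checks_off" = "true" ]; then echo no; return 0; fi   # row 3: trust checks disabled
    if [ "$trusted" = "true" ]; then echo no; return 0; fi            # row 4: trusted in the library
    echo yes                                                          # row 5: untrusted, ordinary user
}

# prop FILE KEY: prints KEY's value lower-cased and trimmed, or nothing if absent.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}

# terr_audit FILE: prints one WARN line per relaxed setting; the exit status is
# the number of warnings, so 0 means the hardened defaults are in place.
terr_audit() {
    warnings=0
    restricted="$(prop "$1" terr.restricted.execution.mode)"
    containers="$(prop "$1" use.engine.containers)"
    trust_checks_off="$(prop "$1" disable.spotfire.trust.checks)"
    if [ "$restricted" != "true" ]; then
        echo "WARN terr.restricted.execution.mode=${restricted:-unset}: REX is not enforced; Script Authors and trusted scripts run without evalREX"
        warnings=$((warnings + 1))
        if [ "$trust_checks_off" = "true" ]; then
            echo "WARN disable.spotfire.trust.checks=true: every user's script, trusted or not, runs without evalREX"
            warnings=$((warnings + 1))
        fi
        if [ "$containers" != "true" ]; then
            echo "WARN use.engine.containers=${containers:-unset}: unrestricted scripts run directly on the host as the node manager account"
            warnings=$((warnings + 1))
        fi
    fi
    return "$warnings"
}

# Constructed samples (illustration only, not real Spotfire files).
write_relaxed_sample() {
    cat > "$1" <<'EOF'
# TERR service properties, constructed sample with every safeguard turned off
terr.restricted.execution.mode: FALSE
use.engine.containers: FALSE
disable.spotfire.trust.checks: TRUE
EOF
}
write_hardened_sample() {
    cat > "$1" <<'EOF'
terr.restricted.execution.mode=TRUE
use.engine.containers=TRUE
disable.spotfire.trust.checks=FALSE
EOF
}

# Usage: sh terr_audit.sh /path/to/terr-service.properties   (path is a placeholder)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    terr_audit "$1"
fi
```

Run it against the properties file of each TERR service node after a change; a non-zero exit status is the signal to re-check who is in the Script Author group, because with REX switched off that group decides which scripts run unrestricted.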

TIBCO Spotfire Analyst

With Spotfire Analyst, analysis authors can develop web-based and Windows client-based analyses. Spotfire Analyst provides authoring tools for sharing analyses and dashboards. It is installed on the Windows desktop.

Documentation

You can find documentation for Spotfire Analyst on the TIBCO documentation portal at TIBCO Spotfire Analyst Documentation. Alternatively, you can find the documentation from the Spotfire Analyst Help menu.

Installation directory

By default, Spotfire Analyst is installed in C:\Program Files\TIBCO\. Other information and settings are stored in the directory C:\Users\[username]\AppData.

Ports & Protocols

Spotfire Analyst opens a local HTTP web server on port 8000/tcp. It accepts connections only from localhost.
