TIBCO Spotfire® Server and Environment Security
Software Release 10.3 or later
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.
ANY SOFTWARE ITEM IDENTIFIED AS THIRD PARTY LIBRARY IS AVAILABLE UNDER SEPARATE SOFTWARE LICENSE TERMS AND IS NOT PART OF A TIBCO PRODUCT. AS SUCH, THESE SOFTWARE ITEMS ARE NOT COVERED BY THE TERMS OF YOUR AGREEMENT WITH TIBCO, INCLUDING ANY TERMS CONCERNING SUPPORT, MAINTENANCE, WARRANTIES, AND INDEMNITIES. DOWNLOAD AND USE OF THESE ITEMS IS SOLELY AT YOUR OWN DISCRETION AND SUBJECT TO THE LICENSE TERMS APPLICABLE TO THEM. BY PROCEEDING TO DOWNLOAD, INSTALL OR USE ANY OF THESE ITEMS, YOU ACKNOWLEDGE THE FOREGOING DISTINCTIONS BETWEEN THESE ITEMS AND TIBCO PRODUCTS.
This document is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.
TIBCO, the TIBCO logo, the TIBCO O logo, TIBCO Spotfire, TIBCO Spotfire Analyst, TIBCO Spotfire Automation Services, TIBCO Spotfire Server, TIBCO Spotfire Web Player, TIBCO Spotfire Developer, TIBCO Enterprise Message Service, TIBCO Enterprise Runtime for R, TIBCO Enterprise Runtime for R - Server Edition, TERR, TERR Server Edition, TIBCO Hawk, and TIBCO Spotfire Statistics Services are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.
Java and all Java based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.
This software may be available on multiple operating systems. However, not all operating system platforms for a specific software version are released at the same time. Please see the readme.txt file for the availability of this software version on a specific operating system platform.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
This and other products of TIBCO Software Inc. may be covered by registered patents. Please refer to TIBCO's Virtual Patent Marking document (https://www.tibco.com/patents) for details.
Copyright © 2019. TIBCO Software Inc. All Rights Reserved.
Contents

TIBCO Documentation and Support Services
Environment Overview
Ports and Protocols
    Ports
    Outbound Connections
    HTTP Cookies
    Node Trust and Back-End HTTPS Communication
Authentication and Authorization
    Authentication
        User Directory Options
        APIs and Extension Points
        Password Policy and Password Complexity Enforcement
    Authorization
        Roles
        Licenses
        Preferences
Logging and Monitoring
Cryptography
    Data At Rest
    Data In Motion
    Standards and Algorithms
    Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services
Scripts in Spotfire
    Script Trust
    Script Types
        Python (IronPython)
        JavaScript in Text Area
        HTML in Text Area
        Custom Queries
        TERR Data Functions
Components
    TIBCO Spotfire Server
        Spotfire Server Security Configuration and Administration Activities
            Changing a Windows Service Account for Spotfire Server
            Change a Linux Service Account for Spotfire Server
            HTTPS (TLS over HTTP) for Front End Port
            Security HTTP Headers
                Adding Custom HTTP Headers in the Spotfire Server Configuration
    TIBCO Spotfire Node Manager
        Node Manager Configuration Tasks
    TIBCO Spotfire Connectors
        Database Credentials for Connectors
    TIBCO Spotfire Web Player
        Configuration File Settings for Spotfire Web Player
    TIBCO Spotfire Automation Services
        Configuration File Settings for Spotfire Automation Services
        Client Job Sender (Spotfire Automation Services)
    TIBCO Enterprise Runtime for R - Server Edition
        Settings and Configuration Tasks for TERR Service
            Restrict Network Access for TERR Scripts in Containers
            Use a Custom Docker Image for Containerized TERR
        Script Security & Restricted Execution Modes
            Docker Containerization for TERR Scripts
            TERR Restricted Execution Mode (REX)
            Impact of Relaxing the TERR Service Security Settings
    TIBCO Spotfire Analyst
TIBCO Documentation and Support Services
How to Access TIBCO Documentation
Documentation for TIBCO products is available on the TIBCO Product Documentation website, mainly in HTML and PDF formats.
The TIBCO Product Documentation website is updated frequently and is more current than any other documentation included with the product. To access the latest documentation, visit https://docs.tibco.com.
TIBCO Spotfire Documentation
Documentation for Spotfire Server and related products is available on the Spotfire Server Product Documentation page.
The following documents relevant for this product can be found on the Spotfire Server Documentation site:
● TIBCO Spotfire® Server and Environment - Quick Start
● TIBCO Spotfire® Server and Environment - Installation and Administration
● TIBCO Spotfire® Server Release Notes
● TIBCO Spotfire® Business Author and TIBCO Spotfire® Consumer Release Notes
● TIBCO Spotfire® Business Author and Consumer User's Guide
● TIBCO Spotfire® Cobranding Help
● TIBCO Spotfire® Qualification Installation and Configuration Manual
● TIBCO Spotfire® Qualification User's Guide
● Deploying and Using a TIBCO Spotfire® Language Pack
● TIBCO Spotfire® Automation Services User's Guide
● TIBCO Spotfire® Automation Services API Reference
● TIBCO Spotfire® Automation Services REST API Reference
● TIBCO Spotfire® Server Information Services API Reference
● TIBCO Spotfire® Server Library REST API Reference
● TIBCO Spotfire® Server Platform API Reference
● TIBCO Spotfire® Server Web Services API Reference
● TIBCO Spotfire® Server License Agreement
TIBCO Enterprise Runtime for R documentation
You can find the following documents for TIBCO Enterprise Runtime for R in the TIBCO Documentation Library.
● TIBCO® Enterprise Runtime for R Technical Documentation
● Language Reference (HTML)
● Differences Between TIBCO® Enterprise Runtime for R and Open-Source R (HTML)
● Release Notes (PDF)
● License Agreement (PDF)
You can also find links to CRAN package compatibility reports for this release on TIBCO Cloud™ Spotfire®.
TIBCO Enterprise Runtime for R - Server Edition documentation
The following documents for the TIBCO® Enterprise Runtime for R - Server Edition can be found on the TIBCO Documentation website.
● TIBCO® Enterprise Runtime for R - Server Edition Installation and Administration
● TIBCO® Enterprise Runtime for R - Server Edition Release Notes
Release Version Support
Some release versions of TIBCO Spotfire products are designated as long-term support (LTS) versions. LTS versions are typically supported for up to 36 months from release. Defect corrections will typically be delivered in a new release version and as hotfixes or service packs to one or more LTS versions. See also https://docs.tibco.com/pub/spotfire/general/LTS/spotfire_LTS_releases.htm.
How to Contact TIBCO Support
You can contact TIBCO Support in the following ways:
● For an overview of TIBCO Support, visit http://www.tibco.com/services/support.
● For accessing the Support Knowledge Base and getting personalized content about products you are interested in, visit the TIBCO Support portal at https://support.tibco.com.
● For creating a Support case, you must have a valid maintenance or support contract with TIBCO. You also need a user name and password to log in to https://support.tibco.com. If you do not have a user name, you can request one by clicking Register on the website.
System Requirements for Spotfire Products
For information about the system requirements for Spotfire products, visit http://spotfi.re/sr.
How to Join TIBCO Community
TIBCO Community is the official channel for TIBCO customers, partners, and employee subject matter experts to share and access their collective experience. TIBCO Community offers access to Q&A forums, product wikis, and best practices. It also offers access to extensions, adapters, solution accelerators, and tools that extend and enable customers to gain full value from TIBCO products. In addition, users can submit and vote on feature requests from within the TIBCO Ideas Portal. For a free registration, go to https://community.tibco.com.
For quick access to TIBCO Spotfire content, see https://community.tibco.com/products/spotfire.
Environment Overview
Understanding the components of the Spotfire environment, and the communication between them, is key to building a more secure environment.
1. The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect. From a Spotfire Server start page, entities in the Spotfire environment can be configured and monitored.
For more information about the Spotfire Server, see its documentation.
2. Multiple nodes are installed and connected to Spotfire Server. The Spotfire Web Player service, Spotfire Automation Services, and the TERR service are installed on nodes to enable the use of Spotfire web clients, running Spotfire Automation Services jobs, and running TERR data functions and scripts.
For more information about the components installed on nodes, see their help:
● Node manager (installation and configuration in TIBCO Spotfire® Server and Environment Installation and Administration)
● Spotfire® Web Player (service installation and configuration in TIBCO Spotfire® Server and Environment Installation and Administration)
● Spotfire® Automation Services
● TERR™ Server Edition (TERR service)
3. The server is connected to a Spotfire database that contains a user directory and stores analyses and configuration files. For more information, see its documentation.
4. After the node is installed, the node performs a join request to a specific, unencrypted Spotfire Server HTTP port that handles only registration requests. The node remains untrusted until the administrator approves the request by trusting the node. The Spotfire Server start page provides the tools to add nodes to the environment by explicitly trusting them, thereby issuing the certificates. When the node receives its certificate, it can send encrypted communication over the HTTPS/TLS ports, and with this, the node can start to send more than registration requests.
The secured back-end communication is based on certificates. After an administrator has approved the new server or node, the certificates are issued automatically. Without a certificate, a server or a service on a node cannot make requests to, or receive requests from, other entities, except for the registration request that obtains a certificate. For more information, see Ports and firewall configuration in TIBCO Spotfire® Server and Environment Installation and Administration.
This diagram shows all of these components, as well as how data flows and network protocols are used in a typical Spotfire environment.
Ports and Protocols
You can use the following ports, connections, and protocols to secure Spotfire.
Ports
Spotfire Server, the node manager, and related services reserve the following ports for various communication tasks.
Public-Facing Client Connection Ports

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Public HTTP port | 80/tcp, if enabled | Non-secure communication with installed clients and web clients. | No |
| Public HTTPS port | 443/tcp, if enabled | Secure communication with installed clients and web clients. | Yes |

The HTTP connector port and the HTTPS connector port are configured independently and are exposed externally for client connection. You can use either of them or, in some cases, both.
Spotfire Server

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Back-end registration port | 9080/tcp | Establishing trust between the Spotfire Server and nodes only. | No |
| Back-end communication port | 9443/tcp | Monitoring secure traffic between nodes. (Spotfire Server monitors secure traffic from services on the nodes.) | Yes |
| First clustering port | 5701/tcp | Secure communication within the environment. This port is the same for all servers in the cluster. | Yes |
| Second clustering port | 5702/tcp | A second clustering port for secure communication within the environment. | Yes |
| JMX RMI port | 1099/tcp, if enabled | If JMX RMI access is enabled, Spotfire Server opens a separate port for this purpose. Might be considered a "public-facing" port. | See config-jmx |
Node Manager

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Registration port | 9080/tcp | Establishing trust between node managers and Spotfire Server. | No |
| Communication port | 9443/tcp | Secure communication within the environment. | Yes |
Services

| Name | Default Port and Protocol | Function Description | Secure/Encrypted |
|---|---|---|---|
| Communication port (Spotfire Web Player/Spotfire Automation Services) | 9501/tcp, if the service is installed | Spotfire Web Player and Spotfire Automation Services, for secure communication. | Yes |
| Communication port (TERR) | 9502/tcp, if the TERR service is installed | TERR service, for secure communication. | Yes |
| TERR engine ports | 61000/tcp to 63000/tcp, if the TERR service is installed | Host-internal communication between the TERR service and the TERR engines. | No |
The back-end ports need to be exposed only for Spotfire Server connections to the services available from the node manager.
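A practical way to use the port tables above is to compare them against what a host actually listens on. The following script is an added example, not part of the TIBCO documentation or product: it parses `ss -ltn` output, reports listeners that are not in the tables, and flags documented unencrypted ports (80, 9080, the TERR engine range) that are bound to a non-loopback address and therefore need a firewall rule. The sample `ss` output is constructed, and treating the JMX RMI port as plaintext is an assumption made so that it is always raised for review (its encryption depends on config-jmx). It covers both the Spotfire Server and node-manager roles.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Listener(NamedTuple):
    address: str
    port: int


# Port -> (name, encrypted), taken from the Spotfire Server port tables above.
# The JMX RMI port's encryption depends on config-jmx; it is treated as
# plaintext here so that it is always flagged for review (assumption).
SPOTFIRE_SERVER_PORTS: Dict[int, Tuple[str, bool]] = {
    80: ("Public HTTP port", False),
    443: ("Public HTTPS port", True),
    9080: ("Back-end registration port", False),
    9443: ("Back-end communication port", True),
    5701: ("First clustering port", True),
    5702: ("Second clustering port", True),
    1099: ("JMX RMI port", False),
}

# Node manager and service ports, from the tables above.
NODE_PORTS: Dict[int, Tuple[str, bool]] = {
    9080: ("Node manager registration port", False),
    9443: ("Node manager communication port", True),
    9501: ("Web Player / Automation Services communication port", True),
    9502: ("TERR service communication port", True),
}
NODE_PORTS.update({p: ("TERR engine port", False) for p in range(61000, 63001)})

LOOPBACK = ("127.0.0.1", "[::1]", "localhost")

# Matches the LISTEN rows of `ss -ltn`; group 1 is the bind address, group 2 the port.
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse `ss -ltn` output into (address, port) pairs, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2))))
    return listeners


def audit_listeners(listeners: List[Listener], expected: Dict[int, Tuple[str, bool]],
                    extra_allowed: FrozenSet[int] = frozenset()):
    """Compare observed listeners with the documented port table.

    Returns (unexpected, plaintext_exposed): ports absent from the table and not
    explicitly allowed, and documented unencrypted ports bound to a non-loopback
    address, which are reachable from the network and must be firewalled.
    """
    unexpected = []
    plaintext_exposed = []
    for addr, port in listeners:
        if port in expected:
            name, encrypted = expected[port]
            if not encrypted and addr not in LOOPBACK:
                plaintext_exposed.append((port, name, addr))
        elif port not in extra_allowed:
            unexpected.append((port, addr))
    return unexpected, plaintext_exposed


# Constructed sample `ss -ltn` output for a Spotfire Server host (not real data).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:9080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:9443         0.0.0.0:*
LISTEN  0       128     127.0.0.1:1099       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    found = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    unexpected, exposed = audit_listeners(found, SPOTFIRE_SERVER_PORTS, extra_allowed=frozenset({22}))
    for port, addr in unexpected:
        print(f"UNEXPECTED listener {addr}:{port}: not in the Spotfire port table")
    for port, name, addr in exposed:
        print(f"PLAINTEXT {name} ({port}) bound to {addr}: restrict to node managers with a firewall")
```

On a node host, run the same audit with `NODE_PORTS` instead of `SPOTFIRE_SERVER_PORTS`. In the sample, 8080 is reported as unexpected and the plaintext registration port 9080 is reported because it is bound to all interfaces; the JMX port on loopback is not reported.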
Outbound Connections
The following outbound connections might differ from your deployed system, because connections depend on the configuration of the particular environment. For example, the Spotfire Server creates LDAP connections only if the system is configured to use LDAP.

Spotfire Server

| Type of connection | Default | Function | Secure/Encrypted |
|---|---|---|---|
| Database communication | Oracle database: 1521; SQL Server: 1433 | The Spotfire database server monitors this port. | If configured |
| LDAP | LDAP over TLS: 389; LDAPS: 636 | An optional number that indicates the TCP port that the LDAP service is monitoring. | If configured |
| LDAP > Global Catalog | LDAP: 3268; LDAPS: 3269 | Active Directory LDAP servers also provide a Global Catalog that contains forest-wide information, instead of domain-wide information only. | If configured |
| TIBCO Enterprise Message Service (EMS) | Non-secure connection: 7222; Secure connection: 7243 | This service can be used to trigger scheduled updates. EMS monitors this port. | If configured |
| Kerberos/GSSAPI | Fixed port 88 on the Active Directory domain controllers | Used by the Kerberos authentication method, as well as when authenticating to an LDAP server using the GSSAPI method. | Yes |
| Microsoft Net Logon, SMB, and CIFS | Fixed port 445 on the Active Directory domain controllers | Used by the NTLM v2 authentication method. | Yes |
| OpenID Connect providers | 443 | Used by the web authentication method. | Yes |
| Data sources (Information Services) | Oracle database: 1521; SQL Server: 1433; Netezza: 5480; otherwise, varies. | JDBC-compliant data sources and other services used by Information Services monitor these ports. | Varies |
Node manager/Services

| Type of connection | Default | Function | Secure/Encrypted |
|---|---|---|---|
| Spotfire® Web Player & Spotfire® Automation Services > Map/tiles server connections | The default map layer uses https://geoanalytics.tibco.com/ | The map chart downloads map tiles and other information from external servers. | Yes |
| Spotfire Web Player & Spotfire Automation Services > SMTP | 25, 2525, or 587; Secure SMTP: 465, 25, or 587 | Used by Spotfire Automation Services for sending e-mails. | Secure if configured |
| Spotfire Web Player & Spotfire Automation Services > Data sources (Connectors) | Varies | For information on available connectors, see "List of Connectors in this Version" in the Spotfire Analyst User's Guide. Data connectors listen on these ports. | Varies |
HTTP Cookies
Spotfire Server can set the following HTTP cookies on Spotfire Analyst clients that connect over the public HTTP port (default 80/443).
The Secure attribute is set only if the connection is HTTPS, not HTTP. To protect against cross-site request forgery (CSRF) attacks, Spotfire does not rely on using the SameSite attribute on cookies.

HTTP Cookies Spotfire Server can set for public HTTP port connections from Spotfire Analyst clients

| Name | Description | Comment |
|---|---|---|
| JSESSIONID | Session cookie for Spotfire Server. | HttpOnly attribute is set. |
| SF_REMEMBER_ME | Cookie used for the persistent sessions ("remember me") feature. | HttpOnly attribute is set. See config-persistent-sessions. |
| XSRF-TOKEN | Holds the CSRF token. | HttpOnly is not set. A cookie that holds a CSRF token is passed to JavaScript using a cookie value. This behavior is intended. |
| zoneCheck | Cookie the JavaScript API uses for identifying browser incompatibilities with Spotfire. | HttpOnly is not set. It is not needed, because the cookie is used by client-side JavaScript code and does not contain sensitive information. |
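The cookie table above doubles as an audit checklist: session and remember-me cookies must carry HttpOnly, the script-readable XSRF-TOKEN and zoneCheck cookies must not, and everything must carry Secure when the connection is HTTPS. The script below is an added example, not TIBCO code; it parses Set-Cookie header values and reports deviations from those expectations. The sample headers are constructed (two of them deliberately deviate so the audit has something to report); the cookie values are placeholders.

```python
from typing import Dict, List, NamedTuple, Tuple


class CookieExpectation(NamedTuple):
    # True: HttpOnly must be set; False: HttpOnly must be absent because
    # client-side JavaScript has to read the cookie.
    http_only: bool


# Expectations taken from the cookie table above.
EXPECTED_COOKIES: Dict[str, CookieExpectation] = {
    "JSESSIONID": CookieExpectation(http_only=True),
    "SF_REMEMBER_ME": CookieExpectation(http_only=True),
    "XSRF-TOKEN": CookieExpectation(http_only=False),
    "zoneCheck": CookieExpectation(http_only=False),
}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, object]]:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, Max-Age) keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def audit_cookies(set_cookie_headers: List[str], over_https: bool) -> List[str]:
    """Return one finding per deviation from the documented cookie attributes."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        http_only = "httponly" in attrs
        secure = "secure" in attrs
        expectation = EXPECTED_COOKIES.get(name)
        if expectation is None:
            findings.append(f"{name}: not in the documented cookie table, review it")
            continue
        if expectation.http_only and not http_only:
            findings.append(f"{name}: HttpOnly missing")
        if not expectation.http_only and http_only:
            findings.append(f"{name}: HttpOnly set, but client-side JavaScript must read this cookie")
        if over_https and not secure:
            findings.append(f"{name}: Secure missing on an HTTPS connection")
    return findings


# Constructed Set-Cookie headers resembling an HTTPS response (not captured data).
SAMPLE_HTTPS_HEADERS = [
    "JSESSIONID=CONSTRUCTED1; Path=/spotfire; Secure; HttpOnly",
    "XSRF-TOKEN=CONSTRUCTED2; Path=/spotfire; Secure",
    "SF_REMEMBER_ME=CONSTRUCTED3; Path=/spotfire; Max-Age=2592000; Secure",
    "zoneCheck=1; Path=/spotfire",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HTTPS_HEADERS, over_https=True):
        print(finding)
```

Feed it the Set-Cookie headers from a login response to your own server (for example, the response headers shown by the browser's developer tools) and set `over_https` according to how the request was made; on a plain HTTP connection the absence of Secure is expected, as the text above states.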
Node Trust and Back-End HTTPS Communication
Node managers and Spotfire Server use encrypted HTTPS for communication. All endpoints are authenticated using either server or client certificates issued by the Spotfire Server root certificate, which acts as a certificate authority for a particular Spotfire environment.
Neither the Spotfire Server nor the client certificates used by the various components of the system are self-signed. They are all signed by the certificate authority that is part of the Spotfire Server. Each Spotfire Server installation generates its own unique root certificate. You cannot provide your own.
The node manager and Spotfire Server registration ports (9080/tcp) are used to establish the trust. These ports use plain HTTP and are used only when new nodes are added to the cluster. After trust is established, any further communication is done over a secured HTTPS connection using the communication port (9443/tcp). For a node to become trusted, a member with the role of Spotfire administrator must manually trust the node, enabling the Spotfire Server certificate authority to issue server and client certificates to it. If a node is untrusted by an administrator through the web administration interface, the Online Certificate Status Protocol (OCSP) is used to communicate that the certificate for the untrusted node has been revoked.
Node managers running a Spotfire service or Spotfire Automation Services install the three certificates into the Windows certificate store under the machine level.
Authentication and Authorization
The following image provides an overview of the available authentication and authorization options for Spotfire.
You can implement other methods using APIs.
Generally, authentication and authorization occur in the following sequence, as shown in the illustration.
1. Authentication established: determined by one of the configurations shown in the left panel of the illustration.
2. User directory authorization.
3. Groups and roles authorization.
4. Licenses authorization.
5. Preferences authorization.
Authentication
Spotfire provides several standard authentication methods, as well as custom authentication using APIs.

| Authentication method | Description |
|---|---|
| User name and password | The default method. User name and password specifies authentication using HTML forms (POST - application/x-www-form-urlencoded) or BASIC access authentication. The credentials are checked against the Spotfire database or another external authentication source (such as LDAP, Windows NT Domain, or Custom JAAS). See External directories and domains and User name and password authentication methods. |
| Two-factor | You can combine the chosen primary authentication method with X.509 client certificates. See Two-factor authentication. |
| NTLMv2 | Note that NTLMv1 is not supported. See NTLM authentication. |
| Kerberos | See Kerberos authentication. |
| Anonymous | If enabled, limited access to view Spotfire files is allowed for unauthenticated sessions. See Configuring anonymous authentication. |
| X.509 client certificates (1) | Spotfire Server requires the client to provide a valid X.509 certificate. Requires HTTPS. See Authentication using X.509 client certificates. |
| OpenID Connect | Goes under the label "Web Authentication" in Spotfire. Provides integration with external authentication providers that support OpenID Connect. See Configuring OpenID Connect. |
| External authentication | See APIs and extension points. |
| Custom Web Authentication | See APIs and extension points. |
| Custom Authentication | See APIs and extension points. |
User Directory OptionsSpotfire features the following user directory sources for authentication.
User directory source Description
Spotfire database Users are stored in a database and managed using the Spotfireadministrative tools.
Windows NT Legacy. Users are managed in a Windows NT domain.
This option does not apply to Linux installations.
LDAP Users (and groups, optionally) are managed in an LDAP server (suchas Active Directory) and are synchronized with Spotfire database.
¹ Combining X.509 client certificates with another authentication method such as user name and password provides a type of two-factor authentication.
APIs and Extension Points
To create a custom authentication experience for your Spotfire users, you can use one of the following types of APIs or extension points.
Post-authentication filter: Use a Java class to implement the com.spotfire.server.security.PostAuthenticationFilter interface, perform additional checks, or create automation steps to perform after completing authentication but before logging the user in. See TIBCO Spotfire Server latest Platform API for more information.
Custom JAAS module: Customize a user name and password authentication method with a JAAS module, which is implemented using the com.spotfire.server.jaas API. For example, instead of checking the end-user credentials against the Spotfire database or LDAP, you can implement a custom login. See TIBCO Spotfire Server Platform API for more information.
External authentication: Use external authentication to provide custom authentication flows where the user's identity can be derived from the incoming HTTP request (for example, using a cookie or a header). External authentication should be combined with a (reverse) proxy or a Java class (Custom Web Authentication) that implements the logic that the custom authentication scheme requires.
Custom Web Authentication: Implement custom web-based authentication flows using the com.spotfire.server.security.CustomWebAuthenticator API. A typical use case is to implement an OAuth2-based authentication flow. See TIBCO Spotfire Server Platform API and Configuring custom web authentication.
Custom Authentication: Implement custom authentication by implementing the com.spotfire.server.security.CustomAuthenticator interface. See TIBCO Spotfire Server Platform API.
Custom login page: Create a custom login page for the Spotfire Server to enable a fully customizable look and feel. If the authentication method is based on user name and password, and if additional information must be collected from the user, you can combine a custom login page with a PostAuthenticationFilter and possibly a custom JAAS login module. See Create a custom login page on the TIBCO Community web site.
Authentication Filter API: This feature is deprecated and should no longer be used.
Additional information about custom authentication methods is available on TIBCO Community.
● TIBCO Spotfire Server API for Custom Authentication
● External Authentication in TIBCO Spotfire 7.11 and later versions
Password Policy and Password Complexity Enforcement
Spotfire Server does not have built-in support for password policies.
However, you can implement support by configuring Spotfire for Kerberos, NTLM, OpenID Connect, or user name and password authentication (together with an LDAP or Active Directory directory). If the external authentication source enforces a password policy, it also applies to Spotfire.
Authorization
Group membership grants users permissions on Spotfire Server, so membership in the groups listed here should be granted only to users who are fully trusted. The list is only a subset of all available Spotfire groups.
For a full list, see Roles.
Roles
Groups define standard roles for administering and using Spotfire. Each special group enables a set of licenses that correspond to an administrative or user role. To assign a role to a user, just add the user to one of the special groups in the following list.
Administrator¹: Members of this group can set library permissions, preferences, and licenses, and manage users and memberships on the system. Only users who need administrator privileges on Spotfire Server, including the ability to manage users and groups, should belong to this group.
Library Administrator¹: Members of this group are granted full permission to the library. It overrides all folder permissions set in the library, granting full control over content. It also includes the permission to import and export library content. Only users and groups that need administrative privileges in the library should belong to this group.
Deployment Administrator¹: Members of this group have permission to use the Deployments & Packages user interface in the Spotfire Server console. A deployment area is a collection of software packages intended for a specific Spotfire group and client type (Spotfire client, Spotfire Web Player and Spotfire Automation Services) and is used to push hotfixes and other software updates.
Diagnostics Administrator¹: Members of this group have permission to use the Monitoring & Diagnostics user interface in the Spotfire Server console.
Scheduling and Routing Administrator¹: Members of this group have permission to use the Scheduling & Routing user interface in the Spotfire Server console to create and manage scheduled updates and routing rules.
Scheduled Updates Users: The account that runs scheduled updates must be a member of this group. By default, the account scheduledupdates@SPOTFIRESYSTEM is a member of this group.
Automation Services Users: Members of this group have permission to execute Spotfire Automation Services jobs on the server, using the Job Builder or the Client Job Sender. By default, the account automationservices@SPOTFIRESYSTEM is a member of this group.
Custom Query Author²: Members of this group have permission to save scripts written in custom query languages as trusted to the library.
Script Author³: Members of this group have permission to save scripts as trusted to the library. For more information about scripts, see Use of scripts in Spotfire.
Everyone: This group always contains all users in the Spotfire implementation. No users can be removed from this group, but you can set licenses for the group if you want to.
System Account: This group cannot be edited. It contains the system accounts that are used internally in the Spotfire environment.
¹ Members of these groups have almost unrestricted access to the system. Only fully trusted users should be added to any of the administrator groups.
² Provides the ability to create data connections that contain arbitrary and unrestricted query language constructs (typically SQL).
³ Scripts are very powerful. A script author can, among other things, run arbitrary commands on the Web Player server. See Scripts in Spotfire for a description of the different types of scripts in Spotfire and what capabilities they bring.
Licenses
Generally, licenses do not grant further permissions to Spotfire users (as opposed to groups). Rather, licenses provide a way to toggle certain functionality on or off for groups of users in the user interface. This topic discusses exceptions.
See the TIBCO Spotfire® Administration Manager User's Manual, available on the TIBCO docs site, for more information about licenses.
TIBCO Spotfire Analyst: Create Information Link: Users that have this license can author information links containing arbitrary SQL code.
TIBCO Spotfire Information Modeler: Administration: Users that have this license have permission to modify data sources, joins, and other elements when they are working with information links.
Preferences
Preferences are usually set by administrators. Some preferences can have an impact on security, and these should be set only after considering any possible security impact that setting the preference might have. A non-exhaustive list of such preferences follows.
See the TIBCO Spotfire® Administration Manager User's Manual, available on the TIBCO docs site, for more information about preferences.
Application > Application Preferences
Additional File Extensions (default: .html, .htm): In Spotfire clients, file:// links are passed to Windows, and the default open action for the file type is performed. For example, .html files are opened in the default browser, and .jpg files are opened in the application associated with the .jpg file extension. If extensions such as .bat, .py or .exe (file types that can contain code) are added as allowed file extensions in Spotfire, opening files from untrustworthy sources can be dangerous.
Additional URI Schemes (default: empty): Controls which URI schemes can be used, in addition to http:// and https://.
AllowSharingOfCachedDataBetweenUsers: Controls whether a user is allowed to select the check box Share cached data between all concurrent users of Spotfire web clients on the Cache Settings tab in the Data Connection Properties dialog box. Setting this preference to False disables the check box control.
Blocked System Types (default: empty): Specifies an array of system types that cannot be used when users save or load documents and bookmarks. The purpose of this restriction preference is to give the administrator a way to block yet-unknown security issues with insecure deserialization of .Net types or classes, as an environment option. Classes already found to be insecure are blocked without using this preference. Also see Use Blocked System Types in the Application Preferences topic in the TIBCO Spotfire Administration Manager - User's Guide.
EnableAllowSavingDatabaseCredentials (default: True): If enabled, users have the option to include embedded credentials for a data source used in the file when saving Spotfire analyses. Embedding credentials is not recommended because it is possible for anyone with access to the file to read the credentials. By setting this value to False, you can ensure that credentials are not embedded in files by mistake.
Sandbox Attribute for iframe Components (default: allow-forms allow-popups allow-same-origin allow-scripts): You can restrict the content of iframe components in the application (such as the Web page panel) using the standard sandbox attribute rules. Enter the values that remove the specified sandbox restrictions, as a space-separated list.
Whitelist for Allowed URIs (default: empty): You can specify an array of URIs that should be allowed for use in links within Spotfire analyses and also in the "Web Page panel". For security reasons, only trusted sources should be whitelisted. By controlling the whitelist, you can ensure that only approved web servers and other external resources are allowed to interact with analysis files in the Spotfire environment. See Use Whitelist for Allowed URIs in the Application Preferences topic in the TIBCO Spotfire Administration Manager - User's Guide.
TextArea > TextArea Preferences
PerformHtmlSanitation (default: True): HTML sanitization is a whitelist feature that works by only allowing a small subset of HTML in the text area. If disabled, the author or others can create or open analyses that include text areas without HTML sanitation. Setting the preference to False makes the system susceptible to cross-site scripting (XSS) attacks if files from untrustworthy sources are opened.
DataFunctions
IgnoreTrustCheck (default: False): Allows you to switch off the trust checking of data functions, so that data functions that are not approved by a member of the Script Author group can execute without prior approval. Introduced in Spotfire 10.3.
MapChart > MapChart Preferences
DefaultWebMapServiceListUrl (default: http://geoanalytics.tibco.com/): The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire.
DefaultHttpsWebMapServiceListUrl (default: http://geoanalytics.tibco.com/): The default map chart resource server URL can be overridden so the map chart can be used in an environment without Internet access. See Offline Maps in Spotfire.
Logging and Monitoring
Spotfire provides different logs for monitoring, diagnostics, and accountability purposes.
User Action Logging: See Action logs and system monitoring.
Monitoring & Diagnostics: See Monitoring and diagnostics.
JMX: See Server monitoring using JMX and JMX configuration security features.
Logs can contain personally identifiable information such as IP addresses, e-mail addresses, and user names. Logs do not contain hashed, encrypted or clear text passwords, session tokens, or authentication/authorization tokens.
Cryptography
Most authentication data and cryptographic keys for user-facing services are configurable by the administrator.
A Spotfire system also uses cryptographic keys to bind together the internal components and services using connections requiring TLS client authentication. These keys are randomly generated by the services when the system is set up and are therefore unique to each Spotfire system. They cannot be modified by the purchaser, but the keys can be replaced by new random keys at any time.
Data At Rest
Data at rest is data stored, either temporarily or permanently. Data at rest has certain encryption types, or no encryption, depending on where it is being stored.
● Data in memory on the Spotfire Server, Spotfire Web Player or in the Spotfire Analyst clients is never encrypted.
● Data stored in the Spotfire database is not encrypted, except for especially sensitive data like passwords for service accounts, which are encrypted using AES-128 (Kerberos or LDAPS). User passwords are always hashed (by default, using PBKDF2) and never encrypted.
● Temporary files stored in the attachment manager on the Spotfire Server file system are encrypted. (One exception: the Information Services component's temporary pivot cache is not encrypted.) The default encryption algorithm is AES-128. Other possible options are AES-192 or AES-256. See config-attachment-manager (--encryption-enabled and --encryption-key) for more information.
● Temporary files stored on the Spotfire Web Player file system are not encrypted.
● Temporary files stored on the Spotfire Analyst file system are not encrypted.
● "Save my login information" stores the user's Spotfire login in an encrypted form using Microsoft's ProtectedData API (DPAPI) protected with the user scope.
Data In Motion
Data in motion is data moving through the Spotfire environment. Data in motion has certain encryption protection, depending on how and where it is moving.
● Communication between the Spotfire Server and any backend services, like Spotfire Web Player, is always encrypted using Transport Layer Security (TLS).
● Data that is transported over the HTTP, LDAP, and JMX protocols can be secured by TLS. The TLS protocol version, the encryption algorithm, and the key strength are configurable using standard Java procedures. See Test or Revert changes to Oracle's JDK and JRE Cryptographic Algorithms in the Java documentation for more information. Also see:
— Configuring HTTPS
— Configuring LDAPS
— config-jmx (--tls-enabled, --need-client-auth)
● Communication with the Spotfire database can be secured by either TLS or vendor-specific encryption protocols. See the documentation for your Oracle or MS SQL database for more information about configuring the database server to accept only secured / encrypted connections.
● Communication with databases used as Information Services data sources can also be secured by either TLS or vendor-specific encryption protocols. See the vendor documentation for your database.
Standards and Algorithms
Spotfire provides the following standards and algorithms for encryption.
Hashing of user passwords: PBKDF2. SHA-512, SHA-256 or SHA-1 can be used for password hashes created by older versions of Spotfire Server.
Script trust hashes: SHA-1 and SHA-512. IronPython scripts, JavaScript, custom queries, TERR scripts, and other data functions are trusted based on hash value.
Encryption of service passwords: AES-128.
Data transfers: SHA-512, but also supports SHA-256, SHA-1 and MD5. For error-detection checksums in the Digest/Content-MD5 HTTP headers, as defined by RFC 3230 and RFC 1864.
Temporary data files: AES-128, AES-192 and AES-256.
Information Link cache: SHA-256. For calculation of cache keys used for comparison.
Software distribution files ("deployments"): SHA-1. For error-detection checksums.
Server configurations: SHA-1. For error-detection checksums.
HTTP over TLS (HTTPS): The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See Java Cryptography Architecture Oracle Providers Documentation.
LDAP over TLS (LDAPS): The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See Java Cryptography Architecture Oracle Providers Documentation.
JMX over TLS: The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See Java Cryptography Architecture Oracle Providers Documentation.
JDBC over TLS: The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See Java Cryptography Architecture Oracle Providers Documentation.
JDBC using vendor-specific cryptography: The Oracle Database JDBC driver supports the following algorithms. Legacy: RC4-40, RC4-56, RC4-128, RC4-256, DES-40-CBC, DES-56-CBC, 3DES-112 and 3DES-168. Recommended: AES-128, AES-192 and AES-256. See Java Cryptography Architecture Oracle Providers Documentation.
Kerberos/GSSAPI: Legacy: DES-CRC, DES-MD5, RC4-HMAC and AES-128-CTS-HMAC-SHA1-96. Recommended: AES-256-CTS-HMAC-SHA1-96. Uses the built-in Java support for the Kerberos and GSS-API protocols. See Java Cryptography Architecture Oracle Providers Documentation.
NTLM v2: According to the protocol specification.
Backend certificates: Asymmetric keys: automatically generated 2048-bit RSA keys (configurable for certificates representing TSS instances, but not configurable for other components). Signature algorithm: SHA256withRSA (configurable). Keystore: PKCS12.
Backend HTTP over TLS (HTTPS): The TLS cipher suite is chosen from the following set: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_AES_CBC_128_SHA256, TLS_AES_CBC_256_SHA256. The Node manager does not support ECDHE cipher suites, so they cannot be used for communication involving a Node manager. The TLS protocol is chosen from the following set: TLSv1.2, TLSv1.1, TLSv1. As long as TLSv1.2 is enabled on the machine running Spotfire Web Player, the only protocol and cipher suite used is TLSv1.2 with TLS_RSA_WITH_AES_256_CBC_SHA256.
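The data-transfers row above names the Digest (RFC 3230) and Content-MD5 (RFC 1864) headers. The following added Python example, which is not part of this document or of the Spotfire product, shows how a sender builds those headers and how a receiver verifies them, preferring the strongest listed algorithm; the function names and the sample body are assumptions made for the example.

```python
"""Added example (not Spotfire code): RFC 3230 Digest and RFC 1864 Content-MD5
headers for a message body, with verification on the receiving side."""
import base64
import hashlib
import hmac
from typing import Dict, Optional

# RFC 3230 algorithm tokens mapped to hashlib constructors. "SHA" is the
# RFC 3230 token for SHA-1; SHA-256 and SHA-512 were added by RFC 5843.
DIGEST_ALGORITHMS = {
    "MD5": hashlib.md5,
    "SHA": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
}
# Strongest first: a receiver checks the strongest token it understands.
PREFERENCE = ("SHA-512", "SHA-256", "SHA", "MD5")


def instance_digest(body: bytes, algorithm: str) -> str:
    """Base64 digest of the whole body (an 'instance digest' in RFC 3230 terms)."""
    return base64.b64encode(DIGEST_ALGORITHMS[algorithm](body).digest()).decode("ascii")


def build_headers(body: bytes, algorithms=("SHA-512", "SHA-256")) -> Dict[str, str]:
    """Sender side: a Digest header listing several algorithms plus Content-MD5."""
    digest = ", ".join(f"{alg}={instance_digest(body, alg)}" for alg in algorithms)
    return {"Digest": digest, "Content-MD5": instance_digest(body, "MD5")}


def parse_digest_header(value: str) -> Dict[str, str]:
    """Parse 'SHA-512=<b64>, SHA-256=<b64>' into a token -> value map.
    Tokens are case-insensitive per RFC 3230; base64 never contains commas,
    so splitting on ',' is safe. partition() splits at the first '=' only,
    so base64 padding is preserved."""
    parsed = {}
    for part in value.split(","):
        token, sep, encoded = part.strip().partition("=")
        if sep and token:
            parsed[token.strip().upper()] = encoded.strip()
    return parsed


def verify_digest(body: bytes, digest_header: str) -> Optional[str]:
    """Receiver side: verify the strongest listed algorithm we know and return its
    token, or None. A mismatch on the strongest algorithm is a failure; the
    receiver does not fall back to a weaker one that happens to match."""
    parsed = parse_digest_header(digest_header)
    for alg in PREFERENCE:
        if alg in parsed:
            expected = instance_digest(body, alg)
            return alg if hmac.compare_digest(expected, parsed[alg]) else None
    return None


def verify_content_md5(body: bytes, header_value: str) -> bool:
    """RFC 1864 Content-MD5: base64 of the MD5 of the body."""
    return hmac.compare_digest(instance_digest(body, "MD5"), header_value.strip())
```

As the table says, these are error-detection checksums: they catch accidental corruption in transit, and integrity against an active attacker comes from the TLS layer, not from these headers.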
Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services
The applications in the Spotfire environment use the following encryption.
Digital signatures and encryption of sensitive data and credentials: Strength and algorithm dependent on Windows version and Windows configuration. The Microsoft ProtectedData API (DPAPI). References:
● Protected Data. Protect Method
● Windows Data Protection
● Data Protection API (Wikipedia)
Hash calculation (not for security purposes): SHA-1 (160 bit). Microsoft's SHA1CryptoServiceProvider. Reference:
● SHA1CryptoServiceProvider Class
Script trust hashes: SHA-1 and SHA-512. IronPython, JavaScript, Python, custom queries, TERR scripts, and other data functions are trusted based on hash value.
Hash calculation (for security purposes): SHA-256. The Microsoft SHA256CryptoServiceProvider. Reference:
● SHA256CryptoServiceProvider Class
Hash calculation (for security purposes): SHA-512. The Microsoft SHA512CryptoServiceProvider. Reference:
● SHA512CryptoServiceProvider Class
Encryption of data that crosses computer boundaries: AES-256. The Microsoft EncryptedXml.Encrypt API. Reference:
● Encrypt(XmlElement, X509Certificate2)
Scripts in Spotfire
Spotfire supports a number of execution environments for several programming languages: JavaScript, R (TERR) scripts, Python (IronPython for .Net), and custom queries (different database query languages). In addition, a limited subset of HTML is available in text areas of Spotfire files.
This diagram demonstrates the following.
● Local execution of Python (IronPython) from Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services.
● Local TERR script execution by Spotfire Analyst.
● Remote TERR script execution on TIBCO Spotfire® Statistics Services on behalf of Spotfire Analyst.
● Remote TERR script execution on TERR service, on behalf of Spotfire Analyst, Spotfire Web Player, and Spotfire Automation Services.
● JavaScript execution on Spotfire Analyst and in a web browser (file opened in Spotfire Web Player).
Not pictured: Spotfire Web Player and Spotfire Automation Services executing a data function on Spotfire® Statistics Services.
Spotfire Statistics Services can support one of many different types of scripts, but it is not described further in this document. Use TERR service instead of Spotfire Statistics Services to run TERR data functions from Spotfire Web Player and Spotfire Automation Services.
Script Trust
Only members of the Script Author group can save Spotfire files with scripts that are marked as trusted.
A file containing a trusted script is automatically executed when needed without first asking for end user consent. If the script is not trusted, the user is prompted to approve and manually trust the script for execution, to prevent potentially harmful scripts from running.
Because the Spotfire Server tells a Spotfire client which scripts are trusted and which are not, a Spotfire client must not connect to unknown servers that the user does not trust. For this reason, the following pop-up is displayed if the user tries to connect to a server that has not been manually added to the list of known servers.
If the user does not trust the administrator of the Spotfire Server, then the user should click No. To limit the exposure of the infrastructure to TERR scripts, you can configure the TERR service to run TERR data functions in a Docker container on Linux, or you can run TERR scripts in restricted execution mode.
Script Types
If the correct trust is in place, you can run any of these script types in Spotfire.
Python (IronPython)
Python scripts can access the capabilities available in the Spotfire Analyst API, and also other APIs provided by the Windows operating system. These capabilities include running arbitrary commands; therefore, strict control must be applied to which users are allowed to author scripts and mark them as trusted in the library (such as members of the Script Author group).
Authorization: Members of the Script Author group can mark scripts as trusted to be executed by others.
Execution context:
● The script is executed on the computer that opens the file, which can be the computer running Spotfire Web Player, the Spotfire Analyst client, or Spotfire Automation Services, depending on where the file is opened.
● The script is executed with the privileges of the user who is currently logged in, or of the service account under which the service is set to run. In some cases where Kerberos with delegation is configured, the script executes in the end user's context.
JavaScript in Text Area
To customize parts of the application in ways that cannot be achieved using sanitized HTML in the Spotfire text area, you can add snippets of JavaScript.
Authorization: Members of the Script Author group mark scripts as trusted for execution by others.
Execution context: JavaScript runs in a web browser that does not have direct access to the operating system API. It can use a subset of the functions provided by the Spotfire application for the user who is currently logged in. If a user opens a file containing trusted JavaScript on the Spotfire Web Player, then the script can access anything the user has permission to access in the domain running the Spotfire Server (according to a security policy in browsers referred to as the same-origin policy). For this reason, only trusted users should be members of the Script Author group.
HTML in Text Area
A subset of HTML is allowed in the text area visualization.
Authorization: By default, arbitrary HTML is not allowed in Spotfire because it would enable running JavaScript in the text area. The preference PerformHtmlSanitation can be set to False, which allows creating and viewing any HTML. Setting this preference to False is not recommended, because doing so allows any user to create a file with JavaScript code, bypassing all script trust mechanisms. See Supported HTML in the Text Area.
Execution context: If PerformHtmlSanitation is set to False, then HTML or JavaScript runs in a web browser that does not have direct access to the operating system API. It can use a subset of the functions provided by the Spotfire application for the user who is currently logged in. If a user opens a file containing trusted JavaScript on the Spotfire Web Player, then the script can access anything the user has permission to access in the domain running the Spotfire Server (according to a security policy in browsers referred to as the same-origin policy). For this reason, only trusted users should be members of the Script Author group.
Custom Queries
A normal query (not custom) issued by a Spotfire data connection can use only allowed constructs (for example SELECT column FROM table) in a way that is tightly controlled by the Spotfire connector. A data connection with a custom query does not limit the types of language constructs that are allowed, and enables use of any language construct (for example INSERT, UPDATE, CREATE), as well as other functions specific to the data source.
Authorization:
● Only users that are members of the Custom Query Author group can create custom queries to be trusted by other users.
● The database server normally allows only connections that are authenticated and authorized. Spotfire must provide the connection with credentials to the database server.
Execution context:
● A custom query is executed on the database server and initiated from Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services.
● The query runs with the permissions assigned to the currently authenticated user by the database server.
TERR Data Functions
TERR is an implementation of the R programming language that provides restricted and unrestricted execution environments. TERR data functions running in unrestricted mode have access to the operating system and can run arbitrary commands.
Authorization:
● Members of the Script Author group can save data functions as trusted, to be executed in unrestricted mode for other users.
● Spotfire Statistics Services can be configured to require authentication. It runs as a separate product.
● TERR service runs in a node manager and is called using the Spotfire Server acting as a reverse proxy. It requires an authenticated Spotfire session.
Execution context: A TERR data function runs locally or remotely. Local execution takes place on the Spotfire client itself. Remote execution is when a TERR data function is sent off from a Spotfire client, Spotfire Web Player service, or Spotfire Automation Services service to a TIBCO Spotfire Statistics Services service (a stand-alone product) or TERR service (which runs on a node manager).
Components
The Spotfire environment is composed of servers, services, applications, and tools that communicate and interact to produce visualizations and dashboards that can be shared through a web browser and exported to different formats.
Securing communication between the components of the Spotfire environment requires planning and an understanding of each component. This section provides information about each component, its authentication protocols, and how it executes requests.
TIBCO Spotfire Server
The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect.
These tables provide a reference for the security considerations for the Spotfire Server.
Service account: By default, the service is installed under the root account (on Linux) or NT AUTHORITY\System (on Windows).
Ports and protocols: External communication ports:
● HTTP over 80/tcp
● HTTPS over 443/tcp if enabled
Logs: <spotfire server root>/tomcat/logs. See Spotfire server logs.
A non-extensive inventory of data that may contain credentials and other sensitive information
Type (Default) location Comments
Spotfire library exports <spotfire server root>/
tomcat/application-data/
library/
Default library export path.Can contain old export orbackups of library content.
Spotfire server logs <spotfire server root>/
tomcat/logs
See Logging and monitoring.
Spotfire temporary attachments <spotfire server root>/
tomcat/temp/
AttachmentManager
Encrypted attachments.Temporary storage for datauploaded and downloaded tothe server by Spotfire clients.
Encrypted Spotfire databasepassword for Spotfire Server
<spotfire server root>/
tomcat/webapps/spotfire/
WEB-INF/bootstrap.xml
Used by Spotfire server duringstartup process to connect todatabase.
Spotfire library data External library storagelocation, S3 or local file system,or in Spotfire database.
Only used if enabled. Defaultsetting is to store library data inthe Spotfire database.
32
TIBCO Spotfire® Server and Environment Security
Type (Default) location Comments
HTTPS keystore password <spotfire server root>/
tomcat/conf/server.xml
If HTTPS is enabled,server.xml contains thepassword to the keystore(pkcs12 or jks) that contains theprivate certificate required tocreate a HTTPS listener.
Keystore for HTTPS certificates <spotfire server root>/
tomcat/certs
PKCS12 (.pfx) or Java keystore(.jks) with private keysneeded for HTTPSconfiguration.
Password hashes for end users Spotfire database Users' password hashes neededwhen Spotfire database is usedas the authentication source.Default algorithm sinceSpotfire Server 7.5 is PBKDF2(using HmacSHA512), 100000iterations, 32 bytes of salt.Older algorithm still supportedfor upgraded system. Fromversion 3.3 to 7.5: SHA-512,2323 iterations, 16 bytes of salt.Default in 3.0 to 3.2: SHA-1,one iteration.
Encryption password <spotfire server root>/
tomcat/webapps/spotfire/
WEB-INF/boostrap.xml
The password is storedencrypted using AES-128symmetric encryption using astatic secret key. The passwordis used to encrypt serviceaccounts passwords stored inSpotfire database. See config-encryption. If not set, a staticpassword is used.
33
TIBCO Spotfire® Server and Environment Security
Type (Default) location Comments
Service account passwords Spotfire database andconfiguration.xml
Passwords for service accountsfor services such as LDAPconfiguration, S3 configuration,OpenId Connect, Action Logdatabase are encryptedAES-128 using an encryptionpassword as secret key.
configuration.xml
is an exported copyof the effectiveconfiguration thatresides in theSpotfire database.The file can safely beremoved from thefile system afterhaving changed theSpotfireconfiguration in thedatabase
Information services datasource credentials
Spotfire database Credentials for data sourcesused by information services(created using the SpotfireAnalyst > Information Designertool) are encrypted AES-128using an encryption passwordas secret key.
Hashed passwords for JMXusers
Spotfire database If JMX is used, userscredentials are stored in theSpotfire database.
Kerberos keytab <spotfire server root>/
Spotfire.keytab
Used if Spotfire is configuredfor Kerberos authentication.The keytab file containsencrypted credentials that canbe used to authenticate toremote systems.
Type: Spotfire Server backend trust keystore
Default location: <spotfire server root>/nm/trust/keystore.p12
Comments: Keystore needed for the TLS-encrypted back-end trust communication. The keystore is locked with a static password.
Type: Passwords embedded in Spotfire files
Default location: Spotfire database (library)
Comments: The Spotfire database may contain Spotfire files (.dxp) with embedded credentials to data sources. Passwords are not encrypted, because the password must be made available to end users who access the file. We do not recommend embedding credentials in the file. The preference EnableAllowSavingDatabaseCredentials can be used to disable the option to embed credentials in Spotfire files.
Type: Library exports
Default location: <spotfire server root>/tomcat/application-data/library
Comments: Can contain zip files with exported library content. Data source passwords for information services data sources are not included in the library exports. However, Spotfire analysis files (.dxp) in the exported zip can contain embedded passwords.
Type: Database installation scripts
Default location: No default location; wherever they were run from.
Comments: Database installation scripts contain credentials and connection information for the Spotfire Server database when they are run. These files contain sensitive information and should be deleted when no longer needed, or stored in a safe location.
Type: OAuth2 API client credentials
Comments: The credentials are encrypted.
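The PBKDF2 parameters stated above for end-user password hashes, as an added Python example that is not Spotfire's own code: it derives and verifies a hash with HMAC-SHA512, 100000 iterations and a 32-byte salt, and flags stored records that still use an older scheme so they can be upgraded at the user's next login. The record layout, the algorithm label and the 64-byte derived key length are assumptions made for this example.

```python
"""Model of the end-user password hash scheme this guide describes for
Spotfire Server 7.5 and later: PBKDF2 with HmacSHA512, 100000 iterations
and 32 bytes of salt. Added example, not Spotfire's own code. The record
layout "<algorithm>$<iterations>$<salt>$<hash>" (salt and hash base64),
the algorithm label and the 64-byte key length are assumptions made here."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2-hmacsha512"   # label chosen for this example, not a Spotfire identifier
ITERATIONS = 100_000              # default iteration count stated in the guide
SALT_BYTES = 32                   # default salt length stated in the guide
KEY_BYTES = 64                    # HMAC-SHA512 output size (assumption)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Create a storable record; a fresh random salt is drawn unless one is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be {SALT_BYTES} bytes")
    derived = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != ALGORITHM:
        # Records from the older schemes (SHA-512/2323 or SHA-1/1) need the
        # legacy verification path, which this example does not model.
        raise ValueError(f"unsupported algorithm label: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record does not meet the current default: a legacy
    algorithm label, fewer than 100000 iterations, or a salt shorter than
    32 bytes. Such records can be re-hashed after a successful login."""
    algorithm, iterations, salt_b64, _ = record.split("$")
    return (
        algorithm != ALGORITHM
        or int(iterations) < ITERATIONS
        or len(base64.b64decode(salt_b64)) < SALT_BYTES
    )


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(needs_rehash(record))  # False
```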
Spotfire Server Security Configuration and Administration Activities
This table provides information about configuration activities, security settings, and links into the documentation and community site.

Activity: LDAP - LDAP over TLS
Description or references: Configuring LDAPS. In an LDAP environment, where the Spotfire system communicates with an LDAP directory server, administrators often secure the LDAP protocol using TLS, if the LDAP directory supports this. See Authentication towards LDAP.
Activity: LDAP - SASL authentication
Description or references: Spotfire Server supports two Simple Authentication and Security Layer (SASL) mechanisms for authentication towards LDAP: DIGEST-MD5 and GSSAPI. See Authentication towards LDAP.
Activity: HTTP - Security headers
Description or references: See Security HTTP headers.
Activity: Apache Ignite - TLS (Spotfire server clustering communication)
Description or references: Default: Enabled. TLS can be disabled or enabled. See config-cluster --secure-transport=<true|false>.
Activity: Session handling - Persistent sessions
Description or references: Default: Enabled. See config-persistent-sessions for information on configuring persistent sessions for browser clients.

Activity: "Remember me" in Spotfire Analyst
Description or references: Default: Enabled. See config-login-dialog --allow-remember-me. Controls whether a user can choose to store the login information for future automatic login, or must always provide username and password when logging in.

Activity: Session handling - Timeouts
Description or references: Default: 30 minutes (session), 24 hours (absolute). See Absolute session timeout and idle session timeout for more information.
Activity: Backend communication - Auto-trust
Description or references: Default: Disabled. If enabled, node managers are automatically trusted by the server cluster. See Automatically trusting new nodes for more information.
Activity: Cross-site request forgery (CSRF) - Public web services
Description or references: See config-csrf-protection for more information.
Activity: Configure Spotfire server database security
Description or references: See the following help topics for more information.
● Using Kerberos to log in to the Spotfire database
● Setting up the Spotfire database (SQL Server with Integrated Windows authentication)
Activity: Upgrade Java
Description or references: See Upgrade Java for Spotfire Server 7.5 and later on community.tibco.com.
Activity: Upgrade Tomcat
Description or references: See Upgrade Apache Tomcat for Spotfire Server 7.5 and later on community.tibco.com.

Activity: Upgrade Spring
Description or references: See Upgrade Spring for Spotfire Server 7.5 and later on community.tibco.com.
Activity: HTTPS (TLS over HTTP) for front end port
Description or references: See HTTPS (TLS over HTTP) for Front End Port.

Activity: JMX Security
Description or references: See JMX Security.
Activity: Configure Encryption password
Description or references: The encryption password is used to encrypt service account passwords stored in the Spotfire database. If not set, a static password is used. See config-encryption for more information.
Changing a Windows Service Account for Spotfire Server
The service account running Spotfire Server under Windows can be changed to a user with more restricted rights. Change this setting from the Windows Services user interface.
Procedure
1. Right-click TIBCO Spotfire server > Properties > Log On tab > Log on as. The specified user must have read and write permissions to the files in the Spotfire Server installation path.
2. Set file system permissions restrictively and apply minimal permissions. The service account must have both read and write permissions in the installation folder. Other users on the system do not need access to files in the installation folder.
Change a Linux Service Account for Spotfire Server
Spotfire Server for Linux provides two different installation methods: an RPM installer and a tarball. You can use the tarball to install and configure the server to run as any user.
See Installing the Spotfire Server files (tarball Linux) for more information.
HTTPS (TLS over HTTP) for Front End Port
The file <spotfire server root>/tomcat/conf/server.xml contains the TLS configuration for HTTPS.
In version 10.3, the server.xml file is aligned with Mozilla's Modern Compatibility configuration. The ciphers and protocols in the configuration file can be adjusted to accommodate environment-specific needs.

    <Connector port="443" [...] SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none" [...]
                     sslProtocol="TLSv1.2" protocols="TLSv1.2"
                     honorCipherOrder="true" ciphers="<cipher-suites>">
        [...]
      </SSLHostConfig>
    </Connector>
See Configuring HTTPS for how to enable HTTPS for front end communication, between Spotfire clients and Spotfire Server.
See Authentication using X.509 client certificates for how to enable HTTPS client certificate authentication.
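An added audit script, not part of the Spotfire product, that reads a server.xml and reports connectors deviating from the profile above: only TLSv1.2 (or TLSv1.3) in protocols, honorCipherOrder set to true, and an explicit ciphers list. The sample server.xml is constructed, and the checks are this example's reading of the fragment, not a TIBCO-supplied tool.

```python
"""Audit the TLS connector settings in a Tomcat server.xml against the
profile this guide describes for version 10.3 (TLSv1.2 only, server-side
cipher ordering, an explicit cipher list). Added example, not part of the
Spotfire product; the sample server.xml below is constructed."""
import xml.etree.ElementTree as ET
from typing import List

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: one HTTPS connector matching the guide's fragment
# and one plain-HTTP connector left over from a default install.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none" sslProtocol="TLSv1.2"
                     protocols="TLSv1.2" honorCipherOrder="true"
                     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""


def _split_protocols(value: str) -> set:
    # Tomcat accepts comma- or plus-separated lists; "all" means every
    # version the JVM supports, which can include TLSv1 and TLSv1.1.
    return {p.strip() for p in value.replace("+", ",").split(",") if p.strip()}


def audit_server_xml(xml_text: str) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means
    every connector matches the expected profile."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: connector is not SSLEnabled, clients can talk plain HTTP")
            continue
        hosts = list(conn.iter("SSLHostConfig"))
        if not hosts:
            findings.append(f"port {port}: SSLEnabled but no SSLHostConfig element")
        for host in hosts:
            # A missing protocols attribute means Tomcat's default ("all").
            protocols = _split_protocols(host.get("protocols", "all"))
            weak = protocols - ACCEPTED_PROTOCOLS
            if weak:
                findings.append(f"port {port}: protocols allow {sorted(weak)}; expected only TLSv1.2 (or TLSv1.3)")
            if host.get("honorCipherOrder", "false").lower() != "true":
                findings.append(f"port {port}: honorCipherOrder is not true, the client picks the cipher suite")
            if not host.get("ciphers"):
                findings.append(f"port {port}: no explicit ciphers list, the JVM default set is used")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```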
Security HTTP Headers
The HTTP headers listed in this topic can be set using Spotfire configuration settings.
See the header help topics, linked from the table, for detailed instructions for configuring the header.
Header: X-Frame-Options
Default value: Not set
Comment: Prevents clickjacking and framing of the Spotfire Server web interface by other web sites. If enabled (set to DENY), then the Spotfire Web Player JavaScript API stops working. See Mozilla's reference for X-Frame-Options for more information.

Header: X-XSS-Protection
Default value: Not set
Comment: Controls how the built-in XSS filter for Internet Explorer, Chrome, and Safari should behave when detecting an XSS attack, and whether the filter is enabled. See Mozilla's reference for X-XSS-Protection for more information.

Header: Strict-Transport-Security (HSTS)
Default value: Not set
Comment: Instructs the client that it should be accessed only using HTTPS, instead of using HTTP. See Mozilla's reference for Strict-Transport-Security for more information.

Header: Cache-Control
Comment: Sets directives for caching mechanisms in requests and responses. See Mozilla's reference for Cache-Control for more information.

Header: X-Content-Type-Options
Default value: Not set
Comment: Prevents browser MIME sniffing in some cases. See Mozilla's reference for X-Content-Type-Options for more information.
Adding Custom HTTP Headers in the Spotfire Server Configuration
Other HTTP headers, such as Content-Security-Policy, Referrer-Policy, and Public-Key-Pins (HTTP Public Key Pinning / HPKP), do not have built-in commands to configure. They can be added as custom headers in the Spotfire Server configuration by using the following steps.
Procedure
1. Export the configuration to an XML file.
2. Open the configuration XML file in a text editor, and then add the following tag with content.

    <security>
      ...
      <headers>
        <directives>
          <directive>
            <action>add</action>
            <enabled>true</enabled>
            <name>headername</name>
            <value>value</value>
          </directive>
        </directives>
        <properties />
      </headers>
3. Replace headername with the name of the HTTP header and value with the header value, and, if needed, replace add with another action type. The allowed values for <action> are:
● add
● append
● set
4. Issue config import-config --comment "HTTP header <action>" (with <action> reflecting the appropriate action type).
5. Restart the server.
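The procedure above carried out programmatically, as an added example that is not a Spotfire tool: it inserts a <directive> with the exact element layout from step 2, accepts only the three actions from step 3, and rejects header names or values that are not valid HTTP field syntax. The <configuration> root element of the sample export is an assumption, since the page shows only the <security> fragment.

```python
"""Add a custom HTTP header directive to an exported Spotfire Server
configuration XML, following the <security><headers><directives> layout
shown in step 2. Added example, not a Spotfire tool: the <configuration>
root of the sample below is constructed and the header values are
illustrative."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

ALLOWED_ACTIONS = ("add", "append", "set")     # the values step 3 allows
_HEADER_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 field-name

# Constructed minimal export with an empty directives list.
SAMPLE_EXPORT = """<configuration>
  <security>
    <headers>
      <directives />
      <properties />
    </headers>
  </security>
</configuration>"""


def _child(parent: ET.Element, tag: str) -> ET.Element:
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def add_header_directive(config_xml: str, name: str, value: str, action: str = "add") -> str:
    """Return the configuration with one more <directive>. Rejects unknown
    actions and anything that is not a valid header name or that carries
    CR/LF, so a bad value cannot corrupt the response header block."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action must be one of {ALLOWED_ACTIONS}, got {action!r}")
    if not _HEADER_TOKEN.match(name):
        raise ValueError(f"invalid HTTP header name: {name!r}")
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    root = ET.fromstring(config_xml)
    security = root if root.tag == "security" else _child(root, "security")
    headers = _child(security, "headers")
    directives = _child(headers, "directives")
    directive = ET.SubElement(directives, "directive")
    ET.SubElement(directive, "action").text = action
    ET.SubElement(directive, "enabled").text = "true"
    ET.SubElement(directive, "name").text = name
    ET.SubElement(directive, "value").text = value
    _child(headers, "properties")          # step 2 keeps an (empty) properties element
    return ET.tostring(root, encoding="unicode")


def list_header_directives(config_xml: str) -> List[Tuple[str, str, str]]:
    """(action, name, value) for every enabled directive, for review before import."""
    root = ET.fromstring(config_xml)
    return [
        (d.findtext("action"), d.findtext("name"), d.findtext("value"))
        for d in root.iter("directive")
        if d.findtext("enabled") == "true"
    ]


if __name__ == "__main__":
    updated = add_header_directive(SAMPLE_EXPORT, "Content-Security-Policy", "default-src 'self'")
    updated = add_header_directive(updated, "Referrer-Policy", "strict-origin-when-cross-origin", action="set")
    for entry in list_header_directives(updated):
        print(entry)
    # Next steps from the procedure: config import-config --comment "HTTP header add", then restart.
```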
TIBCO Spotfire Node Manager
A node manager is a container for setting up, running, or tearing down services such as Spotfire Automation Services, Spotfire Web Player, or the TERR service. A service running on a node manager runs in a separate process, can open service ports, and its installation files reside under <nm installation path>/services/.

Spotfire node manager component: Service account
Description:
● Windows default: NT Authority\system
● Linux default: root

Spotfire node manager component: Ports and protocols
Description:
● Registration port on node manager computer: HTTP/9080
● Communication port on node manager computer: HTTPS/9443
A non-exhaustive inventory of data that might contain credentials and other sensitive information.
Type: Node manager and service logs
Default location: <node manager root>/logs
Comments: Contains the node manager and the service logs. It can also contain minidumps and memory process dumps for Spotfire Web Player, if these are created. See also enabledMiniDumpCreationOnError in the Spotfire.Dxp.Worker.Web.config help topic.

Type: SMTP configuration credentials
Default location: Spotfire.Dxp.Worker.Automation.config
Comments: When Spotfire Automation Services is configured with an SMTP server that requires authenticated connections.
Type: Node manager backend trust keystore
Default location: <node manager installation directory>/trust/keystore.p12 (node manager)
Comments: Keystore containing keys for the following:
● internal node manager <-> Spotfire Server
● node manager <-> service
● service <-> Spotfire Server
● service <-> service
The keystore is locked with a static password.
Type: Spotfire Web Player / Spotfire Automation Services proxy server credentials
Default location: Spotfire.Dxp.Worker.Host.exe.config
Comments: ProxyUsername and ProxyPassword hold credentials to a network proxy if one is configured.
Type: Spotfire Statistics Services configuration for Spotfire Web Player and Spotfire Automation Services
Default location: Spotfire.Dxp.Worker.Host.exe.config
Comments: TibcoSpotfireStatisticsServicesUsernames and TibcoSpotfireStatisticsServicesPasswords contain credentials to the Spotfire Statistics Services server(s) if one or more is configured.
Type: Credentials profiles for connectors used by Spotfire Web Player and Spotfire Automation Services
Default location: Spotfire.Dxp.Worker.Host.exe.config
Comments: A configuration file containing user names and passwords to data sources used by data connectors.
Type: Spotfire Automation Services Kerberos identity
Default location: Spotfire.Dxp.Worker.Automation.config
Comments: The Windows user specified by <kerberosIdentity userName="domain\username" password="password" /> is used to run Spotfire Automation Services.
Type: Spotfire Web Player > Scheduled updates identity
Default location: Spotfire.Dxp.Worker.Web.config
Comments: The Windows user specified by <kerberosIdentity userName="domain\username" password="password" /> is used to run Spotfire Web Player.
Credentials are encrypted in the configuration files that are installed with the service. To modify the configuration, you must export the configuration from the database, make modifications, import it back into the database, and then set the configuration for the service.
Node Manager Configuration Tasks
These tools are bundled with the node manager; however, to run the most recent and most secure version, you should review the versions and upgrade as necessary. The articles listed in this topic can help guide you.
● Upgrade Java for TIBCO Spotfire Node Manager on community.tibco.com
● Upgrade Spring for TIBCO Spotfire Node Manager on community.tibco.com
TIBCO Spotfire Connectors
Spotfire connectors support a variety of authentication and transport security options.
See the documentation for each connector to see the available security options.
Database Credentials for Connectors
Because the database connections using Spotfire connectors are initiated directly from the Spotfire client (Spotfire Analyst, Spotfire Web Player, or Spotfire Automation Services), it is important to understand that any database credentials must be available to the client in order to establish the connection. The Spotfire connector data source credentials settings control whether credentials are embedded in the connection or not.
Option: No, do not save any credentials
Description: Use this option if you do not want to save credentials with the connection data source. If the connection data source uses database authentication, all users of the data source are prompted for user name and password for the database when this data source (or a data connection using it) is opened.

Option: No, but save credentials profile (may be used when opening in Spotfire web clients or running TIBCO Spotfire Automation Services jobs)
Description: Use this option if you want to save a credentials profile instead of saving the actual credentials with the connection data source. See Details on Data Source Settings - Credentials in the Spotfire documentation for more information on how to use credentials profiles. See Spotfire.Dxp.Worker.Host.exe.config file > DataAdapterCredentials for information on how to configure Spotfire Automation Services and Spotfire Web Player to use a credentials profile. Use <Spotfire.Dxp.Web.Properties.Settings> and <Spotfire.Dxp.Data.Access.Adapters.Settings> in Spotfire.Dxp.Worker.Host.exe.config.

Option: Yes, save credentials with the connection data source
Description: Saving credentials with the connection data source can be a security risk, because the user name and password are stored as part of the analysis file, and anyone with access to the file can obtain this information. Use this option carefully. If you do save credentials with the connection data source, a recommended practice is to use a database user that has only the minimum privileges required for reading the data that you want to analyze in Spotfire. Select this check box if you want the connection data source to remember the specified username and password. This means that users will not be prompted for credentials when opening a data connection which uses this data source, or an analysis which includes such a data connection. This option can only be used if the connection data source is set to use database authentication. See also the preference EnableAllowSavingDatabaseCredentials. When this preference is set to False, the option "Yes, save credentials with the connection data source" is disabled in the user interface.
TIBCO Spotfire Web Player
Spotfire Web Player is a service that runs on a node. It provides a web service for sharing and distributing analyses inside and outside of an organization.
See Manually Editing the Service Configuration Files for more information.
Spotfire Web Player component: Service account
Description: Default: NT Authority\System.

Spotfire Web Player component: Ports and Protocols
Description: Default: HTTPS on port 9501/tcp on node manager host.
Configuration File Settings for Spotfire Web Player
These tables provide information about the configuration files for Spotfire Web Player and its interactions with Spotfire Server and Spotfire Automation Services using APIs.
Spotfire.Dxp.Worker.Web.config
For more information, see Spotfire.Dxp.Worker.Web.config help.
Setting: /javascriptApi - <javaScriptApi enabled="true" domain="domain1.com,domain2.com">
Default value: JavaScript API enabled, all domains allowed
Description: Controls whether the use of the JavaScript API is enabled or not, and from which domains it is possible to use the JavaScript API. A non-empty domain whitelist indicates that only listed domains are able to embed Spotfire files in their web site using the JavaScript API. The list is a comma-separated list of domain names.

Setting: /analysis/inactivityTimeout
Default value: 2 hours
Description: Timeout for inactive analyses. A Spotfire file is closed after the inactivityTimeout is reached. In practice, a session timeout is not shorter than the inactivityTimeout value, because an open analysis file in a web browser continuously renews the session, so the session timeout is not met. Only after the session has no open files left, and the user session is not actively connected to Spotfire Server, does the session timeout start counting. This design ensures that every HTTP request renews the session.
Spotfire.Dxp.Worker.Core.config
This configuration file specifies settings for the service's communication with the Spotfire Server, and whether sections in configuration files should be encrypted. For more information, see Spotfire.Dxp.Worker.Core.config help.
Setting: /authentication@hostsToAuthenticate
Description: A list of patterns for which the service should use Windows authentication (NTLM or Kerberos). Wildcard patterns such as *.x.com can be used to match all subdomains of x.com. Do not add servers that are not trusted to this list, because you risk leaking NetNTLM tokens, which can be a security risk.

Setting: /cryptography@encryptConfigurationSections
Default value: true
Description: Set to true to encrypt sections of configuration files containing sensitive information.

Setting: /cryptography@DataProtectionConfigurationProvider
Default value: DataProtectionConfigurationProvider
Description: By default the DataProtectionConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt sections of the configuration with a machine-specific secret key, which means that the encrypted sections can only be decrypted on the same machine the service is running on. See Encrypting Configuration Information Using Protected Configuration for more information.
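An added example, not the service's own matcher, showing how a reviewer can check a proposed hostsToAuthenticate list before a service is configured with it: a host gets Windows authentication only if it fully matches a pattern, and entries whose fixed suffix is too short to name a domain are flagged. The matching semantics (case-insensitive, anchored at both ends, * spanning any number of labels) and the host names are assumptions made for this example.

```python
"""Model of how a hostsToAuthenticate pattern list should be matched, to
review an entry before it is added to Spotfire.Dxp.Worker.Core.config.
Added example, not the .NET service's own matcher: the exact matching rules
are not documented on this page, so the semantics here are an assumption,
and the host names are constructed."""
import re
from typing import Iterable, List


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    # Escape everything except "*", which becomes ".*" so "*.x.com" covers
    # every subdomain depth. Anchoring prevents "x.com.attacker.test" from
    # matching, which a plain substring test would allow.
    parts = [re.escape(p) for p in pattern.strip().lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def should_use_windows_auth(host: str, patterns: Iterable[str]) -> bool:
    """True only if the host name matches a configured pattern; any other
    host gets no NTLM/Kerberos exchange, so no NetNTLM token leaves the service."""
    host = host.strip().lower().rstrip(".")
    return any(_pattern_to_regex(p).match(host) for p in patterns if p.strip())


def overly_broad_patterns(patterns: Iterable[str]) -> List[str]:
    """Flag entries such as "*" or "*.com" whose fixed suffix has fewer than
    two DNS labels (a heuristic chosen for this example), since they would
    authenticate to arbitrary internet hosts."""
    flagged = []
    for p in patterns:
        suffix = p.strip().lower().rsplit("*", 1)[-1].strip(".")
        labels = [label for label in suffix.split(".") if label]
        if "*" in p and len(labels) < 2:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    configured = ["*.corp.example", "intranet.example"]
    for candidate in ["files.corp.example", "corp.example.attacker.test", "evil-corp.example"]:
        print(candidate, should_use_windows_auth(candidate, configured))
    print(overly_broad_patterns(["*", "*.com", "*.corp.example"]))
```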
Spotfire.Dxp.Worker.Host.exe.config
Spotfire.Dxp.Worker.Host.exe.config is the configuration file for both Spotfire Web Player and Spotfire Automation Services. See Spotfire.Dxp.Worker.Host.exe.config file help for more information.
Setting: /Spotfire.Dxp.Internal.Properties.Settings/AllowedTlsVersions
Default value: Tls, Tls11, Tls12
Description: Determines which versions of the TLS security protocol are allowed. Specify the values separated by a comma ",". For information about the possible values for this setting, refer to the .NET enum SecurityProtocolType. If you leave the value for this setting blank, the allowed TLS versions are set to SystemDefault. If you remove the setting from the configuration file, the allowed TLS versions are set to the default value.
Setting: /Spotfire.Dxp.Data.Properties.Settings/AllowedFilePaths
Default value: Empty
Description: A list of directories that Spotfire Web Player or Spotfire Automation Services are allowed to use as file data sources. Add only approved network shares or other paths that contain files that should be possible to load in a Spotfire file. For security reasons, you should not add entire drive letters such as C:\ because that would allow Spotfire users to read local files from the Spotfire Web Player service.

Setting: /system.net/defaultProxy
Description: If Spotfire Web Player or Spotfire Automation Services should use a proxy server to reach internal and external networks, one can be enabled in this file.
TIBCO Spotfire Automation ServicesTIBCO Spotfire® Automation Services is a web service for automatically executing multi-step jobswithin your TIBCO Spotfire® environment. You can, for example, use Spotfire® Automation Services todeliver an analysis file to specific people, in a particular format, at specified times.
TIBCO Spotfire Automation Services component: Service account
Description: Default: NT Authority\System

TIBCO Spotfire Automation Services component: Ports and protocol
Description: Default service port: HTTPS on port 9501 / TCP on node manager host.

TIBCO Spotfire Automation Services component: Log files
Description: <node manager installation directory>/logs/, <node manager installation directory>/services/<automation services service directory>/logs
Configuration File Settings for Spotfire Automation Services
These tables provide information about the configuration files for Spotfire Automation Services and its interactions with Spotfire Server and Spotfire Automation Services using APIs.
Spotfire.Dxp.Worker.Automation.config
This configuration file is used for configurations that are specific to Spotfire Automation Services.
Setting: /Spotfire.Dxp.Automation.Framework/security/allowedFilePaths@allowAll
Default value: True
Description: By default, Spotfire Automation Services tasks can read files from, and write files to, any directory in the file system. Set this to False to allow tasks to read from, and write to, only the directories specified in the <allowedFilePaths> section.
Setting: /spotfire.dxp.automation.tasks/smtp - SMTP configuration
Default value: Not enabled
Description: An SMTP server can be set up to use TLS (useTls) or different methods of authentication.

Setting: /Spotfire.Dxp.Automation.Framework/allowedFilePaths
Default value: All paths are allowed
Description: By default, Spotfire Automation Services tasks can read files from, and write files to, any directory in the file system. Set this to False to allow tasks to read from, and write to, only the directories specified in the <allowedFilePaths> section. (Not to be confused with <allowedFilePaths> in Spotfire.Dxp.Worker.Core.config.)
Spotfire.Dxp.Worker.Core.config
This configuration file specifies settings for the service's communication with the Spotfire Server, and whether sections in configuration files should be encrypted.
Setting: /authentication@hostsToAuthenticate
Description: A list of patterns for which the service should use Windows authentication (NTLM or Kerberos). Wildcard patterns such as *.x.com can be used to match all subdomains of x.com. Do not add servers that are not trusted to this list, because you risk leaking NetNTLM tokens, which can be a security risk.

Setting: /cryptography@encryptConfigurationSections
Default value: true
Description: Set to true to encrypt sections of configuration files containing sensitive information.

Setting: /cryptography@DataProtectionConfigurationProvider
Default value: DataProtectionConfigurationProvider
Description: By default the DataProtectionConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt sections of the configuration with a machine-specific secret key, which means that the encrypted sections can only be decrypted on the same machine the service is running on. See Encrypting Configuration Information Using Protected Configuration for more information.
Spotfire.Dxp.Worker.Host.exe.config

Setting: /Spotfire.Dxp.Internal.Properties.Settings/AllowedTlsVersions
Default value: Tls, Tls11, Tls12
Description: Determines which versions of the TLS security protocol are allowed. Specify the values separated by a comma ",". For information about the possible values for this setting, refer to the .NET enum SecurityProtocolType. If you leave the value for this setting blank, the allowed TLS versions are set to SystemDefault. If you remove the setting from the configuration file, the allowed TLS versions are set to the default value.

Setting: /Spotfire.Dxp.Data.Properties.Settings/AllowedFilePaths
Default value: Empty
Description: A list of directories that Spotfire Web Player or Spotfire Automation Services are allowed to use as file data sources. Add only approved network shares or other paths that contain files that should be possible to load in a Spotfire file. For security reasons, you should not add entire drive letters such as C:\ because that would allow Spotfire users to read local files from the Spotfire Web Player service.

Setting: /system.net/defaultProxy
Description: If Spotfire Web Player or Spotfire Automation Services should use a proxy server to reach internal and external networks, one can be enabled in this file.
Client Job Sender (Spotfire Automation Services)
The Client Job Sender is a command-line tool for executing Spotfire Automation Services jobs.
The tool has a number of security configuration options. See the section Configuring the Client Job Sender in the Spotfire Automation Services User's Manual for a full list of settings.
TIBCO Enterprise Runtime for R - Server Edition
TIBCO® Enterprise Runtime for R - Server Edition provides Spotfire clients with the ability to execute R code, using TERR, on the TERR service node.
A TERR service is required to execute data functions in Spotfire files from Spotfire Automation Services and Spotfire Web Player, because those services do not have TERR engines.
The TERR service runs as the same user account as the node manager on which the service runs. See Node Manager.
By default, TERR scripts executed by the TERR service on behalf of its users are executed in a different execution context, as explained here.
TERR service component: Service account
Default: NT Authority\System or root (Linux)
TERR service component: Log files
Default: <node manager installation>/logs
Description: See the TERR service logs for more information.
The TERR service ports and protocols

Name: Communication port
Default port and protocol: 9502/tcp
Function description: For secure (HTTPS) internal communication. Cannot be accessed directly.
Secure/encrypted: Yes

Name: TERR engine ports
Default port and protocol: 61000/tcp -> 63000/tcp
Function description: Host-internal communication between the TERR service and the TERR engines.
Secure/encrypted: No
Settings and Configuration Tasks for TERR Service
You can use these settings to limit the capabilities of running TERR data functions.

Setting / Configuration task: terr.restricted.execution.mode (Enforce restricted execution)
Default value: TRUE
Description: Enforce restricted execution mode for all scripts. Restricted execution mode in the TERR service allows executing arbitrary scripts without worrying that the script could do malicious things, such as deleting files or uploading confidential data to a server over the internet. For more information, see the TERR service help: Safeguarding your environment.

Setting / Configuration task: use.engine.containers
Default value:
● Windows: FALSE
● Linux: TRUE
Description: Available on Linux only. If your deployment is on a Linux server, then the default configuration for the TERR service is to use containers (the property use.engine.containers: TRUE). Running the TERR service with containers enabled prevents the engines from having access to the host system. See Containerized TERR Service for more information.
Setting / Configuration task: disable.spotfire.trust.checks
Default value: FALSE
Description: Disable the trust check only if the TERR service is installed on Linux, with Docker containers, where extra measures have been taken to secure the container environment, or if all Spotfire users in the environment can be trusted.

Setting / Configuration task: Set file size upload limit
Default value: 100MB
Description: See File size upload limit for more information.

Setting / Configuration task: Set TERR engine ports range
Default value: 61000 - 63000
Description: See TERR engine ports for more information.

Setting / Configuration task: Enable JMX Monitoring
Default value: OFF
Description: See Monitoring the TERR service using JMX.
Restrict Network Access for TERR Scripts in Containers
By default, the containers in which TERR scripts run have access to the network resources given to them.
If TERR scripts are not running in restricted execution (REX) mode, then any TERR script can connect to the network. To restrict external network access for the container, and therefore for any scripts running within it, the node manager computer must be configured so that the containers cannot reach the network. One way to do this is to implement iptables rules that block traffic from Docker containers to outside networks.
Use a Custom Docker Image for Containerized TERR
If the node manager is running on a Linux computer, then you can run the TERR service in a Docker container.
For more information, see the following help topics.
● Configuring a custom Docker image on a node with internet access
● Pulling a custom Docker image from an authenticated repository
Script Security & Restricted Execution Modes
The following mechanisms control the security of the TERR service and prevent users from running malicious scripts on the server.
● Restricted execution mode (REX).
● TERR engine in Docker containerization.
● Script trust and access control.
Only users in the Spotfire license group Script Author can create and mark TERR scripts as trusted. Trusted scripts run in an unrestricted execution environment (no REX or container) unless the TERR service enforces that all scripts run in restricted mode. Untrusted scripts always run in REX mode or in a container.
Docker Containerization for TERR Scripts
Scripts running in a container but not using restricted execution mode have full access to the Docker container and have permission to do anything that is possible from within the container. The level of isolation a container provides depends on the Docker installation and the privileges given to these containers.
Configuration: TERR service host isolation
Description: Scripts are prohibited from accessing the file system of the host computer running the TERR service.

Configuration: User isolation
Description: The use of engine containers ensures that the same execution environment is not reused for multiple data functions initiated by different users.

Configuration: Network isolation
Description: Depending on configuration, TERR scripts can access the external network and other Docker containers that are reachable from within a container. In many cases, a default installation with engine containers lets scripts access the external network, including the internet, and other Docker containers. To restrict access to the network, the Docker containers must be configured to restrict network access. If network isolation is needed, the container options should not be used without terr.restricted.execution.mode=true or additional network configuration.
TERR Restricted Execution Mode (REX)
Scripts running in restricted execution mode (REX), but without container isolation, run directly on the TERR service host using the same user account as the node manager on which the service runs.
The scripts are restricted in their capabilities (see terr.restricted.execution.mode). Enforcing that all scripts run in both restricted execution mode and container isolation provides an extra level of security and is recommended to achieve the highest level of security.
Impact of Relaxing the TERR Service Security Settings
If you have scripts that cannot run in restricted mode because they need access to resources on thesystem or network, then you can change the settings to enable those scripts to run.
This table shows the resulting execution mode, given user role, service configuration, and whether thescript is marked as trusted in the library.
Script Author | terr.restricted.execution.mode | disable.spotfire.trust.checks | Trusted Script | Use evalREX
*             | True                           | *                             | *              | Yes
Yes           | False                          | *                             | *              | No
No            | False                          | True                          | *              | No
No            | False                          | False                         | True           | No
No            | False                          | False                         | False          | Yes
A TERR data function runs without evalREX only if terr.restricted.execution.mode is False and one of the following conditions also exists.
● The data function is trusted in the Spotfire library.
● The request to run the data function originates from a member of the Script author group.
● TERR service is configured with disable.spotfire.trust.checks=True.
TIBCO Spotfire Analyst
With Spotfire Analyst, analysis authors can develop web-based and Windows client-based analyses. Spotfire Analyst provides authoring tools for sharing analyses and dashboards. It is installed on the Windows desktop.
Documentation
You can find documentation for Spotfire Analyst on the TIBCO documentation portal at TIBCO Spotfire Analyst Documentation. Alternatively, you can find the documentation from the Spotfire Analyst Help menu.
Installation directory
By default, Spotfire Analyst is installed in C:\Program Files\TIBCO\. Other information and settings are stored in the directory C:\Users\[username]\AppData.
Ports & Protocols
The default HTTP port is 8000. The protocol is TCP HTTP. Spotfire opens a web server on port 8000. It accepts connections only from localhost.