
User name and password authentication methods

When users start a Spotfire Analyst client, they select which Spotfire Server to connect to. If that server is configured for a user name and password based authentication method, the users are also prompted for their user name and password.

The user name and password are then sent to Spotfire Server.

The login experience for the Spotfire Analyst client can be customized in several ways, including whether users have the option to save their login information, and whether the dialog contains an RSS feed. For details, see Login behavior configuration.

The credentials that users enter are not encrypted when they are transferred to Spotfire Server unless the server uses TLS/SSL. To help counter the risks associated with unencrypted data, enable TLS/SSL when configuring a user name and password authentication method.

For all the user name and password methods, an entry for each user is created in the Spotfire database.

If you configure authentication towards an external user directory such as an LDAP directory, the user list or group hierarchies from the external directory are automatically copied to the Spotfire database.

If you configure authentication towards the Spotfire database, the user and group information must be manually entered.

Authentication towards the Spotfire database

This authentication method requires that the Spotfire user directory be configured for Spotfire database.

When the user directory is set to Database, the administrator usually enters the user names and passwords into the Spotfire database manually. The names and passwords can also be imported from a CSV file, or be automatically created as new users log in to the server. The option to automatically create users is available through the post-authentication filter.

Authentication towards the Spotfire database is the default configuration for Spotfire Server, so no special configuration is required. It is easy and fast to set up and it is recommended for small sites.

Authentication towards LDAP

This authentication method integrates with an existing LDAP directory and delegates the actual authentication responsibility to its configured LDAP servers.

The result is that only users with valid accounts in the LDAP directory can log in to Spotfire Server.

This setup is recommended for larger sites.

Spotfire Server supports the following LDAP servers:

Microsoft Active Directory

The Directory Server product family (Oracle Directory Server, Sun Java System Directory Server, Sun ONE Directory Server, iPlanet Directory Server, Netscape Directory Server)

Other types of LDAP servers may also work with Spotfire Server, but require more advanced configuration.

When Spotfire Server is authenticating towards a Microsoft Active Directory server, it automatically uses the Fast Bind Control (also known as Concurrent Bind Control) option to minimize the consumed resources on the LDAP server.

LDAP authentication can be combined with either the LDAP user directory or the Spotfire database user directory:

When the user directory is set to LDAP, Spotfire Server can automatically import the user names from the LDAP directory. Passwords remain in the external directory, and Spotfire Server contacts this directory to validate users' passwords. You can set the frequency with which Spotfire Server checks the LDAP directory for updates.

When the user directory mode is set to LDAP, Spotfire Server also imports the group names and group membership information. For information on groups, see Users & groups introduction and Group administration.

When the user directory mode is set to Database, the administrator usually enters the valid user names and passwords into the Spotfire database manually. The names and passwords can also be imported from a CSV file, or be automatically created as new users log in to the server. The option to automatically create users as they log in is available through the post-authentication filter.

Configuring LDAP

When user authentication is configured towards an LDAP directory, Spotfire Server delegates authentication responsibility to the configured LDAP servers. Therefore only users with valid accounts in the LDAP directory can log in to Spotfire Server.

For information about supported LDAP servers and what you need to know about your organization's server, see Authentication towards LDAP.

For information about other LDAP implementations, including Kerberos, NTLM, X.509 client certificates, and external authentication, see User authentication.

Prerequisites

Your organization stores user information in an LDAP directory.

A bootstrap.xml file has been successfully saved in the graphical configuration tool; for instructions, see Creating the bootstrap.xml File.

Procedure

1. On the Configuration tab of the configuration tool, next to Authentication, select BASIC LDAP.

The User directory field switches to LDAP along with the Authentication field. This is because in most cases it is recommended that LDAP authentication be paired with the user directory in LDAP mode.

If your LDAP directory contains a very large number of users that are not divided into convenient sub-units (contexts), you may want to use the Spotfire database user directory instead. In this configuration, only users who log in to Spotfire Server are included in the user directory, so there are fewer users for Spotfire Server to track.

2. In the left panel of the page, click Authentication: LDAP, and then click New.

3. In the Create configuration dialog, enter a name for your LDAP configuration, for example "LDAP on TIBCO123", and then click OK.

The LDAP configuration page is displayed.

4. Next to Enable for, select both the Authentication and User directory check boxes. This instructs Spotfire Server to create a user account in the Spotfire database for each user (within the configured scope) in the LDAP directory. When someone tries to log in to the Spotfire system, Spotfire Server accesses their account and then validates their password through the LDAP directory.

5. Next to LDAP username and LDAP password, enter the user name and password of an LDAP service account with read access to Active Directory.

6. Next to LDAP server URL, enter the URL in the form LDAP://server:port, for example LDAP://computer1.TIBCO.com:389.

7. Next to Context names, enter the contexts you want to synchronize.

8. Next to Synchronization schedule you can change the scheduled synchronization times between the LDAP directory and the Spotfire database. The default is to synchronize whenever Spotfire Server is restarted, in addition to daily. For additional synchronization options, click Add.

9. Click Test connection to verify your entries.

10. If you set the user directory to Database in step 1 above, click Post Authentication Filter in the left panel and then, next to Default filter mode, select Auto-create.

When users log in to Spotfire Server they are added to the Spotfire user directory.

11. When you're finished, click Save configuration.

Configuring LDAPS

In an LDAP environment, where the Spotfire system communicates with an LDAP directory server, administrators often secure the LDAP protocol using SSL, if the LDAP directory supports this.

Prerequisites

The LDAP directory server has been set up to communicate using SSL.

Procedure

1. If you are using a self-signed certificate, set Spotfire Server to trust this certificate:

a) Export the certificate to file and copy it to Spotfire Server.

b) Open a command-line interface, navigate to the <installation dir>/jdk/jre/lib/security directory, and run the following keytool command: ../../bin/keytool -import -file ldapserver.crt -keystore cacerts -alias spotfire_ldaps. Replace ldapserver.crt with the name of the exported certificate.

c) When prompted, enter the password to the cacerts keystore. The default password is "changeit" (without quotation marks).

d) Verify that the certificate has been successfully added by using the following command: ../../bin/keytool -list -keystore cacerts -alias spotfire_ldaps.

e) When prompted, enter the password to the cacerts keystore.

2. To activate LDAPS, use the create-ldap-config or the update-ldap-config command.

SASL authentication for LDAP

Spotfire Server supports two SASL (Simple Authentication and Security Layer) mechanisms for authentication towards LDAP: DIGEST-MD5 and GSSAPI.

These mechanisms can provide secure authentication of Spotfire Server when it is connecting to LDAP servers by preventing clear-text passwords from being transmitted over the network.

GSSAPI can provide secure authentication even over unsecured networks because it uses the Kerberos protocol for authentication.

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not support GSSAPI for other LDAP configurations.

Configuring Spotfire Server for DIGEST-MD5 authentication of LDAP

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not support GSSAPI for other LDAP configurations.

Procedure

● When configuring SASL authentication with DIGEST-MD5, follow these guidelines:

The distinguished name (DN) does not work for authentication; the userPrincipalName attribute must be used instead.

Set the authentication attribute option to userPrincipalName.

Set the username attribute option to sAMAccountName.

All accounts must use reversible encryption for their passwords. This is typically not the default setting for Active Directory.

Configuring Spotfire Server for GSSAPI authentication of LDAP

These instructions apply for Active Directory LDAP configurations. Spotfire Server does not support GSSAPI for other LDAP configurations.

Prerequisites

Make sure that you have a fully working Active Directory LDAP configuration using clear-text password authentication (also known as simple authentication mechanism).

Save this fully working Active Directory LDAP configuration to file.

Make a note of the LDAP configuration's ID.

Make sure that you have a fully working krb5.conf file. The content of the krb5.conf file must be the same as when setting up Spotfire Server for Kerberos authentication. See Configuring Kerberos for Java.

Make sure to stop the entire service/Java process before installing the file. If the krb5.conf file is modified after Spotfire Server has been started, you must restart the Spotfire Server process for the modifications to take effect.

Procedure

1. Stop Spotfire Server (see Start or stop Spotfire Server).

2. Copy the fully working krb5.conf file to the <install dir>/jdk/jre/lib/security directory on each Spotfire Server in the cluster.

3. Open the graphical configuration tool and go to the LDAP Configuration panel.

4. Update the LDAP user name so that it is a proper Kerberos principal name. Usually it is sufficient to add the name of the account's Windows domain in upper-case letters. Sometimes it is also necessary to include the Windows domain name. Using a name based on a distinguished name (DN) or including a NetBIOS domain name does not work when using GSSAPI.

Examples of correct names:

ldapsvc@RESEARCH.EXAMPLE.COM

[email protected]@RESEARCH.EXAMPLE.COM

5. Select the specific LDAP configuration to be enabled for GSSAPI and then expand the Advanced settings.

6. In the Advanced dialog, make the following changes:

a) Set the security-authentication configuration property to GSSAPI.

b) Set the authentication-attribute to sAMAccountName or userPrincipalName (whichever works best for your configuration). The default value is empty.

If the krb5.conf file contains more than one Kerberos realm, the authentication-attribute must be set to userPrincipalName.

c) Add a custom property with the key kerberos.login.context.name and the value SpotfireGSSAPI.

7. Click Save configuration.

8. Restart Spotfire Server.

What to do next

Procedure steps related to LDAP configurations must be performed for each LDAP catalogue that you want to enable for GSSAPI. For multiple LDAP configurations, repeat these steps for each configuration.

Authentication towards Windows NT Domain (legacy)

With this authentication method, user authentication is delegated to Windows NT domain controllers.

Spotfire Server must be installed on a computer running Windows and there must be a working Windows NT 4 Server domain controller or a Windows Server 2000 or later domain controller running in mixed mode. This is a legacy solution that should only be used if LDAP cannot be used.

The Windows NT Domain authentication method can be combined with a user directory in either Windows NT Domain mode or in Spotfire database mode.

When combining this authentication method with a Spotfire database user directory mode, the post-authentication filter must be configured for auto-creating mode, so that the users will be automatically added to the user directory. When combining it with a Windows NT Domain User Directory, the default blocking post-authentication filter is already correct.

Authentication towards a custom JAAS module

All the user name and password authentication methods that are supported by Spotfire Server are implemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supports third-party JAAS modules.

You may therefore use a custom JAAS module, provided that it does the following:

Validates user name and password authentication.

Uses JAAS' NameCallback and PasswordCallback objects for collecting the user names and passwords.

When using a custom JAAS module, you must place the jar file in the <install dir>/tomcat/webapps/spotfire/WEB-INF/lib directory on all Spotfire Servers.

For more information about JAAS, consult the JAAS Reference Guide.
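As an added example (not Spotfire Server's own code and not taken from the JAAS Reference Guide), the following hypothetical LoginModule meets both requirements listed above: it validates a user name and password, and it collects them only through JAAS' NameCallback and PasswordCallback. The class name ExampleLoginModule, the login entry name CustomUsernamePassword, the in-memory credential store and the sample account are all constructed for the demonstration; how Spotfire Server names and loads a third-party module is not described on this page, so the main method drives the module through a programmatic JAAS Configuration instead. It needs Java 16 or later for the record type.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical user name/password LoginModule; not Spotfire Server's own code. */
public class ExampleLoginModule implements LoginModule {
    // Constructed in-memory store: user name -> {salt, PBKDF2 hash}. A real module reads a protected store.
    private static final Map<String, byte[][]> STORE = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    static { addUser("alice", "correct horse battery staple".toCharArray()); } // constructed sample account

    private static void addUser(String name, char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        STORE.put(name, new byte[][] { salt, pbkdf2(password, salt) });
        Arrays.fill(password, '\0');
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        finally { spec.clearPassword(); }
    }

    // Always derives a hash (even for unknown users) and compares in constant time, so timing does not reveal which part was wrong.
    private static boolean verify(String name, char[] password) {
        byte[][] rec = STORE.get(name);
        byte[] salt = rec != null ? rec[0] : new byte[16];
        byte[] expected = rec != null ? rec[1] : new byte[32];
        boolean match = MessageDigest.isEqual(expected, pbkdf2(password, salt));
        return match && rec != null;
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    // Credentials are requested only through NameCallback and PasswordCallback, as required for a Spotfire module.
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user name: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials: " + e);
        }
        char[] password = pc.getPassword();
        pc.clearPassword();
        if (nc.getName() == null || password == null) throw new FailedLoginException("missing credentials");
        try {
            succeeded = verify(nc.getName(), password);
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text password in memory
        }
        if (!succeeded) throw new FailedLoginException("invalid user name or password");
        user = nc.getName();
        return true;
    }

    @Override public boolean commit() { if (succeeded) subject.getPrincipals().add(new UserPrincipal(user)); return succeeded; }
    @Override public boolean abort() { user = null; succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); user = null; return true; }

    record UserPrincipal(String getName) implements Principal {}

    // Test handler that answers the callbacks with fixed values; a real client would prompt the user instead.
    static CallbackHandler handlerFor(String name, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of a one-entry login.config file that names this module as REQUIRED.
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ExampleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
            }
        };
        for (String pw : new String[] { "correct horse battery staple", "wrong password" }) {
            LoginContext lc = new LoginContext("CustomUsernamePassword", new Subject(), handlerFor("alice", pw), cfg);
            try { lc.login(); System.out.println("accepted: " + lc.getSubject().getPrincipals()); lc.logout(); }
            catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Running main prints one accepted login followed by one rejected login. Two design choices matter for a production module: the password char array is wiped as soon as it has been verified, and the verification path does the same amount of work whether or not the user name exists, so the module does not leak valid user names through response timing. The `handlerFor` helper exists only so the example runs stand-alone; when the module is deployed in Spotfire Server, the server supplies the CallbackHandler that carries the user name and password the client sent.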