
</configuration>

3. After you have enabled clustering, stop all of the servers in the cluster (do not restart them); for instructions, see Start or stop Spotfire Server.

4. One by one, start all the servers in the cluster.

Using Hazelcast for clustering

By default, clustered implementations of Spotfire Server use the Hazelcast distributed data grid product to support data clustering.

Hazelcast requires practically no configuration, and in most cases is a sufficient option for clustering.

However, Hazelcast is not a secure option. To enable data exchange through Hazelcast, a port (by default, 5701) must be open on each Spotfire Server. These ports are not protected by SSL/TLS; Hazelcast uses plain TCP/IP connections for the data exchange between servers.

If you do implement clustering with Hazelcast, the firewalls should be configured for maximum security and, ideally, the ports should be open only to other Spotfire Server instances.

If your implementation requires secure connections between the servers in a cluster, you can install TIBCO ActiveSpaces® and configure Spotfire Server to use it for secure TCP/TLS transport. For details, see Using ActiveSpaces for clustering.

Using ActiveSpaces for clustering

To enable secure TCP/TLS transport for the exchange of data between clustered Spotfire Servers, install ActiveSpaces and configure the servers to use it as the underlying data grid.

ActiveSpaces is a separate product that must be deployed and configured separately. It is available free-of-charge to purchasers of Spotfire Server.

These instructions are for the baseline scenario of securing TCP/IP transport using SSL certificates/keys, without additional encryption of transmitted data. ActiveSpaces provides various means for securing the cluster; for information on additional options, see the ActiveSpaces documentation.

Installing ActiveSpaces

To use ActiveSpaces to secure the connections between clustered Spotfire Servers, ActiveSpaces must be installed and configured on each Spotfire Server in the cluster. After installation, you reconfigure the servers to use ActiveSpaces as the underlying data grid.

ActiveSpaces is a separate product that is available free-of-charge to purchasers of Spotfire Server.

Procedure

1. From the TIBCO eDelivery web site, download the ActiveSpaces zipped folder for your operating system and extract the files.

The following steps pertain to a Windows installation.

2. Double-click the ActiveSpaces installer to install the product.

3. After installation, make the following changes in the ActiveSpaces environment variables:

Define AS_HOME, as shown in the following example:

Add entries to the PATH for the lib folder and the bin folder, as shown in the following example:

4. Copy the file [AS_HOME]\lib\as-common.jar to the directory [TSS_HOME]\tomcat\webapps\spotfire\WEB-INF\lib.

5. Validate the ActiveSpaces installation by entering the connect command in the command-line tool.

This creates the default cluster.

Configuring a cluster of Spotfire Servers to use ActiveSpaces

After setting up the cluster and installing ActiveSpaces, you must do additional configuration if you have a Linux installation. Then ActiveSpaces must be validated on each server computer in the cluster.

Prerequisites

You have set up the cluster of Spotfire Servers, and set the Type variable to ActiveSpaces; for instructions, see Setting up a cluster of Spotfire Servers.

You have installed ActiveSpaces on each server in the cluster; for instructions, see Installing ActiveSpaces.

ActiveSpaces is a separate product that is available free-of-charge to purchasers of Spotfire Server.

Procedure

1. For Linux installations only: Set the LD_LIBRARY_PATH variable to use the ActiveSpaces library. Do one of the following:

(Recommended) To permanently set the variable for this computer, follow these steps:

1. Navigate to the etc directory.

2. Open the profile file by entering the following command:

vi profile

3. Append the following lines to the end of the profile file:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/bin/tibco/as/2.1/lib
export AS_HOME=/usr/local/bin/tibco/as/2.1
export PATH=${PATH}:${AS_HOME}/bin:${AS_HOME}/lib

where .../tibco/as/2.1/lib specifies the path to ActiveSpaces.

4. Save the file and restart the session.

To set the variable for only the current session, enter the following command:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/bin/tibco/as/2.1/lib

where .../tibco/as/2.1/lib specifies the ActiveSpaces installation directory.

In this case the variable must be reset each time that someone logs in to Spotfire Server on any computer in the cluster, including the current computer.

2. Start Spotfire Server and validate ActiveSpaces by using the ActiveSpaces administration console, as shown in the following example.

The discovery parameter should point to one of the Spotfire Servers in the cluster. Make sure that the clustering port matches the port that you defined in the clustering configuration.

as-admin> connect name "spotfire" discovery "tcp://10.90.48.16:5701"
[2015-07-10T15:47:15.428][11524][10356][INFO][transport] ip_address=10.98.48.27 port=50000
[2015-07-10T15:47:25.455][11524][10356][INFO][spotfire.metaspace] Connected metaspace name=[spotfire], listen=[tcp://10.90.48.16:50000], discovery=[tcp://10.98.48.27:5701], member name=[a62301b-c350] version=2.1.4.011
[2015-07-10T15:47:25.455][11524][8508][INFO][spotfire.$members] member joined: member.mydomain.com (a62301b-1645-559fbd18-31d, 10.98.48.16:5701)
[2015-07-10T15:47:25.455][11524][8508][INFO][spotfire.$members] member joined: a62301b-c350 (a62301b-c350-559fbed3-1ad, 10.90.48.16:50000)
Connected to metaspace spotfire
as-admin>

The default (immutable) ActiveSpaces metaspace name is "spotfire".

The ActiveSpaces command-line interface should only be used to check that the ActiveSpaces cluster is configured properly; therefore the interface should be launched only after all the Spotfire Servers in the cluster are initialized.

3. List all members of the cluster, as shown in the following example:

as-admin> show members
Show Members for Metaspace 'spotfire' :
_______________________________________________________________________________________________________________________
Cluster Members:
Member Name          | IP:Port           | Member Role | Member ID                 |
-----------------------------------------------------------------------------------------------------------------------
member.mydomain.com  | 10.90.48.16:5701  | manager     | a62301b-1645-559fbd18-31d |
a62301b-c350         | 10.90.48.16:50000 | member      | a62301b-c350-559fbed3-1ad |
Total Cluster Members: 2

The total number of cluster members should equal the number of running Spotfire Servers plus one (the administration console also joins the cluster as a member).

4. Repeat these steps for each server in the cluster.
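The following script is an added example (not TIBCO or Spotfire code) that automates the check described in step 3: it parses the listing printed by show members and verifies that the member count equals the number of running Spotfire Servers plus one, the extra member being the administration console. It also assumes, as the connect output above suggests, that the server members listen on the clustering port while the console joins on a different port. The sample listing, host names and member IDs in the script are constructed.

```python
"""Sanity-check the member listing from `as-admin> show members`.

Added example (not TIBCO or Spotfire code). The listing below is
constructed, modelled on the documentation: two servers on the
clustering port 5701 plus the administration console on port 50000.
"""
import re

SAMPLE_SHOW_MEMBERS = """\
as-admin> show members
Show Members for Metaspace 'spotfire' :
________________________________________________________________________________
Cluster Members:
Member Name          | IP:Port           | Member Role | Member ID                 |
--------------------------------------------------------------------------------
member.mydomain.com  | 10.90.48.16:5701  | manager     | a62301b-1645-559fbd18-31d |
node2.mydomain.com   | 10.90.48.17:5701  | member      | b73412c-2756-559fbd18-42e |
a62301b-c350         | 10.90.48.16:50000 | member      | a62301b-c350-559fbed3-1ad |
Total Cluster Members: 3
"""

# One table row: four pipe-separated cells with an optional trailing pipe.
ROW_RE = re.compile(
    r"^\s*(?P<name>[^|]+?)\s*\|\s*(?P<addr>[^|]+?)\s*\|"
    r"\s*(?P<role>[^|]+?)\s*\|\s*(?P<member_id>[^|]+?)\s*\|?\s*$"
)


def parse_members(listing):
    """Return one dict per member row; the header row and rulers are skipped."""
    members = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if m is None or m.group("name").strip() == "Member Name":
            continue
        members.append({k: v.strip() for k, v in m.groupdict().items()})
    return members


def reported_total(listing):
    """The count printed on the 'Total Cluster Members:' line, or None."""
    m = re.search(r"Total Cluster Members:\s*(\d+)", listing)
    return int(m.group(1)) if m else None


def check_cluster(listing, running_servers, clustering_port=5701):
    """Return a list of problems; an empty list means the listing is consistent."""
    members = parse_members(listing)
    problems = []

    total = reported_total(listing)
    if total is not None and total != len(members):
        problems.append(f"{len(members)} member rows but a reported total of {total}")

    expected = running_servers + 1  # servers plus the administration console
    if len(members) != expected:
        problems.append(f"expected {expected} members, found {len(members)}")

    # Assumption: the server members listen on the clustering port,
    # so the rows on that port must match the number of running servers.
    servers = [m for m in members if m["addr"].rsplit(":", 1)[-1] == str(clustering_port)]
    if len(servers) != running_servers:
        problems.append(
            f"{len(servers)} members on clustering port {clustering_port}, "
            f"expected {running_servers}"
        )
    return problems


if __name__ == "__main__":
    problems = check_cluster(SAMPLE_SHOW_MEMBERS, running_servers=2)
    print("\n".join(problems) if problems else "cluster listing is consistent")
```

Run it with the number of servers you started and the clustering port from your configuration; any line it prints points at a server that did not join, a stale member, or a port mismatch between the cluster configuration and the discovery URL.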

What to do next

After you validate the cluster in non-secure mode, enable transport security.

Enabling secure transport for ActiveSpaces

After configuring the Spotfire Servers in the cluster, you must enable ActiveSpaces to use secure transport for communication between the servers.

Prerequisites

You have configured each Spotfire Server in the cluster to use ActiveSpaces; see Configuring a cluster of Spotfire Servers to use ActiveSpaces.

For additional information on this procedure, see the ActiveSpaces documentation.

Procedure

1. In the command-line tool, enter the following command:

as-admin> create security_policy policy_name "as-policy" policy_file "as-policy.txt" encrypt false

Do not change the policy name or the policy file name because they are referenced in the Spotfire Server configuration and are immutable.

2. Edit the policy file that you created in the previous step:

a) Under the "discovery" attribute of the metaspace_access policy key, list all the members of the cluster.

b) Alter the metaspace name.

The edited section of the policy file looks similar to this:

metaspace_access=metaspace=spotfire;discovery=tcp://10.97.184.60:5701;10.97.184.65:5701

c) To use traditional, TLS-like transport protection, specify transport_security=integrity. For information on additional options, see the ActiveSpaces documentation.

3. On each of the clustered Spotfire Servers, copy the as-policy.txt file to the folder where the keystore file is located. Typically, the keystore file is located here: <installation dir>\nm\trust.

4. Start all of the servers.

5. To validate ActiveSpaces, execute the following commands by using the ActiveSpaces administration console.

1. Create a security token by entering the following command:

as-admin> create security_token domain_name "AS-DOMAIN" policy_file "C:/tibco/tss/7.5.0/nm/trust/as-policy.txt" token_file "C:/tibco/tss/7.5.0/nm/trust/mytoken.txt"

2. Connect to the metaspace with the security token by entering the following command, where the discovery parameter points to one of the Spotfire Servers in the cluster:

as-admin> connect security_token "C:/tibco/tss/7.5.0/nm/trust/mytoken.txt" name "spotfire" discovery "tcp://10.97.120.65:5701"

6. To list the members of the cluster, enter the following command:

as-admin> show members

Sample as-policy.txt file

If you configure a clustered deployment of Spotfire Server and use ActiveSpaces to secure the data exchange between servers, you create an as-policy.txt file.

This is a sample of the file:

//
// ***** TO BE ACCESSED ONLY BY TIBCO ACTIVESPACES CONTROLLER MEMBERS/PROCESSES *****
// ***** AND THEIR ADMINISTRATION PERSONNEL THAT HAVE AUTHORITATIVE CONTROL OVER *****
// ***** THE USER MANUAL FOR MORE

// List each metaspace, and its discovery URL, which is to be covered by
// the settings for this security domain.
//
// Note: Must specify at least one metaspace and discovery URL.
//
metaspace_access=metaspace=spotfire;discovery=tcp://10.97.184.60:5701;10.97.184.65:5701

// Transport Security
// Specify the level of security to use when transmitting data within ActiveSpaces.
//
// Options:
// encrypted_normal (default): use secure transport with 128 bit symmetric key encryption

// Specify whether transport access should be restricted to only those
// ActiveSpaces applications using a token file whose identity certificate
// is contained in the given file. The file is a plain text file containing
// one or more identity certificates extracted (copied and pasted) from token
// files.

// Specify whether data should be encrypted when it resides in memory and
// is persisted on the local disk (shared-nothing persistence). Use the
// field definitions to define encryptable fields in any space.
//
// Options:
// false (default): do not encrypt the data
// true : always encrypt the data
data_encryption=false

// Authentication
//
// Specify the type of authentication to use for this security domain and
// information for connecting to the authentication source.
//
// Format:
// authentication=<none(default)|userpwd|x509>;[source=<system|ldap>;<source property>;...;hint=<string>
//
// Examples:
// authentication=userpwd;source=system;service=login;hint=acme_server
//
//   searchUnder: <true|false (default)> search for objects under base DN, if objects may reside at different levels of the directory
//   allowEmptyPassword: <true|false (default)> allow or reject empty passwords from clients
//   objectClass: <* | string> define specific object class to look at during search, * denotes any object class. Only used when searchUnder is enabled.
//

// Enable or disable access control for the security domain and what the
// default behavior should be for users or groups for which no permissions are
// either explicitly or implicitly defined.

// Define groups of users where each group will have a specific set of
// permissions. The list of groups must be preceded by a line with 'groups'.
// There can be zero or more group assignments in the list.
// Single group assignment lines can be broken into two or more lines by
// leaving a comma (,) at the end of the line.
//
// Format:
// groups
// <user defined name>=<user name>,<user name>,...
//
// Example:
// group1 = user1, user2, user3
// group2 = user4, group1, user5
// group3 = user6, user7, My Ldap X509Cert CN, group2
// admins = admin1, admin2
//
groups

// Access Control Permissions
//
// Assign permissions to users or groups and specify whether the permissions
// should be limited to a particular metaspace or space. The list of permission
// assignments must be preceded by a line with 'permissions'.
// There can be zero or more permission assignment lines in the list. Permission
// assignment lines can be broken into two or more lines by leaving a comma (,)
// at the end of the line to be continued on the next line.
//
// Format:
// permissions
// <metaspace name>/<space name> <<user name>|<group name>>=<privilege>
//
// Wildcard: The asterisk (*) can be used as a wildcard for the metaspace name,
// the space name or both.
//
// The available rights options in a privilege:
// deny_all
// grant_all
// read
// write
// encrypt
// Used for encrypting memory and locally persisted data
//
OGlW0xuOvnMgxmhuLRsiOEyTCFpwXdMe7TqjgpucwNg=
---END DOMAIN DATA
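The following script is an added example (not TIBCO or Spotfire code) that reads a policy file in the format shown above and performs the checks that step 2 of the Enabling secure transport procedure calls for before the file is copied to each server: the metaspace name must be "spotfire", the discovery list must contain every cluster member, and transport_security must be set. The parser treats lines beginning with // as comments, reads key=value settings, and handles the groups and permissions sections including the trailing-comma continuation rule. The policy text, group, permission line and cluster addresses embedded in the script are constructed, modelled on the sample file.

```python
"""Parse and check an ActiveSpaces as-policy.txt before distributing it.

Added example (not TIBCO or Spotfire code). The policy below is a
constructed sample modelled on the documented file; the groups and
permissions entries are illustrative only.
"""

SAMPLE_POLICY = """\
// metaspace covered by this security domain
metaspace_access=metaspace=spotfire;discovery=tcp://10.97.184.60:5701;10.97.184.65:5701

// Transport Security (step 2c)
transport_security=integrity
data_encryption=false
authentication=none

groups
admins=admin1,
       admin2

permissions
spotfire/* admins=grant_all
"""


def parse_policy(text):
    """Return (settings, groups, permissions) from the policy file text."""
    settings, groups, permissions = {}, {}, []
    section = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # whole-line comments only; the '//' in 'tcp://' is data
        line = pending + line
        if line.endswith(","):  # entry continues on the next line
            pending = line
            continue
        pending = ""
        if line in ("groups", "permissions"):
            section = line
            continue
        if section == "groups":
            name, _, members = line.partition("=")
            groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
        elif section == "permissions":
            permissions.append(line)
        else:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, groups, permissions


def parse_metaspace_access(value):
    """Split 'metaspace=...;discovery=tcp://h:p;h:p' into (name, [h:p, ...])."""
    metaspace, discovery = None, []
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if not sep:  # bare host:port continuing the discovery list
            discovery.append(part)
        elif key == "metaspace":
            metaspace = val
        elif key == "discovery":
            discovery.append(val)
    prefix = "tcp://"
    return metaspace, [d[len(prefix):] if d.startswith(prefix) else d for d in discovery]


def validate_policy(text, cluster_members):
    """Return the problems found; cluster_members are 'host:port' strings."""
    settings, _, _ = parse_policy(text)
    if "metaspace_access" not in settings:
        return ["metaspace_access is missing"]
    problems = []
    metaspace, discovery = parse_metaspace_access(settings["metaspace_access"])
    if metaspace != "spotfire":
        problems.append(f"metaspace is {metaspace!r}; the Spotfire metaspace name is 'spotfire'")
    for member in cluster_members:
        if member not in discovery:
            problems.append(f"cluster member {member} is not in the discovery list")
    if not settings.get("transport_security"):
        problems.append("transport_security is not set (step 2c specifies 'integrity')")
    return problems


if __name__ == "__main__":
    problems = validate_policy(SAMPLE_POLICY, ["10.97.184.60:5701", "10.97.184.65:5701"])
    print("\n".join(problems) if problems else "policy covers all cluster members")
```

Feed it the list of clustering addresses from your own server configuration; a member missing from the discovery list is the usual reason a server fails to join the metaspace once the security token is in use.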