
TIBCO Spotfire® Platform – IT Brief

This IT brief outlines features of the TIBCO Spotfire system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily targets TIBCO Spotfire Web Player 3.3 and TIBCO Spotfire Server 3.3.

Communication Security

Communication between the components of the TIBCO Spotfire platform can be encrypted using HTTPS, LDAPS and secure JDBC.

Kerberos can be used end to end: a user is authenticated automatically from the browser to the TIBCO Spotfire Web Player, and the Kerberos ticket is then delegated through the load balancer and the TIBCO Spotfire Server all the way to a Kerberos-enabled database, which can apply its own row-level security. The analysis data retrieved is therefore based on the identity of the actual user, not on a shared service account.

Refer to the installation and configuration manuals of TIBCO Spotfire Web Player and TIBCO Spotfire Server for details.

TIBCO Spotfire Server 3.3 and TIBCO Spotfire Web Player 3.3 have been tested with Nessus® Scanner.

[Figure: TIBCO Spotfire Web Players, Load Balancer, TIBCO Spotfire Servers and Spotfire Database; each link between the tiers is labelled HTTPS.]

Load Balancing and Failover

The two server-side tiers of the TIBCO Spotfire system, the Web Player and the Spotfire Server, can each be clustered independently:

TIBCO Spotfire Web Player

Compared to previous versions, memory usage is significantly lowered in TIBCO Spotfire Web Player 3.3. If the same analysis is used by many users, not only data is shared but also visualizations and configurations.

As long as session affinity is maintained, different cluster solutions may be used. Microsoft’s Network Load Balancing (NLB) is tested and recommended:

 NLB supports up to 32 server nodes in a single cluster

 New nodes may be added without stopping the cluster

 The distribution of users over the server nodes is based on IP addresses

 Analyses may be pre-loaded on specific server nodes associated with the intended virtual cluster, using Scheduled Updates

TIBCO Spotfire Server

To achieve failover and to balance load, TIBCO Spotfire Server may be deployed to multiple machines, fronted by a load balancer. The load balancer must be able to detect if a TIBCO Spotfire Server becomes available or unavailable.

Any load balancing technology supporting session affinity may be used; Apache HTTP Server is one example.

[Figure: Apache HTTP Server in front of the TIBCO Spotfire Web Player cluster; a Load Balancer in front of the TIBCO Spotfire Server cluster; Spotfire Database.]
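The two load balancer requirements stated above, session affinity and detection of a node becoming unavailable, written out as an added Apache HTTP Server configuration (this is an example for the brief, not a configuration TIBCO ships). It fronts two TIBCO Spotfire Web Player nodes as in the figure; the same block fronts a TIBCO Spotfire Server cluster unchanged. Hostnames, ports, file paths, the cookie name and the route names are assumptions. Because the brief calls for HTTPS between the tiers, the block also makes httpd verify the node's server certificate (B, or D for a Spotfire Server cluster) against the CA certificate (E), which a plain HTTPS BalancerMember does not do by itself.

```apache
# Added example, not from the TIBCO brief. Apache HTTP Server 2.2 or later with
# mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_headers and mod_ssl loaded,
# placed inside the HTTPS VirtualHost that users connect to.
# Hostnames, paths, cookie and route names below are assumptions.

# Reverse proxy only; never act as an open forward proxy.
ProxyRequests Off

# The hop to the nodes is HTTPS. Verify each node's server certificate (B)
# against the CA (E); without this the hop is encrypted but the node is not
# authenticated, so a host that obtained the node's IP could impersonate it.
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /etc/httpd/ssl/spotfire-ca.crt

# Session affinity that does not depend on the node's own session cookie:
# on the first response from a node, set a ROUTEID cookie naming that node;
# later requests carrying the cookie are pinned to the same node.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

<Proxy balancer://webplayer>
    # retry=30: a node whose connection fails is taken out of rotation and
    # probed again after 30 seconds. This is the availability detection the
    # brief requires of the load balancer.
    BalancerMember https://webplayer1.example.internal:443 route=wp1 retry=30
    BalancerMember https://webplayer2.example.internal:443 route=wp2 retry=30
    ProxySet stickysession=ROUTEID
</Proxy>

ProxyPass        / balancer://webplayer/
ProxyPassReverse / balancer://webplayer/
```

Affinity is per session, so when a node drops out the users pinned to it are moved to another node and lose their in-memory session state; that is inherent to sticky load balancing and is the reason the brief recommends pre-loading analyses on the nodes with Scheduled Updates. With NLB the affinity is instead based on the client's source IP address, as noted above.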

Authentication

Procedure

Authentication is determined by the existing IT infrastructure. It is a two-step process:

1. Apply a login mechanism to establish the user identity.

2. Verify that the established identity exists in a user directory system.

Supported options

 Password based: LDAP Directory, Windows NT Domain, Spotfire Database, Custom JAAS Module

 Single sign-on: Kerberos, X.509 Client Certificate, NTLM

 User directory: LDAP Directory, Windows NT Domain, Spotfire Database

The following sections describe authentication setups for TIBCO Spotfire Web Player, with corresponding TIBCO Spotfire Server scenarios. Common to many setups is the use of the Impersonator feature, enabling the TIBCO Spotfire Web Player to run as a user of choice. Refer to the installation and configuration manuals of TIBCO Spotfire Web Player and TIBCO Spotfire Server for details.

Anonymous

System setup

 TIBCO Spotfire Web Player
   ASP.NET: None
   IIS: Anonymous

 TIBCO Spotfire Server
   Any supported

All users execute on the TIBCO Spotfire Server using a configured TIBCO Spotfire Web Player account. The Spotfire Server therefore cannot distinguish individual users: Library access and any identity-based data security apply to the Web Player account, not to the person at the browser.

[Figure: Anonymous Authentication. Web Browser, TIBCO Spotfire Web Player, TIBCO Spotfire Server.]

Username and Password Authentication

System setup

 TIBCO Spotfire Web Player
   ASP.NET: Forms Authentication
   IIS: Anonymous

 TIBCO Spotfire Server
   Basic authentication

The user name and password entered in the browser form are relayed by the TIBCO Spotfire Web Player to the TIBCO Spotfire Server as basic authentication. Both hops therefore have to use HTTPS, otherwise the credentials travel in clear text.

[Figure: Username and Password Authentication. Web Browser (user name: X, password: Y), TIBCO Spotfire Web Player (user name: X, password: Y), TIBCO Spotfire Server.]

NTLM / Kerberos with impersonation

System setup

 TIBCO Spotfire Web Player
   ASP.NET: Windows Authentication with ASP.NET Impersonation enabled
   IIS: Windows Authentication

 Specify Impersonation user

 TIBCO Spotfire Server
   Basic, NTLM or Kerberos

The TIBCO Spotfire Web Player logs in to the TIBCO Spotfire Server using a configured Impersonator account, and impersonates user A.

[Figure: Single Sign-On Authentication: NTLM / Kerberos with impersonation. Web Browser (domain user A), TIBCO Spotfire Web Player, TIBCO Spotfire Server.]

Kerberos with delegation

System setup

 TIBCO Spotfire Web Player
   ASP.NET: Windows Authentication with ASP.NET Impersonation
   IIS: Windows Authentication

 TIBCO Spotfire Server
   Kerberos

Kerberos security is advanced. It is strongly discouraged to set up Kerberos without any previous experience with the technology.
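The IIS and ASP.NET settings behind the Kerberos with delegation setup above, written out as an added web.config fragment. This is an example for the brief, not the web.config shipped with TIBCO Spotfire Web Player; element names are standard ASP.NET and IIS 7 configuration, everything else is an assumption. The comments mark where the Anonymous, Username and Password and X.509 setups differ, so the same fragment serves as a checklist for all of them.

```xml
<?xml version="1.0"?>
<!-- Added example, not TIBCO's web.config. Settings for the "Kerberos with
     delegation" scenario of the brief. -->
<configuration>
  <system.web>
    <!-- "ASP.NET: Windows Auth.": IIS authenticates the caller and ASP.NET adopts
         that identity. The Anonymous and X.509 scenarios use mode="None"; the
         Username and Password scenario uses mode="Forms". -->
    <authentication mode="Windows" />

    <!-- "ASP.NET Impersonation": run the request thread as the authenticated
         domain user A, so the delegated Kerberos ticket, not the application
         pool account, is what the Web Player presents to the Spotfire Server. -->
    <identity impersonate="true" />

    <!-- Refuse anonymous ("?") callers. Without this, a request arriving without
         credentials would run as the Web Player account instead of as user A. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- "IIS: Windows Authentication" (IIS 7 schema; IIS 6 sets the same two
       options in the site's Directory Security tab). Negotiate is listed first
       so Kerberos is tried before NTLM: an NTLM logon cannot be delegated onward,
       which is why the NTLM scenario above needs an Impersonator account instead. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two things outside web.config decide whether delegation actually happens. IIS 7 locks the authentication sections in applicationHost.config by default, so they must be unlocked (for example with `appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication`) before a site-level web.config may set them. In Active Directory, the account running the Web Player (the application pool identity, or the machine account when that identity is a built-in one) needs an HTTP service principal name for the Web Player host name and must be trusted for delegation; prefer constrained delegation limited to the Spotfire Server's HTTP service principal over unconstrained delegation, which would let a compromised Web Player use any user's ticket against any service.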

X.509 Certificates

System setup

 TIBCO Spotfire Web Player
   ASP.NET: None
   IIS: Anonymous with SSL and Client certificates enabled

 Specify Impersonation user certificate

 TIBCO Spotfire Server
   X.509 Client Certificates

The TIBCO Spotfire Web Player logs in to the server using a configured impersonation certificate.

Also note that TIBCO Spotfire can use SSL throughout, for any authentication type. See the Certificates section below for details.

[Figure: Single Sign-On Authentication: Kerberos with delegation. Web Browser (domain user A), TIBCO Spotfire Web Player (domain user A), TIBCO Spotfire Server.]

[Figure: X.509 Certificates. Web Browser, TIBCO Spotfire Web Player, TIBCO Spotfire Server.]

Certificates

A Client certificate: identifies the client connecting to the TIBCO Spotfire Web Player server.

B TIBCO Spotfire Web Player server certificate: identifies the Web Player server to the client.

C TIBCO Spotfire Web Player client certificate: the impersonation certificate identifying the Web Player server when it connects to the TIBCO Spotfire Server.

D TIBCO Spotfire Server server certificate: identifies the Spotfire Server to the Web Player server.

E CA certificate, a certification authority’s certificate: issues certificates A, B, C and D. It is used to issue client and server certificates, and also to establish trust between clients and servers. If there is a chain of CA certificates, all CA certificates in the chain must be used.

Client: a browser connects to the TIBCO Spotfire Web Player server providing A, typically stored in the browser’s certificate store for the current user. The server provides B to the client. To ensure that B is trusted by the client, the CA certificate E used to issue B is added to the Trusted Root Certification Authorities for the current user on the client computer.

TIBCO Spotfire Web Player server: configured with its server certificate B. To ensure that the client certificate A is trusted, it must be configured with the CA certificate E. The server must also be configured with certificate C, to be used when connecting to the TIBCO Spotfire Server.

TIBCO Spotfire Server: when the TIBCO Spotfire Web Player server connects to the server, it provides C. For the TIBCO Spotfire Server to trust this certificate, the CA certificate E must be added to the jre/lib/security/cacerts keystore.
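The certificate set A to E and the trust checks described above, carried out end to end as an added shell example (this is not a script from the brief or from TIBCO). It creates a throwaway CA as E, issues A, B, C and D from it, imports E into a cacerts-style keystore the way the Spotfire Server paragraph requires, and then performs the verification each peer performs on the certificate it is handed. It also issues a certificate with the same subject as A from a second, untrusted CA to show that the check is about the issuer in the trust store, not about the name in the certificate. Host names, subject names, the keystore path and the working directory are assumptions; it needs openssl, and uses keytool only if a JDK is installed.

```shell
#!/bin/sh
# Added example, not part of the TIBCO brief: build the certificate set A-E
# with a throwaway CA and run the trust checks each peer performs.
# All names, host names and paths below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
WEBPLAYER_HOST="webplayer.example.internal"   # assumed Web Player host (cert B)
SERVER_HOST="spotfire.example.internal"       # assumed Spotfire Server host (cert D)

# E: the CA. Self-signed; "req -x509" marks it CA:TRUE so verifiers accept it
# as an issuer. In production E is the organisation's real CA, never a demo key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Spotfire CA" \
    -keyout "$WORK/E.key" -out "$WORK/E.crt" 2>/dev/null
}

# Issue one leaf signed by E. $1 = label (A..D), $2 = subject CN,
# $3 = clientAuth or serverAuth. Server certs get a DNS SAN so host name checks
# pass; client certs (A and C) are identified by their subject only.
issue_leaf() {
  label=$1; cn=$2; eku=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$label.key" -out "$WORK/$label.csr" 2>/dev/null
  {
    printf 'extendedKeyUsage=%s\n' "$eku"
    if [ "$eku" = serverAuth ]; then printf 'subjectAltName=DNS:%s\n' "$cn"; fi
  } >"$WORK/$label.ext"
  openssl x509 -req -days 365 -in "$WORK/$label.csr" \
    -CA "$WORK/E.crt" -CAkey "$WORK/E.key" -CAcreateserial \
    -extfile "$WORK/$label.ext" -out "$WORK/$label.crt" 2>/dev/null
}

build_all() {
  make_ca
  issue_leaf A alice clientAuth                             # A: browser user
  issue_leaf B "$WEBPLAYER_HOST" serverAuth                 # B: Web Player server
  issue_leaf C spotfire-webplayer-impersonator clientAuth   # C: impersonation cert
  issue_leaf D "$SERVER_HOST" serverAuth                    # D: Spotfire Server
}

# A second CA that nobody has been told to trust, issuing a cert with the same
# subject as A. A peer that checked only the subject, or had the wrong CA in
# its trust store, would accept it.
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Rogue CA" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/rogueA.key" -out "$WORK/rogueA.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/rogueA.csr" -CA "$WORK/rogue.crt" \
    -CAkey "$WORK/rogue.key" -CAcreateserial -out "$WORK/rogueA.crt" 2>/dev/null
}

# The check each peer performs on the certificate it is handed: the chain must
# end at a CA in its trust store. $1 = trusted CA file (E), $2 = presented cert.
# Exits 0 only if the certificate is trusted.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Spotfire Server side: E goes into the JRE cacerts keystore (the JRE default
# store password is "changeit"; a demo keystore is written here instead of the
# real jre/lib/security/cacerts). Skipped when keytool is not installed.
import_ca_into_cacerts() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping cacerts import" >&2
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias spotfire-ca \
    -file "$WORK/E.crt" -keystore "$WORK/cacerts" -storepass changeit >/dev/null 2>&1
}

main() {
  build_all
  make_rogue
  import_ca_into_cacerts
  for leaf in A B C D; do
    if verify_against_ca "$WORK/E.crt" "$WORK/$leaf.crt"; then
      echo "$leaf: trusted (issued by E)"
    else
      echo "$leaf: NOT trusted"; exit 1
    fi
  done
  if verify_against_ca "$WORK/E.crt" "$WORK/rogueA.crt"; then
    echo "rogue A: accepted, the trust store is wrong"; exit 1
  else
    echo "rogue A: rejected (issuer not in trust store)"
  fi
}
main
```

When a chain of CA certificates is used, as the E paragraph notes, the file handed to -CAfile (and the certificates imported into cacerts and the Windows Trusted Root store) must contain every CA in the chain, otherwise the verification fails in exactly the way the rogue certificate fails here.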

Custom Authentication

System setup

 TIBCO Spotfire Web Player
   ASP.NET: None
   IIS: Anonymous
   web.config: Declare custom authentication

 Specify Impersonation user

 TIBCO Spotfire Server

Groups: Controlling Licenses and Access

License and Library access is controlled by group membership. Group membership is defined manually or synchronized automatically from an LDAP directory (for instance Active Directory). This section outlines how to set up group memberships in an LDAP environment:

 First, create the Access and License control groups in LDAP.

 Next, synchronize them with the TIBCO Spotfire Server, from where they control TIBCO Spotfire behavior.

 Finally, assign Licenses and Access by adding users to the groups in LDAP, not in the TIBCO Spotfire Server. License and Access control is then handled by the LDAP administrator, which keeps the system easy to manage in an LDAP environment.

LDAP

 Create an OU in the LDAP directory for the Spotfire related groups.

 Create the License related groups.

 Create the resource related groups. A resource may be a particular analysis.

[Figure: LDAP Authentication]
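The OU and group layout from the three LDAP steps above, as an added LDIF example (Active Directory attribute names; the domain, OU, group names and the user are constructed for the example and are not names TIBCO defines). The final record shows the intended way of granting a user a license, as the section recommends: a membership change in the LDAP group, not an edit in the Spotfire Server.

```ldif
# Added example, not from the TIBCO brief. Domain, OU, group and user names
# are assumptions. Load with: ldapmodify -a -f spotfire-groups.ldif

# 1. The OU that holds every Spotfire related group; this is the "Spotfire OU"
#    that the group synchronization context points at.
dn: OU=Spotfire,DC=example,DC=com
objectClass: organizationalUnit
ou: Spotfire

# 2. License control groups, one per license set to be assigned in the
#    Administration Manager. groupType -2147483646 = global security group.
dn: CN=Spotfire-License-Client,OU=Spotfire,DC=example,DC=com
objectClass: group
cn: Spotfire-License-Client
sAMAccountName: Spotfire-License-Client
groupType: -2147483646
description: License control: members receive the TIBCO Spotfire client licenses

dn: CN=Spotfire-License-WebPlayer,OU=Spotfire,DC=example,DC=com
objectClass: group
cn: Spotfire-License-WebPlayer
sAMAccountName: Spotfire-License-WebPlayer
groupType: -2147483646
description: License control: members receive the TIBCO Spotfire Web Player licenses

# 3. Resource (access control) groups, one per Library resource, for example
#    one particular analysis. Permissions on the resource are granted to the
#    group in the Library Manager after synchronization.
dn: CN=Spotfire-Access-SalesAnalysis,OU=Spotfire,DC=example,DC=com
objectClass: group
cn: Spotfire-Access-SalesAnalysis
sAMAccountName: Spotfire-Access-SalesAnalysis
groupType: -2147483646
description: Access control: read access to the "Sales Analysis" Library folder

# Granting a license is a group change in LDAP, picked up by the next scheduled
# synchronization; nothing is edited on the Spotfire Server.
dn: CN=Spotfire-License-Client,OU=Spotfire,DC=example,DC=com
changetype: modify
add: member
member: CN=Alice Example,OU=Users,DC=example,DC=com
```

Keeping the license groups and the resource groups under one dedicated OU lets the synchronization context be limited to that OU, so unrelated directory groups are never imported into Spotfire and cannot accidentally be given Library permissions.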

LDAP Synchronization

The LDAP Synchronization is configured in the User Directory tab.

 Context: the OU containing the user accounts and the OU containing the Spotfire groups.

 Group Synchronization: all groups under the Spotfire OU are to be available in Spotfire.

 Synchronization schedule: set to a reasonable value to keep the groups synchronized.

License control

Licenses are managed in the Administration Manager of TIBCO Spotfire client. Launch the UI to assign licenses to the imported LDAP License control groups. Note that LDAP synchronization has to have run at least once before any groups show up in Administration Manager.

Access Control

Access Control is defined in the TIBCO Spotfire Library Manager. Assign Full Control to the Administrator only, ensuring that just the Administrator can modify access permissions.

TIBCO Spotfire Engineering
