TIBCO Spotfire® Server and Environment - Installation and Administration

Trusting custom content in the Spotfire environment

Many Spotfire users want to extend the Spotfire environment in different ways. It has for a long time been possible to add scripts based on IronPython or JavaScript to analyses, to be executed through buttons in text areas or via actions based on clicks in certain visualizations. Further enhancements can be made using many different types of data functions that can either be created directly in an analysis file or saved as a separate entity in the Spotfire library. With Spotfire 11.0, it also became much easier to add custom visualizations, with the new concept of visualization mods. Any custom item created by a malevolent person could potentially perform unexpected or undesired actions. Therefore, Spotfire uses different trust mechanisms to help you to keep your system safe.

Spotfire Visualization Mods

Spotfire visualization mods can be created and also uploaded to the Spotfire library by any user with sufficient privileges. The license features for handling visualization mods are found under TIBCO Spotfire Extensions. To ensure that only trusted developers are allowed to add and execute code, there are many things you can do as an administrator.

Sign mods

Anyone who creates or adds a visualization mod to the Spotfire environment can sign it. The signing informs other people about the origin of the mod and helps you to make informed decisions regarding whether the mod can be trusted or not. Signed mods make it possible to verify the authenticity, integrity and publisher of the code.

Signing can be done either with certificates issued by a certificate authority (CA), or with the Spotfire account of the person who loads a mod project into an analysis file. When the Spotfire account is used to sign code, the Spotfire Server acts as a certificate authority and issues a certificate for the user (on demand only). The certificate expires after a period of time, after which a new certificate is issued if the user still exists in the system. This means that a Spotfire account cannot be used to sign mods while offline. It also means that you might need to copy certificates from one system to another to keep user signatures valid, if your company develops mods on one server and wants to use them on another server. See Moving certificates from one system to another for more information. See Spotfire Developer Documentation > TIBCO Spotfire Package Builder for more information about signing mods while offline or with certificates from a CA.

Note: When using visualization mods, it is important to specify a public address for the Spotfire Server, to be able to verify that certificates are valid. The public address is used for Online Certificate Status Protocol (OCSP) requests and, in production systems, it must be kept stable for a long time period to ensure that certificates remain valid. It is recommended to use a load balancer or reverse proxy to access the server. That way, you can easily add or replace server instances, while keeping the public address stable.
Note: If your organization has a root certificate authority (CA) of its own (one that is not present in the default Java cacerts truststore) and certificates issued by this authority will be used when signing mods, the root CA certificate needs to be imported into the Spotfire Server using the import-code-signing-certificate command. This is needed because uploaded certificates are validated when trust decisions are made (that is, when a trust decision is made, the certificate path of the signing certificate is verified on the server side). If the root certificate is not imported into the Spotfire Server, this verification fails, and it will not be possible to trust such mods. However, it is possible to switch off the server-side verification by setting the configuration property security.code-trust.validate-uploaded-cert to false.

Trust mods or signers

The trusting may be performed on an individual level by end users who have permission to trust mods but, as an administrator, you can also predefine trusted signers for groups in the Spotfire environment. See Adding trusted signers to a group for more information.

For an end user, it is possible to either trust all mods added by a certain person, that is, to trust the signer, or to trust specific mods only. Signers and mods that have been trusted by an end user with trusting privileges can be reviewed on each user's My account page on the server. It is reached by clicking the username at the top right while being in the library or on any other server administration page. Users with trust permission can download certificates or remove previously added trust decisions they have made. As an administrator, you can also view all trusted signers and items for each user, under Users & Groups.

If a specific mod is trusted, the mod is seen as trusted in all analyses where it exists. However, re-trusting is required if any changes are made to the mod at a later stage. If the signer is trusted, instead of a specific mod, then all future mods and new versions of a mod from that signer are automatically trusted.

Untrusted mods

Attempting to add an untrusted mod to an analysis prompts the question of whether or not it should be trusted (end users who do not have permission to trust cannot add untrusted mods at all). The more mods that have been pre-approved by the administrator, the fewer questions are shown to the end users who try to add visualizations to their analyses.

Note: By default, only valid signatures can be trusted. If required (in special cases), it is possible to relax this limitation by changing a preference in Administration Manager (Application > Trust > Require valid signature to allow trust).

Remove trusted signers

You can always withdraw a previous decision to trust a certificate or a Spotfire user signature. See Removing trusted signers from a group for more information.

Invalidate signatures and revoke certificates

If a user account has been used to sign items that the user does not wish to be responsible for, each user can invalidate their own signatures from a specific time and up until now. This is done from the My account page of the user (if any signatures are available).

As an administrator, you can invalidate another user's signatures using the revoke-code-signing-certificate command in the CLI. If a user is suspected of deliberately adding malicious mods, you might also want to remove the user from the system.

Other users will be informed that the mod is signed by an invalid signature.

Block certificates, users or custom items

It is also possible to block certificates, users or specific mods from being used at all. See Blocking certificates, users or custom items for more information.
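The sections on trusting mods or signers, untrusted mods, invalidated signatures and blocking describe a set of interacting rules. The following is an added model of those rules written for this page, not Spotfire's own implementation: it assumes the cryptographic check of a signature has already been performed (signature_ok), treats invalidation as a per-signer cutoff time, and assumes that signer trust applies only while the mod's signature is valid.

```python
# Added example (not Spotfire code): a model of the trust rules described on this page.
# Blocking beats everything; signer trust covers future versions; item trust is tied
# to the exact content (re-trust after a change); invalidation voids signatures made
# from a cutoff time onward. Signature verification itself is assumed to be done already.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import hashlib


@dataclass
class Mod:
    name: str
    content: bytes
    signer: Optional[str] = None           # account or certificate subject; None = unsigned
    signed_at: Optional[datetime] = None
    signature_ok: bool = True              # assumed result of the cryptographic check

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class TrustStore:
    trusted_signers: set = field(default_factory=set)     # per-user plus group-level trust
    trusted_items: set = field(default_factory=set)       # (name, digest) pairs
    blocked_signers: set = field(default_factory=set)
    blocked_items: set = field(default_factory=set)
    invalidated_from: dict = field(default_factory=dict)  # signer -> cutoff datetime
    require_valid_signature: bool = True                  # the "Require valid signature" preference


def signature_valid(mod: Mod, store: TrustStore) -> bool:
    """Valid if the signature verified and was made before any invalidation cutoff."""
    if mod.signer is None or not mod.signature_ok or mod.signed_at is None:
        return False
    cutoff = store.invalidated_from.get(mod.signer)
    return cutoff is None or mod.signed_at < cutoff


def trust_decision(mod: Mod, store: TrustStore) -> str:
    """Return 'blocked', 'trusted' or 'untrusted' for a mod being added to an analysis."""
    item = (mod.name, mod.digest())
    if mod.signer in store.blocked_signers or item in store.blocked_items:
        return "blocked"                       # blocked items cannot be used at all
    if signature_valid(mod, store) and mod.signer in store.trusted_signers:
        return "trusted"                       # signer trust covers new versions
    if item in store.trusted_items:
        return "trusted"                       # item trust is for this exact content only
    return "untrusted"


def may_trust(mod: Mod, store: TrustStore, user_can_trust: bool) -> bool:
    """Whether a user may answer 'yes' to the trust question for an untrusted mod."""
    if not user_can_trust or trust_decision(mod, store) == "blocked":
        return False
    return signature_valid(mod, store) or not store.require_valid_signature
```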

CLI commands

For a complete list of the commands available for handling visualization mod trust, see Code trust commands.

Script and Data Function Trust

Currently, there is no way to sign scripts or data functions. This means that all such entities will be seen as unsigned in all the user interfaces.

Instead, Spotfire uses a trust mechanism, where users called Script Authors, verified by licenses and group membership, are the only ones that can make a script trusted for anyone in the organization. See System groups and Spotfire extensions for more information.

End users who have access can still review and trust unsigned entities from the File > Manage trust dialog in the Spotfire installed client.

Data Functions written in R

TIBCO has its own implementation of the R language, TIBCO Enterprise Runtime for R (TERR), which is included in Spotfire applications. TERR comes with a restricted mode which is built to provide a secure environment when working with data functions. If the data function is trusted, then it can be executed without any restrictions. If a TERR-based data function is not trusted, Spotfire will make an attempt to run the data function in the restricted mode. If the script uses statements that are not available in the restricted mode, then the data function will be prevented from running until it has been trusted.