Understanding the components, and the communication between the components of the Spotfire environment is key to understanding how to build a more secure environment.

1. The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect. From a Spotfire Server start page, entities in the Spotfire environment can be configured and monitored.

   For more information about the Spotfire Server, see its documentation.

2. Multiple nodes are installed and connected to Spotfire Server. The Spotfire Web Player service, Spotfire Automation Services, the Spotfire Enterprise Runtime for R – Server Edition, Spotfire Service for R, and Spotfire Service for Python can be installed on nodes to enable the use of Spotfire web clients, running Spotfire Automation Services jobs, and running data functions and scripts.
   For more information about the components installed on nodes, see their help:

   • Node manager (installation and configuration in Spotfire® Server and Environment Installation and Administration)
   • Spotfire® Web Player (service installation and configuration in Spotfire® Server and Environment Installation and Administration)
   • Spotfire® Automation Services (service installation and configuration in Spotfire® Server and Environment Installation and Administration)
   • Spotfire® Enterprise Runtime for R - Server Edition (a/k/a the TERR™ service)
   • Spotfire® Service for R
   • Spotfire® Service for Python
3. The server is connected to a Spotfire database that contains a user directory and stores analyses and configuration files. For more information, see its documentation.
4. After the node is installed, the node performs a join request to a specific, unencrypted Spotfire Server HTTP port that handles only registration requests. The node remains untrusted until the administrator approves the request by trusting the node. The Spotfire Server start page provides the tools to add nodes to the environment by explicitly trusting them, thereby issuing the certificates. When the node receives its certificate, it can send encrypted communication over the HTTPS/TLS ports, and with this, the node can start to send more than registration requests.

   The secured back-end communication is based on certificates. After an administrator has approved the new server or node, the certificates are issued automatically. Without a certificate, a server or a service on a node cannot make requests to, or receive requests from, other entities, except for when requiring a certificate. For more information, see Ports and firewall configuration in Spotfire® Server and Environment Installation and Administration.

This diagram shows all of these components, as well as how data flows and network protocols are used in a typical Spotfire environment.