Spotfire® Server and Environment Security

Standards and Algorithms

Spotfire provides the following standards and algorithms for encryption.

Purpose Encryption/Hashing algorithm Comment
Backend HTTP over TLS (HTTPS)

Default (with modern protocols and cipher suites enabled):

TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The following cipher suites are supported for backwards compatibility only: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_AES_CBC_128_SHA256, TLS_AES_CBC_256_SHA256

The TLS protocol for Spotfire Server 11.4 and forward is TLSv1.3, when communicating with the node manager or the Java-based services, and TLSv1.2 when communicating with .NET-based services.

(Previous versions of the node manager can use TLSv1.2, TLSv1.1 or TLSv1 before being upgraded.)

If all (modern) protocols and cipher suites are enabled on the computer running the Spotfire Web Player service, then the cipher suite chosen for all communication is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
Note: Support for the TLS_DHE_RSA_WITH_AES_* and TLS_AES_CBC_* cipher suites are kept only for backwards compatibility and will be removed in a later version.
Backend certificates Asymmetric keys: automatically generated 2048-bit RSA keys (configurable for certificates representing TSS instances, but not configurable for other components). Signature algorithm: SHA256withRSA (configurable). Keystore: PKCS12.
Data transfers SHA-512, but also supports SHA-256, SHA-1 and MD5

For error-detection checksums in the Digest/Content-MD5 HTTP headers, as defined by RFC 3230 and RFC 1864.

Encryption of secrets Default is AES-128.

The key size can be configured to AES-128, AES-192 or AES-256.

For encryption of all sorts of sensitive information (such as service account credentials, etc.).
External actions SHA-512 and ASiC-E Containers (Associated Signature Containers) External actions can be trusted based on hash value or signer certificates.
HTTP over TLS (HTTPS) The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See JDK Providers Documentation.
Hashing of user passwords PBKDF2 SHA-512, SHA-256 or SHA-1 can be used for password hashes created by older versions of Spotfire Server.
Information Link cache SHA-256 For calculation of cache keys used for comparison.
JDBC over TLS The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See JDK Providers Documentation.
JDBC using vendor-specific cryptography The Oracle Database JDBC driver supports the following algorithms: Legacy: RC4-40, RC4-56, RC4-128, RC4-256, DES-40-CBC, DES-56-CBC, 3DES-112 and 3DES-168. Recommended: AES-128, AES-192 and AES-256. See JDK Providers Documentation.
JMX over TLS The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See JDK Providers Documentation.
Kerberos/GSSAPI Legacy: DES-CRC, DES-MD5, RC4-HMAC and AES-128-CTS-HMAC-SHA1-96.

Recommended: AES-256-CTS-HMAC-SHA1-96.

Uses the built-in Java support for the Kerberos and GSS-API protocols. See JDK Providers Documentation.
If you must use RC4_HMAC (which is disabled in newer versions of Java), set allow_weak_crypto = true in the [libdefaults] section of krb5.conf on each Spotfire Server and specify the algorithms to use in permitted_enctypes similar to the following: 
default_tkt_enctypes = <add other ciphers here> rc4-hmac
default_tgs_enctypes = <add other ciphers here> rc4-hmac
permitted_enctypes = <add other ciphers here> rc4-hmac
LDAP over TLS (LDAPS) The TLS protocol version, the encryption algorithm and the key strength are configurable using standard Java procedures. See JDK Providers Documentation.
NTLM v2 According to the protocol specification.
OAuth2 RSA-OAEP-256 For encryption of access and refresh tokens according the JWE standard (RFC 7516).
OAuth2 A128GCM For encryption of access and refresh tokens according the JWE standard (RFC 7516).
OAuth2 SHA-256 For client verification according to the PKCE standard (RFC 7636).
Script trust hashes SHA-512 JavaScript, custom queries, TERR scripts, R scripts, Python scripts, IronPython scripts, and other data functions are trusted based on hash value.
Server configurations SHA-1 For error-detection checksums.
Software distributions files ("deployments") SHA-1 For error-detection checksums.
Temporary data files AES-128, AES-192 and AES-256
Visualization mods SHA-512 and ASiC-E Containers (Associated Signature Containers) Visualization mods can be trusted based on hash value or signer certificates.
Copyright © Cloud Software Group, Inc. All rights reserved.