Spotfire Server
The Spotfire Server is the central component of the Spotfire environment, to which all Spotfire clients connect.
These tables provide reference for the security considerations for the Spotfire Server.
| Spotfire Server component | Description |
|---|---|
| Service account | By default, the service is installed under
the following, for the specified operating system:
|
| Ports and protocols | External communication port:
|
| Logs | <spotfire server installation>/tomcat/logs, See Spotfire server logs. |
| Type | (Default) location | Comments |
|---|---|---|
| Spotfire library exports | <spotfire server installation>/tomcat/application-data/library/ | Default library export path. Can contain old export or backups of library content. |
| Spotfire server logs | <spotfire server installation>/tomcat/logs | See Logging and monitoring. |
| Spotfire temporary attachments | <spotfire server installation>/tomcat/temp/AttachmentManager | Encrypted attachments. Temporary storage for data uploaded and downloaded to the server by Spotfire clients. |
| Encrypted Spotfire database password for Spotfire Server | <spotfire server installation>/tomcat/webapps/spotfire/WEB-INF/bootstrap.xml | Used by Spotfire server during startup process to connect to database. |
| Spotfire library data | External library storage location (Amazon Web Services S3, Azure Blob Storage or Google Cloud Storage or local file system), or in the Spotfire database. | Only used if enabled. Default setting is to store library data in the Spotfire database. |
| HTTPS keystore password | <spotfire server installation>/tomcat/conf/server.xml | If HTTPS is enabled, server.xml contains the password to the keystore (pkcs12 or jks) that contains the private certificate required to create a HTTPS listener. |
| Keystore for HTTPS certificates | <spotfire server installation>/tomcat/certs | PKCS12 (.pfx) or Java keystore (.jks) with private keys needed for HTTPS configuration. |
| Password hashes for end users | Spotfire database | Users' password hashes needed when Spotfire database is used as the authentication source. Default algorithm since Spotfire Server 7.5 is PBKDF2 (using HmacSHA512), 100000 iterations, 32 bytes of salt. Older algorithm still supported for upgraded system. From version 3.3 to 7.5: SHA-512, 2323 iterations, 16 bytes of salt. Default in 3.0 to 3.2: SHA-1, one iteration. |
| Encryption password | <spotfire server installation>/tomcat/webapps/spotfire/WEB-INF/boostrap.xml | The password is stored encrypted using AES-128 symmetric encryption using a static secret key. The password is used to encrypt service accounts passwords stored in Spotfire database. See config-encryption. If not set, a static password is used. |
| Service account passwords | Spotfire database and configuration.xml | Passwords for service accounts for services
such as LDAP configuration,
external storage configuration, OpenId
Connect, the action log database, etc., are AES-128 encrypted using an
encryption password as secret key.
Note: configuration.xml
is an exported copy of the effective configuration that resides in the
Spotfire
database. The file can safely be removed from the file system after having
changed the
Spotfire
configuration in the database.
|
| Information Services data source credentials | Spotfire database | Credentials for data sources used by Information Services (created using the Spotfire Analyst > Information Designer tool) are encrypted AES-128 using an encryption password as secret key. |
| Hashed passwords for JMX users | Spotfire database | If JMX is used, users credentials are stored in the Spotfire database. |
| Kerberos keytab | <spotfire server installation>/Spotfire.keytab | Used if Spotfire is configured for Kerberos authentication. The keytab file contains encrypted credentials that can be used to authenticate to remote systems. |
| Spotfire Server Backend trust keystore | <spotfire server installation>/nm/trust/keystore.p12 | Keystore needed for back-end trust encrypted TLS communication. The keystore is locked with a static password. |
| Passwords embedded in Spotfire files | Spotfire database (library) | The
Spotfire
database may contain
Spotfire
files (.dxp) with embedded credentials to data sources.
Passwords are not encrypted because the password must be made available to end
users who access the file. We do not recommend embedding credentials in the
file. The preference
EnableAllowSavingDatabaseCredentials can be used
to disable the option to embed credentials in
Spotfire
files.
|
| Library exports | <spotfire server installation>/tomcat/application-data/library | Can contain zip-files containing exported library content. Data source passwords for information services data sources are not included in the library exports. However, Spotfire analysis files (.dxp) in the exported zip can contain embedded passwords. |
| Database installation script | No default location. From where they were run. | Database installation scripts will contain credentials and connection information to the Spotfire Server database when they are run. These files will contain sensitive information and should be deleted when no longer needed or stored in a safe location. |
| OAuth2 API Clients credentials | The credentials are encrypted. |