TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
TIBCO Spotfire Server 3.2.2 - TIBCO Product Documentation
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>TIBCO</strong> <strong>Spotfire</strong> ® <strong>Server</strong> <strong>3.2.2</strong><br />
Installation and Configuration Manual<br />
Revision date: 14 February 2012
Important Information<br />
SOME <strong>TIBCO</strong> SOFTWARE EMBEDS OR BUNDLES OTHER <strong>TIBCO</strong> SOFTWARE. USE<br />
OF SUCH EMBEDDED OR BUNDLED <strong>TIBCO</strong> SOFTWARE IS SOLELY TO ENABLE<br />
THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE<br />
LICENSED <strong>TIBCO</strong> SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT<br />
LICENSED TO BE USED OR ACCESSED BY ANY OTHER <strong>TIBCO</strong> SOFTWARE OR<br />
FOR ANY OTHER PURPOSE.<br />
USE OF <strong>TIBCO</strong> SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS<br />
AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY<br />
EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH<br />
SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT<br />
WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE<br />
SOFTWARE (AND WHICH IS DUPLICATED IN<br />
LICENSE_<strong>TIBCO</strong>SPOTFIRESERVER.PDF) OR IF THERE IS NO SUCH SOFTWARE<br />
LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE<br />
LICENSE(S) LOCATED IN THE "LICENSE" FILE(S) OF THE SOFTWARE. USE OF<br />
THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR<br />
USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE<br />
BOUND BY THE SAME.<br />
This document contains confidential information that is subject to U.S. and international<br />
copyright laws and treaties. No part of this document may be reproduced in any form without<br />
the written authorization of <strong>TIBCO</strong> Software Inc.<br />
<strong>TIBCO</strong> and <strong>Spotfire</strong> are either registered trademarks or trademarks of <strong>TIBCO</strong> Software Inc.<br />
and/or subsidiaries of <strong>TIBCO</strong> Software Inc. in the United States and/or other countries. All<br />
other product and company names and marks mentioned in this document are the property of<br />
their respective owners and are mentioned for identification purposes only. This software may<br />
be available on multiple operating systems. However, not all operating system platforms for a<br />
specific software version are released at the same time. Please see the readme.txt file for the<br />
availability of this software version on a specific operating system platform.<br />
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND,<br />
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED<br />
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,<br />
OR NON-INFRINGEMENT. THIS DOCUMENT COULD INCLUDE TECHNICAL<br />
INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY<br />
ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE<br />
INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. <strong>TIBCO</strong> SOFTWARE INC.<br />
MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR<br />
THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.<br />
Copyright © 1996 - 2012 <strong>TIBCO</strong> Software Inc. ALL RIGHTS RESERVED.<br />
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED,<br />
DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES<br />
THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND<br />
"READ ME" FILES.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> is covered by U.S. Patent No. 6,014,661 and U.S. Patent No. 7, 216,116.<br />
Other patent(s) pending.<br />
<strong>TIBCO</strong> Software Inc. Confidential Information<br />
2 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Contents<br />
1 Installation Planning 6<br />
1.1 Overview 6<br />
1.2 Architectural Overview 6<br />
1.3 Migration and Upgrade 8<br />
1.4 Conceptual Outline of Installation Process 9<br />
1.5 Pre-Installation Checklist 10<br />
2 Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2 16<br />
2.1 Overview 16<br />
2.2 Prepare the Database 16<br />
2.3 Install <strong>Spotfire</strong> <strong>Server</strong> 22<br />
2.4 Install the Configuration Console 26<br />
2.5 Run <strong>Spotfire</strong> <strong>Server</strong> as Domain User 28<br />
2.6 Install Patches 29<br />
3 Migration from 10.1 30<br />
3.1 Overview 30<br />
3.2 Prerequisites 31<br />
3.3 Install the Migration Tool 31<br />
3.4 Set up Database Connection File 31<br />
3.5 Run the Migration Tool 32<br />
3.6 Database Drivers 34<br />
3.7 Log Files 35<br />
3.8 Restoring a <strong>Spotfire</strong> 3.2 Database 35<br />
3.9 Configuration Not Migrated 36<br />
3.10 Uninstall the Migration Tool 36<br />
4 Upgrade from 3.0 or 3.1 to 3.2 37<br />
4.1 Overview 37<br />
4.2 Back up or Clone the 3.0 or 3.1 Database 37<br />
4.3 Run the Upgrade Tool 38<br />
4.4 Default Join Database 46<br />
4.5 Start the <strong>Spotfire</strong> <strong>Server</strong> 46<br />
4.6 Verify Configuration 46<br />
5 Configure the System 47<br />
5.1 Overview 47<br />
5.2 <strong>Spotfire</strong> System Security 47<br />
5.3 Database Drivers 47<br />
5.4 Starting the <strong>Spotfire</strong> <strong>Server</strong> Controller 48<br />
5.5 Starting the Configuration Console 50<br />
5.6 Setting up Authentication 51<br />
5.7 Setting up User Directory 52<br />
5.8 Add <strong>Server</strong> to Cluster 53<br />
5.9 Start All <strong>Server</strong>s 54<br />
5.10 Setting up Shared Disk Location 54<br />
5.11 Making the Demo Database Available 54<br />
5.12 Assign Admin User 54<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 3 (144)
6 <strong>Spotfire</strong> Administrative Tasks 56<br />
6.1 Overview 56<br />
6.2 <strong>TIBCO</strong> <strong>Spotfire</strong> Administration Tools 56<br />
6.3 Deploying <strong>TIBCO</strong> <strong>Spotfire</strong> 57<br />
6.4 Setting up Users, Groups, and Licenses 57<br />
6.5 Importing Library Content 58<br />
7 Load Balancing 59<br />
7.1 Overview 59<br />
7.2 Prerequisites 59<br />
7.3 Cluster Node Configuration 59<br />
7.4 Load Balancer Configuration 60<br />
7.5 Kerberos Authentication 61<br />
7.6 X.509 Client Certificate Authentication 62<br />
7.7 NTLM Authentication 62<br />
7.8 Load Balancer Authentication 63<br />
7.9 Load Balancer AJP Keyword Restriction 63<br />
8 Authentication and User Directory 65<br />
8.1 Overview 65<br />
8.2 Username and Password Authentication 65<br />
8.3 Single Sign-on Authentication 68<br />
8.4 User Directory 79<br />
9 Advanced Procedures 84<br />
9.1 Overview 84<br />
9.2 Installing <strong>Spotfire</strong> <strong>Server</strong> Silently Using Pre-defined Parameters 84<br />
9.3 Setting up HTTPS on a <strong>Spotfire</strong> <strong>Server</strong> 86<br />
9.4 Restricting Access to the Configuration Console 89<br />
9.5 Configuring LDAPS 91<br />
9.6 Database Authentication using Kerberos 91<br />
9.7 Creating and Installing a Self-Signed Client Certificate 95<br />
9.8 Setting up HTTPS in a Load Balanced Environment 97<br />
9.9 Forwarding Traffic from the Load Balancer to the Configuration Console99<br />
9.10 Shared Disk Location in a Clustered Environment 100<br />
9.11 Preventing User Directory Synchronization 101<br />
9.12 Configuring X.509 Client Certificates in a Load Balanced Environment101<br />
9.13 Running Database Preparation Scripts Manually 102<br />
9.14 Resizing Temporary Tablespace 103<br />
9.15 Modifying the Virtual Memory 103<br />
9.16 Starting and Stopping the <strong>Spotfire</strong> <strong>Server</strong> 104<br />
9.17 Data Source Templates 106<br />
9.18 Default Join Database 121<br />
9.19 Login Behavior 122<br />
9.20 Impersonation 125<br />
4 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
10 Backup and Restore 128<br />
10.1 Overview 128<br />
11 Technical Reference 131<br />
11 Technical Reference 131<br />
11 Technical Reference 131<br />
11.1 <strong>Server</strong> Logs and Diagnostics 131<br />
11.2 <strong>Server</strong>.xml 135<br />
11.3 krb5.conf 137<br />
11.4 Database Connection Configuration 138<br />
12 Uninstall 143<br />
12.1 <strong>Server</strong> Software Uninstall 143<br />
12.2 Database Removal 143<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 5 (144)
Installation Planning<br />
1 Installation Planning<br />
1.1 Overview<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> provides basic infrastructure, which is used by the <strong>TIBCO</strong><br />
<strong>Spotfire</strong> and <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player clients.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> has functionality for identifying users and assigning<br />
privileges, serves as a central storage for program updates, is a central repository for<br />
analysis files, and connects to different external data sources.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> can be installed on one machine, or be clustered on several<br />
machines, thus providing load balancing and failover support.<br />
1.2 Architectural Overview<br />
<strong>Spotfire</strong> <strong>Server</strong> can be installed in two different ways. The simplest way is a one server<br />
solution, illustrated with the following picture:<br />
The <strong>Spotfire</strong> <strong>Server</strong> serves requests from clients while communicating with the<br />
database. It may also redirect authentication requests from clients to an authentication<br />
service, if present. Read more about authentication services in the chapter<br />
“Authentication and User Directory” on page 65. The <strong>Spotfire</strong> database holds<br />
information about its environment and users. Also, users can store analyses in the<br />
databases and share them with others.<br />
6 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installation Planning<br />
The Web Player server communicates with the <strong>Spotfire</strong> <strong>Server</strong> much like it does with a<br />
<strong>Spotfire</strong> client. The Web Player provides a subset of the <strong>Spotfire</strong> features specialized<br />
for viewing in a standard web browser, by which users can access the Web Player.<br />
Also installed on the <strong>Spotfire</strong> <strong>Server</strong> is the <strong>Spotfire</strong> Configuration Console. This is a<br />
web-based application used by administrators to configure and manage the system.<br />
Read more about the configuration console in the chapter “Install the Configuration<br />
Console” on page 26.<br />
It is also possible to deploy <strong>Spotfire</strong> <strong>Server</strong> in a multi-server environment. In this<br />
scenario, several <strong>Spotfire</strong> <strong>Server</strong>s are installed, each communicating with the same<br />
database. The clients communicate with a load balancer that has information about the<br />
different servers. It forwards calls from clients to an available server and makes sure<br />
the answers get back to the client.<br />
The recommended way to load balance a <strong>Spotfire</strong> system is based on a model using a<br />
combination of the Apache httpd, its module mod_jk, and the ability of Apache<br />
Tomcat applications to communicate with such a machine. It is possible to use a<br />
different load balancer, as long as it supports session affinity. Read more about load<br />
balancing in the chapter “Load Balancing” on page 59.<br />
In this example, the configuration console is installed on a separate machine.<br />
However, it could instead be installed on one or more of the <strong>Spotfire</strong> <strong>Server</strong>s in your<br />
system according to your preferences.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 7 (144)
Installation Planning<br />
Note that even if you have only one <strong>Spotfire</strong> <strong>Server</strong>, this is still considered as part of a<br />
cluster consisting of one server. This can be seen in every view in the configuration<br />
console, and it is possible to add more servers to the <strong>Spotfire</strong> system in the future, if<br />
expansion of the <strong>Spotfire</strong> system is needed.<br />
The software distributed with <strong>Spotfire</strong> <strong>Server</strong> consists of three main components<br />
running as Apache Tomcat web applications: the <strong>Spotfire</strong> <strong>Server</strong>, the <strong>Spotfire</strong> <strong>Server</strong><br />
Controller, and the Configuration Console. In a non-clustered environment, all three<br />
run within the same instance of Tomcat, as this illustration shows:<br />
In our example of a clustered environment where <strong>Spotfire</strong> <strong>Server</strong> is installed on two<br />
machines, and the configuration console is installed on a separate machine, this can be<br />
illustrated as follows:<br />
The <strong>Spotfire</strong> controller is the process that is first started when the <strong>Spotfire</strong> <strong>Server</strong><br />
Windows Service is started or Unix startup script is run. It starts and stops the <strong>Spotfire</strong><br />
<strong>Server</strong> Tomcat web application process. It also listens to traffic from the configuration<br />
console application. The configuration console provides a web-based interface to<br />
system configuration and administration.<br />
1.3 Migration and Upgrade<br />
When installing <strong>Spotfire</strong> <strong>Server</strong> 3.2, always begin by preparing a database and<br />
installing <strong>Spotfire</strong> <strong>Server</strong> software. If you have been running <strong>Spotfire</strong> before, you may<br />
then perform a migration or an upgrade to transfer information from your previous<br />
installation to your new 3.2 installation. The concepts of migration and upgrade are<br />
similar, yet take slightly different approaches.<br />
Migration<br />
If you are running <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1, you can perform a migration to<br />
<strong>Spotfire</strong> <strong>Server</strong> 3.2. This entails installing and running the Migration Tool, distributed<br />
with the <strong>Spotfire</strong> <strong>Server</strong>. This tool will extract information from a running 10.1<br />
database and insert it into a 3.2 database. It will also extract Library information and<br />
put it into export files that you can later import to the 3.2 database. The 10.1 database<br />
is never written to when you perform a migration.<br />
Upgrade<br />
8 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installation Planning<br />
If you are running <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1, you can perform an upgrade to <strong>Spotfire</strong><br />
<strong>Server</strong> 3.2. This entails running the Upgrade Tool, distributed with the <strong>Spotfire</strong> <strong>Server</strong>.<br />
This tool will modify the 3.0 or 3.1 database so that the 3.2 server can read and write<br />
from and to it, and also copy configuration from a 3.0 or 3.1 server installation.<br />
Additionally, the Upgrade Tool can also read information from an already installed 3.2<br />
server. Because the Upgrade Tool modifies an existing database, it is important that<br />
you back up the 3.0 or 3.1 database, or make a copy of it and perform the upgrade on<br />
this copy.<br />
1.4 Conceptual Outline of Installation<br />
Process<br />
Each step outlined below is explained in detail in “Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2” on<br />
page 16. You should read through that chapter as well as this outline before you<br />
attempt an installation.<br />
1 Read the “Pre-Installation Checklist” on page 10 and write down the needed<br />
information.<br />
2 Prepare the <strong>Spotfire</strong> database. If you are upgrading from 3.0 or 3.1 this includes<br />
backing up or cloning the existing database. If you are performing a fresh install or<br />
migrating from 10.1, this includes creating new database tables.<br />
3 Run the <strong>Spotfire</strong> <strong>Server</strong> installer on all intended machines.<br />
4 Install the latest patch, if any, released for <strong>Spotfire</strong> <strong>Server</strong> since its release.<br />
5 If needed, replace DataDirect database drivers shipped with <strong>Spotfire</strong> with native<br />
database drivers from your database vendor.<br />
6 If you are performing a migration from 10.1, run the migration tool. If you are<br />
performing an upgrade from 3.0 or 3.1, run the upgrade tool.<br />
7 Log into the configuration console.<br />
8 If you have upgraded from 3.0 or 3.1, verify that the configuration is intact. If you<br />
have performed a new install or a migration from 10.1, configure the system regarding<br />
authentication, user directory, etc.<br />
9 Add servers to cluster or verify that all upgraded servers are in the cluster.<br />
10 If load balancing is to be used, set up a load balancer and configure it to communicate<br />
with the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
11 Assign the first <strong>Spotfire</strong> Admin. You will need the unlock code located in the file<br />
codes.txt distributed with the <strong>Spotfire</strong> <strong>Server</strong>.<br />
The <strong>Spotfire</strong> <strong>Server</strong> is now up and running. Next, a number of administrative tasks<br />
need to be performed before the users can use the <strong>Spotfire</strong> system. These tasks are<br />
described in the <strong>TIBCO</strong> <strong>Spotfire</strong> - Deployment and Administration Manual<br />
distributed with the <strong>TIBCO</strong> <strong>Spotfire</strong> Deployment.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 9 (144)
Installation Planning<br />
1.5 Pre-Installation Checklist<br />
Before you begin installing <strong>Spotfire</strong> <strong>Server</strong> 3.2, there are certain things you must<br />
determine. Below is a series of checklists that you must provide answers to before<br />
starting the installation.<br />
Database<br />
You must have a database server up and running before you install <strong>Spotfire</strong> <strong>Server</strong>.<br />
The <strong>Spotfire</strong> <strong>Server</strong> installer will not install a database server, you must provide one<br />
yourself. It is recommended that you run this on a separate and dedicated machine.<br />
<strong>Spotfire</strong> supports Microsoft SQL <strong>Server</strong> and Oracle database engines.<br />
When installing <strong>Spotfire</strong> <strong>Server</strong>, you will run a number of scripts distributed with the<br />
installer that will create and prepare a database. Further specifications about this can<br />
be found in the chapter “Prepare the Database” on page 16.<br />
Note: If you are running <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1, note that you must create a<br />
new database with unique user credentials for <strong>Spotfire</strong> <strong>Server</strong> 3.2. You cannot reuse<br />
the same database or any of its tables. Also note that if you are running the 10.1<br />
database in Oracle XE, there are certain limitations of this database engine you need to<br />
be aware of.<br />
What type of database server and version will<br />
you be using with your <strong>Spotfire</strong> <strong>Server</strong>?<br />
<strong>Spotfire</strong> <strong>Server</strong> supports the database servers<br />
listed on the system requirements web page:<br />
(http://support.spotfire.com/sr.asp)<br />
What is the hostname of the database server?<br />
What are the administrator username and<br />
password for the database server (If you do<br />
not wish to write sensitive information here,<br />
make sure to memorize it)?<br />
What is the SID (Oracle) or the Instance<br />
(MSSQL) name of the database server you<br />
will be using?<br />
10 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installation Planning<br />
When you set up the <strong>Spotfire</strong> database, you will create database users and databases. It<br />
is recommended that you decide what to name these now.<br />
What will be the name of the <strong>Spotfire</strong><br />
database (MSSQL only)?<br />
What will be the name of the <strong>Spotfire</strong><br />
database user?<br />
Note: If the database is using Windows<br />
Integrated Authentication, make note of this<br />
user. If you use Integrated Authentication, the<br />
<strong>Spotfire</strong> <strong>Server</strong> must run as this Windows<br />
Domain user. If the <strong>Spotfire</strong> <strong>Server</strong> needs to<br />
authenticate with other databases<br />
(Information Sources) using Integrated<br />
Authentication, it will only be possible to<br />
authenticate using the Windows user the<br />
<strong>Spotfire</strong> server runs as.<br />
What will be the password of the <strong>Spotfire</strong><br />
database user?<br />
<strong>Server</strong> Details<br />
<strong>Spotfire</strong> <strong>Server</strong> 3.2 can be installed on one or more machines, each one storing<br />
information in the same database. If you install more than one server, you can use a<br />
separate computer as a load balancer to redirect calls from clients to an available<br />
server. This will improve performance if you have many users, and will also make use<br />
of fail-over functionality, which is convenient if you, for instance, need to take one or<br />
more servers offline for maintenance.<br />
The <strong>Spotfire</strong> servers are always organized in a cluster, even if you have only one<br />
server. You can install more servers and add to your cluster at any time.<br />
For more information, see “Architectural Overview” on page 6.<br />
For comprehensive system requirements refer to http://support.spotfire.com/sr.asp.<br />
Always check here to find updated and precise specifications.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 11 (144)
Installation Planning<br />
How many <strong>Spotfire</strong> <strong>Server</strong>s are you going to<br />
install?<br />
What will you call the cluster that the<br />
server(s) will belong to?<br />
What is (are) the hostname(s) of the intended<br />
<strong>Spotfire</strong> <strong>Server</strong> machine(s)?<br />
Note: The hostnames cannot contain the<br />
character “_” (underscore). If it does, you<br />
will need to change the names before you<br />
install.<br />
What is the hostname of the intended<br />
Configuration Console machine (may be a<br />
separate machine or any <strong>Spotfire</strong> <strong>Server</strong><br />
machine)?<br />
If you intend to install a load balancer, what<br />
is the hostname of it?<br />
What operating system(s) are you going to<br />
install <strong>Spotfire</strong> <strong>Server</strong> and Configuration<br />
Console on?<br />
<strong>Spotfire</strong> <strong>Server</strong> can be installed on Windows<br />
<strong>Server</strong> 2003, 2008, and 2008 R2, Solaris 9<br />
and 10 (SPARC-based editions), Red Hat<br />
Enterprise Linux 4 and 5, and SUSE Linux<br />
Enterprise 9 and 10.<br />
Ports<br />
The <strong>Spotfire</strong> <strong>Server</strong> installer will ask for three listen ports to be used by three different<br />
applications: <strong>Spotfire</strong> <strong>Server</strong>, Configuration Console, and <strong>Spotfire</strong> Controller. Each of<br />
these applications are described in the section “Architectural Overview” on page 6.<br />
If you are installing <strong>Spotfire</strong> <strong>Server</strong> on a machine that is already running other<br />
applications you must ensure that you do not select any port that is already in use by<br />
these applications.<br />
If you already have <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1 or <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1<br />
installed on a machine, and intend to install <strong>Spotfire</strong> <strong>Server</strong> 3.2 on the same machine,<br />
note that the 10.1 or 3.0 or 3.1 server is already using three ports. You must ensure that<br />
you do not select the same ports for the 3.2 server.<br />
Note: Selecting a port already in use may result in failure to start one or more of the<br />
servers...<br />
12 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installation Planning<br />
Which port number will be used for the<br />
<strong>Spotfire</strong> <strong>Server</strong> port?<br />
(Default: 80)<br />
Which port number will be used for the<br />
Configuration Console port?<br />
(Default: 8080)<br />
Which port number will be used for the<br />
<strong>Spotfire</strong> Controller port?<br />
(Default: 8078)<br />
Authentication and User Directory<br />
Authentication is when users prove to the system who they are. The user directory is<br />
where the <strong>Spotfire</strong> system stores user and group names used to set and verify<br />
permissions. The <strong>Spotfire</strong> system is able to authenticate users internally or with<br />
external sources. User directory information may be synchronized with an external<br />
source. These settings are called authentication methods and user directory methods,<br />
respectively. Which methods and combinations to select depends entirely on factors<br />
such as number of users and what kind of infrastructure already exists in the network<br />
in which <strong>Spotfire</strong> is used.<br />
It is vital that you have a clear idea of which authentication and user directory<br />
alternatives you wish to set up. Also note that certain alternatives will require you to<br />
have a solid knowledge of how that technology works.<br />
This manual explains how to set up <strong>Spotfire</strong> <strong>Server</strong> to work with various<br />
authentication and user directory sources, but many of these must already be in place<br />
and working in your organization before you attempt to install <strong>Spotfire</strong> <strong>Server</strong>. This<br />
manual will not explain how to configure these sources, only how to connect to them.<br />
For example, if you intend to set up <strong>Spotfire</strong> <strong>Server</strong> to authenticate with an LDAP<br />
system, then you must know how that LDAP system is set up in your organization. If<br />
you do not, then you must get assistance from someone in your organization that is<br />
responsible for that system.<br />
To help you select an authentication and user directory combination, please see<br />
“Authentication and User Directory” on page 65.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 13 (144)
Installation Planning<br />
Authentication<br />
Will you use any type of username and<br />
password login? If so, which type? Valid<br />
options are<br />
• <strong>Spotfire</strong> Database<br />
User Directory<br />
• LDAP<br />
• Windows NT Domain<br />
• Custom JAAS<br />
Will you use any type of single sign-on<br />
login? If so, which type? Valid options are<br />
• Kerberos<br />
• X.509 Client Certificate<br />
• NTLM<br />
Note: Single sign-on is not possible with the<br />
<strong>Spotfire</strong> Database authentication method.<br />
If you will use any login method other than<br />
<strong>Spotfire</strong> Database you need extensive<br />
knowledge of that authentication method, and<br />
how it is set up in your organization.<br />
If you do not have this, you should write<br />
down the name and contact information of<br />
someone who can assist you with this.<br />
Which User Directory method will you use?<br />
Valid options are<br />
• <strong>Spotfire</strong> Database<br />
• LDAP<br />
• Windows NT Domain<br />
If you will use any User Directory method<br />
other than <strong>Spotfire</strong> Database you need<br />
extensive knowledge of this authentication<br />
method, and how it is set up in your<br />
organization.<br />
If you do not have this, you should write<br />
down the name and contact information of<br />
someone who can assist you with this.<br />
14 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installation Planning<br />
Before you continue with the installation of <strong>Spotfire</strong> <strong>Server</strong>, you should make sure to<br />
write down all the information in the tables above.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 15 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2 Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2.1 Overview<br />
This chapter explains how to install <strong>Spotfire</strong> <strong>Server</strong> 3.2. Please perform the following<br />
instructions carefully:<br />
MIGRATING OR UPGRADING?<br />
Important: Before you start the installation process below, make sure<br />
you have backups of the 10.1 or 3.0 or 3.1 server software and<br />
databases. For an explanation of the distinction between migration and<br />
upgrade see the section “Migration and Upgrade” on page 8.<br />
2.2 Prepare the Database<br />
2.2.1 Prerequisites<br />
Before you begin installing <strong>Spotfire</strong> <strong>Server</strong>, make sure your database server complies<br />
with the latest system requirements at:<br />
http://support.spotfire.com/sr.asp<br />
2.2.2 Upgrading from <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1<br />
UPGRADING FROM 3.0 OR 3.1 TO 3.2?<br />
If you are running <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1, do not run the database<br />
preparation scripts described below. Continue to “Install <strong>Spotfire</strong><br />
<strong>Server</strong>” on page 22 and follow the instructions there. Once you have<br />
the 3.2 server installed, run the Upgrade tool to upgrade your database.<br />
2.2.3 Overview<br />
Before you can run the <strong>Spotfire</strong> <strong>Server</strong> installer, you must set up the <strong>Spotfire</strong> Database<br />
used to manage users and groups, and optionally the <strong>Spotfire</strong> Demo Database which<br />
contains some demo data and analyses. This is done by running a few scripts.<br />
However, these must first be modified to suit your system.<br />
You can use either an Oracle database server or a Microsoft SQL <strong>Server</strong> to hold your<br />
<strong>Spotfire</strong> <strong>Server</strong> Database. Depending on your choice, please continue to either:<br />
• “Oracle” on page 17<br />
• “Microsoft SQL <strong>Server</strong>” on page 19.<br />
16 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2.2.4 Oracle<br />
2.2.4.1 Prerequisites<br />
In order for the scripts to work, and for the <strong>Spotfire</strong> <strong>Server</strong> to be able to communicate<br />
with the databases once installed, the following settings must be configured on the<br />
Oracle <strong>Server</strong>:<br />
• The Oracle <strong>Server</strong> must allow for username and password authentication.<br />
• National Language Support (NLS) must be set to match the language in which<br />
you will store data (affects search).<br />
If the database server NLS cannot be set to match the language in which you will store<br />
data, Oracle provides other methods of setting NLS to a specific database or user, such<br />
as per session. Refer to the Oracle database documentation for more information about<br />
this..<br />
MIGRATING FROM 10.1 TO 3.2?<br />
If you are using an Oracle XE server to store the 10.1 databases, and<br />
intend to use the same database server to store the 3.2 database, you<br />
must begin by modifying the Oracle XE configuration. Specifically,<br />
you need to set how connections are monitored. You do this by<br />
executing the SQL command<br />
ALTER SYSTEM SET PROCESSES=150 SCOPE=SPFILE;<br />
using the Oracle administration tool you normally use. You must restart<br />
the Oracle XE TNS listener after you have done this. It is important that<br />
you do this before preparing the 3.2 database and migrating the 10.1<br />
data to it.<br />
Note: It is strongly recommended that you do not store the <strong>Spotfire</strong><br />
<strong>Server</strong> 3.2 database on an Oracle XE database server. You should<br />
upgrade to a supported production version of Oracle.<br />
2.2.4.2 Copy the Scripts to the Database <strong>Server</strong><br />
1 On the installation media, find the scripts directory:<br />
• scripts/oracle_install<br />
2 Copy the entire directory to your database server.<br />
Comment: The commandline database tools (sqlplus, sqlload, etc) must be in the<br />
system path of the database server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 17 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2.2.4.3 Modify the create_databases Script<br />
In the folder you just copied, you will find a file called create_databases.bat<br />
(Windows) or create_databases.sh (Solaris/Red Hat Enterprise Linux/SUSE Linux<br />
Enterprise).<br />
1 Open this file in a text editor.<br />
2 Find the rows:<br />
set ROOTFOLDER=<br />
set CONNECTIDENTIFIER=<br />
set ADMINNAME=system<br />
set ADMINPASSWORD=<br />
set SERVERDB_USER=<br />
set SERVERDB_PASSWORD=<br />
set SERVER_DATA_TABLESPACE=SPOTFIRE_DATA_32<br />
set SERVER_TEMP_TABLESPACE=SPOTFIRE_TEMP_32<br />
rem Demo data parameters<br />
rem Demo data parameters<br />
set INSTALL_DEMODATA=yes<br />
3 Specify these variables.<br />
• ROOTFOLDER. This is where the tablespaces will be created, thus it must be a<br />
directory that is writable for the Oracle instance, usually /<br />
oradata/.<br />
• CONNECTIDENTIFIER. This is the Oracle TNS name of the database.<br />
• ADMINNAME. This is the name of a user with admin privileges on the<br />
database. Defaults to the default system account.<br />
• ADMINPASSWORD. This is the password of the above user.<br />
• SERVERDB_USER. This is the user that will be created and used to set up the<br />
<strong>Spotfire</strong> database.<br />
• SERVERDB_PASSWORD. This is the password of the above user.<br />
• SERVER_DATA_TABLESPACE. This is the name of the tablespace that will be<br />
created. The default value should work for most systems.<br />
• SERVER_TEMP_TABLESPACE. This is the name of the temporary tablespace<br />
that will be created. The default value should work for most systems.<br />
• INSTALL_DEMODATA. This controls whether or not the demo database will<br />
be created. Set to “no” if you do not wish to create it. The default is “yes”.<br />
All the variables must be set to new and unique names. If you wish to create the demo<br />
database, do not change the default username and password.<br />
Note: If you install the demo database, you need to perform additional steps to make<br />
the data available to the users. Please see the the section “Making the Demo Database<br />
Available” on page 54 for more information on how to do this.<br />
4 Save the file and exit the editor.<br />
18 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
The demo database contains example data that is useful for learning about <strong>Spotfire</strong>. If<br />
the users are new to <strong>Spotfire</strong>, you might want to install it.<br />
Note: If you are creating the <strong>Spotfire</strong> tablespaces on a database server that is already<br />
hosting Analytics <strong>Server</strong> 10.1 or <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1 tablespaces, ensure that you<br />
do not select any names for the 3.2 databases and users that conflict with the 10.1, 3.0,<br />
or 3.1 tablespaces and users.<br />
2.2.4.4 Run the create_databases.bat/.sh Script<br />
Once the scripts have been properly set up, run the create_databases.bat (or<br />
create_databases.sh) script. Running this script will execute all of the other SQL<br />
scripts in the folder.<br />
1 Open a command prompt window.<br />
2 Navigate to the directory where you placed the scripts.<br />
3 Type create_databases.bat and press Enter.<br />
Response: The scripts now set up the <strong>Spotfire</strong> Database needed to run <strong>Spotfire</strong><br />
<strong>Server</strong>, and the <strong>Spotfire</strong> Demo Database which contains demo data. Note<br />
that this may take some time.<br />
A log file called log.txt will be created in the same directory as the create_databases<br />
file. Also, a number of log files from the creation of the <strong>Spotfire</strong> demo data will be<br />
created. Please examine these files to verify that no errors occurred.<br />
Proceed to “Install <strong>Spotfire</strong> <strong>Server</strong>” on page 22 when finished.<br />
2.2.5 Microsoft SQL <strong>Server</strong><br />
2.2.5.1 Prerequisites<br />
In order for the scripts to work the following settings need to be configured on the<br />
Microsoft SQL <strong>Server</strong>:<br />
• TCP/IP communication must be enabled.<br />
• A TCP/IP listener port must be configured (The recommended default is 1433).<br />
• A case insensitive collation must be used (at least for the <strong>Spotfire</strong> database).<br />
• Collation must match the language in which you will store data (affects search).<br />
2.2.5.2 Copy the Scripts to the Database <strong>Server</strong><br />
1 On the installation media, find the scripts directory:<br />
• scripts/mssql_install<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 19 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2 Copy this entire directory to a temporary place on the local disk of your intended<br />
database server.<br />
Comment: The commandline database tools (sqlcmd etc) must be in the system path<br />
of the database server.<br />
2.2.5.3 Modify the create_databases.bat Script<br />
In the folder you just copied you will find two files called create_databases.bat and<br />
create_databases_ia.bat. If you are using Windows Integrated Authentication (ia) on<br />
your Microsoft SQL <strong>Server</strong>, use the second one. Otherwise, use the first one.<br />
Note: Windows Integrated Authentication requires additional steps. See the section<br />
“Run <strong>Spotfire</strong> <strong>Server</strong> as Domain User” on page 28 for more information about this.<br />
1 Open this file in a text editor.<br />
2 Find the rows:<br />
set CONNECTIDENTIFIER=\<br />
set ADMINNAME=sa<br />
set ADMINPASSWORD=<br />
set SERVERDB_NAME=spotfire_server32<br />
set SERVERDB_USER=<br />
set SERVERDB_PASSWORD=<br />
rem Demo data parameters<br />
set INSTALL_DEMODATA=yes<br />
Note: If you are using Windows Integrated Authentication, the<br />
create_server_user_ia.sql script will create a database user (SERVERDB_USER) for<br />
the server database (SERVERDB_NAME). The database user is then tied to the SQL<br />
<strong>Server</strong> login named WINDOWS_LOGIN_ACCOUNT.<br />
3 Specify these variables.<br />
• CONNECTIDENTIFIER. Set this by replacing with the name of<br />
the server running the SQL <strong>Server</strong> instance, and replacing<br />
with the name of the SQL <strong>Server</strong> instance.<br />
• ADMINNAME. This is the name of a user with admin privileges on the<br />
database, most often sa. This is not used if you are using Windows Integrated<br />
Authentication.<br />
• ADMINPASSWORD. This is the password of the above user. This is not used if<br />
you are using Windows Integrated Authentication.<br />
• SERVERDB_NAME. This is the name of the database that will be created.<br />
• SERVERDB_USER. This is the user that you wish to create and use for this<br />
database.<br />
• SERVERDB_PASSWORD. This is the password for the above user. This is not<br />
used if you are using Windows Integrated Authentication.<br />
20 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
• INSTALL_DEMODATA. This controls whether or not the demo database<br />
should be created. Set to “no” if you do not wish to create it. The default is<br />
“yes”.<br />
• WINDOWS_LOGIN_ACCOUNT. This is the Windows Login Account that is<br />
used to authenticate with the database server. This is not used if you are using<br />
database authentication.<br />
Note: When using Windows Integrated Login, the create_server_user_ia.sql script<br />
will create a database user with the name specified in the<br />
WINDOWS_LOGIN_ACCOUNT. By default, it is assumed that a Windows login<br />
with this name already exists. If it does not and you wish to create such a login, open<br />
the script in a text editor and uncomment the section that reads<br />
/*<br />
use master<br />
GO<br />
CREATE LOGIN [$(WINDOWS_LOGIN_ACCOUNT)] FROM WINDOWS WITH<br />
DEFAULT_DATABASE=[$(SERVERDB_NAME)], DEFAULT_LANGUAGE=[us_english]<br />
GO<br />
ALTER LOGIN [$(WINDOWS_LOGIN_ACCOUNT)] ENABLE<br />
GO<br />
DENY VIEW ANY DATABASE<br />
TO [$(WINDOWS_LOGIN_ACCOUNT)]<br />
*/<br />
If you wish to create the demo database, do not change the default database name,<br />
username, and password. Make sure that the database server does not have a database<br />
or a user with these names already.<br />
Note: If you install the demo database, you need to perform additional steps to make<br />
the data available to the users. Please see the the section “Making the Demo Database<br />
Available” on page 54 for more information on how to do this.<br />
4 Save the file and exit the editor.<br />
The demo database contains example data that is useful for learning about <strong>Spotfire</strong>. If<br />
the users are new to <strong>Spotfire</strong>, you might want to install it.<br />
Case Sensitive Collation<br />
If your database server is set to use a case sensitive collation by default, you must also<br />
specify that the <strong>Spotfire</strong> database should be case insensitive. To do this, you must edit<br />
the SQL script create_server_db.sql:<br />
1 Open this file in a text editor.<br />
2 Find the commented out line<br />
--create database $(SERVERDB_NAME) collate Latin1_General_CI_AS;<br />
3 Remove the leading “--”. Set the collation to the collation of your preference, and<br />
make sure it is case insensitive (CI), for example Latin1_General_CI_AS. (Refer to the<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 21 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
Microsoft SQL <strong>Server</strong> documentation for more information about available<br />
collations).<br />
4 Comment out the line below it:<br />
--create database $(SERVERDB_NAME)<br />
5 Save the file and exit the editor.<br />
2.2.5.4 Run the create_databases Script<br />
Once the scripts have been properly set up, run the create_databases.bat or<br />
create_databases_ia.bat script. Running this script will execute all of the other sql<br />
scripts in the folder.<br />
1 Open a command prompt window.<br />
2 Navigate to the directory where you placed the scripts.<br />
3 Type create_databases.bat or create_databases_ia.bat and press Enter.<br />
Response: The scripts now set up the database table needed to run <strong>Spotfire</strong> <strong>Server</strong>.<br />
Note that this may take some time.<br />
A number of log files will be created in the same directory as the create_databases file.<br />
Please examine these files to verify that no errors occurred.<br />
Proceed to “Install <strong>Spotfire</strong> <strong>Server</strong>” on page 22 when finshed.<br />
2.3 Install <strong>Spotfire</strong> <strong>Server</strong><br />
2.3.1 Prerequisites<br />
Before you begin installing <strong>Spotfire</strong> <strong>Server</strong>, make sure your intended machine<br />
complies with the system requirements.<br />
http://support.spotfire.com/sr.asp<br />
2.3.2 Overview<br />
The <strong>Spotfire</strong> <strong>Server</strong> installer lets you install two components:<br />
• The <strong>Spotfire</strong> <strong>Server</strong><br />
• The <strong>Spotfire</strong> Configuration Console<br />
Depending on how you want to set up your system, you can select to install both these<br />
applications on the same machine, or if you prefer, you can choose to install them on<br />
separate machines.<br />
22 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
If you plan to run only a single <strong>Spotfire</strong> <strong>Server</strong>, you will most likely install both the<br />
<strong>Spotfire</strong> <strong>Server</strong> and the <strong>Spotfire</strong> Configuration Console on the same machine. In a<br />
clustered environment with several <strong>Spotfire</strong> <strong>Server</strong>s, it is often preferable to install the<br />
configuration console on a separate machine. This way, you can avoid having the<br />
configuration console going down if you for instance need to bring down a <strong>Spotfire</strong><br />
<strong>Server</strong> machine for maintenance.<br />
For more information on the configuration console and what it does, see “Install the<br />
Configuration Console” on page 26.<br />
2.3.3 Run Installer<br />
MIGRATING OR UPGRADING?<br />
Running 10.1, 3.0, or 3.1 and 3.2 on the Same Machine<br />
It is possible to run two versions of the server on the same machine as<br />
long as they communicate on different ports.<br />
The <strong>Spotfire</strong> <strong>Server</strong> installer will ask for three ports: <strong>Spotfire</strong> <strong>Server</strong><br />
port, Configuration Console port, and <strong>Spotfire</strong> Controller port. Each of<br />
these applications is described in the section “Architectural Overview”<br />
on page 6. Ensure that you do not select any port that is already in use<br />
by 10.1 or 3.0. Before starting the <strong>Spotfire</strong> <strong>Server</strong>, you must also make<br />
sure that none of the other ports used by the servers collide. All port<br />
numbers are specified in the file server.xml, located in the directory<br />
/server/conf/ on the 10.1 server, and<br />
/tomcat/conf/ on the 3.0, 3.1, and 3.2<br />
server. For a full specification of this file, see the section “<strong>Server</strong>.xml”<br />
on page 135.<br />
Microsoft SQL <strong>Server</strong> Windows Integrated Login<br />
If the 3.0 or 3.1 installation authenticates with a Microsoft SQL <strong>Server</strong><br />
using Windows Integrated Login, it is important to install and run the<br />
3.2 server using the same Windows Domain user.<br />
Alternatively, you can re-configure your Microsoft SQL <strong>Server</strong> to<br />
accept another Windows Domain user to access the <strong>Spotfire</strong> database.<br />
See also the section “Run the Upgrade Tool” on page 38 for<br />
information about the upgrade tool and Windows Integrated Login.<br />
In the installation kit, you will find the installer (install.exe or install.bin). Copy this<br />
file to the machine on which you want to install the <strong>Spotfire</strong> <strong>Server</strong>.<br />
It is possible to run the <strong>Spotfire</strong> <strong>Server</strong> installer silently using predefined parameters.<br />
This is useful when you wish to install several servers with the same setup. See<br />
“Installing <strong>Spotfire</strong> <strong>Server</strong> Silently Using Pre-defined Parameters” on page 84 for<br />
more information.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 23 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
<br />
Note: While it is possible for the installer to start the upgrade tool, this is not possible<br />
if you run the installer silently. The upgrade tool must then be run separately.<br />
Run the Installer:<br />
1 Run the installer.<br />
Comment: If you are using Microsoft SQL <strong>Server</strong> with Windows Integrated<br />
Authentication, it is important that you install the <strong>Spotfire</strong> <strong>Server</strong> with the<br />
same Domain User that you set up with the create_databases_ia.bat script.<br />
This ensures that the Domain User authenticating with the database server<br />
has the appropriate permissions to all files in the <strong>Spotfire</strong> <strong>Server</strong><br />
installation. You must also make sure that the <strong>Spotfire</strong> <strong>Server</strong> always runs<br />
as this Domain User. See the section “Run <strong>Spotfire</strong> <strong>Server</strong> as Domain<br />
User” on page 28 for more information about this.<br />
2 The Introduction dialog is displayed. Click Next.<br />
3 The <strong>TIBCO</strong> License dialog is displayed. Read the license agreement and select the<br />
appropriate radio button. Click Next.<br />
4 The Third Party Components dialog is displayed. Select whether or not you want to<br />
download these.<br />
These components are only needed if you intend to configure your system to use<br />
NTLM login. If you are certain that you do not, then you can select not to download<br />
these. If you are unsure, it is recommended that you download these in case you later<br />
decide to set up your system for NTLM. If you select to download them without<br />
having access to the Internet, the installer will display a warning later in the<br />
installation process. The <strong>Spotfire</strong> products will still be installed.<br />
Note: These components can also be found at http://public.tibco.com/pub/tibco_oss/<br />
jcifs/jcifs_1.3.14.zip. This zip file contains the file jcifs.jar. To install this file<br />
manually, copy it to the folder<br />
/tomcat/webapps/spotfire/WEB-INF/lib/.<br />
Click Next.<br />
5 If you selected to download third party components in the previous dialog, the Third<br />
Party License dialog is displayed. Read the license agreement and select the<br />
appropriate radio button. Click Next.<br />
6 The Choose Install Set dialog is displayed. Select whether you want to install only the<br />
<strong>Spotfire</strong> <strong>Server</strong> or if you also want to install the <strong>Spotfire</strong> Configuration Console.<br />
If you plan to run only a single <strong>Spotfire</strong> <strong>Server</strong>, you will most likely install both the<br />
<strong>Spotfire</strong> <strong>Server</strong> and the <strong>Spotfire</strong> Configuration Console on the same machine. In a<br />
clustered environment with several <strong>Spotfire</strong> <strong>Server</strong>s, it is often preferable to install the<br />
configuration console on a separate machine.<br />
Note: If you want both on the same machine, you must install them at the same time.<br />
If you later decide that you want to run the configuration console on a machine which<br />
already has <strong>Spotfire</strong> <strong>Server</strong> installed, you must first uninstall the <strong>Spotfire</strong> <strong>Server</strong>.<br />
24 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
Click Next.<br />
7 The Installation Folder is displayed. Specify where you want to install the previously<br />
selected component(s). Click Next.<br />
8 The OS Architecture dialog is displayed. Select whether you want to install the 32-bit<br />
or 64-bit version of <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>.<br />
The 64-bit version can only be installed on a 64-bit operating system. The 32-bit<br />
Windows and Solaris version can be installed on either a 64-bit or a 32-bit operating<br />
system. The 32-bit Red Hat and SUSE versions can only be installed on 32-bit Red<br />
Hat and SUSE systems.<br />
Note: The version of <strong>Spotfire</strong> <strong>Server</strong> you select to install must match the version of<br />
database drivers it uses. All JDBC database drivers packaged with the <strong>Spotfire</strong> <strong>Server</strong><br />
exist in both 32-bit and 64-bit versions. If you intend to configure the <strong>Spotfire</strong> <strong>Server</strong><br />
to use ODBC Data Sources (as Information Services Data Sources), please note that<br />
while the <strong>Spotfire</strong> <strong>Server</strong> comes bundled with a 32-bit only Oracle (Sun) JDBC-<br />
ODBC bridge, it is recommended that this bridge is used for testing only. For<br />
production use, a commercial JDBC-ODBC bridge should be used. If you intend to<br />
use the bundled JDBC-ODBC bridge, you must install the 32-bit version of the<br />
<strong>Spotfire</strong> <strong>Server</strong>. If unsure, select 32-bit.<br />
Click Next.<br />
9 Windows only. The Windows Service dialog is displayed. You have three options:<br />
• Do not create Windows Service.<br />
• Create Windows Service, but do not start it.<br />
• Create Windows Service, and start it at the end of installation.<br />
Select the option you want and click Next.<br />
10 The <strong>Spotfire</strong> <strong>Server</strong> Ports dialog is displayed. Specify which ports you want the<br />
<strong>Spotfire</strong> <strong>Server</strong> and the <strong>Spotfire</strong> controller to communicate on. Click Next.<br />
11 If you have selected to also install the configuration console, the Configuration Port<br />
dialog is displayed. Specify which port you want the configuration console to<br />
communicate on. Click Next.<br />
12 The Installation Summary dialog is displayed. Click Install.<br />
Response: The installation starts.<br />
13 The Upgrade dialog is displayed. If you are performing an upgrade from 3.0 or 3.1 to<br />
3.2, you can select to start the upgrade tool automatically when the installer finishes.<br />
Check the box if you want to do this.<br />
14 The Install Complete dialog is displayed. Click Done.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 25 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
Comment: A registration URL is shown in the Install complete dialog. You are<br />
strongly incouraged to register your <strong>Spotfire</strong> <strong>Server</strong> installation with<br />
<strong>TIBCO</strong>.<br />
If you intend to run several <strong>Spotfire</strong> <strong>Server</strong>s in a cluster, repeat these instructions for<br />
each machine.<br />
Proceed to “Install the Configuration Console” on page 26 when finished.<br />
2.4 Install the Configuration Console<br />
If you have a single <strong>Spotfire</strong> <strong>Server</strong>, then you have most likely already installed the<br />
configuration console at the same time you installed the <strong>Spotfire</strong> <strong>Server</strong>, that is, when<br />
performing the instructions in “Install <strong>Spotfire</strong> <strong>Server</strong>” on page 22.<br />
If you want to install the configuration console on a separate machine, then follow the<br />
instructions in this section. Otherwise, continue to the section “Install Patches” on<br />
page 29.<br />
2.4.1 Prerequisites<br />
Before you begin installing <strong>Spotfire</strong> Configuration Console, make sure your intended<br />
machine complies with the system requirements at http://support.spotfire.com/sr.asp<br />
2.4.2 Overview<br />
The <strong>Spotfire</strong> Configuration Console is an application with a web user interface that is<br />
used to configure the <strong>Spotfire</strong> environment:<br />
• Manage the servers in a cluster.<br />
• Configure authentication.<br />
• Configure user directory.<br />
• Set up data source templates.<br />
• Configure impersonation.<br />
• Set up client login behavior.<br />
Note: If you have a single server system, it is still considered a cluster of one server.<br />
2.4.3 Run Installer<br />
In the installation kit, you will find the installer (install.exe or install.bin). Copy this<br />
file to the machine on which you want to install the <strong>Spotfire</strong> Configuration Console.<br />
Note: You cannot install the configuration console on a machine that already is<br />
running <strong>Spotfire</strong> <strong>Server</strong>. If you want the configuration console installed on a machine<br />
26 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
<br />
that is running <strong>Spotfire</strong> <strong>Server</strong>, you must install them at the same time. If you want to<br />
run the configuration console on a machine which already has <strong>Spotfire</strong> <strong>Server</strong><br />
installed, you must first uninstall the <strong>Spotfire</strong> <strong>Server</strong>.<br />
It is possible to run the <strong>Spotfire</strong> <strong>Server</strong> installer silently using predefined parameters.<br />
This is useful in when you wish to install several servers with the same setup. See<br />
“Installing <strong>Spotfire</strong> <strong>Server</strong> Silently Using Pre-defined Parameters” on page 84 for<br />
more information.<br />
To run the Installer:<br />
1 Run the installer.<br />
2 The Introduction dialog is displayed. Click Next.<br />
3 The <strong>TIBCO</strong> License dialog is displayed. Read the license agreement and select the<br />
appropriate radio button. Click Next.<br />
4 The Third Party Components dialog is displayed. You do not need these for the<br />
configuration console, so select not to download these.<br />
Click Next.<br />
5 The Choose Install Set dialog is displayed. Since you are installing the configuration<br />
console on a separate machine from the <strong>Spotfire</strong> <strong>Server</strong>, select to install only the<br />
<strong>Spotfire</strong> Configuration Console.<br />
Click Next.<br />
6 The Installation Folder is displayed. Specify where you want to install the previously<br />
selected component(s). Click Next.<br />
7 The OS Architecture dialog is displayed. Select whether you want to install the 32-bit<br />
or 64-bit version of <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>.<br />
The 64-bit version can only be installed on a 64-bit operating system. The 32-bit<br />
version can be installed on either a 64-bit or a 32-bit operating system.<br />
The 64-bit version can only be installed on a 64-bit operating system. The 32-bit<br />
Windows and Solaris version can be installed on either a 64-bit or a 32-bit operating<br />
system. The 32-bit Red Hat and SUSE versions can only be installed on 32-bit Red<br />
Hat and SUSE systems.<br />
Click Next.<br />
8 Windows only. The Windows Service dialog is displayed. You have three options:<br />
• Do not create Windows Service.<br />
• Create Windows Service, but do not start it.<br />
• Create Windows Service, and start it at the end of installation.<br />
Select the option you want and click Next.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 27 (144)
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
9 The Configuration Port dialog is displayed. Specify which port you want the<br />
configuration console to communicate on. Click Next.<br />
10 The Installation Summary dialog is displayed. Click Install.<br />
Response: The installation starts.<br />
11 The Upgrade dialog is displayed. If you are performing an upgrade from 3.0 or 3.1 to<br />
3.2, you can select to start the upgrade tool automatically when the installer finishes.<br />
Check the box if you want to do this.<br />
12 The Install Complete dialog is displayed. Click Done.<br />
2.5 Run <strong>Spotfire</strong> <strong>Server</strong> as Domain User<br />
<br />
<br />
If your database server uses Windows Integrated Authentication, your <strong>Spotfire</strong> <strong>Server</strong><br />
needs to run as a Windows Domain user that has permissions to use the <strong>Spotfire</strong><br />
database. To do this, you must perform the following steps:<br />
Run <strong>Spotfire</strong> <strong>Server</strong> as Domain User using Windows Service<br />
1 Start Control Panel > Administrative Tools > Services. Find the service called<br />
“<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>” Double-click it to open its Properties dialog.<br />
2 Select the tab Log On.<br />
3 Check the radio button This account and enter the user credentials of the Domain<br />
User set up with the database preparation script create_databases_ia.bat.<br />
4 Click OK.<br />
5 Restart the server.<br />
Run <strong>Spotfire</strong> <strong>Server</strong> as Domain User without Windows Service<br />
6 Log onto the <strong>Spotfire</strong> <strong>Server</strong> machine as the Domain User set up with the database<br />
preparation script create_databases_ia.bat.<br />
7 Start a command prompt.<br />
8 Go to the folder /tomcat/bin<br />
9 Run the startup.bat file.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
10 The controller will stop running if you close the command prompt or log out of the<br />
machine.<br />
Note: Using Windows Integrated Authentication has security implications regarding<br />
the Configuration Console. See the section “Restricting Access to the Configuration<br />
Console” on page 89 for more information about this.<br />
28 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Installing <strong>Spotfire</strong> <strong>Server</strong> 3.2<br />
2.6 Install Patches<br />
Before you continue, you must install all patches released for <strong>Spotfire</strong> <strong>Server</strong> 3.2.<br />
Check the URL http://support.spotfire.com/patches_spotfireserver.asp and<br />
download the latest collection of patches. Installation instructions for each patch are<br />
included in the package.<br />
Note: If you do not perform this step, later steps may fail.<br />
2.7 System Configuration<br />
When you have installed all applicable patches, the next step is to configure the<br />
<strong>Spotfire</strong> system.<br />
If you are migrating from 10.1, see instructions in “Migration from 10.1” on page 30<br />
on how to migrate your information from your 10.1 system.<br />
If you are upgrading from 3.0 or 3.1, see the chapter “Upgrade from 3.0 or 3.1 to<br />
3.2” on page 37 for instructions on how to perform such an upgrade.<br />
If you are installing <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> for the first time, see the chapter<br />
“Configure the System” on page 47 for instructions on how to configure the <strong>Spotfire</strong><br />
system.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 29 (144)
Migration from 10.1<br />
3 Migration from 10.1<br />
MIGRATING FROM 10.1 TO 3.2?<br />
If you are migrating from <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1 to <strong>Spotfire</strong><br />
<strong>Server</strong> 3.2, you must first install a 3.2 server as described in the<br />
previous chapters. When this is done, you can continue with the<br />
instructions below.<br />
Note: You must migrate the 10.1 information before you proceed to<br />
configure the system and start the server. If the <strong>Spotfire</strong> Database<br />
contains anything except what the database preparation scripts create,<br />
the migration tool will not be able to migrate the 10.1 data to it. See the<br />
section “Restoring a <strong>Spotfire</strong> 3.2 Database” on page 35 for more<br />
information about this.<br />
3.1 Overview<br />
The migration tool is an application that transfers data from a <strong>TIBCO</strong> <strong>Spotfire</strong><br />
Analytics <strong>Server</strong> 10.1 database to a <strong>TIBCO</strong> <strong>Spotfire</strong> 3.2 database. It transfers the<br />
information stored in the database, including users (if database authentication is used),<br />
groups and licenses, the Library, and the information model. It does not transfer<br />
deployments. Its intended use is to migrate data from a 10.1 database to a 3.2 database<br />
in connection with a server upgrade.<br />
Note: The migration tool cannot be used to keep a 10.1 and a 3.2 database<br />
synchronized.<br />
The target database, that is the 3.2 database, must be prepared, using the database<br />
preparation scripts that are packaged with <strong>Spotfire</strong> <strong>Server</strong>. However, the database must<br />
be empty before you can use the migration tool. If something is already stored in the<br />
database the migration tool will not be able to to migrate the 10.1 data.<br />
Users, groups, licenses, and configuration will automatically be stored in the 3.2<br />
database, but the Library and the information model will be stored in export files that<br />
can later be imported into the 3.2 database.<br />
You can select whether to do a “full migration” or a “partial migration”. The latter<br />
only extracts the library and the information model from the 10.1 database and puts<br />
these items in export files.<br />
You can also select to do a “test run”, meaning that all steps are performed, but no<br />
actual data is written to the 3.2 database. Note that if you have selected “partial<br />
migration”, this selection has no effect, as nothing will be written to the 3.2 database in<br />
either case.<br />
You can perform as many test runs as you want, and also as many partial migrations as<br />
you want, but once you have performed a full migration you must empty the 3.2<br />
database if for some reason you need to perform a partial or full migration again.<br />
30 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Migration from 10.1<br />
3.2 Prerequisites<br />
In order to run the migration tool, you need a functional <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1<br />
including database, and a prepared 3.2 database. See the section “Prepare the<br />
Database” on page 16 for information on how to prepare a database for <strong>Spotfire</strong> <strong>Server</strong><br />
3.2.<br />
You must install and run the migration tool from the 10.1 server, as you will need<br />
access to the filesystem where the 10.1 server is installed. You must also be able to<br />
connect to the 3.2 database from the 10.1 server for the migration to work.<br />
3.3 Install the Migration Tool<br />
<br />
You must install the migration tool on the <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1, as it requires<br />
file system access to the 10.1 installation folder.<br />
To install the migration tool:<br />
1 Copy the migration folder of the <strong>Spotfire</strong> <strong>Server</strong> distribution, and place it on the<br />
<strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1.<br />
2 Run the install.exe (or install.bin) found in this folder.<br />
3 Proceed through the steps of the installer wizard. When prompted for a destination<br />
folder, specify a folder in which to install the migration tool.<br />
Click Finish when the installer finishes.<br />
3.4 Set up Database Connection File<br />
In order for the migration tool to be able to communicate with the 3.2 database, you<br />
need to provide it with an xml file that contains connection information. Distributed<br />
with the migration tool are two xml files, database-mssql.xml and databaseoracle.xml.<br />
Select the one matching your 3.2 database type.<br />
1 Open the file in a text editor.<br />
2 Find the line that reads<br />
jdbc:tibcosoftwareinc:sqlserver://[hostname]:1433;DatabaseName=[database-name]<br />
or<br />
jdbc:tibcosoftwareinc:oracle://[hostname]:1521;SID=[sid]<br />
and change it so that it matches your database, that is enter the hostname, port and<br />
database name or sid.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 31 (144)
Migration from 10.1<br />
Note: If your database server is using Windows Integrated Authentication, make sure<br />
to use a database URL that reflects this. See the section “Database Connection<br />
Configuration” on page 138 for examples of database URLs.<br />
3 Find the lines that read<br />
[username]<br />
[password]<br />
and change then to reflect the database username and password of your <strong>Spotfire</strong><br />
database. This is the username and password referred to as SERVERDB_USER and<br />
SERVERDB_PASSWD in the section “Prepare the Database” on page 16.<br />
Note: If your database server is using Windows Integrated Authentication, these<br />
variables are not used. You can safely leave them as they are.<br />
4 Save the file and exit the text editor.<br />
3.5 Run the Migration Tool<br />
The migration tool is run from a command line or shell:<br />
C:\tibco\tss\<strong>3.2.2</strong>\migration>migrationtool.bat<br />
When run without any options the application will start in GUI mode. Doing so, you<br />
are then presented with a window that looks like this:<br />
32 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Migration from 10.1<br />
The values prompted for are the following:<br />
When you have entered all the information above, you can perform the migration by<br />
clicking the Migrate button. The output of the migration tool will be presented in the<br />
text field below the heading Migration Log.<br />
When you have performed a migration, the Library content and the information model<br />
will be stored on disk in export files. You can then import the content of these files to<br />
your 3.2 database. See the section “Importing Library Content” on page 58 for more<br />
information about how to do this.<br />
Note: It is only possible to run a full migration once. If you for some reason need to<br />
run it again, you must first restore the database as described in the section “Restoring a<br />
<strong>Spotfire</strong> 3.2 Database” on page 35. It is recommended that you first perform a test run,<br />
to make sure that the migration will run smoothly.<br />
3.5.1 Command Line Usage<br />
10.1 directory The installation folder of the 10.1 server, for<br />
example C:\<strong>TIBCO</strong>\tsas101.<br />
Output directory The folder where the configuration and library<br />
will be exported to as files. Make sure this folder<br />
is capable of storing all the library information.<br />
This could easily be several Gigabytes.<br />
Target database<br />
connection file<br />
Include passwords<br />
Type of migration<br />
Test run<br />
The path to the database connection file you have<br />
prepared.<br />
This option controls whether to include<br />
passwords stored in the information model.<br />
Note: Passwords for users are always migrated<br />
when full migration is selected, and are not<br />
affected by this option.<br />
Specifies whether to perform a full or a partial<br />
migration. A partial migration only exports the<br />
Library content and the information model to<br />
export files, while a full migration also exports<br />
the 10.1 database information and inserts it to the<br />
3.2 database.<br />
If this box is checked, nothing will be written to<br />
the 3.2 database. It is recommended to always<br />
begin by running a test run.<br />
Note: The Library and information model will<br />
still be exported to files.<br />
If you wish to run the migration tool from the command line, you can do so by<br />
entering the migration options as command line options to the .bat or .sh file. For<br />
example:<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 33 (144)
Migration from 10.1<br />
C:\migration>migrationtool.bat -s C:\<strong>TIBCO</strong>\tsas101 -d C:\output -x<br />
C:\migration\database.xml -t<br />
The above command will perform a test run of the migration and place the Library and<br />
information model export files in the directory C:\output.<br />
For a complete list of command line arguments, run the tool with the option -h:<br />
C:\tibco\tss\<strong>3.2.2</strong>\migration>migrationtool.bat -h<br />
usage: migrationtool.bat (or migrationtool.sh)<br />
-d destination directory (required)<br />
-h help<br />
-n no passwords migrated<br />
-p partial migration (only library content and information<br />
model)<br />
-s 10.1 server base directory (required)<br />
-t test run (run migration without writing to the target<br />
database)<br />
-v version<br />
-w set up and run migration via GUI<br />
-x target server configuration file (database.xml)<br />
(required)<br />
3.6 Database Drivers<br />
The migration tool will automatically scan the 10.1 installation directory for any<br />
database drivers used to connect to the <strong>Spotfire</strong> database. If possible, these drivers will<br />
be used by the migration tool to connect to the 3.2 database. However, in some<br />
situations, this is not possible, such as when the 10.1 server uses a database driver not<br />
compatible with 3.2 (such as an old native database driver provided by Oracle). When<br />
this happens, the migration tool will stop with an error message saying that the<br />
database driver cannot be used.<br />
If this happens, you need to manually copy a compatible database driver from the 3.2<br />
server to the directory /lib or download<br />
new drivers from the database server manufaturer. The 3.2 database drivers are located<br />
in the directory /tomcat/lib on the 3.2 server.<br />
Any database drivers used to connect to the <strong>Spotfire</strong> database or to any information<br />
sources set up in the 10.1 server will also be reported by the migration tool in the log<br />
area or on standard output. Note that if you have any special database drivers set up in<br />
the 10.1 server (to connect to an information source, for example), you need to<br />
manually copy these drivers to the 3.2 server, or acquire new ones from your database<br />
provider. Database drivers used to connect to the <strong>Spotfire</strong> Database (such as<br />
ojdbc6.jar, jtds.jar, and sqljdbc(4).jar) should be placed int the directory /tomcat/lib, and database drivers used to connect to other<br />
databases should be placed in the directory /tomcat/<br />
webapps/spotfire/WEB-INF/lib.<br />
Note: If you copy database drivers from a 10.1 server, only copy the ones needed. Do<br />
not copy any other files from the 10.1 installation.<br />
34 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Migration from 10.1<br />
3.7 Log Files<br />
In the migration tool installation directory, there is a folder called logs. This folder<br />
contains three different log files:<br />
debug.log<br />
sql.log<br />
warn.log<br />
Debug.log holds verbose information about exactly what happened, step by step, in the<br />
migration process. Sql.log holds information about every SQL command that was<br />
executed during the migration. Warn.log contains any warnings received during<br />
migration.<br />
If something goes wrong during the migration, these files may contain important<br />
information about the source of the problem. Do not delete them until you know that<br />
the migration is successful.<br />
3.8 Restoring a <strong>Spotfire</strong> 3.2 Database<br />
If the migration fails for some reason and you need to perform it again, you need to<br />
restore the <strong>Spotfire</strong> 3.2 database before you can do this. Distributed with the <strong>Spotfire</strong><br />
<strong>Server</strong> are scripts that will do this, located in the folder scripts/mssql_install/utilities<br />
and scripts/oracle_install/utilities. Select the folder appropriate for your database type.<br />
In the Microsoft SQL folder, you will find the scripts restore_databases.bat and<br />
restore_databases_ia.bat. In the Oracle folder, you fill find the scripts<br />
restore_databases.bat and restore_databases.sh. Select the one appropriate for your<br />
platform and database configuration. Before you run it, you must open it in a text<br />
editor and edit a number of variables. Find the lines that contains the following text:<br />
Microsoft SQL <strong>Server</strong><br />
CONNECTIDENTIFIER=\<br />
SERVERDB_NAME=<br />
SERVERDB_USER=<br />
SERVERDB_PASSWORD=<br />
Note: If you use Windows Integrated Authentication, the variables SERVERDB_USER and<br />
SERVERDB_USER will not be persent.<br />
Oracle<br />
CONNECTIDENTIFIER=<br />
SERVERDB_USER=<br />
SERVERDB_PASSWORD=<br />
Replace these values with the information valid for your database server. See the<br />
section “Prepare the Database” on page 16 for more information about this<br />
information.<br />
When you have entered the information required, you can run the scripts from a<br />
command prompt.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 35 (144)
Migration from 10.1<br />
3.9 Configuration Not Migrated<br />
Single-sign on authentication and database authentication configuration from a 10.1<br />
server is compatible with a 3.2 system. If you use any such authentication, any<br />
configuration files, such as spotfire.keytab, krb5.conf, etc., are put in a subfolder of<br />
the export folder, java-mods. You need to manually move these files to the 3.2<br />
server(s). Refer to the chapter “Authentication and User Directory” on page 65 for<br />
details on where to put these files, or how to set up authentication again.<br />
Database drivers are not migrated and need to be copied manually from a 10.1<br />
installation or aquired anew from your database vendor. In the 10.1 installation, these<br />
drivers are located in the folder<br />
/server/webapps/spotfire/WEB-INF/lib.<br />
Copy the drivers used to connect to the <strong>Spotfire</strong> Database to<br />
/tomcat/lib<br />
Copy the drivers used to connect to other data sources to<br />
/tomcat/webapps/spotfire/WEB-INF/lib<br />
Note: Do not copy any other files from the 10.1 installation directory. If you copy all<br />
the files in the lib folder, for instance, the 3.2 server will be incapacitated and a reinstall<br />
is necessary. If at all unsure, aquire new drivers from your database vendor.<br />
3.10 Uninstall the Migration Tool<br />
When you have made sure that everything has been migrated correctly and as<br />
expected, you can safely uninstall the migration tool. An uninstaller created during<br />
install will be located in the folder /installer/.<br />
Once you have migrated the 10.1 data, you are ready to configure your 3.2 system.<br />
Please proceed to “Configure the System” on page 47.<br />
36 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Upgrade from 3.0 or 3.1 to 3.2<br />
4 Upgrade from 3.0 or 3.1 to 3.2<br />
UPGRADING FROM 3.0 OR 3.1 TO 3.2?<br />
If you are upgrading from <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1 to <strong>Spotfire</strong> <strong>Server</strong><br />
3.2, you must first install a 3.2 server as described in the previous<br />
chapters.<br />
Important: Do not run the database preparation scripts.<br />
When this is done, you can continue with the instructions below.<br />
4.1 Overview<br />
In the <strong>Spotfire</strong> <strong>Server</strong> 3.2 installation kit there is an upgrade tool. This upgrade tool<br />
modifies an existing 3.0 or 3.1 database and transfers configuration from a 3.0 or 3.1<br />
server installation to a 3.2 installation. Alternatively, it can transfer configuration from<br />
an already working 3.2 server installation. This is useful if you are upgrading several<br />
<strong>Spotfire</strong> <strong>Server</strong>s in a cluster.<br />
It is important to back up or clone the 3.0 or 3.1 database before you continue. Below<br />
are explanations to each of the two approaches mentioned above.<br />
4.2 Back up or Clone the 3.0 or 3.1 Database<br />
Before upgrading your 3.0 or 3.1 database and software installation, it is important that<br />
you back up or clone your existing 3.0 or 3.1 database. A “clone” means that you<br />
make a copy of your entire database, with all its information, into a new database, with<br />
a new user and password. You can run the upgrade on either the 3.0 or 3.1 database<br />
that you have used in production, or on a clone that you set up. There are advantages<br />
and disadvantages to both approaches.<br />
Upgrading a <strong>Product</strong>ion 3.0 or 3.1 Database<br />
In this scenario, you will upgrade the database you have been using for <strong>Spotfire</strong> 3.0 or<br />
3.1. The advantages of this approach are:<br />
• All configuration will be exactly the same. Database name and ports can be<br />
reused in the 3.2 installation.<br />
The disadvantages of this approach are:<br />
• You will have to stop using <strong>Spotfire</strong> 3.0 or 3.1 before you start the upgrade and<br />
no <strong>Spotfire</strong> system will be accessible until you have finished the upgrade.<br />
Cloning a 3.0 or 3.1 Database<br />
In this scenario, you will clone a 3.0 or 3.1 database, i.e. create an identical copy of it,<br />
and perform the upgrade the clone. The advantages of this approach are:<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 37 (144)
Upgrade from 3.0 or 3.1 to 3.2<br />
• You will be able to run the <strong>Spotfire</strong> 3.0 or 3.1 system while you upgrade.<br />
• If something should go wrong during the upgrade, your users will not be<br />
affected by this and can continue running <strong>Spotfire</strong> 3.0 or 3.1.<br />
The disadvantages of this approach are:<br />
• <strong>Spotfire</strong> client configuration will have to change, either because you install<br />
<strong>Spotfire</strong> <strong>Server</strong> on a new machine, or on the same machine as 3.0 or 3.1, but<br />
listening to a different port.<br />
• If users continue using the 3.0 or 3.1 system during upgrade, you will have to<br />
export content from the 3.0 or 3.1 database and import it to the 3.2 database<br />
before the users make the switch to 3.2.<br />
The upgrade tool will ask you which of the scenarios you want to perform. Depending<br />
on how you answer, the tool will behave slightly differently.<br />
If you are running a fairly simple system, with only one or a couple of <strong>Spotfire</strong><br />
<strong>Server</strong>s, and downtime during upgrade is acceptable, you should probably upgrade the<br />
production 3.0 or 3.1 database.<br />
4.3 Run the Upgrade Tool<br />
HAVE YOU BACKED UP OR CLONED YOUR 3.0 or 3.1 DATABASE?<br />
Before you run the upgrade tool, it is very important that you make sure<br />
you have a working backup or a clone of your 3.0 or 3.1 database.<br />
In the <strong>Spotfire</strong> <strong>Server</strong> installation directory, there is a subdirectory called upgrade.<br />
There you can find the files upgradetool.bat (Windows) and upgradetool.sh (Unix).<br />
Double-click on the file appropriate for your operating system. You can also start it<br />
from a command line or a shell prompt if desired. The typical and recommended way<br />
to start it is to have the <strong>Spotfire</strong> <strong>Server</strong> Installer start it.<br />
Note: If you have installed <strong>Spotfire</strong> <strong>Server</strong> on Windows and selected to create a<br />
Windows Service and to start it after the installation is done, and then select to run the<br />
upgrade tool, the Windows Service will start after the upgrade tool has finished.<br />
The upgrade tool consists of a number of screens which will prompt you for<br />
information regarding your 3.0 or 3.1 installation and your 3.2 installation. Depending<br />
on selections you make on one screen, the following screens may look slightly<br />
different.<br />
If you need to quit the upgrade tool for some reason, you can select to “Save and<br />
Quit”, and the upgrade tool will continue from where you left off the next time you<br />
start it.<br />
38 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Upgrade from 3.0 or 3.1 to 3.2<br />
Below is a description of each screen in the upgrade tool.<br />
ARE YOU USING MICROSOFT SQL SERVER WITH WINDOWS INTEGRATED<br />
LOGIN?<br />
Welcome Screen<br />
If <strong>Spotfire</strong> <strong>Server</strong> is set up to authenticate with the <strong>Spotfire</strong> database<br />
using Windows Integrated Authentication, it is important that you run<br />
the upgrade tool as the same user that <strong>Spotfire</strong> <strong>Server</strong> authenticates as.<br />
Otherwise, the upgrade tool will not be able to authenticate with the<br />
database.<br />
Alternatively, you can clone the 3.0 or 3.1 database and allow a<br />
different Windows Domain user to access it.<br />
Note: Windows Integrated Authentication implies that the same login<br />
is always used when authenticating. If the <strong>Spotfire</strong> <strong>Server</strong> connects to<br />
the <strong>Spotfire</strong> database using Integrated Authentication, and also<br />
connects to other databases (information sources) authentication with<br />
all databases will be performed using the same Windows login.<br />
The first screen will remind you again to perform a backup. Select Next to continue.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 39 (144)
Upgrade from 3.0 or 3.1 to 3.2<br />
File Locations<br />
This screen asks you from where you wish to copy configuration. You can copy<br />
configuration either from a 3.0 or 3.1 installation or from a 3.2 installation. The latter<br />
is useful if you are upgrading several servers in a cluster and you have already<br />
upgraded one or more servers.<br />
If you select to not copy configuration, you will have to enter all configuration<br />
manually on following screens.<br />
40 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Upgrade from 3.0 or 3.1 to 3.2<br />
Database Upgrade<br />
This screen asks you if you are upgrading a production 3.0 or 3.1 database or if you are<br />
upgrading a clone of the 3.0 or 3.1 database. Depending on how you reply, the<br />
following screens may look different.<br />
If you selected not to copy configuration, you will not see this screen.<br />
Database Drivers Not Installed<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 41 (144)
Upgrade from 3.0 or 3.1 to 3.2<br />
This screen informs you that the upgrade tool cannot find a suitable database driver to<br />
connect to the database. This should only happen if you are using old native database<br />
drivers not supported by <strong>Spotfire</strong> <strong>Server</strong> 3.2 and the upgrade tool. You must manually<br />
copy this database driver from a working <strong>Spotfire</strong> <strong>Server</strong> installation to the /tomcat/lib directory. See the section “Database Connection<br />
Configuration” on page 138 for more information about database drivers. When you<br />
click Done, the upgrade tool will exit. The next time it starts, it will remember the<br />
selections you made on the screen before this.<br />
If there are no database drivers issues, you will not see this screen.<br />
Database Type and Driver<br />
This screen asks you what type of database and what database connection type (driver)<br />
you are using to connect to the database that will be upgraded.<br />
If you selected to copy an existing configuration, you will not see this screen.<br />
42 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Upgrade from 3.0 or 3.1 to 3.2<br />
Database Connection Information<br />
This screen asks you for the connection string, username, and password to the<br />
database that will be upgraded.<br />
If you selected to copy configuration and to upgrade a production database, the<br />
information on this screen will be filled out for you. If you selected to copy<br />
configuration but to upgrade a cloned version of the database, the 3.0 or 3.1 production<br />
database connection string will be printed out on the screen, but you will have to<br />
manually enter the connection string of the cloned database.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 43 (144)
Upgrade from 3.0 or 3.1 to 3.2<br />
<strong>Server</strong> Information<br />
This screen asks you if you want to remove all servers from the cluster, and if you<br />
want to add the computer you are running the upgrade on to the cluster. If this is the<br />
first (or the only) server in the cluster you are upgrading, you should remove all<br />
servers from the cluster.<br />
Click Upgrade to perform the upgrade.<br />
If you have already upgraded one server in the cluster, the upgrade will not make any<br />
changes to the database, as it is was upgraded the first time you ran the upgrade tool.<br />
In this case, the upgrade tool will update configuration to the software installation on<br />
the computer you are running, either by copying it from a 3.0, 3.1, or 3.2 installation,<br />
or from the information you entered in the upgrade tool.<br />
44 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Upgrade from 3.0 or 3.1 to 3.2<br />
Upgrade<br />
This screen will show after the upgrade is finished. It also has information about how<br />
the upgrade went. Following a successful upgrade, it should read either “The database<br />
has been upgraded to <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> 3.2 format” or “The database has already<br />
been upgraded to <strong>TIBCO</strong> <strong>Spotfire</strong> 3.2 format”, the latter indicating that the database<br />
was already in the 3.2 format.<br />
Upgrade Issues<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 45 (144)
Upgrade from 3.0 or 3.1 to 3.2<br />
This screen will list any issues that occurred during upgrade. These might include port<br />
conflicts, missing database drivers, or any other issues discovered during upgrade.<br />
Please take notice of all the issues, if any. You may have to correct some or all of them<br />
manually, either by copying files to the right location, or by configuring the <strong>Spotfire</strong><br />
system using the Configuration Console.<br />
This screen will only appear if there are any issues that need to be addressed.<br />
4.4 Default Join Database<br />
If you have set a default join database in your 3.0 or 3.1 installation to be the <strong>Spotfire</strong><br />
database, and also upgraded a clone of the 3.0 or 3.1 database to 3.2, you will need to<br />
reset the default join database as it will still be set to the 3.0 or 3.1 database. Log into<br />
the Configuration Console, select the Default Join Database tab, and change the value<br />
to the 3.2 database.<br />
If you have not set a default join database, or set it to a different database than the<br />
<strong>Spotfire</strong> database, you can ignore this step.<br />
4.5 Start the <strong>Spotfire</strong> <strong>Server</strong><br />
When the upgrade tool has completed and you have verified that there are no issues<br />
with the upgrade, you need to start the <strong>Spotfire</strong> <strong>Server</strong>. See the section “Starting and<br />
Stopping the <strong>Spotfire</strong> <strong>Server</strong>” on page 104 for instructions on how to do this.<br />
4.6 Verify Configuration<br />
When you have started the <strong>Spotfire</strong> <strong>Server</strong>, you should log into the Configuration<br />
Console and verify that all configuration is as it was before the upgrade. If you need to<br />
make any changes, please refer to the next chapter, “Configure the System” on<br />
page 47.<br />
46 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Configure the System<br />
5 Configure the System<br />
5.1 Overview<br />
After you have set up a database and installed the server software, you must perform a<br />
number of steps to get the system up and running. This chapter will guide you through<br />
the different steps you need to perform.<br />
5.2 <strong>Spotfire</strong> System Security<br />
You may wish to configure security in the <strong>Spotfire</strong> system.<br />
There are several (manual) measures that may be taken. The options available and<br />
recommended are totally depending on the the environment in which the <strong>Spotfire</strong><br />
system is installed. You should confer with network managers and the like to come up<br />
with a solution that fits your specific environment.<br />
The different measures you can take include:<br />
• Set up <strong>Spotfire</strong> to communicate using HTTPS. See the section “Setting up<br />
HTTPS on a <strong>Spotfire</strong> <strong>Server</strong>” on page 86 and/or “Setting up HTTPS in a Load<br />
Balanced Environment” on page 97 for more information about this.<br />
• Using X.509 client certificates to authenticate users. See the section “Creating<br />
and Installing a Self-Signed Client Certificate” on page 95 for more information<br />
about this.<br />
• Setting up LDAP authentication over SSL. See the section “Configuring<br />
LDAPS” on page 91 for more information about this.<br />
• Configuring the <strong>Spotfire</strong> <strong>Server</strong>(s) to authenticate with the database using<br />
Kerberos. See the section “Database Authentication using Kerberos” on page 91<br />
for more information about this.<br />
• Restricting access to the configuration console. See the section “Restricting<br />
Access to the Configuration Console” on page 89 for more information about<br />
this.<br />
Note: For optimal security some of these measure should be taken before you set up<br />
basic configuration. If you think any of these measures apply to you, then it is<br />
recommended that you read the corresponding instructions before you proceed below.<br />
5.3 Database Drivers<br />
<strong>Spotfire</strong> <strong>Server</strong> ships with DataDirect database drivers. While these drivers work well<br />
for test environments and for running the database preparation scripts as described<br />
above, it is strongly recommended that drivers native to your database server are used<br />
in a production environment. Native drivers (JDBC) are available from your database<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 47 (144)
Configure the System<br />
server manufacturer. If they are drivers used to connect to the <strong>Spotfire</strong> database<br />
(typically ojdbc6.jar, jtds.jar, or sqljdbc(4).jar), place them in the directory<br />
/tomcat/lib<br />
If they are drivers used to connect to other databases (information sources), place them<br />
in the directory<br />
/tomcat/webapps/spotfire/WEB-INF/lib<br />
When you have installed the database drivers, the <strong>Spotfire</strong> <strong>Server</strong> needs to be restarted<br />
according to the instructions in the section “Starting and Stopping the <strong>Spotfire</strong> <strong>Server</strong>”<br />
on page 104.<br />
Note: The database connection URL, used by the server to connect to the database,<br />
may be different for different database drivers. See the section “Database Connection<br />
Configuration” on page 138 for a comprehensive description of the database<br />
connection URL, and for examples using different database drivers.<br />
Data Sources in the Information Designer<br />
The Information Designer tool, available in the <strong>Spotfire</strong> client, allows users to create<br />
analyses based on external data sources. These external data sources are accessed<br />
using database drivers. Any database drivers you install in the folders listed above are<br />
available for use in the Information Designer.<br />
To connect to an external data source, you also need to enable a data source template<br />
that matches the data source and a specific database driver. This is done in the<br />
configuration console. Detailed information about how to do this can be found in the<br />
configuration console help.<br />
5.4 Starting the <strong>Spotfire</strong> <strong>Server</strong> Controller<br />
Before proceeding, you must start the <strong>Spotfire</strong> <strong>Server</strong> controller. This is the small<br />
application that is used to start and stop the actual <strong>Spotfire</strong> <strong>Server</strong>.<br />
5.4.1 For Windows, with Windows Service<br />
If you selected to install a Windows service, and automatically start it at the end of the<br />
installation (see step 9 on page 25), then the <strong>Spotfire</strong> <strong>Server</strong> Controller is already<br />
running. The name of the service is “<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>”.<br />
If you selected to install a Windows service, but not to start it at the end of the<br />
installation (see step 9 on page 25), then you must now start the service manually. Start<br />
Control Panel > Administrative Tools > Services. Find the service called “<strong>TIBCO</strong><br />
<strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>” and start it.<br />
Note: If you for some reason need to reinstall the Windows Service after installation,<br />
run the bat file /tomcat/bin/service.bat with the argument<br />
install:<br />
/tomcat/bin/service.bat install<br />
48 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Configure the System<br />
You can also run this script with the argument remove to remove the Windows<br />
Service.<br />
/tomcat/bin/service.bat remove<br />
5.4.2 For Windows, with No Service<br />
If you selected not to install a Windows service (see step 9 on page 25) then you must<br />
start the <strong>Spotfire</strong> <strong>Server</strong> manually.<br />
1 Log onto the <strong>Spotfire</strong> <strong>Server</strong> machine as an administrator.<br />
2 Start a command prompt.<br />
3 Go to the folder /tomcat/bin<br />
4 Run the startup.bat file.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
Comment: The controller will stop running if you close the command prompt or log<br />
out of the machine.<br />
5.4.3 For Solaris, Red Hat, and SUSE<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong> on reboot:<br />
After the installation, you may want to configure <strong>Spotfire</strong> <strong>Server</strong> to start automatically<br />
each time the Solaris, Red Hat, or SUSE machine is rebooted. This can be set up by<br />
running a script called install_startup_script.sh.<br />
1 Log in as root.<br />
Comment: In order to have a service automatically start at reboot you must be root.<br />
No other user can do this.<br />
2 Navigate to the /tomcat.<br />
3 Execute the file install_startup_script.sh.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> will start automatically after each machine reboot.<br />
To start the server right now, run the script<br />
/etc/init.d/tss start<br />
Note: The install_startup_script.sh script copies the script tss, also located in<br />
/tomcat, to the /etc/init.d directory and places symbolic<br />
links to this scripts in the appropriate runlevel directories (/etc/rc2.d etc).<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong> in a terminal:<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 49 (144)
Configure the System<br />
If you wish to run <strong>Spotfire</strong> <strong>Server</strong> in a terminal, then execute the command startup.sh<br />
located in the directory /tomcat/bin with the same user as<br />
the one who installed the <strong>Spotfire</strong> <strong>Server</strong>.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
5.5 Starting the Configuration Console<br />
If you have installed everything correctly, you will reach the configuration console by<br />
entering the URL<br />
http://hostname:/config (where hostname is the hostname of the machine<br />
running the configuration console and port the port the configuration control is<br />
listening to, by default 8080) into a web browser (see the chapter “Install the<br />
Configuration Console” on page 26 for details on how to install the configuration<br />
console).<br />
Note: If you are using Internet Explorer running on Windows Vista or Windows 2003<br />
or later with Windows Enhanced Security is enabled, you must add the configuration<br />
console URL to the list of “Trusted sites”, on the Security tab of the Internet Options.<br />
If you do not do this, the configuration console will fail to load.<br />
When you start the configuration console for the first time, the following things will<br />
happen:<br />
1 The configuration console will detect that there is no database defined to verify the<br />
login information with. You will be presented with a dialog where you must enter a<br />
valid database URL before you can continue. You can select database server type and<br />
driver from a dropdown menu, which will provide you with the URL syntax. For<br />
instance<br />
jdbc:tibcosoftwareinc:sqlserver://[DB<strong>Server</strong>]:[DB<strong>Server</strong>Port];DatabaseName=[DatabaseName]<br />
or<br />
jdbc:tibcosoftwareinc:oracle://[DB<strong>Server</strong>]:[DB<strong>Server</strong>Port];SID=[DatabaseSID]<br />
using DataDirect drivers. DB<strong>Server</strong> should be replaced with the fully qualified<br />
hostname (that is, including the domain name) of your database server, port with the<br />
port the server is listening to, and databasename with the name (or sid) of your<br />
database. For example, if you are using a standard MSSQL server called<br />
dbsrv.company.com, listening to port 1433, and you have not changed the default<br />
name of the <strong>Spotfire</strong> database, the URL should read:<br />
jdbc:tibcosoftwareinc:sqlserver://dbsrv.company.com:1433;DatabaseName=spotfire_server<br />
If you are using Microsoft SQL <strong>Server</strong> with Integrated Authentication, the URL<br />
should look like this:<br />
jdbc:tibcosoftwareinc:sqlserver://<br />
dbsrv.company.com:1433;DatabaseName=spotfire_server;AuthenticationMethod=ntl<br />
m;LoadLibraryPath=c:/tibco/tss/<strong>3.2.2</strong>/tomcat/lib<br />
50 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Configure the System<br />
Note: This information cannot be entered into the configuration console after this has<br />
been started and connected to the database. If you need to change it later, for instance,<br />
if you move your database server, please refer to the section “Database Connection<br />
Configuration” on page 138. This section also contains more examples of connection<br />
URLs.<br />
Also note that it is possible to use another driver to access your database. <strong>Spotfire</strong><br />
<strong>Server</strong> supports DataDirect (tibcosoftwareinc) by default. See the section “Database<br />
Drivers” on page 47 for a brief description on what other database drivers you can use.<br />
2 The configuration console will prompt for username and password. This information<br />
is identical to the username and password created for the database, described in the<br />
section “Prepare the Database” on page 16.<br />
Comment: If you are using Microsoft SQL <strong>Server</strong> with Integrated Authentication, this<br />
dialog will still show. Click OK without entering any information in the<br />
username and password boxes.<br />
3 After your login information has been verified with the database, the configuration<br />
console will detect that no cluster has been defined. You must set up a new cluster<br />
before you can continue. Note that even if you only have one <strong>Spotfire</strong> <strong>Server</strong> in your<br />
<strong>Spotfire</strong> system, this server will be part of a cluster of one server.<br />
4 The configuration console will ask you if you want to import a configuration file. This<br />
is useful if you have previously exported configuration console settings to a file, for<br />
instance if you are re-installing a <strong>Spotfire</strong> system.<br />
After you have completed these preliminary tasks, the configuration console is ready<br />
to configure your <strong>Spotfire</strong> system. Basic configuration tasks include setup of<br />
authentication and user directory methods, and the adding of <strong>Spotfire</strong> <strong>Server</strong>s to the<br />
cluster.<br />
If you attempt to log into the configuration console and the administrative user is<br />
already logged in, you will be asked if you wish to terminate the other login and<br />
proceed with the current one. Use this with care, especially if there are more than one<br />
administrator of the <strong>Spotfire</strong> system.<br />
5.6 Setting up Authentication<br />
Authentication is the verification of user login information. This information usually<br />
consists of username and password, and is by default stored in the <strong>Spotfire</strong> database.<br />
You can also configure <strong>Spotfire</strong> to authenticate users with an existing LDAP server in<br />
your network, such as a Windows Active Directory <strong>Server</strong>, a Windows NT4 Domain<br />
Controller, or the NTLM protocol.<br />
All of these settings are set in the configuration console, and regardless of which<br />
method you select, the users are always presented with the same login screen when<br />
starting a <strong>Spotfire</strong> client, unless you configure the system to use a single sign-on<br />
method, such as Kerberos or X.509 Client Certificate. For more details on these<br />
choices and recommendation about which to use, please see the section<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 51 (144)
Configure the System<br />
“Authentication and User Directory” on page 65.<br />
<br />
MIGRATING FROM 10.1 TO 3.2?<br />
When you start the <strong>Spotfire</strong> Configuration Console and connect to the<br />
3.2 database you should verify that the configuration from the <strong>Spotfire</strong><br />
Analytics <strong>Server</strong> 10.1 has been transferred correctly.<br />
Configuring Authentication:<br />
1 In the configuration console, click on the tab Authentication.<br />
2 Click the Edit button.<br />
Most login/user directory configurations will have transferred<br />
completely and will not require any additional setup. However:<br />
• If you have set up external LDAP group synchronization, the list<br />
of groups specified for synchronization will be transferred to the<br />
3.2 server. However, you must enable group synchronization and<br />
set up synchronization schedules for the groups from the<br />
configuration console.<br />
• Kerberos, X.509 Client Certificates, and NTLM authentication<br />
information is not transferred. If you intend to use any of these<br />
authentication methods on the 3.2 server, you need to set this up<br />
again.<br />
3 If prompted to stop all servers, select to do so.<br />
4 Select the login method you wish to use from the Login method drop-down menu.<br />
5 Depending on your choice you will be presented with a number of additional<br />
parameters that you must specify.<br />
For more details on these parameters, please see the configuration console online help<br />
by clicking on the question mark icon in the top right corner.<br />
6 Click the Done button when you are finished.<br />
5.7 Setting up User Directory<br />
The user directory is where the <strong>Spotfire</strong> system stores user names and group<br />
memberships. This information can later be used to set permissions to different groups<br />
of users. The user directory is stored in the <strong>Spotfire</strong> database, but to simplify<br />
administration, it is possible to import this information from an external source, such<br />
as an LDAP directory. This is called User Directory Back-end. For a comprehensive<br />
list of user directory backends, and how they can be combined with different<br />
Authentication methods, see the section “Authentication and User Directory” on<br />
page 65.<br />
<br />
Configuring User Directory:<br />
52 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Configure the System<br />
1 In the configuration console, click on the tab User Directory.<br />
2 Click the Edit button.<br />
3 If prompted to stop all servers, select to do so.<br />
4 Select the user directory back-end you wish to use from the User directory back-end<br />
drop-down menu.<br />
5 Depending on your choice you will be presented with a number of additional<br />
parameters that you must specify.<br />
For more details on these parameters, please see the configuration console online help<br />
by clicking on the question mark icon in the top right corner.<br />
6 Click the Done button when you are finished.<br />
Note that the settings made here do not include moving users between groups or<br />
creating new groups, only from where to fetch user directory information, whether it<br />
be from the <strong>Spotfire</strong> database or from an external source.<br />
5.8 Add <strong>Server</strong> to Cluster<br />
In order for users to be able to use <strong>Spotfire</strong>, you need to add at least one <strong>Spotfire</strong><br />
<strong>Server</strong> to the cluster you set up on first login to the configuration console.<br />
In the configuration console, click on the tab “Cluster <strong>Server</strong>s” to add servers to your<br />
cluster. Then click on the green + sign in the list of servers and you will be prompted<br />
to specify:<br />
• <strong>Server</strong> protocol (http or https)<br />
• <strong>Server</strong> hostname or IP address<br />
• <strong>Spotfire</strong> Controller port (default 8078)<br />
• <strong>Spotfire</strong> <strong>Server</strong> port (default 80)<br />
Make sure to select either HTTP or HTTPS in the dropdown menu, according to what<br />
protocol you have set up the <strong>Spotfire</strong> Controllers to use. (Do not type http or https into<br />
the text field for server hostname, only type the actual hostname or IP address).<br />
You will also be prompted about uploading a database.xml file to the server. This is the<br />
server configuration file in which the database connection URL is stored.<br />
Note: If you select to not upload this file, you will have to copy it manually to the<br />
/tomcat/webapps/META-INF directory on the server before<br />
you can start the server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 53 (144)
Configure the System<br />
5.9 Start All <strong>Server</strong>s<br />
After you have performed all the above tasks, you are ready to start your cluster. In the<br />
configuration console, there is a button that says Start All <strong>Server</strong>s. You can also start<br />
or stop individual servers belonging to the cluster.<br />
When the Cluster Status Indicator turns green to indicate that at least one server in the<br />
cluster is up and running, you are ready to proceed.<br />
5.10 Setting up Shared Disk Location<br />
Files that are to be imported into the <strong>Spotfire</strong> Library by <strong>Spotfire</strong> Admins need to be<br />
placed in a specific directory in order to be imported. You specify this folder in the<br />
Shared Disk Location setting, found in the Cluster <strong>Server</strong>s tab of the <strong>Spotfire</strong><br />
Configuration Console. By default this is /tomcat/<br />
application-data/library. For most intents and purposes, this setting does not need<br />
to be changed.<br />
Please see the online help for the configuration console for detailed information on<br />
how to use the configuration console.<br />
5.11 Making the Demo Database Available<br />
If you installed the demo database during install, there is one more step you need to<br />
perform in order to make the demo database available to users.<br />
In the <strong>Spotfire</strong> <strong>Server</strong> installation media, there is a folder called demodata. Select one<br />
of its subfolders, oracle or mssql depending on your database server, and copy the file<br />
within this folder, demo.part0.zip to the shared disk location discussed in the previous<br />
section. This zip file contains analysis files and an information model that links to the<br />
demo data.<br />
When this file is in place, a <strong>Spotfire</strong> Admin or a Library Admin can import these files<br />
to the Library.<br />
5.12 Assign Admin User<br />
When the <strong>Spotfire</strong> cluster is up and running, you need to assign administrator<br />
privileges to a <strong>Spotfire</strong> user. <strong>Spotfire</strong> administration includes tasks such as creating<br />
users, managing licenses, and deploying packages. If you are using Database<br />
Authentication, you must first create an initial <strong>Spotfire</strong> user, and then assign<br />
administrator privileges to this user. If you are using external authentication, such as<br />
an LDAP Directory, you need to assign administrator privileges to one of these users.<br />
In the configuration console, click on the tab “Assign Admin User”. If you are using<br />
Database Authentication, first create an initial <strong>Spotfire</strong> user by clicking the button<br />
“Create User”. Then click the button “Assign Privileges” to assign administrator<br />
54 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Configure the System<br />
privileges to a <strong>Spotfire</strong> user. Note that you have to supply the username and password<br />
for the user that you assign administrator privileges to.<br />
When you do this, you need an unlock code found in the file codes.txt in the<br />
documentation folder in the <strong>Spotfire</strong> <strong>Server</strong> distribution. Note that this unlock code<br />
can be used only once.<br />
Once the first admin user is assigned, this user may assign administrator privileges to<br />
other <strong>Spotfire</strong> users.<br />
Once the <strong>Spotfire</strong> system is installed and configured, and a <strong>Spotfire</strong> Admin is<br />
assigned, the system is ready to be administered. Before users can start using the<br />
system, there are a number of administrative tasks that need to be performed. These<br />
tasks are described in the chapter “<strong>Spotfire</strong> Administrative Tasks” on page 56.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 55 (144)
<strong>Spotfire</strong> Administrative Tasks<br />
6 <strong>Spotfire</strong> Administrative Tasks<br />
6.1 Overview<br />
When the <strong>Spotfire</strong> <strong>Server</strong> has been installed, there are some additional tasks that must<br />
be performed in order for users to be able to use the <strong>Spotfire</strong> clients. These tasks are<br />
referred to as <strong>Spotfire</strong> administrative tasks, and are usually performed by a <strong>Spotfire</strong><br />
Administrator.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> Deployment is a software distribution needed to deploy and<br />
administer <strong>Spotfire</strong>. It is a separate distribution and it is found on the <strong>TIBCO</strong> <strong>Spotfire</strong><br />
software download web site. In this distribution the <strong>TIBCO</strong> <strong>Spotfire</strong> - Deployment<br />
and Administration Manual is found. This manual describes the <strong>Spotfire</strong><br />
administrative tasks. Below is a brief outline of the tasks that need to be done before<br />
the <strong>Spotfire</strong> system can be used, and the tools involved in performing these tasks.<br />
If these steps are not performed, users will not be able to use <strong>Spotfire</strong>. Refer to the<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> - Deployment and Administration Manual for detailed<br />
instructions on how to perform these steps.<br />
6.2 <strong>TIBCO</strong> <strong>Spotfire</strong> Administration Tools<br />
To perform <strong>Spotfire</strong> Administrative tasks, there are three different tools available.<br />
These tools perform different tasks, and it is important that a <strong>Spotfire</strong> Admin is<br />
familiar with all of them.<br />
6.2.1 <strong>TIBCO</strong> <strong>Spotfire</strong> Administration Console<br />
Each <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> has a web-based administration UI called the <strong>TIBCO</strong><br />
<strong>Spotfire</strong> Administration Console. This tool is used to set up users and groups (unless<br />
users and groups are handled by an external mechanism such as an LDAP server), and<br />
to deploy <strong>Spotfire</strong> packages.. It can be reached by a standard web browser using the<br />
URL http://spotfireserver/spotfire/administration/, where spotfireserver is<br />
the hostname of one of your <strong>Spotfire</strong> <strong>Server</strong>s. If you are not running <strong>Spotfire</strong> <strong>Server</strong> on<br />
the standard port 80, you must also add the port number in the URL: http://<br />
spotfireserver:8080/spotfire/administration/ It does not matter which server in<br />
the cluster you use, changes made to one server will be stored in the <strong>Spotfire</strong> database<br />
and available to all servers.<br />
For detailed help on how to use the Administration Console, please see its online help.<br />
6.2.2 <strong>TIBCO</strong> <strong>Spotfire</strong> Administration Manager<br />
In the <strong>Spotfire</strong> client, there is an administration tool called the Administration<br />
Manager. This tool is used to set up licenses and preferences. It is also possible to<br />
create new users and groups in this tool. It is found on the Tools menu in the <strong>Spotfire</strong><br />
client.<br />
56 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
<strong>Spotfire</strong> Administrative Tasks<br />
6.2.3 <strong>TIBCO</strong> <strong>Spotfire</strong> Library Administration<br />
In the <strong>Spotfire</strong> client, there is also an administration tool called the Library<br />
Administration. This tool is used to administer the <strong>Spotfire</strong> Library. The Library is a<br />
feature that allows <strong>Spotfire</strong> users to publish and share analyses and data with each<br />
other.<br />
The content of the Library can be exported and imported. This can be used as a backup<br />
function. If you have migrated from <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1, the Migration<br />
Tool has exported the 10.1 Library content. To import it, see the section “Importing<br />
Library Content” on page 58.<br />
6.3 Deploying <strong>TIBCO</strong> <strong>Spotfire</strong><br />
A <strong>Spotfire</strong> deployment consists of software packages and licenses packaged into<br />
distributions and uploaded to and stored in the <strong>Spotfire</strong> database. For a user to be able<br />
to log in, and for <strong>Spotfire</strong> clients to work properly, a <strong>Spotfire</strong> deployment must be<br />
present at login time. Software patches and license information stored in the<br />
deployment will be downloaded to and control the behavior of the clients.<br />
A <strong>Spotfire</strong> deployment is created by obtaining the <strong>TIBCO</strong> <strong>Spotfire</strong> Deployment<br />
distribution and upload it to the <strong>Spotfire</strong> server using the Administration Console. See<br />
its help for more information about this.<br />
6.4 Setting up Users, Groups, and Licenses<br />
<strong>Spotfire</strong> licenses control which software features are available to different users.<br />
Licenses are set for groups. If you are using an external mechanism to handle users<br />
and groups, you can create <strong>Spotfire</strong> groups and put the external groups into the<br />
<strong>Spotfire</strong> groups. Users and groups can be created and deleted in the Administration<br />
Console. Licenses are set in the Administration Manager, on the tab Groups and<br />
Licenses. See each tool’s help for detailed information and help on setting up Users,<br />
Groups, and Licenses.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 57 (144)
<strong>Spotfire</strong> Administrative Tasks<br />
6.5 Importing Library Content<br />
MIGRATING FROM 10.1 TO 3.2?<br />
The Migration Tool exported the 10.1 Library content to Library export<br />
files ready for import into the 3.2 Library.<br />
Note: The 10.1 library allowed for case sensitive item names if it was<br />
stored in an Oracle database. This meant that you could have two<br />
folders, one named “folder” and another named “Folder” on the same<br />
level of the library file tree. Version 3.0 and later treats Library item<br />
names as case insensitive, regardless of whether the library is stored in<br />
an Oracle or a Microsoft SQL <strong>Server</strong> database. Therefore, when you<br />
import a 10.1 library that was stored in an Oracle database, you must<br />
select to automatically change any such conflicting names by checking<br />
the option “Automatically assign new name or GUID to imported item”<br />
in the import dialog.<br />
Importing Library content is performed by using the Library Administration Tool. The<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> - Deployment and Administration Manual and the online help of<br />
the Library Administration tool have detailed information on how to do this.<br />
When the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> was installed, there was an option of populating the<br />
database with demo data. Also packaged with the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> is a collection<br />
of <strong>Spotfire</strong> analysis files and an information model that links to this data. If the<br />
demo data is installed in the database, you can import these demo files into the library.<br />
Using the demo files is a good way to learn how to use <strong>Spotfire</strong>. See the <strong>TIBCO</strong> <strong>Spotfire</strong><br />
- Deployment and Administration Manual for more information and detailed<br />
instructions on how to import the demo files.<br />
58 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Load Balancing<br />
7 Load Balancing<br />
This chapter explains the concept of load balancing in a clustered environment, and<br />
how to set this up if you are running multiple <strong>Spotfire</strong> <strong>Server</strong>s in a cluster.<br />
7.1 Overview<br />
Load balancing is a technique for spreading the workload between two or more<br />
computers.<br />
In a clustered environment, each <strong>Spotfire</strong> client connects to a single network host, a<br />
load balancer, which redirects calls to an available <strong>Spotfire</strong> <strong>Server</strong>. It is important that<br />
the load balancer is able to redirect follow-up connections from the client to the same<br />
<strong>Spotfire</strong> <strong>Server</strong> for the duration of the user session (session affinity). It must also be<br />
able to detect when a <strong>Spotfire</strong> <strong>Server</strong> is unavailable, such as when maintenance is<br />
being performed, and stop directing traffic to that server. When the <strong>Spotfire</strong> <strong>Server</strong><br />
becomes available again, the load balancer must start directing calls to it again. If you<br />
wish to implement your own load balancing solution, these requirements must be met,<br />
with special emphasis on session affinity, without which communication between<br />
clients and servers will not work.<br />
The rest of this chapter assumes that you are using a load balancing solution based on<br />
Apache httpd with the mod_jk module enabled. Because the <strong>Spotfire</strong> <strong>Server</strong> is<br />
implemented as a Tomcat Service, and therefore supports the AJP (Apache JServ<br />
Protocol) protocol, this technology provides a good starting point for achieving a load<br />
balanced <strong>Spotfire</strong> system.<br />
To set up load balancing, configuration needs to be done on all the cluster nodes, as<br />
well as on the load balancer itself.<br />
7.2 Prerequisites<br />
• At least two <strong>Spotfire</strong> <strong>Server</strong>s need to be installed and configured.<br />
• Apache httpd and the mod_jk module need to be installed on the load balancer.<br />
• Optional: If NTLM authentication is used, the mod_auth_sspi module needs to<br />
be enabled in Apache httpd.<br />
7.3 Cluster Node Configuration<br />
Each <strong>Spotfire</strong> <strong>Server</strong> is prepared for communication with a load balancer on<br />
installation. You do not need to change anything on the servers. If you are well<br />
acquainted with load balancing and want to change any default settings, they are all set<br />
in the file server.xml. See the section “<strong>Server</strong>.xml” on page 135 for more information<br />
about this file.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 59 (144)
Load Balancing<br />
7.4 Load Balancer Configuration<br />
The load balancer needs to be configured so that it will be able to find and<br />
communicate with the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
1 Install Apache httpd.<br />
2 Install the mod_jk module. Refer to the Apache httpd manual for instructions on how<br />
to do this.<br />
3 Add the following to workers.properties (you may need to create this file):<br />
# Define worker list<br />
# (All workers with additional exposed applications must also be added here,<br />
# and don't forget to add the corresponding JkMount option in mod_jk.conf!)<br />
worker.list=jkstatus, loadbalancer<br />
# Example: the /admin application on worker1 should be exposed through the load balancer<br />
#worker.list=jkstatus, loadbalancer, worker1<br />
# Set status<br />
worker.jkstatus.type=status<br />
# Set properties for the load balancer<br />
worker.loadbalancer.type=lb<br />
worker.loadbalancer.balance_workers=worker1, worker2<br />
worker.loadbalancer.sticky_session=true<br />
worker.loadbalancer.method=Session<br />
# Set properties for worker1 (ajp13)<br />
worker.worker1.type=ajp13<br />
worker.worker1.host=[<strong>Spotfire</strong><strong>Server</strong>1Hostname]<br />
worker.worker1.port=8009<br />
worker.worker1.max_packet_size=65536<br />
worker.worker1.lbfactor=1<br />
worker.worker1.route=[<strong>Spotfire</strong><strong>Server</strong>1Hostname]-srv<br />
# Set properties for worker2 (ajp13)<br />
worker.worker2.type=ajp13<br />
worker.worker2.host=[<strong>Spotfire</strong><strong>Server</strong>2Hostname]<br />
worker.worker2.port=8009<br />
worker.worker2.max_packet_size=65536<br />
worker.worker2.lbfactor=1<br />
worker.worker2.route=[<strong>Spotfire</strong><strong>Server</strong>2Hostname]-srv<br />
Change [<strong>Spotfire</strong><strong>Server</strong>1Hostname] to the hostname or IP address of your first<br />
<strong>Spotfire</strong> <strong>Server</strong>, [<strong>Spotfire</strong><strong>Server</strong>2Hostname] to the name of your second <strong>Spotfire</strong><br />
<strong>Server</strong>, and so forth.<br />
Note: The AJP route is automatically set to “[<strong>Spotfire</strong><strong>Server</strong>Hostname]-srv” on the<br />
<strong>Spotfire</strong> <strong>Server</strong> end at installation, that is the hostname of the server suffixed by “-<br />
srv”.<br />
4 Add the following to the mod_jk.conf file (you may need to create this file):<br />
60 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Load Balancing<br />
# Load the mod_jk module<br />
LoadModule jk_module modules/mod_jk.so<br />
# Load the workers configuration<br />
JkWorkersFile conf/workers.properties<br />
# The mod_jk module's log file<br />
JkLogFile logs/mod_jk.log<br />
# The mod_jk module's log level (trace, debug, info, warn, error)<br />
JkLogLevel info<br />
# Let the load balancer worker handle all requests to the TSS web applications<br />
JkMount /spotfire loadbalancer<br />
JkMount /spotfire/* loadbalancer<br />
# Define Apache environment variables to be exported by mod_jk to Tomcat web<br />
applications<br />
JkEnvVar REMOTE_USER<br />
JkEnvVar SSL_CLIENT_CERT<br />
#JkEnvVar SSL_CLIENT_CERT_CHAIN<br />
#JkEnvVar SSL_CLIENT_S_DN<br />
#JkEnvVar SSL_CLIENT_S_DN_CN<br />
5 Make sure that the Apache httpd configuration includes the file mod_jk.conf.<br />
6 Restart Apache httpd. Check for any startup errors.<br />
7 Make sure you are able to connect to each server using both HTTP on the ports<br />
defined in the installation process, and using AJP on port 8009.<br />
8 To achieve a higher level of security, it is possible to make the load balancer<br />
authenticate when it talks to the <strong>Spotfire</strong> servers. See the section “Load Balancer AJP<br />
Keyword Restriction” on page 63 for more information about this.<br />
Note: It might be a good idea to start by setting up one <strong>Spotfire</strong> <strong>Server</strong> to be load<br />
balanced. When you see that traffic is being forwarded as it should, add the other<br />
servers.<br />
It is also possible to forward traffic from the load balancer to the Configuration<br />
Console. See the section “Forwarding Traffic from the Load Balancer to the<br />
Configuration Console” on page 99 for instructions on how to set this up.<br />
7.5 Kerberos Authentication<br />
In a clustered environment where Kerberos authentication is used to authenticate<br />
users, the load balancer forwards all Kerberos authentication information to the<br />
<strong>Spotfire</strong> <strong>Server</strong>s. No configuration on the load balancer is needed for this, but there<br />
are certain considerations that must be taken into account when Kerberos<br />
authentication is set up:<br />
• Two Service Principal Names must be created for each <strong>Spotfire</strong> <strong>Server</strong> as well as<br />
for the load balancer.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 61 (144)
Load Balancing<br />
• One keytab file must be created. This must use the fully qualified Service<br />
Principal Name of the load balancer.<br />
• This keytab file must be copied to each <strong>Spotfire</strong> <strong>Server</strong>.<br />
• When Kerberos authentication is set up in the configuration console, the fully<br />
qualified Service Principal Name of the load balancer must be provided.<br />
For more information about how to set up Kerberos in the <strong>Spotfire</strong> system, refer to the<br />
section “Kerberos” on page 69.<br />
7.6 X.509 Client Certificate Authentication<br />
To set up X.509 Client Certificate Authentication, a server certificate needs to be in<br />
place. In a clustered environment, the clients see the load balancer as the server, and<br />
the server certificate must therefore be created for and installed on the load balancer.<br />
To work properly, the CA certificate must also be installed on the load balancer. See<br />
the section “Setting up HTTPS in a Load Balanced Environment” on page 97 for more<br />
information about server certificates and how to install them on a load balancer.<br />
7.7 NTLM Authentication<br />
In Windows environments, NTLM may be used to authenticate users to the <strong>Spotfire</strong><br />
system. When using load balancing, the load balancer needs to be configured to<br />
forward NTLM authentication requests and answers.<br />
Apache httpd needs the module mod_auth_sspi.so in order to forward authentication<br />
requests and answers. It must be configured to use this module. Add the following to<br />
the httpd.conf, or to a file included from httpd.conf (for instance mod_auth_sspi.conf):<br />
<br />
LoadModule sspi_auth_module modules/mod_auth_sspi.so<br />
<br />
<br />
AuthType SSPI<br />
SSPIAuth On<br />
SSPIAuthoritative On<br />
SSPIPerRequestAuth On<br />
SSPIDomain domain<br />
# The name of the authentication realm<br />
AuthName "Analytics <strong>Server</strong> through Load Balancer"<br />
# When offering Basic authentication, the Apache service<br />
# must be run as a valid local or domain user<br />
SSPIOfferBasic Off<br />
# Set SSPIOmitDomain to Off to retrieve user names<br />
# as "DOMAIN\User" instead of "User"<br />
SSPIOmitDomain On<br />
62 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Load Balancing<br />
# Convert usernames to lower/upper case<br />
# SSPIUsernameCase lower<br />
# SSPIUsernameCase upper<br />
require valid-user<br />
# Restrict access to certain users or groups<br />
# require user "DOMAIN\User"<br />
# require group "DOMAIN\Group"<br />
<br />
See also the <strong>Spotfire</strong> <strong>Server</strong> release notes for more information about NTLM<br />
authentication through a load balancer.<br />
7.8 Load Balancer Authentication<br />
The <strong>Spotfire</strong> <strong>Server</strong>s can be set to verify the identity of the load balancers by only<br />
allowing certain hostnames or IP addresses to act as load balancers.<br />
Also included in load balancer authentication is the filtering of user names propagated<br />
from the load balancers when using an authentication method such as NTLM.<br />
Load Balancer Authentication is set in the Configuration Console There are a number<br />
of options that can be configured.<br />
Enable Load Balancer<br />
Authentication<br />
Request attribute name<br />
Filter domain name<br />
expression<br />
Lower case conversion<br />
Allowed hostnames<br />
Decides whether the <strong>Spotfire</strong> <strong>Server</strong>s should use load<br />
balancer authentication or not.<br />
This is the attribute where the propagated username is<br />
stored. For example "REMOTE_USER".<br />
If the attribute where the propagated username is<br />
stored contains more than the actual username, it is<br />
possible to apply a regular expression to filter out the<br />
unwanted parts. For example, if the attribute contains<br />
"domainname\username", you can use the regular<br />
expression ".*\\(.*)" to remove "domainname\".<br />
Specifies whether to convert the propagated username<br />
to lower case or not. The default is not to convert to<br />
lower case.<br />
This is a list of hostnames or IP addresses of<br />
computers allowed to act as load balancers for the<br />
<strong>Spotfire</strong> system.<br />
7.9 Load Balancer AJP Keyword Restriction<br />
Apart from Load Balancer Authentication, it is also possible to set up a AJP Connector<br />
secret keyword for the load balancers to use to authenticate with the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 63 (144)
Load Balancing<br />
This is a secret keyword that the load balancers and the <strong>Spotfire</strong> <strong>Server</strong>s all know. You<br />
set this up by doing the following:<br />
1 Add the keyword to all the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
In the <strong>Spotfire</strong> <strong>Server</strong> server.xml, within the section , find<br />
the Connector configuration:<br />
<br />
Add the keyword definition:<br />
.<br />
2 Then, add the keyword to the worker,properties file on the load balancer.<br />
Above the properties for the individual workers, add a keyword for all the workers to<br />
use:<br />
# Enable secret keyword<br />
worker.loadbalancer.secret="SecretKeyword"<br />
When this is set up, the <strong>Spotfire</strong> <strong>Server</strong> will only accept AJP connections from load<br />
balancers that know the secret keyword.<br />
64 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
8 Authentication and User Directory<br />
This chapter will outline and explain the different authentication and user directory<br />
mechanisms available in <strong>Spotfire</strong>. It will also try to guide and advise the <strong>Spotfire</strong><br />
administrator on which combination of authentication and user directory should be<br />
used in different situations. For exact instructions on how to configure the different<br />
methods, see the configuration console and its help.<br />
8.1 Overview<br />
Authentication is the function when users prove to the system who they are. The user<br />
directory is where the <strong>Spotfire</strong> system stores user and group names used to set and<br />
verify permissions. The <strong>Spotfire</strong> system is able to authenticate users internally or with<br />
external sources. User directory information may be synchronized with an external<br />
source. These settings are called authentication methods and user directory methods,<br />
respectively. Which methods and combinations to select depends entirely on factors<br />
such as number of users and what kind of infrastructure already exists in the network<br />
in which <strong>Spotfire</strong> is used.<br />
This chapter will provide an overview of the different combinations, instructions on<br />
how to set them up, and advice on which combination to choose, together with<br />
advantages and disadvantages of the different combinations.<br />
8.2 Username and Password Authentication<br />
When users start a <strong>Spotfire</strong> client, they are normally presented with a login dialog,<br />
where they supply their username and password. Using single sign-on methods,<br />
however, this window is bypassed and other forms of authentication are used, such as<br />
certificates or keys.<br />
The username and password authentication methods supported by <strong>Spotfire</strong> are:<br />
• LDAP Directory<br />
• <strong>Spotfire</strong> Database<br />
• Windows NT Domain<br />
• Custom JAAS Module<br />
All of these methods can be configured in the configuration console.<br />
For all methods, usernames are always stored in the <strong>Spotfire</strong> Database. When using an<br />
external authentication method, passwords and/or other authentication information is<br />
stored elsewhere, such as on an LDAP server or a Windows NT Domain Controller.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 65 (144)
Authentication and User Directory<br />
8.2.1 LDAP<br />
With this authentication method, users are authenticated with an LDAP server, such as<br />
Microsoft Windows Active Directory or Sun Java System Directory <strong>Server</strong>. To be able<br />
to use this method, you must have a working LDAP server. When users log in using<br />
this method, their usernames are automatically stored in the <strong>Spotfire</strong> <strong>Server</strong> database,<br />
but all other authentication information, such as passwords, resides only on the LDAP<br />
server. LDAP authentication is recommended when an LDAP server exists in the same<br />
network as the <strong>Spotfire</strong> server and you want to use the benefits of not having to add<br />
users manually to the <strong>Spotfire</strong> system. If external authentication is wanted or required,<br />
this is the recommended solution. This method can also be combined with single signon,<br />
using Kerberos keys.<br />
When using LDAP, you need to provide <strong>Spotfire</strong> <strong>Server</strong> with certain information.<br />
Some are selectable in dropdown menus in the configuration console, while others you<br />
have to provide as text. Below is a list of the information needed.<br />
<strong>Server</strong> Type<br />
Protocol<br />
Hostname<br />
Port<br />
Username and Password<br />
Specifies the brand of your LDAP directory server<br />
(dropdown list).<br />
Specifies whether to use LDAP (clear-text) or LDAPS<br />
(encrypted).<br />
The hostname of your LDAP directory server. You can<br />
add more servers (such as more domain controllers<br />
within the same domain)<br />
The port on which the LDAP Directory <strong>Server</strong><br />
communicates on.<br />
Specifies a user that is able to connect to the LDAP<br />
directory server and browse user and group<br />
information.<br />
If you are using a Microsoft LDAP directory, the<br />
username is simply the name of the user.<br />
If you are using a Sun LDAP directory, the username<br />
field must include the user's UID, OU, and DC. For<br />
example<br />
uid=malcolm,ou=captains,dc=serenity,dc=firefly,dc=c<br />
om.<br />
Note: If you do not provide a context (see below), it is<br />
important that you use the fully qualified user name<br />
here.<br />
66 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
Context<br />
Referral mode<br />
Username attribute<br />
Authentication attribute<br />
Custom LDAP Properties<br />
This option specifies which context or contexts of the<br />
LDAP directory you wish to read users from. A<br />
context can be an Organizational Unit, a Common<br />
Name, or any other container containing users. Use the<br />
Browse button to browse and select from the LDAP<br />
directory tree. You can also type the name of a context<br />
directly into the field.<br />
In a large LDAP Directory, different parts of the<br />
directory tree may be stored on different servers.<br />
When a search for users is made on one server, the<br />
result can therefore be a referral to a different server.<br />
This setting decides whether to conduct a follow-up<br />
search for the users in question on the referred server.<br />
The options are Follow, Ignore or Throw. The default<br />
and recommended value is Follow.<br />
In an LDAP Directory, a number of attributes are<br />
stored for each user. The actual username can be called<br />
different things on different brands of LDAP servers.<br />
If you select one of the LDAP directory server types<br />
listed under <strong>Server</strong> Type, this option will be preselected,<br />
but if you use a custom LDAP directory<br />
server, you will need to specify which user attribute is<br />
the username.<br />
This option specifies which user attribute should be<br />
used to authenticate the user. In almost all cases, this is<br />
the same as Username attribute and should not be<br />
specified.<br />
If you authenticate with a custom LDAP server, you<br />
may in some cases need to specify custom LDAP<br />
properties here. In most situations, however, you may<br />
leave this blank.<br />
If you lack any of this information, you need to speak to the person in charge of the<br />
LDAP system within your organization that can assist you before you can set up<br />
LDAP.<br />
8.2.2 <strong>Spotfire</strong> Database<br />
With this authentication method, all usernames and passwords are stored in the<br />
<strong>Spotfire</strong> database. This is the “stand-alone” solution, where no external authentication<br />
is used. No external configuration is required to set this up, but in return all users must<br />
be manually added using the Administration Manager tool found in the <strong>Spotfire</strong> client.<br />
This is recommended when no existing infrastructure can be used, or when the<br />
<strong>Spotfire</strong> system should be independent of any other systems.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 67 (144)
Authentication and User Directory<br />
8.2.3 Windows NT Domain<br />
With this authentication method, users are authenticated with a Windows NT Domain.<br />
To be able to use this method, you must have a working Windows NT 4 <strong>Server</strong><br />
Domain Controller or a Windows <strong>Server</strong> 2000 (or later) Domain Controller running in<br />
Mixed Mode. When users log in using this method, their usernames are automatically<br />
stored in the <strong>Spotfire</strong> database, but all other authentication information, such as<br />
passwords, resides only on the Windows NT Domain Controller. This solution should<br />
only be used in combination with legacy Windows NT 4 environments. To set it up,<br />
you need to provide the name of the domain in the configuration console.<br />
8.2.4 Custom JAAS Module<br />
The authentication methods above are all implemented as Java Authentication and<br />
Authorization Services (JAAS) modules. <strong>Spotfire</strong> also supports third-party JAAS<br />
modules, and you may therefore use a JAAS module of your own, or one or from a<br />
third-party supplier. Such a module must use username and password authentication<br />
(specifically, it must use NameCallback and PasswordCallback methods) to be used in<br />
<strong>Spotfire</strong>. You must specify the following options in the configuration console:<br />
Implementation Class<br />
Flag<br />
Key value pair<br />
This option specifies the name of your custom JAAS<br />
module.<br />
This option specifies how flags are to be handled.<br />
This option can contain any other key value pair that<br />
your custom JAAS module needs or can handle.<br />
If you lack any of this information, you need to speak to the person that provided you<br />
with the Custom JAAS module and that can assist you before you can set up Custom<br />
JAAS authentication.<br />
Note: When using a custom JAAS module, you need to place the module file in the<br />
/tomcat/webapps/spotfire/WEB-INF/lib directory on all<br />
<strong>Spotfire</strong> <strong>Server</strong>s.<br />
8.3 Single Sign-on Authentication<br />
With a single sign-on solution, users do not authenticate using username and password<br />
when they start <strong>Spotfire</strong>. Instead, their Windows login or a client certificate is used to<br />
verify the user. <strong>Spotfire</strong> is able to handle a number of different single sign-on<br />
solutions:<br />
• Kerberos<br />
• X.509 Client Certificate<br />
• NTLM (NT LAN Manager version 1)<br />
All three methods are configurable in the configuration console.<br />
68 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
8.3.1 Kerberos<br />
Kerberos is a single sign-on protocol that sends encrypted user information from a<br />
client across the network to the authentication server. Kerberos works in LDAP<br />
environments and is considered to have strong security. If you intend to use <strong>Spotfire</strong> in<br />
an environment where Kerberos is used, this may be a good way of increasing security<br />
for the <strong>Spotfire</strong> system.<br />
Note: In a clustered environment, there are certain considerations that must be taken<br />
into account. For details about these, see the section “Kerberos Authentication” on<br />
page 61.<br />
There are several steps that must be taken to set up Kerberos authentication. The<br />
following sections outline them step by step.<br />
8.3.1.1 Prepare the LDAP <strong>Server</strong><br />
How to set up Kerberos with your LDAP server may differ significantly depending on<br />
what LDAP server you are using. The instructions provided here will work for a<br />
Windows Active Directory. If you are using a different LDAP solution, you may have<br />
to provide different settings to the configuration files provided with the <strong>Spotfire</strong><br />
<strong>Server</strong>.<br />
In order for the <strong>Spotfire</strong> <strong>Server</strong> to authenticate with a Windows Domain using<br />
Kerberos, the Windows Domain must meet the following prerequisites:<br />
• All Domain Controllers must run Windows 2003 <strong>Server</strong> SP1 or later.<br />
• Microsoft Support Tools must be installed.<br />
• All computers that will run Kerberos must belong to the same Windows<br />
Domain.<br />
• All computers in the domain must have synchronized clocks (this should happen<br />
automatically when a computer becomes a member of a domain).<br />
• All <strong>Spotfire</strong> users must have user accounts in the Windows Domain.<br />
Note: If the Windows <strong>Server</strong> is an upgrade of a Windows 2000 server, the user<br />
accounts may be using encryption mechanisms not supported by <strong>Spotfire</strong>. Please refer<br />
to Microsoft documentation to get around this issue.<br />
The following steps must then be performed:<br />
1 Configure LDAP authentication for the <strong>Spotfire</strong> <strong>Server</strong> (see the section “LDAP” on<br />
page 66 for instructions on how to do this). Make sure this is working as intended.<br />
2 Create a Domain user to be the <strong>Spotfire</strong> service account. This should be a normal<br />
domain user account, and should be named something easy to remember. Make sure it<br />
meets the following requirements:<br />
• Do not enter a First Name, Initial or Last name for the user account.<br />
• Use the same information in the Full Name field as in the User Logon Name<br />
field. Make sure there are no spaces in these fields.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 69 (144)
Authentication and User Directory<br />
• Check the box Password never expires. All other boxes should be unchecked<br />
(Note: Make sure to uncheck User must change password at next logon).<br />
• If you intend to use Kerberos for database authentication (see the section<br />
“Database Authentication using Kerberos” on page 91), you must also set<br />
Account is trusted for delegation found on the Accounts tab of the Properties<br />
dialog. This setting has certain security issues, and therefore you should only set<br />
it if you intend to do this.<br />
Next, you must create two Service Principal Names needed for the authentication.<br />
This requires Microsoft Support Tools. Refer to its documentation for more<br />
information about this and other tools included in the package.<br />
Note: In a load balanced environment, you need to create two Service Principal<br />
Names for each <strong>Spotfire</strong> <strong>Server</strong>, and two for the load balancer. You must map all of<br />
them to the same service account.<br />
Creating Service Principal Names (SPNs)<br />
Executing the following commands on one of the Windows Domain Controllers:<br />
> setspn -A HTTP/myHost.mydomain[:port] myServiceAccount<br />
> setspn -A HTTP/myHost[:port] myServiceAccount<br />
Replace the myHost myServiceAccount, and mydomain variables with values<br />
appropriate in your environment.<br />
Note: If you use port 80, do not specify port number.<br />
Example:<br />
Setting SPNs for the service account "spotsvc" and the computer<br />
spotserver.research.example.com using the HTTP port 8080.<br />
> setspn -A HTTP/spotserver.research.example.com:8080 spotsvc<br />
> setspn -A HTTP/spotserver:8080 spotsvc<br />
This would result in the following two SPNs:<br />
• HTTP/spotserver.research.example.com:8080<br />
• HTTP/spotserver:8080<br />
Note: All usernames, hostnames, and domain names are case sensitive. Take special<br />
care when running the commands and editing the files below.<br />
After you have run these commands, you can verify your setup with the command:<br />
> setspn -L myServiceAccount<br />
Example:<br />
Verifying SPNs for the service account “spotsvc”.<br />
> setspn -L spotsvc<br />
Registered ServicePrincipalNames for<br />
CN=spotsvc,CN=Users,DC=research,DC=example,DC=com:<br />
70 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
HTTP/spotserver:8080<br />
HTTP/spotserver.research.example.com:8080<br />
Create Keytab Files<br />
The next step is to create keytab files, which the <strong>Spotfire</strong> <strong>Server</strong>(s) will use to<br />
authenticate using Kerberos. This is also done with a tool that comes with Microsoft<br />
Support Tools, called ktpass.exe. You can run this command on one of your Domain<br />
Controllers and then copy the created files to the <strong>Spotfire</strong> <strong>Server</strong>(s).<br />
Note: In a clustered environment, create one keytab file, and use the long principal<br />
name of the load balancer, not one of the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
Always name the file spotfire.keytab, as shown below. Run the command, including<br />
all the text on one line, like this:<br />
> ktpass /princ HTTP/myHost.mydomain[:port]@MYDOMAIN<br />
/mapuser myServiceAccount /ptype krb5_nt_principal /crypto rc4-hmac-nt<br />
/out spotfire.keytab /pass Password<br />
Replace the myServiceAccount, myHost<br />
appropriate values.<br />
mydomain, and Password variables with<br />
Example:<br />
Generate a keytab file for the <strong>Spotfire</strong> server spotserver.research.example.com running<br />
on port 8080 in the Windows domain RESEARCH.EXAMPLE.COM (note the upper<br />
case) with the password Pa55w0rd:<br />
> ktpass /princ HTTP/spotserver.research.example.com:8080@RESEARCH.EXAMPLE.COM<br />
/mapuser spotsvc /ptype krb5_nt_principal /crypto rc4-hmac-nt<br />
/out spotfire.keytab /pass Pa55w0rd<br />
Install Keytab Files<br />
Once the keytab files are created with the above examples you need to install them on<br />
the <strong>Spotfire</strong> <strong>Server</strong>s. For each <strong>Spotfire</strong> <strong>Server</strong>, the keytab file should be placed in the<br />
directory<br />
/jdk/jre/lib/security/<br />
Note: This file contains important security information that should not be shared. It is<br />
recommended that you use caution when copying the files to the destination servers. If<br />
possible, a memory stick or similar should be used to avoid insecure network file copy.<br />
You should also limit access to the file once in place. Only the Service and the<br />
Administrator accounts on the <strong>Spotfire</strong> <strong>Server</strong> need to be able to read and write to it.<br />
Also note that if, at any point, you change the password for <strong>Spotfire</strong> service account,<br />
Kerberos will stop working and you will have to re-create the keytab files with the<br />
new password.<br />
8.3.1.2 Configure the <strong>Spotfire</strong> <strong>Server</strong>(s) to Use Kerberos<br />
To enable Kerberos on the <strong>Spotfire</strong> <strong>Server</strong>(s) there is one configuration file that needs<br />
to be modified. This chapter will outline what changes need to be made to this file. For<br />
complete reference of the file, see the section “krb5.conf” on page 137.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 71 (144)
Authentication and User Directory<br />
krb5.conf<br />
This file is located in /jdk/jre/lib/security/ and contains<br />
information about the Kerberos realm and Windows Domain. the following values<br />
need to be changed:<br />
• MYDOMAIN: This is the Kerberos realm. It is equal to the Windows Domain<br />
and written in upper case.<br />
• mydomain: This is the Windows Domain. It is written in lower case.<br />
• mydc: This is the name of the domain controller. It is written in lower case.<br />
Note: Make sure to use correct case for these values.<br />
Copy this file to all <strong>Spotfire</strong> <strong>Server</strong>s.<br />
Verify that the Keytab Files Work<br />
The file spotfire.keytab should now be in the directory<br />
/jdk/jre/lib/security/<br />
In the folder jdk/jre/bin there are a number of tools that can<br />
help you verify and troubleshoot the spotfire.keytab file.<br />
You can verify that the spotfire.keytab file works as intended by entering the following<br />
command in a command prompt on the <strong>Spotfire</strong> <strong>Server</strong>:<br />
> kinit.exe -k -t spotfire.keytab HTTP/my<strong>Server</strong>.mydomain[:port]@MYDOMAIN<br />
If the spotfire.keytab file is correct, and works as intended, a ticket cache file will be<br />
created.<br />
Example for Windows <strong>Server</strong> 2008:<br />
C:\Users\\krb5cc_<br />
Important! As soon as you have verified that the ticket cache was created, you must<br />
delete the ticket cache file.<br />
You can also check the contents of the spotfire.keytab file using the following<br />
command. It will list the principal name and security credentials.<br />
> klist.exe -k -t -K spotfire.keytab<br />
For other troubleshooting tools, see Microsoft documentation about Kerberos.<br />
Configuration Console<br />
After everything is prepared on the Domain Controllers and <strong>Spotfire</strong> <strong>Server</strong>s, you need<br />
to configure the <strong>Spotfire</strong> system to use Kerberos. This is done in the configuration<br />
console. You need to specify the <strong>Server</strong> Principal Name that you have created for the<br />
<strong>Spotfire</strong> server, for example HTTP/spotserver.research.example.com.<br />
72 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
For more information on how to use the Configuration Console, see its help.<br />
Note: When configuring Kerberos authentication in a load balanced environment,<br />
provide the fully qualified Service Principal Name of the load balancer, not any of the<br />
<strong>Spotfire</strong> <strong>Server</strong>s.<br />
8.3.2 X.509 Client Certificate<br />
With this authentication method, users are authenticated through an automatic<br />
transcript of an X.509 Client Certificate from the <strong>Spotfire</strong> client to the <strong>Spotfire</strong> <strong>Server</strong>.<br />
When users log in using this method, their usernames are automatically stored in the<br />
<strong>Spotfire</strong> database, and instead of passwords, the certificates are used, creating a single<br />
sign-on solution. A prerequisite of this authentication method is that the <strong>Spotfire</strong><br />
<strong>Server</strong>, or the load balancer, if present, must be configured to use the HTTPS protocol<br />
to communicate with the clients. See the sections “Setting up HTTPS on a <strong>Spotfire</strong><br />
<strong>Server</strong>” on page 86 and “Load Balancer Configuration” on page 60 for more<br />
information about this.<br />
To configure <strong>Spotfire</strong> to use X.509 Client Certificates, the following steps must be<br />
performed:<br />
1 Obtain or create a client certificate.<br />
2 Install the certificate onto clients.<br />
3 Configure a server to trust the client certificates.<br />
4 Configure the servers to require client certificates.<br />
5 Configure a load balancer, if present, to forward the client certificates to the server.<br />
6 Configure the servers to use client certificates to authenticate users.<br />
Note: If you perform only steps 1 through 4, the server will require client certificates,<br />
but can still be configured to use a username and password login mechanism. If<br />
required, this would provide a very secure solution.<br />
Obtain or Create a Client Certificate<br />
How to obtain or create a client certificate is different for every provider. Please turn to<br />
your provider for information about this. In the section “Creating and Installing a Self-<br />
Signed Client Certificate” on page 95, an example of how to create a self-signed<br />
certificate using Microsoft Certificate Services is outlined.<br />
Install the Certificate onto Clients<br />
Installing a certificate is normally done with Internet Explorer on the client. By<br />
connecting to the web page of the certificate provider, it should be possible to select to<br />
install the certificate. See the section “Creating and Installing a Self-Signed Client<br />
Certificate” on page 95 for an outline of how to do this with a self-signed certificate<br />
created by Microsoft Certificate Services.<br />
Configure a <strong>Server</strong> to Accept the Client Certificates<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 73 (144)
Authentication and User Directory<br />
For the servers to accept the client ceritificates, it must be told to trust the certificate of<br />
the certificate authority that issued them. In order for this to happen, you must export<br />
the certificate authority certificate (CA certificate) to file and import it to a truststore<br />
that the <strong>Spotfire</strong> <strong>Server</strong>s can read. Once you have the CA certificate in a file on the<br />
<strong>Spotfire</strong> <strong>Server</strong>s, issue the following command to create a truststore and import the CA<br />
certificate to it:<br />
/jdk/bin/keytool.exe -importcert -v -file -keystore<br />
castore.jks.<br />
clientAuth=”true”<br />
The truststore file castore.jks can be placed anywhere. You must add the path to it, its<br />
password and its type to the file server.xml. See the next step for instructions on how<br />
to do this.<br />
Configure a <strong>Server</strong> to Require Client Certificates<br />
To configure a server to require client certificates you must edit the file server.xml,<br />
located in the directory server installation dir>/conf.<br />
In the Connector definition that you created when you configured the server to use<br />
HTTPS, add the following:<br />
You must also add the path to the truststore, its password, and type to server.xml. Also<br />
within the Connector definition, add the following:<br />
truststoreFile=<br />
truststorePass=password<br />
truststoreType=”JKS”<br />
Configure a Load Balancer<br />
To configure a load balancer to redirect client certificates, see the section “X.509<br />
Client Certificate Authentication” on page 62<br />
Configure the <strong>Server</strong>s to Use Client Certificates to Authenticate Users<br />
To configure the servers in the cluster to use client certificates to authenticate users,<br />
open the configuration console, select the tab called Authentication and select X.509<br />
Client Certificate as the Login Method.<br />
74 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
8.3.3 NTLM<br />
MIGRATING OR UPGRADING?<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> 3.2 introduces support for NTLMv2. You<br />
should consider switching to "NTLM v1/v2" that supports both v1 and<br />
v2. The instructions below explain how to set up this version, not the<br />
old. If you wish to continue using "NTLM v1 only" you must copy the<br />
files jcifs.jar and jcifs-ext.jar from /tomcat/<br />
webapps/spotfire/WEB-INF/lib to /tomcat/<br />
webapps/spotfire/WEB-INF/lib.<br />
With this authentication method, users are authenticated with a Windows Domain.<br />
Setting up NTLM authentication involves three steps:<br />
1 Creating one or more computer service account in your Windows Domain.<br />
2 Enabling NTLM authentication for your cluster in the Configuration Console.<br />
3 Configuring NTLM in either the Configuration Console or on each <strong>Spotfire</strong> <strong>Server</strong> (or<br />
both).<br />
If you have only one server in the <strong>Spotfire</strong> system, you can configure all settings in the<br />
Configuration Console. If you have more than one server, however, you must<br />
configure some or all settings on each <strong>Spotfire</strong> <strong>Server</strong>.<br />
Note: If you have a load balancer in front of your cluster, you must set up NTLM on<br />
the load balancer rather than on the <strong>Spotfire</strong> <strong>Server</strong>s. See the section “NTLM<br />
Authentication” on page 62 for more information about this.<br />
Below are comprehensive instructions for each step.<br />
Creating a Computer Service Account in Your Windows Domain<br />
Creating computer accounts in a Windows Domain is done using the Microsoft<br />
Management Console snap-in Domain Users and Computers. If you do not have<br />
access to this tool, or if you are unfamiliar with how to use it, please speak to your<br />
Windows Domain administrator.<br />
In this tool, create a new computer account. See Microsoft documentation for details<br />
on how to do this.<br />
Note: Adding a real computer or re-using an existing account name will not work and<br />
may cause problems for those accounts and computers. Always create a new account<br />
by selecting “New computer account”.<br />
When you have created a new computer account, you need to set a password for this<br />
account. Unfortunately, this is not possible to do in the Microsoft Management<br />
Console. In the directory /tomcat/bin there is a vbs script<br />
called SetComputerPass.vbs. This is an example of how to run the script:<br />
C:\> cscript SetComputerPass.vbs "cn=spotfireserveruser,cn=computers,dc=yourdomaincontroller,dc=yourorganization,dc=com"<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 75 (144)
Authentication and User Directory<br />
Note the quotation marks. Here the arguments spotfireserver-user, computers,<br />
yourdomaincontroller, yourorganization and com reflect a Windows Domain. Your<br />
Windows Domain may look different. If you do have this information, ask your<br />
Windows Domain administrator. You will be prompted for the password. If you<br />
receive the error message<br />
C:\tibco\tss\<strong>3.2.2</strong>\tomcat\bin\SetComputerPass.vbs(12, 1) Microsoft VBScript runtime<br />
error:<br />
ActiveX component can't create object: 'ScriptPW.Password'<br />
your system is lacking a component required for password prompting. If this happens,<br />
you need to edit the SetComputerPass.vbs script and specify the password here.<br />
Comment out the three lines that read<br />
Set objPassword = CreateObject("ScriptPW.Password")<br />
WScript.StdOut.Write "Password:"<br />
strPassword = objPassword.GetPassword()<br />
by adding a ' character before them, so that they look like this<br />
'Set objPassword = CreateObject("ScriptPW.Password")<br />
'WScript.StdOut.Write "Password:"<br />
'strPassword = objPassword.GetPassword()<br />
and add the following line directly below:<br />
strPassword = “service.account.password”<br />
and replace the string service.account.password with a long and random password.<br />
When you have run the script, you should make a note of the password and remove the<br />
script with the password in it.<br />
Note: You must be a member of the Account Operators in order to run this script<br />
successfully. If you get the error message “Microsoft VBScript runtime error:<br />
Permission denied”, the most likely cause is that you are not.<br />
Enabling NTLM Authentication for Your Cluster in the Configuration Console<br />
In the Configuration Console, select the Authentication Tab and select NTLM v1/v2<br />
as Login Method.<br />
Configuring NTLM<br />
Once you have enabled NTLM in the Configuration Console, you are ready to<br />
configure the settings the <strong>Spotfire</strong> <strong>Server</strong>s need to communicate with the Windows<br />
Domain.<br />
If you have only one <strong>Spotfire</strong> <strong>Server</strong>, this can be done entirely in the Configuration<br />
Console.<br />
If you have more than one <strong>Spotfire</strong> <strong>Server</strong>, you must configure settings on each<br />
<strong>Spotfire</strong> <strong>Server</strong>, in order to have a unique configuration for each <strong>Spotfire</strong> <strong>Server</strong>. You<br />
76 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
can choose to configure all settings on each server, or to configure the settings that<br />
apply to the entire cluster in the Configuration Console and only the settings unique to<br />
each server on the actual server. Which of these options you select can depend on<br />
many factors in your <strong>Spotfire</strong> system and Windows Domain.<br />
The settings that need to be unique for each server are how the <strong>Spotfire</strong> <strong>Server</strong><br />
authenticates with the Windows Domain. This can be achieved either by creating and<br />
specifying different Service accounts, or by using the Service accounts for all servers,<br />
but using different NETBIOS names for this account. For most situations, it is<br />
recommended to use different Service accounts.<br />
If you choose to configure some settings in the Configuration Console and some on<br />
each server, simply leave the settings that you will set on each <strong>Spotfire</strong> <strong>Server</strong> blank in<br />
the Configuration Console.<br />
On the same tab where you enabled NTLM, there are a number of settings that you<br />
need to specify.<br />
DNS domain<br />
Resolve DNS domain<br />
Service account name<br />
Service password<br />
AD site<br />
Specifies the DNS domain name of your Windows<br />
Domain.<br />
Example: yourorganization.com.<br />
Note: If for some reason you cannot specify a domain<br />
here, you can specify a hostname of a Domain<br />
Controller instead. If you do this, set Resolve DNS<br />
domain to No.<br />
Specifies whether the name specified in DNS domain<br />
should be considered a domain name or a hostname.<br />
Specifies the username of the prepared computer<br />
service account set up to perform NTLM<br />
authentication.<br />
Example: spotfiresrv$@yourorganization.com<br />
Note: The local part of the account name (spotfiresrv)<br />
in the example above, must not exceed 15 characters.<br />
Also note the dollar-sign ($) after the local part of the<br />
name.<br />
Specifies the password of the prepared computer<br />
service account set up to perform NTLM<br />
authentication. This password will be stored encrypted<br />
in the <strong>Spotfire</strong> Database.<br />
Specifies the Active Directory Site where the <strong>Spotfire</strong><br />
system is located. This setting is optional, but can<br />
potentially increase performance.<br />
Example: organization-got<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 77 (144)
Authentication and User Directory<br />
DNS servers<br />
DNS cache TTL (ms)<br />
Specifies the IP addresses DNS servers associated<br />
with your Windows Domain. Separate multiple servers<br />
with commas.<br />
Example: 192.168.1.1,192.168.1.2<br />
Specifies how long name server lookups should be<br />
cached. If not set, defaults are used.<br />
To configure each <strong>Spotfire</strong> <strong>Server</strong>, you must edit the file web.xml in the folder<br />
tomcat/webapps/spotfire/WEB-INF on each <strong>Spotfire</strong> <strong>Server</strong>.<br />
This is an xml file that you can edit in a text or xml editor, and each parameter is set<br />
like this:<br />
<br />
parameter.name<br />
parameter.value<br />
<br />
These are the settings you can configure:<br />
jespa.service.account.name<br />
jespa.service.password<br />
jespa.encrypted.service.passw<br />
ord<br />
jespa.localhost.netbios.name<br />
jespa.dns.domain<br />
jespa.resolve.dns.domain<br />
jespa.ad.site<br />
jespa.dns.servers<br />
jespa.dns.cache.ttl<br />
Corresponds to the Service account name parameter<br />
as specified above.<br />
Corresponds to the Service password parameter as<br />
specified above.<br />
Specifies the encrypted Service password. See below<br />
for instructions on how to set this parameter.<br />
Specifies the NETBIOS version of the Service acount<br />
name. If this is not set, a default name based on the<br />
Service account name is used.<br />
Example: spotfiresrv1<br />
Note: This name may not exceed 15 characters.<br />
Corresponds to the DNS domain parameter as<br />
specified above.<br />
Corresponds to the Resolve DNS domain parameter<br />
as specified above.<br />
Corresponds to the AD site parameter as specified<br />
above.<br />
Corresponds to the DNS servers parameter as<br />
specified above.<br />
Corresponds to the NS cache TTL (ms) parameter as<br />
specified above.<br />
78 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
Example:<br />
<br />
jespa.service.account.name<br />
spotfiressrv$@yourorganization.com<br />
<br />
When you have set these parameters, start the <strong>Spotfire</strong> <strong>Server</strong>.<br />
If you have set a non-encrypted password, you must now replace it with an encrypted<br />
version.<br />
Find the log file /tomcat/logs/spotfire/dss.log and open it. In it,<br />
you will find a warning that says the following:<br />
WARN 2010-05-20 14:30:15,401 [*Initialization*] server.security.JespaAdapter:<br />
Unencrypted jespa.service.password found in web.xml, replace with<br />
jespa.encrypted.service.password set to a+iMktMf8m6lvyf90Zia8hbe6/eVh2Mo<br />
The bold text above is an encrypted version of the password. In the file web.xml,<br />
replace the jespa.service.password parameter with a jespa.encrypted.service.password<br />
with a value of the text string from the log file.<br />
Example:<br />
<br />
jespa.encrypted.service.password<br />
a+iMktMf8m6lvyf90Zia8hbe6/eVh2Mo<br />
<br />
Note: For security reasons, it is important that you replace the jespa.service.password<br />
parameter with the encrypted version. Do not keep the unencrypted password in the<br />
web.xml file.<br />
When this is done, NTLM authentication should work in the <strong>Spotfire</strong> system.<br />
Note: It is not possible to delegate NTLM authentication. This means that even if you<br />
set up your <strong>Spotfire</strong> <strong>Server</strong>(s) to authenticate users with NTLM and your database<br />
server also uses NTLM (Integrated Authentication), the <strong>Spotfire</strong> <strong>Server</strong> will always<br />
authenticate with the database using the Domain User it is running as and never the<br />
logged in <strong>Spotfire</strong> user. If you need user delegation, you must use a single-sign on<br />
method that supports this, such as Kerberos. See the section “Using Kerberos<br />
Authentication with Delegated Credentials” on page 120 for more information about<br />
using delegation with Kerberos.<br />
8.4 User Directory<br />
When users have been authenticated, information about them is loaded from the user<br />
directory. This information is stored in the <strong>Spotfire</strong> database and holds information<br />
about groups and group membership. These users and groups can then be used to set<br />
up permissions in the Administration Manager, found in the <strong>Spotfire</strong> client.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 79 (144)
Authentication and User Directory<br />
To simplify administration, it is possible to automatically synchronize user names and,<br />
optionally, group membership from an external source. <strong>Spotfire</strong> is able to synchronize<br />
users from the following external sources:<br />
• An LDAP directory<br />
• A Windows NT Domain Controller<br />
As in the case of authentication, the first option can be a Windows Domain Controller<br />
or a Sun Java Directory <strong>Server</strong>, and the second a Windows NT4 Domain Controller.<br />
User directory synchronization is a good way to simplify user configuration, as users<br />
that exist in the LDAP directory or Windows NT Domain can automatically be used in<br />
the <strong>Spotfire</strong> system as well. You can specify which users to synchronize by adding<br />
filters, so that you do not synchronize your entire LDAP tree or Windows NT Domain.<br />
If users are synchronized from an LDAP directory, you can also configure<br />
synchronization of groups. In this scenario, both users and the groups they belong to in<br />
the LDAP tree are synchronized, providing even simpler administration of users. The<br />
imported groups exist in <strong>Spotfire</strong> as any other group, but cannot be modified. In order<br />
to change their permissions, however, you can add them to a regular, non-imported<br />
group. Synchronization of groups is not available if you synchronize with a Windows<br />
NT Domain Controller.<br />
To set up user directory synchronization, you must have a user in the LDAP directory<br />
or the Windows NT Domain that has the appropriate permissions for reading user and<br />
group information. The login information of this user, together with some other<br />
information, is then entered into the configuration console. See the configuration<br />
console help for details on the various settings.<br />
You must specify a number of options in the configuration console for synchronization<br />
with an LDAP directory or a Windows NT Domain Controller. These are specified<br />
below.<br />
LDAP Directory<br />
<strong>Server</strong> Type<br />
Protocol<br />
Hostname<br />
Port<br />
Specifies the brand of your LDAP directory server.<br />
(dropdown list).<br />
Specifies whether to use LDAP (clear-text) or LDAPS<br />
(encrypted) (dropdown list).<br />
The hostname of your LDAP directory server. You can<br />
add more servers (such as more domain controllers<br />
within the same domain).<br />
The port on which the LDAP Directory <strong>Server</strong><br />
communicates.<br />
80 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
Username and Password<br />
Context<br />
Request controls<br />
Page size/Import limit<br />
Referral mode<br />
Enable group synchronization<br />
Specifies a user that is able to connect to the LDAP<br />
directory server and import user and group<br />
information. If you are using a Microsoft LDAP<br />
directory, the username is simply the name of the user.<br />
If you are using a Sun LDAP directory, the username<br />
field must include the user's UID, OU, and DC. For<br />
example<br />
uid=malcolm,ou=captains,dc=serenity,dc=firefly,dc=c<br />
om.<br />
Note: If you do not provide a context (see below), it is<br />
important that you use the fully qualified user name<br />
here.<br />
This option specifies which context or contexts of the<br />
LDAP directory you wish to read users from. A<br />
context can be an Organizational Unit, a Common<br />
Name, or any other container containing users.<br />
When searches for users and groups are performed,<br />
these may sometimes result in huge lists. In some<br />
LDAP directory types, it is possible to limit the<br />
number of results returned, or to divide them into<br />
several pages. This option specifies which, if any,<br />
controls like this should be used. If set to Probe, the<br />
<strong>Spotfire</strong> system will ask the LDAP directory servers<br />
for its capabilities. For most types of directory servers,<br />
the default value should be used.<br />
This setting will set the size of each page of returned<br />
results, or the total number of search results that<br />
should be imported, depending on the Request<br />
controls setting. For no limit at all, select the value -1.<br />
To avoid problems, it is recommended to configure<br />
Referral mode and Search filter, if possible, so that the<br />
number of search results will be reasonable.<br />
In a large LDAP Directory, different parts of the<br />
directory tree may be stored on different servers.<br />
When a search for users is made on one server, the<br />
result can therefore be a referral to a different server.<br />
This setting decides whether to conduct a follow-up<br />
search for the users in question on the referred server.<br />
The options are Follow, Ignore, Throw, and Default.<br />
This option specifies whether or not groups should be<br />
synchronized.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 81 (144)
Authentication and User Directory<br />
<strong>Server</strong> supports MemberOf<br />
Group synchronization<br />
Synchronization schedule<br />
User search filter<br />
Username attribute<br />
Group name attribute<br />
Group search filter<br />
Most LDAP servers store all groups a user is a<br />
member of in the user object. This is how the <strong>Spotfire</strong><br />
system finds members of groups to synchronize. Some<br />
LDAP implementations, however, do not support this<br />
feature. To perform group synchronization with these<br />
LDAP servers, the <strong>Spotfire</strong> system will have to search<br />
within the group to synchronize for its members, and<br />
then perform a second search to find the correct<br />
username attribute for the user. This will increase<br />
traffic immensely between the <strong>Spotfire</strong> system and the<br />
LDAP server, and should only be used if you need<br />
group synchronization and your LDAP server does not<br />
support the MemberOf attribute. Note that the major<br />
LDAP implementations from Microsoft and Sun do<br />
support MemberOf. If unsure, select Yes. See also the<br />
option Member attribute.<br />
This option specifies which groups should be<br />
synchronized.<br />
This options specifies how often groups should be<br />
synchronized. For instance, if you want to synchronize<br />
groups every Monday at 09:00, the schedule should<br />
read "0 9 * * Monday".<br />
This syntax is a subset of crontab syntax. Specifically,<br />
"/" (slash) is not supported in any field. For more<br />
information about crontab syntax, see the Wikipedia<br />
article http://en.wikipedia.org/wiki/Cron and any of<br />
the pages it refers to.<br />
To further limit what part of the LDAP directory tree is<br />
searched for users, you can add additional search<br />
filters in addition to Context above.<br />
In an LDAP Directory, a number of attributes are<br />
stored for each user. The actual username can be called<br />
different things on different brands of LDAP servers.<br />
If you select one of the LDAP directory server types<br />
listed under <strong>Server</strong> Type, this option will be preselected,<br />
but if you use a custom LDAP directory<br />
server you need to specify which user attribute is the<br />
username.<br />
As with Username attribute, this option specifies<br />
which attribute is the group name.<br />
To further limit what part of the LDAP directory tree is<br />
searched for groups, you can add more search filters in<br />
addition to Contexts above.<br />
82 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Authentication and User Directory<br />
Member attribute<br />
Recursive group search<br />
Custom LDAP Properties<br />
This option controls which attribute specifies group<br />
membership for a user. If <strong>Server</strong> supports MemberOf<br />
is set to Yes, this setting is interpreted as an attribute in<br />
user objects. If <strong>Server</strong> supports MemberOf is set to<br />
No, this setting is interpreted as an attribute in group<br />
objects.<br />
This specifies whether group searches in the LDAP<br />
directory should be recursive or not. As different type<br />
of LDAP directories behave differently in this regard,<br />
this option is pre-selected and cannot be changed if<br />
you have not selected to use a custom LDAP server.<br />
If you authenticate with a custom LDAP server, you<br />
may in some cases need to specify custom LDAP<br />
properties here. In most situations, however, you may<br />
leave this blank.<br />
Windows NT Domain<br />
Domains<br />
Synchronize time (minutes)<br />
Defines the Windows Domains where the user<br />
information is stored. The user information will be<br />
synchronized from this domain into the <strong>Spotfire</strong><br />
database regularly. You can add several domains. Note<br />
that all domains you add will be in use; users will be<br />
synchronized from any of the domains configured.<br />
Specifies, in minutes, how often the users should be<br />
synchronized from the Windows NT Domain, in<br />
minutes. The default is 60 minutes.<br />
Note: If you have a large domain and do not need user<br />
synchronization as often as once an hour, you should<br />
consider increasing this value for performance<br />
reasons.<br />
If you lack any of this information, you need to speak to the person in charge of the<br />
LDAP system or Windows NT domain within your organization that can assist you<br />
before you can set up User Directory synchronization.<br />
Note: If you use this feature in a load balanced environment, you must manually add<br />
configuration to the <strong>Spotfire</strong> <strong>Server</strong>s, to prevent them from all synchronizing with the<br />
LDAP directory. See the section “Preventing User Directory Synchronization” on<br />
page 101 for more details on this.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 83 (144)
Advanced Procedures<br />
9 Advanced Procedures<br />
9.1 Overview<br />
This section describes advanced manual procedures for setting up various features<br />
supported by the <strong>Spotfire</strong> system. Many of the procedures assume prior knowledge<br />
about LDAP directory, Kerberos, Windows <strong>Server</strong>, Apache httpd, etc. For detailed<br />
information about how these various technologies work and how they are set up,<br />
please refer to the respective documentation for each technology.<br />
9.2 Installing <strong>Spotfire</strong> <strong>Server</strong> Silently Using<br />
Pre-defined Parameters<br />
UPGRADING FROM 3.0 or 3.1 TO 3.2?<br />
If you are upgrading from <strong>Spotfire</strong> <strong>Server</strong> 3.0 or 3.1 and wish to<br />
preform a silent install, you must run the installation and upgrade<br />
separately. When you record the installation, do not launch the upgrade<br />
tool at the end of the installation.<br />
It is possible to run the <strong>Spotfire</strong> <strong>Server</strong> installer silently, using predefined parameters.<br />
This is useful when you wish to install several servers with the same setup.<br />
By running the installer from a command prompt, you can first record the settings you<br />
make in the installer dialogs and save these to a properties file.<br />
You can then run the installer from a command prompt and specify the properties file.<br />
This will cause the installer to execute silently without displaying any dialogs, and it<br />
will use the information specified in the properties file.<br />
You can also edit the properties file in a text editor before you perform a silent install.<br />
Note: Do not attempt to run the Upgrade tool silently, or have a silent install start it.<br />
<br />
To record type:<br />
install.exe -r c:\installer.properties<br />
Note: You must specify an absolute path to the file!<br />
<br />
To run the installer silently:<br />
install.exe -i silent -f installer.properties<br />
Note: If no path is specified to the properties file, it is assumed it is located in the same<br />
folder as the install.exe.<br />
Example:<br />
84 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
Included in the server distribution, there is an example file called silent.properties.<br />
The exact content of this vary on the platform you have chosen. For Win32 the file<br />
looks like this:<br />
# Thu Dec 17 11:09:57 CET 2009<br />
# Replay feature output<br />
# ---------------------<br />
# This file was built by the Replay feature of InstallAnywhere.<br />
# It contains variables that were set by Panels or Consoles.<br />
#Selected Features.<br />
# '<strong>Server</strong>' selects the Analytics <strong>Server</strong>.<br />
# 'Admin' selects the Management Console.<br />
#----------------------<br />
CHOSEN_INSTALL_FEATURE_LIST=<strong>Server</strong>,Admin<br />
#Third Party Components<br />
#----------------------<br />
THIRD_PARTY_YES=1<br />
THIRD_PARTY_NO=0<br />
#Installation Folder<br />
#-------------------<br />
USER_INSTALL_DIR=C:\\tibco\\tss\\<strong>3.2.2</strong><br />
#OS Architecture<br />
#---------------<br />
IS_32BIT_OS=1<br />
IS_64BIT_OS=0<br />
#Windows Service<br />
#---------------<br />
WINDOWS_SERVICE_CREATE_START=1<br />
WINDOWS_SERVICE_CREATE_NO_START=0<br />
WINDOWS_SERVICE_NO_CREATE=0<br />
#<strong>Spotfire</strong> <strong>Server</strong> Ports<br />
#---------------------<br />
SERVER_PORT=80<br />
CONTROLLER_PORT=8078<br />
#Configuration Port<br />
#------------------<br />
CONSOLE_PORT=8080<br />
#Upgrade<br />
#-------<br />
LAUNCH_UPGRADE_TOOL=\"\"<br />
LAUNCH_UPGRADE_TOOL_1=<br />
LAUNCH_UPGRADE_TOOL_BOOLEAN_1=0<br />
Note that you can choose whether to run the upgrade tool or not, and that the upgrade<br />
tool will be run interactively, not silently, if you choose to launch it from a silent<br />
install.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 85 (144)
Advanced Procedures<br />
9.3 Setting up HTTPS on a <strong>Spotfire</strong> <strong>Server</strong><br />
By default, <strong>Spotfire</strong> uses the HTTP protocol for communication between clients and<br />
the server. To achieve a higher level of security, it is possible to use the HTTPS<br />
protocol instead, ensuring encryption between clients and the server.<br />
To configure a <strong>Spotfire</strong> <strong>Server</strong> to use the HTTPS protocol, you must perform these<br />
steps:<br />
1 Obtain or create a server certificate used to encrypt the traffic.<br />
2 Install the certificate on the server.<br />
3 Configure <strong>Spotfire</strong> to communicate over HTTPS.<br />
Obtain a <strong>Server</strong> Certificate<br />
The method for obtaining or creating a server certificate is different for every provider.<br />
Please turn to your provider for information about this. In the section “Creating a Self-<br />
Signed <strong>Server</strong> Certificate” on page 87, an example of how to create a self-signed<br />
certificate using Microsoft Certificate Services is outlined.<br />
Install the Certificate on the <strong>Server</strong><br />
To install the certificate on the <strong>Spotfire</strong> <strong>Server</strong>, place it anywhere on the disk,<br />
preferably in a subfolder to the <strong>Spotfire</strong> <strong>Server</strong> installation directory, such as<br />
/certs/.<br />
Configure the <strong>Server</strong> to Communicate over HTTPS<br />
To make the server communicate using the HTTPS protocol, you must now edit the<br />
main configuration file of the server. This is found in the directory<br />
/tomcat/conf/ and is called server.xml. You need to find the<br />
section that defines the service “<strong>Spotfire</strong>”, and within that the section that defines the<br />
Connector. This section begins with . Replace this section with the<br />
following:<br />
<br />
Be sure to replace [path to server’s private certificate] with the actual path to<br />
the certificate, and [password] with the password to the keystore. If you have obtained<br />
86 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
the certificate from some other place than Microsoft Certificate Services, the type may<br />
differ.<br />
Note: The password is stored in cleartext. You should secure the file and/or the server<br />
to prevent users from accessing it.<br />
By doing this, you have secured communication between <strong>Spotfire</strong> clients and the<br />
<strong>Spotfire</strong> server. It is also strongly recommended to encrypt communication with the<br />
configuration console and the controller by doing the same thing to the Connector<br />
sections within the “ConfigurationConsole and the “<strong>Spotfire</strong>Controller” Services<br />
respectively. Make sure to select different ports for each Service.<br />
For a more detailed view of the file server.xml, see the section “<strong>Server</strong>.xml” on<br />
page 135.<br />
When you have saved the file, you need to restart the <strong>Spotfire</strong> <strong>Server</strong> for the changes<br />
to take effect. You can then add the server to the cluster in the configuration console.<br />
Note: If you have configured the <strong>Spotfire</strong> controller to use HTTPS, make sure to select<br />
https as the “server protocol” when adding a new server to the cluster. Otherwise, use<br />
http.<br />
Encryption in a Clustered Environment<br />
In a clustered environment, clients communicate using HTTP or HTTPS with the load<br />
balancer, which then redirects traffic to the servers using the AJP protocol. The AJP<br />
protocol cannot be encrypted. It is therefore recommended that the load balancer and<br />
the <strong>Spotfire</strong> <strong>Server</strong>s reside on the same secure network, or that other security<br />
measures, such as tunnel technology, are used.<br />
To configure the load balancer to use HTTPS, follow the instructions in the section<br />
“Setting up HTTPS in a Load Balanced Environment” on page 97.<br />
Note: In a clustered environment, the configuration console communicates with each<br />
server directly, using the HTTP or HTTPS protocol. For this reason, you might still<br />
want to configure the servers to use HTTPS if you need the extra security this<br />
provides.<br />
9.3.1 Creating a Self-Signed <strong>Server</strong> Certificate<br />
In order to use HTTPS, you must have a server certificate on the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
Such a certificate can be obtained from a number of providers. If you are unable to<br />
obtain such a certificate, or wish to set up a test configuration, you can also create a<br />
self-signed certificate. How this is done is highly dependent on which certificate<br />
software you are using.<br />
Note: These directions assume that you are using Microsoft Certificate Services.<br />
1 On the <strong>Spotfire</strong> <strong>Server</strong>, Start Internet Explorer.<br />
2 Connect to your Active Directory Certificate Service homepage. For example,<br />
http:///certsrv/<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 87 (144)
Advanced Procedures<br />
3 Select Request a certificate... > Advanced Request > Submit a certificate request<br />
to this CA using a form.<br />
4 Enter username and e-mail. Use the hostname of the <strong>Spotfire</strong> <strong>Server</strong> as username. In<br />
a clustered environment, use the hostname that the clients use to connect to the<br />
<strong>Spotfire</strong> cluster.<br />
5 Mark Purpose as <strong>Server</strong> Authentication Certificate.<br />
6 Mark Key as Exportable (but do not check Export Key to File).<br />
7 Click Submit and acknowledge that a certificate is being requested.<br />
8 Open the Certification Authority application on the machine where the Certificate<br />
<strong>Server</strong> is installed.<br />
9 Select Certification Authority > Test > Pending requests, where a pending request<br />
should be available.<br />
10 Mark the request, right-click and select All tasks > Issue.<br />
Response: The new certificate should now be visible under "Issued Certificates".<br />
11 Close the application.<br />
12 Connect to your Active Directory Certificate Service homepage, for example,<br />
http:///certsrv/ from the local computer using Internet<br />
Explorer.<br />
13 Select Check on a pending certificate > Next.<br />
Response: A page with the text "Check On a Pending Certificate Request" and<br />
"Please Select the Certificate Request You Want to Check" is displayed.<br />
14 Select the Certificate and click Next.<br />
Response: A page with the text "Certificate Issued” or “The certificate you requested<br />
was issued to you." is displayed.<br />
15 Select Install this certificate > Yes > Yes.<br />
Response: A page confirming that the certificate is installed is displayed.<br />
16 In Internet Explorer, select Tools > Internet Options.<br />
17 Select the Content tab.<br />
18 Click the Certificates button.<br />
19 Mark the certificate that was issued to you.<br />
20 Click Export > Next > Yes, export the private key > Next.<br />
21 Check Include all certificates.<br />
88 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
Comment: There is no need to select “Enable strong protection”.<br />
22 Select Next.<br />
23 Enter password for the file.<br />
24 Specify where the key should be saved.<br />
25 Select Next > Finish.<br />
9.3.2 Getting Clients to Trust a CA Certificate<br />
If you have created a self-signed server certificate, the clients will not trust this<br />
certificate by default. For this to happen, you need to tell each client to trust the<br />
Certificate Authority certificate (CA certificate). If you do not, the clients will not use<br />
the certificate and communication with the server will not be possible. These<br />
instructions assume that you are using Microsoft Certificate Services.<br />
1 Connect to your Active Directory Certificate Service homepage. For example,<br />
http:///certsrv/ with Internet Explorer.<br />
2 Select Retrieve the CA certificate or certificate revocation list.<br />
3 Click on the link Install this CA certification path > Yes > Yes.<br />
Note: Verify that you can connect to the <strong>Spotfire</strong> <strong>Server</strong> using https and that the client<br />
and server trusts each other without producing warnings.<br />
9.3.3 Additional Windows Vista Settings:<br />
Windows Vista will by default attempt to check if the certificate is revoked. This<br />
cannot be done with a self-signed certificate. When this fails, communication between<br />
the <strong>Spotfire</strong> client and the <strong>Spotfire</strong> <strong>Server</strong> will not work. You must therefore turn this<br />
feature off. To do this, do the following:<br />
1 Open Tools > Internet Options in Internet Explorer.<br />
2 Select the Security tab.<br />
3 Find the setting “Check for server certificate revocation” and clear it.<br />
4 Click OK and confirm that you wish to do this.<br />
9.4 Restricting Access to the Configuration<br />
Console<br />
To further increase security, you can restrict access to the configuration console. This<br />
can be done by a feature built into Apache Tomcat, and is configured in server.xml.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 89 (144)
Advanced Procedures<br />
Note: Restricting access to the Configuration Console is important if you authenticate<br />
with the <strong>Spotfire</strong> database using Windows Integrated Authentication.<br />
Within the ConfigurationConsole section, find the Context definition:<br />
<br />
Below it, add a “Valve” definition, so that it looks like this:<br />
<br />
<br />
You can add any IP address or addresses, comma separated (127.0.0.1,192.168.0.1).<br />
Wildcards are also supported (192.168.0.*).<br />
If you need to restrict address to hostnames rather than IP addresses, you can do this<br />
by enabling host lookups. This is done within the Connector definition:<br />
<br />
With this enabled, you can add hostnames instead of IP addresses:<br />
<br />
<br />
Note: Host lookups are time and resource consuming. If possible, access restriction<br />
based on IP address should therefore be used.<br />
You can of course also restrict access to the configuration console by filtering the<br />
Configuration Console port (by default 8080) in any firewall or router that the<br />
configuration console is located behind.<br />
For further information about the server.xml file, see the section “<strong>Server</strong>.xml” on<br />
page 135 and the Apache Tomcat manual, located at http://tomcat.apache.org/tomcat-<br />
6.0-doc/config/.<br />
Note that this approach is also valid in a clustered environment. The load balancer will<br />
retain the IP address of the client when forwarding the request, so that the<br />
configuration console is able to filter out unwanted traffic. This can therefore be<br />
combined with the method described in the section “Forwarding Traffic from the Load<br />
Balancer to the Configuration Console” on page 99.<br />
90 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
9.5 Configuring LDAPS<br />
In an LDAP environment, where the <strong>Spotfire</strong> system authenticates users with an<br />
LDAP directory, it might be a good idea to secure the LDAP protocol using SSL, if the<br />
LDAP directory supports this.<br />
To achieve this, you must first set up the LDAP directory to communicate using SSL.<br />
Refer to your LDAP server manual for instructions on this.<br />
Then you must get the <strong>Spotfire</strong> <strong>Server</strong>(s) to trust this certificate. This is done by<br />
following steps:<br />
1 Export the certificate to file and copy it to the <strong>Spotfire</strong> <strong>Server</strong>(s) and the configuration<br />
console machine(s).<br />
2 With a command prompt or shell, navigate to the directory /jdk/jre/lib/security and execute the keytool command located in the<br />
/jdk/bin/ directory to import the certificate:<br />
../../bin/keytool -import -file ldapserver.crt -keystore cacerts -alias spotfire_ldaps<br />
Replace ldapserver.crt with the name of the exported certificate.<br />
When prompted, enter the password to the cacerts keystore. The default password is<br />
“changeit”.<br />
3 Verify that the certificate has been successfully added by using the keytool command<br />
again:<br />
../../bin/keytool -list -keystore cacerts -alias spotfire_ldaps<br />
When prompted, enter the password to the cacerts keystore. The result of the<br />
command should be that the certificate is added.<br />
Once the server certificate is trusted by all the <strong>Spotfire</strong> <strong>Server</strong>s, log into the<br />
configuration console and set Authentication Method to LDAPS. Refer to the<br />
configuration console help for assistance.<br />
9.6 Database Authentication using Kerberos<br />
If your database engine is able to authenticate users using Kerberos, you can let the<br />
<strong>Spotfire</strong> <strong>Server</strong> authenticate with it in this way.<br />
To set this up, you need to perform a number of manual steps. While it is possible to<br />
perform these steps on a running <strong>Spotfire</strong> installation, it is recommended that you do<br />
them before defining a <strong>Spotfire</strong> cluster, and before you log into the configuration<br />
console for the first time.<br />
You also need to make sure to either be logged into the database server with the user<br />
created below when creating the <strong>Spotfire</strong> database, or ensure that you can give this<br />
user access to the <strong>Spotfire</strong> database later. Refer to your database engine manual for<br />
more details on this.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 91 (144)
Advanced Procedures<br />
Note: These steps should all be performed on the machine that runs the configuration<br />
console. The configuration console will then export these settings to all <strong>Spotfire</strong><br />
<strong>Server</strong>s when they are added to the cluster. You do not need to modify any files on the<br />
<strong>Spotfire</strong> <strong>Server</strong>(s).<br />
The steps will first be outlined briefly, and then described in detail below:<br />
1 Create a user account in the Kerberos environment.<br />
2 Create a keytab file for the user account.<br />
3 Create and populate the <strong>Spotfire</strong> database.<br />
4 Modify the file krb5.conf.<br />
5 Create the file databasekerberos.login.<br />
6 Modify the file java.security.<br />
7 Modify the file connections.xml.<br />
8 Log into the configuration console.<br />
9 Export the <strong>Spotfire</strong> configuration to file.<br />
10 Modify the <strong>Spotfire</strong> configuration export file.<br />
11 Import the <strong>Spotfire</strong> configuration.<br />
12 Add <strong>Spotfire</strong> <strong>Server</strong>s to the cluster.<br />
Create a User Account in the Kerberos Environment<br />
Start by creating a user account in the Kerberos environment. See the section “Prepare<br />
the LDAP <strong>Server</strong>” on page 69 for information about how the user account should be<br />
set up.<br />
Create a Keytab File for the User Account<br />
Use the ktab.exe tool found in the folder /jdk/bin/ to<br />
ktab.exe -k database.keytab -a <br />
Note: Use only the username, not the fully qualified username.<br />
Create and Populate the <strong>Spotfire</strong> Database<br />
To be able to use the create_databases script, the database engine needs to accept<br />
regular login as well as Kerberos login. If it does not, you cannot use this file. Instead,<br />
you must run the sql-scripts this file calls. See the section “Running Database<br />
Preparation Scripts Manually” on page 102 for more information about this.<br />
Modify the File krb5.conf.<br />
92 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
The file krb5.conf needs to be modified according to the same principle as for <strong>Spotfire</strong><br />
client authentication using Kerberos (see the section “krb5.conf” on page 72 for more<br />
information).<br />
Create the File databasekerberos.login<br />
Create a file called databasekerberos.login in the<br />
/jdk/jre/lib/security/ directory. It should contain the<br />
following:<br />
DatabaseKerberos<br />
{<br />
com.sun.security.auth.module.Krb5LoginModule<br />
required<br />
debug=true<br />
storeKey=true<br />
useKeyTab=true<br />
keyTab="${java.home}/lib/security/database.keytab"<br />
principal="MSSQLSrv/spotdb.research.example.com:1433@ RESEARCH.EXAMPLE.COM";<br />
};<br />
Modify the File java.security<br />
Add the following to the end of file java.secuity, located in the<br />
/jdk/jre/lib/security/ directory:<br />
# Register Java Authentication & Authorization Services (JAAS) configurations<br />
login.config.url.1=file:${java.home}/lib/security/databasekerberos.login<br />
Modify the file connections.xml<br />
Add the following data source definition to the file connections.xml located in<br />
/webapps/admin/WEB-INF/:<br />
<br />
<strong>Server</strong>.Default<br />
<br />
<strong>Server</strong>.Default<br />
tibcosoftwareinc.jdbc.sqlserver.SQL<strong>Server</strong>Driver<br />
jdbc:tibcosoftwareinc:sqlserver://<br />
spotdb.research.example.com\SPOTFIRE;DatabaseName=spotfire_server<br />
false<br />
DYNAMIC_ADAPTIVE<br />
-1<br />
0<br />
600<br />
false<br />
true<br />
0<br />
<br />
<br />
DatabaseKerberos<br />
<br />
<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 93 (144)
Advanced Procedures<br />
Note: See the section “Database Connection URL Components and Examples” on<br />
page 140 for more information about Database Connection URLs.<br />
Log into the Configuration Console<br />
Log into the configuration console without providing a username or password. Click<br />
the button login with the login and password fields empty.<br />
Export the <strong>Spotfire</strong> Configuration to File<br />
In the configuration console, select Export to export the <strong>Spotfire</strong> configuration to file.<br />
Modify the <strong>Spotfire</strong> Configuration Export File<br />
Using a text or xml editor, add the following text to the authentication tag:<br />
<br />
<br />
<br />
DatabaseKerberos<br />
com.sun.security.auth.module.Krb5LoginModule<br />
required<br />
<br />
<br />
debug<br />
false<br />
<br />
<br />
storeKey<br />
true<br />
<br />
<br />
useKeyTab<br />
true<br />
<br />
<br />
keyTab<br />
[Path to KeyTab file]<br />
<br />
<br />
principal<br />
MSSQLSrv/spotdb.research.example.com:1433@RESEARCH.EXAMPLE.COM<br />
<br />
<br />
<br />
<br />
<br />
Make sure not to modify other content within the authentication tag or any other<br />
contents of the file.<br />
Import the <strong>Spotfire</strong> Configuration<br />
Import the modified <strong>Spotfire</strong> configuration by selecting Import in the configuration<br />
console.<br />
Add <strong>Spotfire</strong> <strong>Server</strong>s to the Cluster<br />
94 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
Add <strong>Spotfire</strong> <strong>Server</strong>s to the cluster. This will create a database.xml file for each server<br />
with the information created above.<br />
Note: If you added servers to the cluster before setting up Kerberos database<br />
authentication, you need to remove them from the cluster and add them again.<br />
When you start the servers, you might want to check the logs located in<br />
/tomcat/logs/spotfire/ to make sure they are able to<br />
authenticate with the database properly.<br />
Verify that the spotfire.keytab File is in Place and Works<br />
Verify that the spotfire.keytab file created earlier has been moved from the Domain<br />
Controller and is now placed on the <strong>Spotfire</strong> Analytics <strong>Server</strong> in the following<br />
directory:<br />
/jdk/jre/lib/security/spotfire.keytab<br />
Optional:<br />
In the folder jdk/jre/bin there are a number of tools that can<br />
help you verify and troubleshoot the spotfire.keytab file.<br />
You can verify that the spotfire.keytab file works as intended by entering the following<br />
command in a command prompt on the <strong>Spotfire</strong> Analytics <strong>Server</strong>:<br />
> kinit.exe -k -t spotfire.keytab HTTP/my<strong>Server</strong>.mydomain[:port]@MYDOMAIN<br />
If the spotfire.keytab file is correct, and works as intended, a ticket cache file will be<br />
created.<br />
Example for Windows <strong>Server</strong> 2003:<br />
C:\Documents and Settings\\krb5cc_<br />
Important! As soon as you have verified that the ticket cache was created, you must<br />
delete the file.<br />
You can also check the contents of the spotfire.keytab file using the following<br />
command. It will list the principal name and security credentials.<br />
> klist.exe -k -t -K spotfire.keytab<br />
9.7 Creating and Installing a Self-Signed<br />
Client Certificate<br />
In order to use X.509 Client Certificates, you need to have a client certificate on the<br />
<strong>Spotfire</strong> clients. Such a certificate can be obtained from a number of providers. If you<br />
are unable to obtain such a certificate, or wish to set up a test configuration, you can<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 95 (144)
Advanced Procedures<br />
<br />
<br />
<br />
also create a self-signed certificate. How this is done is highly dependent on which<br />
certificate software you are using. These instructions assume that you are using<br />
Microsoft Certificate Services.<br />
Request a Certificate:<br />
1 Connect to your Active Directory Certificate Service homepage. For example,<br />
http:///certsrv/ using Internet Explorer.<br />
2 Request a certificate of the type “Client Authentication Certificate”.<br />
Comment: If the certificate is used as the only authentication method the username is<br />
used as the identity. If the user directory is using windows authentication,<br />
then this should be the shorter alias, e.g., not "John Doe", but "johnd".<br />
Issue the Certificate:<br />
1 Open the Certification Authority application on the machine running the Certificate<br />
Services.<br />
2 Select Certification Authority > Test > Pending requests, where a pending request<br />
should be available.<br />
3 Mark the request, right-click and select All tasks > Issue.<br />
Response: The new certificate should now be visible under Issued Certificates.<br />
Close the application.<br />
Install the Certificate:<br />
1 Connect to your Active Directory Certificate Service homepage, for example, http://<br />
/certsrv/ from the client computer.<br />
2 Select Check on a pending certificate > Next.<br />
3 Verify that a Client Authentication certificate is selected.<br />
4 Click Next.<br />
Response: A page with the text "Certificate Issued/The certificate you requested was<br />
issued to you." is displayed.<br />
5 Select Install this certificate.<br />
6 Select Yes in the confirmation dialogs.<br />
Response: A page confirming that the certificate is installed is displayed.<br />
<br />
Optional IE Settings:<br />
Internet Explorer might provide you with a selection box which lets you specify which<br />
certificate is to be used. To get rid of these certificate selection boxes, do the<br />
following:<br />
96 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
1 Open Tools > Internet Options in Internet Explorer.<br />
2 Select the Security tab.<br />
3 Select Local Intranet.<br />
4 Click Sites > Advanced.<br />
5 Add https:// to the list of hosts in this zone.<br />
6 Click OK.<br />
7 Select Custom level for the Intranet zone security settings.<br />
8 Make sure that Don't prompt for client certificate selection when no certificates or<br />
only one certificate exists is Enabled.<br />
9 Click OK and confirm that the security settings should be changed.<br />
Comment: This works if there is only one matching certificate. Thus if there is more<br />
than one certificate which can be used by the server, there will still be<br />
selection dialogs.<br />
9.8 Setting up HTTPS in a Load Balanced<br />
Environment<br />
In a clustered environment, the clients see the load balancer as the server. Therefore, in<br />
order to secure the communication in the <strong>Spotfire</strong> system, using HTTPS, the load<br />
balancer needs to be configured to do this. This is achieved by obtaining (or creating)<br />
a server certificate for the load balancer and instalingl it on the load balancer. You may<br />
need to convert it first.<br />
Note: You cannot use a server certificate created for a <strong>Spotfire</strong> server. A server<br />
certificate must always be created for the computer it is intended for.<br />
The following instructions assume that you are acquainted with the Apache httpd and<br />
its configuration files. It should be seen as an overview of how HTTPS is setup for use<br />
in load balancing a <strong>Spotfire</strong> system, not as a tutorial on Apache httpd. For more<br />
information, please refer to the Apache httpd manual.<br />
1 Install Apache httpd with ssl support and the mod_ssl.so and mod_jk modules.<br />
2 Create a self-signed server certificate.<br />
3 If needed, convert the certificate to a format readable by the load balancer.<br />
4 Store the converted certificate in the Apache conf directory.<br />
5 Configure Apache to use the certificate files.<br />
6 Make your clients trust the CA certificate.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 97 (144)
Advanced Procedures<br />
Install Apache httpd with SSL Support and the mod_ssl.so and mod_jk<br />
modules<br />
For exact instructions on how to install Apache httpd, see the Apache manual.<br />
If you are using an Apache installer, you might be presented with the option of<br />
creating a self-signed server certificate from within the installer, and have Apache<br />
automatically configured to use this server certificate. If this is the case, you can skip<br />
to the step “Make your clients trust the CA certificate”.<br />
If you are not using an automatic installer, or wish to create and install a different selfsigned<br />
certificate, continue reading.<br />
Create a Self-Signed Certificate<br />
You can create a self-signed certificate for the load balancer using the steps described<br />
in the section “Creating a Self-Signed <strong>Server</strong> Certificate” on page 87.<br />
After creation, save the certificate to file and transfer it to the load balancer.<br />
Convert the Certificate to a Format Readable by the Load Balancer<br />
The certificate must be in the Base 64-encoded DER format (PEM) format for Apache<br />
httpd to be able to read it. If the certificate is created with Microsoft Certificate<br />
Services, it is in the PKCS #12 format. To convert it, use the openssl command on the<br />
load balancer. (If this is not installed, refer to http://openssl.org/ or your OS manual for<br />
instructions on how to install it.)<br />
openssl pkcs12 -in server.pfx -out server.pem<br />
Next, the public key in the certificate must be extracted from the converted certificate:<br />
openssl x509 -in server.pem -out server_cert.pem<br />
Finally, the private key in the certificate must be extracted from the converted<br />
certificate:<br />
openssl rsa -in server.pem -out server_key.pem<br />
These commands will provide you with three files: server.pem, server_cert.pem, and<br />
server_key.pem. You will only need the two latter files.<br />
You also need the CA certificate on the load balancer in the PEM format. If you are<br />
using a self-signed certificate, the CA certificate should be available for download<br />
from the same source, usually under “Trusted Root Certification Authorities” or<br />
similar. If needed, convert the CA certificate to PEM format using the convert<br />
command above. You do not need to extract anything from it.<br />
Store the Converted Certificate Files in the Apache Conf Directory<br />
Copy all the files created above to the directory /conf.<br />
Configure Apache httpd to Use the Certificate Files<br />
Add the following lines to the Apache httpd configuration (for instance, to the load<br />
balancer’s virtual host):<br />
98 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
# Configure SSL<br />
SSLEngine On<br />
SSLCertificateFile "conf/server_cert.pem"<br />
SSLCertificateKeyFile "conf/server_key.pem"<br />
SSLCACertificateFile "conf/cacert.pem"<br />
SSLOptions +StdEnvVars +ExportCertData<br />
Your Apache httpd should now communicate using the HTTPS protocol.<br />
Make Your Clients Trust the CA Certificate<br />
This step is identical to that described in the section “Getting Clients to Trust a CA<br />
Certificate” on page 89.<br />
9.9 Forwarding Traffic from the Load<br />
Balancer to the Configuration Console<br />
In a non-clustered environment, the administator uses the configuration console by<br />
entering its hostname in a web browser. In a clustered environment this approach is of<br />
course valid, but it is also possible to reach the configuration console through the load<br />
balancer. This is beneficial if the <strong>Spotfire</strong> <strong>Server</strong>s and the configuration console are<br />
installed in a network only reachable through the load balancer.<br />
To set this up using Apache httpd as a load balancer, you need to add the following to<br />
mod_jk configuration (such as in the file mod_jk.conf):<br />
JkUnmount /config loadbalancer<br />
JkUnmount /config/* loadbalancer<br />
JkMount /config mcworker<br />
JkMount /config/* mcworker<br />
“mcworker” is the machine where the configuration console is installed. Its hostname<br />
is “mc1” in this example.<br />
Then, you need to add the mcworker to the list of workers in the workers.properties<br />
file:<br />
worker.list=jkstatus, loadbalancer, mcworker<br />
You must also define the mcworker just as you would any other worker in the<br />
worker.properties file:<br />
worker.mcworker.type=ajp13<br />
worker.mcworker.host=mchostname<br />
worker.mcworker.port=8079<br />
worker.mcworker.max_packet_size=65536<br />
worker.mcworker.lbfactor=1<br />
worker.mcworker.route=[servername]-adm<br />
Make sure port number and route correspond to the values in the server.xml file on the<br />
configuration console. See the section “<strong>Server</strong>.xml” on page 135 for further<br />
information about this file.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 99 (144)
Advanced Procedures<br />
With this setup, all calls to the configuration console will terminate on the machine<br />
running the configuration console, known to the load balancer as “mcworker”. See the<br />
section “Load Balancing” on page 59 for further information about load balancing in<br />
the <strong>Spotfire</strong> system.<br />
Note: It is also possible to create a load balanced system of configuration console<br />
machines by using the same method as when load balancing <strong>Spotfire</strong> <strong>Server</strong>s,<br />
described in the chapter “Load Balancing” on page 59. This can be beneficial in order<br />
to avoid the configuration console being a single point of failure.<br />
9.10 Shared Disk Location in a Clustered<br />
Environment<br />
From the Library Administration tool found in the <strong>Spotfire</strong> client, it is possible to<br />
import and export content to and from the library. The import and export files are<br />
stored in a folder specified in the <strong>Spotfire</strong> <strong>Server</strong> configuration.<br />
In a clustered environment, there is no way of being certain which server the client is<br />
communicating with. Therefore, steps must be taken to ensure that the import and<br />
export files are always stored in the same folder.<br />
One method is to use Windows shared folder technology, and set the location of the<br />
import and export folder to a folder that is shared with all <strong>Spotfire</strong> <strong>Server</strong>s. As this<br />
may not be the most secure option, there is also a method in which you can configure<br />
the load balancer to always redirect import and export requests to the same <strong>Spotfire</strong><br />
<strong>Server</strong>.<br />
To set this up using Apache httpd as a load balancer, you need to add the following to<br />
the mod_jk configuration (such as in the file mod_jk.conf):<br />
JkUnmount /spotfire/ws/protected/services/LibraryImportExportService loadbalancer<br />
JkUnmount /spotfire/ws/protected/services/LibraryImportExportService/* loadbalancer<br />
JkMount /spotfire/ws/protected/services/LibraryImportExportService worker1<br />
JkMount /spotfire/ws/protected/services/LibraryImportExportService/* worker1<br />
“worker1” is the <strong>Spotfire</strong> <strong>Server</strong> where import and export files are to be stored.<br />
Then, you need to add the worker1 to the list of workers in the workers.properties file:<br />
worker.list=jkstatus, loadbalancer, worker1<br />
With this setup, all import and export calls from the Library Administration tool will<br />
terminate on the <strong>Spotfire</strong> <strong>Server</strong> worker1. See the section “Load Balancing” on<br />
page 59 for further information about load balancing in the <strong>Spotfire</strong> system.<br />
100 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
9.11 Preventing User Directory<br />
Synchronization<br />
When you use user directory synchronization with an LDAP directory in a load<br />
balanced environment, only one <strong>Spotfire</strong> <strong>Server</strong> should synchronize from the LDAP<br />
directory to the <strong>Spotfire</strong> database. To achieve this, you must add manual configuration<br />
to the <strong>Spotfire</strong> <strong>Server</strong>s that are NOT to synchronize. You do this by adding the<br />
following to the file web.xml, located in the /tomcat/<br />
webapps/spotfire/WEB-INF/ directory:<br />
<br />
group.synchronization.disabled<br />
true<br />
<br />
Note: You must add this text to the file web.xml on ALL <strong>Spotfire</strong> <strong>Server</strong> but the one<br />
supposed to perform the synchronization.<br />
9.12 Configuring X.509 Client Certificates in a<br />
Load Balanced Environment<br />
In a load balanced environment, where X.509 Client Certificate authentication is to be<br />
used, the load balancer needs to be aware of the situation and forward the client<br />
certificates to the <strong>Spotfire</strong> <strong>Server</strong>s.<br />
The following instructions assume that you are acquainted with the Apache httpd and<br />
its configuration files. It should be seen as an overview of how HTTPS is setup for use<br />
in load balancing a <strong>Spotfire</strong> system, not as a tutorial on Apache httpd. For more<br />
information, please refer to the Apache httpd manual<br />
1 Configure the <strong>Spotfire</strong> system to use X.509 Client Certificate authentication. See the<br />
section “X.509 Client Certificate” on page 73 for instructions on how to do this.<br />
2 Configure Apache httpd to communicate using the HTTPS protocol. See the section<br />
“Setting up HTTPS in a Load Balanced Environment” on page 97 for instructions on<br />
how to do this.<br />
3 Configure Apache httpd to require and forward X.509 client certificates.<br />
4 Configure mod_jk to forward X.509 client certificates.<br />
Configure Apache httpd to Require and Forward X.509 Client Certificates<br />
Add the following lines to the Apache httpd configuration (for instance, to the load<br />
balancer’s virtual host, where the HTTPS configuration was added):<br />
# Configure client cert<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
SSLUserName SSL_CLIENT_S_DN_CN<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 101 (144)
Advanced Procedures<br />
# Configure mod_jk directives<br />
JkMountCopy On<br />
JkOptions +ForwardKeySize +ForwardSSLCertChain<br />
Configure mod_jk to Forward X.509 Client Certificates<br />
Add the following to the mod_jk configuration (typically, a file called mod_jk.conf<br />
included by httpd.conf or httpd-ssl.conf)<br />
JkEnvVar SSL_CLIENT_CERT<br />
You should now have a load balancer that requires and forwards X.509 Client<br />
Certificates.<br />
9.13 Running Database Preparation Scripts<br />
Manually<br />
The automatic create_databases script requires that your database engine supports<br />
username and password authentication. If your database for some reason does not<br />
support this, because, say, you are using Kerberos authentication, you must run the<br />
SQL preparation scripts manually.<br />
The scripts you need to run are:<br />
• create_server_db.sql<br />
• populate_server_db.sql<br />
• create_demotables.sql<br />
• All the SQL files in the folder demodata<br />
Note: Demo SQL scripts are only necessary if you want to install the demo database<br />
shipped with the <strong>Spotfire</strong> <strong>Server</strong>.<br />
Read through the create_databases script to understand how they are run. Below are<br />
some notes regarding the supported database server types.<br />
Oracle<br />
When populating a <strong>Spotfire</strong> database residing on an Oracle <strong>Server</strong> the<br />
create_databases script passes certain variables to these scripts. These variables<br />
include:<br />
• ROOTFOLDER<br />
• CONNECTIDENTIFIER<br />
• SERVER_DATA_TABLESPACE<br />
• SERVER_DATA_TABLESPACE<br />
When you run the SQL scripts manually, you must make sure to pass these variables<br />
along to the scripts. For example:<br />
102 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
sqlplus @DB<strong>Server</strong> @create_server_env.sql "spotfire_server"<br />
Microsoft SQL <strong>Server</strong><br />
When populating a <strong>Spotfire</strong> database residing on a Microsoft SQL <strong>Server</strong> the<br />
create_databases script passes certain variables to these scripts. These variables<br />
include:<br />
• SERVERDB_NAME<br />
• DEMODB_NAME<br />
When you run the SQL scripts manually, you must make sure to pass these variables<br />
along to the scripts. For example:<br />
sqlcmd -S DB<strong>Server</strong>\DBInstance -i create_server_db.sql -v<br />
SERVERDB_NAME="spotfire_server"<br />
9.14 Resizing Temporary Tablespace<br />
The tablespaces/database files for <strong>Spotfire</strong> <strong>Server</strong> using Oracle/MSSQL Database uses<br />
autoextend/autogrowth by default. If this turns out to be inappropriate for your needs<br />
alter this settings. It might be desirable to alter the amount the files should be extended<br />
by with each increment. For Oracle there is a maxsize for each tablespace which<br />
should be reviewed. For MSSQL, there is an unlimited growth this should also be<br />
reviewed.<br />
9.15 Modifying the Virtual Memory<br />
<br />
If many simultaneous users intend to perform heavy data pivoting via Information<br />
Services or in other ways stress the server, you may need to modify the amount of<br />
memory available to the virtual machine. The application server’s JVM must have<br />
equal settings for the initial and maximum heap sizes, otherwise data pivoting in<br />
Information Services will not work properly and there might be a risk that the server<br />
will run out of memory.<br />
Note: Do not allocate too much heap memory because every JVM has a specific upper<br />
limit for how much memory it can handle. If the memory allocation exceeds this limit,<br />
the JVM may not start. The recommended setting that will work for most installations<br />
is the default value of 1024 MB.<br />
To Set Up the Start Script (not running as a Windows service):<br />
1 Open the file /tomcat/bin/setenv.bat/.sh in a text editor.<br />
2 Find the line that sets the variable JAVA_OPTS:<br />
set JAVA_OPTS=-server -XX:+DisableExplicitGC -XX:MaxPermSize=256M -Xms1024M -Xmx1024M<br />
or<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 103 (144)
Advanced Procedures<br />
JAVA_OPTS="-server -XX:+DisableExplicitGC -XX:MaxPermSize=256M -Xms1024M -Xmx1024M"<br />
<br />
3 Alter the -xms and the -Xmx values:<br />
-Xms1024M -Xmx1024M<br />
to the amount of memory you wish to allocate.<br />
4 Restart the server.<br />
To Set Up the Windows Service (when running as a Windows service):<br />
1 Stop the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> service<br />
2 Go to the /tomcat/bin directory<br />
3 Run the command<br />
service.bat remove<br />
4 Edit the /tomcat/bin/service.bat file.<br />
5 Look for the entries:<br />
--JvmMs 1024 --JvmMx 1024<br />
6 Alter the “1024” to suitable memory values (in MB).<br />
7 Run the command<br />
service.bat install<br />
8 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> service.<br />
9.16 Starting and Stopping the <strong>Spotfire</strong> <strong>Server</strong><br />
Note: When you follow the instructions below, only the <strong>Spotfire</strong> <strong>Server</strong> Controller<br />
will start and stop. To make the servers available to clients, you need to start them in<br />
the configuration console. See the section “Architectural Overview” on page 6 and<br />
“Configure the System” on page 47 for more information.<br />
9.16.1 For Windows, with a Service<br />
<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong>:<br />
Start Control Panel > Administrative Tools > Services. Find the service called<br />
“<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>” and start it.<br />
To stop <strong>Spotfire</strong> <strong>Server</strong>:<br />
Start Control Panel > Administrative Tools > Services. Find the service called<br />
“<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>” and stop it.<br />
104 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
9.16.2 For Windows, with No Service<br />
<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log onto the <strong>Spotfire</strong> <strong>Server</strong> machine as an administrator.<br />
2 Start a command prompt.<br />
3 Go to the folder /tomcat/bin<br />
4 Run the startup.bat file.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
Comment: The controller will stop running if you close the command prompt or log<br />
out of the machine.<br />
To stop <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log onto the <strong>Spotfire</strong> <strong>Server</strong> machine as an administrator.<br />
2 Start a command prompt.<br />
3 Go to the folder /tomcat/bin<br />
4 Run the shutdown.bat file.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller stops.<br />
9.16.3 For Solaris, Red Hat, and SUSE with RC script<br />
<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log in as root.<br />
2 Run the command /etc/init.d/tss start. (Refer to the section “For Solaris, Red Hat, and<br />
SUSE” on page 49 for instructions on how to install this script).<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
To stop <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log in as root.<br />
2 Run the command /etc/init.d/tss stop. (Refer to the section “For Solaris, Red Hat, and<br />
SUSE” on page 49 for instructions on how to install this script).<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller stops.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 105 (144)
Advanced Procedures<br />
9.16.4 For Solaris, Red Hat, and SUSE, without RC<br />
script<br />
<br />
<br />
To start <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log in as the user that installed <strong>Spotfire</strong> <strong>Server</strong>.<br />
2 Execute the command /tomcat/bin/startup.sh.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller starts.<br />
To stop <strong>Spotfire</strong> <strong>Server</strong>:<br />
1 Log in as the user that installed <strong>Spotfire</strong> <strong>Server</strong>.<br />
2 Execute the command /tomcat/bin/shutdown.sh.<br />
Response: The <strong>Spotfire</strong> <strong>Server</strong> Controller stops.<br />
9.17 Data Source Templates<br />
9.17.1 What Are Data Source Templates?<br />
One feature of the <strong>Spotfire</strong> system is the ability to create "information links", which<br />
are easy-to-use aids for users to access data stored in databases. Using the Information<br />
Designer tool found in the <strong>TIBCO</strong> <strong>Spotfire</strong> client, a database administrator can<br />
configure which data sources should be available to choose from when creating such<br />
information links.<br />
When a connection is made to a data source it needs information about which type of<br />
database is used, as well as which type of database driver is used to connect to it. To<br />
make it easier to set up multiple data sources in Information Designer, there are a set<br />
of "data source templates" with predefined settings that can be used later in<br />
Information Designer. You can also create custom data source templates. All data<br />
source templates are specified in the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
A data source template is an XML configuration. This XML configuration includes a<br />
number of settings that customize the way information links interact with the data<br />
source. Read more about the XML format in “XML Settings” on page 110.<br />
The following data source templates are available by default:<br />
• Oracle (DataDirect driver)<br />
• Microsoft SQL <strong>Server</strong> (DataDirect driver)<br />
When adding more data source templates, you can select to base these on the<br />
following types:<br />
• DB2<br />
106 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
• DB2 (DataDirect)<br />
• DB2 Type4<br />
• MySQL<br />
• MySQL5<br />
• MySQL (DataDirect)<br />
• Netezza<br />
• ODBC<br />
• Oracle<br />
• Oracle (DataDirect)<br />
• Oracle (delegated Kerberos)<br />
• SAS/SHARE<br />
• SQL <strong>Server</strong><br />
• SQL <strong>Server</strong> 2005<br />
• SQL <strong>Server</strong> (DataDirect)<br />
• SQL <strong>Server</strong> (JTDS)<br />
• Sybase<br />
• Sybase (DataDirect)<br />
• Sybase (JTDS)<br />
• Teradata<br />
For a data source template to become available in the Information Designer, it must be<br />
enabled from the configuration console. For each data source template in the list, there<br />
is a check box that states whether the template is active or not.<br />
Note: For the MySQL5 native driver to work with MySQL data sources that includes<br />
TIMESTAMPS that can potentially be null, you have to edit the template to get it to<br />
work:<br />
Find the section that reads:<br />
<br />
<br />
useDynamicCharsetInfo<br />
false<br />
<br />
<br />
and add the following (within the connection-properties tag):<br />
<br />
noDatetimeStringSync<br />
true<br />
<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 107 (144)
Advanced Procedures<br />
<br />
zeroDateTimeBehavior
Advanced Procedures<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The list of data source templates will become editable.<br />
4 In the list of data source templates, click on the one you want to edit.<br />
Response: The Data Source Template dialog is displayed.<br />
5 Modify the name for your new data source template.<br />
6 Modify the XML settings to correspond to your intended data source and driver. You<br />
can copy/paste information in the edit field.<br />
7 Click Save.<br />
Response: The dialog closes and your data source template is updated in the list.<br />
8 Click the Done button on the toolbar.<br />
9 Click Start Cluster on the toolbar to restart the cluster.<br />
9.17.3 Enabling/Disabling a Data Source Template<br />
<br />
For a data source template to become available in the Information Designer, it must be<br />
enabled from the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console. For each data source<br />
template in the list, there is a check box that states whether the template is active or<br />
not.<br />
To enable/disable a data source template:<br />
1 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
2 Go to the Data Source Templates tab.<br />
3 Click the Edit button on the toolbar.<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The list of data source templates will become editable.<br />
4 In the list of data source templates, find the one you want to enable/disable.<br />
5 Select the check box on the corresponding row to enable the data source template, or<br />
deselect the check box to disable the data source template.<br />
6 Click the Done button on the toolbar.<br />
Comment: If you have added a data source template that does not use the pre-installed<br />
DataDirect driver, you must manually install this on every <strong>Spotfire</strong> <strong>Server</strong><br />
in the cluster before you restart the cluster. Download the appropriate<br />
driver jar file and place it in the /tomcat/<br />
webapps/spotfire/WEB-INF/lib folder of every server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 109 (144)
Advanced Procedures<br />
7 Click Start Cluster on the toolbar to restart the cluster.<br />
9.17.4 Removing a Data Source Template<br />
<br />
To remove a data source template:<br />
1 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
2 Go to the Data Source Templates tab.<br />
3 Click the Edit button on the toolbar.<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The list of data source templates will become editable.<br />
4 Click on a row to select that data source template.<br />
5 Click the Remove button.<br />
Response: The data source template is removed from the list.<br />
6 Click the Done button on the toolbar.<br />
7 Click Start Cluster on the toolbar to restart the cluster.<br />
Note: Make sure that you do not have any data sources that use the data source<br />
template before you remove anything. If a data source template is removed, all data<br />
sources using that template will stop working.<br />
9.17.5 XML Settings<br />
The table below shows all settings available. Note that the only mandatory settings<br />
needed in the XML-file are the first four:<br />
• type-name<br />
• display-name<br />
• driver<br />
• connection-url-pattern<br />
If left out, all other settings will automatically use their default values.<br />
Setting Description Default Notes<br />
type-name A unique name for<br />
the configuration<br />
110 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
display-name<br />
driver<br />
The name shown<br />
in the Information<br />
Designer, Data<br />
Sources<br />
workbench<br />
The JDBC driver<br />
Java class used for<br />
creating<br />
connections<br />
A pattern for the<br />
connection URL<br />
ping-command A dummy<br />
command to test<br />
connections<br />
connectionurl-pattern<br />
connectionproperties<br />
metadataprovider<br />
sql-filter<br />
sql-runtime<br />
fetch-size<br />
JDBC connection<br />
properties<br />
Java class that<br />
provides database<br />
metadata<br />
Java class that<br />
generates SQL<br />
Java class that<br />
handles SQL<br />
execution<br />
A fetch size<br />
specifies the<br />
amount of data<br />
fetched with each<br />
database round<br />
trip for a query.<br />
The fetch size is<br />
measured as the<br />
number of fields,<br />
which is<br />
calculated to the<br />
number of rows<br />
for a particular<br />
query.<br />
SELECT 1<br />
BasicJDBCMetadataProvider<br />
BasicSQLFilter<br />
BasicSQLRuntime<br />
URL syntax is driver<br />
specific<br />
See <strong>Spotfire</strong> Technical<br />
Network for more info.<br />
See <strong>Spotfire</strong> Technical<br />
Network for more info.<br />
See <strong>Spotfire</strong> Technical<br />
Network for more info.<br />
10000 The specified value is<br />
shown as the default<br />
value in ID. May be<br />
changed at instance<br />
level.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 111 (144)
Advanced Procedures<br />
batch-size<br />
table-types<br />
max-columnname-length<br />
supportscatalogs<br />
supportsschemas<br />
supportsprocedures<br />
supportsdistinct<br />
supportsorder-by<br />
column-namepattern<br />
table-namepattern<br />
schema-namepattern<br />
A batch size<br />
specifies the<br />
amount of data in<br />
each batch update.<br />
The batch size is<br />
the number of<br />
fields, which is<br />
calculated to the<br />
number of<br />
operations for a<br />
particular type of<br />
operation.<br />
The maximum<br />
length of a<br />
database column<br />
name<br />
Specify which<br />
table types to<br />
retrieve<br />
Tells if the driver<br />
supports catalogs<br />
Tells if the driver<br />
supports schemas<br />
Tells if the driver<br />
supports stored<br />
procedures.<br />
Tells if the driver<br />
supports distinct<br />
option in SQL<br />
queries<br />
Tells if the driver<br />
supports order-by<br />
option in SQL<br />
queries.<br />
Determines how a<br />
column name is<br />
written in the SQL<br />
query.<br />
Determines how a<br />
table name is<br />
written in the SQL<br />
query.<br />
Determines how a<br />
schema name is<br />
written in the SQL<br />
query.<br />
100 The specified value is<br />
shown as the default<br />
value in ID. May be<br />
changed at instance<br />
level.<br />
30 This limit is used when<br />
creating temporary<br />
tables.<br />
TABLE, VIEW<br />
true<br />
true<br />
false<br />
true<br />
true<br />
“$$name$$”<br />
“$$name$$”<br />
“$$name$$”<br />
112 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
catalog-namepattern<br />
procedurename-pattern<br />
column-aliaspattern<br />
string-literalquote<br />
max-in-clausesize<br />
condition-listthreshold<br />
expand-inclause<br />
tableexpressionpattern<br />
procedureexpressionpattern<br />
Determines how a<br />
catalog name is<br />
written in the SQL<br />
query.<br />
Determines how a<br />
procedure name is<br />
written in the SQL<br />
query.<br />
Determines how a<br />
column alias is<br />
written in the SQL<br />
query.<br />
The character<br />
used as quote for<br />
string literals<br />
The maximum<br />
size of an SQL<br />
IN-clause. Larger<br />
lists are split into<br />
several clauses<br />
that are OR:ed<br />
together.<br />
A temporary table<br />
is used when<br />
executing an SQL<br />
query, where total<br />
size of a condition<br />
list is larger than<br />
this threshold<br />
value.<br />
If true, an SQL<br />
IN-clause will be<br />
expanded into OR<br />
conditions.<br />
Determines how a<br />
table expression is<br />
written in the SQL<br />
query.<br />
Determines how a<br />
procedure<br />
expression is<br />
written in the SQL<br />
query.<br />
“$$name$$”<br />
“$$name$$”<br />
“$$name$$”<br />
1000<br />
SQL-92 standard<br />
10000 Depends on the<br />
maximum SQL query<br />
size.<br />
false<br />
[$$catalog$$.][$$schema$$.]$$table$$<br />
[$$catalog$$.][$$schema$$.]$$procedure$$<br />
catalog and schema<br />
may be optional<br />
(surrounded by<br />
brackets)<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 113 (144)
Advanced Procedures<br />
date-literalformatexpression<br />
time-formatexpression<br />
time-literalformatexpression<br />
date-timeformatexpression<br />
Integer<br />
representing the<br />
jdbc type<br />
identifying a table<br />
returned form a<br />
procedure as<br />
defined by<br />
java.sql.Types.<br />
proceduretable-jdbc-type<br />
proceduretable-typename<br />
date-formatexpression<br />
Display name for<br />
tables from<br />
procedure.<br />
An expression that<br />
converts a date<br />
field to a string<br />
value on the<br />
format:<br />
"YYYY-MM-<br />
DD", e.g., "2002-<br />
11-19"<br />
An expression that<br />
converts a date<br />
literal on the<br />
format "YYYY-<br />
MM-DD" to a<br />
date field value.<br />
An expression that<br />
converts a time<br />
field to a string<br />
value on the<br />
format:<br />
"HH:MM:SS",<br />
e.g., "14:59:00"<br />
An expression that<br />
converts a time<br />
literal on the<br />
format<br />
"HH:MM:SS" to a<br />
time field value.<br />
An expression that<br />
converts a<br />
datetime field to<br />
string value on the<br />
format: "YYYY-<br />
MM-DD<br />
HH:MM:SS", e.g.<br />
"2002-11-19<br />
14:59:00"<br />
0<br />
null<br />
$$value$$<br />
'$$value$$'<br />
$$value$$<br />
'$$value$$'<br />
$$value$$<br />
This is currently not<br />
visible to the user in<br />
any UI.<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the date<br />
field.<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the date<br />
literal.<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the time<br />
field.<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the time<br />
literal.<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the<br />
date-time field.<br />
114 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
date-timeliteral-formatexpression<br />
An expression that<br />
converts a datetime<br />
literal on the<br />
format "YYYY-<br />
MM-DD<br />
HH:MM:SS" to a<br />
date-time field<br />
value.<br />
'$$value$$'<br />
Used in WHERE and<br />
HAVING clauses.<br />
The tag $$value$$ is a<br />
placeholder for the<br />
date-time literal.<br />
java-to-sqltypeconversions:<br />
String<br />
Integer<br />
Long<br />
Float<br />
Double<br />
Date<br />
Time<br />
DateTime<br />
Type conversions<br />
needed when a<br />
join data source<br />
creates a<br />
temporary table<br />
for result from a<br />
subquery.<br />
For String<br />
conversion %s<br />
will be replaced<br />
by the size of the<br />
string.<br />
A match-lengthí<br />
attribute may be<br />
specified (see<br />
MySQL).<br />
VARCHAR($$value$$)<br />
VARCHAR(255)<br />
INTEGER<br />
BIGINT<br />
REAL<br />
DOUBLE PRECISION<br />
DATE<br />
TIME<br />
TIMESTAMP<br />
Different String types<br />
may be needed<br />
dependant of the length<br />
of the string.<br />
Note that there must be<br />
a VARCHAR<br />
conversion for when the<br />
length of the string is<br />
unknown (255 in the<br />
example here).<br />
When several<br />
VARCHAR mappings<br />
are specified, the<br />
mapping that first<br />
matches the ëmatchlengthí<br />
is used.<br />
temp-tablename-pattern<br />
Determines how<br />
to format a<br />
temporary table<br />
name in an SQL<br />
command.<br />
$$name$$<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 115 (144)
Advanced Procedures<br />
create-temptablecommand<br />
drop-temptablecommand<br />
data-sourceauthentication<br />
lob-threshold<br />
SQL commands<br />
for creating a<br />
temporary table.<br />
This is used to<br />
store filter values<br />
(when more than<br />
'condition-listthreshold')<br />
and to<br />
store result from<br />
subqueries.<br />
$$name$$ is a<br />
placeholder for<br />
the table name.<br />
$$column_list$$<br />
is a placeholder<br />
for a column list<br />
on the format<br />
"(name type,<br />
name type, ...)"<br />
SQL commands<br />
for deleting a<br />
temporary table.<br />
$$name$$ is a<br />
placeholder for<br />
the table name.<br />
Default value data<br />
source<br />
authentication.<br />
(boolean).<br />
Threshold when<br />
LOB values used<br />
as parameters in a<br />
WHERE clause,<br />
must be written in<br />
temporary tables<br />
CREATE TEMPORARY TABLE $$name$$<br />
$$column_list$$<br />
DROP TABLE $$name$$<br />
The syntax may vary<br />
between databases.<br />
The syntax may vary<br />
between databases.<br />
false<br />
This value can be set<br />
(overridden) in the<br />
Information Interaction<br />
Designer.<br />
-1 The default (-1) means<br />
no limit.<br />
116 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
<br />
oracle<br />
Oracle<br />
oracle.jdbc.OracleDriver<br />
jdbc:oracle:thin:@<host>:<port1521>:<sid><br />
use-ansii-styleouter-join<br />
credentialstimeout<br />
The default<br />
generated SQL<br />
uses the Oracle<br />
way with “(+)” to<br />
indicate joins. If<br />
this setting is sett<br />
to true an attempt<br />
is made to rewrite<br />
it to standard<br />
ANSII format,<br />
making it possible<br />
to run on non<br />
Oracle databases<br />
Defines the time<br />
in seconds user<br />
credentials are<br />
cached on the<br />
server for a<br />
particular data<br />
source. Value<br />
must be between<br />
900 (15 minutes)<br />
and 604800 (1<br />
week).<br />
false<br />
86400 (24 hours) Applicable only if datasource-authentication<br />
is<br />
set to true.<br />
9.17.5.1 Defining JDBC Connection Properties<br />
The optional parameter block in the <br />
configuration can be used to define JDBC connection properties parameters to be used<br />
when connecting to the data sources of the given type. A typical use case for this<br />
feature is to specify encryption and integrity checksum algorithms for secure database<br />
connections.<br />
Each connection property consists of a key-value pair. The syntax for specifying<br />
JDBC connection properties for a connection pool is shown in the configuration<br />
example below.<br />
If you need different JDBC connection properties for different data sources of the<br />
same type, just duplicate the configuration, rename the<br />
configurations for each variant needed and define the proper JDBC connection<br />
properties. Make sure to update any already existing data sources so that they are of<br />
the correct type.<br />
Example: Defining JDBC Connection Properties for data source of type "oracle":<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 117 (144)
Advanced Procedures<br />
SELECT 1 FROM DUAL<br />
<br />
<br />
oracle.net.encryption_client<br />
REQUIRED<br />
<br />
<br />
oracle.net.encryption_types_client<br />
( 3DES168 )<br />
<br />
<br />
oracle.net.crypto_checksum_client<br />
REQUIRED<br />
<br />
<br />
oracle.net.crypto_checksum_types_client<br />
( MD5 )<br />
<br />
<br />
...<br />
<br />
9.17.5.2 Advanced Connection Pool Configuration<br />
Beginning with <strong>TIBCO</strong> <strong>Spotfire</strong> Analytics <strong>Server</strong> 10.1, a new type of connection pool<br />
is used for the data sources in Information Services. The new connection pool was<br />
introduced for the user directory and other components from version 9.0. Those<br />
components retrieve their database configurations from the META-INF/database.xml<br />
file, but the configuration templates for the data sources in Information Services still<br />
reside in the datasource template set up in the configuration console.<br />
Not all configuration parameters that appear in the META-INF/database.xml file are<br />
supported for data sources in Information Services, but the following special<br />
parameters are available:<br />
• "spotfire.pooling.data.source.scheme"<br />
(corresponds to the “pooling-scheme” parameter in the meta-inf/database.xml<br />
configuration file.<br />
• "spotfire.pooling.data.source.connection.timeout"<br />
(corresponds to the “connection-timeout” parameter)<br />
• "spotfire.pooling.data.source.login.timeout"<br />
(corresponds to the “login-timeout” parameter).<br />
• "spotfire.kerberos.login.context"<br />
(corresponds to the “kerberos-login-context” parameter)<br />
It is also possible to revert to the old type of connection pool by setting the<br />
"spotfire.connection.pool.factory.data.source" parameter to<br />
"init.commands.data.source". The default value for this parameter is<br />
"pooling.data.source".<br />
All these parameters should be added as JDBC connection properties. However, they<br />
will never be used as real JDBC connection properties and will never be sent to a<br />
database server.<br />
118 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
Example: Configuring a PoolingDataSource for Oracle databases<br />
<br />
oracle<br />
Oracle<br />
oracle.jdbc.OracleDriver<br />
jdbc:oracle:thin:@<host>:<port1521>:<sid><br />
SELECT 1 FROM DUAL<br />
<br />
<br />
spotfire.pooling.data.source.scheme<br />
WAIT_ADAPTIVE<br />
<br />
<br />
spotfire.pooling.data.source.connection.timeout<br />
1800<br />
<br />
<br />
spotfire.pooling.data.source.login.timeout<br />
30<br />
<br />
<br />
...<br />
<br />
9.17.5.3 Using Kerberos Authentication for JDBC Data Sources<br />
Configuration of Kerberos authentication for JDBC data source is performed in a<br />
similar way to the data sources in data-sources.xml. See also the <strong>TIBCO</strong> <strong>Spotfire</strong><br />
<strong>Server</strong> - Installation and Configuration Manual for more information about how to set<br />
up Kerberos authentication with the <strong>Spotfire</strong> database, which works in a similar<br />
fashion.<br />
Example: Configuring a PoolingDataSource for Oracle databases<br />
<br />
oracle<br />
Oracle<br />
oracle.jdbc.OracleDriver<br />
jdbc:oracle:thin:@<host>:<port1521>:<sid><br />
SELECT 1 FROM DUAL<br />
<br />
<br />
spotfire.kerberos.login.context<br />
DatabaseKerberos<br />
<br />
<br />
oracle.net.authentication_services<br />
( KERBEROS5 )<br />
<br />
<br />
...<br />
<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 119 (144)
Advanced Procedures<br />
9.17.5.4 Using Kerberos Authentication with Delegated<br />
Credentials<br />
Before configuring JDBC Data Sources for Kerberos authentication with delegated<br />
credentials, it must be verified that it is possible for clients to connect to the <strong>Spotfire</strong><br />
<strong>Server</strong> using Kerberos authentication. When the server is correctly set up and<br />
everything works, it is time to proceed to the next step.<br />
To set up Information Services to use delegated Kerberos credentials when making<br />
connections to database servers, the <strong>Spotfire</strong> <strong>Server</strong>’s service account used for<br />
retrieving the ticket-granting ticket (TGT) must be given the permission to delegate<br />
client credentials. In the “Active Directory Users and Computers” control panel on the<br />
domain controller, the “Account” tab of the properties dialog for the service account<br />
contains an “Account is trusted for delegation” check box that can be checked to give<br />
the service account that permission.<br />
After setting up the service account’s delegation rights, a new JDBC Data Source must<br />
be created in the data source template xml. Copy a non-Kerberos definition for the<br />
same type of data source and add the special JDBC connection property<br />
“spotfire.connection.pool.factory.data.source” with the value “kerberos.data.source”.<br />
All JDBC connection properties required to configure the JDBC driver for Kerberos<br />
authentication should also be added. Please consult your database server’s<br />
documentation for more information about configuring the JDBC driver.<br />
Example: Setting up Kerberos authentication with delegated credentials for an Oracle<br />
database<br />
<br />
oracle-kerberos<br />
Oracle Kerberos<br />
oracle.jdbc.OracleDriver<br />
jdbc:oracle:thin:@<host>:<port1521>:<sid><br />
SELECT 1 FROM DUAL<br />
<br />
<br />
spotfire.connection.pool.factory.data.source<br />
kerberos.data.source<br />
<br />
<br />
oracle.net.authentication_services<br />
(KERBEROS5)<br />
<br />
<br />
...<br />
<br />
9.17.5.5 Verifying a Data Source Template<br />
To verify the data source template from <strong>TIBCO</strong> <strong>Spotfire</strong>:<br />
120 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
1 Log into <strong>TIBCO</strong> <strong>Spotfire</strong> as an administrator.<br />
2 Select Tools > Create Information Link....<br />
3 Click on the Setup Data Source link.<br />
4 Enter a name for the data source connection.<br />
5 Specify the type of data source.<br />
6 Enter the connection URL.<br />
7 Enter max/min-values for the connection pool.<br />
8 Enter a username and a password to connect to the database.<br />
9 Click Save.<br />
10 Click on the Data sources tab in the left pane.<br />
Response: The data source name should appear in the tree to the left, ready for use.<br />
9.18 Default Join Database<br />
9.18.1 What is Default Join Database?<br />
The default join database is used for creating temporary tables and joining the final<br />
result when running an information link. Most often using the standard <strong>Spotfire</strong><br />
database for the default join database will work fine. However, in certain situations<br />
you may want to configure another database to be used. For example, if you prefer to<br />
run these operations as a specific user on the database, or if you want to use a database<br />
that is specifically optimized for temporary tables.<br />
To set up Default Join Database, start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console, and<br />
go to the Default Join Database tab. Make the appropriate settings there.<br />
Default Join Database Settings<br />
Option<br />
Configure Custom Default<br />
Join Database<br />
Type<br />
Connection URL<br />
Description<br />
Sets whether you want to configure a Custom Default<br />
Join Database (Yes) or use the standard <strong>Spotfire</strong><br />
database (No).<br />
Sets the type of database and driver you want to use as<br />
the default join database.<br />
This is the connection URL to the database.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 121 (144)
Advanced Procedures<br />
Number of Connections<br />
Username and Password<br />
Sets a minimum and maximum Number of<br />
Connections to use when accessing the database.<br />
Sets the Username and Password that will be used to<br />
access the database.<br />
Test Connection<br />
Click the Test Connection button to verify that the<br />
provided information can be used to connect to the<br />
database.<br />
9.19 Login Behavior<br />
9.19.1 What is Login Behavior?<br />
When users start their <strong>TIBCO</strong> <strong>Spotfire</strong> clients you can decide how login should work.<br />
You can configure:<br />
• If the login dialog should be displayed or not.<br />
• If users should be allowed to work offline or if they must always log in.<br />
• If users can select “Save my login information” in the login dialog and store the<br />
login information for future automatic login.<br />
• If users should be forced to log in after working offline for a certain number of<br />
days.<br />
• If you want an RSS feed to be shown in the login dialog.<br />
The <strong>TIBCO</strong> <strong>Spotfire</strong> login dialog<br />
122 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
9.19.2 Configuring Login Behavior<br />
<br />
To configure login behavior:<br />
1 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
2 Go to the Login Behavior tab.<br />
3 Click the Edit button on the toolbar.<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The Client Behavior fields will become editable.<br />
4 Set Login dialog display behavior.<br />
• Always (show dialog even if user has chosen Save my login information)<br />
• Never (never show dialog)<br />
• Standard (only show dialog if user has not chosen Save my login information)<br />
5 Set Allow Work offline.<br />
• Yes - users can work offline if they like.<br />
• No - users must always be logged in to the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> to run <strong>TIBCO</strong><br />
<strong>Spotfire</strong>.<br />
6 Set Allow Save my login information.<br />
• Yes - users can select to store the login information for future automatic login.<br />
• No - users must always provide user name and password when logging in.<br />
7 Set Work offline limit.<br />
• Do Not Set Limit - the users can select to Work Offline and will never be forced<br />
to connect to the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>.<br />
• Set days client can operate without connecting to server - users can select to<br />
Work Offline but will be prompted and forced to log in after # number of days.<br />
8 Click the Done button on the toolbar.<br />
9 Click Start Cluster on the toolbar to restart the cluster.<br />
9.19.3 Configuring RSS Feed<br />
It is possible to configure the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> to show messages in the login<br />
dialog for the end users. For example, news of upcoming scheduled maintenance of<br />
the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> could be shown.<br />
One option is to specify a path to an rss.xml file located on an <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>,<br />
which you can update manually with news. Another is to specify the URL to an<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 123 (144)
Advanced Procedures<br />
<br />
external RSS feed. Regardless, you must make sure the specified rss-feed complies<br />
with the standard RSS 2.0 specification, and that the source is available to the end<br />
users’ clients. Note that HTML in the RSS feed is not supported.<br />
If you want to make sure all users see the news in the login dialog, you can set the<br />
Display behavior setting to “Always”. This means the login dialog will be shown to all<br />
users regardless of whether they have opted to save their login credentials for<br />
automatic login.<br />
To configure RSS feed:<br />
1 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
2 Go to the Login Behavior tab.<br />
3 Click the Edit button on the toolbar.<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The Client Behavior fields will become editable.<br />
4 In the RSS Feed field, enter a URL to the RSS feed you want to use.<br />
Comment: If you want to remove an RSS feed, just clear the input field.<br />
5 Click the Done button on the toolbar.<br />
6 Click Start Cluster on the toolbar to restart the cluster.<br />
Below is an example of an RSS 2.0 compliant RSS file:<br />
<br />
<br />
<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> News<br />
http://myserver/spotfire/rss<br />
My description goes here.<br />
en-us<br />
Wed, 03 Jan 2007 04:00:00 GMT<br />
Mon, 12 Feb 2007 09:41:01 GMT<br />
http://myserver/spotfire/rss <br />
Weblog Editor 2.0<br />
editor@example.com<br />
webmaster@example.com<br />
<br />
<strong>Server</strong> down for maintenance 2008-03-03 <br />
http://sharepoint/news/item1.aspx<br />
<br />
Mon, 12 Feb 2007 09:39:21 GMT<br />
123456<br />
<br />
<br />
Remember to save your work before going home<br />
http://internal/department/test<br />
124 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
<strong>Server</strong>s will be down this weekend.<br />
Mon, 08 Jan 2007 11:06:42 GMT<br />
123455<br />
<br />
<br />
<br />
9.20 Impersonation<br />
What Is Impersonation?<br />
When the cluster of <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>s is used in conjunction with one or more<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> Web Player servers, which have been configured for certain<br />
authentication methods, for example, NTLM, impersonation also needs to be enabled<br />
on the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>s for seamless login.<br />
Impersonation means that the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player is responsible for<br />
authenticating users. Calls from the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player to the <strong>TIBCO</strong><br />
<strong>Spotfire</strong> <strong>Server</strong> cluster will be made on behalf of the person authenticated.<br />
For example, consider that the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server is configured for<br />
certificate authentication. This authentication method is done on the https network<br />
level and there is no user name or password which can be conveyed to the <strong>TIBCO</strong><br />
<strong>Spotfire</strong> <strong>Server</strong> cluster for login. Instead the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server is<br />
trusted for impersonation. The <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server is allowed to make<br />
calls on behalf of any user without the ordinary authentication mechanism. This means<br />
the user will see his/her specific files in the library etc.<br />
Enabling impersonation can pose a potential security issue, which is why this is<br />
disabled by default. To strengthen security there are a number of requirements that can<br />
be imposed on a call in order for it to be allowed to impersonate.<br />
9.20.1 Enabling Impersonation<br />
To enable impersonation, you need to activate it from the <strong>TIBCO</strong> <strong>Spotfire</strong><br />
Configuration Console. There are a number of requirements that you can set up which<br />
decides when to allow impersonation. These requirements are on the impersonate call<br />
from a <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server to the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> cluster. All<br />
the requirements you decide to set up must be met for the impersonation call to be<br />
allowed.<br />
If you want to require the impersonation call to be made on https, check the Require<br />
SSL option. If you leave it blank, both http and https are allowed.<br />
The call from a <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server to the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong><br />
cluster will always require authentication. This is most often done as a certain user<br />
which has been specified in the configuration of the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player<br />
server. The <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> cluster can be configured to only allow certain<br />
users to be able to issue impersonation calls - typically the very user specified in the<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server configuration.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 125 (144)
Advanced Procedures<br />
<br />
For the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> cluster this is specified in the Allowed Users field(s).<br />
You can add as many users as you like. If you do not specify any users, then any<br />
authenticated user can issue impersonate calls. The most common use is to specify the<br />
same user as previously configured on the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server. See the<br />
"<strong>TIBCO</strong> <strong>Spotfire</strong> Web Player - Installation and Configuration Manual" for more<br />
information.<br />
Specific requirements can also be made on the origin of an impersonate call. Typically,<br />
you would want to configure the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> cluster to only allow<br />
impersonation calls originating from the machines running a trusted <strong>TIBCO</strong> <strong>Spotfire</strong><br />
Web Player server.<br />
If one or more servers are listed in the Web Player <strong>Server</strong> field(s), then only calls<br />
originating from these machines are allowed. Allowed machines can be specified in<br />
two ways: originating IP number or originating name. The originating IP number<br />
should be the IP number of the machine, and a specified originating name is resolved<br />
to one (or more) IP numbers using DNS. Only calls originating from one of the<br />
mentioned machines are valid for impersonation. If no information is provided in the<br />
Web Player <strong>Server</strong> field, then calls originating from any machine are valid for<br />
impersonation.<br />
To enable impersonation:<br />
1 Start the <strong>TIBCO</strong> <strong>Spotfire</strong> Configuration Console.<br />
2 Go to the Impersonation tab.<br />
3 Click the Edit button in the toolbar.<br />
Comment: You will be prompted to stop the entire cluster.<br />
Response: The Enable Impersonation drop-down list will become active.<br />
4 Click on the Enable Impersonation drop-down, and select Yes.<br />
Response: The impersonation settings become editable.<br />
5 Select whether you want to require the impersonation call to be made on https by<br />
checking the Require SSL option. If you leave it blank both http and https are<br />
allowed. If you select https then you must make sure both the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong><br />
and the <strong>TIBCO</strong> <strong>Spotfire</strong> Web Player server can communicate using https.<br />
6 Specify whether only certain users should be able to issue impersonation calls by<br />
entering those user names in the Allowed Users field. Only enter one user per row.<br />
Click the plus sign next to the field to add another row where you can specify an<br />
additional user.<br />
7 Specify whether the <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> cluster should only accept impersonation<br />
calls from certain machines. If you want to limit impersonation calls in this way,<br />
specify the originating machine by entering the IP numer or host name in the Web<br />
Player <strong>Server</strong>s field. Only enter one machine per row. Click the plus sign next to the<br />
field to add another row where you can specify an additional machine.<br />
8 Click the Done button in the toolbar.<br />
126 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Advanced Procedures<br />
9 Click Start Cluster in the toolbar to restart the cluster.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 127 (144)
Backup and Restore<br />
10 Backup and Restore<br />
10.1 Overview<br />
To ensure quick and easy recovery after a crash or disaster in your <strong>Spotfire</strong> system, it<br />
is important that you back up information stored in the system. This information<br />
includes user files, configuration, etc. Most of this is stored in the <strong>Spotfire</strong> Database,<br />
but some of it is stored on the <strong>Spotfire</strong> <strong>Server</strong>(s) and The <strong>Spotfire</strong> Web Player server.<br />
This manual will not describe how to perform backups, only what to back up. It is<br />
assumed that you have some sort of backup software for files and computers, and that<br />
you use the backup tools provided by your database vendor. Refer to their<br />
documentation for instructions on how to perform backups.<br />
10.2 <strong>Spotfire</strong> Database<br />
The most important part of the <strong>Spotfire</strong> system to back up is the <strong>Spotfire</strong> Database.<br />
This is where most of the user data and configuration is stored, and even if you do not<br />
have valid backups of other components of the <strong>Spotfire</strong> system, you will be able to<br />
restore functionality after a crash if the database is backed up. It is therefore vital that<br />
you have a valid and current backup of the <strong>Spotfire</strong> Database.<br />
10.3 <strong>Spotfire</strong> <strong>Server</strong>(s)<br />
Stored on the <strong>Spotfire</strong> <strong>Server</strong>(s) is configuration that is unique to each <strong>Spotfire</strong> <strong>Server</strong><br />
in the cluster, such as authentication information regarding NTLM, Kerberos, Client<br />
Certificates, etc. Even if you lose this data, you will be able to get a <strong>Spotfire</strong> system<br />
back after a crash, by installing a new server and adding it to the cluster. For simple<br />
systems, where no or very little configuration is performed, this may even be enough.<br />
If you have made any configuration changes, however, such as listening ports,<br />
authentication, user directory, etc, you probably want to ensure that you have a valid<br />
backup of your <strong>Spotfire</strong> <strong>Server</strong>(s). Configuration stored on the <strong>Spotfire</strong> <strong>Server</strong>(s)<br />
includes the following:<br />
• Listening ports configuration (see the section “Run Installer” on page 23 and<br />
“<strong>Server</strong>.xml” on page 135 for more information about this)<br />
• Information about how to connect to the <strong>Spotfire</strong> Database (see the section<br />
“Database Connection Configuration” on page 138 for more information about<br />
this)<br />
• Logging configuration (see the section “Changing the Default Log Level of the<br />
<strong>Spotfire</strong> <strong>Server</strong>” on page 132 for more information about this)<br />
• Memory configuration (see the section “Modifying the Virtual Memory” on<br />
page 103 for more information about this)<br />
128 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Backup and Restore<br />
• HTTPS (see the section “Setting up HTTPS on a <strong>Spotfire</strong> <strong>Server</strong>” on page 86 for<br />
more information about this)<br />
• Authentication such as Kerberos, NTLM, or Client Certificates (see the section<br />
“Authentication and User Directory” on page 65 for more information about<br />
this).<br />
• Shared Disk. In a cluster of more than one server, you may want to configure the<br />
location of the Shared Disk (see the section “Shared Disk Location in a<br />
Clustered Environment” on page 100 for more information about this).<br />
• Configuration regarding data sources. Each <strong>Spotfire</strong> <strong>Server</strong> needs configuration<br />
regarding database drivers etc for external data sources.<br />
• Any other advanced configuration performed in “Advanced Procedures” on<br />
page 84. When performing advanced configuration, you should always take<br />
backup into consideration.<br />
To back up your <strong>Spotfire</strong> <strong>Server</strong>(s), you should select one of the following methods:<br />
• Back up the entire machine that <strong>Spotfire</strong> <strong>Server</strong> is running on.<br />
• Back up only the files that <strong>Spotfire</strong> <strong>Server</strong> installs on the machine.<br />
There are of course advantages and drawbacks with whichever method you select. If<br />
you back up the entire machine, you will be certain that no files are missing in your<br />
backup. On the other hand, you also have a backup that includes an entire computer<br />
with potentially other software running on it, that you may not want to restore after a<br />
crash. If you run only <strong>Spotfire</strong> <strong>Server</strong> on the machine, this is probably what you should<br />
choose.<br />
If you back up only the files that the <strong>Spotfire</strong> <strong>Server</strong> installs in the , you will potentially have a backup that is more easy to move between<br />
machines. You should however take special notice to back up anything you may have<br />
stored or configured outside the <strong>Spotfire</strong> <strong>Server</strong> installation directory. A typical<br />
example of this would be database drivers necessary to connect to Information<br />
Sources, set up in the Control Panel if running on Windows. Backing up the entire<br />
machine would back up these dependencies as well. Also, if you are running <strong>Spotfire</strong><br />
<strong>Server</strong> on Windows, you will lose the Start Menu shortcuts and the unistall feature in<br />
the Control Panel when restoring this type of backup.<br />
For both methods, you should also consider that authentication such as Kerberos and<br />
Client Certificates could be difficult to restore, due to the fact that their configuration<br />
is tied to the specific hardware they are installed on. If you restore a backup to a<br />
machine different from the original one, you will probably have to set up<br />
authentication anew.<br />
Note that it is not possible to restore a backup of a <strong>Spotfire</strong> <strong>Server</strong> to a machine with a<br />
different operating system than the original one.<br />
For other components in the <strong>Spotfire</strong> system, such as the <strong>Spotfire</strong> Web Player, refer to<br />
their installation manuals for instructions on how to perform backups of them.<br />
If you have more than one <strong>Spotfire</strong> <strong>Server</strong> in the cluster, and they are configured<br />
differently, remember to perform backups of each server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 129 (144)
Backup and Restore<br />
To Restore a <strong>Spotfire</strong> <strong>Server</strong><br />
Note: To perform a restore of a backup, you must restore to the same OS architecture<br />
the backup is from. If this is not possible, you must reinstall the <strong>Spotfire</strong> <strong>Server</strong> using<br />
the installer.<br />
It is recommended that you also restore a <strong>Spotfire</strong> <strong>Server</strong> to a machine with the same<br />
IP adddress and hostname as the old one. This will ensure that any network issues,<br />
such as firewall settings etc, will work smoothly after a restore. Overall, you may want<br />
to try to create the restored system as similar as possible to the old one, for similar<br />
reasons.<br />
Below is a step-by-step instruction for restoring <strong>Spotfire</strong> <strong>Server</strong> software.<br />
1 Restore the backup of to the same physical path on the<br />
machine as on the old.<br />
2 If running on Windows and starting the <strong>Spotfire</strong> <strong>Server</strong> using a Windows Service, run<br />
the script<br />
/tomcat/bin/service.bat install<br />
See the section “For Windows, with Windows Service” on page 48 for more<br />
information about the Windows Service.<br />
3 If running or Solaris, Redhat, or SuSe, and starting the <strong>Spotfire</strong> <strong>Server</strong> automatically<br />
after reboot, run the script<br />
/tomcat/install_startup_script.sh<br />
or copy the script tss to the right place. See the section “For Solaris, Red Hat, and<br />
SUSE” on page 49 for more information about this.<br />
If you are using any authentication such as Kerberos or Client Certificates, you may<br />
also have to set up this anew.<br />
10.4 Disaster Recovery<br />
In the event of a disaster, where you have no valid backups available, you should think<br />
of the following:<br />
• Without a valid backup of the <strong>Spotfire</strong> Database, you will not be available to<br />
restore your <strong>Spotfire</strong> system to its previous state. You must therefore have a<br />
valid and current backup of your <strong>Spotfire</strong> Database.<br />
• Without a valid backup of the <strong>Spotfire</strong> <strong>Server</strong>(s), you can restore your <strong>Spotfire</strong><br />
system to its previous state by installing a new <strong>Spotfire</strong> <strong>Server</strong>, adding it to the<br />
cluster (stored in the database), and configuring it anew.<br />
130 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
11 Technical Reference<br />
11.1 <strong>Server</strong> Logs and Diagnostics<br />
For each <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> you can view logs and diagnostics in the <strong>Server</strong> Logs<br />
and Diagnostics tool, available at the URL http://spotfireserver:80/spotfire.<br />
Replace spotfireserver with the name of the <strong>Spotfire</strong> <strong>Server</strong>.<br />
Log in with a user that has either <strong>Spotfire</strong> Administrator or <strong>Spotfire</strong> Diagnostics<br />
Administrator permissions. For more information about <strong>Spotfire</strong> permissions and<br />
administrator roles, see the <strong>TIBCO</strong> <strong>Spotfire</strong> Deploy and Administration Manual.<br />
<strong>Server</strong> Logs will provide detailed information about what is happening on the server,<br />
such as access logs, SOAP communication, Information Links that are used, etc.<br />
Diagnostics will provide information about the server itself, such as information about<br />
the Database <strong>Server</strong>, Operating System, <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong>, Cluster<br />
Configuration, Application <strong>Server</strong>, System, and Java version.<br />
11.1.1 Logging Overview<br />
The main purpose of logging is to aid in the detection, diagnosis and resolution of any<br />
problems the server experiences. Therefore, in the normal operation of the server, a<br />
very minimal amount of logging is enabled.<br />
11.1.2 Log Configuration Files<br />
You can determine what should be logged in the log files by applying settings in a<br />
certain Log Configuration File. This configuration file will set the level of detail for<br />
the actual log files. To do this, first select the Log File, then select the Log<br />
Configuration File you want to set for the log, and then click the Set Configuration<br />
button.<br />
There are six "levels" of logging you can choose between by selecting different Log<br />
Configuration Files:<br />
• log4j-minimal.properties - The <strong>Server</strong> Log will only log errors, and the SQL<br />
Log will be deactivated.<br />
• log4j.properties - The default setting. The <strong>Server</strong> Log will log warnings, errors<br />
and basic information. The SQL Log will log basic SQL information.<br />
• log4j-debug.properties - The <strong>Server</strong> Log will log detailed debug information as<br />
well as warnings, errors and other detailed information. The SQL Log will log<br />
more detailed SQL information.<br />
• log4j-debug-soap.properties - The <strong>Server</strong> Log will log detailed SOAP<br />
information in addition to all the debug information from log4jdebug.properties.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 131 (144)
Technical Reference<br />
• log4j-trace.properties - This <strong>Server</strong> Log will log extremely low-level debug<br />
information including all the debug information from log4j-debug.properties.<br />
• log4j-trace-soap.properties - This <strong>Server</strong> Log will log extremely low-level<br />
SOAP information including all the debug information from log4jtrace.properties.<br />
Note: If you wish to limit the number of choices of log configurations available in the<br />
<strong>Server</strong> Logs and Diagnostics tool, you can move or remove these files from the<br />
/tomcat/webapps/META-INF directory.<br />
Warning: Do not use the "Debug", "Debug with SOAP" "Trace" or "Trace with<br />
SOAP" modes for continuous server use, since doing so decreases the performance of<br />
the server, and also produces very large log files.<br />
If you want to configure the logs in other ways than the above options allow, you can<br />
create your own Log Configuration File using standard Log4j syntax (more<br />
information can be found at http://logging.apache.org/log4j/docs/<br />
documentation.html).<br />
Placing a new log4j configuration file with the name matching the pattern<br />
log4j*.properties in the /tomcat/webapps/META-INF<br />
directory, will cause it to appear in the drop-down list among the other Log<br />
Configuration Files and can thus be selected.<br />
Note: When you restart the server, the Log Configuration File will revert to the default<br />
selection. To set the default log level, see the instructions below.<br />
11.1.3 Changing the Default Log Level of the <strong>Spotfire</strong><br />
<strong>Server</strong><br />
To change the default log level of the <strong>Spotfire</strong> <strong>Server</strong>, you need to manually edit a<br />
configuration file located on each server.<br />
<br />
To Change the Default Log Level of the <strong>Spotfire</strong> <strong>Server</strong><br />
1 Open the file /tomcat/webapps/spotfire/WEB-INF/<br />
web.xml in a text or xml editor.<br />
2 Look for the param-name com.spotfire.logging.config.file.<br />
3 Change the param-name to one one of the log configuration files described above.<br />
4 Restart the <strong>Spotfire</strong> <strong>Server</strong>.<br />
To change the default log level of the Configuration Console, edit the file /tomcat/webapps/admin/WEB-INF/web.xml instead.<br />
To change the default log level of the <strong>Spotfire</strong> Controller, edit the file /tomcat/webapps/controller/WEB-INF/web.xml instead.<br />
132 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
11.1.4 Console Debugging:<br />
All levels of logging are also available in "Console Debugging" versions:<br />
• log4j-minimal-with-console.properties<br />
• log4j-with-console.properties<br />
• log4j-debug-with-console.properties<br />
• log4j-debug-soap-with-console.properties<br />
• log4j-trace-with-console.properties<br />
• log4j-trace-soap-with-console.properties<br />
These should only be used temporarily when running the server in console mode. This<br />
will provide real-time logging in a console window.<br />
Do NOT use these while running the <strong>Spotfire</strong> <strong>Server</strong> as a Windows service, since this<br />
may rapidly create huge log files.<br />
11.1.5 Log Files<br />
<strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> uses rolling logs, which means that when a log file gets too big<br />
it splits into several files. These are indexed by a number, (the higher the number, the<br />
older the log) and can be selected in the drop-down list in the <strong>Server</strong> Log Files<br />
interface. When a rolled log file reaches a certain number it is deleted.<br />
The log files are located in the /tomcat/logs/spotfire,<br />
/tomcat/logs/admin, and /tomcat/logs/<br />
controller directories.<br />
There are several log files that you can configure and view:<br />
<strong>Server</strong> Log<br />
SQL Log<br />
SOAP Log<br />
Actual file located in /tomcat/logs/spotfire/<br />
dss.log.<br />
This file logs all activity on the server except the events recorded in the<br />
<strong>Server</strong> Access Log. It includes the SQL log and a simplified version of<br />
the <strong>Server</strong> Access log. You can set the detail level of what this file logs by<br />
selecting different Log Configuration Files.<br />
Actual file located in /tomcat/logs/spotfire/<br />
sql.log.<br />
This file logs the SQL that is generated each time a user executes an<br />
information link. You can set the detail level of what this file logs by<br />
selecting different Log Configuration File.<br />
This log stores information about the SOAP communication on the<br />
server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 133 (144)
Technical Reference<br />
<strong>Server</strong> Diagnostics<br />
Log<br />
Actual file located in /tomcat/logs/spotfire/serverdiagnostics.log<br />
This log is always enabled and contains diagnostic information collected<br />
during server startup. It shows whether or not the server could be started<br />
successfully and other vital information collected from various parts of<br />
the server. This log is always enabled and unaffected by Log<br />
Configuration File settings.<br />
<strong>Server</strong> Access Log Actual file located in /tomcat/logs/spotfire/<br />
access.log<br />
This log is always enabled and contains all access attempts to the <strong>TIBCO</strong><br />
<strong>Spotfire</strong> <strong>Server</strong>. It shows which user has accessed what files on the server,<br />
when the access took place, and whether or not the access was granted. It<br />
uses standard "W3C common logfile format".<br />
<strong>Server</strong> Usage Log Actual file located in /tomcat/logs/spotfire/<br />
usage.log.<br />
This file is a lighter alternative to the server access log described above as<br />
it does not contain information regarding the file accessed. Apart from<br />
that, the two files contain the same information. This log is always<br />
enabled and unaffected by Log Configuration File settings.<br />
dss-cxf.log This file logs the CXF SOAP tool from Apache.<br />
isusage.log Actual file located in /tomcat/logs/spotfire/<br />
isusage.log.<br />
This log file contains information about what user accesses which<br />
Information Link and when.<br />
library.log Actual file located in /tomcat/logs/spotfire/<br />
library.log.<br />
This log file logs whenever a user stores, opens or deletes a file from the<br />
library.<br />
impex.log This file logs library import and export.<br />
Tomcat StdOut This file cannot be viewed in the UI, you must open the actual log file.<br />
Log<br />
Actual file located in<br />
/tomcat/logs/spotfire/stdout_yyyyMM dd.log,<br />
where yyyyMMdd is replaced by the log file’s creation date.<br />
The Tomcat application server redirects all output to StdOut to this log<br />
file. Note: By default, this log file is not rolled.<br />
Tomcat StdErr Log This file cannot be viewed in the UI, you must open the actual log file.<br />
Actual file located in<br />
/tomcat/logs/spotfire/stderr_yyyyMMdd.log,<br />
where yyyyMMdd is replaced by the log file’s creation date.<br />
The Tomcat application server redirects all output to StdErr to this log<br />
file. Note: By default, this log file is not rolled.<br />
134 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
Jakarta Service<br />
Log<br />
This file cannot be viewed in the UI, you must open the actual log file.<br />
Actual file located in<br />
/tomcat/logs/spotfire/jakarta_service_yyyyMM<br />
dd.log, where yyyyMMdd is replaced by the log file’s creation date.<br />
This log file contains information about when the Tomcat service is<br />
started and stopped.<br />
11.1.6 Export Log File<br />
By clicking on the Export Log File button, you can save the current log file to disk.<br />
Note: This only exports the <strong>Spotfire</strong> <strong>Server</strong> log, not the logs of the Configuration and<br />
Console and <strong>Spotfire</strong> Controller.<br />
11.1.7 Log Out<br />
For security reasons, always make sure to exit your browser when logging out of<br />
<strong>Server</strong> Logs and Diagnostics. This makes sure no session cookies are retained.<br />
11.2 <strong>Server</strong>.xml<br />
<strong>Spotfire</strong> <strong>Server</strong> is implemented as a Tomcat web application. For this reason, it uses a<br />
standard Tomcat web application configuration file, server.xml, to store information it<br />
needs when starting. This file is stored in /tomcat/conf/>. You<br />
should only need to make changes to this server if you need to change port numbers<br />
after installation, or if you need to tweak Tomcat behavior. Note that each <strong>Spotfire</strong><br />
<strong>Server</strong> in a cluster has a server.xml. Therefore, if you need to make changes to it, you<br />
need to make those changes to all the servers in the cluster.<br />
The standard server.xml delivered with <strong>Spotfire</strong> <strong>Server</strong> looks like this:<br />
<br />
<br />
<br />
<br />
<br />
Technical Reference<br />
unpackWARs="false" autoDeploy="false"<br />
xmlValidation="false" xmlNamespaceAware="false"<br />
deployOnStartup="false"><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
136 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
<br />
<br />
<br />
<br />
Note: The variables [<strong>Spotfire</strong>Port], [MCPort], and [ControllerPort] are set by<br />
selections made in the <strong>Spotfire</strong> <strong>Server</strong> installer. The variables [<strong>Server</strong>Hostname]-srv<br />
and [<strong>Server</strong>Hostname]-adm are automatically set by the installer by adding the strings<br />
“-srv” and “-adm” to the server’s hostname. Also note that these variables must not<br />
have any characters that could potentially need “escaping”, such as “.” (for instance<br />
spotfireserver1.company.com).<br />
For detailed information about the server.xml syntax, see the Apache Tomcat<br />
documentation located at http://tomcat.apache.org/<br />
11.3 krb5.conf<br />
This file contains settings for Kerberos. Listed below is an unmodified version of the<br />
file, as it is shipped, and also a version with example values filled in.<br />
[libdefaults]<br />
default_realm = MYDOMAIN<br />
default_keytab_name = spotfire.keytab<br />
default_tkt_enctypes = rc4-hmac<br />
default_tgs_enctypes = rc4-hmac<br />
[realms]<br />
MYDOMAIN = {<br />
kdc = mydc.mydomain<br />
admin_server = mydc.mydomain<br />
default_domain = mydomain<br />
}<br />
[domain_realm]<br />
.mydomain = MYDOMAIN<br />
mydomain = MYDOMAIN<br />
[appdefaults]<br />
autologin = true<br />
forward = true<br />
forwardable = true<br />
encrypt = true<br />
[libdefaults]<br />
default_realm = RESEARCH.EXAMPLE.COM<br />
default_keytab_name = spotfire.keytab<br />
default_tkt_enctypes = rc4-hmac<br />
default_tgs_enctypes = rc4-hmac<br />
[realms]<br />
RESEARCH.EXAMPLE.COM = {<br />
kdc = example-dc.research.example.com<br />
admin_server = example-dc.research.example.com<br />
default_domain = research.example.com<br />
}<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 137 (144)
Technical Reference<br />
[domain_realm]<br />
.research.example.com = RESEARCH.EXAMPLE.COM<br />
research.example.com = RESEARCH.EXAMPLE.COM<br />
[appdefaults]<br />
autologin = true<br />
forward = true<br />
forwardable = true<br />
encrypt = true<br />
11.4 Database Connection Configuration<br />
The <strong>Spotfire</strong> database, discussed previously in this manual, holds information<br />
important to the <strong>Spotfire</strong> <strong>Server</strong>s. When logging into the configuration console for the<br />
first time, a prompt will appear asking for a valid URL to the database. The<br />
information entered here is stored by the configuration console and then distributed to<br />
each server added to the cluster. See the section “Starting the Configuration Console”<br />
on page 50 for more information about this.<br />
If the connection information of the database changes for some reason, you need to<br />
reconfigure the <strong>Spotfire</strong> <strong>Server</strong>s and the configuration console so that they are able to<br />
connect to the database. For the configuration console, you must edit the file<br />
connections.xml, found in the /tomcat/webapps/admin/WEB-INF/<br />
directory on the machine running the configuration console. For the <strong>Spotfire</strong> <strong>Server</strong>s,<br />
you can either remove them from the cluster and re-add them, or edit the file<br />
database.xml, found in the tomcat/webapps/META-INF/ directory<br />
on each <strong>Spotfire</strong> <strong>Server</strong>. Below is a description of how these files look.<br />
connections.xml<br />
<br />
<strong>Server</strong>.Default<br />
<br />
0<br />
<strong>Server</strong>.Default<br />
[DriverClass]<br />
[DB<strong>Server</strong>URL]<br />
false<br />
WAIT_CONSERVATIVE<br />
-1<br />
0<br />
600<br />
false<br />
true<br />
<br />
<br />
<br />
<br />
The strings [DriverClass] and [DB<strong>Server</strong>URL] will be automatically set to<br />
appropriate values by the configuration console when you add a server to a cluster.<br />
You can also change the string tibcosoftwareinc.jdbc.sqlserver.SQL<strong>Server</strong>Driver if<br />
you intend to use a different database driver. See the section “Database Drivers” on<br />
138 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
page 47 for more information about this. Different database drivers might offer<br />
different options to include in the URL.<br />
database.xml<br />
<br />
<br />
<br />
<br />
base64<br />
true<br />
<br />
<br />
key<br />
52b896a2-3d9b-4de1-9249-2eeee4276f35<br />
<br />
<br />
com.spotfire.util.transform.DESedeCredentialTransform<br />
<br />
<br />
<strong>Server</strong>.Default<br />
<br />
0<br />
<strong>Server</strong>.Default<br />
[DriverClass]<br />
[DB<strong>Server</strong>URL]<br />
[DBUserName]<br />
[DBPassword]<br />
false<br />
WAIT_CONSERVATIVE<br />
20<br />
5<br />
600<br />
false<br />
true<br />
<br />
<br />
<br />
MaxPooledStatements<br />
20<br />
<br />
<br />
<br />
<br />
<br />
The strings [DriverClass], [DB<strong>Server</strong>URL], [DBUserName], and [DBPassword] will<br />
be automatically set to appropriate values by the configuration console when you add<br />
a server to a cluster. If you need to change database driver or URL, see examples<br />
below.<br />
Note: The [DBPassword] will be encrypted in this file.<br />
Driver Class Definition Examples<br />
The driver class definition looks different depending on which database driver is in<br />
use. It must be added to each definition in each configuration file<br />
described above. These are the different types supported by <strong>Spotfire</strong> <strong>Server</strong>:<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 139 (144)
Technical Reference<br />
Oracle (DataDirect Driver)<br />
tibcosoftwareinc.jdbc.oracle.OracleDriver<br />
Oracle (Native Driver, ojdbc6.jar)<br />
oracle.jdbc.OracleDriver<br />
Microsoft SQL <strong>Server</strong> (DataDirect Driver)<br />
tibcosoftwareinc.jdbc.sqlserver.SQL<strong>Server</strong>Driver<br />
Microsoft SQL <strong>Server</strong>(Native Driver, sqljdbc4.jar)<br />
com.microsoft.sqlserver.jdbc.SQL<strong>Server</strong>Driver<br />
jTDS (Native Driver, jtds.jar)<br />
net.sourceforge.jtds.jdbc.Driver<br />
Database Connection URL Components and Examples<br />
Component<br />
API<br />
Database Driver<br />
<strong>Server</strong> Type<br />
Hostname<br />
Port<br />
Database Name or SID<br />
Options<br />
Description<br />
Specifies which API to use. This is always jdbc.<br />
Specifies which database driver to use to connect to the<br />
database. Default tibcospotfireinc, which will use the<br />
<strong>Spotfire</strong> Datadirect driver. If you have installed a different<br />
driver, you may provide this here.<br />
Specifies the type of database server. Either sqlserver or<br />
oracle.<br />
Note: <strong>Server</strong> Type is only applicable when using the<br />
DataDirect driver.<br />
Specifies the hostname of the database server.<br />
Specifies the port which the database server listens to; for<br />
example 1433.<br />
Specifies the name (MSSQL) or SID (Oracle) that defines<br />
your <strong>Spotfire</strong> database.<br />
Specifies further options, separated with semicolons. Only<br />
necessary if you need to set something specific for your<br />
database server. This may include information such as a<br />
named Instance in an MSSQL server, for example. See<br />
example below.<br />
For the different supported database drivers this becomes:<br />
Oracle (DataDirect Driver)<br />
[API]:[DBDriver]:[<strong>Server</strong>Type]://[Hostname]:[Port];SID=[SID]<br />
140 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Technical Reference<br />
Example:<br />
jdbc:tibcospotfireinc:oracle://dbsrv.company.com:1433;SID=spotfire_server<br />
Oracle (Native Driver, ojdbc6.jar)<br />
[API]:[DBDriver]:[DriverType]://[Hostname]:[Port];SID=[SID]<br />
Example:<br />
jdbc:j@dbsrv.company.com:1521:spotfire_server<br />
Microsoft SQL <strong>Server</strong> (DataDirect Driver)<br />
[API]:[DBDriver]:[<strong>Server</strong>Type]://[Hostname]:[Port];DatabaseName=[DBName]<br />
Example:<br />
jdbc:tibcosoftwareinc:sqlserver://dbsrv.company.com:1433;DatabaseName=spotfire_server<br />
Example using Integrated Authentication<br />
jdbc:tibcosoftwareinc:sqlserver://<br />
dbsrv.company.com:1433;DatabaseName=spotfire_server;AuthenticationMethod=ntlm;LoadLibra<br />
ryPath=c:/tibco/tss/<strong>3.2.2</strong>/tomcat/lib<br />
Note: Make sure that the LoadLibraryPath has the correct path to the tomcat/lib<br />
directory in the <strong>Spotfire</strong> <strong>Server</strong> installation directory.<br />
Microsoft SQL <strong>Server</strong> (Native Driver, sqljdbc4.jar)<br />
[API]:[DBDriver]://[Hostname]:[Port];DatabaseName=[DBName]<br />
Example:<br />
jdbc:sqlserver://<br />
dbsrv.company.com:1433;DatabaseName=spotfire_server;selectMethod=cursor<br />
Note: Due to a restriction in the native Microsoft SQL <strong>Server</strong> driver, you may need to<br />
add the option responseBuffering=adaptive to your connection string. This is<br />
necessary if you are going to store large analysis files in the library.<br />
Example using Integrated Authentication:<br />
jdbc:sqlserver://<br />
dbsrv.company.com:1433;DatabaseName=spotfire_server;selectMethod=cursor;integratedSecur<br />
ity=true;<br />
Note: For integrated authentication to work, you must place the file sqljdbc_auth.dll in<br />
a folder in the system path, such as C:\Windows\System32. This file is included with<br />
the native drivers from Microsoft.<br />
jdbc:sqlserver://<br />
dbsrv.company.com:1433;databaseName=spotfire_server;selectMethod=cursor;responseBufferi<br />
ng=adaptive<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 141 (144)
Technical Reference<br />
jTDS (Native Driver, jtds.jar)<br />
jdbc:jtds:sqlserver://[Hostname]:[Port]/[DatabaseName]<br />
Example:<br />
jdbc:jtds:sqlserver://dbsrv.company.com:1433/spotfire_server<br />
Microsoft SQL <strong>Server</strong> with Named Instance<br />
If your database server uses a named Instance, you must add an option to the end of<br />
the connection string to identify it. Note that this option is not limited to the jTDS<br />
driver. You can add this option regardless of what driver you are using.<br />
jdbc:jtds:sqlserver://[Hostname]:[Port]/[DatabaseName];instance=[InstanceName]<br />
Example:<br />
jdbc:jtds:sqlserver://dbsrv.company.com:1433/spotfire_server;instance=FirstInstance<br />
Note: To use other drivers than the DataDirect ones, you need to install them onto each<br />
<strong>Spotfire</strong> <strong>Server</strong>. Refer to the section “Database Drivers” on page 47 for more<br />
information about this.<br />
142 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>
Uninstall<br />
12 Uninstall<br />
12.1 <strong>Server</strong> Software Uninstall<br />
For uninstall purposes, an uninstall application is created automatically upon<br />
installation. This application is found in the directory<br />
/installer/uninstaller> and is called Uninstall <strong>TIBCO</strong><br />
<strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>.exe or Uninstall <strong>TIBCO</strong> <strong>Spotfire</strong> <strong>Server</strong> <strong>3.2.2</strong>.bin. Run this<br />
application and follow the directions.<br />
On Solaris, Red Hat, and SUSE systems, you must also remove the startup script<br />
/etc/init.d/tss manually (if you have installed it).<br />
Note: In Windows, it is also possible to start the uninstall application using “Programs<br />
and Features” found in the Control Panel.<br />
If you have placed any additional files in the installation directory or any of its<br />
subfolders, such as <strong>Spotfire</strong> Library export files, you should move these files to a<br />
secure location before uninstalling.<br />
If you have performed a restore from a backup of the <strong>Spotfire</strong> <strong>Server</strong> using the<br />
instructions in the section “Technical Reference” on page 131, there is no Uninstall<br />
application in place. To uninstall <strong>Spotfire</strong> <strong>Server</strong> manually, first remove the Windows<br />
Service, if present, by running the bat file<br />
/tomcat/bin/service.bat remove<br />
Then remove the installation directory. On Solaris, Red Hat, and SUSE systems, you<br />
must also remove the startup script /etc/init.d/tss manually (if you have installed<br />
it).<br />
12.2 Database Removal<br />
In the scripts/oracle_install/utilities and scripts/mssql_install/utilities folders on the<br />
<strong>Spotfire</strong> <strong>Server</strong> installation media, there are a number of scripts that can be used to<br />
remove the <strong>Spotfire</strong> and Demo databases:<br />
Microsoft SQL <strong>Server</strong><br />
• drop_databases.bat. Use this if you are using database authentication with your<br />
Microsoft SQL server.<br />
• drop_databases_ia.bat. Use this if you are using Windows Integrated<br />
Authentication with your Microsoft SQL <strong>Server</strong>.<br />
Oracle<br />
• drop.databases.bat. Use this if your are running Oracle on a Windows server.<br />
• drop_databases.sh. Use this if you are running Oracle on a Unix server.<br />
<strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong> 143 (144)
Uninstall<br />
Before you run it, you must open it in a text editor and edit a number of variables.<br />
These variables are the same that were set during database preparation. See the section<br />
“Prepare the Database” on page 16 for detailed information about these variables.<br />
144 (144) <strong>TIBCO</strong> <strong>Spotfire</strong>® <strong>Server</strong> <strong>3.2.2</strong>