Admin Orientation - Part 1

Upload: murugesh

Post on 20-Dec-2015

DESCRIPTION

Spotfire Admin Orientation - Part 1

TRANSCRIPT

Page 1: Admin Orientation - Part 1

Welcome to the first part of the TIBCO Spotfire Administration Orientation. In this presentation, I’ll discuss the basics of Spotfire architecture, what the options are for authenticating with Spotfire, how Spotfire can connect to enterprise data, and the other Spotfire Server functions.

Page 2: Admin Orientation - Part 1

The Spotfire Server is the heart of every Spotfire implementation. The server provides five main functions:

• It authenticates and authorizes Spotfire users with the help of the Spotfire User Directory.
• Its Information Services serve as the gateway to some of the supported data sources (we’ll talk more about the options for accessing data later in this presentation).
• It provides access to a server-based store of analyses called the Spotfire Library.
• It gathers analyzable information on server events, client actions, and server performance through the Action Logs and System Monitoring function.
• And lastly, it distributes updates to the Spotfire Analyst client through its Deployment Services.

Page 3: Admin Orientation - Part 1

Speaking of clients, let’s talk about the various ways that users can connect to Spotfire. First off, we have Spotfire Analyst (formerly known as Spotfire Professional). Spotfire Analyst is installed on enterprise users’ local computers, and is a fully-featured client for working with data sources and creating complex analyses.

We also have a browser-based client with two licensing options: Consumer or Business Author. With the Consumer license, users can view interactive analyses. With the Business Author license, they can also create and edit simple analyses. Browser-based users connect through the Web Player Server. The Web Player Server then connects to the Spotfire Server, acting as a client to retrieve analyses and render them in HTML and JavaScript for the browser.

For mobile users, we have an app for iPads which allows them to view interactive analyses, again through the Web Player Server. You may have also heard another client mentioned, Spotfire Desktop. Spotfire Desktop is a standalone version of Spotfire Analyst built for individual, non-enterprise users who do not have access to a Spotfire Server.

Page 4: Admin Orientation - Part 1

In an enterprise implementation of Spotfire, administrators typically set up a cluster of Spotfire Servers to support the necessary workload and provide server failover. In this case, clients access Spotfire through a load balancer.

In the same fashion, you can also have a cluster of Web Player Servers with a load balancer. Both Spotfire Server and Web Player Server can use any load balancer that supports session affinity, otherwise known as sticky sessions.

Page 5: Admin Orientation - Part 1

There are two ways organizations can implement Spotfire: with a traditional on-premise installation, or through our Spotfire Cloud Enterprise offering. Cloud Enterprise gives organizations a dedicated cloud environment with a complete deployment of the Spotfire platform.

I’ll give you a quick overview of the differences between an on-premise implementation and Cloud Enterprise now, and in a few slides we’ll have a look at Cloud Enterprise in more technical detail. I’ll also mention variations for Cloud Enterprise as needed when I cover authentication and connecting to data.

The installation type for on-premise is, of course, a traditional set-up where Spotfire is installed on the organization’s own servers. Cloud Enterprise is a Platform-as-a-Service offering. One of the biggest advantages of Cloud Enterprise is the time it takes to provision a new implementation: three to five days, versus two to six months for on-premise. On-premise customers perform upgrades themselves on their own schedule; Cloud Enterprise environments are upgraded automatically by Spotfire with the latest versions and the latest patches.

Lastly, all Cloud Enterprise implementations use the same, best-practices architecture and have access to the standard client features; on-premise customers are able to customize their Spotfire architecture and add custom client features using the Spotfire API.

Page 6: Admin Orientation - Part 1

Let’s get into a little more technical detail about the Spotfire Server. The server itself is a web application that runs inside a bundled Apache Tomcat server. Clients communicate with the server by HTTP or HTTPS. Spotfire Server installers are available for Windows, Solaris, Red Hat Linux, and SUSE Linux.

The server requires access to a database. This database stores Spotfire meta-data, including the User Directory and the Library. The supported database types are Oracle 10g or 11g and Microsoft SQL Server. Remember that the Spotfire Database is separate from the enterprise data sources used for analysis. We’ll talk about connecting to enterprise data later in this presentation.

For detailed and up-to-date information on the supported operating systems and database types, see the Spotfire Server System Requirements webpage.

Page 7: Admin Orientation - Part 1

Web Player Server is a web application that runs under Microsoft Internet Information Services, or IIS. As previously discussed, Web Player Server acts as a client of the Spotfire Server, communicating with it by HTTP or HTTPS.

At this time, Web Player Server can be installed on Windows Server 2012 or Windows Server 2008. It also requires version 4.5 of the Microsoft .NET Framework.

You can visit the Spotfire System Requirements page for current information on the supported environments and required software.

Page 8: Admin Orientation - Part 1

Each customer using our Cloud Enterprise offering is given a single-tenant environment hosted on Amazon Web Services, in what Amazon calls a Virtual Private Cloud, or VPC. Nothing is shared between environments.

Clients connect to a load balancer in a public subnet by HTTPS. The rest of the Spotfire implementation is kept in a private subnet that is completely inaccessible to anyone but Spotfire administrators.

Cloud Enterprise environments include Spotfire Server, Web Player Server, Automation Services, Statistics Services, and Advanced Data Services. We’ll talk more about those products in Part 2 of this orientation.

Connections are made to enterprise data using IPSec tunnels to ensure data security.

Because Cloud Enterprise implementations exist outside of an organization’s firewall, customers have the opportunity to easily collaborate with partner organizations, such as suppliers or retailers, on data analysis. Partners can be given the ability to view certain analyses through Spotfire Consumer and connections to partner data can be added to the implementation.

Page 9: Admin Orientation - Part 1

In this section, we’ll have a closer look at the options you have for configuring authentication and authorization in a Spotfire environment.

Page 10: Admin Orientation - Part 1

In case you’re not familiar with these terms, here’s a quick explanation. When users log in to a server, there are two things that happen before they get access. The first is authentication. Authentication is the process of validating users’ identities – do we know who a user is? Once we are confident users are who they say they are, we move on to authorization. Authorizing users determines what their access rights are within a system – in other words, what they’re allowed to do.

Page 11: Admin Orientation - Part 1

Your options for authentication in Spotfire depend on which client is being used. Spotfire Analyst users can authenticate with the Spotfire Server either by using a username and password, or through single sign-on.

If a username and password are used, they can be checked against the internal Spotfire User Directory, a custom Java Authentication and Authorization Service module, or – the most common option – an external LDAP directory. Spotfire has built-in support for Microsoft Active Directory and the Directory Server product family, which includes Oracle Directory Server, Sun Java Directory Server, and Sun ONE Directory Server. Other LDAP servers can also be used.

For single sign-on, Spotfire supports NTLM, Kerberos, and X.509 Certificates.

Our Cloud Enterprise offering is configured to be able to use the Spotfire User Directory or an external LDAP server immediately. With some assistance from our Professional Services Group, Cloud Enterprise customers can also use any of the other methods.

Page 12: Admin Orientation - Part 1

Web clients log in to the Web Player Server, which then passes their authentication through to the Spotfire Server. Here are the four basic options for authentication. The first is using a username and password. The user’s credentials are passed along to the Spotfire Server, which verifies them the same way it’s configured to verify Spotfire Analyst users. This is the default authentication method.

The second option is Integrated Windows Authentication. In this case, users who have logged in to the appropriate Windows Domain will not be prompted for a username and password. Their Windows credentials will be passed along automatically to the Web Player Server and the Spotfire Server.

Third, you can use X.509 certificates. With this option, when users access the Web Player Server, they are automatically logged on using a client certificate stored on their local machine. The certificate is then passed to the Spotfire Server, which must be configured to be able to authenticate client certificates.

Lastly, you can allow all users anonymous access to the Web Player Server. In that case, a preconfigured Spotfire user identity is used to authenticate with the Spotfire Server. All web users will appear to be the same single user on the Spotfire Server. Keep in mind that this is a simplified view of the options; for more information, see the Spotfire Web Player Installation and Configuration Manual, Pre-Installation Planning, Authentication Alternatives.

Page 13: Admin Orientation - Part 1

Authentication methods for the iPad app are limited to username and password or Integrated Windows Authentication using NTLM.

Page 14: Admin Orientation - Part 1

Regardless of how the Spotfire clients were authenticated, the process of authorization is the same. The Spotfire Server checks the Spotfire User Directory to determine users’ privileges, which control which functions and analyses they can access within Spotfire.

Optionally, the user and group accounts in the Spotfire User Directory can be configured to be synchronized from an external LDAP directory. Spotfire supports the same LDAP servers for directory synchronization as it does for authentication.

Page 15: Admin Orientation - Part 1

Now let’s have a look at the various ways Spotfire can connect to enterprise data.

Page 16: Admin Orientation - Part 1

The basic Spotfire environment provides three ways for clients to connect to data: opening a local file, using a native Spotfire connector, or connecting through the Information Services function of the Spotfire Server. Analysts can combine data from multiple sources in a single Spotfire analysis.

Cloud Enterprise customers can use all the same data sources and connection methods as we support in on-premise installations, although our Professional Services Group may need to be involved in order to set up secure connections.

We’ll talk about each of these three methods in more depth on the following slides.

Page 17: Admin Orientation - Part 1

Spotfire Analyst users can open any file that can be accessed from their local machine or network for analysis. Business Author users can upload files to the Web Player Server to use in their analyses.

These are some of the file types Spotfire supports: Microsoft Excel workbooks, text files with comma-separated values, Microsoft Access databases, and SAS data files. For the full list, see the Spotfire Data Sources page.

Page 18: Admin Orientation - Part 1

Spotfire native connectors provide a mechanism for Spotfire clients to make a direct connection with enterprise data. Analysts can choose to load the entire raw data set in the memory of the client or only retrieve aggregated results and make new queries as needed for more detail.

Spotfire has a long list of native connectors, with more being added with every release. Our current offerings include connectors for Apache Hive, Cloudera Impala, Hortonworks Data Platform, Microsoft SQL Server, Oracle and Oracle Exadata, Pivotal, PostgreSQL, Teradata and Teradata Aster, SAP BW, and SAP HANA.

For a detailed up-to-date list, see the Spotfire Data Connectors System Requirements page.

Page 19: Admin Orientation - Part 1

Using the Spotfire Server’s Information Services is another option for connecting to enterprise data. In this case, the Spotfire Server makes connections to data sources on the clients’ behalf using information links saved in the Spotfire Library. The raw data sets are loaded into the server’s memory.

The data sources available out of the box are Oracle, Microsoft SQL Server, Teradata, Sybase, SAS/Share, MySQL, and DB2. On-premise customers can also add custom JDBC source types.

For the list of data sources and more details on how to configure them, see the Spotfire Server Installation and Configuration Manual and have a look at the Data Source Templates section of the Advanced Procedures chapter.

Page 20: Admin Orientation - Part 1

Along with the three methods for accessing data that Spotfire provides out of the box, organizations can also implement an add-on product called Spotfire Advanced Data Services, or ADS.

In an environment that includes ADS, clients can use a native connector or Information Services to connect to an ADS server. ADS then connects to the data source and returns the required data to Spotfire. Looking behind the scenes, ADS is actually an implementation of a third-party product called Cisco Information Server, formerly known as Composite Information Server.

ADS offers the ability to create complex data models and connect to data sources that Spotfire doesn’t currently support. ADS can connect to dozens of data source types, including web services, Salesforce, Cloudera CDH4, XML files, Siebel, and Informix. For the full list, look for the latest Cisco Information Server datasheet on Cisco’s Data Virtualization site.

Page 21: Admin Orientation - Part 1

Once data has been brought into Spotfire, there are a number of options for how it is handled.

The default option is for data tables to be linked to the original source. The data will be reloaded automatically when the analysis is opened, which requires all viewers to have access to the data source.

Alternatively, data that was loaded in the memory of the Spotfire client or server can be embedded in the analysis. In this case, the data will not be reloaded when the analysis is opened. Viewers can choose to refresh the data manually if they have access to the data source.

Lastly, all or part of the data set can be saved to the Spotfire Library or exported as a file for use in other analyses (you can also save the entire analysis, of course!). Analysts can select different options for the various data tables in an analysis.

Page 22: Admin Orientation - Part 1

So far in this presentation, I’ve talked in detail about two of the functions of the Spotfire Server: authentication and Information Services. I’ll now briefly discuss the other functions I mentioned earlier: Deployment Services, the Spotfire Library, and the Action Logs and System Monitoring feature.

Page 23: Admin Orientation - Part 1

The Deployment Services function helps administrators keep Spotfire Analyst clients up to date.

The Spotfire Server hosts the current set of packages that make up the Spotfire Analyst client, along with a manifest listing them. When Analyst users log in, their local manifest is checked against the server manifest. If their clients are out of date, users are prompted to accept an update. Administrators can also choose to force particular deployments, in which case users will not see a prompt and their clients will be updated automatically.

Deployment Services can be used to add new client packages, update existing ones to a newer or older version, or even remove packages.

Administrators can create multiple deployment areas, such as “Production” and “Staging”. This allows administrators to test new deployments before rolling them out to the entire client base or maintain different deployments for different groups of users.

The Deployment Services function is also used to keep the Web Player Server up to date.

Page 24: Admin Orientation - Part 1

As mentioned earlier, the Spotfire database contains the Spotfire Library. The Library is accessible to Spotfire Analyst, browser, and mobile users through the Spotfire Server, allowing them to easily share and reuse their work.

It stores Spotfire analyses, Spotfire data files, custom Spotfire data functions, Information Links, shared connections created with Spotfire native connectors, and visualization color schemes.

The Library is organized into hierarchical folders, which are also used to control access to folder content.

Page 25: Admin Orientation - Part 1

The Action Logs and System Monitoring feature helps administrators keep an eye on the health of their Spotfire implementation.

The action logs collect information about system events that is sent through a web service from Spotfire Analyst, Automation Services, and Web Player Server to the Spotfire Server. These event logs, along with those from the Spotfire Server itself, can be saved either to files or in a database.

System monitoring takes periodic snapshots of key metrics on the Spotfire Server and Web Player Server and stores this information in the same location as the action logs. The logs can then be analyzed in Spotfire.

Administrators have many options for how to configure this feature, including which events and system statistics should be logged, from which hosts logging information will be collected, and how the logs are pruned or archived.

This feature is disabled by default to avoid logs accumulating without administrator oversight.

Page 26: Admin Orientation - Part 1

This concludes the first part of our Spotfire Administration Orientation, which covered the basics of Spotfire architecture. In the second presentation, I’ll talk about the other TIBCO products you can add to enhance a Spotfire implementation.

For more detail on the topics in this presentation, please see the following courses: SP301 TIBCO Spotfire Administration Essentials I, SP302 TIBCO Spotfire Administration Essentials II, SP311 TIBCO Spotfire Information Services, and SP312 TIBCO Spotfire Connecting to Big Data.