Welcome to the first part of the TIBCO Spotfire Administration Orientation.

In this
presentation, Ill discuss the basics of Spotfire architecture, what the options are for
authenticating with Spotfire, how Spotfire can connect to enterprise data, and the other
Spotfire Server functions.

The Spotfire Server is the heart of every Spotfire implementation. The server provides five
main functions:
It authenticates and authorizes Spotfire users with the help of the Spotfire User
Directory.
Its Information Services serve as the gateway to some of the supported data sources
(well talk more about the options for accessing data later in this presentation).
It provides access to a server-based store of analyses called the Spotfire Library.
It gathers analyzable information on server events, client actions, and server
performance through the Action Logs and System Monitoring function.
And lastly, it distributes updates to the Spotfire Analyst client through its Deployment
Services.

Speaking of clients, lets talk about the various ways that users can connect to Spotfire.
First off, we have Spotfire Analyst (formerly known as Spotfire Professional). Spotfire
Analyst is installed on enterprise users local computers, and is a fully-featured client for
working with data sources and creating complex analyses.
We also have a browser-based client with two licensing options: Consumer or Business
Author. With the Consumer license, users can view interactive analyses. With the Business
Author license, they can also create and edit simple analyses. Browser-based users connect
through the Web Player Server. The Web Player Server then connects to the Spotfire Server,
acting as a client to retrieve analyses and render them in HTML and JavaScript for the
browser.
For mobile users, we have an app for iPads which allows them to view interactive analyses,
again through the Web Player Server. You may have also heard another client mentioned,
Spotfire Desktop. Spotfire Desktop is a standalone version of Spotfire Analyst built for
individual, non-enterprise users who do not have access to a Spotfire Server.

In an enterprise implementation of Spotfire, administrators typically set up a cluster of

Spotfire Servers to support the necessary workload and provide server failover. In this case,
clients access Spotfire through a load balancer.
In the same fashion, you can also have a cluster of Web Player Servers with a load balancer.
Both Spotfire Server and Web Player Server can use any load balancer that supports session
affinity, otherwise known as sticky sessions.

There are two ways organizations can implement Spotfire: with a traditional on-premise
installation, or through our Spotfire Cloud Enterprise offering. Cloud Enterprise gives
organizations a dedicated cloud environment with a complete deployment of the Spotfire
platform.
Ill give you a quick overview of the differences between an on-premise implementation
and Cloud Enterprise now, and in a few slides well have a look at Cloud Enterprise in more
technical detail. Ill also mention variations for Cloud Enterprise as needed when I cover
authentication and connecting to data.
The installation type for on-premise is, of course, a traditional set-up where Spotfire is
installed on the organizations own servers. Cloud Enterprise is a Platform-as-a-Service
offering. One of the biggest advantages of Cloud Enterprise is the time it takes to provision
a new implementation: three to five days, versus two to six months for on-premise. Onpremise customers perform upgrades themselves on their own schedule; Cloud Enterprise
environments are upgraded automatically by Spotfire with the latest versions and the latest
patches.
Lastly, all Cloud Enterprise implementations use the same, best-practices architecture and
have access to the standard client features; on-premise customers are able to customize
their Spotfire architecture and add custom client features using the Spotfire API.

Lets get into a little more technical detail about the Spotfire Server. The server itself is a
web application that runs inside a bundled Apache Tomcat server. Clients communicate
with the server by HTTP or HTTPS. Spotfire Server installers are available for Windows,
Solaris, Red Hat Linux, and SUSE Linux.
The server requires access to a database. This database stores Spotfire meta-data, including
the User Directory and the Library. The supported database types are Oracle 10g or 11g
and Microsoft SQL Server. Remember that the Spotfire Database is separate from the
enterprise data sources used for analysis. Well talk about connecting to enterprise data
later in this presentation.
For detailed and up-to-date information on the supported operating systems and database
types, see the Spotfire Server System Requirements webpage.

Web Player Server is a web application that runs under Microsoft Internet Information
Services, or IIS. As previously discussed, Web Player Server acts as a client of the Spotfire
Server, communicating with it by HTTP or HTTPS.
At this time, Web Player Server can be installed on Windows Server 2012 or Windows
Server 2008. It also requires version 4.5 of the Microsoft .NET Framework.
You can visit the Spotfire System Requirements page for current information on the
supported environments and required software.

Each customer using our Cloud Enterprise offering is given a single-tenant environment
hosted on Amazon Web Services, in what Amazon calls a Virtual Private Cloud, or VPC.
Nothing is shared between environments.
Clients connect to a load balancer in a public subnet by HTTPS. The rest of the Spotfire
implementation is kept in a private subnet that is completely inaccessible to anyone but
Spotfire administrators.
Cloud Enterprise environments include Spotfire Server, Web Player Server, Automation
Services, Statistics Services, and Advanced Data Services. Well talk more about those
products in Part 2 of this orientation.
Connections are made to enterprise data using IPSec tunnels to ensure data security.
Because Cloud Enterprise implementations exist outside of an organizations firewall,
customers have the opportunity to easily collaborate with partner organizations, such as
suppliers or retailers, on data analysis. Partners can be given the ability to view certain
analyses through Spotfire Consumer and connections to partner data can be added to the
implementation.

In this section, well have a closer look at the options you have for configuring
authentication and authorization in a Spotfire environment.

In case youre not familiar with these terms, heres a quick explanation. When users log in
to a server, there are two things that happen before they get access. The first is
authentication. Authentication is the process of validating users identities do we know
who a user is? Once we are confident users are who they say they are, we move on to
authorization. Authorizing users determines what their access rights are within a system
in other words, what theyre allowed to do.

10

Your options for authentication in Spotfire depend on which client is being used. Spotfire
Analyst users can authenticate with the Spotfire Server either by using a username and
password, or through single sign-on.
If a username and password is used, it can be checked against the internal Spotfire User
Directory, a custom Java Authentication and Authorization Service module, or the most
common option an external LDAP directory. Spotfire has built-in support for Microsoft
Active Directory and the Directory Server product family, which includes Oracle Directory
Server, Sun Java Directory Server, and Sun ONE Directory Server. Other LDAP servers can
also be used.
For single sign-on, Spotfire supports NTLM, Kerberos, and X.509 Certificates.
Our Cloud Enterprise offering is configured to be able to use the Spotfire User Directory or
an external LDAP server immediately. With some assistance from our Professional Services
Group, Cloud Enterprise customers can also use any of the other methods.

11

Web clients log in to the Web Player Server, which then passes their authentication through
to the Spotfire Server. Here are the four basic options for authentication. The first is using a
username and password. The users credentials are passed along to the Spotfire Server,
which verifies them the same way its configured to verify Spotfire Analyst users. This is the
default authentication method.
The second option is Integrated Windows Authentication. In this case, users who have
logged in to the appropriate Windows Domain will not be prompted for a username and
password. Their Windows credentials will be passed along automatically to the Web Player
Server and the Spotfire Server.
Third, you can use X.509 certificates. With this option, when users access the Web Player
Server, they are automatically logged on using a client certificate stored on their local
machine. The certificate is then passed to the Spotfire Server, which must be configured to
be able to authenticate client certificates.
Lastly, you can allow all users anonymous access to the Web Player Server. In that case, a
preconfigured Spotfire user identity is used to authenticate with the Spotfire Server. All
web users will appear to be the same single user on the Spotfire Server. Keep in mind that
this is a simplified view of the options; for more information, see the Spotfire Web Player
Installation and Configuration Manual, Pre-Installation Planning, Authentication
Alternatives.

12

Authentication methods for the iPad app are limited to username and password or
Integrated Windows Authentication using NTLM.

13

Regardless of how the Spotfire clients were authenticated, the process of authorization is
the same. The Spotfire Server checks the Spotfire User Directory to determine users
privileges, which control which functions and analyses they can access within Spotfire.
Optionally, the user and group accounts in the Spotfire User Directory can be configured to
be synchronized from an external LDAP directory. Spotfire supports the same LDAP servers
for directory synchronization as it does for authentication.

14

Now lets have a look at the various ways Spotfire can connect to enterprise data.

15

The basic Spotfire environment provides three ways for clients to connect to data: opening
a local file, using a native Spotfire connector, or connecting through the Information
Services function of the Spotfire Server. Analysts can combine data from multiple sources in
a single Spotfire analysis.
Cloud Enterprise customers can use all the same data sources and connection methods as
we support in on-premise installations, although our Professional Services Group may need
to be involved in order to set up secure connections.
Well talk about each of these three methods in more depth on the following slides.

16

Spotfire Analyst users can open any file that can be accessed from their local machine or
network for analysis. Business Author users can upload files to the Web Player Server to
use in their analyses.
These are some of the file types Spotfire supports: Microsoft Excel workbooks, text files
with comma-separated values, Microsoft Access databases, and SAS data files. For the full
list, see the Spotfire Data Sources page.

17

Spotfire native connectors provide a mechanism for Spotfire clients to make a direct
connection with enterprise data. Analysts can choose to load the entire raw data set in the
memory of the client or only retrieve aggregated results and make new queries as needed
for more detail.
Spotfire has a long list of native connectors, with more being added with every release. Our
current offerings including connectors for Apache Hive, Cloudera Impala, Hortonworks Data
Platform, Microsoft SQL Server, Oracle and Oracle Exadata, Pivotal, PostgreSQL, Teradata
and Teradata Aster, SAP BW, and SAP HANA.
For a detailed up-to-date list, see the Spotfire Data Connectors System Requirements page.

18

Using the Spotfire Servers Information Services is another option for connecting to
enterprise data. In this case, the Spotfire Server makes connections to data sources on the
clients behalf using information links saved in the Spotfire Library. The raw data sets are
loaded into the servers memory.
The data sources available out of the box are Oracle, Microsoft SQL Server, Teradata,
Sybase, SAS/Share, MySQL, and DB2. On-premise customers can also add custom JDBC
source types.
For the list of data sources and more details on how to configure them, see the Spotfire
Server Installation and Configuration Manual and have a look at the Data Source Templates
section of the Advanced Procedures chapter.

19

Along with the three methods for accessing data that Spotfire provides out of the box,
organizations can also implement an add-on product called Spotfire Advanced Data
Services, or ADS.
In an environment that includes ADS, clients can use a native connector or Information
Services to connect to an ADS server. ADS then connects to the data source and returns the
required data to Spotfire. Looking behind the scenes, ADS is actually an implementation of
a third-party product called Cisco Information Server, formerly known as Composite
Information Server.
ADS offers the ability to create complex data models and connect to data sources that
Spotfire doesnt currently support. ADS can connect to dozens of data source types,
including web services, Salesforce, Cloudera CDH4, XML files, Siebel, and Informix. For the
full list, look for the latest Cisco Information Server datasheet on Ciscos Data Virtualization
site.

20

Once data has been brought into Spotfire, there are a number of options for how it is
handled.
The default option is for data tables to be linked to the original source. The data will be
reloaded automatically when the analysis is opened, which requires all viewers to have
access to the data source.
Alternatively, data that was loaded in the memory of the Spotfire client or server can be
embedded in the analysis. In this case, the data will not be reloaded when the analysis is
opened. Viewers can choose to refresh the data manually if they have access to the data
source.
Lastly, all or part of the data set can be saved to the Spotfire Library or exported as a file for
use in other analyses (you can also save the entire analysis, of course!). Analysts can select
different options for the various data tables in an analysis.

21

So far in this presentation, Ive talked in detail about two of the functions of the Spotfire
Server: authentication and Information Services. Ill now briefly discuss the other functions
I mentioned earlier: Deployment Services, the Spotfire Library, and the Action Logs and
System Monitoring feature.

22

The Deployments Services function helps administrators keep Spotfire Analyst clients up to
date.
The Spotfire Server hosts the current set of packages that make up the Spotfire Analyst
client, along with a manifest listing them. When Analyst users log in, their local manifest is
checked against the server manifest. If their clients are out of date, users are prompted to
accept an update. Administrators can also choose to force particular deployments, in which
case users will not see a prompt and their clients will be updated automatically.
Deployment Services can be used to add new client packages, update existing ones to a
newer or older version, or even remove packages.
Administrators can create multiple deployment areas, such as Production and Staging.
This allows administrators to test new deployments before rolling them out to the entire
client base or maintain different deployments for different groups of users.
The Deployment Services function is also used to keep the Web Player Server up to date.

23

As mentioned earlier, the Spotfire database contains the Spotfire Library. The Library is
accessible to Spotfire Analyst, browser, and mobile users through the Spotfire Server,
allowing them to easily share and reuse their work.
It stores Spotfire analyses, Spotfire data files, custom Spotfire data functions, Information
Links, shared connections created with Spotfire native connectors, and visualization color
schemes.
The Library is organized into hierarchical folders, which are also used to control access to
folder content.

24

The Action Logs and System Monitoring feature helps administrators keep an eye on the
health of their Spotfire implementation.
The action logs collect information about system events that is sent through a web service
from Spotfire Analyst, Automation Services, and Web Player Server to the Spotfire Server.
These event logs, along with those from the Spotfire Server itself, can be saved either to
files or in a database.
System monitoring takes periodic snapshots of key metrics on the Spotfire Server and Web
Player Server and stores this information in the same location as the action logs. The logs
can then be analyzed in Spotfire.
Administrators have many options for how to configure this feature, including which events
and system statistics should be logged, from which hosts logging information will be
collected, and how the logs are pruned or archived.
This feature is disabled by default to avoid logs accumulating without administrator
oversight.

25

This concludes the first part of our Spotfire Administration Orientation, which covered the
basics of Spotfire architecture. In the second presentation, Ill talk about the other TIBCO
products you can add to enhance a Spotfire implementation.
For more detail on the topics in this presentation, please see the following courses: SP301
TIBCO Spotfire Administration Essentials I, SP302 TIBCO Spotfire Administration Essentials
II, SP311 TIBCO Spotfire Information Services, and SP312 TIBCO Spotfire Connecting to Big
Data.

26