
Spectrum Spatial Administration Guide - Support


Spectrum™ Technology Platform Version 9.0

Spectrum Spatial Administration Guide

Contents

Chapter 1: Introduction
    Welcome and Overview
Chapter 2: Configuring Your System
    Changing the Default Port Number for Spectrum Spatial
    Changing Your Repository Database
        Set Up a PostgreSQL Repository Database
        Set Up an Oracle Database
    Accessing the Repository using WebDAV
        Reload the Service Configuration using JMX Console
    Uploading and Accessing Resources using Third Party Tools
        Using WebFolders to Access the Repository Resources
        Using DAVExplorer to Access the Repository Resources
    Configuring the Web Services
        About Web Service Configurations
        How to Change Web Service Configuration Settings
    Running Spectrum™ Technology Platform as a Linux Service
        How to Run Spectrum™ Technology Platform as a Linux Service
        PBSpectrum Script
Chapter 3: Managing Security
    Security for the Spectrum™ Technology Platform
        Security Model
        Users
        Roles
        Secured Entity Overrides
    Security for the Location Intelligence Module
        Example: Overriding Permissions at the Role Level
        Example: Overriding Permissions at the User Level
        Creating a Named Resources Administrator
        Creating a Spatial Dataflow Designer
        Turning off Security for Services and the Repository
    Disabling Platform Security Versus Turning Off Spatial Security
    Limiting Server Directory Access
    Configuring HTTPS Communication
Chapter 4: Monitoring Your System
    Event Log
        Viewing the Event Log
        Setting Event Log Options
    Spatial Logging
    Configuring E-mail Notification
    Configuring License Expiration Notification
    Viewing Version Information
    Viewing and Exporting License Information
    Monitoring Performance
    Monitoring Memory Usage
Chapter 5: Managing Memory and Threading
    Introduction to Managing Memory and Threading
    Spectrum Performance Tuning
        JVM Tuning
        Remote Components Configuration
    Increasing Heap Memory for Spatial Components
    Increasing Heap Memory for the Platform
Chapter 6: Load Balancing Spatial Services Tutorial
    About this Tutorial
    Deployment Architecture
    Install Spectrum
    Set Up a Map Image File Share
    Configure Spectrum
        Add the Map File Share to Spectrum
        Modify the Service Configurations
        Modify Java Properties File
        Configure Ports for Multiple Spectrum Instances
    Configure Common Repository
        Bulk Export Using WebDAV
        Set Up the Common Repository Database
        Import the Repository Content
    Shared Spectrum Local Data
    Performance Tuning
    Set Up Load Balancer
Chapter 7: Troubleshooting Your System
    Rebuilding a Corrupt Repository Index
    Monitoring Memory Usage of a Non-Responsive Server
Chapter 8: Appendix - Managing Security with the User Management Service
    Introduction
        What Is the User Management Service?
        Service URL Formats
        Creating and Managing Users For Spectrum™ Technology Platform
        Rules Using the User Management Service SOAP Interface
    Managing Users
        Starting the Management Console
        Enabling User Permissions For Consoles
        Managing User Accounts
    Setting User Permissions
        GetPermissionsRequest
        SetPermissionsRequest
        AddPermissionsRequest
        RemovePermissionsRequest

Chapter 1: Introduction

In this section:
• Welcome and Overview

Welcome and Overview

Welcome to the Spectrum Spatial Administration Guide. This guide will help you build a web mapping application or embed mapping in an existing application using a variety of web services, capabilities, tools and sample code.
Addressed in this guide are:
• Configuring your system by changing the default port number or repository database; accessing the repository; accessing and uploading resources; configuring web services; and running Spectrum™ Technology Platform as a Linux service
• Managing security using the Management Console, including how to add users and roles, as well as how to apply security entity overrides
• Monitoring your system, including logging, viewing version and license information, using the JMX Console to monitor performance, and monitoring memory usage
• Managing memory and threading, including JVM performance tuning, adjusting pool size, and increasing heap memory
• Load balancing spatial services for resilience or high capacity
• Troubleshooting your system, including rebuilding a corrupt repository index and monitoring memory usage of a non-responsive server
• Managing security using the User Management Service (deprecated for the next release)

Additional Spectrum™ Technology Platform and Location Intelligence Module documentation is located online at support.pb.com.

Chapter 2: Configuring Your System

In this section:
• Changing the Default Port Number for Spectrum Spatial
• Changing Your Repository Database
• Accessing the Repository using WebDAV
• Uploading and Accessing Resources using Third Party Tools
• Configuring the Web Services
• Running Spectrum™ Technology Platform as a Linux Service

Changing the Default Port Number for Spectrum Spatial

After you install the Spectrum™ Technology Platform, you can change the default port settings that were assigned during installation by manually editing the global, startup, and individual service configuration files (particularly the port of the repository).

There are several reasons for needing to change the default port number:
• Currently, the silent installer for Spectrum does not allow you to specify the port; it can only be specified after the install.
• A port conflict occurs after the install.
• You need a proxy on port 8080 but have a limited number of ports to expose externally, so you would like to move Spectrum without re-creating all your settings and data flows.
• You want to try out a new version of Spectrum without removing your old one. Since you cannot install them both, you can turn off the existing one and put down a Spectrum image which uses a different port.

Note: This task is only for experienced administrators who have application server experience changing port numbers, as network port conflicts can result in module components failing to start up. One indication that a component has failed to start up is if it does not appear in the Management Console. To troubleshoot the problem, look at the Spectrum Spatial server log file. This log shows which port is causing the problem. You can find the Spectrum Spatial Server log file in: [install folder]\server\app\repository\logs\server.log. The install folder default is C:\Program Files\Pitney Bowes\Spectrum.

To change the default port number, you can either copy the entire configuration folder and then edit the files locally, or you can edit the configuration files in place. If you copy locally, you cannot put the configuration folder back while the server is running; you must restart all the Spatial services after making the changes.
If you edit in place, you do not need to stop the server; however, the changes will not take effect until you restart the server.

The following network ports are used by default:

| Port | Property | Description |
|---|---|---|
| 2424-2430 | spectrum.orientdb.binary.port | This port is used by the Spectrum™ Technology Platform server's internal configuration database. |
| 2434 | spectrum.orientdb.hazelcast.port | This port is used by the Spectrum™ Technology Platform server's internal configuration database. |
| 2480-2486 | spectrum.orientdb.http.port | This port is used by the Spectrum™ Technology Platform server's internal configuration database. |
| 5701 | spectrum.hazelcast.port | This port is used by Hazelcast for managing distributed processing between Spectrum™ Technology Platform servers in a cluster. |
| 8080 | spectrum.http.port | The port used for communication between the server and Enterprise Designer, Management Console, and Interactive Driver. This port is also used by web services. |
| 10119 | spectrum.socketgateway.port | This port is used for API calls made to services. |

To change the default port number, with Spectrum™ Technology Platform running:
1. Decide whether to edit a local copy of the configuration files or in place. If you are going to edit the configuration files locally, use WebDAV to copy the Configuration folder from the repository to a local disk.
2. Edit all the configuration files (either in place or in a local copy) by changing all the ports.
   Note: There are other ports besides the repository port (for example, where the map images get accessed, the access port for WMS, WFS, and CSW). Change all references to the new port.
3. Stop the Spectrum server (via the tray control or services.msc).
4. Update the spectrum-container.properties file in [install folder]\server\app\conf (for example, C:\Program Files\Pitney Bowes\Spectrum\server\app\conf):

       # Server ports
       spectrum.http.port=8080

5. Update the java.properties file for Spatial in [install folder]\server\modules\spatial (for example, C:\Program Files\Pitney Bowes\Spectrum\server\modules\spatial). Change all references to port numbers for each service.
6. Restart Spectrum.
   • If you edited the configuration files in place, everything should be working.
   • If you edited locally, Spectrum should be working but not much of Spectrum Spatial will be working, since all the repository URL ports have the old values.
     1. Copy in the entire Configuration folder or its files from the local copy to the Configuration folder of the repository via WebDAV.
     2. Restart the Spatial services via JMX (one by one) or restart the server.

Changing Your Repository Database

Spectrum stores named resources (maps, layers, tables and styles), geographic metadata and configuration in a repository. In the default single server installation an embedded database is used to store these resources on the local server.

There are several reasons you may need to use a database other than the embedded Derby database:
• To create a scalable solution that uses a resilient independent database.
• To use an in-house database preferred or dictated by your company.

In this release, Spectrum supports Oracle, PostgreSQL (PostGIS) and Microsoft SQL Server as repository databases.

Set Up a PostgreSQL Repository Database

These steps describe how to set up your repository on a PostgreSQL database:
1. Copy all resources to a local folder using WebDAV.
2. Back up the folder //server/modules/spatial/jackrabbit to a local directory or disk.
3. Stop Spectrum.
4. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected database. Copy the //server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to //server/app/lib/postgresql-8.4-701.jdbc4.jar.
5. Edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make:
   a) Modify the two FileSystem sections within the Repository and Workspace sections of the file:
   b) Modify the Persistence Manager within the Workspace:
   c) Enable Clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds.
   d) Comment out the DataStore section:
6. Restore the resources by copying them from the local folder into the Repository using WebDAV.
7. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance of Spectrum: repository, version, workspaces.
8. If your PostgreSQL database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database:
   public.default_names_id_seq
   public.default_binval
   public.default_bundle
   public.default_names
   public.default_refs
   public.rep_fsentry
   public.rep_global_revision
   public.rep_journal
   public.rep_local_revisions
   public.security_binval
   public.security_bundle
   public.security_names
   public.security_refs

Set Up an Oracle Database

These steps describe how to set up your repository on an Oracle database:
1. Copy all resources to a local folder using WebDAV.
2. Back up the folder //server/modules/spatial/jackrabbit to a local directory or disk.
3. Stop Spectrum.
4. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected database. Copy the //server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to //server/app/lib/postgresql-8.4-701.jdbc4.jar.
5. Edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make:
   a) Modify the two FileSystem sections within the Repository and Workspace sections of the file:
   b) Modify the Persistence Manager within the Workspace:
   c) Enable Clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds.
   d) Comment out the DataStore section:
6. Restore the resources by copying them from the local folder into the Repository using WebDAV.
7. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance of Spectrum: repository, version, workspaces.
8. If your Oracle database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database:
   public.default_names_id_seq
   public.default_binval
   public.default_bundle
   public.default_names
   public.default_refs
   public.rep_fsentry
   public.rep_global_revision
   public.rep_journal
   public.rep_local_revisions
   public.security_binval
   public.security_bundle
   public.security_names
   public.security_refs

Accessing the Repository using WebDAV

Configuration files are pre-loaded in the repository for each service. These configuration files are located at http://localhost:8080/RepositoryService/repository/default/Configuration/.
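
One way to carry out the "Change all references to the new port" check from the port-change procedure above, run against a local copy of the Configuration folder and the two properties files. This is an added example, not code from the guide: the XML file name, element names and the java.properties key in the sample are constructed, and the set of file suffixes is an assumption.

```python
"""Added example: list leftover references to an old port in copied config files."""
import re
import tempfile
from pathlib import Path

# File types treated as configuration text (an assumption; extend as needed).
CONFIG_SUFFIXES = {".properties", ".xml"}

# Constructed sample tree. spectrum-container.properties and java.properties are
# named in the guide; the XML file, its elements and the property key are made up.
SAMPLE_FILES = {
    "conf/spectrum-container.properties":
        "# Server ports\nspectrum.http.port=9090\n",
    "spatial/java.properties":
        "# previously example.repository.url=http://localhost:8080/\n"
        "example.repository.url=http://localhost:8080/RepositoryService/repository/default/\n",
    "Configuration/ExampleServiceConfiguration.xml":
        "<Config>\n"
        "  <RepositoryURL>http://localhost:8080/RepositoryService/repository/default/</RepositoryURL>\n"
        "  <MaxFeatures>18080</MaxFeatures>\n"
        "</Config>\n",
}


def port_regex(port):
    """Match `port` only where it is used as a port or a property value:
    after ':' (host:port in a URL) or '=' (key=value), and never as part of
    a longer number such as 18080 or 80801."""
    return re.compile(r"[:=]\s*%d(?!\d)" % int(port))


def scan_text(text, port):
    """Return [(line_number, stripped_line)] for non-comment lines that use `port`."""
    rx = port_regex(port)
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "!")):  # .properties comment lines
            continue
        if rx.search(stripped):
            hits.append((number, stripped))
    return hits


def scan_tree(root, port):
    """Walk `root` and return sorted [(relative_path, line_number, line)]."""
    root = Path(root)
    found = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CONFIG_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        found.extend((rel, number, line) for number, line in scan_text(text, port))
    return sorted(found)


def write_sample(root):
    """Write the constructed sample files under `root`."""
    for rel, text in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    # In the sample, the HTTP port was moved to 9090 but two files still say 8080.
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for rel, number, line in scan_tree(tmp, 8080):
            print(f"{rel}:{number}: {line}")
```

An empty result for the old port, and the expected hits for the new one, is the state to reach before copying the folder back and restarting the services.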
To configure the services, you must use a WebDAV protocol tool to access the JCR repository, make changes to the configuration file, and reload the configuration using the JMX Console. There are many tools available to accomplish the WebDAV connection tasks. We have provided examples using WebFolders and DAVExplorer.

Reload the Service Configuration using JMX Console

Once you have modified a service configuration, you must reload the configuration in the repository using the JMX Console. The JMX Console allows you to reload and administer a service without having to restart the application container.

To reload the service configuration:
1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/
2. Under the Domain: Spatial section, select the administration link for the service. For example, Spatial:name=Administration,type=WMS Service.
3. Click the Invoke button for the reloadConfiguration operation. You will get a message on the status of the invocation.

Uploading and Accessing Resources using Third Party Tools

Named resource files are stored in the repository. A number of sample files that ship with Spectrum™ Technology Platform are located at http://localhost:8080/RepositoryService/repository/default/Samples under a particular folder. For example:
• NamedLayers
• NamedMaps
• NamedStyles
• NamedTables
• NamedTiles

For your own named resources, you can create any folder name you wish. You can access these files manually using a WebDAV compliant tool. This section describes the manual method.

To access resources manually, you must use a WebDAV protocol tool to access the JCR repository. There are many tools available to add and access resources in the repository using WebDAV. We have provided two examples:

Using WebFolders to Access the Repository Resources

To add or modify a resource, you must copy the resource to or from the repository using a WebDAV tool.
Using WebFolders is an easy way to access the repository and the resources contained in the repository.

Note: WebFolders is for Windows machines only. To access the repository, you must be on the same machine where Spectrum™ Technology Platform and the repository are installed.

To configure a WebFolder on Windows 7:
1. Using Windows Explorer, select Map Network Drive...
2. In the pop-up window, click on the link 'Connect to a website...' to open the Add Network Location Wizard.
3. Click Next and select Choose a custom network location. Click Next.
4. In the Internet or network address field add the repository URL; for example, http://localhost:8080/RepositoryService/repository/default/. Click Next.
5. Enter your credentials (username and password) if you are prompted for them.
6. Give this connection a name; for example, Spectrum Spatial Repository. Click Next.

Once finished, you will have a folder connection to the contents of the repository under your network places. The WebFolder connection to the repository can be used like any other Windows Explorer folder.

Using DAVExplorer to Access the Repository Resources

To add or modify a resource, you must copy the resource to or from the repository using a WebDAV tool. Using DAVExplorer is an easy way to access the repository and the resources contained in the repository. DAVExplorer is a freely available WebDAV client application. This software is available from http://www.davexplorer.org.

Note: DAVExplorer is for Windows machines only. To access the repository, you must be on the same machine where Spectrum™ Technology Platform and the repository are installed.

To get or add resources from the repository using DAVExplorer, use the following instructions:

Getting Resources From the Repository Using DAVExplorer

Use the following steps to get resources from the repository using DAVExplorer:
1. Open DAVExplorer.
2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the Connect button. For example, enter localhost:8080/RepositoryService/repository/default/. (Note that DAVExplorer prepends http:// automatically.) If prompted, enter the admin/admin login name and password required to connect to the repository. Once you are connected to the repository, a node for the repository appears in the treeview pane on the left.
3. In the treeview pane on the left, expand the nodes under the repository node until you see the node that contains the type of resource you want to get. For example, if the named resource you want to get is a configuration, expand the repository nodes until you see the Configuration node. Click on the node to select it. The named configuration resources in the repository are then listed in the right pane.
4. In the right pane, click on the resource you want to get. You may click on any of the fields of the named resource to select it.
5. On the File menu, select Get File. The Save As dialog box opens.
6. In the Save As dialog box, enter a name for the named resource definition file and select the directory in which you want to save it, then click the Save button. The selected named resource definition file is saved to the selected file location.
   Note: You should always save the resource under the same name as it appears in the repository. By using this technique, you will never have a conflict when adding the resource back to the repository.

Adding Resources to the Repository Using DAVExplorer

Use the following steps to add resources to the repository using DAVExplorer:
1. Open DAVExplorer.
2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the Connect button. For example, enter localhost:8080/RepositoryService/repository/default/. (Note that DAVExplorer prepends http:// automatically.) If prompted, enter the admin/admin login name and password required to connect to the repository. Once you are connected to the repository, a node for the repository appears in the treeview pane on the left.
3. In the treeview pane on the left, expand the nodes under the repository node until you see the node that corresponds to the type of resource you are adding. For example, if you are adding a configuration resource, expand the repository nodes until you see the Configuration node. Click on the node to select it.
4. On the File menu, select Write File. The Write File dialog box opens.
5. In the Write File dialog box, select the definition file of the resource you want to add to the repository, then click the Open button. The selected resource is added to the repository.

Configuring the Web Services

This section provides information about how to configure the Location Intelligence Module web services.

About Web Service Configurations

You can, and frequently must, explicitly specify the desired behavior of the Location Intelligence Module web services via settings in each web service's configuration file. The configuration file for each web service [1] is held in the Location Intelligence Module repository as a named configuration.

Note: Named configurations are not like other named resources that are held in the repository. You cannot use the Named Resource Service to access named configurations. Instead, you must use a WebDAV tool of your choice, such as DAVExplorer or Windows web folders.

For information about the name and location of each web service's named configuration in the repository, as well as a list of the configuration parameters for each web service, refer to the "Working With Spatial Services" chapter in the Spectrum Spatial Developer Guide.

How to Change Web Service Configuration Settings

To change web service configuration settings:
1. Pull the named configuration file for the web service out of the repository using your favorite WebDAV tool.
   Note: You cannot use the Named Resource Service to extract a named configuration file from the repository.
2. Using a text editor, make any required changes to the named configuration file.
3. Add the named configuration file back into the repository using your favorite WebDAV tool.
   Note: You cannot use the Named Resource Service to add a named configuration file to the repository.
4. Do one of the following to reload the web service configuration:
   • Restart the web service.
   • Use the Spectrum™ Technology Platform JMX Console (available at http://hostname[:portnumber]/jmx-console) to reload the configuration without restarting the web service.

[1] The Geometry Service alone does not have a corresponding named configuration because the Geometry Service has no configurable settings.

Running Spectrum™ Technology Platform as a Linux Service

This tutorial will show you the steps you need to follow to run Spectrum™ Technology Platform as a Linux service.

How to Run Spectrum™ Technology Platform as a Linux Service

These instructions describe how to run the Spectrum™ Technology Platform as a Linux service.
1. Modify the provided pbspectrum script, which is located here: PBSpectrum Script.
   a) Modify the chkconfig parameter at line #5. By default this parameter is:

          # chkconfig: 35 90 10

      The first value (35) is the runlevel. Use 'man init' for more information.
      The second value (90) is the start priority.
      The third value (10) is the stop priority.

      Start and stop priority should be set according to the dependent services. For example, if Oracle Server is running on the same machine and is used by Spectrum™ Technology Platform then the Spectrum™ Technology Platform starting priority should be less than the Oracle Service and stopping priority should be higher than the Oracle service. Use 'man chkconfig' for more information.
   b) Modify the SPECTRUM_ROOT variable at line #11 with your Spectrum™ Technology Platform installation directory.
2. Copy the modified pbspectrum script to either /etc/rc.d/init.d for RedHat Linux or /etc/init.d for Suse Linux.
3. Change the mode of the pbspectrum script to executable. Run cd /etc/init.d or cd /etc/rc.d/init.d depending on your Linux version (/etc/rc.d/init.d for RedHat Linux or /etc/init.d for Suse Linux), then run chmod +x pbspectrum.
4. Run chkconfig --add pbspectrum
5. Verify the script is working by restarting the machine. Use shutdown -r now to reboot from the shell.

Once completed, you may also use the following:
• service pbspectrum start to start Spatial Server
• service pbspectrum stop to stop Spatial Server
• service pbspectrum restart to restart Spatial Server

Note: The provided script runs the command 'ulimit -n 8192', which is required to increase the number of open files in Linux.

PBSpectrum Script

The following script is used as the basis for this procedure: How to Run Spectrum™ Technology Platform as a Linux Service.

    #! /bin/bash
    #
    # pbspectrum    Bring up/down PB Spectrum platform
    #
    # chkconfig: 35 90 10
    # description: Starts and stops the spectrum
    #
    # /etc/rc.d/init.d/pbspectrum
    # See how we were called.

    SPECTRUM_ROOT=/root/PBSpectrum

    start() {
        # Load the platform environment, raise the open-file limit, start the server.
        . "$SPECTRUM_ROOT/server/bin/setup"
        ulimit -n 8192
        "$SPECTRUM_ROOT/server/bin/server.start"
        RETVAL=$?
        return $RETVAL
    }

    stop() {
        . "$SPECTRUM_ROOT/server/bin/setup"
        "$SPECTRUM_ROOT/server/bin/server.stop"
        RETVAL=$?
        return $RETVAL
    }

    # See how we were called.
    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart)
            stop
            start
            ;;
        *)
            echo $"Usage: pbspectrum {start|stop|restart}"
            exit 1
    esac

    exit $RETVAL

Chapter 3: Managing Security

The Location Intelligence Module uses the same role-based security model that is used for the Spectrum™ Technology Platform.
Because security is handled at the platform level, the Management Console can be used to manage all Location Intelligence Module security activities.

In this section:
• Security for the Spectrum™ Technology Platform
• Security for the Location Intelligence Module
• Disabling Platform Security Versus Turning Off Spatial Security
• Limiting Server Directory Access
• Configuring HTTPS Communication

Security for the Spectrum™ Technology Platform

The topics in this section cover the security model and procedures at the platform level that pertain to all modules. See Security for the Location Intelligence Module for additional security information that is specific to the Location Intelligence Module.

Security Model

Spectrum™ Technology Platform uses a role-based security model to control access to the system. The following diagram illustrates the key concepts in the Spectrum™ Technology Platform security model:

A user is an account assigned to an individual person which the person uses to authenticate to Spectrum™ Technology Platform, either to one of the client tools such as Enterprise Designer or Management Console, or when calling a service through the API. A user has one or more roles assigned to it.

A role is a collection of permissions that grant or deny access to different parts of the system. Roles typically reflect the kinds of interactions that a particular type of user has with the system. For example, you may have one role for dataflow designers which grants access to create and modify dataflows, and another role for people who only need to process data through existing dataflows.

A role grants permissions to secured entity types.
A secured entity type is a category of items to which you want to grant or deny access. For example, there is a secured entity type called "Dataflows" which controls the default permissions for all dataflows on the system.

If you need to fine-tune access you can optionally specify secured entity overrides. A secured entity override controls access to a specific secured entity on the system. For example, the secured entity type "Dataflows" specifies the default permissions for all dataflows on the system, while each individual dataflow is a secured entity. If you want to grant or deny access to a specific dataflow, you would specify a secured entity override for the dataflow.

You can specify secured entity overrides for a user, which overrides the permissions granted to the user by the user's roles. You can also specify secured entity overrides for roles, which applies the overrides to all users who have that role. You can only apply overrides for roles and users that you create, not for predefined roles and users.

Related Links
• Disabling User Security
• Creating a User
• Creating a Role
• Creating a Secured Entity Override

Users

Spectrum™ Technology Platform user accounts control the types of actions users can perform on the system. User accounts are required to:
• Use Management Console, Enterprise Designer, or Interactive Driver
• Run jobs on a schedule
• Run jobs from the command line
• Access services through web services or the API

There is an administrative account called admin that comes with the system. This account has full access. The initial password is "admin".

Important: You should change the admin password immediately after installing Spectrum™ Technology Platform to prevent unauthorized administrative access to your system.

In addition to these default accounts you can create as many user accounts as your business requires.
Related Links
• Creating a Secured Entity Override

Disabling User Security

User security is enabled by default. This means that the security restrictions assigned to users through roles are enforced. If you disable user security, the security restrictions assigned to users will not be enforced and all users will be able to access all parts of the system. Note that a valid user account is always required to access services even if you disable user security.

This procedure describes how to disable user security.

Warning: If you follow this procedure all users will have full access to your Spectrum™ Technology Platform system.

1. Open the Management Console.
2. Expand Security then click Options.
3. Clear the Limit access according to user permissions check box.

Related Links
• Security Model
• Disabling Platform Security Versus Turning Off Spatial Security

Creating a User

This procedure describes how to create a Spectrum™ Technology Platform user account and assign a role to the account.

1. Open the Management Console.
2. Expand Security then click Users.
3. Click Add. The New User window appears.
4. Leave the Enable user box checked if you want this user account to be available for use.
5. Enter the user name in the User name field.
   Note: User names can only contain ASCII characters.
6. Enter the user's password in the Password field.
7. Reenter the user's password in the Confirm password field.
8. Enter the user's email address in the Email address field.
9. Enter a description of the user in the Description field.
10. Select the roles you want to give to this user.
11. Click OK.

Related Links
• Security Model

Modifying a User

This procedure describes how to modify an existing Spectrum™ Technology Platform user account.

Note: You can modify all user information except user name.
If you need to change a user name, you must first delete the user then create a user with the new user name.

1. Open the Management Console.
2. Expand Security then click Users.
3. Click Modify. The User Properties window appears.
4. Leave the Enable user box checked if you want this user account to be available for use.
5. Enter the user's password in the Password field.
6. Reenter the user's password in the Confirm password field.
7. Enter the user's email address in the Email address field.
8. Enter the description of the user in the Description field.
9. Select the roles you want to give to this user.
10. Click OK.

Disabling a User Account

You can disable a user account so that it cannot be used to gain access to Spectrum™ Technology Platform. When a user account is disabled it cannot be used to access Management Console, Enterprise Designer, or Interactive Driver. In addition, any jobs that run on a schedule using a disabled user account will not run. API calls that use a disabled user account will also not work.

Note: The user account "admin" cannot be disabled.

1. Open Management Console.
2. Expand Security then click Users.
3. Select the user account you want to disable and click Modify.
4. Clear the Enable user check box.

The user account is now disabled and cannot be used to gain access to Spectrum™ Technology Platform.

Deleting a User

This procedure describes how to permanently delete a Spectrum™ Technology Platform user account.

Tip: User accounts can also be disabled, which prevents the account from being used to access the system without deleting the account.

1. Open the Management Console.
2. Expand Security then click Users.
3. From the User Management screen, select the user you want to delete and click Delete.
4. Click Yes to delete or No to cancel.

Note: The user account "admin" cannot be deleted.
Roles

A role is a collection of permissions that grant or deny access to different parts of the system. Roles typically reflect the kinds of interactions that a particular type of user has with the system. For example, you may have one role for dataflow designers which grants access to create and modify dataflows, and another role for people who only need to process data through existing dataflows.

The following roles are predefined:

admin: This role has full access to all parts of the system.

designer: This role is for users that create dataflows and process flows in Enterprise Designer. It provides the ability to design and run dataflows.

integrator: This role is for users who need to process data through Spectrum™ Technology Platform but do not need to create or modify dataflows. It allows the user to access services through web services and the API, and to run batch jobs.

spatial-admin: This role is available only when the Location Intelligence Module is installed. It provides full access to named resources for this module when using spatial services. (Additional access is required to manage spatial resources using Management Console. See Security for the Location Intelligence Module for more information.)

spatial-user: This role is available only when the Location Intelligence Module is installed. It provides read-only access to named resources for this module when using spatial services. (Additional access is required to view spatial resources using Management Console. See Security for the Location Intelligence Module for more information.)

user: This is the default role. It provides no access to the system. Users who have this role will only gain access to the system if you grant permission through secured entity overrides.

To view the permissions granted to each of these roles, open Management Console, go to Security and click Roles. Then select the role you want to view and click View.
Tip: You cannot modify the predefined roles. However, you can create new roles using the predefined roles as a starting point.

Related Links
• Creating a Secured Entity Override

Creating a Role

A role is a collection of permissions that you assign to a user. If the predefined roles that come with Spectrum™ Technology Platform do not fit your organization's needs, you can create your own roles.

1. In the Management Console, browse to Security then expand Roles.
2. Click Add.
3. In the Role field, enter the name you want to give to this role. The name can be anything you choose.
4. If you want to use one of the predefined roles as a starting point for your new role, check the Copy from box then select the role that you want to use as a starting point. The predefined role's permissions are selected for you.
5. Optional: Since the list of secured entity types can be long, you may want to display only a certain group of secured entity types. This can be useful if you want to apply the same permissions to all entities in a group. For example, if you want to remove the Modify permission from all database resources, you could filter to show just the Database Resources group. To display and modify only one group:
   a) Check the Enable group filtering box.
   b) Click the funnel icon in the header of the Group column and select the group you want to display.
   c) Check or clear the box in the column header of the permission you want to apply.
   d) To return to the full list of secured entity types, click the filter icon and select (All) then clear the Enable group filtering box.
6. Select the permissions you want to grant for each entity type. The permissions are:
   View: Allows the user to view entities contained by the entity type.
   For example, if you allow the View permission for the JDBC Connection entity type, users with this role would be able to view database connections in Management Console.
   Modify: Allows the user to modify entities contained by the entity type. For example, if you allow the Modify permission for the JDBC Connection entity type, users with this role would be able to modify database connections in Management Console.
   Create: Allows the user to create entities that fall into this entity type's category. For example, if you allow the Create permission for the JDBC Connection entity type, users with this role would be able to create new database connections in Management Console.
   Delete: Allows the user to delete entities contained by the entity type. For example, if you allow the Delete permission for the JDBC Connection entity type, users with this role would be able to delete database connections in Management Console.
   Execute: Allows the user to initiate processing of jobs, services, and process flows. For example, if you allow the Execute permission for the Job entity type, users with this role would be able to run batch jobs. If you allow the Execute permission for the Service entity type, users with this role would be able to access services running on Spectrum™ Technology Platform through the API or web services.
7. Click OK.

The role is now available to be assigned to a user.

Note: You can delete a role that you create, but only after you unassign it from all user accounts.

Related Links
• Security Model

Secured Entity Types - Platform

An entity type is a category of items to which you want to grant or deny access. For example, there is an entity type called "Dataflows" which controls permissions for all dataflows on the system. Platform entity types apply to all Spectrum™ Technology Platform installations, as compared to module-specific entity types that apply only if you have installed particular modules.
The platform-level entity types are:

Dataflows: Controls access to all dataflow types (jobs, services, and subflows) in Enterprise Designer.
Dataflows - Expose: Controls the ability in Enterprise Designer to make dataflows available for execution.
Event Log: Controls access to the Event Log node in Management Console.
Execution - File Monitor and Scheduling: Controls access to job schedule and file monitor configuration in Management Console.
Execution - Job Options: Controls access to the Job Options node in Management Console. All users have View access to job options. You cannot remove View access.
Execution - Report Options: Controls access to the Report Options node in Management Console. All users have View access to report options. You cannot remove View access.
Execution - Sort Performance: Controls access to the Sort Performance node in Management Console. All users have View access to sort performance options. You cannot remove View access.
Execution - Type Conversion Options: Controls access to the Type Conversion node in Management Console. All users have View access to type conversion options. You cannot remove View access.
Execution History - Jobs: Controls access to job execution history in Enterprise Designer and Management Console.
Execution History - Process Flows: Controls access to process flow execution history in Management Console and Enterprise Designer.
Jobs: Controls the ability to execute jobs in Enterprise Designer, Management Console, and job executor.
Notification - License Expiration: Controls access to configure license expiration notification emails in Management Console.
Notification - SMTP Settings: Controls access to the email notification options in Management Console.
Process Flows: Controls access to process flows in Enterprise Designer.
Process Flows - Expose: Controls the ability in Enterprise Designer to make process flows available for execution.
Remote Server: Controls access to the Remote Servers node in Management Console.
Resources - Database Connections: Controls the ability to configure JDBC connections in Management Console.
Resources - External Web Services: Controls access to managing external web services in Management Console.
Resources - File Servers: Controls the ability to configure file servers in Management Console.
Resources - JDBC Drivers: Controls the ability to configure JDBC drivers in Management Console.
Resources - Restrict server directory access: Controls the ability to enable or disable restrictions on server directory resources in Management Console.
Resources - Server directory paths: Controls the ability to configure server directory resources in Management Console.
Security - Options: Controls access to the Security Options node in Management Console.
Security - Roles: Controls access to role configuration in Management Console.
Security - Secured Entity Overrides: Controls access to secured entity overrides in Management Console.
Security - Users: Controls access for managing user accounts in the Users node of Management Console.
Services: Controls the ability to execute services through the API and web services.
Stages: Controls whether exposed subflows are available as a stage in dataflows in Enterprise Designer.
System - Licensing: Controls access to the license information displayed in Management Console.
System - Version Information: Controls access to the Version Information node in Management Console.
Transaction History: Controls access to the Transaction History node in Management Console.

Secured Entity Types - Location Intelligence Module

An entity type is a category of items to which you want to grant or deny access.
The Location Intelligence Module has the following module-specific entity type:

Named Resources: Controls permissions to all named resources in the Location Intelligence Module, including named maps, named tiles, named tables, and named connections. Users of Location Intelligence Module services must have at least read permissions for the resources they use as well as for any dependent resources.

Secured Entity Overrides

A secured entity override controls access to a specific secured entity on the system. For example, the secured entity type "Dataflows" specifies the default permissions for all dataflows on the system, while each individual dataflow is a secured entity. If you want to grant or deny access to a specific dataflow, you would specify a secured entity override for the dataflow.

You can specify secured entity overrides for a user, which overrides the permissions granted to the user by the user's roles. You can also specify secured entity overrides for roles, which applies the overrides to all users who have that role. You can only apply overrides for roles and users that you create, not for predefined roles and users.

Creating a Secured Entity Override

A secured entity override specifies permissions for specific secured entities in the system, such as specific dataflows or specific database connections. To create a secured entity override:

1. In Management Console, expand Security then click Secured Entity Overrides.
2. Do one of the following:
   • If you want to specify a secured entity override for a role, click Role. The overrides you specify will affect all users who have the role you choose.
   • If you want to specify a secured entity override for a user, click User. The overrides you specify will only affect the user you choose.
3. Click Browse to select the specific role or user then click OK.
4. Click Add then Browse. The Select Secured Entity Type window appears.
5. Select the secured entity type that contains the secured entity you want to override then click OK. For example, if you want to override a dataflow secured entity, choose Platform.Dataflows.
   Tip: To select multiple secured entity overrides, use CTRL+click. To select a range of secured entity overrides, use SHIFT+click.
6. Choose the secured entity that you want to override. Click Add then Close. The secured entities you chose are displayed. The secured entity type's row shows the permissions in effect for the selected role or user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled.
7. Specify the secured entity overrides you want. Each permission can have one of the following settings:
   • There is no override for the permission. The permission is the default permission granted to the user or role.
   • The permission is denied to the user or role, overriding whatever permission is specified in the secured entity type.
   • The permission is granted to the user or role, overriding whatever permission is specified in the secured entity type.

Related Links
• Security Model
• Users
• Roles

Viewing a Secured Entity Override

A secured entity override specifies permissions for specific secured entities in the system, such as specific dataflows or specific database connections. To view secured entity overrides for a role or user:

1. In Management Console, expand Security then click Secured Entity Overrides.
2. Do one of the following:
   • If you want to view a secured entity override for a role, click Role.
   • If you want to view a secured entity override for a user, click User.
3. Click Browse to select the specific role or user then click OK. The secured entities with overrides for the role or user you chose are displayed.
   The secured entity type's row (for example, Platform.Dataflows) shows the permissions in effect for the selected role or user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled. The secured entity rows (for example, the specific dataflow GeocodeAddress) show the permissions in effect for that entity, each of which can have one of the following settings:
   • There is no override for the permission. The permission is the default permission granted to the user or role.
   • The permission is denied to the user or role, overriding whatever permission is specified in the secured entity type.
   • The permission is granted to the user or role, overriding whatever permission is specified in the secured entity type.

Security for the Location Intelligence Module

The Location Intelligence Module uses the same role-based security that is used for the Spectrum™ Technology Platform. Because security is handled at the platform level, the Management Console can be used to manage all Location Intelligence Module security activities. This includes setting permissions for named resources in addition to managing user accounts (that is, creating, modifying, and deleting user accounts).

Note: The User Management Service can still be used to set permissions if desired; however, permissions are stored in the platform and not the repository, and cannot be set at the folder or directory level. The User Management Service is set to be deprecated in the next release.

After you install the Location Intelligence Module, two predefined roles are available in Management Console, spatial-admin and spatial-user. The spatial-admin role provides full permissions (View/Modify/Create/Delete) for all named resources (named maps, named tiles, named connections, and named tables), whereas the spatial-user role provides only View permissions to these resources.
These permissions are controlled using the Location Intelligence Module's secured entity type, Location Intelligence.Named Resources. Users of Location Intelligence Module services must have at least View permissions for the resources they use as well as for any dependent resources.

These predefined spatial roles, when assigned to a user, provide access to named resources only when using spatial services. They do not allow access to named resources in Management Console. The "admin" user in Spectrum has full access to manage all parts of the system, including named resources, via the Management Console. If you also want users who can access only named resources via the Management Console, you must manually create a "named resources administrator" role, using one of the predefined spatial roles as a base, that provides access to named resources in the repository then assign that role to a "named resources administrator" user account. For instructions on creating this additional resource-administrator role, see Creating a Named Resources Administrator.

Dataflow designers who require access to named resources also need additional permissions beyond that of the "designer" role. For instructions on creating a spatial dataflow designer, see Creating a Spatial Dataflow Designer.

Roles and associated permissions on the Location Intelligence.Named Resources secured entity type can all be viewed using Management Console.
• Predefined roles, which are not editable:
• Permissions for spatial-admin, on the Location Intelligence.Named Resources secured entity:
• Permissions for spatial-user, on the Location Intelligence.Named Resources secured entity:

Note: The permission settings in the User Management Service are mapped to the Spectrum™ Technology Platform as follows: Read>View, Modify>Modify, Add>Create, and Remove>Delete.
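The model below is an added example, not code from the guide or the product: it computes a user's effective permissions from role grants on secured entity types plus role-level and user-level secured entity overrides, and lists named resources that still lack an override. The class and function names and the /Example/NamedTables paths are constructed for illustration, and the way overrides from several roles combine is an assumption (each role's overrides adjust only that role, and roles combine by union).

```python
"""Added example: a small model of the guide's role / secured entity override scheme."""
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"      # explicit override settings; no entry = no override
ALL_PERMS = frozenset({"View", "Modify", "Create", "Delete", "Execute"})
NAMED_RES = "Location Intelligence.Named Resources"   # secured entity type from the guide

# User Management Service permission -> platform permission (from the guide's note)
UMS_TO_PLATFORM = {"Read": "View", "Modify": "Modify", "Add": "Create", "Remove": "Delete"}


@dataclass
class Role:
    name: str
    type_perms: dict = field(default_factory=dict)  # entity type -> set of permissions
    overrides: dict = field(default_factory=dict)   # (entity type, entity) -> {perm: GRANT|DENY}


@dataclass
class User:
    name: str
    roles: list
    overrides: dict = field(default_factory=dict)   # same shape as Role.overrides
    enabled: bool = True


def _apply(perms, override):
    """Return perms with one entity's override settings applied."""
    result = set(perms)
    for perm, setting in override.items():
        if setting == GRANT:
            result.add(perm)
        else:
            result.discard(perm)
    return result


def effective(user, etype, entity, limit_access=True):
    """Permissions the user ends up with on one secured entity."""
    if not user.enabled:
        return set()                  # a disabled account cannot be used at all
    if not limit_access:
        return set(ALL_PERMS)         # "Limit access according to user permissions" cleared
    perms = set()
    for role in user.roles:
        # ASSUMPTION: a role's overrides adjust that role only; roles combine by union.
        base = role.type_perms.get(etype, set())
        perms |= _apply(base, role.overrides.get((etype, entity), {}))
    # User-level overrides take precedence over whatever the roles granted.
    return _apply(perms, user.overrides.get((etype, entity), {}))


def missing_overrides(role, etype, entities, perm):
    """Entities with no explicit override for perm on this role (type default applies)."""
    return sorted(e for e in entities if perm not in role.overrides.get((etype, e), {}))


def who_can(users, etype, entity, perm):
    """Names of users whose effective permissions on the entity include perm."""
    return sorted(u.name for u in users if perm in effective(u, etype, entity))


def build_example():
    """The guide's two override scenarios; the table paths are constructed placeholders."""
    tables = ["/Example/NamedTables/TableA", "/Example/NamedTables/TableB"]
    tile = "/Samples/NamedTiles/USATile"
    spatial_user = Role("spatial-user", {NAMED_RES: {"View"}})
    table_modifier = Role("table-modifier", overrides={
        (NAMED_RES, t): {"Modify": GRANT, "Delete": GRANT} for t in tables})
    user_tables = User("user-tables", [spatial_user, table_modifier])
    user_tiles = User("user-tiles", [spatial_user], overrides={
        (NAMED_RES, tile): {"Modify": GRANT, "Delete": GRANT}})
    return tables, tile, table_modifier, user_tables, user_tiles


if __name__ == "__main__":
    tables, tile, table_modifier, user_tables, user_tiles = build_example()
    new_table = "/Example/NamedTables/TableC"   # constructed: added after overrides were set
    for user, entity in [(user_tables, tables[0]), (user_tables, new_table),
                         (user_tables, tile), (user_tiles, tile)]:
        print(user.name, entity, sorted(effective(user, NAMED_RES, entity)))
    print("needs override:",
          missing_overrides(table_modifier, NAMED_RES, tables + [new_table], "Modify"))
    print("can delete tile:", who_can([user_tables, user_tiles], NAMED_RES, tile, "Delete"))
```

Because overrides attach to individual named resources rather than folders, running `missing_overrides` over the current repository listing after each deployment shows which new resources have silently fallen back to the type-level default.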
You can create custom roles based on the predefined spatial roles, assign them to user accounts, then fine-tune access to named resources for those roles and users by applying secured entity overrides to individual named resources. Overrides cannot be applied to folders or directories, so anytime a named resource is added you must specify any necessary overrides for that resource.

Related Links
• Appendix - Managing Security with the User Management Service

Example: Overriding Permissions at the Role Level

A typical scenario and best practice for setting security for the Location Intelligence Module involves creating a custom role with no permissions, applying specific overrides to the custom role, then assigning that role to a user. In this example, you will create a custom role with no permissions, apply overrides to the custom role allowing modify and delete permissions for named tables in the repository, then create a user account and assign the custom role along with a predefined spatial role to it.

1. Create a Custom Role.
   If the predefined roles that come with Spectrum™ Technology Platform do not fit your organization's needs, you can create your own roles. In this first step of this example, you will create a custom role called table-modifier that initially has no permissions. Before you begin, verify that security is enabled; see Disabling User Security.
   a) In the Management Console, browse to Security then click Roles.
   b) Click Add. The Add Role dialog appears.
   c) In the Name field, enter the name you want to give to this role, table-modifier. No permissions are set for this role.
   d) Click OK. The custom role is now available to be assigned overrides.
2. Apply Overrides to a Role.
   A secured entity override grants permissions for specific secured entities in the system, such as named tables that are in the repository. In this step of the example, you will create an override for the table-modifier role that allows modifying and deleting of named tables.
   a) In Management Console, expand Security then click Secured Entity Overrides.
   b) Click Role then Browse. The Select Role dialog appears.
   c) Select the table-modifier role and click OK.
   d) Click Add. The Select Items dialog appears.
   e) Click Browse. The Select Secured Entity Type window appears.
   f) Select the Location Intelligence.Named Resources secured entity type. Click OK. A list of all secured entities that are named resources appears.
   g) From the list of secured entities, locate then select all the named table resources (use the Shift key to select multiple consecutive items in this dialog).
      Note: Overrides can be applied only to individual named resources, not to folders or directories.
   h) Click Add then Close. The secured entities (named tables) you chose are displayed. The secured entity type's row shows the permissions in effect for the table-modifier role. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled.
   i) Specify overrides on each secured entity (named table) by selecting all checkboxes in the Modify and Delete columns:
   j) Click Save or select File > Save. The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicating that the changes are saved.
   The table-modifier role now permits modifying and deleting of named tables, and can be assigned to a user account.
   Note: If named tables are subsequently added to the repository, you will need to add secured entity overrides for each of those named tables.
3. Create a User.
   In the final step of this example, you will create a user account to which you will assign both the pre-defined spatial-user role (which provides view-only permissions to named resources) as well as the custom table-modifier role (which grants additional permissions for modifying and deleting named tables).
   a) In Management Console, expand Security then click Users.
   b) Click Add. The New User window appears.
   c) Leave the Enable user box checked if you want this user account to be available for use.
   d) Enter the user name (user-tables) in the User name field.
   e) Enter the user's password in the Password field.
   f) Re-enter the user's password in the Confirm password field.
   g) Enter the user's email address in the Email address field.
   h) Enter a description of the user in the Description field.
   i) Select the spatial-user and table-modifier roles.
   j) Click OK.

A user-tables user account is now available with view-only permissions to all named resources as well as modify and delete permissions for named tables.

Example: Overriding Permissions at the User Level

A common scenario for setting security for the Location Intelligence Module involves establishing override permissions for a single user. In this example, you will create a user with view-only permissions to named resources, then apply overrides to the user account that allow modifying and deleting of a specific named tile.

1. Create a User with View Permissions.
   First, you will create a user account to which you will assign the pre-defined spatial-user role. This role provides view-only permissions to named resources.
   a) In Management Console, expand Security then click Users.
   b) Click Add. The New User window appears.
   c) Leave the Enable user box checked if you want this user account to be available for use.
   d) Enter the user name (user-tiles) in the User name field.
   e) Enter the user's password in the Password field.
   f) Re-enter the user's password in the Confirm password field.
   g) Enter the user's email address in the Email address field.
   h) Enter a description of the user in the Description field.
   i) Select the spatial-user role.
   j) Click OK.
   A user-tiles user account is now available with view-only permissions to all named resources.
2. Apply Overrides to a User.
   A secured entity override grants permissions for specific secured entities in the system. In the final step of this example, you will create an override that allows a single user (user-tiles) to modify and delete a specific named tile in addition to being able to view all types of named resources.
   a) In Management Console, expand Security then click Secured Entity Overrides.
   b) Click User then Browse. The Select User dialog appears.
   c) Select the user (user-tiles) and click OK.
   d) Click Add. The Select Items dialog appears.
   e) Click Browse. The Select Secured Entity Type window appears.
   f) Select the Location Intelligence.Named Resources secured entity type. Click OK. A list of all secured entities that are named resources appears.
   g) From the list of secured entities, locate then select /Samples/NamedTiles/USATile.
   h) Click Add then Close. The secured entity (named tile) you chose is displayed. The secured entity type's row shows the permissions in effect for the user-tiles user. A gray checked box indicates that the permission is enabled and a gray empty box indicates that the permission is disabled.
   i) Specify overrides on the secured entity (named tile) by selecting the checkboxes in the Modify and Delete columns:
   j) Click Save or select File > Save. The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicating that the changes are saved.
The user-tiles user can now modify, delete, and view a specific named tile (/Samples/NamedTiles/USATile), but can only view all other named tiles and named resources.

Creating a Named Resources Administrator

To view or manage named resources in the repository using Management Console, a user must have an assigned role that allows full access to those resources in addition to the access that is provided by the predefined spatial roles. The predefined spatial roles cannot be modified and a predefined "Named Resources Administrator" role is not provided by the Spectrum™ Technology Platform; however, you can create such a role using a predefined spatial role as a base.

1. In the Management Console, browse to Security then click Roles.
2. Click Add.
3. In the Name field, enter the name you want to give to this role (for example, "resource-admin").
4. Check the Copy from box then select either the spatial-admin or spatial-user role to use as a starting point. The spatial-admin role provides View, Modify, Create, and Delete permissions for the Location Intelligence Module.Named Resources secured entity type; the spatial-user role provides View permissions.
5. Set additional permissions as follows for these secured entity types:
   Database Resources:
   • Centrus Database Resources to View/Modify/Create/Delete/Execute (if required)
   • Enterprise Routing to View/Modify/Create/Delete/Execute (if required)
   • Spatial Database Resources to View/Modify/Create/Delete/Execute for a spatial-admin, or to View/Execute for a spatial-user
   Platform:
   • Resources - File Servers to View
   • Resources - JDBC Drivers to View
   • Services to View/Modify/Execute
   • System - Version Information to View
6. Click OK to save the new resource-admin role.
7. Under Security, click Users.
8. Either select an existing user and click Modify, or click Add to create a new user.
9.
Assign the new "resource-admin" role to the user account to allow it to manage and/or view named resources in Management Console.

The user now has the access required to view and/or manage named resources in Management Console.

Creating a Spatial Dataflow Designer

To create dataflows for Location Intelligence Module stages and services, a user must have both the designer and spatial-user roles assigned. The spatial-user role provides View access to named resources under the Location Intelligence.Named Resources secured entity type. The designer role provides the necessary access to Platform secured entity types such as Dataflows.

1. In the Management Console, browse to Security then click Users.
2. Either select an existing user and click Modify, or click Add to create a new user.
3. Assign both the designer and spatial-user roles to the user account.

The user now has permission to view named resources and design dataflows using those resources for Location Intelligence Module stages and services.

Turning off Security for Services and the Repository

All services and access to resources used by the Spectrum™ Technology Platform Location Intelligence Module are configured, by default, with authentication turned on. This allows certain functionality to restrict access to resources and the ability to modify resources in the repository. For example, the Named Resource Service AddNamedResource operation, and the CSW service Harvest operation both require authentication, as both of these operations require write permissions to the repository.

The service-level authentication can be turned off for all services and the repository. This is useful if you have your own high-level authentication built into the solution that is using the Location Intelligence Module services.

To turn off service and repository security, use the JMX console.

1.
Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration).
2. Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager.
3. For RestServiceSecurityType and SoapServiceSecurityType enter OPEN in the value field and click set for each.
4. Restart the server.

Once finished, security is turned off for the services and repository.

Related Links
Disabling Platform Security Versus Turning Off Spatial Security

Turning off Security for the Repository

To turn off repository security:

1. Launch the User Management Service Demo page at http://localhost:8080/Spatial/UserManagementService/DemoPage.html (replacing localhost and port 8080 with your correct configuration).
2. Using admin credentials in the User and Password fields, set the everyone user with the all permission using the following request:

   everyone / all false

Once finished, security is turned off for the repository.

Turning off Security for the REST Services

To turn off security for REST services:

1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration).
2. Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager.
3. For RestServiceSecurityType enter OPEN in the value field and click set.
4. Restart the server.

Once finished, security is turned off for the REST services.

Turning off Security for the SOAP services

To turn off security for SOAP services:

1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacing localhost and port 8080 with your correct configuration).
2.
Under the Domain: com.pb.spectrum.platform.config section, select the administration link for the WebServiceSecurityConfigurationManager.
3. For SoapServiceSecurityType enter OPEN in the value field and click set.
4. Restart the server.

Once finished, security is turned off for the SOAP services.

Disabling Platform Security Versus Turning Off Spatial Security

The Spectrum™ Technology Platform allows you to disable role-based security at the platform level and service-level security as two separate operations.

Disabling role-based security at the platform level (by deselecting ‘Limit access according to user permissions’ on the Security > Options node in Management Console) means that the permissions assigned to users (via roles and secured entity overrides) will not be enforced and all users will be able to access all parts of the system. The Location Intelligence Module will then allow access to any named resource in the repository.

Turning off service-level security on the JMX Console (by setting RestServiceSecurityType and SoapServiceSecurityType to OPEN) causes the execution of service requests to use the admin user. For the Location Intelligence Module this means that any named resource that is added to the repository is “owned” by the admin user; therefore, running the User Management Service’s getPermissions request will show that non-admin users have only "Read" permissions.

Disabling both service-level and role-based security completely opens up the Location Intelligence Module's services and named resources.
Running the User Management Service’s getPermissions request will also show that non-admin users now have "All" permissions.

Related Links
Disabling User Security
Turning off Security for Services and the Repository

Limiting Server Directory Access

Enterprise Designer and Management Console users have the ability to browse the Spectrum™ Technology Platform server's folders and files, such as when selecting an input or output file when configuring a source or sink stage in a dataflow, or defining a database resource. You may want to restrict file browsing so that sensitive portions of the server are kept off limits. You can prevent all browsing or you can specify the folders that you want users to be able to browse. The folders you specify appear as the top-level folders in users' file browse windows. For example, if you allow users to only access a folder on the server named WestRegionCustomers, when users browse the server they would only see that folder, as shown here:

To restrict access to the server's file system, follow this procedure.

1. Open Management Console.
2. Under Resources, select Server Directory Access.
3. Do one of the following:
   • To prevent users from browsing the server entirely, check the box Restrict server directory access and do not perform any of the following steps. Users will have no access to any of the files or folders on the server.
   • To allow access to some folders on the server, proceed to the following step.
4. Click Add.
5. In the Name field, give a meaningful name for the folder to which you are granting access.
6. In the Path field, specify the folder to which you want to grant access.
   Note: Users will be able to access all subfolders contained in the folder you specify.
7. Click OK.
8. If you want to grant access to additional folders, repeat the previous steps as needed.
9.
Enforce the restrictions by checking the Restrict server directory access box.

Users will now only have access to the folders you have specified.

Note: If there are any dataflows that had previously accessed files that are no longer available because of file browsing restrictions, those dataflows will fail.

Configuring HTTPS Communication

By default, Spectrum™ Technology Platform communication with the client tools (Enterprise Designer, Management Console, and Interactive Driver) and API occurs over HTTP. You can configure Spectrum™ Technology Platform to use HTTPS if you want to secure these network communications.

1. Stop the Spectrum™ Technology Platform server.
   • To stop the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Stop Server. Alternatively, you can use the Windows Services control panel and stop the Pitney Bowes Spectrum™ Technology Platform service.
   • To stop the server on Unix or Linux, source the /server/bin/setup script then execute the /server/bin/server.stop script.
2. Create a certificate and load it into a JSSE keystore. For more information, see http://docs.codehaus.org/display/JETTY/How+to+configure+SSL.
3. Create an XML file named spectrum-override-container-ssl.xml containing the following:
4. Modify the following lines as needed to reflect your environment:
   Modify the value to be the relative path from /server/app/conf/spring to the keystore you are using. This example assumes the keystore in the root of the drive on which the Spectrum™ Technology Platform server is installed.
   Modify the value to be the password to the key within the keystore.
5. Save the spectrum-override-ssl.xml file to /server/app/conf/spring.
6.
Using a text editor, open the file spectrum-container.properties located in /server/app/conf and set the following properties:

   spectrum.http.port=8443
   spectrum.runtime.hostname=dnsname

   Where dnsname is the external DNS for the server.
7. Start the Spectrum™ Technology Platform server.
   • To start the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Start Server. Alternatively, you can use the Windows Services control panel to start the Pitney Bowes Spectrum™ Technology Platform service.
   • To start the server on Unix or Linux, execute the /server/bin/server.start script.

Chapter 4: Monitoring Your System

In this section:
• Event Log
• Spatial Logging
• Configuring E-mail Notification
• Configuring License Expiration Notification
• Viewing Version Information
• Viewing and Exporting License Information
• Monitoring Performance
• Monitoring Memory Usage

Event Log

Viewing the Event Log

The event log displays messages from the Spectrum™ Technology Platform server's wrapper log. The event log contains information about server operations as well as requests made to services from the API and through web services. Use the event log when you experience trouble and are looking for information about possible causes.

1. Open the Management Console.
2. Expand Event Log then click Events.
3. Click Refresh to view the latest entries.
4. Check Show events upon open to automatically load the event log.
If you do not check this option you must click the Refresh button to view the latest information.

You can also view the event log by using a text editor and opening the file \server\app\repository\logs\wrapper.log.

Setting Event Log Options

You can specify the default logging level as well as logging levels for each service on your system. When you change logging levels the change will not be reflected in the log entries made before the change.

1. Open the Management Console.
2. Expand Event Log then click Options.
3. Click the System default logging level drop-down list to select an event logging level. Event logging levels include the following:
   • Disabled—no event logging enabled.
   • Fatal—minimal logging, logs only fatal errors. Fatal errors are those that make the system unusable.
   • Error—logs only errors and fatal errors. Errors make a single call unusable, possibly a single service, but not the whole system. The inability to load a specific service might be an error since other services would be available.
   • Warn—event warnings and errors are logged. Warnings indicate problems that do not stop the system from working (for example, when loading a service where a parameter has an invalid value, a warning is issued and the default parameter is used). During the use of a service, if results are returned but there is a problem, a warning will be logged. An example might be that casing was set to lower case, but Canadian does not support casing. Results are returned with a warning that the casing option was ignored.
   • Info—logging of high-level system information. This is the most detailed logging level suitable for production. Info level will typically be used during startup and initialization, providing product and version information, which services were loaded, etc.
   • Debug—a highly detailed level of logging, suitable for debugging problems with the system.
   • Trace—the most detailed level of logging, tracing program execution (method entry and exit).
It provides detailed program flow information for debugging.

   Each logging level includes the ones above it on the list. In other words, if Warning is selected as the logging level, errors and fatal errors will also be logged. If Info is selected, informational messages, warnings, errors, and fatal errors will be logged.

   Note: Selecting the most intensive logging level can affect system performance. Therefore, you should select the least intensive setting that meets your particular logging requirements.
4. If you want to specify different logging levels for each service, choose the logging level you want.

Spatial Logging

The JMX Console is equivalent to logger name="com.mapinfo.midev" in the logback.xml file. If you want to see debug info for a short time, use the JMX Console; otherwise, use logback.

The remote components (feature and mapping) in the JMX Console can be configured individually:

• Spatial:name=Logging,type=Remote Feature Component
   • Feature Service
   • Geometry Service
   • Named Resource Service
   • User Management Service
   • WFS
   • CSW
• Spatial:name=Logging,type=Remote Mapping Component
   • Mapping Service
   • Map Tiling Service
   • WMS

Users can enable debugging and specify an additional output file for each one of them. By default, log messages go into wrapper.log. Services in a component will output to the same file and cannot be further split. The configuration change made here will not persist, and will be lost after restart.

The logback.xml file provides finer control over logging behavior, such as sending output to a log file instead of sending it to the console (the default), which redirects to wrapper.log. You can also set the log level to turn off logging altogether or log only fatal errors, for example. As described above for the JMX Console, the log can only be redirected based on components (feature and mapping), not by services.
Default logback file:

[${component.name}] - [%thread] %-5level %logger{35} %msg%n ${g1.server.modules.dir}/spatial/${component.name}.log %d [%thread] %-5level %logger{35} - %msg%n true 10MB ${component.name}.log.%i 1

Option    Values
Level     • OFF–turn off logging
          • ERROR–log runtime or unexpected errors
          • WARN–log warnings only; for example, using a deprecated API
          • INFO–log runtime events such as startup or shutdown [default]
          • DEBUG–log detailed debugging information
Output    • CONSOLE-SPATIAL –sends log information to the JMX Console [default]
          • FILE-SPATIALL–sends log information to a log file based on component (feature or mapping)

Configuring E-mail Notification

Spectrum™ Technology Platform can alert you to potential problems to ensure that critical business processes are not interrupted. Notifications are sent as a result of conditions within dataflows and process flows. The messages can be formatted to contain context-sensitive information about the event that occurred.

1. Open the Management Console.
2. Expand System then click Notification.
3. In the Host field, enter a valid host name or IP address.
4. Enter a valid port number or range in the Port field. The default is 25.
5. Enter the user name for logging on to the SMTP server in the User Name field.
6. Enter a password for logging on to the SMTP server in the Password field.
7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the Confirm Password field.
8. Enter a valid e-mail address to which notification e-mail will be sent in the From Address field.
9. Enter a valid e-mail address to which notification e-mail will be sent in the Test Address field. This is used to ensure the notification process works.
10. Click Test to send a test message.

Configuring License Expiration Notification

You can have Spectrum™ Technology Platform send an email notification when a license is about to expire.
1. Open the Management Console.
2. Expand System then click Notification.
3. In the Host field, enter a valid host name or IP address.
4. Enter a valid port number or range in the Port field. The default is 25.
5. Enter the user name for logging on to the SMTP server in the User Name field.
6. Enter a password for logging on to the SMTP server in the Password field.
7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the Confirm Password field.
8. Enter a valid e-mail address to which notification e-mail will be sent in the From Address field.
9. Enter a valid e-mail address to which notification e-mail will be sent in the Test Address field. This is used to ensure the notification process works.
10. Click Test to send a test message.
11. Click the Expiration Settings tab.
12. In the Days before expiration to send notification field, specify the number of days in advance that you want to be notified of a pending license or data expiration. For example, if you want to be notified 30 days before a license expires, specify 30.
13. Check the Send expiration notification check box.
14. Click Add and specify the email address you want to receive the notification.
15. Select File > Save.

Viewing Version Information

1. In Management Console, expand System then click Version Information.
2. The Version Information window presents information on the configured services. Expanding the Server Information, System Information, Service Information, and Component Information folders will present the corresponding details. This includes version numbers of the server, the operating system, the service software, and component versions.
   Note: This information is view-only.

Viewing and Exporting License Information

1. Open the Management Console.
2. Expand System then click Licensing.
3. Click the Expiration Info tab to view a list of licenses that are about to expire.
Only licenses that are within the period specified in the Notification node, Expiration Settings tab, are displayed.
4. Click the License Information tab to view a complete listing of all licenses installed on your system.

To export your license information to a .lic file, click Export. This is helpful when resolving license issues with technical support.

Monitoring Performance

The Spectrum™ Technology Platform JMX console provides a performance monitoring tool that records performance statistics for each stage in a dataflow. Use the JMX console to identify bottlenecks and observe the effects of different performance tuning adjustments.

1. Open a web browser and go to http://:/jmx-console
   Where:
   is the IP address or hostname of your Spectrum™ Technology Platform server.
   is the HTTP port used by Spectrum™ Technology Platform. The default is 8080.
2. Enter "admin" for both the user name and password.
3. Under "Domain: com.pb.spectrum.platform.performance", click com.pb.spectrumplatform.performance:server=PerformanceMonitorManager.
4. Click the Invoke button next to enable.
5. Click Return to MBean View to go back to the PerformanceMonitorManager screen.

Performance monitoring is now enabled. When a dataflow runs, the performance statistics will display at the top of the PerformanceMonitorManager screen. Note the following:

• The statistics are reported in a semicolon-delimited format. The first row is the column header. We recommend putting the data into a spreadsheet for easier viewing.
• The time values in the report (Avg, Min, Max, Total) are displayed in milliseconds.
• You must refresh the screen to see updates.
• To reset the counters, click the Invoke button next to reset.
• If you stop the Spectrum™ Technology Platform server, performance monitoring will be turned off. You will have to turn it back on when you start the server again.
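The statistics report described above is semicolon-delimited, with a header row and millisecond time columns (Avg, Min, Max, Total). The following added example, which is not part of the original guide or the product, parses a report pasted from the PerformanceMonitorManager screen, ranks stages by total time, and compares two runs to show the effect of a tuning change. The Stage and Count column names, the stage names, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Time columns named in the guide; all values are milliseconds.
TIME_COLUMNS = ("Avg", "Min", "Max", "Total")

# Constructed sample reports. "Stage" and "Count" are assumed column names;
# adjust key_column to match the header your server actually prints.
SAMPLE_BEFORE = """\
Stage;Count;Avg;Min;Max;Total
Read from File;1000;0.4;0.1;12;400
Query Spatial Data;1000;7.5;2;310;7500
Write to File;1000;2.1;0.5;95;2100
"""
SAMPLE_AFTER = """\
Stage;Count;Avg;Min;Max;Total
Read from File;1000;0.4;0.1;12;400
Query Spatial Data;1000;3.0;1;120;3000
Write to File;1000;2.1;0.5;95;2100
"""


def parse_stats(text, key_column="Stage"):
    """Parse the semicolon-delimited report into {stage: {column: ms}}."""
    rows = [[cell.strip() for cell in row]
            for row in csv.reader(io.StringIO(text), delimiter=";")
            if any(cell.strip() for cell in row)]  # ignore blank lines
    if not rows:
        raise ValueError("empty report")
    header = rows[0]  # the first row is the column header
    missing = [c for c in (key_column, *TIME_COLUMNS) if c not in header]
    if missing:
        raise ValueError(f"header lacks columns: {missing}")
    stats = {}
    for number, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            raise ValueError(
                f"row {number}: expected {len(header)} fields, got {len(row)}")
        record = dict(zip(header, row))
        try:
            stats[record[key_column]] = {
                c: float(record[c]) for c in TIME_COLUMNS}
        except ValueError as exc:
            raise ValueError(f"row {number}: non-numeric time value") from exc
    return stats


def bottlenecks(stats):
    """Return (stage, total_ms, share_of_all_time), slowest stage first."""
    grand_total = sum(s["Total"] for s in stats.values())
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["Total"], reverse=True)
    return [(name, s["Total"], s["Total"] / grand_total if grand_total else 0.0)
            for name, s in ranked]


def compare_avg(before, after):
    """Percent change in Avg per stage between two runs (negative = faster)."""
    changes = {}
    for name, old in before.items():
        if name in after and old["Avg"] > 0:
            changes[name] = 100.0 * (after[name]["Avg"] - old["Avg"]) / old["Avg"]
    return changes


if __name__ == "__main__":
    before = parse_stats(SAMPLE_BEFORE)
    after = parse_stats(SAMPLE_AFTER)
    for name, total, share in bottlenecks(before):
        print(f"{name:20s} {total:8.0f} ms  {share:6.1%}")
    for name, pct in compare_avg(before, after).items():
        print(f"{name:20s} Avg change {pct:+.1f}%")
```

Reset the counters between the two runs so that each report covers only one configuration.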
Monitoring Memory Usage

The JMX Console allows you to monitor the JVM heap usage of each remote component. The monitoring processes for Spectrum Spatial are:

• Spatial:name=Process,type=Remote Feature Component
   • Feature Service
   • Geometry Service
   • Named Resource Service
   • User Management Service
   • WFS
   • CSW
• Spatial:name=Process,type=Remote Mapping Component
   • Mapping Service
   • Map Tiling Service
   • WMS

Memory usage (HeapMemoryUsage and NonHeapMemoryUsage) is based on the standard JVM memory MBean. It shows the memory usage of the JVM that the remote component is running on. It includes the amount of init, max, committed and used memory. RuntimeName includes the process ID that you can use to find more information from the operating system (for example, by using the Windows Task Manager), or even kill the process.

In the heap sections, ={committed=72351744, init=65157504, max=954466304, used=6559552}) are shown in bytes. The number is for a particular remote component, which includes multiple services. Each remote component runs in its own JVM, and the JVM only runs this component. Init is the initial amount the JVM allocated (-Xms); max is the one specified by –Xmx. Used is the amount of memory that is used by the JVM for objects. The relationship is like this: –Xms < committed < -Xmx, and used < committed.

You can modify the heap memory by modifying the -Xm in the java.vmargs file under the spatial folder (\Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs). See Increasing Heap Memory for more instructions.

Chapter 5: Managing Memory and Threading

In this section:
• Introduction to Managing Memory and Threading
• Spectrum Performance Tuning
• Increasing Heap Memory for Spatial Components
• Increasing Heap Memory for the Platform
Introduction to Managing Memory and Threading

This section describes approaches for improving performance by managing memory and threading, and also relates best practices for optimizing the performance of the Location Intelligence Module. It is intended for experienced administrators.

Spectrum Performance Tuning

Spectrum provides several tuning options to optimize performance of the server. The optimal selection of settings is dependent on the nature of the deployment. To create a well-tuned server environment, it is recommended that performance tests should be executed in the deployed environment to determine optimal settings. This section provides some general guidance on performance tuning.

JVM Tuning

Spectrum is a Java server, and as a result, JVM tuning parameters can be used to optimize performance of remote components. The JVM can be configured through the //server/modules/spatial/java.vmargs file.

To optimize Spectrum's performance using JVM tuning parameters:

1. Stop the Spectrum server.
2. Open the java.vmargs file in a text editor. Set the maximum memory allocation on the JVM. An allocation of 512m for each active CPU core is generally appropriate. Do not exceed the maximum memory available to your operating system and leave a suitable space for the operating system to do its work.
3. Save the file.
4. Restart Spectrum.

Remote Components Configuration

Each spatial service component in Spectrum™ Technology Platform is deployed into its own JVM instance separate from the platform run time. This ensures the platform is independent of the modules within it and that JVM configuration can be applied per service, allowing flexibility of memory allocation and tuning for performance based on the characteristics of the service.

Remote components supply spatial functions to spatial services and stages. The pool size for a remote component is the number of requests the component can handle concurrently.
This affects the throughput of both spatial services and spatial stages.

Two remote components exist for the Location Intelligence Module: feature and mapping. Each of these components encompasses several services:

• spatial.feature
   • Feature Service
   • Geometry Service
   • Named Resource Service
   • WFS
   • CSW
• spatial.mapping
   • Mapping Service
   • Map Tiling Service
   • WMS

Modifying the Pool Size

In addition to JVM tuning, you can also adjust the pool size of the spatial remote components. The pool size for a remote component is the number of requests the component can handle concurrently. This setting represents the number of threads on the components that are listening for service requests from the Spectrum™ Technology Platform or executing a Location Intelligence Module stage (that is, the maximum number of managed connections). Every web service request enters Spectrum from the platform and is passed to the components. The default value of 1 can be increased to accommodate greater request loads. A pool size that matches the number of CPUs is recommended. The maximum setting should not go above twice the number of CPU cores; for example, on a 4 CPU machine the combined number of threads for all services should not exceed 8. Performance tests should be run with various settings until optimal performance is achieved for the usage.

You can adjust the pool size for the spatial remote components in Management Console:

1. Open the Management Console.
2. Expand Modules > Location Intelligence > Tools then click Remote Components.
3. Select the spatial component for which you want to adjust the pool size: spatial.feature or spatial.mapping.
4. Click Modify. The Modify Pool Size dialog box appears.
5. Change the pool size using the arrows or by typing in a value.
6. Click OK.
7. If you decreased the pool size, restart the server.
(Increasing the pool size does not require a server restart.)

Related Links
Remote Components Configuration

Increasing Heap Memory for Spatial Components

To increase the heap memory for spatial remote components:

1. Stop the Spectrum server.
2. In a text editor, open the java.vmargs file from \Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs.
3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB, change the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to -Xmx1536m -Djava.io.tmpdir=../app/tmp. This increases the memory of each spatial remote component to 1.5GB and enables remote components to connect via Jconsole for debugging.
4. Save the java.vmargs file.
5. Restart the Spectrum server.

Increasing Heap Memory for the Platform

To increase the heap memory for the Spectrum platform:

1. Stop the Spectrum server.
2. In a text editor, open the wrapper.conf file from \Pitney Bowes\Spectrum\server\bin\wrapper.
3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB:

   # Maximum Java Heap Size (in MB)
   wrapper.java.maxmemory=2048

4. Save the java.vmargs file.
5. Restart the Spectrum server.

Chapter 6: Load Balancing Spatial Services Tutorial

In this section:
• About this Tutorial
• Deployment Architecture
• Install Spectrum
• Set Up a Map Image File Share
• Configure Spectrum
• Configure Common Repository
• Shared Spectrum Local Data
• Performance Tuning
• Set Up Load Balancer

About this Tutorial

The Spectrum spatial services that are included with the Location Intelligence Module are designed to support enterprise scale deployment requirements. This includes deployment configurations for high availability and support for horizontal and vertical scaling.

Spectrum's high availability configuration enables organizations to create fault tolerant deployments supporting requirements for continuous service provision. Spectrum’s configurations for horizontal and vertical scaling provide the ability to grow the capacity of a system to support greater load. The horizontal scaling configuration supports additional load through addition of more servers to the cluster. The vertical scaling configuration grows the capacity of the system to support larger loads through the addition of greater hardware resources. Spectrum uses a load balancing based approach to deliver resilience and horizontal scaling architectures.

The goal of this tutorial is to illustrate the concepts of load balancing a Spectrum installation with the spatial services for resilience or high capacity. Both the concepts and the steps outlined in this tutorial can apply to virtualized and native environments. The tutorial will provide information on scaling the spatial server horizontally and vertically.

This tutorial uses the following hardware/software and Spectrum components:

• Spectrum LIM Mapping Service
• Postgres database 9.0.3
• RedHat Linux 5.4

Deployment Architecture

In this tutorial we will create a load balanced Spectrum deployment. The diagram below illustrates the deployment architecture of the configuration we will create. Load balancing can be used to support high availability and scaling. The deployment architecture includes a load balancer, Spectrum spatial services cluster, database and a file share.
With this approach it is possible to scale both horizontally and vertically.

Load Balancer

The load balancer spreads requests between the Spectrum instances. Any load balancer that supports load balancing HTTP/HTTPS requests can be used.

Spectrum Cluster

The cluster is a collection of Spectrum instances with LIM sharing administration, named resources, geographical metadata content and configuration settings. Additional nodes can be added to the cluster for resilience or to deliver support for greater loads. Each node can be scaled vertically through additional hardware resources and/or additional instances should this be required for hardware with massive resources. Spectrum can be configured to use restricted numbers of CPUs.

Database

Spectrum stores named resources (maps, layers, tables and styles), geographic metadata and configuration in a repository. In the default single server installation an embedded database is used to store these resources on the local server. To create a resilient scalable solution this embedded database should be replaced with a resilient independent database. In this release Spectrum supports Oracle, PostgreSQL (PostGIS) and Microsoft SQL Server as repository databases.

In the load balanced configuration Spectrum nodes cache these resources in a local cache and search index in each node in the cluster. When a Spectrum node receives a request it uses the local cache and index to find resources. Named resources can be added through any node in the cluster. Each node keeps its cache current by checking for differences between its local cache and the central database. This check occurs every 2 seconds by default. Time frequency can be configured. This architecture ensures the server delivers high performance transactions and the load on the repository database is kept to a minimum.
If a new Spectrum node is added to the cluster, the cache and index are created automatically. Such a scenario can occur to remedy a node failure or grow the capability of the deployment.

File Share

The file share provides a folder to hold map images generated by Spectrum. When maps are rendered using the web services, the server supports the map images being returned through URLs or returned as a base 64 encoded image. When a URL is returned, the map image is stored as a file and served on request of the URL. To ensure any Spectrum node can return the map image, a file share is used to store the images.

Install Spectrum

In this step we will create a Spectrum deployment. To install Spectrum into your VM instance:

1. Copy the Spectrum Linux installer to the target server with Red Hat operating system.
2. Install Spectrum. For this tutorial we will follow the default installation but not install the license key. The installation guide for UNIX and Linux provides more information on the installation process.
   a) Locate the install.sh installer.
   b) Ensure the user has execute permission:

       chmod a+x install.sh

   c) Execute install.sh:

       ./install.sh

   The installer will walk you through the installation process.
3. Copy the license key into the server/app/import directory of each Spectrum installation.
4. Start Spectrum.

It is possible to install multiple installations of Spectrum on the same operating system. This can be used to provide flexibility when vertically scaling the server. To support multiple installations on the same machine, the hidden file /var/.com.zerog.registry.xml needs to be renamed to enable a new installation to a different folder and port on the same machine.

Spectrum is now installed. The next step is to configure the Spectrum load balanced cluster deployment.

Set Up a Map Image File Share

The file share provides a folder to hold map images generated by Spectrum. Create a shared folder accessible to all Spectrum nodes.
The file share is not required if maps are returned from the web services as base 64 encoded images.

To set up a map image file share:

1. Mount a shared folder on each operating system hosting Spectrum. The commands below mount a drive on a Microsoft Windows Server or network drive supporting CIFS.

    mkdir /mnt/
    mount -t cifs /// /mnt/ -o username=shareuser,password=sharepassword,domain=pbi

2. Set the image share to load at startup in /etc/fstab.

    ///share /path_to/mount cifs username=server_user,password=secret,_netdev 0 0

Configure Spectrum

Once Spectrum is installed, you need to configure your instance before you can replicate it to another virtual machine. If you are not using a virtual machine environment, you will need to perform these steps on each of your Spectrum installations.

Add the Map File Share to Spectrum

1. Modify the Mapping service configuration by pointing to a shared image folder and load balance server. In the ImageCache, change the Directory parameter to a common image directory, and change the AccessBaseURL parameter to the load balancer machine image URL. If using a virtual machine environment, remember this IP address, as you must set the load balancer VM to this IP in the section Set Up Load Balancer on page 65.

    /mnt//images http:///Spatial/images 30 30

2. Set up a symbolic link to enable map images to go to the shared file system.

    cd //server/modules/spatial
    rm -Rf images
    ln -s /mnt//images

Modify the Service Configurations

To modify the service configurations for load balancing:

In each service configuration file, change the RepositoryURL to point to the load balance server repository URL. The RepositoryURL should change to point to the balancer from http:///RepositoryService/rmi to http:///RepositoryService/rmi.
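The fstab entry in Set Up a Map Image File Share stores the share password in /etc/fstab, which is normally readable by every local user; mount.cifs also accepts a credentials= option that points to a file only root can read. The Python check below is an added example, not part of the guide: it flags CIFS entries that carry an inline password and rewrites them to the credentials= form. The host names, mount points and the credentials file path /etc/spectrum-share.cred are constructed for illustration.

```python
"""Added example: find CIFS fstab entries with inline passwords and move
the secrets into a mount.cifs credentials file."""

# mount.cifs option names (and short aliases) that belong in a credentials file.
CRED_KEYS = {
    "username": "username", "user": "username",
    "password": "password", "pass": "password",
    "domain": "domain", "dom": "domain", "workgroup": "domain",
}
SECRET_KEYS = ("password", "pass")

# Constructed sample; hosts and paths are placeholders. The third line follows
# the shape of the tutorial's fstab entry.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
/dev/sda1 / ext4 defaults 1 1
//fileserver.example/share /mnt/images cifs username=server_user,password=secret,_netdev 0 0
//fileserver.example/tabdata /mnt/tab cifs credentials=/etc/spectrum-share.cred,_netdev 0 0
"""


def parse_fstab(text):
    """Yield (line_number, fields) for every non-comment fstab entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            yield line_no, fields


def split_options(opt_field):
    """Split the comma-separated option field into (key, value-or-None) pairs."""
    pairs = []
    for opt in opt_field.split(","):
        key, sep, value = opt.partition("=")
        pairs.append((key, value if sep else None))
    return pairs


def audit_cifs(text):
    """Return one finding per CIFS entry whose options contain a password."""
    findings = []
    for line_no, fields in parse_fstab(text):
        if fields[2] != "cifs":
            continue
        opts = dict(split_options(fields[3]))
        if any(key in opts for key in SECRET_KEYS):
            findings.append({"line": line_no, "mount_point": fields[1],
                             "issue": "inline password"})
    return findings


def harden_entry(line, cred_path):
    """Return (new_fstab_line, credentials_file_text) with secrets moved out."""
    fields = line.split()
    kept, creds = [], {}
    for key, value in split_options(fields[3]):
        if key in CRED_KEYS and value is not None:
            creds[CRED_KEYS[key]] = value
        else:
            kept.append(key if value is None else f"{key}={value}")
    fields[3] = ",".join([f"credentials={cred_path}"] + kept)
    cred_text = "".join(f"{name}={creds[name]}\n"
                        for name in ("username", "password", "domain")
                        if name in creds)
    return " ".join(fields), cred_text


if __name__ == "__main__":
    lines = SAMPLE_FSTAB.splitlines()
    for finding in audit_cifs(SAMPLE_FSTAB):
        print(f"line {finding['line']}: {finding['mount_point']}: {finding['issue']}")
        new_line, cred_text = harden_entry(lines[finding["line"] - 1],
                                           "/etc/spectrum-share.cred")
        print("replace with:", new_line)
        # The credentials file should be owned by root with mode 0600.
        print("credentials file content:")
        print(cred_text, end="")
```

The same credentials= option works with the interactive mount command, which keeps the password out of shell history and the process list.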
Modify Java Properties File

To modify the java properties for Spectrum™ Technology Platform:

1. Modify the java.properties file, located in /server/modules/spatial/java.properties, to point to the load balance server.
2. Change the images.webapp.url and all of the service host and port numbers to point to the load balance server.

Configure Ports for Multiple Spectrum Instances

If you have multiple Spectrum™ Technology Platform instances on a single machine, you must change the port numbers. To change the port numbers for each Spectrum instance:

1. Change all ports in /server/app/conf/spectrum-container.properties to new port values that are not in use. The http port reflects the port number entered in the installer.
2. Update the rmi port in bootstrap.properties in the bin/jackrabbit folder (e.g. 11099). The default is 1099.

Configure Common Repository

The next step is to configure Spectrum to use a common repository database for the cluster. This ensures that named resources, geographic metadata and configuration settings are managed across the cluster. The description below describes how to configure Spectrum to use a common repository database. This tutorial will use a PostgreSQL database. It is possible to use an Oracle or Microsoft SQL Server database.

The repository is installed with a set of named resources, geographic metadata and configuration files. To migrate these resources to the common database repository, the resources need to be exported from the default internal repository database and reimported into the new shared repository database. To provide support for bulk export/import of repository content, the Spectrum repository provides a WebDAV interface.

Bulk Export Using WebDAV

You need to export the contents of the installed repository. This step only needs to be performed once, as the contents of the repository should be the same at this point for all instances of Spectrum.
There are many free WebDAV clients including Microsoft Windows Explorer and GNOME Nautilus. For this Linux focused tutorial we will use GNOME Nautilus to export the resources from Spectrum.

1. Start Spectrum.
2. Connect to Spectrum using WebDAV:
   a) Connect to the WebDAV Directory using GNOME Nautilus.
   b) Select Connect to Server in the Places menu. This will open a File Browser window. The repository is at the following location:

       http://:/RepositoryService/repository/default

3. Copy the content of the repository to a local drive.

Set Up the Common Repository Database

These steps need to be performed on all instances of Spectrum in your load balanced environment:

1. Stop Spectrum.
2. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected database. In this tutorial we are using PostgreSQL JDBC drivers. Copy the //server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to //server/app/lib/postgresql-8.4-701.jdbc4.jar
3. Edit the //server/modules/spatial/jackrabbit/repository.xml file to point the repository to a database and add clustering. There are four separate changes you need to make:
   a) Modify the two FileSystem sections within the Repository and Workspace sections of the file:
   b) Modify the Persistence Manager within the Workspace:
   c) Enable Clustering at the end of the file, right above the tag. Each instance of Spectrum will need to have a distinct id to enable synchronization of clustering to work. The delay defines the time delay for synchronization in milliseconds.
   d) Comment out the DataStore section:
4. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance of Spectrum: repository, version, workspaces.
5. If your PostGIS database has previously had repository content added, you must remove tables from your database so a clean repository can be created. If you are starting with a new database, please make sure the tables do not exist. The following tables need to be removed from the database:

    public.default_names_id_seq
    public.default_binval
    public.default_bundle
    public.default_names
    public.default_refs
    public.rep_fsentry
    public.rep_global_revision
    public.rep_journal
    public.rep_local_revisions
    public.security_binval
    public.security_bundle
    public.security_names
    public.security_refs

Import the Repository Content

Next, import the content of the repository we previously exported back into the repository. This step only needs to be performed on one of the Spectrum instances.

1. Start Spectrum.
2. Copy the previously exported content of the repository back into the repository. First, connect to Spectrum using WebDAV:
   a) Connect to the WebDAV Directory using GNOME Nautilus. Select "Connect to Server..." in the Places menu. This will open a File Browser window. The repository is at the following location:

       http://:/RepositoryService/repository/default

   b) Copy the content to the repository root directory.

Spectrum is now configured and ready to be load balanced.

Shared Spectrum Local Data

If you are using TAB file data on the file system, this data needs to be in a shared location accessible by all instances of Spectrum in the load balanced environment. It is also important to note that all named resources in the repository accessing data on the file system should point to this shared location. Each VM or machine hosting Spectrum needs to have access to the mounted shared drive.
Note: Named resources that point to database tables do not require a shared drive, as the named resources in the repository do not access the data using a file path; rather they use a named connection to the data in the database.

Performance Tuning

See Spectrum Performance Tuning on page 54 for general guidance on optimizing the performance of the Spectrum server.

Set Up Load Balancer

Now that multiple instances of Spectrum are deployed and configured, the instances need to be load balanced. In this tutorial Apache HTTP Server is used as a load balancer. Any load balancer with support for load balancing http requests can be used.

In the Apache HTTP Server configuration (httpd.conf file, e.g., /etc/httpd/conf/) turn on the proxy and load balance modules by adding the following sections at the end of the file. You will need to add the IP addresses for the number of Spectrum instances you have created (replace : with the correct IP address for each VM or system address).
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPreserveHost On

    #Load Balancer Manager
    <Location /balancer-manager>
        SetHandler balancer-manager
        Order deny,allow
        Allow from all
    </Location>

    #MappingService
    <Proxy balancer://Spatial>
        BalancerMember http://:8080/Spatial
        BalancerMember http://:8080/Spatial
        BalancerMember http://:8080/Spatial
        BalancerMember http://:8080/Spatial
    </Proxy>
    ProxyPass /Spatial balancer://Spatial

    #MappingService
    <Proxy balancer://soap>
        BalancerMember http://:8080/soap
        BalancerMember http://:8080/soap
        BalancerMember http://:8080/soap
        BalancerMember http://:8080/soap
    </Proxy>
    ProxyPass /soap balancer://soap

    #RepositoryService
    <Proxy balancer://RepositoryService>
        BalancerMember http://:8080/RepositoryService
        BalancerMember http://:8080/RepositoryService
        BalancerMember http://:8080/RepositoryService
        BalancerMember http://:8080/RepositoryService
    </Proxy>
    ProxyPass /RepositoryService balancer://RepositoryService

    #REST Service
    <Proxy balancer://rest>
        BalancerMember http://:8080/rest
        BalancerMember http://:8080/rest
        BalancerMember http://:8080/rest
        BalancerMember http://:8080/rest
    </Proxy>
    ProxyPass /rest balancer://rest

For load balancing Spectrum, the following modules need to be loaded.

• LoadModule proxy_module modules/mod_proxy.so
• LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
• LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
• LoadModule proxy_http_module modules/mod_proxy_http.so
• LoadModule proxy_connect_module modules/mod_proxy_connect.so

You do not need to perform this task when load balancing with the Apache HTTP Server that ships with CentOS. These modules are loaded by default.

Once you have updated your conf file, save the changes and restart the load balancer. Use the following commands to restart the Apache HTTP Server load balancer:

• service httpd start
• chkconfig httpd on

Note: Sending a request through the load balance server might time out if the firewalls of the Spectrum instances are turned on.
In this scenario, either turn off the firewall on these machines, or modify the service configuration files (e.g., MappingConfiguration) to point to the Spectrum instance for that machine. For instance, change the RepositoryURL from the load balance server http:///RepositoryService/rmi to the local Spectrum instance http:///RepositoryService/rmi.

Chapter 7: Troubleshooting Your System

In this section:

• Rebuilding a Corrupt Repository Index
• Monitoring Memory Usage of a Non-Responsive Server

Rebuilding a Corrupt Repository Index

Sometimes the repository can become corrupt if the server is shut down abruptly or the Java process is killed (manually or due to a power outage). As a result, you may be unable to get resources that were previously searchable, and there will be no errors or warnings in the logs. Once you verify that permission changes are not the cause, rebuild the index to fix this issue:

1. Shut down the server.
2. Delete the index directory at the following locations:
   • \server\modules\spatial\jackrabbit\workspaces\default
   • \server\modules\spatial\jackrabbit\workspaces\security
   • \server\modules\spatial\jackrabbit\repository
3. Restart the server.

Jackrabbit re-creates the index at the above locations while booting. After rebuilding the index, the search works correctly again.

Monitoring Memory Usage of a Non-Responsive Server

If your Spectrum server stops responding, you can follow the steps below to monitor its performance and resource consumption. This monitoring provides information you can use to adjust memory and threading usage.

1. Check whether a service other than the Mapping Service is working. For example, start the Feature Service on the demo page: http://:/Spatial/FeatureService//DemoPage.html. This determines whether the whole server is down or just the Mapping Service.
2. Verify you have enough disk space for both Mapping and MapTiling images to be stored by inspecting the configuration files:
   • Mapping: http://localhost:8080/RepositoryService/repository/default/Configuration/MappingConfiguration under "C:\Program Files\Pitney Bowes\Spectrum/server/modules/spatial/images"
   • MapTiling: "http://localhost:8080/RepositoryService/repository/default/Configuration/MapTilingConfiguration" under ""
3. Stop the Spectrum server.
4. In a text editor, open the java.vmargs file from \Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs.
5. Change the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to -Xmx1536m -Djava.io.tmpdir=../app/tmp. This increases the memory of each spatial remote component to 1.5GB and enables remote components to connect via Jconsole for debugging.
   Note: You can increase memory to 2 GB if you have enough memory on the server (for example, -Xmx2048m).
6. Save the java.vmargs file.
7. Start the server wrapper:
   a) Open a command prompt as Administrator.
   b) Go to the \Pitney Bowes\Spectrum\server\bin\wrapper directory and type wrapper.exe -c. The Spectrum server will start in a few minutes.
8. When the server is started, run the following requests from the demo pages:
   a) Open http://:/Spatial/MappingService/DemoPage.html and run the List Named Maps request.
   b) Open http://:/Spatial/FeatureService/DemoPage.html and run the List Table Names request.
9. Go to \Pitney Bowes\Spectrum\java64\bin and run jconsole.exe.
10. Under Local Process, select the wrapper process.
11. In Jconsole, add a new session and select the Feature Service process.
12. In Jconsole, add a new session and select the Mapping Service process.
13. Leave Jconsole running to monitor the memory, CPU, threads, and so on for the Spectrum Platform wrapper for Feature Service and Mapping Service.
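A check for the Apache HTTP Server configuration given in Set Up Load Balancer (Chapter 6), where the balancer-manager handler is opened with Order deny,allow and Allow from all, so any client that can reach the load balancer can reach the manager page. The Python audit below is an added example, not part of the guide: it parses the container sections, applies the Order/Allow/Deny rules used on the page, and reports manager sections reachable from an outside address. The sample configurations, the admin subnet 10.0.5.0/24 and the probe address 203.0.113.10 are constructed; host names and partial-IP specs in Allow/Deny are not evaluated.

```python
"""Added example: flag balancer-manager sections that outside clients can reach."""
import ipaddress
import re

SECTION_OPEN = re.compile(r"<(\w+)\s+([^>]*)>")
SECTION_CLOSE = re.compile(r"</(\w+)>")

# Constructed sample modelled on the tutorial's directives.
AS_PUBLISHED = """\
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#Load Balancer Manager
<Location /balancer-manager>
SetHandler balancer-manager
Order deny,allow
Allow from all
</Location>
"""

# Constructed hardened variant: manager limited to localhost and an admin subnet.
RESTRICTED = """\
<Location /balancer-manager>
SetHandler balancer-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.0.5.0/24
</Location>
"""


def parse_sections(conf_text):
    """Return sections as dicts; directives outside containers go in 'global'."""
    sections = [{"kind": "global", "arg": "", "directives": []}]
    stack = [sections[0]]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.fullmatch(line)
        if opened:
            sec = {"kind": opened.group(1).lower(),
                   "arg": opened.group(2).strip(), "directives": []}
            sections.append(sec)
            stack.append(sec)
            continue
        if SECTION_CLOSE.fullmatch(line):
            if len(stack) > 1:
                stack.pop()
            continue
        name, _, args = line.partition(" ")
        stack[-1]["directives"].append((name.lower(), args.split()))
    return sections


def _matches(spec, ip):
    """True if an Allow/Deny spec ('all', an IP or a CIDR block) covers ip."""
    if spec.lower() == "all":
        return True
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # host names and partial IPs are not evaluated here


def client_allowed(directives, ip_text):
    """Apply Order/Allow/Deny semantics to a single client address."""
    ip = ipaddress.ip_address(ip_text)
    order, allow, deny = "deny,allow", [], []
    for name, args in directives:
        if name == "order" and args:
            order = "".join(args).lower()
        elif name in ("allow", "deny") and len(args) >= 2 and args[0].lower() == "from":
            (allow if name == "allow" else deny).extend(args[1:])
    allowed = any(_matches(spec, ip) for spec in allow)
    denied = any(_matches(spec, ip) for spec in deny)
    if order == "allow,deny":
        return allowed and not denied  # default deny, Deny wins
    return allowed or not denied       # deny,allow: default allow, Allow wins


def audit(conf_text, outside_ip):
    """Return findings for an address that should not reach the manager."""
    findings = []
    for sec in parse_sections(conf_text):
        directives = sec["directives"]
        if sec["kind"] == "global":
            if any(n == "proxyrequests" and a and a[0].lower() == "on"
                   for n, a in directives):
                findings.append("ProxyRequests On: server acts as a forward proxy")
            continue
        is_manager = any(n == "sethandler" and a and a[0].lower() == "balancer-manager"
                         for n, a in directives)
        if is_manager and client_allowed(directives, outside_ip):
            findings.append(f"<{sec['kind'].capitalize()} {sec['arg']}>: "
                            f"balancer-manager reachable from {outside_ip}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as published", AS_PUBLISHED), ("restricted", RESTRICTED)):
        print(label, "->", audit(conf, "203.0.113.10") or "no findings")
```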
Chapter 8: Appendix - Managing Security with the User Management Service

In this section:

• Introduction
• Managing Users
• Setting User Permissions

Introduction

This chapter provides a basic introduction to the User Management Service. It describes what the User Management Service is and rules for using it.

What Is the User Management Service?

The User Management Service provides a simplified interface to manage security for the repository, focused on how to restrict who can access the resources in the repository. Setting security allows you to expose or restrict different resources (subsets of your data and resources) to different users or departments. To enforce this, security has been added to Spectrum™ Technology Platform that allows you to specify which users get to see what resources.

The Spectrum™ Technology Platform repository security is managed using an internal ACL (Access Control List). This allows you to specify which users are granted access to resources, as well as what operations are allowed on given resources. The operations for repository user management are performed using the User Management SOAP interface.

Service URL Formats

The URL endpoint for the User Management SOAP service has the following general form:

    http://localhost:8080/soap/UserManagementService

The URL for the User Management WSDL has the following general form:

    http://localhost:8080/soap/UserManagementService?wsdl

The URL for the User Management service Demo page has the following general form:

    http://localhost:8080/Spatial/UserManagementService/DemoPage.html

Creating and Managing Users For Spectrum™ Technology Platform

Creating and managing users is a two step process:

1. Create the user using the Spectrum™ Technology Platform Management Console. This allows the user to authenticate with the Spectrum™ Technology Platform services.
2. Give the user permissions using the User Management Service SOAP interface. This allows the user to access resources in the repository.

Note: You do not have to add the admin or guest users to Spectrum™ Technology Platform. These users have already been created.

Rules Using the User Management Service SOAP Interface

The following rules apply when setting permissions for users using the User Management SOAP Interface:

1. You must first have created users in the Spectrum™ Technology Platform Management Console (giving them access to the services).
2. There is a default 'everyone' user group that is applied to resources when you do not specify set permissions. This user group has READ permissions. So all users have READ permissions on a resource unless modified using the User Management SOAP Interface.
3. You need to provide a user read, add, and modify permissions to allow them the ability to add Named Tables using the Management Console, modify any resources in the repository, add or modify any resources using the Named Resource Service, or perform a harvest operation using the CSW Service.
4. You do not have to add the admin or guest users. These users have already been created.
The following permissions are required for performing the following actions, either directly using WebDAV or WebFolder, using the Resource Management service, or harvesting metadata using the CSW service:

Action Read Access a subfolder X Add a subfolder X Remove a subfolder X Add files to a folder X Remove files from a folder X Update files in a folder X Add Remove Modify All X X X X X Modify permissions of a folder X X X

Managing Users

This section describes how to manage users in Spectrum™ Technology Platform, specifically create, modify, and delete users that access the management consoles and services. You must create all users using the Management Console, and set permissions to access the repository using the User Management Service.

Starting the Management Console

Start the Spectrum™ Technology Platform Management Console by selecting Start > Programs > Pitney Bowes > Spectrum™ Technology Platform > Client Tools > Management Console from your desktop.

To connect to the Spectrum™ Technology Platform Management Console:

1. Type in the server name or select it from the drop-down list.
   Note: If you have multiple instances of the Management Console accessing the same Spectrum™ Technology Platform server, it is possible for one user to overwrite another user's changes. Therefore, it is recommended that you do not run multiple instances of the Management Console against the same server.
2. Enter your user name, password, and the port number.
3. Click the Use secure connection box if you want communication between the client and the server to take place over an HTTPS connection.
4. Click Login. If this is your first time connecting, the user will default to "admin" and you must connect with a password.
   Note: The default port number is 8080 for HTTP connections. Use the port number appropriate for your environment. Once you have successfully connected, this value will default for the next connection attempt.
Enabling User Permissions For Consoles

Spectrum™ Technology Platform can enforce permissions on user accounts when accessing the client consoles, providing you with additional control of the actions a user can take.

1. Open the Management Console.
2. Expand Security then click Options.
3. Click the Limit access according to user permissions checkbox to limit access to the permissions established for individual users.

For instructions on defining permissions for each user, see Adding a New User on page 76, Modifying a User on page 76, or Deleting a User on page 76.

Managing User Accounts

This section describes how to create users and set user security privileges for Spectrum™ Technology Platform consoles.

Adding a New User

1. Open the Management Console.
2. Expand Security then click Users.
3. Click Add. The New User window appears.
4. Leave the Enable user box checked if you want this user account to be available for use.
5. Enter the user name in the User name field.
   Note: User names can only contain ASCII characters.
6. Enter the user's password in the Password field.
7. Reenter the user's password in the Confirm password field.
8. Enter the user's email address in the Email address field.
9. Enter a description of the user in the Description field.
10. Select the roles, if any, you want to assign to this user.
11. Click OK.

Modifying a User

1. Open the Management Console.
2. Expand Security then click Users.
3. Select the user whose permissions you want to modify and click Modify. The User Properties window appears, in which you can modify the user name, password, email address, description, and roles.
4. Click OK to save your changes.

Deleting a User

1. Open the Management Console.
2. Expand Security then click Users.
3. From the User Management screen, select the user you want to delete and click Delete.
4. Click Yes to delete or No to cancel.
Note: The admin user account cannot be deleted.

Setting User Permissions

This section introduces the User Management SOAP Interface for managing users and permissions for resources in the repository. This interface allows you to get, set, add, or remove permissions for a user.

Use the demo page for the User Management Service as a quick tool for managing user permissions. Simply modify the sample requests to meet your needs. The User Management Service demo page is located at http://localhost:8080/Spatial/UserManagementService/DemoPage.html

The User Management Service provides the following operations:

GetPermissionsRequest

Returns the permissions for a particular user for a specified repository resource.

Parameters

The following parameters are used:

action
    Example: GetPermissionsRequest
    Description: Specifies the method name to get the permissions for a user.
UserName
    Example: user1
    Description: Specifies the user to return permissions.
ResourcePath
    Example: /NamedTables/WorldTable
    Description: Specifies the resource to return the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/.

Example

The following example returns the permissions on the WorldTable resource for the user user1.

    user1 /Samples/NamedTables/WorldTable

SetPermissionsRequest

Defines the permissions for a particular user for a specified repository resource. When you set permissions, the basic read permissions are always kept for the user; however, any additional permissions that were previously set or added are removed. For example, if you set the modify permission for a user who currently had the all permission, that user will now have only read and modify permissions, and no longer have the all permission.
Parameters

The following parameters are used:

action
    Example: SetPermissionsRequest
    Description: Specifies the method name to set permissions for a user.
UserName
    Example: user1
    Description: Specifies the user to set permissions.
ResourcePath
    Example: /NamedTables/WorldTable
    Description: Specifies the resource to set the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/.
Permissions
    Example: add
    Description: Specifies the permissions. There are five valid permission types: read, all, add, modify, and remove.
Recursive
    Example: false
    Description: Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
    Note: The ability to set permissions on a node or directory is no longer supported.

Example

The following example sets the permissions for user1 on the WorldTable resource to add and modify. After performing this operation, user1 will have read, add, and modify permissions on the WorldTable resource.

    user1 /Samples/NamedTables/WorldTable add modify false

AddPermissionsRequest

Adds new permissions to the user's set of permissions for a specified repository resource. When you add permissions, the existing permissions are always kept for the user, and the new permissions are appended. For example, if you add a modify permission for a user that currently has read and remove permissions, that user will now have read, remove, and modify permissions.

Parameters

The following parameters are used:

action
    Example: AddPermissionsRequest
    Description: Specifies the method name to add permissions for a user.
UserName
    Example: user1
    Description: Specifies the user to add permissions.
ResourcePath
    Example: /NamedTables
    Description: Specifies the resource to add the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/.
Permissions
    Example: add
    Description: Specifies the permissions. There are five valid permission types: read, all, add, modify, and remove.
Recursive
    Example: false
    Description: Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
    Note: The ability to set permissions on a node or directory is no longer supported.

Example

The following example adds the modify permission for user1 on the WorldTable resource.

    user1 /Samples/NamedTables/WorldTable modify false

RemovePermissionsRequest

Removes permissions from the user's set of permissions for a specified repository resource. When you remove permissions, the specified permissions are removed from the existing set of permissions. This is the easiest way to restrict a user from accessing a particular resource. By removing the read permission for a user for a particular repository node or resource, that node or resource cannot be accessed by that user.

Parameters

The following parameters are used:

action
    Example: RemovePermissionsRequest
    Description: Specifies the method name to remove permissions for a user.
UserName
    Example: user1
    Description: Specifies the user to remove permissions.
ResourcePath
    Example: /NamedTables
    Description: Specifies the resource to remove the permissions. The resources specified in resourcePath are listed from the top level of the repository http://localhost:8080/RepositoryService/repository/default/.
Permissions
    Example: read
    Description: Specifies the permissions. By removing the read permission, a user would no longer have access to a resource. There are five valid permission types: read, all, add, modify, and remove.
Recursive
    Example: false
    Description: Specifies if this operation should be performed recursively on all child nodes of the given node in the repository. The default for recursive permission setting is false. If setting permissions on individual resources in the repository, the Recursive option will have no effect.
    Note: The ability to set permissions on a node or directory is no longer supported.

Example

The following example removes the read permission for user1 on the WorldTable resource.

    user1 /Samples/NamedTables/WorldTable read false

Notices

© 2013 Pitney Bowes Software Inc. All rights reserved. MapInfo and Group 1 Software are trademarks of Pitney Bowes Software Inc. All other marks and trademarks are property of their respective holders.

USPS® Notices

Pitney Bowes Inc. holds a non-exclusive license to publish and sell ZIP + 4® databases on optical and magnetic media. The following trademarks are owned by the United States Postal Service: CASS, CASS Certified, DPV, eLOT, FASTforward, First-Class Mail, Intelligent Mail, LACSLink, NCOALink, PAVE, PLANET Code, Postal Service, POSTNET, Post Office, RDI, SuiteLink, United States Postal Service, Standard Mail, United States Post Office, USPS, ZIP Code, and ZIP + 4. This list is not exhaustive of the trademarks belonging to the Postal Service.

Pitney Bowes Inc. is a non-exclusive licensee of USPS® for NCOALink® processing.

Prices for Pitney Bowes Software's products, options, and services are not established, controlled, or approved by USPS® or United States Government. When utilizing RDI™ data to determine parcel-shipping costs, the business decision on which parcel delivery company to use is not made by the USPS® or United States Government.
Data Provider and Related Notices

Data Products contained on this media and used within Pitney Bowes Software applications are protected by various trademarks and by one or more of the following copyrights:

© Copyright United States Postal Service. All rights reserved.
© 2013 TomTom. All rights reserved. TomTom and the TomTom logo are registered trademarks of TomTom N.V.
© Copyright NAVTEQ. All rights reserved.
Data © 2013 NAVTEQ North America, LLC
Source: INEGI (Instituto Nacional de Estadística y Geografía)
Based upon electronic data © National Land Survey Sweden.
© Copyright United States Census Bureau
© Copyright Nova Marketing Group, Inc. Portions of this program are © Copyright 1993-2007 by Nova Marketing Group Inc. All Rights Reserved.
© Copyright Canada Post Corporation. This CD-ROM contains data from a compilation in which Canada Post Corporation is the copyright owner.
© 2007 Claritas, Inc.

The Geocode Address World data set contains data licensed from the GeoNames Project (www.geonames.org) provided under the Creative Commons Attribution License ("Attribution License") located at http://creativecommons.org/licenses/by/3.0/legalcode. Your use of the GeoNames data (described in the Spectrum™ Technology Platform User Manual) is governed by the terms of the Attribution License, and any conflict between your agreement with Pitney Bowes Software, Inc. and the Attribution License will be resolved in favor of the Attribution License solely as it relates to your use of the GeoNames data.

ICU Notices

Copyright © 1995-2011 International Business Machines Corporation and others. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
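Supplementary example for the AddPermissionsRequest and RemovePermissionsRequest operations in the User Management Service appendix: an offline pre-flight check that validates planned requests against the documented parameters and computes the resulting permission set per user and resource. This is added illustration code, not part of the guide or the product; the function names, the reading of "all" as the four specific types, and the leading "/" check are assumptions.

```python
# Added illustration: offline model of the documented permission requests.
VALID_ACTIONS = {"AddPermissionsRequest", "RemovePermissionsRequest"}
VALID_PERMISSIONS = {"read", "all", "add", "modify", "remove"}
# Assumption (not stated in the guide): "all" covers the four specific types.
ALL_EXPANDED = {"read", "add", "modify", "remove"}

def validate(req):
    """Return the problems found in one request (empty list means clean)."""
    problems = []
    if req.get("action") not in VALID_ACTIONS:
        problems.append("unknown action")
    if not req.get("UserName"):
        problems.append("missing UserName")
    # Assumption: paths are written from the repository top level with a leading "/".
    if not str(req.get("ResourcePath", "")).startswith("/"):
        problems.append("ResourcePath not rooted at repository top level")
    if req.get("Permissions") not in VALID_PERMISSIONS:
        problems.append("invalid permission type")
    # Recursive has no effect on individual resources, so "true" signals a
    # request that expects node-level behaviour that is no longer supported.
    if req.get("Recursive", "false") != "false":
        problems.append("Recursive has no effect on individual resources")
    return problems

def apply_requests(requests):
    """Apply clean requests in order; return (effective permissions, rejected)."""
    state, rejected = {}, []
    for req in requests:
        problems = validate(req)
        if problems:
            rejected.append((req, problems))
            continue
        wanted = ALL_EXPANDED if req["Permissions"] == "all" else {req["Permissions"]}
        current = state.setdefault((req["UserName"], req["ResourcePath"]), set())
        if req["action"] == "AddPermissionsRequest":
            current |= wanted      # add to the existing set
        else:
            current -= wanted      # remove from the existing set
    return state, rejected

def can_access(state, user, resource):
    """Access hinges on read: without it the user cannot reach the resource."""
    return "read" in state.get((user, resource), set())

def _req(action, perm, recursive="false"):
    # Constructed sample request for user1 on the guide's WorldTable example.
    return {"action": action, "UserName": "user1", "Permissions": perm,
            "ResourcePath": "/Samples/NamedTables/WorldTable", "Recursive": recursive}

SAMPLE = [_req("AddPermissionsRequest", "all"),
          _req("RemovePermissionsRequest", "read"),
          _req("AddPermissionsRequest", "delete"),          # not a valid type
          _req("AddPermissionsRequest", "read", "true")]    # Recursive misuse
```

Running apply_requests(SAMPLE) leaves user1 with add, modify and remove on WorldTable but no read, which is the state the guide describes as locking the user out of the resource.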