Security Considerations
Security Points Diagram
The following diagram shows the various types of security supported for communication with ThingWorx Analytics.
For more information about specific security considerations, see the sections below.
General Security Measures
When deploying a ThingWorx Analytics Server, especially in a production environment, be sure to observe all best practice security measures. Before making the server or its components accessible to other users, consider the following security measures:
• Change default passwords
• Disable the administrative privileges for SSH access
• Install an IP address-filtering firewall
DataFlowML pipelines communicate over the same TCP ports that ThingWorx Analytics microservers use. The specific ports in use will vary depending on your network configuration. The flow and direction of data is shown in the image above. Ensure that the connection points between systems are adequately protected by firewalls.
Secure Server Deployment
All datasets, services, and results, including those generated from DataFlowML pipelines, are globally available within a specific ThingWorx Analytics Server deployment. Any user with access to the Things that represent the server deployment can access any dataset, service, job, or result. To restrict access to these objects, multiple Analytics Server deployments are necessary. There are two ways to set up multiple deployments:
• Multiple deployments that connect to a single ThingWorx server – In this scenario, use the ThingWorx permissions and visibility functionality to restrict access to the Things associated with each deployment to specific users, groups, and organizations.
• Multiple deployments that each connect to a different ThingWorx server – In this scenario, there should be a one-to-one correspondence between each Analytics Server and its ThingWorx server. Users can only access the Things associated with the deployment they are authenticated through.
Secure HDFS
If you want to restrict access to your HDFS instance, configure it to require authentication via Kerberos. For information about Kerberos authentication setup, see Configure HDFS.
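The following fragment is an added illustration, not part of the PTC documentation or of the Configure HDFS procedure it refers to. It places the default Hadoop setting, under which a client is trusted on the basis of the username it claims, beside the Kerberos-backed setting that the text recommends. The property names are standard Hadoop core-site.xml and hdfs-site.xml keys; the principal name, realm and keytab path are placeholders to be replaced with the values from your own KDC.

```xml
<!-- core-site.xml, default (weak): no authentication, the client-supplied
     username is accepted as-is by the NameNode. -->
<property>
  <name>hadoop.security.authentication</name>
  <value>simple</value>
</property>

<!-- core-site.xml, hardened: every RPC must carry a Kerberos ticket and
     service-level authorization is enforced. -->
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>

<!-- hdfs-site.xml: NameNode service identity. The principal, realm and
     keytab path below are placeholders, not values from this page. -->
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>nn/_HOST@EXAMPLE.REALM</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/etc/security/keytabs/nn.service.keytab</value>
</property>
<!-- Block access tokens so DataNodes also check that a client was
     authorized by the NameNode rather than trusting the client alone. -->
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
```

After switching to `kerberos`, any ThingWorx Analytics component that reads or writes HDFS must itself hold a valid Kerberos credential for the same realm, so plan the principal and keytab distribution for those hosts before enabling the setting cluster-wide.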
TLS Authentication Support
Support is available for two types of TLS authentication, depending on which release and which components of ThingWorx Analytics are deployed:
• Communication between ThingWorx Analytics and the ThingWorx server – TLS protection for this connection has been available since integration with ThingWorx became possible. The Use TLS option is available during Analytics Server installation.
• Communication with the internal ThingWorx Analytics API layer – Beginning in 8.5.0, TLS protection is available for communication directly with the ThingWorx Analytics microservice APIs. This type of TLS authentication also protects internal interactions between the APIs themselves.
ThingWorx Analytics API Key
Beginning in 8.5.0, the internal ThingWorx Analytics API layer is protected by an API Key. No access to the internal APIs is possible without this key. The API Key is generated automatically during installation and, as an added measure of security, the key is also encrypted. For security, the key is not stored in plain text anywhere and it cannot be changed. To update the key, you will need to generate a new one. For more information, see Update a ThingWorx Analytics API Key for a Linux environment or a Windows environment.