Security Overview
Security Points Diagram
The following diagram shows the various types of security supported for communication with ThingWorx Analytics.
For more information about specific security considerations, see the sections below.
General Security Measures
When deploying Analytics functionality, especially in a production environment, be sure to observe all best practice security measures. Before making the server or its components accessible to other users, consider the following security measures:
• Change default passwords
• Disable root or Administrator login for SSH access
• Install an IP address-filtering firewall
If integrating with ThingWorx, it is recommended that all components run in the same security zone or subnet where the ThingWorx server is running.
Secure Server Deployment with ThingWorx
All datasets, services, and results are globally available within a specific ThingWorx Analytics deployment. Any user with access to the Things that represent the server deployments can access any dataset, service, job, or result. To restrict access to these objects, multiple ThingWorx Analytics deployments are necessary. There are two ways to set up multiple deployments:
• Multiple deployments that connect to a single ThingWorx server – In this scenario, use the ThingWorx permissions and visibility functionality to restrict access to Things associated with each deployment to specific users, groups, and organizations.
• Multiple deployments that each connect to a different ThingWorx server – In this scenario, there should be a one-to-one correspondence between ThingWorx Analytics and the ThingWorx server. Users would only be able to access the Things associated with the deployment they are authenticated through.
SSL Authentication Support
Support is available for two types of SSL authentication, depending on which release and which components of ThingWorx Analytics are deployed:
• Communication with the internal ThingWorx Analytics API layer – Beginning in 8.5.0, SSL protection is available for communication with the ThingWorx Analytics microservice APIs. This type of SSL authentication also protects internal interactions between the APIs themselves. For more information, see SSL Support for Analytics Server APIs.
• Communication between ThingWorx Analytics and the ThingWorx server – SSL protection for this connection has been available since integration with ThingWorx became possible. The option to use SSL is available during both Analytics Server and Platform Analytics installations. For more information, see SSL Support for ThingWorx.
ThingWorx Analytics API Key
Beginning in 8.5.0, the internal ThingWorx Analytics API layer is protected by an API Key. No access to the internal APIs is possible without this key. The API Key is generated automatically during installation and, as an added measure of security, the key is also encrypted. For security, the key is not stored in plain text anywhere and it cannot be changed. To update the key, you will need to generate a new one. For more information, see Update a ThingWorx Analytics API Key for a Linux environment or a Windows environment.