FME Flow Administration: Post-Installation Configurations

Liz Sanderson

Introduction

After FME Flow (formerly FME Server) has been installed, you may wish to perform some additional configurations to harden the installation. This guide collects the relevant information in one place and adds considerations and observations drawn from the experience of the FME Flow Technical Support team.
 

Verify the Installation

Before proceeding with any of the following configurations, we recommend that you verify your FME Flow installation was successful by logging into FME Flow and running a job. 

For full instructions on this process, please see Verify the Installation.

If you run into a problem at any step, troubleshoot that issue before carrying out additional configurations; a hardening step applied on top of a broken installation only makes the fault harder to isolate. Extensive troubleshooting guides are available for each step:

 

Securing FME Flow Traffic

Configuring for HTTPS

Out of the box, FME Flow is accessible over plain HTTP, so credentials, tokens, and job data cross the network unencrypted. For enhanced security, configure FME Flow for HTTPS to encrypt traffic and allow secure communication over your network. If you plan to implement SAML or Azure AD authentication, HTTPS is a requirement, not an option.

The steps vary depending on the certificate type and the operating system, but full instructions can be found in Configuring FME Flow for HTTPS.

The HTTPS configuration is a multi-step process that can result in errors. If you encounter an issue, please review FME Flow Troubleshooting: Configuring for HTTPS/SSL.


Using a Reverse Proxy 

In addition to, or as an alternative to, configuring FME Flow for HTTPS, you can place FME Flow behind a reverse proxy. A reverse proxy sits in front of FME Flow, intercepting client requests before forwarding them on. This is not required, but it may be a requirement set by your IT department. Keep in mind that if the proxy terminates TLS, the hop between the proxy and FME Flow is still plain HTTP unless FME Flow itself is also configured for HTTPS.

Different reverse proxies require different implementations, but some examples are documented in Use a Reverse Proxy with FME Flow.


Using a Forward Proxy 

Your organization may route outbound traffic through a forward proxy server for enhanced security. This intermediary server acts as a gateway for traffic from your server out to the internet. If a proxy is in place and FME Flow has not been set up to use it, jobs and services that need to reach external resources will fail.

The proxy configuration applies to both the Core and Engine processes. Beyond any connections made from within workspaces, it covers Web Connection authorization, Azure AD authentication, and the automatic licensing process.

For full instructions on this setup, please see Configuring a System Proxy.

Common issues users have encountered are recorded in FME Flow Troubleshooting: Proxies.


Securing FME Flow User & Data Access

There are a number of settings in the FME Flow Web UI that administrators should be aware of. As a best practice, we recommend applying these settings for enhanced security on your FME Flow. Key points are highlighted below; however, the following guides should be reviewed in full:


User Authentication, Authorization & Permissions

FME Flow provides user-based access control. Users can be created locally on the system or imported from a variety of third-party authentication services, including SAML identity providers, Windows, and Azure Active Directory.

For System users, a password policy can be enforced, covering complexity, expiration, and reuse of previous passwords.

By default, a user can hold multiple FME Flow sessions simultaneously. This can be disabled so that a new login invalidates the previous session.


Data Encryption

FME Flow holds a number of secrets: System user account passwords and tokens, and the credentials stored in web connections, database connections, and workspace-published parameters. These are encrypted and stored in the FME Flow System Database. By default, that encryption uses a key that is common to every FME Flow installation, so it offers no protection against anyone who can obtain a copy of FME Flow; it is recommended to generate your own custom encryption key.

For full instructions on how to set this up, see System Encryption.

Note: customer data used within workspaces or stored in the FME Flow System Share is not encrypted by FME Flow.


Service Accounts

By default, the FME Flow Services run under the Local System account, which has no access to network shares. The account running the FME Engine Service must be able to read your organization's data (and write to any output locations) for workspaces to run successfully, so a dedicated service account with only those permissions is the usual choice.

For full instructions on how to set this up, see:


Configuration File Changes

Securing the Web Application Server

FME Flow ships Apache Tomcat as its web application server (the FME Flow Web Application Server service). We recommend that you evaluate the following list of known findings against the bundled Tomcat, most of which are configuration weaknesses that vulnerability scanners routinely flag, and perform the remediation steps for enhanced security.
 

Summary of each finding, followed by the guide containing its remediation steps:

• X-Frame-Options header is not enabled: FME Flow Apache Tomcat Vulnerability with X-Frame-Options header
• HSTS and X-Content-Type-Options headers are not enabled: Enabling HTTP Response Headers to Secure the FME Flow Web Application Server
• Default error pages disclose information: FME Flow Apache Tomcat Vulnerability with Default Files (resolved by default in 2022.2+)
• AJP Connector is enabled (CVE-2020-1938, "Ghostcat"): FME Flow Apache Tomcat Vulnerability with AJP Connector (resolved by default in 2020.0.1+)
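As an added example (not part of the original article and not a tool from Safe Software), the following POSIX shell function checks a captured HTTP response for the three headers covered by the findings above, so you can confirm the remediation took effect and re-check it after upgrades. The sample responses are constructed inline for illustration, and the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article or from Safe Software.
# Reads the raw headers of one HTTP response on stdin and prints, one per
# line, the hardening headers from the findings above that are absent.
# Returns 0 when all are present and 1 when at least one is missing.

# Headers the remediation guides say the FME Flow web application server
# should send.
REQUIRED_HEADERS="Strict-Transport-Security X-Frame-Options X-Content-Type-Options"

missing_security_headers() {
    # Header field names are case-insensitive, and both Tomcat and curl emit
    # CRLF line endings, so drop the CR before matching on line starts.
    hdrs=$(tr -d '\r')
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample responses (not captured from a real server).
# 1) What an unhardened Tomcat typically returns: no security headers at all.
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Length: 1024'

# 2) The same response after the remediation steps have been applied.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Length: 1024'

# 3) An HTTP/2 response as curl prints it (lower-case names, CRLF endings)
#    with two headers set but HSTS absent, which is what you see when the
#    server saw the request as plain HTTP behind a TLS-terminating proxy.
H2_RESPONSE=$(printf 'HTTP/2 200\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\n')

for body in "$DEFAULT_RESPONSE" "$HARDENED_RESPONSE" "$H2_RESPONSE"; do
    echo "== missing headers =="
    printf '%s\n' "$body" | missing_security_headers && echo "(none)"
done

# Usage against a live server (hostname is a placeholder; test the HTTPS URL):
#   curl -sSI https://fmeflow.example.com/ | missing_security_headers
```

Check the HTTPS URL rather than the HTTP one: if the headers are enabled through Tomcat's HttpHeaderSecurityFilter, it adds Strict-Transport-Security only to requests Tomcat considers secure, so behind a TLS-terminating reverse proxy the forwarded requests must be marked secure (for example via the connector's secure attribute or a RemoteIpValve) or HSTS will silently be missing. Names are matched case-insensitively because curl prints HTTP/2 response headers in lower case.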


If you have performed a penetration test that has captured a vulnerability not listed above, please contact Safe Software Support and share the summary and description, as well as the CVE #, if applicable, for us to provide further comment.  


Other Configurable Parameters

Depending on your installation, some directives in the FME Flow configuration files may benefit from being updated. This section lists the parameters the FME Flow Technical Support team most commonly sees adjusted. These changes are optional and depend on your environment.

For each directive: the configuration file it lives in, and what it does.

Directive: MAX_FAILED_TRANSACTION_REQUEST_RETRIES
Configuration file: fmeFlowConfig.txt
After FME Flow submits a translation request to an FME Engine, it monitors the connection to that engine until a response is returned. If the connection to the engine is lost, FME Flow resubmits the job. The engine may still be processing the original job, which can result in duplicate job processing. We recommend testing and assessing which behavior your organization prefers before changing this value.

Directive: RECEIVE_TIMEOUT
Configuration file: fmeEngineConfig.txt
By default, an FME Engine waits indefinitely for requests and never shuts down for lack of incoming requests. In some setups, however, a network monitor closes connections that stay inactive beyond a preset period, which can leave the Engine in a hung state. Setting this directive to a non-zero value forces the Engine to terminate itself after it has received no translation request for the specified time, breaking it out of the hung state so it can be restarted. We recommend testing first and setting this value only if you find that engines disconnect from the Core and do not recover.

Directive: FME_SERVER_PORT_POOL
Configuration file: fmeFlowConfig.txt
For certain processes, a fixed port is used to establish the initial connection, after which another random port is opened for dedicated communication, freeing the original port to accept other services. You may need to define a dedicated pool of ports that FME Flow can use for this random port assignment, for example so that firewall rules between hosts can be kept narrow. If you have distributed engines, we recommend setting this directive.

 

What's Next?

After reviewing all of the post-installation configurations, establish a regular backup schedule for the FME Flow configuration; this is best practice, and it is particularly important if you are planning for disaster recovery. To get started, we recommend enabling a daily schedule for this task, as described in Performing a Scheduled Backup of an FME Flow Configuration. For further guidance, see FME Flow Administration: Backup, Migrations and Upgrades.
