Introduction
After FME Flow (formerly FME Server) has been installed, you may wish to perform some additional configurations to enhance the security of your FME Flow deployment. This guide is intended to provide you with the relevant information and to share additional considerations and observations gathered from experience by the FME Flow Technical Support team.
Verify the Installation
Before proceeding with any of the following configurations, we recommend that you verify your FME Flow installation was successful by logging into FME Flow and running a job.
For full instructions on this process, please see Verify the Installation.
If you run into a problem at any step, you should troubleshoot that issue before carrying out additional configurations. We have extensive troubleshooting guides available for each step:
Securing FME Flow Traffic
Configuring for HTTPS
Out-of-the-box FME Flow is accessible over HTTP. For enhanced security, it is recommended to configure FME Flow with HTTPS to encrypt traffic and allow for secure communication over your network. If you plan to implement SAML or Azure AD, this configuration is a requirement.
The steps vary depending on the certificate type and the operating system, but full instructions can be found in Configuring FME Flow for HTTPS.
The HTTPS configuration is a multi-step process that can result in errors. If you encounter an issue, please review FME Flow Troubleshooting: Configuring for HTTPS/SSL.
Using a Reverse Proxy
In addition to, or as an alternative to, configuring FME Flow for HTTPS, you can set up FME Flow behind a reverse proxy. A reverse proxy sits in front of FME Flow, intercepting requests before forwarding them on. This is not necessary but may be a requirement set by your IT department.
Different reverse proxies require different implementations, but some examples are documented in Use a Reverse Proxy with FME Flow.
Using a Forward Proxy
Your organization may have a proxy server on your network for enhanced security. This intermediary server acts as a gateway between your server and the internet. If you have a proxy server and have not set up FME Flow to use it, you will experience issues running certain jobs.
The proxy configuration applies to both the core and engine processes, and in addition to any connections in the workspaces, it includes Web Connection authorization, Azure AD authentication, and the automatic licensing process.
For full instructions on this setup, please see Configuring a System Proxy.
Common issues users have encountered are recorded in FME Flow Troubleshooting: Proxies.
Securing FME Flow User & Data Access
There are a number of configurations on the FME Flow Web UI that Administrators should be aware of. As a best practice, we recommend following these configurations for enhanced security on your FME Flow. Key points have been highlighted below. However, the following guides should be reviewed in full:
User Authentication & Authorization & Permissions
FME Flow provides user-based access. Users can be created on the system or imported from a variety of third-party authentication services, including SAML Identity Providers, Windows, and Azure Active Directory.
For System users, a password policy covering complexity, expiration, and reuse can be enforced.
By default, users can run multiple FME Flow sessions simultaneously. This can be disabled.
Data Encryption
FME Flow stores System user account passwords, tokens, and other passwords. Web connections, database connections, and workspace published parameters are encrypted and stored in the system database. By default, this encryption uses an encryption key that is common to every FME Flow installation, so it is recommended to generate your own custom encryption keys.
For full instructions on how to set this up, see System Encryption.
Note: we do not encrypt customer data used within workspaces or stored in the FME Flow System Share.
Service Accounts
By default, FME Flow Services run under the local system account, which does not have network permissions. The account running the FME Engine Service must have access to your organization's data to run workspaces successfully.
For full instructions on how to set this up, see:
Configuration File Changes
Securing the Web Application Server
FME Flow ships with Apache Tomcat as the FME Flow Web Application Server service. We recommend that you evaluate the following list of known vulnerabilities in Apache Tomcat and perform the remediation steps for enhanced security.
| Summary | Remediation Steps |
|---|---|
| X-Frame-Options header is not enabled | FME Flow Apache Tomcat Vulnerability with X-Frame-Options header |
| HSTS and X-Content-Type-Options headers are not enabled | Enabling HTTP Response Headers to Secure the FME Flow Web Application Server |
| Default error pages information disclosure | FME Flow Apache Tomcat Vulnerability with Default Files [Resolved by default in 2022.2+] |
| AJP Connector is enabled (CVE-2020-1938) | FME Flow Apache Tomcat Vulnerability with AJP Connector [Resolved by default in 2020.0.1+] |
If you have performed a penetration test that has captured a vulnerability not listed above, please contact Safe Software Support and share the summary and description, as well as the CVE #, if applicable, for us to provide further comment.
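The two Tomcat items in the table above that an administrator can verify without a full penetration test are the response headers and the AJP connector. The following script is an added example written for this guide; it is not Safe Software code, and the header values and server.xml fragments it checks are constructed samples. It assumes the Tomcat server.xml layout (a `Connector` element with a `protocol` attribute) and a one-year HSTS `max-age` as the threshold.

```python
"""Audit checks for the Tomcat hardening items listed above:
security response headers and an enabled AJP connector.
Added example, not part of the FME Flow documentation or product."""
import re
import xml.etree.ElementTree as ET

# Header name -> acceptable values (case-insensitive comparison).
REQUIRED_HEADERS = {
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "x-content-type-options": ("nosniff",),
}
HSTS_MIN_MAX_AGE = 31536000  # one year, an assumed threshold


def audit_response_headers(headers: dict, https: bool = True) -> list:
    """Return a list of findings for one HTTP response's headers.
    An empty list means X-Frame-Options, X-Content-Type-Options and
    (for HTTPS) Strict-Transport-Security are present with sane values."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.upper() not in tuple(a.upper() for a in allowed):
            findings.append(f"unexpected {name} value: {value!r}")
    if https:
        hsts = lower.get("strict-transport-security")
        if hsts is None:
            findings.append("missing strict-transport-security")
        else:
            m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
            if not m:
                findings.append("strict-transport-security has no max-age")
            elif int(m.group(1)) < HSTS_MIN_MAX_AGE:
                findings.append(
                    f"strict-transport-security max-age too short: {m.group(1)}")
    return findings


def ajp_connectors_enabled(server_xml: str) -> list:
    """Return (port, address) for every AJP connector in a Tomcat server.xml.
    ElementTree drops XML comments while parsing, so a connector that has
    been commented out (the usual remediation) is not reported."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            found.append((conn.get("port"), conn.get("address")))
    return found


# Constructed sample: a hardened response.
HARDENED_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
# Constructed sample: an out-of-the-box response with none of the headers.
DEFAULT_HEADERS = {"Content-Type": "text/html;charset=UTF-8"}

# Constructed server.xml fragments: AJP connector enabled, then commented out.
SERVER_XML_AJP_ON = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" redirectPort="8443" />
  </Service>
</Server>"""
SERVER_XML_AJP_OFF = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("default", DEFAULT_HEADERS)):
        print(label, audit_response_headers(hdrs) or "OK")
    print("AJP connectors (before):", ajp_connectors_enabled(SERVER_XML_AJP_ON))
    print("AJP connectors (after): ", ajp_connectors_enabled(SERVER_XML_AJP_OFF))
```

To run the header check against a live instance, pass the headers of a response from the FME Flow Web UI (for example from `http.client` or your browser's developer tools) to `audit_response_headers`; if a reverse proxy terminates TLS, check the response as seen by the client, since the proxy may add or strip headers. Tomcat's built-in `HttpHeaderSecurityFilter` (configured in web.xml) is one common way to emit all three headers.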
Other Configurable Parameters
Depending on your installation, some directives in the FME Flow configuration files may benefit from being updated. In this section, you'll find a list of the parameters the FME Server Technical Support team has most commonly seen changed. These parameter changes are optional, depending on your installation.
| Directive | Configuration File | What does it do? |
|---|---|---|
| MAX_FAILED_TRANSACTION_REQUEST_RETRIES | fmeFlowConfig.txt | After FME Flow submits a translation request to an FME Engine, it monitors the connection to that engine until a response is returned. If the connection to the engine is lost, FME Flow resubmits the job. The engine may still be processing the original job, which could result in duplicate job processing. We recommend testing and assessing which behavior is preferred for your organization. [More Information] |
| RECEIVE_TIMEOUT | fmeEngineConfig.txt | By default, an FME Engine waits indefinitely for requests and never shuts down due to a lack of incoming requests. However, in some setups a network monitor shuts down connections that remain inactive beyond a preset period of time, which can cause the Engine to enter a hung state. Setting this directive to a non-zero value forces the Engine to terminate itself after it has not received a translation request for the specified time, breaking it out of the hung state. We recommend testing first and only setting this value if your engines disconnect from the core and do not recover. [More Information] |
| FME_SERVER_PORT_POOL | fmeFlowConfig.txt | For certain processes, a port is used to establish an initial connection, after which another random port is opened for dedicated communication, freeing up the original port to connect with other services. You may need to define a dedicated pool of ports that FME Flow can use for this random port assignment. If you have distributed engines, we recommend setting this directive. [More Information] |
What's Next?
After reviewing all of the post-installation configurations, establishing a regular backup schedule for the FME Flow configuration is a best practice. This is particularly important if you are planning for disaster recovery. To get started, we recommend enabling a daily schedule to perform this task; see Performing a Scheduled Backup of an FME Flow Configuration. For further guidance, see FME Flow Administration: Backup, Migrations and Upgrades.