Spectrum Spatial Administration Guide -...

Spectrum™ Technology PlatformVersion 9.0

Spectrum Spatial Administration Guide

Contents

Chapter 1: Introduction.......................................................................................7Welcome and Overview........................................................................................8

Chapter 2: Configuring Your System................................................................9Changing the Default Port Number for Spectrum Spatial...............................10Changing Your Repository Database................................................................11

Set Up a PostgreSQL Repository Database .............................................11Set Up an Oracle Database .......................................................................13

Accessing the Repository using WebDAV........................................................14Reload the Service Configuration using JMX Console...............................14

Uploading and Accessing Resources using Third Party Tools......................15Using WebFolders to Access the Repository Resources...........................15Using DAVExplorer to Access the Repository Resources..........................15

Configuring the Web Services...........................................................................17About Web Service Configurations.............................................................17How to Change Web Service Configuration Settings.................................17

Running Spectrum™ Technology Platform as a Linux Service......................17How to Run Spectrum™ Technology Platform as a Linux Service.............18PBSpectrum Script.....................................................................................18

Chapter 3: Managing Security..........................................................................21Security for the Spectrum™ Technology Platform...........................................22

Security Model............................................................................................22Users..........................................................................................................23Roles..........................................................................................................25Secured Entity Overrides............................................................................28

Security for the Location Intelligence Module..................................................29Example: Overriding Permissions at the Role Level..................................31Example: Overriding Permissions at the User Level..................................34Creating a Named Resources Administrator..............................................36Creating a Spatial Dataflow Designer.........................................................37Turning off Security for Services and the Repository.................................38

Disabling Platform Security Versus Turning Off Spatial Security..................40Limiting Server Directory Access......................................................................40

Configuring HTTPS Communication.................................................................42

Chapter 4: Monitoring Your System................................................................45Event Log.............................................................................................................46

Viewing the Event Log................................................................................46Setting Event Log Options..........................................................................46

Spatial Logging...................................................................................................47Configuring E-mail Notification.........................................................................49Configuring License Expiration Notification....................................................49Viewing Version Information..............................................................................50Viewing and Exporting License Information....................................................50Monitoring Performance.....................................................................................50Monitoring Memory Usage.................................................................................51

Chapter 5: Managing Memory and Threading................................................53Introduction to Managing Memory and Threading...........................................54Spectrum Performance Tuning..........................................................................54

JVM Tuning.................................................................................................54Remote Components Configuration...........................................................54

Increasing Heap Memory for Spatial Components..........................................55Increasing Heap Memory for the Platform........................................................55

Chapter 6: Load Balancing Spatial Services Tutorial....................................57About this Tutorial ..............................................................................................58Deployment Architecture ...................................................................................58Install Spectrum..................................................................................................60Set Up a Map Image File Share..........................................................................60Configure Spectrum............................................................................................61

Add the Map File Share to Spectrum.........................................................61Modify the Service Configurations..............................................................61Modify Java Properties File........................................................................62Configure Ports for Multiple Spectrum Instances.......................................62

Configure Common Repository.........................................................................62Bulk Export Using WebDAV........................................................................62Set Up the Common Repository Database ...............................................63Import the Repository Content....................................................................64

Shared Spectrum Local Data.............................................................................65Performance Tuning............................................................................................65Set Up Load Balancer.........................................................................................65

Chapter 7: Troubleshooting Your System.......................................................69Rebuilding a Corrupt Repository Index............................................................70Monitoring Memory Usage of a Non-Responsive Server................................70

Spectrum™ Technology Platform 9.04

Chapter 8: Appendix - Managing Security with the User ManagementService................................................................................................................73

Introduction..........................................................................................................74What Is the User Management Service?....................................................74Service URL Formats.................................................................................74Creating and Managing Users For Spectrum™ Technology Platform........74Rules Using the User Management Service SOAP Interface....................75

Managing Users...................................................................................................75Starting the Management Console.............................................................75Enabling User Permissions For Consoles..................................................76Managing User Accounts...........................................................................76

Setting User Permissions...................................................................................77GetPermissionsRequest.............................................................................77SetPermissionsRequest.............................................................................78AddPermissionsRequest............................................................................79RemovePermissionsRequest.....................................................................80

5Spectrum Spatial Administration Guide

1Introduction

In this section:

• Welcome and Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Welcome and OverviewWelcome to the Spectrum Spatial Administration Guide. This guide will help you build a web mappingapplication or embed mapping in an existing application using a variety of web services, capabilities,tools and sample code.

Addressed in this guide are:

• Configuring your system by changing the default port number or repository database; accessing therepository; accessing and uploading resources; configuring web services; and running Spectrum™

Technology Platform as a Linux service• Managing security using the Management Console, including how to add users and roles, as well ashow to apply security entity overrides

• Monitoring your system, including logging, viewing version and license information, using the JMXConsole to monitor performance, and monitoring memory usage

• Managingmemory and threading, including JVM performance tuning, adjusting pool size, and increasingheap memory

• Load balancing spatial services for resilience or high capacity• Troubleshooting your system, including rebuilding a corrupt repository index and monitory memoryusage of a non-responsive server

• Managing security using the User Management Service (deprecated for the next release)

Additional Spectrum™ Technology Platform and Location Intelligence Module documentation is locatedonline at support.pb.com.


Welcome and Overview

http://support.pb.com/ekip/index?page=product_content&cat=SC_SPECTRUM_TECHNOLOGY_PLATFORM

2Configuring Your System

In this section:

• Changing the Default Port Number for Spectrum Spatial .10• Changing Your Repository Database . . . . . . . . . . . . . . . .11• Accessing the Repository using WebDAV . . . . . . . . . . . .14• Uploading and Accessing Resources using Third Party

Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15• Configuring the Web Services . . . . . . . . . . . . . . . . . . . . . .17• Running Spectrum™ Technology Platform as a Linux

Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Changing the Default Port Number for SpectrumSpatial

After you install the Spectrum™ Technology Platform, you can change the default port settings that wereassigned during installation by manually editing the global, startup, and individual service configurationfiles (particularly the port of the repository). There are several reasons for needing to change the defaultport number:

• Currently, the silent installer for Spectrum does not allow you to specify the port; it can only be specifiedafter the install.

• A port conflict occurs after the install.• You need a proxy on port 8080 but have a limited number of ports to expose externally, so you wouldlike to move Spectrum without re-creating all your settings and data flows.

• You want to try out a new version of Spectrum without removing your old one. Since you cannot installthem both, you can turn off the existing one and put down a Spectrum image which uses a differentport.

This task is only for experienced administrators who have application server experience changingport numbers, as network port conflicts can result in module components failing to start up. One

Note:

indication that a component has failed to start up is if it does not appear in the ManagementConsole. To troubleshoot the problem, look at the Spectrum Spatial server log file. This log showswhich port is causing the problem. You can find the Spectrum Spatial Server log file in: [installfolder]\server\app\repository\logs\server.log. The install folder default is C:\Program Files\PitneyBowes\Spectrum.

To change the default port number, you can either copy the entire configuration folder then edit the fileslocally, or you can edit the configuration files in place. If you copy locally, you cannot put the configurationfolder back while the server is running; you must restart all the Spatial services after making the changes.If you edit in place, you do not need to stop the server; however, the changes will not take effect untilyou restart the server.

The following network ports are used by default:

DescriptionPropertyPort

This port is used by the Spectrum™

Technology Platform server's internalconfiguration database.

spectrum.orientdb.binary.port2424-2430



spectrum.orientdb.hazelcast.port2434



spectrum.orientdb.http.port2480-2486

This port is used by Hazelcast formanaging distributed processing

spectrum.hazelcast.port5701

between Spectrum™ TechnologyPlatform servers in a cluster.

The port used for communicationbetween the server and Enterprise

spectrum.http.port8080

Designer, Management Console, andInteractive Driver. This port is also usedby web services.


Changing the Default Port Number for Spectrum Spatial

DescriptionPropertyPort

This port is used for API calls made toservices.

spectrum.socketgateway.port10119

To change the default port number, with Spectrum™ Technology Platform running:

1. Decide whether to edit a local copy of the configuration files or in place. If you are going to edit theconfiguration files locally, use WebDAV to copy the Configuration folder from the repository to a localdisk.

2. Edit all the configuration files (either in place or in a local copy) by changing all the ports.

There are other ports besides the repository port (for example, where the map images getaccessed, the access port for WMS,WFS, and CSW). Change all references to the new port.

Note:

3. Stop the Spectrum server (via the tray control or services.msc).4. Update the spectrum-container.properties file in [install folder]\server\app\conf (for example,

C:\Program Files\Pitney Bowes\Spectrum\server\app\conf):

# Server ports

spectrum.http.port=8080

5. Update the java.properties file for Spatial in [install folder]\server\modules\spatial (for example,C:\Program Files\Pitney Bowes\Spectrum\server\modules\spatial. Change all references to portnumbers for each service.

6. Restart Spectrum.

• If you edited the configuration files in place everything should be working.• If you edited locally, Spectrum should be working but not much of Spectrum Spatial will be working,since all the repository URL ports have the old values.

1. Copy in the entire Configuration folder or its files from local copy to the Configuration folder ofthe repository via WebDAV.

2. Restart the Spatial services via JMX (one by one) or restart the server.

Changing Your Repository DatabaseSpectrum stores named resources (maps, layers, tables and styles), geographic metadata andconfiguration in a repository. In the default single server installation an embedded database is used tostore these resources on the local server. There are several reasons you may need to use a databaseother than the embedded Derby database:

• To create a scalable solution that uses a resilient independent database.• To use an in-house database preferred or dictated by your company.

In this release, Spectrum supports Oracle, PostGreSQL(PostGIS) andMicrosoft SQL Server as repositorydatabases.

Set Up a PostgreSQL Repository DatabaseThese steps describe how to set up your repository on a PostgreSQL database:

1. Copy all resources to a local folder using WebDAV.2. Back up the folder /<spectrum root>/server/modules/spatial/jackrabbit to a local directory or disk.3. Stop Spectrum.4. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected

database.


Chapter 2: Configuring Your System

Copy the /<spectrum root>/server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to /<spectrumroot>/server/app/lib/postgresql-8.4-701.jdbc4.jar.

5. Edit the /<spectrum root>/server/modules/spatial/jackrabbit/repository.xml file to point the repositoryto a database and add clustering. There are four separate changes you need to make:a) Modify the two FileSystem sections within the Repository and Workspace sections of the file:

<FileSystem class="org.apache.jackrabbit.core.fs.db.DbFileSystem"><param name="driver" value="org.postgresql.Driver"/><param name="url"

value="jdbc:postgresql://<hostname>:<port>/<databasename>"/><param name="schema" value="postgresql"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="schemaObjectPrefix" value="rep_"/></FileSystem>

b) Modify the Persistence Manager within the Workspace:

<PersistenceManagerclass="org.apache.jackrabbit.core.persistence.bundle.PostgreSQLPersistenceManager">

<param name="url"value="jdbc:postgresql://<hostname>:<port>/<databasename>"/>

<param name="schema" value="postgresql"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="schemaObjectPrefix" value="${wsp.name}_"/><param name="externalBLOBs" value="false"/></PersistenceManager>

c) Enable Clustering at the end of the file, right above the </Repository> tag. Each instance ofSpectrum will need to have a distinct id to enable synchronization of clustering to work. The delaydefines the time delay for synchronization in milliseconds.

<Cluster id="node1" syncDelay="2000"><Journal class="org.apache.jackrabbit.core.journal.DatabaseJournal">

<param name="revision" value="${rep.home}/revision.log" /><param name="driver" value="org.postgresql.Driver" /><param name="url"

value="jdbc:postgresql://<hostname>:<port>/<databasename>" /><param name="schema" value="postgresql"/><param name="schemaObjectPrefix" value="rep_"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="databaseType" value="postgresql"/></Journal></Cluster>

d) Comment out the DataStore section:

<DataStore class="org.apache.jackrabbit.core.data.FileDataStore"/>

6. Restore the resources by copying them from the local folder into the Repository using WebDAV.7. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance

of Spectrum: repository, version, workspaces.8. If your PostgreSQL database has previously had repository content added, you must remove tables

from your database so a clean repository can be created. If you are starting with a new database,please make sure the tables do not exist. The following tables need to be removed from the database:

public.default_names_id_seqpublic.default_binvalpublic.default_bundlepublic.default_namespublic.default_refs


Changing Your Repository Database

public rep_fsentrypublic.rep_global_revisionpublic.rep_journalpublic.rep_local_revisionspublic.security_binvalpublic.security_bundlepublic.security_namespublic.security_refs

Set Up an Oracle DatabaseThese steps describe how to set up your repository on an Oracle database:

1. Copy all resources to a local folder using WebDAV.2. Back up the folder /<spectrum root>/server/modules/spatial/jackrabbit to a local directory or disk.3. Stop Spectrum.4. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected

database.

Copy the /<spectrum root>/server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to /<spectrumroot>/server/app/lib/postgresql-8.4-701.jdbc4.jar.


<FileSystem class="org.apache.jackrabbit.core.fs.db.OracleFileSystem">

<param name="driver" value="oracle.jdbc.OracleDriver" /><param name="url"

value="jdbc:oracle:thin:@//<hostname>:<port>/<databasename>" /><param name="user" value="<user>" /><param name="password" value="<pwd>" /><param name="schema" value="oracle"/><param name="schemaObjectPrefix" value="rep_"/><param name="tableSpace" value=""/>

</FileSystem>


<PersistenceManagerclass="org.apache.jackrabbit.core.persistence.pool.OraclePersistenceManager">

<param name="driver" value="oracle.jdbc.OracleDriver" /><param name="url"

value="jdbc:oracle:thin:@//<hostname>:<port>/<databasename>" /><param name="user" value="<user>" /><param name="password" value="<pwd>" /><param name="schema" value="oracle"/><param name="schemaObjectPrefix" value="${wsp.name}_"/><param name="tableSpace" value=""/><param name="externalBLOBs" value="false"/>

</PersistenceManager>


<Cluster id="node1" syncDelay="2000"><Journal

class="org.apache.jackrabbit.core.journal.OracleDatabaseJournal"><param name="driver" value="oracle.jdbc.OracleDriver" /><param name="url"

value="jdbc:oracle:thin:@//<hostname>:<port>/<databasename>" />



<param name="user" value="<user>" /><param name="password" value="<pwd>" /><param name="databaseType" value="oracle"/><param name="revision" value="${rep.home}/revision.log" />

</Journal></Cluster>



6. Restore the resources by copying them from the local folder into the Repository using WebDAV.7. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instance

of Spectrum: repository, version, workspaces.8. If your Oracle database has previously had repository content added, you must remove tables from

your database so a clean repository can be created. If you are starting with a new database, pleasemake sure the tables do not exist. The following tables need to be removed from the database:

public.default_names_id_seqpublic.default_binvalpublic.default_bundlepublic.default_namespublic.default_refspublic rep_fsentrypublic.rep_global_revisionpublic.rep_journalpublic.rep_local_revisionspublic.security_binvalpublic.security_bundlepublic.security_namespublic.security_refs

Accessing the Repository using WebDAVConfiguration files are pre-loaded in the repository for each service. These configuration files are locatedat http://localhost:8080/RepositoryService/repository/default/Configuration/.

To configure the services, you must use a WebDAV protocol tool to access the JCR repository, makechanges to the configuration file, and reload the configuration using the JMX Console. There are manytools available to accomplish the WebDAV connection tasks. We have provided examples usingWebFolders and DAVExplorer.

Reload the Service Configuration using JMX ConsoleOnce you have modified a service configuration, you must reload the configuration in the repositoryusing the JMX Console. The JMX console allows you to reload and administer a service, without havingto restart the application container.

To reload the service configuration:

1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/2. Under the Domain: Spatial section, select the administration link for the service. For example,

Spatial:name=Administration,type=WMS Service.3. Click the Invoke button for the reloadConfiguration operation.

You will get a message on the status of the invocation.


Accessing the Repository using WebDAV

http://localhost:8080/RepositoryService/repository/default/Configuration/

http://localhost:8080/jmx-console/

Uploading and Accessing Resources using ThirdParty Tools

Named resource files are stored in the repository. A number of sample files that ship with Spectrum™

Technology Platform are located athttp://localhost:8080/RepositoryService/repository/default/Samples under a particular folder. Forexample:

• NamedLayers• NamedMaps• NamedStyles• NamedTables• NamedTiles

For your own named resources, you can create any folder name you wish.

You can access these files manually using a WebDAV compliant tool. This section describes the manualmethod. To access resources manually, you must use a WebDAV protocol tool to access the JCRrepository. There are many tools available to add and access resources in the repository using theWebDAV. We have provided two examples:

Using WebFolders to Access the Repository ResourcesTo add or modify a resource, you must copy the resource to or from the repository using a WebDAVtool. Using WebFolders is an easy way to access the repository and the resources contained in therepository.

WebFolders is for Windows machines only. To access the repository, you must be on the samemachine where Spectrum™ Technology Platform and the repository are installed.

Note:

To configure a WebFolder on Windows 7:

1. Using Windows Explorer, select Map Network Drive...

2. In the pop-up window, click on the link 'Connect to a website...' to open the Add NetworkLocation Wizard.

3. Click Next and select Choose a custom network location. Click Next.4. In the Internet or network address field add the repository URL; for example,

http://localhost:8080/RepositoryService/repository/default/. Click Next.5. Enter your credentials (username and password) if you are prompted for them.6. Give this connection a name; for example, Spectrum Spatial Repository. Click Next.

Once finished, you will have a folder connection to the contents of the repository under your networkplaces.

The WebFolder connection to the repository can be used like any other Windows Explorer folder.

Using DAVExplorer to Access the Repository ResourcesTo add or modify a resource, you must copy the resource to or from the repository using a WebDAVtool. Using DAVExplorer is an easy way to access the repository and the resources contained in therepository. DAVExplorer is a freely available WebDAV client application. This software is available fromhttp://www.davexplorer.org.

DAVExplorer is for Windows machines only. To access the repository, you must be on the samemachine where Spectrum™ Technology Platform and the repository are installed.

Note:

To get or add resources from the repository using DAVExplorer, use the following instructions:



http://localhost:8080/RepositoryService/repository/default/Samples

http://www.davexplorer.org/

Getting Resources From the Repository Using DAVExplorerUse the following steps to get resources from the repository using DAVExplorer:

1. Open DAVExplorer.2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the

Connect button.

For example, enter localhost:8080/RepositoryService/repository/default/. (Notethat DAVExplorer prepends http:// automatically.)

If prompted, enter the admin/admin login name and password required to connect to the repository.

Once you are connected to the repository, a node for the repository appears in the treeview paneon the left.

3. In the treeview pane on the left, expand the nodes under the repository node until you see the nodethat contains the type of resource you want to get.

For example, if the named resource you want to get is a configuration, expand the repository nodesuntil you see the Configuration node. Click on the node to select it. The named configurationresources in the repository are then listed in the right pane.

4. In the right pane, click on the resource you want to get.

You may click on any of the fields of the named resource to select it.

5. On the File menu, select Get File.

The Save As dialog box opens.

6. In the Save As dialog box, enter a name for the named resource definition file and select the directoryin which you want to save it, then click the Save button.

The selected named resource definition file is saved to the selected file location.

You should always save the resource as the same name as it appears in the repository. Byusing this technique, you will never have a conflict when adding the resource back to therepository.

Note:

Adding Resources to the Repository Using DAVExplorerUse the following steps to add resources to the repository using DAVExplorer:

1. Open DAVExplorer.2. In DAVExplorer, enter the URL of the Spectrum™ Technology Platform repository and click the

Connect button.

For example, enter localhost:8080/RepositoryService/repository/default/. (Notethat DAVExplorer prepends http:// automatically.)

If prompted, enter the admin/admin login name and password required to connect to the repository.

Once you are connected to the repository, a node for the repository appears in the treeview paneon the left.

3. In the treeview pane on the left, expand the nodes under the repository node until you see the nodethat corresponds to the type of resource you are adding.

For example, if you are adding a configuration resource, expand the repository nodes until you seethe Configuration node. Click on the node to select it.

4. On the File menu, select Write File.

The Write File dialog box opens.

5. In the Write File dialog box, select the definition file of the resource you want to add to the repository,then click the Open button.

The selected resource is added to the repository.


Uploading and Accessing Resources using Third Party Tools

Configuring the Web ServicesThis section provides information about how to configure the Location Intelligence Module web services.

About Web Service ConfigurationsYou can, and frequently must, explicitly specify the desired behavior of the Location Intelligence Moduleweb services via settings in each web service's configuration file. The configuration file for each webservice is held in the Location Intelligence Module repository as a named configuration.1

Named configurations are not like other named resources that are held in the repository. Youcannot use the Named Resource Service to access named configurations. Instead, you mustuse a WebDAV tool of your choice, such as DAVExplorer or Windows web folders.

Note:

For information about the name and location of each web service's named configuration in the repository,as well as a list of the configuration parameters for each web service, refer to the "Working With SpatialServices" chapter in the Spectrum Spatial Developer Guide.

How to Change Web Service Configuration SettingsTo change web service configuration settings:

1. Pull the named configuration file for the web service out of the repository using your favorite WebDAVtool.

You cannot use the Named Resource Service to extract a named configuration file from therepository.

Note:

2. Using a text editor, make any required changes to the named configuration file.3. Re-add the named configuration file back into the repository using your favorite WebDAV tool.

You cannot use the Named Resource Service to add a named configuration file to therepository.

Note:

4. Do one of the following to reload the web service configuration:

• Restart the web service.• Use the Spectrum™ Technology Platform JMX Console (available athttp://hostname[:portnumber]/jmx-console) to reload the configuration without restartingthe web service.

Running Spectrum™ Technology Platform as a LinuxService

This tutorial will show you the steps you need to follow to run Spectrum™ Technology Platform as aLinux service.

1 TheGeometry Service alone does not have a corresponding named configuration because the GeometryService has no configurable settings.



How to Run Spectrum™ Technology Platform as a Linux ServiceThese instructions describe how to run the Spectrum™ Technology Platform as a Linux service.

1. Modify the provided pbspectrum script which is located here: PBSpectrum Script on page 18.a) Modify the chkconfig parameter at line# 5. By Default this parameter is: # chkconfig: 35

90 10

First value(35) is runlevel. Use 'man init' for more information.

Second value(90) is start priority

Third value(10) is stop priority.

Start and stop priority should be set according to the dependent services. For example, if OracleServer is running on the same machine and is used by Spectrum™ Technology Platform thenthe Spectrum™ Technology Platform starting priority should be less than the Oracle Service andstopping priority should be higher than the Oracle service. Use 'man chkconfig' for moreinformation.

b) Modify SPECTRUM_ROOT variable at line #11 with your Spectrum™ Technology Platforminstallation directory.

2. Copy the modified pbspectrum script to either /etc/rc.d/init.d for RedHat Linux or/etc/init.d for Suse Linux.

3. Change the mode of the pbspectrum script to executable. /etc/rc.d/init.d for RedHat Linuxor /etc/init.d for Suse Linux.

cd /etc/init.d or cd /etc/rc.d/init.d depending on your Linux version.

run chmod +x pbspectrum

4. Run chkconfig --add pbspectrum

5. Verify the script is working by restarting the machine. Use shutdown -r now to reboot from shell.

Once completed, you may also use the following:

• service pbspectrum start to start Spatial Server• service pbspectrum stop to stop Spatial Server• service pbspectrum restart to restart Spatial Server

The provided script runs the command 'ulimit -n 8192' which is required to increase the numberof open files in Linux.

Note:

PBSpectrum ScriptThe following script is used as the basis for this procedure: How to Run Spectrum™ TechnologyPlatform as a Linux Service on page 18.

#! /bin/bash## pbspectrum Bring up/down PB Spectrum platform## chkconfig: 35 90 10# description: Starts and stops the spectrum## /etc/rc.d/init.d/pbspectrum# See how we were called.

SPECTRUM_ROOT=/root/PBSpectrum

start() {. $SPECTRUM_ROOT/server/bin/setupulimit -n 8192


Running Spectrum™ Technology Platform as a Linux Service

$SPECTRUM_ROOT/server/bin/server.startRETVAL=$?return $RETVAL

}

stop() {. $SPECTRUM_ROOT/server/bin/setup$SPECTRUM_ROOT/server/bin/server.stopRETVAL=$?return $RETVAL

}

# See how we were called.case "$1" instart)

start;;

stop)stop;;

restart)stopstart;;

*)echo $"Usage: pbspectrum {start|stop|restart}"exit 1

esac

exit $RETVAL



3Managing Security

The Location Intelligence Module uses the same role-based security model thatis used for the Spectrum™ Technology Platform. Because security is handled atthe platform level, the Management Console can be used to manage all LocationIntelligence Module security activities.

In this section:

• Security for the Spectrum™ Technology Platform . . . . .22• Security for the Location Intelligence Module . . . . . . . . .29• Disabling Platform Security Versus Turning Off Spatial

Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40• Limiting Server Directory Access . . . . . . . . . . . . . . . . . . .40• Configuring HTTPS Communication . . . . . . . . . . . . . . . . .42

Security for the Spectrum™ Technology PlatformThe topics in this section cover the security model and procedures at the platform level that pertain toall modules. See Security for the Location Intelligence Module on page 29 for additional securityinformation that is specific to the Location Intelligence Module.

Security ModelSpectrum™ Technology Platform uses a role-based security model to control access to the system. Thefollowing diagram illustrates the key concepts in the Spectrum™ Technology Platform security model:

A user is an account assigned to an individual person which the person uses to authenticate to Spectrum™

Technology Platform, either to one of the client tools such as Enterprise Designer or ManagementConsole, or when calling a service through the API.

A user has one or more roles assigned to it. A role is a collection of permissions that grant or deny accessto different parts of the system. Roles typically reflect the kinds of interactions that a particular type ofuser has with the system. For example, you may have one role for dataflow designers which grantsaccess to create and modify dataflows, and another role for people who only need to process datathrough existing dataflows.

A role grants permissions to secured entity types. A secured entity type is a category of items to whichyou want to grant or deny access. For example, there is a secured entity type called "Dataflows" whichcontrols the default permissions for all dataflows on the system.

If you need to fine-tune access you can optionally specify secured entity overrides. A secured entityoverride controls access to a specific secured entity on the system. For example, the secured entity type"Dataflows" specifies the default permissions for all dataflows on the system, while each individualdataflow is a secured entity. If you want to grant or deny access to a specific dataflow, you would specifya secured entity override for the dataflow. You can specify secured entity overrides for a user, whichoverrides the permissions granted to the user by the user's roles. You can also specify secured entityoverrides for roles, which applies the overrides to all users who have that role. You can only applyoverrides for roles and users that you create, not for predefined roles and users.


Security for the Spectrum™ Technology Platform

Related LinksDisabling User Security on page 23Creating a User on page 23Creating a Role on page 25Creating a Secured Entity Override on page 28

UsersSpectrum™ Technology Platform user accounts control the types of actions users can perform on thesystem. User accounts are required to:

• Use Management Console, Enterprise Designer, or Interactive Driver• Run jobs on a schedule• Run jobs from the command line• Access services through web services or the API

There is an administrative account called admin that comes with the system. This account has fullaccess. The initial password is "admin".

You should change the admin password immediately after installing Spectrum™ TechnologyPlatform to prevent unauthorized administrative access to your system.

Important:

In addition to these default accounts you can create as many user accounts as your business requires.

Related LinksCreating a Secured Entity Override on page 28

Disabling User SecurityUser security is enabled by default. This means that the security restrictions assigned to users throughroles are enforced. If you want to disable user security, the security restrictions assigned to users willnot be enforced and all users will be able to access all parts of the system. Note that a valid user accountis always required to access services even if you disable user security.

This procedure describes how to disable user security.

If you follow this procedure all users will have full access to your Spectrum™ TechnologyPlatform system.

Warning:

1. Open the Management Console.2. Expand Security then click Options.3. Clear the Limit access according to user permissions check box.

Related LinksSecurity Model on page 22Disabling Platform Security Versus Turning Off Spatial Security on page 40

Creating a UserThis procedure describes how to create a Spectrum™ Technology Platform user account and assign arole to the account.

1. Open the Management Console.2. Expand Security then click Users.3. Click Add.

The New User window appears.

4. Leave the Enable user box checked if you want this user account to be available for use.5. Enter the user name in the User name field.


Chapter 3: Managing Security

User names can only contain ASCII characters.Note:

6. Enter the user's password in the Password field.7. Reenter the user's password in the Confirm password field.8. Enter the user's email address in the Email address field.9. Enter a description of the user in the Description field.10. Select the roles you want to give to this user.11. Click OK.

Related LinksSecurity Model on page 22

Modifying a UserThis procedure describes how to modify an existing Spectrum™ Technology Platform user account.

You can modify all user information except user name. If you need to change a user name, youmust first delete the user then create a user with the new user name.

Note:

1. Open the Management Console.2. Expand Security then click Users.3. Click Modify.

The User Properties window appears.

4. Leave the Enable user box checked if you want this user account to be available for use.5. Enter the user's password in the Password field.6. Reenter the user's password in the Confirm password field.7. Enter the user's email address in the Email address field.8. Enter the description of the user in the Description field.9. Select the roles you want to give to this user.10. Click OK.

Disabling a User AccountYou can disable a user account so that it cannot be used to gain access to Spectrum™ TechnologyPlatform.When a user account is disabled it cannot be used to access Management Console, EnterpriseDesigner, or Interactive driver. In addition, any jobs that run on a schedule using a disabled user accountwill not run. API calls that use a disabled user account will also not work.

The user account "admin" cannot be disabled.Note:

1. Open Management Console.2. Expand Security then click Users.3. Select the user account you want to disable and click Modify.4. Clear the Enable user check box.

The user account is now disabled and cannot be used to gain access to Spectrum™ Technology Platform.

Deleting a UserThis procedure describes how to permanently delete a Spectrum™ Technology Platform user account.

User accounts can also be disabled, which prevents the account from being used to access thesystem without deleting the account.

Tip:

1. Open the Management Console.2. Expand Security then click Users.



3. From the User Management screen, select the user you want to delete and click Delete.4. Click Yes to delete or No to cancel.

The user account "admin" cannot be deleted.Note:

RolesA role is a collection of permissions that grant or deny access to different parts of the system. Rolestypically reflect the kinds of interactions that a particular type of user has with the system. For example,you may have one role for dataflow designers which grants access to create and modify dataflows, andanother role for people who only need to process data through existing dataflows.

The following roles are predefined:

This role has full access to all parts of the system.admin

This role is for users that create dataflows and process flows in Enterprise Designer.It provides the ability to design and run dataflows.

designer

This role is for users who need to process data through Spectrum™ TechnologyPlatform but does not need to create or modify dataflows. It allows the user to accessservices through web services and the API, and to run batch jobs.

integrator

This role is available only when the Location Intelligence Module module is installed.It provides full access to named resources for this module when using spatial services.

spatial-admin

(Additional access is required to manage spatial resources using ManagementConsole. See Security for the Location Intelligence Module on page 29 for moreinformation.)

This role is available only when the Location Intelligence Module module is installed.It provides read-only access to named resources for this module when using spatial

spatial-user

services. (Additional access is required to view spatial resources using ManagementConsole. See Security for the Location Intelligence Module on page 29 for moreinformation.)

This is the default role. It provides no access to the system. Users who have this rolewill only gain access to the system if you grant permission through secured entityoverrides.

user

To view the permissions granted to each of these roles, open Management Console, go to Security andclick Roles. Then select the role you want to view and click View.

You cannot modify the predefined roles. However, you can create new roles using the predefinedroles as a starting point.

Tip:

Related LinksCreating a Secured Entity Override on page 28

Creating a RoleA role is a collection of permissions that you assign to a user. If the predefined roles that come withSpectrum™ Technology Platform do not fit your organization's needs, you can create your own roles.

1. In the Management Console, browse to Security then expand Roles.2. Click Add.3. In the Role field, enter the name you want to give to this role. The name can be anything you choose.4. If you want to use one of the predefined roles as a starting point for your new role, check the Copy

from box then select the role that you want to use as a starting point. The predefined role's permissionsare selected for you.

5. Optional: Since the list of secured entity types can be long, you may want to display only a certaingroup of secured entity types. This can be useful if you want to apply the same permissions to allentities in a group. For example, if you want to remove the Modify permission from all databaseresources, you could filter to show just the Database Resources group. To display and modify onlyone group:



a) Check the Enable group filtering box.b) Click the funnel icon in the header of the Group column and select the group you want to display.c) Check or clear the box in the column header of the permission you want to apply.d) To return to the full list of secured entity types, click the filter icon and select (All) then clear the

Enable group filtering box.

6. Select the permissions you want to grant for each entity type. The permissions are:

Allows the user to view entities contained by the entity type. For example, if you allowthe View permission for the JDBC Connection entity type, users with this role wouldbe able to view database connections in Management Console.

View

Allows the user to modify entities contained by the entity type. For example, if youallow the Modify permission for the JDBC Connection entity type, users with this rolewould be able to modify database connections in Management Console.

Modify

Allows the user to create entities that fall into this entity type's category. For example,if you allow the Create permission for the JDBC Connection entity type, users withthis role would be able to create new database connections in Management Console.

Create

Allows the user to delete entities contained by the entity type. For example, if youallow the Delete permission for the JDBC Connection entity type, users with this rolewould be able to delete database connections in Management Console.

Delete

Allows the user to initiate processing of jobs, services, and process flows. For example,if you allow the Execute permission for the Job entity type, users with this role would

Execute

be able to run batch jobs. If you allow the Execute permission for the Service entitytype, users with this role would be able to access services running on Spectrum™

Technology Platform through the API or web services.

7. Click OK.

The role is now available to be assigned to a user.

You can delete a role that you create, but only after you unassign it from all user accounts.Note:

Related LinksSecurity Model on page 22

Secured Entity Types - PlatformAn entity type is a category of items to which you want to grant or deny access. For example, there isan entity type called "Dataflows" which controls permissions for all dataflows on the system. Platformentity types apply to all Spectrum™ Technology Platform installations, as compared to module-specificentity types that apply only if you have installed particular modules. The platform-level entity types are:

Controls access to all dataflow types (jobs, services, and subflows)in Enterprise Designer.

Dataflows

Controls the ability in Enterprise Designer to make dataflowsavailable for execution.

Dataflows - Expose

Controls access to the Event Log node in Management Console.Event Log

Controls access to job schedule and file monitor configuration inManagement Console.

Execution - File Monitor andScheduling

Controls access to the Job Options node in Management Console.All users have View access to job options. You cannot removeView access.

Execution - Job Options

Controls access to the Report Options node in ManagementConsole. All users have View access to report options. You cannotremove View access.

Execution - Report Options



Controls access to the Sort Performance node in ManagementConsole. All users have View access to sort performance options.You cannot remove View access.

Execution - Sort Performance

Controls access to the Type Conversion node in ManagementConsole. All users have View access to type conversion options.You cannot remove View access.

Execution - Type ConversionOptions

Controls access to job execution history in Enterprise Designerand Management Console.

Execution History - Jobs

Controls access to process flow execution history in ManagementConsole and Enterprise Designer.

Execution History - ProcessFlows

Controls the ability to execute jobs in Enterprise Designer,Management Console, and job executor.

Jobs

Controls access to configure license expiration notification emailsin Management Console.

Notification - License Expiration

Controls access to the email notification options in ManagementConsole.

Notification - SMTP Settings

Controls access to process flows in Enterprise Designer.Process Flows

Controls the ability in Enterprise Designer to make process flowsavailable for execution.

Process Flows - Expose

Controls access to the Remote Servers node in ManagementConsole.

Remote Server

Controls the ability to configure JDBC connections in ManagementConsole.

Resources - DatabaseConnections

Controls access tomanaging external web services in ManagementConsole.

Resources - External WebServices

Controls the ability to configure file servers in ManagementConsole.

Resources - File Servers

Controls the ability to configure JDBC drivers in ManagementConsole.

Resources - JDBC Drivers

Controls the ability to enable or disable restrictions on serverdirectory resources in Management Console.

Resources - Restrict serverdirectory access

Controls the ability to configure server directory resources inManagement Console.

Resources - Server directorypaths

Controls access to the Security Options node in ManagementConsole.

Security - Options

Controls access to role configuration in Management Console.Security - Roles

Controls access to secured entity overrides in ManagementConsole.

Security - Secured EntityOverrides

Controls access for managing user accounts in the Users node ofManagement Console.

Security - Users

Controls the ability to execute services through the API and webservices.

Services

Controls whether exposed subflows are available as a stage indataflows in Enterprise Designer.

Stages

Controls access to the license information displayed inManagementConsole.

System - Licensing



Controls access to the Version Information node in ManagementConsole.

System - Version Information

Controls access to the Transaction History node in ManagementConsole.

Transaction History

Secured Entity Types - Location Intelligence ModuleAn entity type is a category of items to which you want to grant or deny access. The Location IntelligenceModule has the following module-specific entity type:

Named Resources

Controls permissions to all named resources in the Location Intelligence Module, including named maps,named tiles, named tables, and named connections. Users of Location Intelligence Module servicesmust have at least read permissions for the resources they use as well as for any dependent resources.

Secured Entity OverridesA secured entity override controls access to a specific secured entity on the system. For example, thesecured entity type "Dataflows" specifies the default permissions for all dataflows on the system, whileeach individual dataflow is a secured entity. If you want to grant or deny access to a specific dataflow,you would specify a secured entity override for the dataflow. You can specify secured entity overridesfor a user, which overrides the permissions granted to the user by the user's roles. You can also specifysecured entity overrides for roles, which applies the overrides to all users who have that role. You canonly apply overrides for roles and users that you create, not for predefined roles and users.

Creating a Secured Entity OverrideA secured entity override specifies permissions for specific secured entities in the system, such asspecific dataflows or specific database connections. To create a secured entity override:

1. In Management Console, expand Security then click Secured Entity Overrides.2. Do one of the following:

• If you want to specify a secured entity override for a role, click Role. The overrides you specify willaffect all users who have the role you choose.

• If you want to specify a secured entity override for a user, click User. The overrides you specifywill only affect the user you choose.

3. Click Browse to select the specific role or user then click OK.4. Click Add then Browse.

The Select Secured Entity Type window appears.5. Select the secured entity type that contains the secured entity you want to override then click OK.

For example, if you want to override a dataflow secured entity, choose Platform.Dataflows.

To select multiple secured entity overrides, use CTRL+click. To select a range of secured entityoverrides, use SHIFT+click.

Tip:

6. Choose the secured entity that you want to override. Click Add then Close.

The secured entities you chose are displayed. The secured entity type's row shows the permissionsin effect for the selected role or user. A gray checked box indicates that the permission is enabledand a gray empty box indicates that the permission is disabled.

7. Specify the secured entity overrides you want. Each permission can have one of the following settings:

There is no override for the permission. The permission is the default permission grantedto the user or role.

The permission is denied to the user or role, overriding whatever permission is specifiedin the secured entity type.



The permission is granted to the user or role, overriding whatever permission is specifiedin the secured entity type.

Related LinksSecurity Model on page 22Users on page 23Roles on page 25

Viewing a Secured Entity OverrideA secured entity override specifies permissions for specific secured entities in the system, such asspecific dataflows or specific database connections. To view secured entity overrides for a role or user:

1. In Management Console, expand Security then click Secured Entity Overrides.2. Do one of the following:

• If you want to view a secured entity override for a role, click Role.• If you want to view a secured entity override for a user, click User.

3. Click Browse to select the specific role or user then click OK.

The secured entities with overrides for the role or user you chose are displayed.

The secured entity type's row (for example, Platform.Dataflows) shows the permissions in effect forthe selected role or user. A gray checked box indicates that the permission is enabled and a grayempty box indicates that the permission is disabled.

The secured entity rows (for example, the specific dataflow GeocodeAddress) shows the permissionsin effect for that entity, each of which can have one of the following settings:

There is no override for the permission. The permission is the default permission grantedto the user or role.

The permission is denied to the user or role, overriding whatever permission is specifiedin the secured entity type.

The permission is granted to the user or role, overriding whatever permission is specifiedin the secured entity type.

Security for the Location Intelligence ModuleThe Location Intelligence Module uses the same role-based security that is used for the Spectrum™

Technology Platform. Because security is handled at the platform level, the Management Console canbe used to manage all Location Intelligence Module security activities. This includes setting permissionsfor named resources in addition to managing user accounts (that is, creating, modifying, and deletinguser accounts).

The User Management Service can still be used to set permissions if desired; however,permissions are stored in the platform and not the repository, and cannot be set at the folder ordirectory level. The User Management Service is set to be deprecated in the next release.

Note:

After you install the Location Intelligence Module, two predefined roles are available in ManagementConsole, spatial-admin and spatial-user.

The spatial-admin role provides full permissions (View/Modify/Create/Delete) for all named resources(named maps, named tiles, named connections, and named tables), whereas the spatial-user roleprovides only View permissions to these resources. These permissions are controlled using the LocationIntelligence Module's secured entity type, Location Intelligence.Named Resources. Users of LocationIntelligence Module services must have at least View permissions for the resources they use as well asfor any dependent resources.



These predefined spatial roles, when assigned to a user, provide access to named resources only whenusing spatial services. They do not allow access to named resources in Management Console. The"admin" user in Spectrum has full access to manage all parts of the system, including named resources,via the Management Console. If you also want users who can access only named resources via theManagement Console, you must manually create a "named resources administrator" role, using one ofthe predefined spatial roles as a base, that provides access to named resources in the repository thenassign that role to a "named resources administrator" user account. For instructions on creating thisadditional resource-administrator role, see Creating a Named Resources Administrator on page 36.Dataflow designers who require access to named resources also need additional permissions beyondthat of the "designer" role. For instructions on creating a spatial dataflow designer, seeCreating a SpatialDataflow Designer on page 37.

Roles and associated permissions on the Location Intelligence.Named Resources secured entity typecan all be viewed using Management Console.

• Predefined roles, which are not editable:

• Permissions for spatial-admin, on the Location Intelligence.Named Resources secured entity:

• Permissions for spatial-user, on the Location Intelligence.Named Resources secured entity:

The permission settings in the User Management Service are mapped to the Spectrum™

Technology Platform as follows: Read>View, Modify>Modify, Add>Create, and Remove>Delete.Note:

You can create custom roles based on the predefined spatial roles, assign them to user accounts, thenfine-tune access to named resources for those roles and users by applying secured entity overrides to


Security for the Location Intelligence Module

individual named resources. Overrides cannot be applied to folders or directories, so anytime a namedresource is added you must specify any necessary overrides for that resource.

Related LinksAppendix - Managing Security with the User Management Service on page 73

Example: Overriding Permissions at the Role LevelA typical scenario and best practice for setting security for the Location Intelligence Module involvescreating a custom role with no permissions, applying specific overrides to the custom role, then assigningthat role to a user.

In this example, you will create a custom role with no permissions, apply overrides to the custom roleallowing modify and delete permissions for named tables in the repository, then create a user accountand assign the custom role along with a predefined spatial role to it.

1. Create a Custom Role. If the predefined roles that come with do not fit your organization's needs,you can create your own roles. In this first step of this example, you will create a custom role calledtable-modifier that initially has no permissions. Before you begin, verify that security is enabled, seeDisabling User Security on page 23.a) In the Management Console, browse to Security then click Roles.b) Click Add.

The Add Role dialog appears.

c) In the Name field, enter the name you want to give to this role, table-modifier.No permissions are set for this role.



d) Click OK.The custom role is now available to be assigned overrides.

2. Apply Overrides to a Role. A secured entity override grants permissions for specific secured entitiesin the system, such as named tables that are in the repository. In this step of the example, you willcreate an override for the table-modifier role that allows modifying and deleting of named tables.a) In Management Console, expand Security then click Secured Entity Overrides.b) Click Role then Browse.

The Select Role dialog appears.

c) Select the table-modifier role and click OK.d) Click Add.

The Select Items dialog appears.

e) Click Browse.The Select Secured Entity Type window appears.

f) Select the Location Intelligence.Named Resources secured entity type. Click OK.A list of all secured entities that are named resources appears.



g) From the list of secured entities, locate then select all the named table resources (use the Shiftkey to select multiple consecutive items in this dialog).

Overrides can be applied only to individual named resources, not to folders or directories.Note:

h) Click Add then Close.

The secured entities (named tables) you chose are displayed. The secured entity type's rowshows the permissions in effect for the table-modifier role. A gray checked box indicates that thepermission is enabled and a gray empty box indicates that the permission is disabled.

i) Specify overrides on each secured entity (named table) by selecting all checkboxes in the Modifyand Delete columns:

j) Click Save or select File > Save.

The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicatingthat the changes are saved.

The table-modifier role now permits modifying and deleting of named tables, and can be assignedto a user account.

If named tables are subsequently added to the repository, you will need to add securityentity overrides for each of those named tables.

Note:

3. Create a User. In the final step of this example, you will create a user account to which you willassign both the pre-defined spatial-user role (which provides view-only permissions to namedresources) as well as the custom table-modifier role (which grants additional permissions for modifyingand deleting named tables).a) In Management Console, expand Security then click Users.b) Click Add.


c) Leave the Enable user box checked if you want this user account to be available for use.d) Enter the user name (user-tables) in the User name field.e) Enter the user's password in the Password field.f) Re-enter the user's password in the Confirm password field.g) Enter the user's email address in the Email address field.h) Enter a description of the user in the Description field.i) Select the spatial-user and table-modifier roles.



j) Click OK.

A user-tables user account is now available with view-only permissions to all named resources as wellas modify and delete permissions for named tables.

Example: Overriding Permissions at the User LevelA common scenario for setting security for the Location Intelligence Module involves establishing overridepermissions for a single user.

In this example, you will create a user with view-only permissions to named resources, then applyoverrides to the user account that allow modifying and deleting of a specific named tile.

1. Create a User with View Permissions. First, you will create a user account to which you will assignthe pre-defined spatial-user role. This role provides view-only permissions to named resources.a) In Management Console, expand Security then click Users.b) Click Add.


c) Leave the Enable user box checked if you want this user account to be available for use.d) Enter the user name (user-tiles) in the User name field.e) Enter the user's password in the Password field.f) Re-enter the user's password in the Confirm password field.g) Enter the user's email address in the Email address field.h) Enter a description of the user in the Description field.i) Select the spatial-user role.



j) Click OK.A user-tiles user account is now available with view-only permissions to all named resources.

2. Apply Overrides to a User. A secured entity override grants permissions for specific secured entitiesin the system. In the final step of this example, you will create an override that allows a single user(user-tiles) to modify and delete a specific named tile in addition to being able to view all types ofnamed resources.a) In Management Console, expand Security then click Secured Entity Overrides.b) Click User then Browse.

The Select User dialog appears.

c) Select the user (user-tiles) and click OK.d) Click Add.

The Select Items dialog appears.

e) Click Browse.The Select Secured Entity Type window appears.

f) Select the Location Intelligence.Named Resources secured entity type. Click OK.A list of all secured entities that are named resources appears.

g) From the list of secured entities, locate then select /Samples/NamedTiles/USATile.h) Click Add then Close.

The secured entity (named tile) you chose is displayed. The secured entity type's row shows thepermissions in effect for the user-tiles user. A gray checked box indicates that the permission isenabled and a gray empty box indicates that the permission is disabled.

i) Specify overrides on the secured entity (named tile) by selecting the checkboxes in the Modifyand Delete columns:



j) Click Save or select File > Save.

The asterisk next to the "Secured Entity Overrides" window title no longer appears, indicatingthat the changes are saved.

The user-tiles user can now modify, delete, and view a specific named tile(/Samples/NamedTiles/USATile), but can only view all other named tiles and named resources.

Creating a Named Resources AdministratorTo view or manage named resources in the repository using Management Console, a user must havean assigned role that allows full access to those resources in addition to the access that is provided bythe predefined spatial roles. The predefined spatial roles cannot be modified and a predefined "NamedResources Administrator" role is not provided by the Spectrum™ Technology Platform; however, youcan create such a role using a predefined spatial role as a base.

1. In the Management Console, browse to Security then click Roles.2. Click Add.3. In the Name field, enter the name you want to give to this role (for example, "resource-admin").4. Check theCopy from box then select either the spatial-admin or spatial-user role to use as a starting

point. The spatial-admin role provides View, Modify, Create, and Delete permissions for the LocationIntelligence Module.Named Resources secured entity type; the spatial-user role provides Viewpermissions.

5. Set additional permissions as follows for these secured entity types:

Database Resources:

• Centrus Database Resources to View/Modify/Create/Delete/Execute (if required)• Enterprise Routing to View/Modify/Create/Delete/Execute (if required)• Spatial Database Resources to View/Modify/Create/Delete/Execute for a spatial-admin, or toView/Execute for a spatial-user

Platform:

• Resources - File Servers to View• Resources - JDBC Drivers to View• Services to View/Modify/Execute• System - Version Information to View



6. Click OK to save the new resource-admin role.7. Under Security, click Users.8. Either select an existing user and click Modify, or click Add to create a new user.9. Assign the new "resource-admin" role to the user account to allow it to manage and/or view named

resources in Management Console.

The user now has the access required to view and/or manage named resources in Management Console.

Creating a Spatial Dataflow DesignerTo create dataflows for Location Intelligence Module stages and services, a user must have both thedesigner and spatial-user roles assigned. The spatial-user role provides View access to named resourcesunder the Location Intelligence.Named Resources secured entity type. The designer role provides thenecessary access to Platform secured entity types such as Dataflows.

1. In the Management Console, browse to Security then click Users.2. Either select an existing user and click Modify, or click Add to create a new user.



3. Assign both the designer and spatial-user roles to the user account.

The user now has permission to view named resources and design dataflows using those resources forLocation Intelligence Module stages and services.

Turning off Security for Services and the RepositoryAll services and access to resources used by the Spectrum™ Technology Platform Location IntelligenceModule are configured, by default, with authentication turned on. This allows certain functionality torestrict access to resources and the ability to modify resources in the repository. For example, the NamedResource Service AddNamedResource operation, and the CSW service Harvest operation both requireauthentication, as both of these operations require write permissions to the repository.

The service-level authentication can be turned off for all services and the repository. This is useful if youhave your own high-level authentication built into the solution that is using the Location IntelligenceModule services.

To turn off service and repository security, use the JMX console.

1. Access the JMX Console using the following URL: http://localhost:8080/jmx-console/ (replacinglocalhost and port 8080 with your correct configuration).

2. Under the Domain: com.pb.spectrum.platform.config section, select the administrationlink for the WebServiceSecurityConfigurationManager.

3. For RestServiceSecurityType and SoapServiceSecurityType enter OPEN in the valuefield and click set for each.

4. Restart the server.

Once finished, security is turned off for the services and repository.

Related Links




Disabling Platform Security Versus Turning Off Spatial Security on page 40

Turning off Security for the RepositoryTo turn off repository security:

1. Launch the User Management Service Demo page athttp://localhost:8080/Spatial/UserManagementService/DemoPage.html (replacing localhost andport 8080 with your correct configuration).

2. Using admin credentials in the User and Password fields, set the everyone user with the allpermission using the following request:

<?xml version="1.0"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:v1="http://www.mapinfo.com/midev/service/usermanagement/v1">

<soapenv:Header/><soapenv:Body>

<v1:SetPermissionsRequest><v1:UserName>everyone</v1:UserName><v1:ResourcePath>/</v1:ResourcePath><v1:Permissions>

<v1:Permission>all</v1:Permission></v1:Permissions><v1:Recursive>false</v1:Recursive>

</v1:SetPermissionsRequest></soapenv:Body>

</soapenv:Envelope>

Once finished, security is turned off for the repository.

Turning off Security for the REST ServicesTo turn off security for REST services:



3. For RestServiceSecurityType enter OPEN in the value field and click set.4. Restart the server.

Once finished, security is turned off for the REST services.

Turning off Security for the SOAP servicesTo turn off security for SOAP services:



3. For SoapServiceSecurityType enter OPEN in the value field and click set.4. Restart the server.

Once finished, security is turned off for the SOAP services.



http://localhost:8080/Spatial/UserManagementService/DemoPage.html



Disabling Platform Security Versus Turning OffSpatial Security

The Spectrum™ Technology Platform allows you to disable role-based security at the platform level andservice-level security as two separate operations.

Disabling role-based security at the platform level (by deselecting ‘Limit access according to userpermissions’ on the Security > Options node in Management Console) means that the permissionsassigned to users (via roles and secured entity overrides) will not be enforced and all users will be ableto access all parts of the system. The Location Intelligence Module will then allow access to any namedresource in the repository.

Turning off service-level security on the JMX Console (by setting RestServiceSecurityType andSoapServiceSecurityType to OPEN) causes the execution of service requests to use the adminuser. For the Location Intelligence Module this means that any named resource that is added to therepository is “owned” by the admin user; therefore, running the User Management Service’sgetPermissions request will show that non-admin users have only "Read" permissions.

Disabling both service-level and role-based security completely opens up the Location IntelligenceModule's services and named resources. Running the User Management Service’s getPermissionsrequest will also show that non-admin users now have "All" permissions

Related LinksDisabling User Security on page 23Turning off Security for Services and the Repository on page 38

Limiting Server Directory AccessEnterprise Designer and Management Console users have the ability to browse the Spectrum™

Technology Platform server's folders and files, such as when selecting an input or output file whenconfiguring a source or sink stage in a dataflow, or defining a database resource. You may want to restrictfile browsing so that sensitive portions of the server are kept off limits. You can prevent all browsing oryou can specify the folders that you want users to be able to browse. The folders you specify appear asthe top-level folders in users' file browse windows. For example, if you allow users to only access a folderon the server named WestRegionCustomers, when users browse the server they would only see thatfolder, as shown here:


Disabling Platform Security Versus Turning Off Spatial Security

To restrict access to the server's file system, follow this procedure.

1. Open Management Console.2. Under Resources, select Server Directory Access.3. Do one of the following:

• To prevent users from browsing the server entirely, check the box Restrict server directoryaccess and do not perform any of the following steps. Users will have no access to any of the filesor folders on the server.

• To allow access to some folders on the server, proceed to the following step.

4. Click Add.5. In the Name field, give a meaningful name for the folder to which you are granting access.6. In the Path field, specify the folder to which you want to grant access.

Users will be able to access all subfolders contained in the folder you specify.Note:

7. Click OK.8. If you want to grant access to additional folders, repeat the previous steps as needed.9. Enforce the restrictions by checking the Restrict server directory access box.

Users will now only have access to the folders you have specified.

If there are any dataflows that had previously accessed files that are no longer available becauseof file browsing restrictions, those dataflows will fail.

Note:



Configuring HTTPS CommunicationBy default, Spectrum™ Technology Platform communication with the client tools (Enterprise Designer,Management Console, and Interactive Driver) and API occurs over HTTP. You can configure Spectrum™

Technology Platform to use HTTPS if you want to secure these network communications.

1. Stop the Spectrum™ Technology Platform server.

• To stop the server onWindows, right-click the Spectrum™ Technology Platform icon in theWindowssystem tray and select Stop Server. Alternatively, you can use theWindows Services control paneland stop the Pitney Bowes Spectrum™ Technology Platform service.

• To stop the server on Unix or Linux, source the <SpectrumLocation>/server/bin/setupscript then execute the <SpectrumLocation>/server/bin/server.stop script.

2. Create a certificate and load it into a JSSE keystore. For more information, seehttp://docs.codehaus.org/display/JETTY/How+to+configure+SSL.

3. Create an XML file named spectrum-override-container-ssl.xml containing the following:

<beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:util="http://www.springframework.org/schema/util"xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsdhttp://www.springframework.org/schema/util

http://www.springframework.org/schema/util/spring-util-3.0.xsd">

<bean id="defaultWebServerConnector"class="com.g1.dcg.server.jetty.JettyDelayedServerConnector">

<constructor-arg ref="webServer"/><constructor-arg>

<bean class="org.eclipse.jetty.util.ssl.SslContextFactory"><property name="keyStorePath" value="/SpectrumKeystore"/>

<property name="keyManagerPassword" value="password"/><property name="keyStorePassword" value="password"/>

</bean></constructor-arg><property name="host" value="${spectrum.bind.address}"/><property name="port" value="${spectrum.http.port}"/><property name="idleTimeout" value="-1"/>

</bean></beans>

4. Modify the following lines as needed to reflect your environment:

Modify the value to be the relative path from<ServerLocation>/server/app/conf/spring

<property name="keyStorePath"value="/SpectrumKeystore"/>

to the keystore you are using. This exampleassumes the keystore in the root of the drive onwhich the Spectrum™ Technology Platform serveris installed.

Modify the value to be the password to thekeystore.

<property name="keyManagerpassword"value="password"/>

Modify the value to be the password to the keywithin the keystore.

<property name="keyStorePassword"value="password"/>

5. Save the spectrum-override-ssl.xml file to<SpectrumLocation>/server/app/conf/spring.

6. Using a text editor, open the file spectrum-container.properties located in<SpectrumLocation>/server/app/conf and set the following properties:


Configuring HTTPS Communication

http://docs.codehaus.org/display/JETTY/How+to+configure+SSL

spectrum.http.port=8443spectrum.runtime.hostname=dnsnameWhere dnsname is the external DNS for the server.

7. Start the Spectrum™ Technology Platform server.

• To start the server onWindows, right-click the Spectrum™ Technology Platform icon in theWindowssystem tray and select Start Server. Alternatively, you can use the Windows Services controlpanel to start the Pitney Bowes Spectrum™ Technology Platform service.

• To start the server on Unix or Linux, execute the<SpectrumInstallDirectory>/server/bin/server.start script.



4Monitoring Your System

In this section:

• Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46• Spatial Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47• Configuring E-mail Notification . . . . . . . . . . . . . . . . . . . . .49• Configuring License Expiration Notification . . . . . . . . . .49• Viewing Version Information . . . . . . . . . . . . . . . . . . . . . . .50• Viewing and Exporting License Information . . . . . . . . . .50• Monitoring Performance . . . . . . . . . . . . . . . . . . . . . . . . . .50• Monitoring Memory Usage . . . . . . . . . . . . . . . . . . . . . . . . .51

Event Log

Viewing the Event LogThe event log displays messages from the Spectrum™ Technology Platform server's wrapper log. Theevent log contains information about server operations as well as requests made to services from theAPI and through web services. Use the event log when you experience trouble and are looking forinformation about possible causes.

1. Open the Management Console.2. Expand Event Log then click Events.3. Click Refresh to view the latest entries.4. Check Show events upon open to automatically load the event log. If you do not check this option

you must click the Refresh button to view the latest information.

You can also view the event log by using a text editor and opening the file<ServerLocation>\server\app\repository\logs\wrapper.log.

Setting Event Log OptionsYou can specify the default logging level as well as logging levels for each service on your system. Whenyou change logging levels the change will not be reflected in the log entries made before the change.

1. Open the Management Console.2. Expand Event Log then click Options.3. Click the System default logging level drop-down list to select an event logging level. Event logging

levels include the following:

• Disabled—no event logging enabled.• Fatal—minimal logging, logs only fatal errors. Fatal errors are those that make the system unusable.• Error—logs only errors and fatal errors. Errors make a single call unusable, possibly a singleservice, but not the whole system. The inability to load a specific service might be an error sinceother services would be available.

• Warn—event warnings and errors are logged. Warnings indicate problems that do not stop thesystem from working (for example, when loading a service where a parameter has an invalid value,a warning is issued and the default parameter is used). During the use of a service, if results arereturned but there is a problem, a warning will be logged. An example might be that casing wasset to lower case, but Canadian does not support casing. Results are returned with a warning thatthe casing option was ignored.

• Info—logging of high-level system information. This is the most detailed logging level suitable forproduction. Info level will typically be used during startup and initialization, providing product andversion information, which services were loaded, etc.

• Debug—a highly detailed level of logging, suitable for debugging problems with the system.• Trace—the most detailed level of logging, tracing program execution (method entry and exit). Itprovides detailed program flow information for debugging.

Each logging level includes the ones above it on the list. In other words, if Warning is selected asthe logging level, errors and fatal errors will also be logged. If Info is selected, informational messages,warnings, errors, and fatal errors will be logged.

Selecting the most intensive logging level can affect system performance. Therefore, youshould select the least intensive setting that meets your particular logging requirements.

Note:

4. If you want to specify different logging levels for each service choose the logging level you want.


Event Log

Spatial LoggingThe JMX Console is equivalent to logger name="com.mapinfo.midev" in the logback.xml file. Ifyou want to see debug info for a short time, use JMX Console, otherwise, use logback.

The remote components (feature and mapping) in the JMX Console can be configured individually:

• Spatial:name=Logging,type=Remote Feature Component

• Feature Service• Geometry Service• Named Resource Service• User Management Service• WFS• CSW

• Spatial:name=Logging,type=Remote Mapping Component

• Mapping Service• Map Tiling Service• WMS

Users can enable debugging and specify additional output file for each one of them. By default, logmessages go into wrapper.log. Services in a component will output to the same file and cannot be furthersplit. The configuration change made here will not persist, and will be lost after restart.

The logback.xml file provides finer control on logging behavior, such as sending output to a log file insteadof by default sending it to the console which redirects to the wrapper.log. You can also set the log levelto turn off logging altogether or log only fatal errors, for example. As described above for the JMXConsole,the log can only be redirected based on components (feature and mapping), not by services.

Default logback file:

<?xml version="1.0" encoding="UTF-8"?><!-- Logger configuration for remote components


Chapter 4: Monitoring Your System

--><configuration><appender name="CONSOLE-SPATIAL"class="ch.qos.logback.core.ConsoleAppender"><encoder><pattern>[${component.name}] - [%thread] %-5level %logger{35} -

%msg%n</pattern></encoder></appender><appender name="FILE-SPATIAL"class="ch.qos.logback.core.rolling.RollingFileAppender"><file>${g1.server.modules.dir}/spatial/${component.name}.log</file><encoder><pattern>%d [%thread] %-5level %logger{35} - %msg%n</pattern></encoder><append>true</append><triggeringPolicy

class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"><maxFileSize>10MB</maxFileSize></triggeringPolicy><rollingPolicy

class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"><fileNamePattern>${component.name}.log.%i</fileNamePattern><maxIndex>1</maxIndex></rollingPolicy></appender><logger name="com.mapinfo.midev" level="INFO" additivity="false"><appender-ref ref="CONSOLE-SPATIAL"/></logger></configuration>

ValuesOption

Level • OFF–turn off logging• ERROR–log runtime or unexpected errors• WARN–log warnings only; for example, using a deprecated API• INFO–log runtime events such as startup or shutdown [default]• DEBUG–log detailed debugging information

Output • CONSOLE-SPATIAL –sends log information to the JMX Console[default]

• FILE-SPATIALL–sends log information to a log file based oncomponent (feature or mapping)


Spatial Logging

Configuring E-mail NotificationSpectrum™ Technology Platform can alert you to potential problems to ensure that critical businessprocesses are not interrupted. Notifications are sent as a result of conditions within dataflows and processflows. The messages can be formatted to contain context-sensitive information about the event thatoccurred.

1. Open the Management Console.2. Expand System then click Notification.3. In the Host field, enter a valid host name or IP address.4. Enter a valid port number or range in the Port field. The default is 25.5. Enter the user name for logging on to the SMTP server in the User Name field.6. Enter a password for logging on to the SMTP server in the Password field.7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the

Confirm Password field.8. Enter a valid e-mail address to where notification e-mail will be sent in the From Address field.9. Enter a valid e-mail address to where notification e-mail will be sent in the Test Address field. This

is used to ensure the notification process works.10. Click Test to send a test message.

Configuring License Expiration NotificationYou can have Spectrum™ Technology Platform send an email notification when a license is about toexpire.

1. Open the Management Console.2. Expand System then click Notification.3. In the Host field, enter a valid host name or IP address.4. Enter a valid port number or range in the Port field. The default is 25.5. Enter the user name for logging on to the SMTP server in the User Name field.6. Enter a password for logging on to the SMTP server in the Password field.7. If you completed the Password field, re-enter the password for logging on to the SMTP server in the

Confirm Password field.8. Enter a valid e-mail address to where notification e-mail will be sent in the From Address field.9. Enter a valid e-mail address to where notification e-mail will be sent in the Test Address field. This

is used to ensure the notification process works.10. Click Test to send a test message.11. Click the Expiration Settings tab.12. In the Days before expiration to send notification field, specify the number of days in advance

that you want to be notified of a pending license or data expiration. For example, if you want to benotified 30 days before a license expires, specify 30.

13. Check the Send expiration notification check box.14. Click Add and specify the email address you want to receive the notification.15. Select File > Save.



Viewing Version Information1. In Management Console, expand System then click Version Information.2. The Version Information window presents information on the configured services. Expanding the

Server Information, System Information, Service Information, and Component Information folderswill present the corresponding details. This includes versions numbers of the server, the operatingsystem, the service software, and component versions.

This information is view-only.Note:

Viewing and Exporting License Information1. Open the Management Console.2. Expand System then click Licensing.3. Click the Expiration Info tab to view a list of licenses that are about to expire. Only licenses that are

within the period specified on in the Notification node, Expiration Settings tab, are displayed.4. Click the License Information tab to view a complete listing of all licenses installed on your system.

To export your license information to a .lic file, click Export. This is helpful when resolving licenseissues with technical support.

Monitoring PerformanceThe Spectrum™ Technology Platform JMX console provides a performance monitoring tool that recordsperformance statistics for each stage in a dataflow. Use the JMX console to identify bottlenecks andobserve the effects of different performance tuning adjustments.

1. Open a web browser and go to http://<server>:<port>/jmx-console

Where:

<server> is the IP address or hostname of your Spectrum™ Technology Platform server.

<port> is the HTTP port used by Spectrum™ Technology Platform. The default is 8080.

2. Enter "admin" for both the user name and password.3. Under " Domain: com.pb.spectrum.platform.performance", click

com.pb.spectrumplatform.performance:server=PerformanceMonitorManager.4. Click the Invoke button next to enable.5. Click Return to MBean View to go back to the PerformanceMonitorManager screen.

Performance monitoring is now enabled. When a dataflow runs, the performance statistics will displayat the top of the PerformanceMonitorManager screen.


Viewing Version Information

Note the following:

• The statistics are reported in a semicolon-delimited format. The first row is the column header. Werecommend putting the data into a spreadsheet for easier viewing.

• The time values in the report (Avg, Min, Max, Total) are displayed in milliseconds.• You must refresh the screen to see updates.• To reset the counters, click the Invoke button next to reset.• If you stop the Spectrum™ Technology Platform server, performance monitoring will be turned off. Youwill have to turn it back on when you start the server again.

Monitoring Memory UsageThe JMX Console allows you to monitor the JVM heap usage of each remote component.

The monitoring processes for Spectrum Spatial are:

• Spatial:name=Process,type=Remote Feature Component

• Feature Service• Geometry Service• Named Resource Service• User Management Service• WFS• CSW

• Spatial:name=Process,type=Remote Mapping Component

• Mapping Service• Map Tiling Service• WMS



Memory usage (HeapMemoryUsage and NonHeapMemoryUsage) is based on the standard JVMmemoryMBean. It shows the memory usage of the JVM that the remote component running on. It includes theamount of init, max, committed and used memory.

RuntimeName includes the process ID that you can use to find more information from the operatingsystem (for example, by using the Windows Task Manager), or even kill the process.

In the heap sections, ={committed=72351744, init=65157504, max=954466304,used=6559552}) are shown in bytes. The number is for a particular remote component, which includesmultiple services. Each remote component runs in its own JVM, and the JVM only runs this component.

Init is the initial amount JVM allocated (-Xms); max is the one specified by –Xmx. Used is the amountof memory that used by JVM for objects. The relationship is like this: –Xms < committed < -Xmx, andused < committed.

You can modify the heap memory by modifying the -Xm in the java.vmargs file under the spatial folder(<Installed>\Pitney Bowes\Spectrum\server\modules\spatial\java.vmargs). See Increasing Heap Memoryfor more instructions.


Monitoring Memory Usage

5Managing Memory andThreading

In this section:

• Introduction to Managing Memory and Threading . . . . .54• Spectrum Performance Tuning . . . . . . . . . . . . . . . . . . . . .54• Increasing Heap Memory for Spatial Components . . . . .55• Increasing Heap Memory for the Platform . . . . . . . . . . . .55

Introduction to Managing Memory and ThreadingThis section describes approaches for improving performance by managing memory and threading, andalso relates best practices for optimizing the performance of the Location Intelligence Module. It isintended for experienced administrators.

Spectrum Performance TuningSpectrum provides several tuning options to optimize performance of the server. The optimal selectionof settings is dependent on the nature of the deployment. To create a well-tuned server environment, itis recommended that performance tests should be executed in the deployed environment to determineoptimal settings. This section provides some general guidance on performance tuning.

JVM TuningSpectrum is a Java server, and as a result, JVM tuning parameters can be used to optimize performanceof remote components. The JVM can be configured through the /<spectrumroot>/server/modules/spatial/java.vmargs file.

To optimize Spectrum's performance using JVM tuning parameters:

1. Stop the Spectrum server.2. Open the java.vmargs file in a text editor. Set the maximum memory allocation on the JVM.

An allocation of 512m for each active CPU core is generally appropriate. Do not exceed the maximummemory available to your operating system and leave a suitable space for the operating system todo its work.

3. Save the file.4. Restart Spectrum.

Remote Components ConfigurationEach spatial service component in Spectrum™ Technology Platform is deployed into its own JVM instanceseparate from the platform run time. This ensures the platform is independent of the modules within itand that JVM configuration can be applied per service, allowing flexibility of memory allocation and tuningfor performance based on the characteristics of the service.

Remote components supply spatial functions to spatial services and stages. The pool size for a remotecomponent is the number of requests the component can handle concurrently. This affects the throughputof both spatial services and spatial stages.

Two remote components exist for the Location Intelligence Module: feature and mapping. Each of thesecomponents encompasses several services:

• spatial.feature

• Feature Service• Geometry Service• Named Resource Service• WFS• CSW

• spatial.mapping

• Mapping Service


Introduction to Managing Memory and Threading

• Map Tiling Service• WMS

Modifying the Pool SizeIn addition to JVM tuning, you can also adjust the pool size of the spatial remote components. The poolsize for a remote component is the number of requests the component can handle concurrently. Thissetting represents the number of threads on the components that are listening for service requests fromthe Spectrum™ Technology Platform or executing a Location Intelligence Module stage (that is, themaximum number of managed connections).

Every web service request enters Spectrum from the platform and is passed to the components. Thedefault value of 1 can be increased to accommodate greater request loads. A pool size that matchesthe number of CPUs is recommended. The maximum setting should not go above twice the number ofthe CPU core; for example, on a 4 CPUmachine the combined number of threads for all services shouldnot exceed 8. Performance tests should be run with various settings until optimal performance is achievedfor the usage.

You have the ability to adjust the pool size in Management Console for the spatial remote components:

1. Open the Management Console.2. Expand Modules > Location Intelligence > Tools then click Remote Components.3. Select the spatial component for which you want to adjust the pool size: spatial.feature or

spatial.mapping.4. Click Modify. The Modify Pool Size dialog box appears.5. Change the pool size using the arrows or by typing in a value.6. Click OK.7. If you decreased the pool size, restart the server. (Increasing the pool size does not require a server

restart.)

Related LinksRemote Components Configuration on page 54

Increasing Heap Memory for Spatial ComponentsTo increase the heap memory for spatial remote components:

1. Stop the Spectrum server.2. In a text editor, open the java.vmargs file from <Installed>\Pitney

Bowes\Spectrum\server\modules\spatial\java.vmargs.3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB, change

the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to -Xmx1536m-Djava.io.tmpdir=../app/tmp. This increases the memory of each spatial remote componentto 1.5GB and enables remote components to connect via Jconsole for debugging.

4. Save the java.vmargs file.5. Restart the Spectrum server.

Increasing Heap Memory for the PlatformTo increase the heap memory for the Spectrum platform:

1. Stop the Spectrum server.


Chapter 5: Managing Memory and Threading

2. In a text editor, open the wrapper.conf file from <Installed>\PitneyBowes\Spectrum\server\bin\wrapper.

3. Change the vmargs default of 1GB (1024MB). For example, to increase the memory to 2GB:

# Maximum Java Heap Size (in MB)wrapper.java.maxmemory=2048

4. Save the java.vmargs file.5. Restart the Spectrum server.


Increasing Heap Memory for the Platform

6Load Balancing SpatialServices Tutorial

In this section:

• About this Tutorial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58• Deployment Architecture . . . . . . . . . . . . . . . . . . . . . . . . .58• Install Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60• Set Up a Map Image File Share . . . . . . . . . . . . . . . . . . . . .60• Configure Spectrum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61• Configure Common Repository . . . . . . . . . . . . . . . . . . . . .62• Shared Spectrum Local Data . . . . . . . . . . . . . . . . . . . . . . .65• Performance Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65• Set Up Load Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

About this TutorialThe Spectrum spatial services that are included with the Location Intelligence Module are designed tosupport enterprise scale deployment requirements. This includes deployment configurations for highavailability and support for horizontal and vertical scaling. Spectrum's high availability configurationenables organizations to create fault tolerant deployments supporting requirements for continuous serviceprovision. Spectrum’s configurations for horizontal and vertical scaling provide the ability to grow thecapacity of a system to support greater load. The horizontal scaling configuration supports additionalload through addition of more servers to the cluster. The vertical scaling configuration grows the capacityof the system to support larger loads through the addition of greater hardware resources. Spectrum usesa load balancing based approach to deliver resilience and horizontal scaling architectures.

The goal of this tutorial is to illustrate the concepts of load balancing a Spectrum installation with thespatial services for resilience or high capacity. Both the concepts and the steps outlined in this tutorialcan apply to virtualized and native environments. The tutorial will provide information on scaling spatialserver horizontally and vertically.

This tutorial uses the following hardware/software and Spectrum components:

• Spectrum LIM Mapping Service• PostGres database 9.0.3• RedHat Linux 5.4

Deployment ArchitectureIn this tutorial we will create a load balanced Spectrum deployment. The diagram below illustrates thedeployment architecture of the configuration we will create. Load balancing can be used to support highavailability and scaling. The deployment architecture includes a load balancer, Spectrum spatial servicescluster, database and a file share. With this approach it is possible to scale both horizontally and vertically.


About this Tutorial

Load Balancer

The load balancer spreads requests between the Spectrum instances. Any load balancer that supportsload balancing HTTP/HTTPs requests can be used.

Spectrum Cluster

The cluster is a collection of Spectrum instances with LIM sharing administration, named resources,geographical metadata content and configuration settings. Additional nodes can be added to the clusterfor resilience or to deliver support for greater loads. Each node can be scaled vertically through additionalhardware resources and/or additional instances should this be required for hardware with massiveresources. Spectrum can be configured to use restricted numbers of CPUs.

Database

Spectrum stores named resources (maps, layers, tables and styles), geographic metadata andconfiguration in a repository. In the default single server installation an embedded database is used tostore these resources on the local server. To create a resilient scalable solution this embedded databaseshould be replaced with a resilient independent database. In this release Spectrum supports Oracle,PostGreSQL(PostGIS) and Microsoft SQL Server as repository databases.

In the load balanced configuration Spectrum nodes cache these resources in a local cache and searchindex in each node in the cluster. When a Spectrum node receives a request it uses the local cache and


Chapter 6: Load Balancing Spatial Services Tutorial

index to find resources. Named resources can be added through any node in the cluster. Each nodekeeps its cache current by checking for differences between its local cache and the central database.This check occurs every 2 seconds by default. Time frequency can be configured. This architectureensures the server delivers high performance transactions and the load on the repository database iskept to a minimum. If a new Spectrum is added to the cluster the cache and index are createdautomatically. Such a scenario can occur to remedy a node failure or grow the capability of the deployment.

File Share

The file share provides a folder to hold map images generated by Spectrum. When maps are rendererusing the web services the server supports the map images being returned through URLs or returnedas a base 64 encoded image. When a URL is returned the map image is stored as a file and served onrequest of the URL. To ensure any Spectrum node can return the map image a file share is used to storethe images.

Install SpectrumIn this step we will create a Spectrum deployment.

To install Spectrum into your VM instance:

1. Copy the Spectrum Linux installer to the target server with Red Hat operating system.2. Install Spectrum.

For this tutorial we will follow the default installation but not install the license key. The installationguide for UNIX and Linux provides more information on the installation process.

a) Locate the install.sh installerb) Ensure the user has execute permission

chmod a+x install.sh

c) Execute install.sh

install.sh

The installer will walk you through the installation process.

3. Copy the license key into the server/app/import directory of each Spectrum installed.4. Start Spectrum

It is possible to install multiple installations of Spectrum on the same operating system. This can beused to provide flexibility when vertically scaling the server. To support multiple installations on thesame machine the hidden file /var/.com.zerog.registry.xml needs to be renamed to enable a newinstallation to a different folder and port on the same machine.

Spectrum is now installed. The next step is to configure the Spectrum load balanced cluster deployment.

Set Up a Map Image File ShareThe file share provides a folder to hold map images generated by Spectrum . Create a shared folderaccessible to all Spectrum nodes. The file share is not required if maps are returned from the web servicesas base 64 encoded images.

To set up a map image file share:


Install Spectrum

1. Mount a shared folder on each operating system hosting Spectrum. The commands below mount adrive on a Microsoft Windows Server or network drive supporting CIFS.

mkdir /mnt/<linux mount>mount -t cifs //<windows host>/<windows share> /mnt/<linux mount>-ousername=shareuser,password=sharepassword,domain=pbi

2. Set the image share to load at startup in /etc/fstab.

//<windows ip address for share>/share /path_to/mount cifsusername=server_user,password=secret,_netdev 0 0

Configure SpectrumOnce Spectrum is installed, you need to configure your instance before you can replicate it to anothervirtual machine. If you are not using a virtual machine environment, you will need to perform these stepson each of your Spectrum installations.

Add the Map File Share to SpectrumContext for the current task

1. Modify the Mapping service configuration by pointing to a shared image folder and load balanceserver. In the ImageCache change the Directory parameter to a common image directory, and changethe AccessBaseURL parameter to the load balancer machine image URL.

If using a virtual machine environment, remember this IP address, as you must set the load balancerVM to this IP in the section Set Up Load Balancer on page 65.

<ImageCache><Directory>/mnt/<linux mount>/images</Directory><AccessBaseURL>http://<loadbalance_IP_address>/Spatial/images</AccessBaseURL>

<FileExpire>30</FileExpire><ScanInterval>30</ScanInterval></ImageCache>

2. Set up symbolic link to enable map images to go to the shared file system.

cd /<spatial server root>/server/modules/spatialrm –Rf imagesln -s / mnt/<linux mount>/images

Modify the Service ConfigurationsTo modify the service configurations for load balancing:

In each service configuration file, change the <RepositoryURL> to point to the load balance serverrepository URL.The RepositoryURL should change to point to the balancer fromhttp://<Spectrum>/RepositoryService/rmi tohttp://<Balancer>/RepositoryService/rmi.



Modify Java Properties FileTo modify the java properties for Spectrum™ Technology Platform:

1. Modify the java.properties file, located in <spectrum>/server/modules/spatial/java.properties, to pointto the load balance server.

2. Change the images.webapp.url and all of the service host and port numbers to point to the loadbalance server.

Configure Ports for Multiple Spectrum InstancesIf you have multiple Spectrum™ Technology Platform instances on a single machine, you must changethe port numbers.

To change the port numbers for each Spectrum instance:

1. Change all ports in <Spectrum root>/server/app/conf/spectrum-container.properties to new portvalues that are not in use. The http port reflects the port number entered in the installer.

2. Update the rmi port in bootstrap.properties in the bin/jackrabbit folder (e.g. 11099). The default is1099.

Configure Common RepositoryThe next step is to configure Spectrum to use a common repository database for the cluster. This ensuresthat named resources, geographic metadata and configuration settings are managed across the cluster.The description below describes how to configure Spectrum to use a common repository database. Thistutorial will use a PostgreSQL database. It is possible to use an Oracle or Microsoft SQL Server database.

The repository is installed with a set of named resources, geographic metadata and configuration files.To migrate these resources to the common database repository the resources need to be exported fromthe default internal repository database and reimported into the new shared repository database.

To provide support for bulk export/import of repository content Spectrum repository provides a WebDAVinterface.

Bulk Export Using WebDAVYou need to export the contents of the installed repository. This step only needs to be performed onceas the contents of the repository should be the same at this point for all instances of Spectrum. Thereare many free WebDAV clients including Microsoft Windows Explorer and GNOME- Nautilus. For thisLinux focused tutorial we will use GNOME- Nautilus to export the resources from Spectrum.

1. Start Spectrum.2. Connect to Spectrum using WebDAV:

a) Connect to the WebDAV Directory using GNOME – Nautilus.b) Select Connect to Server in the Places menu. This will open a File Browser window.

The repository is at the following location.http://<YourMachine>:<Port>/RepositoryService/repository/default


Configure Common Repository

3. Copy the content of the repository to a local drive.

Set Up the Common Repository DatabaseThese steps need to be performed on all instances of Spectrum in your load balanced environment:

1. Stop Spectrum.2. Add the database JDBC drivers to the Spectrum common lib directory to allow it to use the selected

database.

In this tutorial we are using PostGreSQL JDBC drivers. Copy the /<spectrumroot>/server/modules/spatial/lib/postgresql-8.4-701.jdbc4.jar file to /<spectrumroot>/server/app/lib/postgresql-8.4-701.jdbc4.jar


<FileSystem class="org.apache.jackrabbit.core.fs.db.DbFileSystem"><param name="driver" value="org.postgresql.Driver"/><param name="url"

value="jdbc:postgresql://<hostname>:<port>/<databasename>"/><param name="schema" value="postgresql"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="schemaObjectPrefix" value="rep_"/></FileSystem>


<PersistenceManagerclass="org.apache.jackrabbit.core.persistence.bundle.PostgreSQLPersistenceManager">

<param name="url"value="jdbc:postgresql://<hostname>:<port>/<databasename>"/>

<param name="schema" value="postgresql"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="schemaObjectPrefix" value="${wsp.name}_"/><param name="externalBLOBs" value="false"/></PersistenceManager>




<Cluster id="node1" syncDelay="2000"><Journal class="org.apache.jackrabbit.core.journal.DatabaseJournal">

<param name="revision" value="${rep.home}/revision.log" /><param name="driver" value="org.postgresql.Driver" /><param name="url"

value="jdbc:postgresql://<hostname>:<port>/<databasename>" /><param name="schema" value="postgresql"/><param name="schemaObjectPrefix" value="rep_"/><param name="user" value="<user>"/><param name="password" value="<pwd>"/><param name="databaseType" value="postgresql"/></Journal></Cluster>



4. Remove the following folders from the /server/modules/spatial/jackrabbit directory for each instanceof Spectrum: repository, version, workspaces.

5. If your PostGIS database has previously had repository content added, you must remove tables fromyour database so a clean repository can be created. If you are starting with a new database, pleasemake sure the tables do not exist. The following tables need to be removed from the database:

public.default_names_id_seqpublic.default_binvalpublic.default_bundlepublic.default_namespublic.default_refspublic rep_fsentrypublic.rep_global_revisionpublic.rep_journalpublic.rep_local_revisionspublic.security_binvalpublic.security_bundlepublic.security_namespublic.security_refs

Import the Repository ContentNext, import the content of the repository we previously exported back into the repository. This step onlyneeds to be performed on one of the Spectrum instances.

1. Start Spectrum2. Copy the previously exported content of the repository back into the repository. First, connect to

Spectrum using WebDAV:a) Connect to the WebDAV Directory using GNOME – Nautilus. Select “Connect to Server....” in the

Places menu. This will open a File Browser window.

The repository is at the following location.http://<YourMachine>:<Port>/RepositoryService/repository/default.


Configure Common Repository

b) Copy the content to the repository root directory.

Spectrum is now configured and ready to be load balanced.

Shared Spectrum Local DataIf you are using TAB file data on the file system, this data needs to be in a shared location accessibleby all instances of Spectrum in the load balanced environment. It is also important to note that all namedresources in the repository accessing data on the file system should point to this shared location.

Each VM or machine hosting Spectrum needs to have access to the mounted shared drive.

Using named resources that point to database tables do not require a shared drive, as the namedresources in the repository do not access the data using a file path; rather they use a namedconnection to the data in the database.

Note:

Performance TuningSee Spectrum Performance Tuning on page 54 for general guidance on optimizing the performanceof the Spectrum server.

Set Up Load BalancerNow that multiple instances of Spectrum are deployed and configured, the instances need to be loadbalanced. In this tutorial Apache HTTP Server is used as a load balancer. Any load balancer with supportfor load balancing http requests can be used.

In the Apache HTTP Server configuration (httpd.conf file e.g., /etc/httpd/conf/) turn on the proxyand load balance modules by adding the following sections at the end of the file. You will need to add



the IP addresses for the number of Spectrum instances you have created (replace <VMCloneIP1>:<PortNumber> with the correct IP address for each VM or system address.

<IfModule proxy_module>ProxyRequests Off<Proxy *>Order deny,allowAllow from all</Proxy>ProxyPreserveHost On

#Load Balancer Manager<Location /balancer-manager>SetHandler balancer-manager

Order deny,allowAllow from all</Location>

#MappingService<Proxy balancer://Spatial >BalancerMember http://<VMCloneIP1>:8080/SpatialBalancerMember http://<VMCloneIP2>:8080/SpatialBalancerMember http://<VMCloneIP3>:8080/SpatialBalancerMember http://<VMCloneIP4>:8080/Spatial</Proxy>ProxyPass /Spatial balancer://Spatial

#MappingService<Proxy balancer://soap>BalancerMember http://<VMCloneIP1>:8080/soapBalancerMember http://<VMCloneIP2>:8080/soapBalancerMember http://<VMCloneIP3>:8080/soapBalancerMember http://<VMCloneIP4>:8080/soap</Proxy>ProxyPass /soap balancer://soap

#RepositoryService<Proxy balancer://RepositoryService>

BalancerMember http://<VMCloneIP1>:8080/RepositoryService



BalancerMember http://<VMCloneIP4>:8080/RepositoryService</Proxy>

ProxyPass /RepositoryService balancer://RepositoryService

#REST Service<Proxy balancer://rest>

BalancerMember http://<VMCloneIP1>:8080/restBalancerMember http://<VMCloneIP2>:8080/restBalancerMember http://<VMCloneIP3>:8080/restBalancerMember http://<VMCloneIP4>:8080/rest

</Proxy>ProxyPass /rest balancer://rest

</IfModule>

For load balancing Spectrum, the following modules need to be loaded.

• LoadModule proxy_module modules/mod_proxy.so• LoadModule proxy_balancer_module modules/mod_proxy_balancer.so• LoadModule proxy_ftp_module modules/mod_proxy_ftp.so• LoadModule proxy_http_module modules/mod_proxy_http.so• LoadModule proxy_connect_module modules/mod_proxy_connect.so

You do not need to perform this task for load balancing the Apache HTTP Server that ships with theCentOS. These modules are loaded by default.


Set Up Load Balancer

Once you have updated your conf file save the changes and restart the load balancer. Use the followingcommand to restart the Apache HTTP Server load balancer:

• service httpd start• chkconfig httpd on

Sending a request through the load balance server might time out if the firewall of the Spectruminstances are turned on. In this scenario, either turn off the firewall on these machines, or modify

Note:

the service configuration files (e.g., MappingConfiguration) to point to the Spectrum instance forthat machine. For instance change the RepositoryURL from the load balance serverhttp://<Balancer>/RepositoryService/rmi to the local Spectrum instancehttp://<Spectrum>/RepositoryService/rmi.



7Troubleshooting YourSystem

In this section:

• Rebuilding a Corrupt Repository Index . . . . . . . . . . . . . .70• Monitoring Memory Usage of a Non-Responsive Server .70

Rebuilding a Corrupt Repository IndexSometimes the repository can become corrupt if the server is shut down abruptly or the Java processis killed (manually or due to a power outage). As a result, you may be unable to get resources that werepreviously searchable, and there will be no errors or warnings in the logs. Once you verify that permissionchanges are not the cause, rebuild the index to fix this issue:

1. Shut down the server.2. Delete the index directory at the following locations:

• <Spectrum>\server\modules\spatial\jackrabbit\workspaces\default• <Spectrum>\server\modules\spatial\jackrabbit\workspaces\security• <Spectrum>\server\modules\spatial\jackrabbit\repository

3. Restart the server.Jackrabbit re-creates the index at the above locations while booting.

After rebuilding the index, the search works correctly again.

Monitoring Memory Usage of a Non-ResponsiveServer

If your Spectrum server stops responding, you can follow the steps below to monitor its performanceand resource consumption. This monitoring provides information you can use to adjust memory andthreading usage.

1. Check whether a service other than the Mapping Service is working. For example, start the FeatureService on the demo page: http://<servername>:<port>/Spatial/FeatureService//DemoPage.html.This determines whether the whole server is down or just the Mapping Service.

2. Verify you have enough disk space for both Mapping and MapTiling images to be stored by inspectingthe configuration files:

• Mapping:http://localhost:8080/RepositoryService/repository/default/Configuration/MappingConfigurationunder "<Directory> C:\Program Files\PitneyBowes\Spectrum/server/modules/spatial/images </Directory>"

• MapTiling:"http://localhost:8080/RepositoryService/repository/default/Configuration/MapTilingConfiguration"under "<Property name="diskPath" value="C:/Program Files/PitneyBowes/Spectrum/server/modules/spatial/TileCache"/>"

3. Stop the Spectrum server.4. In a text editor, open the java.vmargs files from <Installed>\Pitney

Bowes\Spectrum\server\modules\spatial\java.vmargs.5. Change the vmargs from the default of -Xmx1024m -Djava.io.tmpdir=../app/tmp to

-Xmx1536m -Djava.io.tmpdir=../app/tmp . This increases the memory of each spatialremote component to 1.5GB and enables remote components to connect via Jconsole for debugging.

You can increase memory to 2 GB if you have enough memory on the server (forexample,-Xmx2048m).

Note:

6. Save the java.vmargs file.7. Start the server wrapper:

a) Open a command prompt as Administrator.


Rebuilding a Corrupt Repository Index

b) Go to <Installed>\Pitney Bowes\Spectrum\server\bin\wrapper directory and typewrapper.exe -c.

This Spectrum server will start in a few minutes.8. When the server is started, run the following requests from the demo pages:

a) Open http://<servername>:<port>/Spatial/MappingService/DemoPage.html and run the ListNamed Maps request.

b) Open http://<servername>:<port>/Spatial/FeatureService/DemoPage.html and run the List TableNames request.

9. Go to <Installed>\Pitney Bowes\Spectrum\java64\bin and run jconsole.exe.10. Under Local Process, select the wrapper process.11. In Jconsole, add a new session and select the Feature Service process.12. In Jconsole, add a new session and select the Mapping Service process.13. Leave Jconsole running to monitor the memory, CPU, threads, and so on for the Spectrum Platform

wrapper for Feature Service and Mapping Service.


Chapter 7: Troubleshooting Your System

8Appendix - ManagingSecurity with the UserManagement Service

In this section:

• Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74• Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75• Setting User Permissions . . . . . . . . . . . . . . . . . . . . . . . . .77

IntroductionThis chapter provides a basic introduction to the User Management Service. It describes what the UserManagement Service is and rules for using it.

What Is the User Management Service?The User Management Service provides a simplified interface to manage security for the repository,focused on how to restrict who can access the resources in the repository. Setting security allows youto expose or restrict different resources (subsets of your data and resources) to different users ordepartments. To enforce this, security has been added to Spectrum™ Technology Platform that allowsyou to specify which users get to see what resources.

The Spectrum™ Technology Platform repository security is managed using an internal ACL (AccessControl List). This allows you to specify which users are granted access to resources, as well as whatoperations are allowed on given resources. The operations for repository user management are performedusing the User Management SOAP interface.

Service URL FormatsThe URL endpoint for the User Management SOAP service has the following general form:

http://localhost:8080/soap/UserManagementService

The URL for the User Management WSDL has the following general form:

http://localhost:8080/soap/UserManagementService?wsdl

The URL for the User Management service Demo page has the following general form:


Creating and Managing Users For Spectrum™ Technology PlatformCreating and managing users is a two step process:

1. Create the user using the Spectrum™ Technology Platform Management Console. This allows theuser to authenticate with the Spectrum™ Technology Platform services.

2. Give the user permissions using the User Management Service SOAP interface. This allows the userto access resources in the repository.

You do not have to add the admin or guest users to Spectrum™ Technology Platform. Theseusers have already been created.

Note:


Introduction

Rules Using the User Management Service SOAP InterfaceThe following rules apply when setting permissions for users using the User Management SOAP Interface:

1. You must first have created users in the Spectrum™ Technology Platform Management Console(giving them access to the services).

2. There is a default 'everyone' user group that is applied to resources when you do not specify setpermissions. This user group has READ permissions. So all users have READ permissions on aresource unless modified using the User Management SOAP Interface.

3. You need to provide a user read, add, and modify permissions to allow them the ability to addNamed Tables using the Management Console, modify any resources in the repository, add or modifyany resources using the Named Resource Service, or perform a harvest operation using the CSWService.

4. You do not have to add the admin or guest users. These users have already been created.

The following permissions are required for performing the following actions, either directly usingWebDAVorWebFolder, using the Resource Management service, or harvesting metadata using the CSW service:

AllModifyRemoveAddReadAction

XAccess a subfolder

XXAdd a subfolder

XXRemove a subfolder

XXXAdd files to a folder

XXXRemove files from a folder

XXUpdate files in a folder

XModify permissions of a folder

Managing UsersThis section describes how to manage users in Spectrum™ Technology Platform, specifically create,modify, and delete users that access the management consoles and services. You must create all usersusing theManagement Console, and set permissions to access the repository using the User ManagementService.

Starting the Management ConsoleStart the Spectrum™ Technology PlatformManagement Console by selecting Start > Programs > PitneyBowes >Spectrum™ Technology Platform >Client Tools >Management Console from your desktop.

To connect to the Spectrum™ Technology Platform Management Console:

1. Type in the server name or select it from the drop-down list.

If you have multiple instances of the Management Console accessing the same Spectrum™

Technology Platform server, it is possible for one user to overwrite another user's changes.Note:

Therefore, it is recommended that you do not run multiple instances of the ManagementConsole against the same server.

2. Enter your user name, password, and the port number.3. Click the Use secure connection box if you want communication between the client and the server

to take place over an HTTPS connection.4. Click Login. If this is your first time connecting, the user will default to "admin" and you must connect

with a password.


Chapter 8: Appendix - Managing Security with the User Management Service

The default port number is 8080 for HTTP connections. Use the port number appropriate foryour environment. Once you have successfully connected, this value will default for the nextconnection attempt.

Note:

Enabling User Permissions For ConsolesSpectrum™ Technology Platform can enforce permissions on user accounts when accessing the clientconsoles, providing you with additional control of the actions a user can take.

1. Open the Management Console.2. Expand Security then click Options.3. Click the Limit access according to user permissions checkbox to limit access to the permissions

established for individual users.

For instructions on defining permissions for each user, see Adding a New User on page 76,Modifying a User on page 76, or Deleting a User on page 76.

Managing User AccountsThis section describes you how to create users and set user security privileges for Spectrum™ TechnologyPlatform consoles.

Adding a New User1. Open the Management Console.2. Expand Security then click Users.3. Click Add. The New User window appears.4. Leave the Enable user box checked if you want this user account to be available for use.5. Enter the user name in the User name field.

User names can only contain ASCII characters.Note:

6. Enter the user's password in the Password field.7. Reenter the user's password in the Confirm password field.8. Enter the user's email address in the Email address field.9. Enter a description of the user in the Description field.10. Select the roles, if any, you want to assign to this user.11. Click OK.

Modifying a User1. Open the Management Console.2. Expand Security then click Users.3. Select the user whose permissions you want to modify and click Modify. The User Properties

window appears in which can modify the user name, password, email address, description, and roles.4. Click OK to save your changes.

Deleting a User1. Open the Management Console.2. Expand Security then click Users.3. From the User Management screen, select the user you want to delete and click Delete.4. Click Yes to delete or No to cancel.


Managing Users

The admin user account cannot be deleted.Note:

Setting User PermissionsThis section introduces the User Management SOAP Interface for managing users and permissions forresources in the repository. This interface allows you to get, set, add, or remove permissions for a user.

Use the demo page for the User Management Service as a quick tool for managing user permissions.Simply modify the sample requests to meet your needs. The User Management Service demo page islocated at http://localhost:8080/Spatial/UserManagementService/DemoPage.html

The User Management Service provides the following operations:

GetPermissionsRequestReturns the permissions for a particular user for a specified repository resource.

Parameters

The following parameters are used:

DescriptionExampleParameter

Specifies the method name to get the permissions for auser.

GetPermissionsRequestaction

Specifies the user to return permissions.user1UserName

Specifies the resource to return the permissions. Theresources specified in resourcePath are listed from the

/NamedTables/WorldTableResourcePath

top level of the repositoryhttp://localhost:8080/RepositoryService/repository/default/.

Example

The following example returns the permissions on the WorldTable resource for the user user1.



<v1:GetPermissionsRequest><v1:UserName>user1</v1:UserName>

<v1:ResourcePath>/Samples/NamedTables/WorldTable</v1:ResourcePath>

</v1:GetPermissionsRequest></soapenv:Body>

</soapenv:Envelope>




SetPermissionsRequestDefines the permissions for a particular user for a specified repository resource.When you set permissions,the basic read permissions are always kept for the user, however any additional permissions that werepreviously set or added are removed. For example if you set the modify permission for a user whocurrently had the all permission, that user will now have only read and modify permissions, and nolonger have the all permission.

Parameters



Specifies the method name to set permissions for a user.SetPermissionsRequestaction

Specifies the user to set permissions.user1UserName

Specifies the resource to set the permissions. Theresources specified in resourcePath are listed from the

/NamedTables/WorldTableResourcePath


Specifies the permissions. There are five validpermission types: read, all, add, modify, andremove.

addPermissions

Specifies if this operation should be performedrecursively on all child nodes of the given node in the

falseRecursive

repository. The default for recursive permission settingis false. If setting permissions on individual resourcesin the repository, the Recursive option will have no effect.

The ability to set permissions on a node ordirectory is no longer supported.

Note:

Example

The following example sets the permissions for user1 on the WorldTable resource to add and modify.After performing this operation the user1 will have read, add, and modify permissions on the WorldTableresource.



<v1:SetPermissionsRequest><v1:UserName>user1</v1:UserName>


<v1:Permissions><v1:Permission>add</v1:Permission><v1:Permission>modify</v1:Permission>

</v1:Permissions><v1:Recursive>false</v1:Recursive>

</v1:SetPermissionsRequest></soapenv:Body>

</soapenv:Envelope>


Setting User Permissions

AddPermissionsRequestAdds new permissions to the users set of permissions for a specified repository resource. When youadd permissions, the existing permissions are always kept for the user, and the new permissions areappended. For example if you add a modify permission for a user that currently has read and removepermissions, that user will now have read, remove, and modify permissions.

Parameters



Specifies the method name to add permissions for auser.

AddPermissionsRequestaction

Specifies the user to add permissions.user1UserName

Specifies the resource to add the permissions. Theresources specified in resourcePath are listed from the

/NamedTablesResourcePath


Specifies the permissions. There are five validpermission types: read, all, add, modify, andremove.

addPermissions


falseRecursive



Note:

Example

The following example adds the modify permission for user1 on the WorldTable resource.



<v1:AddPermissionsRequest><v1:UserName>user1</v1:UserName>


<v1:Permissions><v1:Permission>modify</v1:Permission>


</v1:AddPermissionsRequest></soapenv:Body>



</soapenv:Envelope>

RemovePermissionsRequestRemoves permissions from the users set of permissions for a specified repository resource. When youremove permissions, the specified permissions are removed from the existing set of permissions. Thisis the easiest way to restrict a user from accessing a particular resource. By removing the read permissionfor a user for a particular repository node or resource, they cannot be accessed by that user.

Parameters



Specifies the method name to remove permissions fora user.

RemovePermissionsRequestaction

Specifies the user to remove permissions.user1UserName

Specifies the resource to remove the permissions. Theresources specified in resourcePath are listed from the

/NamedTablesResourcePath


Specifies the permissions. By removing the readpermission, a user would no longer have access to a

readPermissions

resource. There are five valid permission types: read,all, add, modify, and remove.


falseRecursive



Note:

Example

The following example removes the read permission for user1 on the WorldTable resource.



<v1:RemovePermissionsRequest><v1:UserName>user1</v1:UserName>


<v1:Permissions><v1:Permission>read</v1:Permission>



Setting User Permissions

</v1:RemovePermissionsRequest></soapenv:Body>

</soapenv:Envelope>



Notices

© 2013 Pitney Bowes Software Inc. All rights reserved. MapInfo and Group 1 Software are trademarksof Pitney Bowes Software Inc. All other marks and trademarks are property of their respective holders.

USPS® Notices

Pitney Bowes Inc. holds a non-exclusive license to publish and sell ZIP + 4® databases on optical andmagnetic media. The following trademarks are owned by the United States Postal Service: CASS, CASSCertified, DPV, eLOT, FASTforward, First-Class Mail, Intelligent Mail, LACSLink, NCOALink, PAVE,PLANET Code, Postal Service, POSTNET, Post Office, RDI, SuiteLink , United States Postal Service,Standard Mail, United States Post Office, USPS, ZIP Code, and ZIP + 4. This list is not exhaustive ofthe trademarks belonging to the Postal Service.

Pitney Bowes Inc. is a non-exclusive licensee of USPS® for NCOALink® processing.

Prices for Pitney Bowes Software's products, options, and services are not established, controlled, orapproved by USPS® or United States Government. When utilizing RDI™ data to determine parcel-shippingcosts, the business decision on which parcel delivery company to use is not made by the USPS® orUnited States Government.

Data Provider and Related Notices

Data Products contained on this media and used within Pitney Bowes Software applications are protectedby various trademarks and by one or more of the following copyrights:

© Copyright United States Postal Service. All rights reserved.

© 2013 TomTom. All rights reserved. TomTom and the TomTom logo are registered trademarks ofTomTom N.V.

© Copyright NAVTEQ. All rights reserved

Data © 2013 NAVTEQ North America, LLC

Fuente: INEGI (Instituto Nacional de Estadística y Geografía)

Based upon electronic data © National Land Survey Sweden.

© Copyright United States Census Bureau

© Copyright Nova Marketing Group, Inc.

Portions of this program are © Copyright 1993-2007 by Nova Marketing Group Inc. All Rights Reserved

© Copyright Canada Post Corporation

This CD-ROM contains data from a compilation in which Canada Post Corporation is the copyright owner.

© 2007 Claritas, Inc.

The Geocode Address World data set contains data licensed from the GeoNames Project(www.geonames.org) provided under the Creative Commons Attribution License ("Attribution License")located at http://creativecommons.org/licenses/by/3.0/legalcode. Your use of the GeoNames data(described in the Spectrum™ Technology PlatformUser Manual) is governed by the terms of the AttributionLicense, and any conflict between your agreement with Pitney Bowes Software, Inc. and the AttributionLicense will be resolved in favor of the Attribution License solely as it relates to your use of the GeoNamesdata.

ICU Notices

Copyright © 1995-2011 International Business Machines Corporation and others.

All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software andassociated documentation files (the "Software"), to deal in the Software without restriction, includingwithout limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of theSoftware, and to permit persons to whom the Software is furnished to do so, provided that the above


http://www.geonames.org

http://creativecommons.org/licenses/by/3.0/legalcode

copyright notice(s) and this permission notice appear in all copies of the Software and that both theabove copyright notice(s) and this permission notice appear in supporting documentation.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THEWARRANTIES OF MERCHANTABILITY, FITNESSFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NOEVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLEFORANYCLAIM,ORANYSPECIAL INDIRECTORCONSEQUENTIALDAMAGES,ORANYDAMAGESWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTIONOF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR INCONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising orotherwise to promote the sale, use or other dealings in this Software without prior written authorizationof the copyright holder.


Copyright

Spectrum Spatial Administration Guide -...

Documents

Transcript of Spectrum Spatial Administration Guide -...