Security

Apparently since fixing this problem https://support.safe.com/hc/en-us/articles/25407612007949-Known-Issue-FME-Flow-Apache-Tomcat-Vulnerability-with-X-Frame-Options-headerIn FME Flow 2025.1, embedding FME Flow content to other pages is disabled entirely by default.  Is there any chance to allow embedding from known sources or is embedding considered so risky that this would not be even considered? 

For those who have a connection setup to use a SharepointOnlineConnector in FME Flow. If you’re running 2024.1 or above, have you changed to use Application permissions with a tenant id, client id and client secret rather than using a delegated permission and authenticating with a username and password? Any issues with updating?

Hi, Looking to call a PowerShell script that will need to be run as a different user to the service account that runs the FME Flow service.FME Flow is a shared server and these credentials need to be secure from other users scheduling flows.I could use an encrypted xml file for the credentials, but then all who use the server would have access via the FME Flow service account. Putting the password in the workspace as a password, I still see it in plain text.While these work and I can make the exposure risk lower, still don’t seem ideal,What are my other options?

I am new to FME Flow. My organization had setup a FME Flow 2024.2 and integrated SAML for user login. I am just wondering whether I could use SAML account in FME Flow REST API and how to use it to generate a token for further REST API requests. Furthermore, is the generated token secure enough to prevent accessing other users’ resources, workspaces and data connections.Thanks in advance,Henry from TfNSW

 Since using FME Flow version 2024.2.3, running on Windows Server 2022. we face the following issues.BackgroundWe found that in FME Flow 2024.2.3 the network security protocol TLS1.3 is not configured by default. We expect it to work, see e.g. FME Community TLSv1.3 Support).  Also, for TLSv1.3, the minimum requirements for the versions of OpenSSL and Java used are:Tomcat 9.0.13 and later versions have built-in TLS 1.3 support For TLS 1.3 support, you need JDK 1.8.0_170 or later.As FME Support Third Party Component Versions reports, FME Flow 2024.2.3 uses Tomcat 9.0.91 and Java JDK 17.0.12+7.Actions First step: We enabled TLSv1.3 on our Server, by including the following keys in the Windows Registry: Windows Registry Editor Version 5.00 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server "Enabled"=dword:00000001 "DisabledByDefa

Hi,I created a token that is used in an HTTPCaller to download Workspaces from Flow via the Flow REST API. I granted the token only permission to access Repositories which worked fine but the problem is that as soon as a new repository is created, the initial permission is not extended for this new repos.  It seems that I either have to manually re-grant permissions everytime a new repository is created or grant “All Permissions”. Is there any better option?   

We use Azure Entra ID (formerly known as Azure Active Directory) with FME Flow to login the application.So now we have two methods: 1. user name and password2. button "Sign in with Microsoft"My colleagues often use the first method, which does not work for them.I set up the system events to notify me when a login is failed. But now I would like to know who tried and failed to login. Is there a log that shows the username someone used to try to login? Does anyone know which logfile it is in?ps it would be nice if I could hide the first login method. But that method is used by the admin-account. So I guess that is not an option.

Hi!After FME Flow upgrade from 2022.2.1. to 2023.1 our organization is not able to use login with Windows credentials (Active Directory) anymore. It seems to be similar issue to Known Issue: FME Server SSO failed login due to insufficient credentials (safe.com), the error message is Failed login by user YIIJygYGKwYBBQUCoIIJvjCCCbqgMDAu... due to insufficient credentials. We haven't changed the configuration and until now the upgrades to a newer version haven't broken login with Active Directory user. 

Hello,I am a newbie and want to use fmedownload api in our new webpage.what is the best way to integrate security?at the moment I would call the the get token service with user and password to get a temporary token.Then I would use this token and call fmedownload.Is that the best way? Will the token service be available in the future?thanksbest regards Gerhard

Hi,I get from our Security officer anmessage that there is an vulnerability dected on one of our servers.This server is has FME Flow 2023.2.2 Build 23781 - win64 which depend on Apache Tomcat.Can you tell me if there is an security risk? And how we can solve this?Thread is registered under: CVE-2023-44487.Thank you

Hi,I would like to ask if there is a way to share webconnections to group of users with partial permission (ie only access permission) not full permission. the issue with full permission that the shared users can be able to delete web connections I shared. I have to tried to take off their manager and create permission but still wont be able to let them do not remove the share connection.We are looking for a way can do partial permission setting up. Thank you very much. 😁 

I just reinstalled a test FME Flow 2024 (from .0 to .2), but was unable to restore a backup from the previous version. Something to do with encryption.This worries me, as we are getting close to wanting to upgrade our current 2022 servers.How can I make sure that backups from the old 2022 servers can be read by the new (2024) servers ?Thanks in advance.

Hi! I am getting a warning that FMEFlow is affected by CVE-2024-56337. I am running FME Flow 2023.1.1Is this correct?Is there a fix or are these CVE not applicable? Best regards/Kim 

 We're sending CORS headers, but not getting them back. How do we get them back?

Using FME Server 2021.1 Build 21607 - win64,  we have applied the Security Update: FME Flow Privilege Escalation Vulnerability using this link https://support.safe.com/hc/en-us/articles/31265482270349-Security-Update-FME-Flow-Privilege-Escalation-Vulnerability but even after applying the patch and re-starting FME services and even rebooting the hosting VM we are still seeing this message!  I know it is possible to just click on X and close this notification on admin page but I noticed that other team members who didn't close the notification still seeing that on page!Should we ask everyone to ignore it! shouldn't system automatically clear it?

Hey guys,Why do I get the error (some texts replaced for security reasons):Failed to load http://fme-serverdomain.com/fmedatadownload/repository/workspace.fmw?param1=somefile&param2=sometext&opt_responseformat=json&token=123456789&detail=high: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://someotherdomain.com' is therefore not allowed access.although I configured CORS to allow all hosts

Hi, I am trying to send EMAIL on Port 587 from FME Flow application (V 2023.1.1) and I get below error. Can someone please help on how to resolve this error? Do I need to specify port 587 on any configuration file? 

HiWe are about to configure Azure AD (Entra ID) Integration to authenticate users to our FME Flow. There are some workspace applications (flow apps) that are embedded into an ArcGIS Portal Experience builder app. The authentication to the ArcGIS Portal is also done with Azure AD accounts. The idea is, that the end user will open the ArcGIS Portal web application and access the FME Flow workspace application from that platform, rather than re-navigate to the Flow app. If SSO is enabled, will the FME Workspace/Flow app application authenticate automatically without extra login to the workspace application, when it is accessed from the ArcGIS Portal Experience application, as it is embedded to the application? Current setup with basic user authentication and FME Flow user access control fully inside FME Flow naturally requires a log-in to the app OR requires the Flow app to be published without authentication, but we want to ensure security. Does anyone have experience with this kind of s

HiI am the admin in my organisation for FME Flow and I woke this mornig with this messagehttps://support.safe.com/hc/en-us/articles/31265482270349-Security-Update-FME-Flow-Privilege-Escalation-VulnerabilityThe problem is that I can’t access it even after it asked me to log in.​@safe can you point me out to the right issue so I can understand the vulnerability that it might implicate in out environment?Best regards,Felipe Verdú

Today we saw this broadcast message from Safe Software on our FME Flow servers (2023.2.2):The link in the message is not working and I do not see any recent security issues. We have only external ports configured for dynamic engines and licenses. The FME Flow instance is not accesible from outside out network.I find a strange that they can create broadcast messages on our servers.That is all a bit suspicious, is anyone else experiencing the same? 

Hi Folks,I have previously installed and worked on FME Server, with my last usage being approximately 2–3 months ago.However, I am currently unable to log in, and the system displays the following error message:Could someone please assist in identifying the cause of this issue and guide me on resolving it?Thank you in advance for your support.

Out-of-the-box, FME Flow has an admin login for administration (member of fmeadmin and fmesuperuser).As a measure of added security, can a different, less common, login name be used for administration? In other words, if I were to create a login for administration purpose named MickeyMouse, add MickeyMouse to fmeadmin and fmesuperuser roles, and disable admin, does that work? Are there gotcha’s with doing that? Is it a measure of added security?

We currently have a process where an automation is stopped by any upstream failure triggering a workspace which contains a httpcaller with a call to the fme rest api to stop the automation. The request is configured to use $(FME_SERVER_WEB_URL) and an the Automation General Attribute/Key AutomationID to construct the request for the api so in this way it is generic. I’m wondering if there’s any way to use the user running the automation as authentication for the http request?

Hi, looking for help please. We are using FME Flow 2024.1.3 Build 24627 - linux-x64 on Ubuntu 24.04 and trying to connect to an external FTP server to transfer files from FME Flow. Our client who owns the FTP Server are asking us to authenticate with both username / password and public / private keys ; we’ve supplied our client with the public key which they’ve loaded successfully. We can connect ok manually using both username / password and public / private keys, but when we try from FME Flow it fails on the public / private key and forces us to enter the password.What we are looking for is a way to call using the public / private key and also specifying a password.  

I have created an FME Server App. Is it possible to provide permission for another user to edit the App?I have granted full permission to Create Apps and also to the specific App to my other user but I get this error message when the user tries to edit the App:This Server App is owned by "admin". Only the owner or a user who can manage FME Server security permissions can edit this App.This seems to be highly restrictive.