Security

I see a description of the FME_SERVER_WEB_URL in documentation. Question: What does it do? With a setup that has a proxy server that relays requests to the FME Flow server via URL ReWrite and ARR, a flawed web-hook request (e.g., a parameter name address is given to a web hook that doesn’t have an address parameter) causes an error message to be returned to client--with details such as the internal server name (as set by FME_SERVER_WEB_URL, which is set to the internal server out-of-the-box) and the FME Flow username of user who published workspace. I understand changing service URLs for this sort of setup; that seems to be how the client knows how to download/stream the result. But FME_SERVER_WEB_URL seems to be more for just info provision (logging, etc.). What if I don’t want the FME_SERVER_WEB_URL parameter to show the internal server name in error messages from bad web-hook requests?

We are upgrading to FME Flow 2024 and wanting to make some improvements. As part of this we want to know if we can have a user upload workbenches to FME Flow. Then login to FME Flow with their user account, but somehow build automations, streams, apps, and scheduled jobs to run under a different user account. We are trying to migrate from putting the all the running automations, schedules, and other items under individual user accounts. Instead we want to assign to a departmental account. Since we have FME Flow tied into our Active Directory this will prevent any permission issues of jobs not working when an employee leaves the company and their AD account is suspended. I didn’t really want to have every user login to FME Flow with the departmental user account. Then we won’t keep the individual repositories for workspaces and will become a mess. I know the GUI/Web Front End as-is doesn’t support this but trying to decide what approach I could do to solve this.My easiest thought is to

Apparently since fixing this problem https://support.safe.com/hc/en-us/articles/25407612007949-Known-Issue-FME-Flow-Apache-Tomcat-Vulnerability-with-X-Frame-Options-headerIn FME Flow 2025.1, embedding FME Flow content to other pages is disabled entirely by default.  Is there any chance to allow embedding from known sources or is embedding considered so risky that this would not be even considered? 

For those who have a connection setup to use a SharepointOnlineConnector in FME Flow. If you’re running 2024.1 or above, have you changed to use Application permissions with a tenant id, client id and client secret rather than using a delegated permission and authenticating with a username and password? Any issues with updating?

Hi, Looking to call a PowerShell script that will need to be run as a different user to the service account that runs the FME Flow service.FME Flow is a shared server and these credentials need to be secure from other users scheduling flows.I could use an encrypted xml file for the credentials, but then all who use the server would have access via the FME Flow service account. Putting the password in the workspace as a password, I still see it in plain text.While these work and I can make the exposure risk lower, still don’t seem ideal,What are my other options?

I am new to FME Flow. My organization had setup a FME Flow 2024.2 and integrated SAML for user login. I am just wondering whether I could use SAML account in FME Flow REST API and how to use it to generate a token for further REST API requests. Furthermore, is the generated token secure enough to prevent accessing other users’ resources, workspaces and data connections.Thanks in advance,Henry from TfNSW

 Since using FME Flow version 2024.2.3, running on Windows Server 2022. we face the following issues.BackgroundWe found that in FME Flow 2024.2.3 the network security protocol TLS1.3 is not configured by default. We expect it to work, see e.g. FME Community TLSv1.3 Support).  Also, for TLSv1.3, the minimum requirements for the versions of OpenSSL and Java used are:Tomcat 9.0.13 and later versions have built-in TLS 1.3 support For TLS 1.3 support, you need JDK 1.8.0_170 or later.As FME Support Third Party Component Versions reports, FME Flow 2024.2.3 uses Tomcat 9.0.91 and Java JDK 17.0.12+7.Actions First step: We enabled TLSv1.3 on our Server, by including the following keys in the Windows Registry: Windows Registry Editor Version 5.00 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server "Enabled"=dword:00000001 "DisabledByDefa

Hi,I created a token that is used in an HTTPCaller to download Workspaces from Flow via the Flow REST API. I granted the token only permission to access Repositories which worked fine but the problem is that as soon as a new repository is created, the initial permission is not extended for this new repos.  It seems that I either have to manually re-grant permissions everytime a new repository is created or grant “All Permissions”. Is there any better option?   

We use Azure Entra ID (formerly known as Azure Active Directory) with FME Flow to login the application.So now we have two methods: 1. user name and password2. button "Sign in with Microsoft"My colleagues often use the first method, which does not work for them.I set up the system events to notify me when a login is failed. But now I would like to know who tried and failed to login. Is there a log that shows the username someone used to try to login? Does anyone know which logfile it is in?ps it would be nice if I could hide the first login method. But that method is used by the admin-account. So I guess that is not an option.

Hi!After FME Flow upgrade from 2022.2.1. to 2023.1 our organization is not able to use login with Windows credentials (Active Directory) anymore. It seems to be similar issue to Known Issue: FME Server SSO failed login due to insufficient credentials (safe.com), the error message is Failed login by user YIIJygYGKwYBBQUCoIIJvjCCCbqgMDAu... due to insufficient credentials. We haven't changed the configuration and until now the upgrades to a newer version haven't broken login with Active Directory user. 

Hello,I am a newbie and want to use fmedownload api in our new webpage.what is the best way to integrate security?at the moment I would call the the get token service with user and password to get a temporary token.Then I would use this token and call fmedownload.Is that the best way? Will the token service be available in the future?thanksbest regards Gerhard

Hi,I get from our Security officer anmessage that there is an vulnerability dected on one of our servers.This server is has FME Flow 2023.2.2 Build 23781 - win64 which depend on Apache Tomcat.Can you tell me if there is an security risk? And how we can solve this?Thread is registered under: CVE-2023-44487.Thank you

Hi,I would like to ask if there is a way to share webconnections to group of users with partial permission (ie only access permission) not full permission. the issue with full permission that the shared users can be able to delete web connections I shared. I have to tried to take off their manager and create permission but still wont be able to let them do not remove the share connection.We are looking for a way can do partial permission setting up. Thank you very much. 😁 

I just reinstalled a test FME Flow 2024 (from .0 to .2), but was unable to restore a backup from the previous version. Something to do with encryption.This worries me, as we are getting close to wanting to upgrade our current 2022 servers.How can I make sure that backups from the old 2022 servers can be read by the new (2024) servers ?Thanks in advance.

Hi! I am getting a warning that FMEFlow is affected by CVE-2024-56337. I am running FME Flow 2023.1.1Is this correct?Is there a fix or are these CVE not applicable? Best regards/Kim 

 We're sending CORS headers, but not getting them back. How do we get them back?

Using FME Server 2021.1 Build 21607 - win64,  we have applied the Security Update: FME Flow Privilege Escalation Vulnerability using this link https://support.safe.com/hc/en-us/articles/31265482270349-Security-Update-FME-Flow-Privilege-Escalation-Vulnerability but even after applying the patch and re-starting FME services and even rebooting the hosting VM we are still seeing this message!  I know it is possible to just click on X and close this notification on admin page but I noticed that other team members who didn't close the notification still seeing that on page!Should we ask everyone to ignore it! shouldn't system automatically clear it?

Hey guys,Why do I get the error (some texts replaced for security reasons):Failed to load http://fme-serverdomain.com/fmedatadownload/repository/workspace.fmw?param1=somefile&param2=sometext&opt_responseformat=json&token=123456789&detail=high: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://someotherdomain.com' is therefore not allowed access.although I configured CORS to allow all hosts

Hi, I am trying to send EMAIL on Port 587 from FME Flow application (V 2023.1.1) and I get below error. Can someone please help on how to resolve this error? Do I need to specify port 587 on any configuration file? 

HiWe are about to configure Azure AD (Entra ID) Integration to authenticate users to our FME Flow. There are some workspace applications (flow apps) that are embedded into an ArcGIS Portal Experience builder app. The authentication to the ArcGIS Portal is also done with Azure AD accounts. The idea is, that the end user will open the ArcGIS Portal web application and access the FME Flow workspace application from that platform, rather than re-navigate to the Flow app. If SSO is enabled, will the FME Workspace/Flow app application authenticate automatically without extra login to the workspace application, when it is accessed from the ArcGIS Portal Experience application, as it is embedded to the application? Current setup with basic user authentication and FME Flow user access control fully inside FME Flow naturally requires a log-in to the app OR requires the Flow app to be published without authentication, but we want to ensure security. Does anyone have experience with this kind of s

HiI am the admin in my organisation for FME Flow and I woke this mornig with this messagehttps://support.safe.com/hc/en-us/articles/31265482270349-Security-Update-FME-Flow-Privilege-Escalation-VulnerabilityThe problem is that I can’t access it even after it asked me to log in.​@safe can you point me out to the right issue so I can understand the vulnerability that it might implicate in out environment?Best regards,Felipe Verdú

Today we saw this broadcast message from Safe Software on our FME Flow servers (2023.2.2):The link in the message is not working and I do not see any recent security issues. We have only external ports configured for dynamic engines and licenses. The FME Flow instance is not accesible from outside out network.I find a strange that they can create broadcast messages on our servers.That is all a bit suspicious, is anyone else experiencing the same? 

Hi Folks,I have previously installed and worked on FME Server, with my last usage being approximately 2–3 months ago.However, I am currently unable to log in, and the system displays the following error message:Could someone please assist in identifying the cause of this issue and guide me on resolving it?Thank you in advance for your support.

Out-of-the-box, FME Flow has an admin login for administration (member of fmeadmin and fmesuperuser).As a measure of added security, can a different, less common, login name be used for administration? In other words, if I were to create a login for administration purpose named MickeyMouse, add MickeyMouse to fmeadmin and fmesuperuser roles, and disable admin, does that work? Are there gotcha’s with doing that? Is it a measure of added security?

We currently have a process where an automation is stopped by any upstream failure triggering a workspace which contains a httpcaller with a call to the fme rest api to stop the automation. The request is configured to use $(FME_SERVER_WEB_URL) and an the Automation General Attribute/Key AutomationID to construct the request for the api so in this way it is generic. I’m wondering if there’s any way to use the user running the automation as authentication for the http request?