Planning for Security Updates

All installations of FME Server, regardless of type, include the FME Server Core and FME Engines. These components are always provided directly from the FME Server installation package. Two additional components - a Web Application Server and a server for the FME Server Database - must also be installed. When you choose an Express installation of FME Server, the install package provides its own versions of these components, including an Apache Tomcat web application servlet, and a PostgreSQL database server. If you choose a Distributed/Fault-Tolerant installation of FME Server, you may need to provide your own database server and web application server, depending on the scenario.

One factor in deciding between a stand-alone or distributed installation of FME Server is the degree of control you want in applying security updates to the web application and database servers. If you install a full, stand-alone FME Server (Express), keep in mind that any security updates to these components are dependent on updates to FME Server releases in general. Each time FME Server releases an update to its software (including both major and minor releases), any security updates for these components are included in that release.

If you do not want to rely on updates to the FME Server software in general for security updates to the web application and database servers, then we recommend a Distributed/Fault Tolerant installation. You can provide these components on your own, and maintain security for them separately. In the case of the web application server, Apache Tomcat and Oracle WebLogic are supported. The FME Server Database supports PostgreSQL, Oracle, and SQL Server. Alternatively, if your FME Server is entirely internal to your organization, and behind a firewall, then you may be more comfortable with the security updates provided with a full installation.

Reporting Potential Vulnerabilities

FME Server is comprised of many Java and 3rd-party libraries. It is possible for virus scanners to identify security vulnerabilities at any time during the life of an FME Server installation. When this occurs, you can search the FME Community for more information, or contact Safe Software Support to report the vulnerability. Safe Software takes all security vulnerability concerns seriously. Each concern is handled individually and we will report on the appropriate action once investigated.