Security

Windows

If the password needs to be reset for the super admin (username 'Administrator'), follow these steps:

  1. Stop the Data Studio service (Experian Aperture Data Studio Database Server), if running.

  2. On the machine running Data Studio, locate it's installation directory. By default, this will be in C:\Program Files\Experian\Aperture Data Studio {version}

  3. Open a command prompt as administrator and enter:
    "{path to Data Studio}\java64\bin\java.exe" -jar "{path to Data Studio}\servicerunner-{version}.jar" STARTUP RESETADMINPASSWORD
    Where {version} is the version of Data Studio you have installed, for example 2.0.14

  4. This will start the Data Studio server in the command line and prompt you to enter a new password (in the command line console).

  5. Once a valid password and been entered and confirmed, the Data Studio server will be started, the password will be updated and the server will be automatically shutdown.

  6. The Data Studio service can now be started as usual.

  7. Log in using the newly created password. You will be prompted to update it again via the UI for additional security.

Linux

  1. Remote into the container by executing sudo docker exec -it ads_datastudio_1 /bin/bash, where the ads_datastudio_1 is referring to the to the provisioned DataStudio container.
  2. On the container, run the command java -jar servicerunner-[version].jar STARTUP RESETADMINPASSWORD, where the version referring to current DataStudio version.
  3. Enter new password and confirm new password.
  4. Exit from the container by using exit command.
  5. Restart the containers by using docker-compose command.

Problem: Unable to access Data Studio with the error: Your connection is not private and the Advanced section containing the message: You cannot visit {Data Studio URL} right now because the website uses HSTS.

Cause: HTTP Strict Transport Security (HSTS) is a security mechanism which once enabled, only allows Data Studio to be accessed over HTTPS with a valid SSL certificate. This error means there is an issue with the SSL configuration and therefore HSTS is blocking access to Data Studio.

Resolution: The most common cause of this error is an expired SSL certificate. To update Data Studio with a new SSL certificate, you can either use a different browser (which hasn't had the HSTS policy set) or remove the HSTS policy from your existing browser. To remove the policy in Chrome:

  1. Navigate to chrome://net-internals/#hsts in a new tab.
  2. Enter the Data Studio domain in the Delete domain security policies field and press delete.

Data Studio will still show the same error message but now when clicking on Advanced, you should have the additional option to Proceed to {Data Studio URL}.

Problem: SSL certificate file cacerts is not found or applied certificates are not being utilised.

Cause: The SSL certificates file that is used by Aperture Data Studio is either not found or has not been updated with the correct certificate.

Resolution: The certificate file that is used by Aperture Data Studio is located in \certificates\cacerts, and a reference to this is located in the installation's Aperture Data Studio Service 64bit.ini file which must be correct. If you have moved the repository you must update the .ini file's reference to this file accordingly.
All public SSL certificates must be added to this file. Find out more about private CA root certificates.

SAML authentication

Problem: Unable to authenticate via your identity provider (IdP) to access Data Studio.

Cause: SAML settings have been misconfigured. This can range from a mismatch in certificate fingerprint to incorrectly populated URL values.

Resolution: Review the log file for the specific error. Below are several examples of specific errors and how to resolve them.

IdP signing certificate doesn't match provided certificate fingerprint

  • This indicates that the certificate fingerprint in Data Studio does not match the one provided by the IdP. Please recheck the certificate fingerprint, ensuring that you are providing Data Studio with the correct fingerprint, and that the fingerprint algorithm is correct.

    Note that the fingerprint algorithm is not the same as the signing algorithm. You can determine which fingerprint algorithm was used to generate your certificate fingerprint using the table below:

    Length of fingerprint (excluding colons) Fingerprint algorithm
    40 SHA1
    64 SHA256
    96 SHA384
    128 SHA512

Response received before/after the assertion lifetime

  • Either of these errors indicate that the Data Studio server and IdP server have clock settings that may be out of sync. Please ensure that they are aligned.

Problem: When accessing Data Studio via single sign-on (SSO), login fails due to a timeout.

Cause: The request generated by Data Studio for the user to authenticate via IdP has expired for security purposes.

Resolution: Use the Log in with SSO button on the Data Studio login page and try again.

Problem: Unable to access the Data Studio interface.

Cause: This can happen after disabling SSL in Data Studio and can occur in certain browsers due to their interaction with HTTPS cookies.

Resolution: Delete all browser cookies for the Data Studio domain and retry.

Communication

Problem: SMTP Test connection failed: Could not convert socket to TLS and an error reported in the datastudio.log: Unable to find valid certification path to requested target

Cause: If any certificates are missing in the Data Studio trust store, Data Studio will fail to connect to the SMTP server with the above error.

Resolution: We have to generate the certificate from OpenSSL (ensure OpenSSL is installed in the server) and save it as .crt file and import it into the java trust store. This is mainly for SMTP servers that work with the STARTTLS protocol, where the connection is first established usually on port 25, and then after an initial server handshake, the socket is converted to TLS.

To get the certificate use OpenSSL Command:
openssl s_client -starttls smtp -crlf -connect <SMTP Server>:25

The certificate will be the text beginning with
-----BEGIN CERTIFICATE-----

and ending in
-----END CERTIFICATE-----

Then save the certificate as a .crt file and add it to the Data Studio Java truststore.
Finally, configure the SMTP connection:

  • Email Protocol: SMTP
  • SMTP Host Name: Your SMTP server
  • Port: Port, typically 25
  • Username: Username for authentication
  • Password: password
  • From address: For example no-reply@aperture.co.uk
  • Subject prefix: Optional subject prefix for all emails sent by Data Studio

Problem: An email notification from Aperture Data Studio contains a URL that is not reachable/shows IP address instead of the DNS hostname.

Cause: The Server.externalHttpHostAddress property is not setup correctly. This is used to translate the IP address to publicly accessible DNS hostname for email notifications.

Resolution: Set the server property Server.externalHttpHostAddress to the correct DNS name, where the server is publicly accessible.

Validate addresses

Your Experian Batch isn't configured correctly.

To check, go to the addressValidate\runtime folder in your Data Studio installation (e.g. C:\ProgramData\Experian\addressValidate\runtime).

Using the Command Prompt, run BATWV64.EXE (the Experian Batch API test harness). You should see the list of available address layouts. For Use layout number enter the number of the layout from the list that corresponds to a country you have configured.

If you get an error, Experian Batch hasn't been configured correctly. Contact us for help.

By default, the qaworld.ini contains all the address and component layouts used by each data set.

You shouldn't delete these layouts but you can make modifications as long as the layout continues to be valid (i.e. it works in the test harness).

If the qaworld.ini no longer contains address and component layouts, we recommend rolling back to the default version which can be found in addressValidate\templates.

The address validation engine has a hard limit of 32 handles. If you reach that limit, an error occurs and a message will be shown on screen: 4003: An error occurred in the Address validation engine: 'No free API handles' (-8610).

The number of handles that are currently in use is reported in the log.

12:36:06.266 [Thread-136] INFO  com.experian.datastudio.Qas.BatchObjectLayer.QasSearch - Batch handle count decreased from QasSearch: 29
12:36:06.272 [Thread-100] INFO  com.experian.datastudio.Qas.BatchObjectLayer.QasSearch - Batch handle count decreased from QasSearch: 28

Users will have to wait for address validation engine handles to be available before continuing.

Find duplicates

Local instance of Find duplicates

Problem: An error is reported when running Find duplicates: An error occurred running Find Duplicates step: Failed to connect to Standardization server.

Cause: The Standardize service is not running.

Resolution:
To fix the issue:

  1. Search for services from the start menu or go to Control Panel > System and Security > Administrative Tools > Services.
  2. Locate Experian Aperture Data Studio {version number} Standardize Server, right-click it and select Properties.
  3. Open the Log On tab.
  4. Select This account and enter NT AUTHORITY\NETWORK SERVICE as the account.
  5. Click Apply to save changes.
  6. Right-click on Experian Aperture Data Studio {version number} Standardize Server and select Start.

Remote instance of Find duplicates

Problem: An error is reported when running Find duplicates: An error occurred running Find Duplicates step: Failed to connect to Standardization server.

Cause: The Standardize service is not running.

Resolution:
To fix the issue, you need to check you have sufficient privileges to start system services:

  1. Search for services from the start menu or go to Control Panel > System and Security > Administrative Tools > Services.
  2. Locate GdqStandardizeServer, right-click it and select Properties.
  3. Open the Log On tab.
  4. Select This account and enter NT AUTHORITY\NETWORK SERVICE as the account.
  5. Click Apply to save changes.
  6. Right-click on the GdqStandardizeServer service and select Start.

Problem: When attempting to start the Tomcat service, the service startup fails. This occurs for two main reasons, outlined below.

Cause 1: Tomcat is unable to find java installed on that machine.

Resolution 1: Configure the JAVA_HOME environment variable.

  1. Right-click the Computer icon and choose Properties, or in Windows Control Panel, choose System.
  2. Choose Advanced system settings.
  3. On the Advanced tab, click Environment Variables.
  4. In System variables, click New to create a new JAVA_HOME setting, or Edit to modify an existing setting.
  5. Set the path to the local Java 17 installation folder.
    System variables window showing the path of JAVA_HOME set to the local Java 17 installation folder.

Cause 2: There is insufficient memory allocated to Tomcat.

Resolution 2:
It is recommended that a minimum of 8GB RAM is allocated to Tomcat.

  1. Navigate to the \bin folder in the Tomcat installation location.
  2. Run tomcat10w.exe
  3. In the Java tab, set the minimum and maximum memory pool.
    Example memory pool allocation in the Java tab.

Problem: The Find Duplicates server is running and the Find Duplicates Swagger page (http://{host}:8080/match/docs/index.html, or http://{host}:8080/match-rest-api-{version}/match/docs/index.html if this is a Tomcat deployment) is accessible, but Data Studio reports an invalid URL when testing the connection and calling the \system endpoint from Swagger returns a 500 internal server error

Cause: The most likely cause for this is that the Find Duplicates service (or Tomcat if this is a web server deployment) does not have permissions to access the licensing folder (by default C:\ProgramData\Experian). This normally occurs if the service is running as a named user or as LOCAL_SERVICE.

Resolution: Two options exist for resolution.

  1. Change the service to run as LOCAL_SYSTEM
    • Open the Windows service manager
    • Select Properties for the Find Duplicates (or Apache Tomcat) service.
    • Select the Log On tab
    • Change the service to log on as the Local System account.
      Local system account selected in the Log On tab.
  2. Give the user account the service is running under full access to the licensing folder (by default C:\ProgramData\Experian).

Backup and restore

Data Studio data may be backed up by archiving the complete data directory structure as well as some other files stored in the program directory.

Log files

Data Studio generates log files which can be useful for monitoring or troubleshooting the application. These can be found in ApertureDataStudio/data/log folder or where otherwise configured.

To enable log downloads:

  1. Add Server.LogDownloads=true to the server.properties file and restart Data Studio server. Alternatively, turn on the Enable server log downloads option in Settings > System.
  2. Allocate the Download Server Logs permission to the relevant user(s).

By default, only the super admin will have access.

To access the logs go to System > Server logs.