Distributed Computing Cluster Machine Security
Important: The encryption and authentication settings for Distributed Computing Cluster are dependent on each other. If the Encryption Mode is set to None, the Authentication Mode must also be set to None.
Important: When Distributed Computing Cluster is performing OCR jobs, images are downloaded to the following directory on the DCC Worker machines: C:\ProgramData\Laserfiche\Distributed Computing Cluster\Temp. Although DCC cleans these files up, administrators should be aware of this and apply security to these folders if necessary.
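Example (added here, not part of the Laserfiche documentation): a PowerShell script that reports which broad Windows groups can read the Temp folder named above and, when run with -Apply, restricts the folder to SYSTEM, Administrators, and the Worker service account. The account name DOMAIN\dcc-service is a placeholder, and granting that account Modify rights is an assumption about what the Worker needs.

```powershell
param(
    [string]$TempPath = 'C:\ProgramData\Laserfiche\Distributed Computing Cluster\Temp',
    # Placeholder: replace with the Windows account the DCC Worker service runs as.
    [string]$ServiceAccount = 'DOMAIN\dcc-service',
    [switch]$Apply   # without -Apply the script only reports
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs of broad groups that would expose downloaded OCR images.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl = Get-Acl -LiteralPath $TempPath

# Audit: list every Allow entry held by a broad group, inherited or explicit.
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Translate($sidType).Value
    if ($broadSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Identity  = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No broad-group access found on $TempPath" }

if ($Apply) {
    # Stop inheriting from ProgramData and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries for the broad groups.
    foreach ($sid in $broadSids.Keys) { $acl.PurgeAccessRules($sidType::new($sid)) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount) {
        # Assumption: the Worker account needs Modify to write and clean up images.
        $rights = if ($id -eq $ServiceAccount) { 'Modify' } else { 'FullControl' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $rights, $inherit, $noProp, 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $TempPath -AclObject $acl
}
```

Run it once without -Apply on each Worker machine to see the current exposure before changing anything.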
Encryption
You can secure the communication channels between the Distributed Computing Cluster services and Laserfiche applications by specifying the encryption mode for each Scheduler and Worker. The encryption mode can be set to Windows TLS, SSL, or None. If you use SSL, an appropriate X.509 certificate must be installed on each machine the service will communicate with.
Authentication
By default, the Distributed Computing Cluster service does not attempt to authenticate users communicating with it (whether on behalf of Laserfiche applications or as Workers or Schedulers). You can configure Distributed Computing Cluster to use authentication by changing its authentication mode to Windows Authentication in the Laserfiche Web Administration Console or PowerShell.
To enable Windows Authentication for a Distributed Computing Cluster Machine
- Log in as a System Manager to the Laserfiche Web Administration Console where your Distributed Computing Cluster Scheduler is registered.
- Click Distributed Computing Clusters.
- Expand the cluster you want to enable Windows Authentication for. Then, click Machines.
- Click a machine.
- In the configuration for that machine, click the Settings tab.
- In the Authentication Mode drop-down list, select Windows Users.
- Click Save to save your changes.
Note: Changing the authentication settings for a Worker or Scheduler will cause it to restart.
When Windows Authentication is enabled, Distributed Computing Cluster uses role-based authorization to determine whether services or client applications can perform certain tasks. By default, these roles are given to one or more Windows groups.
When you install the Distributed Computing Cluster service or any Laserfiche application, you specify the Windows account it will run as. These Windows accounts typically are in the Administrators or Everyone Windows group, and the roles available in Distributed Computing Cluster have been set up to reflect this. The table below lists the four authorization roles available to Schedulers, Workers, and Laserfiche applications.
Role | Description | Default Windows Group |
---|---|---|
Admin | Can view administrative information for a Distributed Computing Cluster installation and make changes to it. | Administrators |
Read-Only | Can view administrative information for a Distributed Computing Cluster installation but cannot change it. | Administrators, Everyone |
Client | Can run jobs on a Distributed Computing Cluster installation. | Administrators, Everyone |
Worker | Can start Worker operations. Note: Each Worker's authorization group must contain the identities of every Worker and Scheduler associated with that Distributed Computing Cluster installation. | Administrators, Everyone |
The default settings will work for most Distributed Computing Cluster installations. If Distributed Computing Cluster or Laserfiche applications are running as Windows users that are not in the Administrators or Everyone group, or if you want to use different groups, you can customize these settings to fit your organization's needs.
You configure the authorization roles for Distributed Computing Cluster from the Laserfiche Web Administration Console.
To configure authorization roles for Distributed Computing Cluster
- Log in as a System Manager to the Laserfiche Web Administration Console where your Distributed Computing Cluster cluster is registered.
- Click Distributed Computing Clusters.
- Expand the cluster you want to configure authorization roles for, and then select a machine.
- Click the Users tab, and then click the Add button. The Add User window will appear. If the Users tab is not visible, the machine's Authentication Mode is set to None.
- In the User field, enter the Windows user or group name you want to add. Click the (…) button to browse.
- Next to Roles, select the role that the user or group will be assigned to.
- Click OK to finish adding the user or group.