Configuring Run-As Security

To enable run-as security, you must edit the properties file for the 3DOrchestrate Distribution Server and make additional changes on each 3DOrchestrate Station.

All encryption key generation and management for the 3DOrchestrate run-as feature is automatic and requires no configuration. The system administrator needs only to enable the feature and specify the security domains for stations to authenticate user credentials.

Unless each station is manually configured, all stations will use the same security domain (realm) to authenticate user credentials. You can have different stations authenticate to different security domains, but each station can use only a single domain.

When the 3DOrchestrate Distribution Server and its stations use separate security domains, users must have a common username and password for all domains in which their job executes. It is not possible to authenticate a single job with multiple usernames and passwords.

This task shows you how to:

    • Enable Run-As Security in the 3DOrchestrate Distribution Server
    • Configure Run-As Security on a Windows Station
    • Configure Run-As Security on a Linux Station (Built-in DRM mode only)

Enable Run-As Security in the 3DOrchestrate Distribution Server

  1. Edit the <server_install_dir>/config/SMAExeServer-xxxx.properties file in the 3DOrchestrate Distribution Server installation to set the following properties:

    fiper.security.runas.enabled=
    fiper.security.runas.domain=

  2. Set fiper.security.runas.enabled to true. Uncomment and activate the line by deleting the leading # character.
  3. If you will be authenticating users with a Windows Active Directory server, set the fiper.security.runas.domain property to the name of your Windows domain:

    fiper.security.runas.domain=windows-domain

    Uncomment and activate the line by deleting the leading # character.

    If run-as security is enabled, this property can be set to a Windows security domain name that the 3DOrchestrate Distribution Server will use to look up users and passwords. Unless a particular 3DOrchestrate Station is explicitly configured otherwise, this domain name will be used by all Windows-based stations. This setting is ignored on Linux.

  4. If the 3DOrchestrate Distribution Server is installed on Linux and you are using LSF DRM mode or Open DRM, follow these additional steps:
    1. Log into the 3DOrchestrate Distribution Server computer as root.
    2. Open a terminal/shell, and change directory (cd) to the following directory:

      <server_install_dir>/config/

      In this directory, the file SMAExePlaunch was created by the deployment utility.

    3. Execute the following commands:

      chown root SMAExePlaunch
      chmod 4510 SMAExePlaunch

      Setting permissions to 4510 on the SMAExePlaunch file equates to set-user-id, owner read/execute, group execute only, and no access for others.

    4. Locate the following file:

      /etc/pam.d/login

      Make a copy of this file and rename it fiper. Be sure that the contents of this copy are identical to the original file.

  5. Stop and restart the 3DOrchestrate Distribution Server application in the application server.

By default, each 3DOrchestrate Station follows the run-as configuration of the 3DOrchestrate Distribution Server to which it is connected (as determined by the fiper.security.runas.enabled property in the SMAExeServer.properties file). You can use the Run-As property of a particular station to force it to run with run-as disabled even when the 3DOrchestrate Distribution Server has run-as enabled.

Configure Run-As Security on a Windows Station

By default, a station follows the run-as configuration of the 3DOrchestrate Distribution Server to which it is connected, but you can override that setting in the Run-As property of each station.

To configure a Windows-based station to use the run-as security feature, follow the steps below.

  1. Do one of the following:
    • If you plan to use the same security domain as the 3DOrchestrate Distribution Server, skip to step 3.
    • If you plan to use a security domain that is different from the one used by the 3DOrchestrate Distribution Server, continue with step 2.
  2. If you will be authenticating users with a Windows Active Directory server, edit the Domain property of the station to specify the name of the Windows domain to be used.

    The 3DOrchestrate Station will now use this domain to authenticate users' credentials instead of the domain specified in the SMAExeServer-xxxx.properties file of the 3DOrchestrate Distribution Server.

  3. Grant Read, Write, Execute, Create folders, and Create files access (or full access) on the 3DOrchestrate Station temporary directory to all users that may submit jobs. This directory is specified in the Temp Directory property of the station configuration (or the fiper.station.tempdir property in the properties file).

    The steps necessary for granting this access to the station temporary directory differ slightly across Windows operating systems and may require special access rights.

  4. Locate the system user rights as described below:
    • Windows Server 2016: Navigate to Start > Control Panel > System and Security > Administrative Tools > Local Security Policy; and from the Local Security Policy dialog box, access the User Rights Assignment settings under the Local Policies option.

    • Windows 10: Navigate to Start > Control Panel > System and Security > Administrative Tools > Local Security Policy; and from the Local Security Policy dialog box, access the User Rights Assignment settings under the Local Policies option.

  5. Add the user account that will run the station to the local Administrators group and grant that user the privilege Replace a process level token in the Local Security Policy dialog box.
  6. Log out and log back on to the station computer. This causes the operating system to recognize the privilege changes.

Configure Run-As Security on a Linux Station (Built-in DRM mode only)

By default, a station follows the run-as configuration of the 3DOrchestrate Distribution Server to which it is connected.

These configurations are only necessary if the DRM mode is built-in (the default). If the DRM mode is LSF or Open DRM, you must make similar configurations on the Linux-based 3DOrchestrate Distribution Server, as described above in Enable Run-As Security in the 3DOrchestrate Distribution Server.

To configure a Linux-based station to use the run-as security feature, you must 1) change permissions on the SMAExePlaunch file, 2) specify a temporary directory in the station properties, and 3) add a new file to the system's /etc directory.

  1. If you will be authenticating users with a Windows Active Directory server, edit the Domain property of the station to specify the name of the Windows domain to be used.

    The 3DOrchestrate Station will now use this domain to authenticate users' credentials instead of the domain specified in the SMAExeServer-xxxx.properties file of the 3DOrchestrate Distribution Server.

  2. Log into the 3DOrchestrate Station computer as root.
  3. Open a terminal/shell, and change directory (cd) to the following directory:

    <station_install_dir>/config/

  4. Execute the following commands:

    chown root SMAExePlaunch
    chmod 4510 SMAExePlaunch

    Setting permissions to 4510 on the SMAExePlaunch file equates to set-user-id, owner read/execute, group execute only, and no access for others. This requires that all users who will start run-as stations must be in the same group, which is recommended for production environments.

  5. Specify a temporary directory in the Temp Directory property of the station configuration (or the fiper.station.tempdir property in the properties file).

    The temporary directory must be world-writable; for example, something similar to /var/tmp/ds-tmp-dir/. Set the permissions on the temporary directory so that it is fully accessible by any user, by using the following command:

    chmod 1777 <temp-directory>

    For example:

    chmod 1777 /var/tmp/thisdir

    This mode sets the sticky bit, which allows contents (files, subdirectories) to be removed only by the owner (or root).

  6. Locate the following file:

    /etc/pam.d/login

    Make a copy of this file and rename it fiper. Be sure that the contents of this copy are identical to the original file.

  7. Start (or restart) the 3DOrchestrate Station program.
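The following script is an added example, not part of the 3DOrchestrate documentation or product. It scripts the Linux-side steps from both procedures above (the server-side steps for LSF/Open DRM mode and the built-in DRM station steps): uncommenting and setting the two fiper.security.runas properties, applying the 4510 set-user-id mode to SMAExePlaunch, creating the sticky world-writable temporary directory, and copying the PAM "login" service file to "fiper". Every path is a parameter, so it runs against an install directory, a test directory, or a copy of /etc/pam.d; the assumption that the properties file carries the commented lines "#fiper.security.runas.enabled=" and "#fiper.security.runas.domain=" is taken from the steps above. Each helper finishes with the check an administrator would run by hand afterwards (stat for the mode, cmp for the PAM copy), so a failed step is reported rather than silently left half-done.

```shell
#!/bin/sh
# Added example (not the product's own tooling). Applies and verifies the Linux
# run-as configuration steps described on this page. Run as root on a real host;
# as a non-root user the chown step is skipped and reported so the remaining
# checks can still be exercised against a test directory.
set -eu

# Uncomment and set one key in a Java-style properties file. Matches both the
# commented form ("#key=") and an active "key=..." line; appends the property
# if the file does not contain it at all.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^#*[[:space:]]*${key}=" "$file"; then
        sed -i "s|^#*[[:space:]]*${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Return the active (uncommented) value of a key; empty if it is not set.
get_property() {
    grep "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

# Steps 1-3 of the server procedure: enable run-as and set the Windows domain
# that Windows-based stations will authenticate against (ignored on Linux).
enable_runas() {
    file=$1; domain=$2
    set_property "$file" fiper.security.runas.enabled true
    set_property "$file" fiper.security.runas.domain "$domain"
}

# Step 4.3 (server) / step 4 (station): root-owned, mode 4510 launcher.
# 4510 = set-user-id, owner read/execute, group execute, nothing for others,
# so only members of the file's group can start a run-as station.
secure_launcher() {
    launcher=$1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$launcher"
    else
        echo "not root: skipping 'chown root $launcher'" >&2
    fi
    chmod 4510 "$launcher"
    # Verify the mode actually took effect (GNU stat prints 4510).
    [ "$(stat -c %a "$launcher")" = "4510" ]
}

# Step 5 (station): world-writable temporary directory with the sticky bit,
# so any job user can create files but only the owner (or root) can remove them.
prepare_temp_dir() {
    dir=$1
    mkdir -p "$dir"
    chmod 1777 "$dir"
    [ "$(stat -c %a "$dir")" = "1777" ]
}

# Step 4.4 (server) / step 6 (station): the PAM service "fiper" must be a
# byte-identical copy of "login". cmp confirms the copy was not altered.
copy_pam_service() {
    pamdir=$1
    cp "$pamdir/login" "$pamdir/fiper"
    cmp -s "$pamdir/login" "$pamdir/fiper"
}

# Usage (placeholder paths; substitute your own install directory):
#   ./runas-setup.sh --apply /opt/server/config CORP /var/tmp/ds-tmp-dir
if [ "${1:-}" = "--apply" ]; then
    config_dir=$2; domain=$3; temp_dir=$4
    enable_runas "$config_dir"/SMAExeServer-*.properties "$domain"
    secure_launcher "$config_dir/SMAExePlaunch"
    prepare_temp_dir "$temp_dir"
    copy_pam_service /etc/pam.d
    echo "run-as configuration applied; restart the server or station now"
fi
```

The launcher check is the one worth keeping in a post-install audit: because SMAExePlaunch is set-user-id root, any drift toward a more permissive mode (group or world write, or execute for others) widens who can invoke a root-owned launcher, so a periodic `stat -c %a` comparison against 4510 is a cheap detection for that.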