
Set Optional Security Features

Set optional security features for your MATLAB® Job Scheduler cluster. For example, you can:

  • Create a shared secret file to establish trust between the processes on different machines.

  • Establish encrypted communication between MATLAB Job Scheduler, client and workers.

  • Configure the cluster to verify whether a MATLAB client can connect to your MATLAB Job Scheduler cluster.

  • Restrict privileged command usage to only specified users.

  • Configure the cluster to authenticate user credentials using your company Lightweight Directory Access Protocol (LDAP) server.

Before starting the mjs service on your cluster nodes, set a security level. For instructions, see Set MATLAB Job Scheduler Cluster Security.

In the following instructions, matlabroot refers to the location of your installed MATLAB Parallel Server™ software. Where you see this term used in the instructions that follow, substitute the path to your location.

You can find the mjs_def file in matlabroot/toolbox/parallel/bin for Linux® (mjs_def.sh) and Windows® (mjs_def.bat). To learn more about the parameters in the mjs_def file, see Define MATLAB Job Scheduler Startup Parameters.

Create Shared Secret File

The secret file establishes trust between the processes on different machines.

To create this file, run one of these scripts:

  • matlabroot/toolbox/parallel/bin/createSharedSecret on Linux operating systems

  • matlabroot\toolbox\parallel\bin\createSharedSecret.bat on Windows operating systems

Specify the location of the secret file in the SHARED_SECRET_FILE parameter in the mjs_def file to enable MATLAB Job Scheduler to find it. The shared secret file contains sensitive data and must be read-only for the user who starts the mjs process.

  • In a shared file system, all the nodes can point to the same secret file. The nodes can also share the same mjs_def file.

  • In a nonshared file system, create a secret file with the provided script, then copy the file to each node and make sure the mjs_def file of each node indicates the location of its secret file.

Set Encrypted Communication

To set encrypted communication between MATLAB Job Scheduler, the client, and the workers, set these values in the mjs_def file:

  • USE_SECURE_COMMUNICATION = true

  • ALL_SERVER_SOCKETS_IN_CLUSTER = true

Encrypted communication is provided using TLSv1.3.

Before R2023a: Encrypted communication is provided via an SSLSocket using TLSv1.2.

Note

Before R2023a: If you specify ALL_SERVER_SOCKETS_IN_CLUSTER as false in the mjs_def file, then the mjs service establishes encrypted communication between MATLAB Job Scheduler and workers only. Communication between workers is never encrypted. If communication between a worker and the client is sent via another worker, only the communication between that worker and the client is encrypted.

Additionally, all hosts that run job managers or workers require the secret file at the location specified by the SHARED_SECRET_FILE parameter in the mjs_def file. To create the secret file, see Create Shared Secret File.

Note

Encrypted communication is required when you use MATLAB Job Scheduler security level 3.

Set MATLAB Client Verification

Verify whether a MATLAB client can connect to your MATLAB Job Scheduler cluster.

You must use the same secret file as the cluster to create a certificate file. Use the certificate when you start the job manager and to create a certified cluster profile. To create the secret file, see Create Shared Secret File.

Connections between the MATLAB client and MATLAB Job Scheduler cluster are verified using mutual TLS (mTLS).

Configure MATLAB Job Scheduler Cluster

In the mjs_def file, set REQUIRE_CLIENT_CERTIFICATE to true.

Navigate to one of these folders:

  • matlabroot\toolbox\parallel\bin on Windows operating systems

  • matlabroot/toolbox/parallel/bin on Linux operating systems

When you have a location for the secret file, use the generateCertificate command to generate the certificate. Specify the path to the secret file and the name of the certificate.

generateCertificate -secretfile path_to_shared_secret_file/secret -certfile mjsClusterClientCert

To start the job manager, pass the path to the certificate file to the startjobmanager command using the -certificate flag.

startjobmanager -certificate mjsClusterClientCert

Create Certified Cluster Profile

The MATLAB client must also have a cluster profile with the correct certificate to connect to the job manager.

To create the certified cluster profile, use the createProfile command. Specify the name and hostname of the cluster and the path of the certificate file. For example, create a cluster profile for the cluster clusterName, host name mjsHost, and certificate file mjsClusterClientCert. The command creates a cluster profile file clusterName with the extension .mlsettings. This file contains the certificate that the MATLAB client needs to connect to the job manager.

createProfile -name clusterName -host mjsHost -certfile mjsClusterClientCert

The certificate and associated cluster profile control which users can connect to the job manager. You must store this data securely and distribute the cluster profile to users through a secure channel. You can use the Cluster Profile Manager to import a profile into the MATLAB client. For more information, see Discover Clusters and Use Cluster Profiles (Parallel Computing Toolbox).

Set Cluster Command Verification

MATLAB Job Scheduler cluster administrators can restrict use of MATLAB Job Scheduler cluster commands to only specified users. Restrict command use to prevent unauthorized users from sending privileged commands to the cluster. Privileged commands are commands that can change the state of the cluster.

Privileged Commands

This table lists the privileged commands that require verification. You can find the executables for these commands in these folders:

  • matlabroot\toolbox\parallel\bin on Windows operating systems

  • matlabroot/toolbox/parallel/bin on Linux operating systems

| Command | Description |
|---|---|
| pausejobmanager | Pause a job manager that is running under the mjs service. |
| resize | Determine or update resizing information for job manager processes under the mjs service. |
| resumejobmanager | Resume a job manager that is running under the mjs service. |
| startjobmanager | Start a job manager process and the associated job manager lookup process under the mjs service. |
| startworker | Start a MATLAB worker process under the mjs service. |
| stopjobmanager | Stop a job manager process and the associated job manager lookup process under the mjs service. |
| stopworker | Stop a MATLAB worker process under the mjs service. |
| util/clusterlogs | Set or get the log level of the mjs service. |
| util/workerRegisterWithJobManager | Register a MATLAB worker to a specified job manager. |

Note

Command verification is enabled by default when you set MATLAB Job Scheduler to Security Level 3.

Set Command Verification in mjs_def File

To require verification before the mjs service executes a privileged command on the cluster, set the REQUIRE_SCRIPT_VERIFICATION parameter to true in the mjs_def file.

You must also set the SHARED_SECRET_FILE parameter to the location of the secret file used by the mjs process you are trying to send commands to.

Specify the secret file using one of these options.

  • Provide a secret file at the command line. You can provide the path to the secret file when you send a privileged command to the cluster.

    For example, to stop a worker in the cluster, enter this command in a Windows or Linux command prompt:

    stopworker -name worker1 -secretfile path_to_shared_secret_file/secret

  • Provide a path in the mjs_def file. If you are using the same cluster host as the location of the secret file, you can provide a path to the secret file in the mjs_def file.

    Only users that have read access to the secret file can run privileged commands on the cluster.
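The following audit script is an added example, not MathWorks code. It checks an mjs_def.sh for the parameters named in the shared secret, encrypted communication, client verification and command verification sections, and checks the permissions on the secret file. It assumes parameters are written as NAME="value" shell assignments, treats commented-out parameters as unset rather than applying any default, and reads "read-only for the user who starts the mjs process" as no group or other permission bits; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MathWorks code): audit mjs_def.sh for the settings on this page.
# Assumption: parameters are NAME="value" shell assignments; commented lines are unset.

# Print the last uncommented value assigned to parameter $2 in file $1.
mjs_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# Print one FAIL line per finding for mjs_def file $1; return 1 if there are any.
audit_mjs_def() {
    a_rc=0
    for a_p in USE_SECURE_COMMUNICATION ALL_SERVER_SOCKETS_IN_CLUSTER \
               REQUIRE_CLIENT_CERTIFICATE REQUIRE_SCRIPT_VERIFICATION; do
        a_v=$(mjs_param "$1" "$a_p")
        [ "$a_v" = "true" ] || { echo "FAIL $a_p is '${a_v:-unset}', expected true"; a_rc=1; }
    done
    a_s=$(mjs_param "$1" SHARED_SECRET_FILE)
    if [ -z "$a_s" ] || [ ! -f "$a_s" ]; then
        echo "FAIL SHARED_SECRET_FILE '${a_s:-unset}' is not an existing file"; a_rc=1
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        a_m=$(ls -ld "$a_s" | cut -c5-10)
        [ "$a_m" = "------" ] || { echo "FAIL $a_s is accessible to group/other ($a_m)"; a_rc=1; }
    fi
    return "$a_rc"
}

# Write a constructed mjs_def.sh and secret file into directory $1 for the demo.
make_sample() {
    printf 'constructed-not-a-real-secret\n' > "$1/secret"
    chmod 644 "$1/secret"   # deliberately too permissive
    cat > "$1/mjs_def.sh" <<EOF
USE_SECURE_COMMUNICATION="true"
#ALL_SERVER_SOCKETS_IN_CLUSTER="true"
REQUIRE_CLIENT_CERTIFICATE="false"
REQUIRE_SCRIPT_VERIFICATION="true"   # privileged commands need the secret
SHARED_SECRET_FILE="$1/secret"
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_mjs_def "$demo_dir/mjs_def.sh" || echo "audit found problems"
rm -rf "$demo_dir"
```

On a nonshared file system, run the audit on each node against that node's own mjs_def.sh, because each node keeps its own copy of the secret file.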

Set LDAP Server Authentication

Configure MATLAB Job Scheduler to use your company Lightweight Directory Access Protocol (LDAP) server to authenticate user credentials. For details, see Configure LDAP Server Authentication for MATLAB Job Scheduler.
