Set Optional Security Features
Set optional security features for your MATLAB® Job Scheduler cluster. For example, you can:
- Create a shared secret file to establish trust between the processes on different machines. 
- Establish encrypted communication between MATLAB Job Scheduler, the client, and the workers.
- Configure the cluster to verify whether a MATLAB client can connect to your MATLAB Job Scheduler cluster. 
- Restrict privileged command usage to only specified users. 
- Configure the cluster to authenticate user credentials using your company Lightweight Directory Access Protocol (LDAP) server. 
Before starting the mjs service on your cluster nodes, set a security level. For instructions, see Set MATLAB Job Scheduler Cluster Security.
In the following instructions, matlabroot refers to the location of your installed MATLAB Parallel Server™ software. Where you see this term used in the instructions that follow, substitute the path to your location.
You can find the mjs_def file in matlabroot/toolbox/parallel/bin on Linux (mjs_def.sh) and Windows® (mjs_def.bat). To learn more about the parameters in the mjs_def file, see Define MATLAB Job Scheduler Startup Parameters.
Create Shared Secret File
The secret file establishes trust between the processes on different machines.
To create this file, run one of these scripts:
- matlabroot/toolbox/parallel/bin/createSharedSecret
- matlabroot\toolbox\parallel\bin\createSharedSecret.bat
Specify the location of the secret file in the SHARED_SECRET_FILE parameter in the mjs_def file to enable MATLAB Job Scheduler to find it. The shared secret file contains sensitive data and must be read-only for the user who starts the mjs process.
- In a shared file system, all the nodes can point to the same secret file. The nodes can also share the same mjs_def file.
- In a nonshared file system, create a secret file with the provided script, then copy the file to each node and make sure the mjs_def file of each node indicates the location of its secret file.
Set Encrypted Communication
To set encrypted communication between MATLAB Job Scheduler, the client, and the workers, set these values in the mjs_def file:
- USE_SECURE_COMMUNICATION = true
- ALL_SERVER_SOCKETS_IN_CLUSTER = true
Encrypted communication is provided using TLSv1.3.
Before R2023a: Encrypted communication is provided via an SSLSocket using TLSv1.2.
Note
Before R2023a: If you specify ALL_SERVER_SOCKETS_IN_CLUSTER as false in the mjs_def file, then the mjs service establishes encrypted communication between MATLAB Job Scheduler and workers only. Communication between workers is never encrypted. If communication between a worker and the client is sent via another worker, only the communication between that worker and the client is encrypted.
Additionally, all hosts that run job managers or workers require the secret file at the location specified by the SHARED_SECRET_FILE parameter in the mjs_def file. To create the secret file, see Create Shared Secret File.
Note
Encrypted communication is required when you use MATLAB Job Scheduler security level 3.
Set MATLAB Client Verification
Verify whether a MATLAB client can connect to your MATLAB Job Scheduler cluster.
You must use the same secret file as the cluster to create a certificate file. Use the certificate when you start the job manager and to create a certified cluster profile. To create the secret file, see Create Shared Secret File.
Connections between the MATLAB client and MATLAB Job Scheduler cluster are verified using mutual TLS (mTLS).
Configure MATLAB Job Scheduler Cluster
In the mjs_def file, set REQUIRE_CLIENT_CERTIFICATE to true.
Navigate to one of these folders:
- matlabroot\toolbox\parallel\bin on Windows operating systems
- matlabroot/toolbox/parallel/bin on Linux operating systems
When you have a location for the secret file, use the generateCertificate command to generate the certificate. Specify the path to the secret file and the name of the certificate.
generateCertificate -secretfile path_to_shared_secret_file/secret -certfile mjsClusterClientCert
To start the job manager, pass the path to the certificate file to the startjobmanager command using the -certificate flag.
startjobmanager -certificate mjsClusterClientCert
Create Certified Cluster Profile
The MATLAB client must also have a cluster profile with the correct certificate to connect to the job manager.
To create the certified cluster profile, use the createProfile command. Specify the name and hostname of the cluster and the path of the certificate file. For example, create a cluster profile for the cluster clusterName, host name mjsHost, and certificate file mjsClusterClientCert. The command creates a cluster profile file clusterName with the extension .mlsettings. This file contains the certificate that the MATLAB client needs to connect to the job manager.
createProfile -name clusterName -host mjsHost -certfile mjsClusterClientCert
The certificate and associated cluster profile control which users can connect to the job manager. You must store this data securely and distribute the cluster profile to users through a secure channel. You can use the Cluster Profile Manager to import a profile into the MATLAB client. For more information, see Discover Clusters and Use Cluster Profiles (Parallel Computing Toolbox).
Set Cluster Command Verification
MATLAB Job Scheduler cluster administrators can restrict use of MATLAB Job Scheduler cluster commands to only specified users. Restrict command use to prevent unauthorized users from sending privileged commands to the cluster. Privileged commands are commands that can change the state of the cluster.
Privileged Commands
This table lists the privileged commands that require verification. You can find the executables for these commands in these folders:
- matlabroot\toolbox\parallel\bin on Windows operating systems
- matlabroot/toolbox/parallel/bin on Linux operating systems
| Command | Description |
|---|---|
| | Pause a job manager that is running under the |
| | Determine or update resizing information for job manager processes under the |
| | Resume a job manager that is running under the |
| | Start a job manager process and the associated job manager lookup process under the |
| | Start a MATLAB worker process under the |
| | Stop a job manager process and the associated job manager lookup process under the |
| | Stop a MATLAB worker process under the |
| | Set or get the log level of the |
| | Register a MATLAB worker to a specified job manager. |
Note
Command verification is enabled by default when you set MATLAB Job Scheduler to Security Level 3.
Set Command Verification in mjs_def File
To require verification before the mjs service executes a privileged command on the cluster, set the REQUIRE_SCRIPT_VERIFICATION parameter to true in the mjs_def file.
You must also set the SHARED_SECRET_FILE parameter to the location of the secret file used by the mjs process you are trying to send commands to.
Specify the secret file using one of these options.
- Provide a secret file at the command line. You can provide the path to the secret file when you send a privileged command to the cluster. For example, to stop a worker in the cluster, enter this command in a Windows or Linux command prompt:
  stopworker -name worker1 -secretfile path_to_shared_secret_file/secret
- Provide a path in the mjs_def file. If you are using the same cluster host as the location of the secret file, you can provide a path to the secret file in the mjs_def file.
  Only users that have read access to the secret file can run privileged commands on the cluster.
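The mjs_def settings from the sections above can be checked on each Linux node before the mjs service is started. The following script is an added example, not MathWorks code. It assumes that mjs_def.sh holds plain KEY=value assignments and it interprets "read-only for the user who starts the mjs process" as file mode 0400; the function names mjs_param and audit_mjs_def are hypothetical.

```shell
#!/bin/sh
# Added example (not MathWorks code): audit an mjs_def.sh for the settings above.
# Assumption: parameters are KEY=value lines (optional spaces and quotes) and
# the last uncommented assignment wins.

# Print the effective value of parameter $2 in mjs_def file $1 (empty if unset).
mjs_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one FINDING line per deviation; return 0 only if there are none.
audit_mjs_def() {
    def=$1; rc=0
    for key in USE_SECURE_COMMUNICATION ALL_SERVER_SOCKETS_IN_CLUSTER \
               REQUIRE_CLIENT_CERTIFICATE REQUIRE_SCRIPT_VERIFICATION; do
        val=$(mjs_param "$def" "$key")
        if [ "$val" != "true" ]; then
            echo "FINDING: $key is '${val:-unset}', expected true"; rc=1
        fi
    done
    secret=$(mjs_param "$def" SHARED_SECRET_FILE)
    if [ -z "$secret" ]; then
        echo "FINDING: SHARED_SECRET_FILE is not set"; rc=1
    elif [ ! -f "$secret" ]; then
        echo "FINDING: secret file '$secret' not found on this node"; rc=1
    else
        # Assumed policy: readable by the owner only, writable by nobody (0400).
        mode=$(ls -ld "$secret" | cut -c1-10)
        if [ "$mode" != "-r--------" ]; then
            echo "FINDING: secret file mode is $mode, expected -r--------"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed sample: encryption on, client certificates left commented out,
# command verification missing, secret file group-readable.
demo=$(mktemp -d)
printf 'constructed-secret\n' > "$demo/secret"; chmod 440 "$demo/secret"
cat > "$demo/mjs_def.sh" <<EOF
USE_SECURE_COMMUNICATION="true"
ALL_SERVER_SOCKETS_IN_CLUSTER=true
#REQUIRE_CLIENT_CERTIFICATE="true"
SHARED_SECRET_FILE="$demo/secret"
EOF
audit_mjs_def "$demo/mjs_def.sh" || echo "mjs_def audit failed"
rm -rf "$demo"
```

In a nonshared file system, run the audit on every node, because each node has its own mjs_def file and its own copy of the secret file.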
Set LDAP Server Authentication
Configure MATLAB Job Scheduler to use your company Lightweight Directory Access Protocol (LDAP) server to authenticate user credentials. For details, see Configure LDAP Server Authentication for MATLAB Job Scheduler.