After installing the server application, a shortcut to Operations Center Settings is placed on the server's desktop. This is where all the Fotoware services are configured. The first time you start it, you are prompted for your credentials.
Who can access Operations Center Settings?
When Operations Center Settings is installed, it creates a local Fotoware Administrators group on the server. By default, members of the local Administrators group on the server are automatically members of this group.
All users who can log on to the server (over RDP (Remote Desktop Protocol), for example) can open Operations Center Settings, FotoWeb Settings, Index Manager Settings, Color Factory Settings, and Connect Settings. In other words, interactive access to the server is what protects these settings, so restrict who can log on to it.
Only members of the Fotoware Administrators group can access Operations Center Status. You can add any existing user on your network to the group, for instance a domain user, to give them access to the system. Operations Center Status can be accessed from any workstation on the network. When you first install Fotoware, you need to log off and log on again for the group membership to take effect.
Note: You cannot add groups to the group - users must be added explicitly.
Legacy note: Prior to version 8.1, an FW Operators group was also created. This group no longer exists.
Setting a process account for the Fotoware services
While each application's service runs under the Local System account, the process account is the identity used for scanning document folders, writing and maintaining indexes, handling FotoWeb requests, and so on. In short, it is the one common account that performs the processing carried out by all Fotoware applications on the server.
Choosing a process account
Note: This process account must be a member of the local Administrators group on the server on which it runs.
The first time you access Operations Center Settings you must provide credentials for the Fotoware process account. However, if FotoWeb has been installed on the server, you will already have been asked to set up a process account by the FotoWeb setup wizard. To change the process account credentials, go to Operations Center Settings > General:
Process account implications for FotoWeb
If you specify a domain account and enter a DNS-style name such as yourcompany.com or yourcompany.net in the Domain field, you will not be able to use a trusted connection (Windows authentication) when connecting FotoWeb to the SQL database. SQL Server stores the Windows login with only the short (NetBIOS) form of the domain name, without the .com, .net or similar suffix, so a login written with the suffix will not be found. Enter the short domain name instead.
Note: If your FotoWeb site runs on Internet Information Services, the process account specified in Operations Center Settings is also used as the identity of the FotoWeb application pool in IIS. Make sure that password expiry policies in your domain do not apply to the process account: an expired or locked-out process account stops the Fotoware services on the server. Also, if you change the process account in Operations Center Settings, you must manually set the same account and password on the IIS application pool; the two are not synchronised for you.
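The three checks above (local Administrators membership, password expiry, and the IIS application pool identity) are easy to script on the server. The following PowerShell is an added example, not Fotoware's own code; the account name CORP\svc-fotoware, the application pool name FotoWeb, and the presence of the ActiveDirectory (RSAT) and WebAdministration modules are assumptions.

```powershell
# Added example, not Fotoware's own code. Assumed values:
$ProcessAccount = 'CORP\svc-fotoware'   # assumed process account (short domain form)
$AppPoolName    = 'FotoWeb'              # assumed name of the FotoWeb app pool in IIS
$SamAccount     = $ProcessAccount.Split('\')[1]

# In Operations Center Settings > General, enter the short domain name (CORP),
# not corp.example.com, or a trusted SQL connection will not find the login.

# 1. The process account must be a member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains $ProcessAccount) {
    Write-Warning "$ProcessAccount is not in local Administrators; adding it."
    Add-LocalGroupMember -Group 'Administrators' -Member $ProcessAccount
}

# 2. A domain password-expiry policy that applies to the account will eventually
#    stop the services; surface the risk before it happens.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccount -Properties PasswordNeverExpires, PasswordExpired, LockedOut
if (-not $user.PasswordNeverExpires) {
    Write-Warning "$ProcessAccount is subject to password expiry; exempt it or plan a rotation in both Operations Center Settings and IIS."
}
if ($user.LockedOut -or $user.PasswordExpired) {
    Write-Warning "$ProcessAccount is locked out or its password has expired; Fotoware services will fail."
}

# 3. Keep the IIS application pool identity in sync with the process account.
Import-Module WebAdministration
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
if ($pool.processModel.userName -ne $ProcessAccount) {
    $cred = Get-Credential -UserName $ProcessAccount -Message 'Process account password'
    Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $ProcessAccount
        password     = $cred.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $AppPoolName
}
```

Run it in an elevated PowerShell session on the Fotoware server after changing the process account; step 3 prompts for the password interactively rather than taking it on the command line, so it does not end up in the shell history.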
Using a domain account as the process account
Normally, when a Fotoware server is joined to a domain, the computer account (the identity that the Local System account presents on the network) is automatically granted READ permission on CN=Users in the directory. This is required to look up the AD account used as the process account and to delegate the correct permissions to that account on the machine. Because the lookup is done by the machine itself, User Account Control (UAC) can remain enabled on the server, as recommended by Microsoft.
If the computer account does not have this permission, the Fotoware services will not be able to run, and you must grant the permission explicitly in the directory.
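To verify the directory permission described above before the services fail, you can inspect the ACL on the Users container from a domain-joined machine. This is an added example, not Fotoware's own code; the domain corp.example, the server name FWSRV01 and the container path are assumptions, and the ActiveDirectory (RSAT) module must be installed.

```powershell
# Added example, not Fotoware's own code. Assumed values:
Import-Module ActiveDirectory
$Container = 'CN=Users,DC=corp,DC=example'   # assumed domain
$Computer  = 'CORP\FWSRV01$'                 # assumed Fotoware server's computer account

# Read access can be granted to the computer account directly or through a
# group it belongs to; Authenticated Users and Domain Computers are the usual
# carriers of the default read permission.
$acl = Get-Acl -Path "AD:\$Container"
$readers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|ListChildren' } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

$covered = ($readers -contains $Computer) -or
           ($readers -contains 'NT AUTHORITY\Authenticated Users') -or
           ($readers -contains 'CORP\Domain Computers')

if ($covered) {
    "$Computer can read $Container (via: $($readers -join ', '))"
} else {
    Write-Warning "$Computer has no read access to $Container; granting Generic Read."
    # dsacls is the built-in directory ACL tool; GR = Generic Read. Requires
    # rights to modify the container's ACL (typically Domain Admins).
    dsacls $Container /G "${Computer}:GR"
}
```

The check deliberately looks for the broad groups as well as the explicit computer account, so a correctly configured default domain is not reported as a problem; only grant explicitly when the default read permission has been removed.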
Choosing authentication type
- To configure client and server authentication, go to Operations Center Settings > Authentication.
- The Authentication view opens. Here you can select the authentication method used for communication between Fotoware applications.
When connecting to an index, for example, a FotoStation user may need to authenticate with a user name and password. The same applies when an Index Manager union server connects to member indexes on other servers. The Client authentication setting controls whether clients are authenticated against the server's local user registry, through Active Directory (AD), or by any SAML-compliant identity provider. If you choose AD authentication, the server must first be a member of the domain. For more information about SAML authentication, see SAML Authentication.
Select Access keys to open the Server access keys view.
Server access keys are used for incoming connections from other Fotoware server products on the network to this server, without having to hand out actual user accounts. A further benefit of access keys over user accounts is that a key can be revoked on its own to invalidate it when required. Create one access key per connecting server, so that revoking a key affects only that server.
Example: you have an Index Manager server that needs to accept incoming connections from Color Factory running on another server on the network.
On the Index Manager server, select Add to create an access key pair and copy the Account ID and Access Key to the clipboard (and store them in a secure location, such as a password manager). Once you close the dialog you will not be able to retrieve the key again.
On the Color Factory server, add these credentials to the Authentication settings in Operations Center Settings, so that Color Factory passes them when connecting to the Index Manager server.
Operations Center Settings can be configured to authenticate clients and servers using a SAML Identity Provider (IdP).
- Select SAML to open the SAML view.
- Select SAML 2.0 as the client authentication method and select the Settings link to set up the connection to the IdP.
- Enter the IdP's certificate and endpoint URL in the corresponding fields, as seen in the above screenshot. Both are obtained from the Identity Provider (IdP) configuration interface, although where you find them varies from one IdP to another.
- Set up group name mappings, mapping each SAML group name to a corresponding group name stored in Operations Center Settings. This is the group name that Operations Center Settings returns when a client asks which groups a user is a member of.
- In the Property Mapping section, set the attribute that the IdP sends containing group membership data and select the format of its values from the drop-down field (Single/Multi).
Note: The First name and Last name fields are only used for the history function.
Tip: To upload configurations from FotoStation to an Index Manager server, the user who updates the configuration must be a member of the Fotoware Administrators group. Therefore, you must map a SAML group name to an Operations Center Settings group named Fotoware Administrators (the name must match exactly) so that these users are allowed to update configurations.
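To make the group mapping and property mapping concrete, the following PowerShell walks a SAML assertion through the two mappings described above and reports which Operations Center Settings groups result. This is an added example, not Fotoware's own code: the assertion is constructed for illustration, the attribute name groups, the IdP group names and the reading of Single as "one value listing all groups" versus Multi as "one AttributeValue per group" are assumptions rather than Fotoware's documented behaviour.

```powershell
# Added example, not Fotoware's own code. The assertion below is constructed.
$assertion = [xml]@'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>DAM-Admins</saml:AttributeValue>
      <saml:AttributeValue>DAM-Editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

# Property mapping (assumed): which attribute carries group membership, and
# whether groups arrive as one AttributeValue per group ('Multi') or as a
# single delimited value ('Single').
$GroupAttribute = 'groups'
$ValueFormat    = 'Multi'

# Group name mappings: IdP group name -> Operations Center Settings group name.
# 'Fotoware Administrators' must match exactly for configuration uploads.
$GroupMap = @{
    'DAM-Admins'  = 'Fotoware Administrators'
    'DAM-Editors' = 'Editors'
}

$ns = New-Object System.Xml.XmlNamespaceManager($assertion.NameTable)
$ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
$values = $assertion.SelectNodes("//saml:Attribute[@Name='$GroupAttribute']/saml:AttributeValue", $ns) |
          ForEach-Object { $_.InnerText }
if ($ValueFormat -eq 'Single') {
    # A single value such as "DAM-Admins;DAM-Editors" is split on the delimiter.
    $values = ($values -join ';') -split '[,;]' | ForEach-Object { $_.Trim() }
}

# Unmapped IdP groups are dropped: a user only gets groups you have mapped.
$fotowareGroups = $values | ForEach-Object { $GroupMap[$_] } | Where-Object { $_ }
"Mapped groups: $($fotowareGroups -join ', ')"
"Can upload configurations: $($fotowareGroups -contains 'Fotoware Administrators')"
```

Note that an IdP group with no mapping yields no Fotoware group at all, and that a mapping to, say, "FotoWare Administrators" (different capitalisation) would not be the exact name the tip requires.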
Here you can set the user name and password that this Fotoware server uses when setting up outgoing connections to other Fotoware servers on the network.
To add a new entry in the list, select Add and enter the host name of the server you want to connect to (and, optionally, the port number) and which user account to use when connecting to that server. You can also specify that you want to authenticate using a domain account by entering domain\username in the Username field.
We recommend creating access keys on the server that receives the incoming connections and then adding the credentials obtained to the server that sets up the connection.
Note: When using the file browser in any of the server interfaces to connect to a server for which no authentication credentials have been defined, you can manually enter a user name and password. This information will be stored in this list in Operations Center Settings and used for future connections to the same server.