Configure services in the Operations Center
After installing the server applications a shortcut to the Operations Center is placed in the server's desktop. This is where all the FotoWare services are configured. The first time you start it, it will ask you for credentials before you may access it.
Video: Installation and configuration of the Operations Center
The video below outlines the installation of the Operations Center and the configuration of the FotoWare service account. It also explains how to control access to the configuration of FotoWare services on the server through the Operations Center.
Who can access the Operations Center?
When the Operations Center is installed, it creates two user groups on the server - FotoWare Operators and FotoWare Administrators. By default, members of the local Administrators group on the server are automatically made members of both the FotoWare groups.
The idea behind these two groups is that members of the FotoWare Operators group can access the Operations Center and are allowed to start, stop and restart server services and individual processes. However, FotoWare Operators may not change the actual configuration and workflow on the installed server applications. This is the privilege of the FotoWare Administrators group, which has full access to the Operations Center and may configure the workflow and configuration of the server applications.
You can add any existing user on your network, for instance domain users, to one or both the FotoWare groups on the server to give them access to the system. Note, however, that you cannot add groups to these groups - users have be added explicitly.
| Privilege | FotoWare Operator | FotoWare Administrator |
|---|---|---|
| Access the Operations Center | Yes | Yes |
| Monitor server activity, performance and load | Yes | Yes |
| Start and stop services | Yes | Yes |
| Configure indexes in Index Manager | No | Yes |
| Configure channels in Connect | No | Yes |
| Configure workflow in Color Factory | No | Not implemented, Color Factory uses a separate administration program. |
Setting a process account for the FotoWare services
While each application's service runs under the Local System Account, the Process Account is used for scanning document folders, writing and maintaining indexes, handling FotoWeb requests and so on. In short, it's a common account that handles the processing that is carried out by all FotoWare applications on the server.
Choosing a process account
Important: This process account must be a member of the local Administrators group on the server that it runs. Learn why.
The first time you access the Operations Center you will be asked to provide credentials for the FotoWare process account. However, if FotoWeb has been installed on the server, the FotoWeb setup wizard will already have asked you to set a process account. If you want to change it, you can go to the Server Settings tab in the Operations Center and change its credentials in the Process account section.
Process account implications for FotoWeb
If you specify a domain account and fill in the Domain field as yourcompany.com, yourcompany.net or something similar using a suffix, you will not be able to use a trusted connection when connecting FotoWeb to the SQL database. That's because the SQL database stores the windows user with only the short form of the domain name, omitting the three-letter suffix (.net, .com etc.) so that the SQL server will not be able to find the user.
You should also be aware that if your FotoWeb site runs on Internet Information Services, the process account specified in the Operations Center will be used to power the FotoWeb application pool in IIS. You should make sure any password renewal policies in your domain do not affect the process account, as this may potentially lock out the process account and cause the FotoWare services on the server to stop. Also, if you change the process account in the Operations Center at any time, you must manually make sure to set the same account for the IIS app pool.
Using a domain account as the process account
Normally, when a FotoWare server is added to a domain, the local machine (System account) is automatically granted READ permissions for CN=Users in the directory. This is required to look up the appropriate AD account for the process account and to delegate the correct permissions for the process account on the machine. By using this approach, User Access Control can remain enabled on the server, as recommended by Microsoft.
If, for some reason, the local machine (System account) does not have this privilege, the FotoWare services will not to run and it will be necessary to grant those permissions explicitly in the directory.
Choosing authentication type
This is where you choose the authentication methods and user accounts that are used when the FotoWare server tries to reach other FotoWare servers in the network. These settings are configured on the Server settings tab in the Operations Center.
Client authentication
Here you set the method of authentication to use for communications between FotoWare applications. When connecting to an index, for example, a FotoStation user may be asked to authenticate with a user name and password. The same is true when an Index Manager Union server connects to member indexes on other servers, for example. The Client Authentication setting controls whether the clients are authenticated in the server's local user registry, through Active Directory or using any SAML-compliant Identity Provider. If you choose AD authentication, naturally the server must first be a member of the domain. For details on SAML authentication, see the paragraph below.
Server authentication
Here you can set the user name and password that this FotoWare server should use when connecting to other FotoWare servers on the network. You add a new entry in the list by clicking the Add button, after which you type in the host name of the server you want to connect to and optionally the port number, and which user account you wish to use when connecting to that server. You can also specify that you want to authenticate using a domain account by typing domain\username in the Username field.
Example
Let's say that you have set up two Index Manager servers already, called IM1 and IM2. Currently you are setting up a union server you want to configure to connect to the indexes on IM1 and IM2.
All three servers are members of a domain called FWWORKFLOW, and the domain user fwuser is configured as a local admin on all three servers.
When setting up the union server, you will need to specify which account it should use when connecting to IM1 and IM2. Simply click on Add and type in IM1 in the Host name field. Then type in FWWORKFLOW\fwuser in the Username field to authenticate using the domain user. Then type in the fwuser's password in the Password field.
Repeat the process to add the IM2 server authentication in the same way.
Note: When using the file browser in any of the server interfaces you will notice that when connecting to a server for which no authentication credentials have been defined, you will be given the opportunity to manually enter a user name and password. This information will be stored in this list in the Operations Center and used for future connections to that server.
SAML Authentication
The Operations Center can be configured to authenticate clients and servers using a SAML Identity Provider (IdP)
First choose SAML 2.0 as the client authentication method and click on the Settings link to set up the connection to the IdP.
Paste in the certificate endpoint url in the corresponding fields as seen in the above screenshot. They are both obtained from the Identity Provider (IdP) configuration interface, although where you find them may vary from one IdP to another.
Next, set up group name mappings, mapping the SAML group name with a corresponding Group name stored in the Operations Center. This is the group name value the Operations Center will return when a client requests to know which group a user is a member of.
Finally, in the Property Mapping section, set the attribute that the IdP sends containing group membership data and the format of the values from the drop down field (Single/Multi).
Note: The Username, First name, and Last name fields are NOT currently in use.
FotoStation TIP: To upload configurations from FotoStation to an Index Manager server, the user who updates the configuration must be a member of the FotoWare Administrators group. Hence you should take care to set up a mapping between a SAML Group name and a curresponding Operations Center group named precisely FotoWare Administrators, to facilitate configuration updates for these users.
Server Access Keys
Server access keys are used to connect FotoWare server products to the Operations Center. One access key should be created per server.
Example: Say you have an Index Manager Server that you need to accept incoming connections from a Color Factory running on another server.
On the Index Manager server, click on Add to create an access key pair and copy the Account ID and Access Key to the clipboard (and store them safely in a secure document). Once you close the dialog you will not be able to retrieve the keys again.
Now, on the Color Factory server, add these account credentials to the Server Authentication settings in the Operations Center, so that when connecting to the Index Manager server (hostname IMSERVER in the example screenshot below), Color Factory will pass these credentials.
