Introduction
By default, the Node Manager service runs as a Local System account when installed on a Windows system. This can later be changed to another account, but the account used must be an administrator on the local machine for the Spotfire system to function. This article describes how to configure the Spotfire Windows node to run as an account that is not a local administrator.
The solution works by running a PowerShell script as a local Windows administrator, which gives a non-administrator Windows account the necessary privileges to run the Node Manager and its services. The script is attached at the end of this article.
The solution includes manual execution of a PowerShell script that is run after the Node Manager is installed and the services are deployed. The script must be re-run after any changes are made to the service deployments.
Prerequisites
The following versions are supported by the solution (the PowerShell script):
- Node Manager version 10.3.1 or later on a Windows machine.
- The node services (Web Player and Automation Services) version 10.3.1 or later.*
- PowerShell 5.1 or later.
* Note:
- If using version 10.3, you need 10.3.1 hotfix HF-004 or later
- If using version 10.4, you need 10.4.0 hotfix HF-001 or later
Setup
- Install the Node Manager.
- Trust the Node Manager with the Spotfire Server.
- Deploy the Automation Services and Web Player services on the node.
- (Create the Windows account to be used to run the Node Manager Windows service.)
- Remote into the Windows machine running the Node Manager.
- Open a PowerShell command line as a local administrator.
- Run the PowerShell script with the following parameters (see the script for more information):
  - Path to the Node Manager folder (C:\Tibco\tsnm\10.4.0\nm).
  - Username of the Windows account to use for the Node Manager (domain\user).
  - Password of the Windows account to use for the Node Manager (pa55w0rd).
Note: The password is not stored; it is only used to change the Windows account for the service.
When to re-run the setup script
Some changes to the Spotfire system require that the script is run again. If such changes are done, the script must be run again as a local administrator on the Node Manager Windows machine.
When one of the following changes occurs, the script must be run again:
- The Node Manager is re-installed
- The Node Manager gets new trust certificates, either via revoking and trusting again or via the automatic renewal of certificates (after 1 year by default)
- A new Automation Services or Web Player service is installed that uses a new port
Reverting the setup
The changes made by the script can be reverted so that the service returns to running under a system account. This is done by running the PowerShell script again with the extra parameter -revert. All other parameters must be the same as during setup. This must be done before uninstalling the services or the Node Manager.
What the script does
- Stops the Node Manager service.
- Gives the account full access to the Node Manager folder. This is required for the services to run, create logs and temporary files.
- Adds the account to the local Windows groups Performance Monitor Users and Performance Log Users. This is required for the services to be able to gather information on the Windows system that is used to make routing decisions.
- Changes the account that runs the Node Manager service to the given Windows account.
- Installs the trust certificates into the Windows certificate store (Local Machine). This is required for the services to create a Web Service host.
- Gives the account access to create Web Services on the ports used by the services.
- Gives the account access to the private key of the node certificate to be able to create outgoing TLS connections to the Spotfire Server.
- Starts the Node Manager service.
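A read-only check that can be run after the script to confirm the resulting state, added here as an example (it is not the attached script and not TIBCO code). It covers the service account, the two group memberships and the folder access listed above, and also reports whether the account is a direct member of the local Administrators group. The service name is a parameter because this article does not state it, and the parameter names are assumptions of this example.

```powershell
# Added example: read-only audit of the state described under "What the script does".
# Run on the Node Manager machine (PowerShell 5.1 or later).
param(
    [Parameter(Mandatory)] [string] $NodeManagerPath,  # e.g. C:\Tibco\tsnm\10.4.0\nm
    [Parameter(Mandatory)] [string] $Account,          # domain\user
    [Parameter(Mandatory)] [string] $ServiceName       # assumption: look it up with Get-Service
)

# Compare by SID so localized group names and name casing do not matter.
$sid = ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value

function Test-DirectMember([string] $GroupSid) {
    # Lists direct members only; membership via a nested domain group is not resolved.
    [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid })
}

$checks = [ordered]@{}

# The service should log on as the account (StartName must be in the same domain\user form).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$checks['Service logs on as the account'] = [bool]($svc -and $svc.StartName -ieq $Account)

# Well-known SIDs: 544 Administrators, 558 Performance Monitor Users, 559 Performance Log Users.
$checks['Not a direct member of Administrators'] = -not (Test-DirectMember 'S-1-5-32-544')
$checks['Member of Performance Monitor Users']   = Test-DirectMember 'S-1-5-32-558'
$checks['Member of Performance Log Users']       = Test-DirectMember 'S-1-5-32-559'

# An Allow rule (explicit or inherited) granting the account Full control on the folder.
$fullControl = [Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $NodeManagerPath).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
$checks['Full control on Node Manager folder'] = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $fullControl) -eq $fullControl
})

# One row per check; a False row points at the step to review.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
}
```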
Extending the script/third-party add-ins
If the services use third-party add-ins/extensions that require access to other administrative resources, local or remote, the script must be modified to give the account access to those resources.
Troubleshooting
On older operating systems, like Windows Server 2012, there is a problem with PowerShell that can cause the following error:
Give user 'domain\user' full access to node manager folder 'C:\tibco\tsnm\<VERSION>\nm'.
Set-Acl : The security identifier is not allowed to be the owner of this object.
In that case, this step needs to be done manually.
The account (domain\user) to use must be given "Full control" access to the node manager folder (C:\Tibco\tsnm\10.4.0\nm).