
Secure Server Instance Using Dashboard

When you install MATLAB® Production Server™ using the on-premises dashboard, the dashboard interface provides options for enabling security, configuring client authentication, and enabling application access for specified clients.

Enable Security

To enable a server instance to use HTTPS:

  1. Select the server instance from the leftmost navigation pane.

  2. Select the Settings tab.

  3. Open the Http area.

  4. In the Https field, enter the port number the server instance will use for receiving requests over HTTPS.

  5. Click Save.

  6. Restart the server instance.

Configure Client Authentication

To ensure that only trusted clients have access to a server instance, configure the server instance to require client authentication:

  1. Select the server instance from the leftmost navigation pane.

  2. Select the Settings tab.

  3. Expand the SSL area.

  4. Set SSL Verify Peer Mode to verify-peer-require-peer-cert.

  5. Configure the server instance to use the system-provided CA store, a server-specific CA store, or both.

    Use these configuration properties to control the CA stores used by the server instance:

    • X509 CA File Store specifies a PEM formatted CA store to authenticate clients.

    • X509 Use System Store directs the server instance to use the system's CA store to authenticate clients.

    Note

    X509 Use System Store does not work on Windows.

  6. Optionally select the X509 Use CRL property to configure the server instance to respect any certificate revocation lists (CRLs) in the CA store.

    If this property is not specified, the server instance ignores the CRLs and potentially authenticates clients using revoked credentials.

  7. Click Save.

  8. Restart the server instance.

Caution

You must add a CRL to the server's CA store before selecting the X509 Use CRL property. If the CA store does not include a CRL, the server crashes.
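
A pre-flight check for the caution above, added here as an example and not MathWorks code: it confirms that a PEM CA store holds at least one certificate block and one CRL block before X509 Use CRL is selected. It assumes the CRL is appended as a PEM block to the same file named in X509 CA File Store; the function names and sample data are constructed for illustration.

```python
import base64
import re

# PEM encapsulation (RFC 7468): the label must match in the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def inventory_ca_store(pem_text):
    """Count well-formed PEM blocks in a CA store, keyed by PEM label."""
    counts = {}
    for label, body in PEM_BLOCK.findall(pem_text):
        try:
            # validate=True rejects stray characters inside the base64 body.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged block: do not count it
        # DER certificates and CRLs both start with a SEQUENCE tag (0x30).
        if der[:1] == b"\x30":
            counts[label] = counts.get(label, 0) + 1
    return counts


def safe_to_enable_crl(pem_text):
    """Structural check only: one CA certificate and one CRL must be present.

    Signatures, issuers and CRL expiry are not verified here.
    """
    counts = inventory_ca_store(pem_text)
    return counts.get("CERTIFICATE", 0) > 0 and counts.get("X509 CRL", 0) > 0


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed placeholder DER (a SEQUENCE holding INTEGER 0), not a real cert or CRL.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x00"
STORE_WITHOUT_CRL = _pem("CERTIFICATE", PLACEHOLDER_DER)
STORE_WITH_CRL = STORE_WITHOUT_CRL + _pem("X509 CRL", PLACEHOLDER_DER)

if __name__ == "__main__":
    for name, store in (("without CRL", STORE_WITHOUT_CRL), ("with CRL", STORE_WITH_CRL)):
        print(name, inventory_ca_store(store), safe_to_enable_crl(store))
```

Pass the function the text of the file set in X509 CA File Store, and select X509 Use CRL only when `safe_to_enable_crl` returns `True`.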

Specify Client Access to Deployed Applications

By default, MATLAB Production Server instances allow all clients to access all hosted MATLAB programs. To specify a list of allowed clients:

  1. Select the server instance from the leftmost navigation pane.

  2. Select the Settings tab.

  3. Expand the SSL area.

  4. Set SSL Allowed Client to a comma-separated list of clients that can access the server instance.

    Clients are identified by the common name of their certificate.

  5. Click Save.

  6. Restart the server instance.

Adjust Security Protocols and Ciphers

By default, MATLAB Production Server instances try to use TLSv1.2 to secure connections between client and server. To change the list of protocols and ciphers available to the server instance:

  1. Select the server instance from the leftmost navigation pane.

  2. Select the Settings tab.

  3. Expand the SSL area.

  4. Set SSL Protocols to a comma-separated list of the protocols available to the server instance.

    To enable only TLSv1, set the property to TLSv1.

    Because TLSv1.1 and TLSv1.2 are not included in the list, the server instance does not enable those protocols.

  5. Set SSL Ciphers to a comma-separated list of the cipher suites available to the server instance.

    To enable only high-strength cipher suites, set the property to HIGH.

  6. Click Save.

  7. Restart the server instance.

Improve Start Time When Security Is Enabled

When a server instance is configured to use HTTPS, it generates an ephemeral DH key at startup. Generating the DH key at startup provides more security than reading it from a file on disk. However, this generation can add a couple of minutes to server instance startup time.

If you need the server instance to start without delay and are not concerned about the loss of security, you can configure the server instance to read the ephemeral DH key from a file:

  1. Select the server instance from the leftmost navigation pane.

  2. Select the Settings tab.

  3. Expand the SSL area.

  4. Set SSL DH Key Parameter File to the path of the file containing the DH key.

  5. Click Save.

  6. Restart the server instance. See Restart Server Instance.
